[system-administrators-guide] Adding: TigerVNC chapter
stephenw
stephenw at fedoraproject.org
Wed Dec 10 06:52:51 UTC 2014
commit 73c5df23dbf34bfbde6bccfb6f72a8ef3a139863
Author: Stephen Wadeley <swadeley at redhat.com>
Date: Wed Dec 10 07:46:29 2014 +0100
Adding: TigerVNC chapter
en-US/System_Administrators_Guide.xml | 1 +
en-US/TigerVNC.xml | 376 +++++++++++++++++++++++++++++++++
2 files changed, 377 insertions(+), 0 deletions(-)
---
diff --git a/en-US/System_Administrators_Guide.xml b/en-US/System_Administrators_Guide.xml
index 3258ad7..b818c43 100644
--- a/en-US/System_Administrators_Guide.xml
+++ b/en-US/System_Administrators_Guide.xml
@@ -38,6 +38,7 @@
</partintro>
<xi:include href="Services_and_Daemons.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
<xi:include href="OpenSSH.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
+ <xi:include href="TigerVNC.xml" xmlns:xi="http://www.w3.org/2001/XInclude" />
</part>
<part id="part-Servers">
<title>Servers</title>
diff --git a/en-US/TigerVNC.xml b/en-US/TigerVNC.xml
new file mode 100644
index 0000000..32c88fc
--- /dev/null
+++ b/en-US/TigerVNC.xml
@@ -0,0 +1,376 @@
+<?xml version='1.0'?>
+<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<chapter id="ch-TigerVNC">
+
+ <title>TigerVNC</title>
+ <para>
+<systemitem>TigerVNC</systemitem> (Tiger Virtual Network Computing) is a system
+for graphical desktop sharing which allows you to remotely control other computers.
+ </para>
+ <para>
+<systemitem>TigerVNC</systemitem> works on the client-server network: a
+<emphasis role="bold">server</emphasis> shares its output (<systemitem>vncserver</systemitem>) and a
+<emphasis role="bold">client</emphasis> (<systemitem>vncviewer</systemitem>) connects to the server.
+ </para>
+ <note>
+ <para>
+Unlike in previous Red Hat Enterprise Linux distributions, <systemitem>TigerVNC</systemitem> in Red Hat Enterprise Linux 7 uses the <systemitem>systemd</systemitem> system management daemon for its configuration.
+The <filename>/etc/sysconfig/vncserver</filename> configuration file has been replaced
+by <filename>/etc/systemd/system/vncserver at .service</filename>.
+ </para>
+ </note>
+ <section id="s1-vnc-server">
+ <title>VNC Server</title>
+ <para>
+<systemitem>vncserver</systemitem> is a utility which starts a VNC (Virtual
+Network Computing) desktop. It runs Xvnc with appropriate options and starts a window
+manager on the VNC desktop. <systemitem>vncserver</systemitem> allows users to run
+separate sessions in parallel on a machine which can then be accessed by any number of clients
+from anywhere.
+ </para>
+ <section id="s2-vnc-installation">
+ <title>Installing VNC Server</title>
+ <para>
+To install the TigerVNC server, issue the following command as <systemitem class="username">root</systemitem>:
+<screen><command><computeroutput>~]# </computeroutput><userinput>yum install tigervnc-server</userinput></command></screen>
+<!--SJW: This installs tigervnc-server and tigervnc-server-minimal, +54 Dependent packages. I now have vncserver and vncconfig man page.-->
+ </para>
+ </section>
+ <section id="s3-configuring-vnc-server">
+ <title>Configuring VNC Server</title>
+<procedure id="configuring-vncserver">
+ <title>Configuring the first VNC connection</title>
+ <step>
+ <para>
+A configuration file named <filename>/etc/systemd/system/vncserver at .service</filename> is required. To create this file, copy the <filename>/lib/systemd/system/vncserver at .service</filename> file as <systemitem class="username">root</systemitem>:
+ </para>
+ <screen>
+<computeroutput>~]# </computeroutput><userinput>cp /lib/systemd/system/vncserver at .service /etc/systemd/system/vncserver at .service</userinput>
+ </screen>
+ </step>
+ <step>
+ <para>
+Edit <filename>/etc/systemd/system/vncserver at .service</filename>,
+replacing <replaceable>USER</replaceable> with the actual user name.
+Leave the remaining lines of the file unmodified.
+The <option>-geometry</option> argument specifies the size of the VNC desktop to
+be created; by default, it is set to <literal>1024x768</literal>.
+ </para>
+ <screen>
+ExecStart=/sbin/runuser -l <replaceable>USER</replaceable> -c "/usr/bin/vncserver %i -geometry 1280x1024"
+PIDFile=/home/<replaceable>USER</replaceable>/.vnc/%H%i.pid
+ </screen>
+ </step>
+ <step>
+ <para>
+Save the changes.
+ </para>
+ </step>
+ <step>
+ <para>
+To make the changes take effect immediately, issue the following command:
+ </para>
+<screen>
+<computeroutput>~]# </computeroutput><userinput>systemctl daemon-reload</userinput>
+</screen>
+ </step>
+ <step>
+ <para>
+Set the password for the user or users defined in the configuration file. Note
+that you need to switch from <systemitem class="username">root</systemitem> to <replaceable>USER</replaceable> first.
+ </para>
+<screen>
+<computeroutput>~]# </computeroutput>su - <replaceable>USER</replaceable>
+<computeroutput>~]$ </computeroutput><userinput>vncpasswd</userinput>
+Password:
+Verify:
+</screen>
+ <important>
+ <para>
+The stored password is not encrypted; anyone who has access to the password
+file can find the plain-text password.
+ </para>
+ </important>
+ </step>
+ </procedure>
+ <section id="configuring-vncserver-2users">
+ <title>Configuring VNC Server for Two Users</title>
+ <para>
+If you want to configure more than one user on the same machine,
+create different template-type service files, one for each user.
+ </para>
+<procedure>
+ <step>
+ <para>
+Create two service files, for example <filename>vncserver-<replaceable>USER_1</replaceable>@.service</filename>
+and <filename>vncserver-<replaceable>USER_2</replaceable>@.service</filename>.
+In both these files substitute <replaceable>USER</replaceable> with the correct user name.
+ </para>
+ </step>
+<step>
+ <para>
+Set passwords for both users:
+ </para>
+<programlisting>
+<command><computeroutput>~]$ </computeroutput><userinput>su - <replaceable>USER_1</replaceable></userinput></command>
+<computeroutput>~]$ </computeroutput><userinput>vncpasswd</userinput>
+Password:
+Verify:
+<command><computeroutput>~]$ </computeroutput><userinput>su - <replaceable>USER_2</replaceable></userinput></command>
+<computeroutput>~]$ </computeroutput><userinput>vncpasswd</userinput>
+Password:
+Verify:
+</programlisting>
+</step>
+</procedure>
+ </section>
+ </section>
+ <section id="s4-starting-vncserver">
+ <title>Starting VNC Server</title>
+ <para>
+To start or enable the service, specify the display number directly in the command.
+The file configured above works as a template, in which <literal>%i</literal> is substituted with
+the display number by <systemitem>systemd</systemitem>.
+With a valid number, execute the following command:
+ </para>
+<screen>
+<command><computeroutput>~]# </computeroutput>systemctl start vncserver@:<replaceable>display_number</replaceable>.service</command>
+</screen>
+ <para>
+You can also enable the service to start automatically at system start. Then, when you log in, <systemitem>vncserver</systemitem> is automatically started. As <systemitem class="username">root</systemitem>, issue a command as follows:
+ </para>
+<screen>
+<command><computeroutput>~]# </computeroutput>systemctl enable vncserver@:<replaceable>display_number</replaceable>.service</command>
+</screen>
+ <para>
+At this point, other users are able to use the <systemitem>vncviewer</systemitem>
+program to connect to the VNC server using the display number and password defined.
+ </para>
+ <section id="starting-vncserver-2displays">
+ <title>Configuring VNC Server for two users and two different displays</title>
+ <para>
+For the two configured VNC servers, vncserver-USER_1 at .service and vncserver-USER_2 at .service,
+you can enable different display numbers. For example, the following commands will cause a VNC server for USER_1 to
+start on display 3, and a VNC server for USER_2 to start on display 5:
+ </para>
+<screen>
+<command><computeroutput>~]# </computeroutput>systemctl start vncserver-USER_1@:3.service</command>
+<command><computeroutput>~]# </computeroutput>systemctl start vncserver-USER_2@:5.service</command>
+</screen>
+ </section>
+ </section>
+ <section id="terminating-vnc-session">
+ <title>Terminating a VNC session</title>
+ <para>
+Similarly to enabling the <systemitem>vncserver</systemitem> service, you can disable
+the automatic start of the service at system start:
+ </para>
+<screen>
+<command><computeroutput>~]# </computeroutput><userinput>systemctl disable vncserver@:<replaceable>display_number</replaceable>.service</userinput></command>
+</screen>
+ <para>
+Or, when your system is running, you can stop the service by issuing the following
+command as <systemitem class="username">root</systemitem>:
+ </para>
+<screen>
+<command><computeroutput>~]# </computeroutput><userinput>systemctl stop vncserver@:<replaceable>display_number</replaceable>.service</userinput></command>
+</screen>
+ </section>
+ </section>
+ <section id="s5-vnc-viewer">
+ <title>VNC Viewer</title>
+ <para>
+<systemitem>vncviewer</systemitem> is the program which shows the shared graphical
+user interfaces and controls the server.
+ </para>
+<para>
+For operating the <systemitem>vncviewer</systemitem>, there is a pop-up menu
+containing entries which perform various actions such as switching in and out of
+full-screen mode or quitting the viewer. Alternatively, you can operate <systemitem>vncviewer</systemitem>
+through the terminal; there is a list of parameters <systemitem>vncviewer</systemitem>
+can be used with which you obtain by typing <command>vncviewer -h</command> on the command line.
+</para>
+ <section id="installing-vncviewer">
+ <title>Installing VNC Viewer</title>
+ <para>
+To install the TigerVNC client, referred to as <application>vncviewer</application>, issue the following command as <systemitem class="username">root</systemitem>:
+<synopsis><command><computeroutput>~]# </computeroutput><userinput>yum install tigervnc</userinput></command></synopsis>
+ </para>
+ </section>
+ <section id="s6-connecting-vnc-viewer">
+ <title>Connecting to VNC Server</title>
+ <para>
+Once the VNC server is configured, you can connect to it from any VNC viewer.
+In order to do so, issue the <command>vncviewer</command> command in the following format:
+<synopsis>vncviewer <replaceable>IP_address</replaceable>:<replaceable>port_number</replaceable></synopsis>
+ </para>
+<example id="connecting-to-vncserver">
+ <title>One Client Connecting to vncserver</title>
+ <para>
+With the <systemitem class="protocol">IP</systemitem> address <systemitem class="ipaddress">192.168.0.4</systemitem> and display number <emphasis>3</emphasis>
+the command looks as follows:
+ </para>
+<programlisting>
+<command><computeroutput>~]$ </computeroutput><userinput>vncviewer 192.168.0.4:3</userinput></command>
+</programlisting>
+</example>
+
+<section id="sec-Configuring_the_Firewall_for_VNC">
+<title>Configuring the Firewall for VNC</title>
+ <para>
+When using a non-encrypted connection, <systemitem>firewalld</systemitem> might
+block the connection. To allow <systemitem>firewalld</systemitem> to pass the VNC packets, you can open specific ports to <systemitem class="protocol">TCP</systemitem> traffic. When using the <option>-via</option> option, traffic is redirected over <systemitem class="protocol">SSH</systemitem> which is enabled by default in <systemitem>firewalld</systemitem>.
+ </para>
+ <note>
+ <para>
+The default port of VNC server is 5900. To reach the port through which a remote
+desktop will be accessible, sum the default port and the user's
+assigned display number. For example, for the second port: 2 + 5900 = 5902.
+ </para>
+ </note>
+ <para>
+ For displays <literal>0</literal> to <literal>3</literal>, make use of <systemitem>firewalld</systemitem>'s support for the VNC service by means of the <option>service</option> option as described below. Note that for display numbers greater than <literal>3</literal>, the corresponding ports will have to be opened specifically as explained in <xref linkend="proc-Opening-Ports_in_firewalld" />.
+ </para>
+<procedure id="proc-Enabling_VNC_Service_in_firewalld">
+<title>Enabling VNC Service in firewalld</title>
+<step>
+ <para>
+Run the following command to see the information concerning <systemitem>firewalld</systemitem>
+settings:
+ </para>
+<screen>
+<command><computeroutput>~]$ </computeroutput>firewall-cmd --list-all</command>
+</screen>
+</step>
+<step>
+ <para>
+ To allow all VNC connections from a specific address, use a command as follows:
+ <screen>~]# <command>firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.122.116" service name=vnc-server accept'</command>
+success</screen>
+See the <ulink url="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/">Red Hat Enterprise Linux 7 Security Guide</ulink> for more information on the use of firewall rich language commands.
+</para>
+</step>
+<step>
+<para>
+ To verify the above settings, use a command as follows:
+ <screen>~]# <command>firewall-cmd --list-all</command>
+public (default, active)
+ interfaces: bond0 bond0.192
+ sources:
+ services: dhcpv6-client ssh
+ ports:
+ masquerade: no
+ forward-ports:
+ icmp-blocks:
+ rich rules:
+ rule family="ipv4" source address="192.168.122.116" service name="vnc-server" accept</screen>
+</para>
+</step>
+</procedure>
+
+<para>
+ To open a specific port or range of ports make use of the <option>--list-ports</option> option to the <command>firewall-cmd</command> command Line tool. For example, VNC display <literal>4</literal> requires port <literal>5904</literal> to be opened for <systemitem class="protocol">TCP</systemitem> traffic.
+</para>
+<procedure id="proc-Opening-Ports_in_firewalld">
+<title>Opening Ports in firewalld</title>
+<step>
+<para>
+ To open a port for <systemitem class="protocol">TCP</systemitem> traffic in the public zone, issue a command as <systemitem class="username">root</systemitem> as follows:
+<screen>~]# <command>firewall-cmd --zone=public --add-port=5904/tcp</command>
+success</screen>
+</para>
+</step>
+<step>
+<para>
+To view the ports that are currently open for the public zone, issue a command as follows:
+<screen>~]# <command>firewall-cmd --zone=public --list-ports</command>
+5904/tcp</screen>
+</para>
+</step>
+</procedure>
+<para>
+A port can be removed using the <command>firewall-cmd --zone=<replaceable>zone</replaceable> --remove-port=<replaceable>number/protocol</replaceable></command> command.
+</para>
+
+<para>
+ For more information on opening and closing ports in <systemitem>firewalld</systemitem>, see the <ulink url="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/">Red Hat Enterprise Linux 7 Security Guide</ulink>.
+</para>
+ </section>
+ </section>
+ <section id="s1-using_ssh">
+ <title>Connecting to VNC Server using SSH</title>
+ <para>
+<acronym>VNC</acronym> is a clear text network protocol with no security against possible attacks on the communication. To make the communication secure, you can encrypt your server-client connection by using the <option>-via</option> option. This will create an <systemitem class="protocol">SSH</systemitem> tunnel between the VNC server and the client.
+ </para>
+ <para>
+The format of the command to encrypt a VNC server-client connection looks as follows:
+ </para>
+<screen>
+<command><computeroutput>~]$ </computeroutput><userinput>vncviewer -via <replaceable>user</replaceable>@<replaceable>host</replaceable>:<replaceable>display_number</replaceable></userinput></command>
+</screen>
+ <example id="using-via">
+ <title>Using the -via option</title>
+
+ <procedure>
+ <step>
+ <para>
+ To connect to a VNC server using <systemitem class="protocol">SSH</systemitem>, enter a command as follows:
+ </para>
+<programlisting>
+<command><computeroutput>~]$ </computeroutput><userinput>vncviewer -via USER_2 at 192.168.2.101:3</userinput></command>
+</programlisting>
+ </step>
+ <step>
+ <para>
+When you are prompted to, type the password, and confirm by pressing <keycap>Enter</keycap>.
+ </para>
+ </step>
+ <step>
+ <para>
+A window with a remote desktop appears on your screen.
+ </para>
+ </step>
+ </procedure>
+ </example>
+
+ <bridgehead id="bh-Restricting_VNC_access">Restricting VNC access</bridgehead>
+ <para>
+If you prefer only encrypted connections, you can prevent unencrypted connections
+altogether by using the <option>-localhost</option> option in the <systemitem class="service">systemd.service</systemitem>
+file, the ExecStart line:
+ </para>
+<screen>ExecStart=/sbin/runuser -l <replaceable>user</replaceable> -c "/usr/bin/vncserver -localhost %i"</screen>
+<para>
+This will stop <systemitem>vncserver</systemitem> from accepting connections from anything but the local host and port-forwarded connections sent using <systemitem class="protocol">SSH</systemitem> as a result of the <option>-via</option> option.
+</para>
+ <para>
+For more information on using <systemitem class="protocol">SSH</systemitem>, see <xref linkend="ch-OpenSSH" />.
+ </para>
+ </section>
+ </section>
+ <section id="s9-additional-sources">
+ <title>Additional Resources</title>
+ <para>
+ For more information about TigerVNC, see the resources listed below.
+ </para>
+ <bridgehead id="brid-TigerVNC-Resources-Installed" renderas="sect2">Installed Documentation</bridgehead>
+ <itemizedlist>
+ <listitem>
+ <para>
+ <filename>vncserver(1)</filename> — The <acronym>VNC</acronym> server manual pages.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>vncviewer(1)</filename> — The <acronym>VNC</acronym> viewer manual pages.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <filename>vncpasswd(1)</filename> — The <acronym>VNC</acronym> password manual pages.
+ </para>
+ </listitem>
+</itemizedlist>
+ </section>
+
+</chapter>
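Review bot: the paragraph that introduces the "Opening Ports in firewalld" procedure tells the reader to "make use of the --list-ports option" to open a port or range of ports, but the procedure's first step actually opens the port with `firewall-cmd --zone=public --add-port=5904/tcp` and only the second step uses `--list-ports` to display what is open; the paragraph should name `--add-port` instead, and "command Line tool" should read "command line tool". Two smaller points in the same file: the `firewall-cmd --add-rich-rule=...` and `--add-port=...` commands are shown without `--permanent`, so a reader following them verbatim gets runtime-only rules that vanish on the next firewalld reload or reboot; a sentence saying so (or a `--permanent` variant) would avoid surprises. The note at the top of the chapter speaks of "previous Red Hat Enterprise Linux distributions" and "Red Hat Enterprise Linux 7", and both Security Guide links point at the RHEL 7 documentation, which reads oddly in the Fedora System Administrator's Guide; consider rewording for Fedora. Lastly, the prompts are inconsistent: in the first procedure `su - USER` is run from a `~]#` root prompt (and, unlike the neighbouring commands, is not wrapped in `<userinput>`), while the two-user procedure shows `su - USER_1` at a `~]$` prompt; the firewall note's "for the second port: 2 + 5900 = 5902" would also be clearer as "for display number 2".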