Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'jcpunk-vnc', '3.0.1'
Learn more about managing modules with a Puppetfile
Documentation
vnc
Manage tigervnc now that it expects systemd-logind support.
Table of Contents
- Description
- Setup - The basics of getting started with vnc
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
Description
This module manages VNC servers utilizing the new tigervnc scripts from tigervnc 1.11 and later.
Users can optionally be given rights to restart their own servers.
Setup
What vnc affects
This will impact your VNC sessions, configs in /etc/tigervnc (parameter), and PolicyKit for systemd (if user restart is granted via the params).
If requested, vnc::client::novnc will try to set up the non-webserver parts of a noVNC site.
Setup Requirements OPTIONAL
If you wish to use the novnc client, you must set up a webserver to point at the websocket.
Beginning with vnc
Usage
Server
If the defaults are workable for you, basic usage is:
class { 'vnc::server':
  manage_services => true,
  vnc_servers     => {
    'userA' => {
      'comment'         => 'Optional comment',
      'displaynumber'   => 1,
      'user_can_manage' => true,
    },
  },
}
Or via Hiera:
vnc::server::manage_services: true
vnc::server::vnc_servers:
  userA:
    comment: Optional comment
    displaynumber: 1
    user_can_manage: true
The most interesting parameter is vnc::server::vnc_servers.
It has a structure of:
username:
  comment: (optional) comment
  displaynumber: The VNC screen, like 1, 2, 3, etc
  ensure: service ensure, default is 'running'
  enable: service enable, default is 'true'
  seed_home_vnc: make ~${username}/.vnc/config, default is `vnc::server::seed_user_vnc_config`
  extra_users_can_manage: [ usera, userb]
  user_can_manage: Boolean value to permit a user to run `systemctl restart vncserver@:#.service`
                   where the `#` is their listed displaynumber.
                   default value is from $vnc::server::user_can_manage
For hosts where a user's home is on a Kerberos-protected volume, you'll probably want to set seed_home_vnc = false, as the puppet process will not have access. This can also be set globally via vnc::server::seed_home_vnc.
The extra_users_can_manage parameter grants systemctl restart vncserver@:#.service to these users too. The user_can_manage boolean must be true for this to work.
Similarly, when "user home" is not accessible to unauthenticated systemd, you'll probably want to set vnc::server::manage_services = false.
You can directly export these sessions to noVNC via include vnc::server::export::novnc.
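The user_can_manage and extra_users_can_manage grant described above, sketched as a polkit rule. This is an added example, not the rules file this module generates: the names GRANTS, vncRestartRule and decide, the sample users, and the Result stand-in used when no polkit global exists are assumptions. It relies on systemd passing the unit and verb details with the org.freedesktop.systemd1.manage-units action.

```javascript
// Added sketch of a polkit rule for the restart grant; NOT the module's own
// 25-puppet-vncserver.rules content. GRANTS is constructed sample data.
var GRANTS = {
  // unit name -> users allowed to restart it (owner plus extra users)
  'vncserver@:1.service': ['userA', 'usera', 'userb']
};

// Outside polkitd (for example under node) there is no global `polkit`;
// these strings are a stand-in so the decision can be exercised directly.
var Result = (typeof polkit !== 'undefined')
  ? polkit.Result
  : { YES: 'yes', NOT_HANDLED: 'not_handled' };

// Decide one authorization request. Anything that is not an exact match on
// action, unit, verb and user falls through to the system default policy.
function vncRestartRule(action, subject) {
  if (action.id !== 'org.freedesktop.systemd1.manage-units') {
    return Result.NOT_HANDLED;
  }
  var unit = action.lookup('unit');
  var verb = action.lookup('verb');
  // hasOwnProperty keeps inherited keys such as "constructor" from matching.
  var allowed = Object.prototype.hasOwnProperty.call(GRANTS, unit)
    ? GRANTS[unit] : [];
  if (verb === 'restart' && allowed.indexOf(subject.user) !== -1) {
    return Result.YES;
  }
  return Result.NOT_HANDLED;
}

// Register the rule only when actually loaded by polkitd.
if (typeof polkit !== 'undefined') {
  polkit.addRule(vncRestartRule);
}

// Build a constructed request and return the rule's decision for it.
function decide(user, unit, verb, actionId) {
  var details = { unit: unit, verb: verb };
  var action = {
    id: actionId || 'org.freedesktop.systemd1.manage-units',
    lookup: function (key) { return details[key]; }
  };
  return vncRestartRule(action, { user: user });
}
```

Matching on both the unit and the verb is what keeps the grant from extending to other services or to stop, enable and similar operations.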
Client
Similarly, VNC clients can be loaded with:
class { 'vnc::client::gui': }
or
class { 'vnc::client::novnc': }
The noVNC client takes a parameter vnc_sessions with a format of:
vnc::client::novnc::vnc_servers:
  session_name: server:port
  other_session_name: server:otherport
By default token based configuration is used to let the webserver multiplex to a single websockify instance.
An example HTML list of configured sessions is written out to vnc::client::novnc::webserver_vnc_index.
Limitations
This requires the systemd units from tigervnc 1.11+.
You must manage your own firewall settings.
There are too many ways folks may want to set up the webserver, so no attempt is made here to provide hooks for the websockets proxy via httpd or nginx.
If you want to use the SSL wrapper for websockify, you are responsible for deploying the cert, key, and CA, and for setting the parameters you need.
Development
See the linked repo in metadata.json
Reference
Table of Contents
Classes
Public Classes
- vnc::client::gui: Install the VNC GUI clients
- vnc::client::novnc: Setup a websocket service for running the NoVNC interface
- vnc::server: Install and configure the tigervnc server
- vnc::server::export::novnc: Map defined VNC servers into NOVNC client
Private Classes
- vnc::client::novnc::config: Setup any token file or webserver index
- vnc::client::novnc::install: Install the novnc packages
- vnc::client::novnc::service: manage the websockify service
- vnc::server::config: Configure the VNC services
- vnc::server::install: Install the vnc server packages
- vnc::server::service: Ensure the VNC Server services are right
Classes
vnc::client::gui
Install the VNC GUI clients
Parameters
The following parameters are available in the vnc::client::gui class:
manage_packages
Data type: Boolean
Should this class manage the packages
packages
Data type: Array
List of packages to install
packages_ensure
Data type: String
Ensure state of the vnc client packages
vnc::client::novnc
Setup a websocket service for running the NoVNC interface
Parameters
The following parameters are available in the vnc::client::novnc class:
manage_packages
packages
packages_ensure
manage_service_config
websockify_config_dir
websockify_config_mode
websockify_token_plugin
websockify_token_source
websockify_auth_plugin
websockify_auth_source
websockify_service_user
websockify_service_group
websockify_service_dynamicuser
make_webserver_vnc_index
webserver_novnc_location
webserver_vnc_index
manage_service
websockify_command
websockify_service_name
websockify_service_ensure
websockify_service_enable
websockify_port
websockify_webroot
websockify_prefer_ipv6
websockify_use_ssl
websockify_use_ssl_only
websockify_ssl_ca
websockify_ssl_cert
websockify_ssl_key
vnc_servers
manage_packages
Data type: Boolean
Should this class manage the packages
packages
Data type: Array
List of packages to install
packages_ensure
Data type: String
Ensure state of the vnc server packages
manage_service_config
Data type: Boolean
should this class manage any config files?
websockify_config_dir
Data type: Stdlib::Absolutepath
where are config files kept
websockify_config_mode
Data type: String
what should the config mode be
websockify_token_plugin
Data type: String
what type of token plugin is in use
websockify_token_source
Data type: String
what is the data source for the token plugin if $websockify_token_plugin == 'TokenFile' or 'ReadOnlyTokenFile', this should be the filename
websockify_auth_plugin
Data type: String
what type of auth plugin is in use
websockify_auth_source
Data type: String
what is the data source for the auth plugin
websockify_service_user
Data type: String
User to run the service as
websockify_service_group
Data type: String
Group to run the service as
websockify_service_dynamicuser
Data type: Boolean
Use systemd dynamic users for this service
make_webserver_vnc_index
Data type: Boolean
Make a simple index file listing out known sessions
webserver_novnc_location
Data type: Stdlib::Absolutepath
What is the URL base for novnc (probably /novnc)
webserver_vnc_index
Data type: Stdlib::Absolutepath
Where should we write out the known session index?
manage_service
Data type: Boolean
Should this service be managed
websockify_command
Data type: Stdlib::Absolutepath
where is /usr/bin/websockify?
websockify_service_name
Data type: String
Name of service to manage
websockify_service_ensure
Data type: String
Ensure for service
websockify_service_enable
Data type: Boolean
Enable for service
websockify_port
Data type: Variant[String, Integer[0,65535]]
Port to listen on
websockify_webroot
Data type: Stdlib::Absolutepath
Webroot for service to use
websockify_prefer_ipv6
Data type: Boolean
Try IPv6 before IPv4
websockify_use_ssl
Data type: Boolean
Use an SSL certificate for websockify
websockify_use_ssl_only
Data type: Boolean
Only use SSL connections
websockify_ssl_ca
Data type: Stdlib::Absolutepath
SSL Certificate Authority for websockify
websockify_ssl_cert
Data type: Stdlib::Absolutepath
SSL certificate for websockify
websockify_ssl_key
Data type: Stdlib::Absolutepath
SSL key for websockify
vnc_servers
Data type: Hash
A hash of VNC servers to connect to. ie. {'session_name' => 'host:port'}
vnc::server
This class will install and configure the tigervnc server, setup defaults, and manage the services.
The default state is running/enabled, not user managed
Parameters
The following parameters are available in the vnc::server class:
manage_packages
packages
packages_ensure
manage_config
config_defaults_file
config_defaults
config_mandatory_file
config_mandatory
vncserver_users_file
polkit_file
polkit_file_mode
manage_services
user_can_manage
extra_users_can_manage
vnc_home_conf
seed_home_vnc
systemd_template_startswith
systemd_template_endswith
vnc_servers
manage_packages
Data type: Boolean
Should this class manage the packages
packages
Data type: Array
List of packages to install
packages_ensure
Data type: String
Ensure state of the vnc server packages
manage_config
Data type: Boolean
Should this class manage the config
config_defaults_file
Data type: Stdlib::Absolutepath
Your /etc/tigervnc/vncserver-config-defaults
config_defaults
Data type: Hash[String, Variant[String, Undef]]
Settings to put in /etc/tigervnc/vncserver-config-defaults
config_mandatory_file
Data type: Stdlib::Absolutepath
Your /etc/tigervnc/vncserver-config-mandatory
config_mandatory
Data type: Hash[String, Variant[String, Undef]]
Settings to put in /etc/tigervnc/vncserver-config-mandatory
vncserver_users_file
Data type: Stdlib::Absolutepath
Your /etc/tigervnc/vncserver.users
polkit_file
Data type: Stdlib::Absolutepath
Your /etc/polkit-1/rules.d/25-puppet-vncserver.rules
polkit_file_mode
Data type: String
Permissions for your /etc/polkit-1/rules.d/25-puppet-vncserver.rules. It should pretty much always be 644.
manage_services
Data type: Boolean
Should this class manage the vncserver services
user_can_manage
Data type: Boolean
Should users be able to manage the systemd service by default
extra_users_can_manage
Data type: Array[String]
Who else should be able to manage the VNC sessions
vnc_home_conf
Data type: Stdlib::Absolutepath
Where does VNC keep its config (/.vnc)
NOTE: MUST start with /
NOTE: MUST NOT end with /
seed_home_vnc
Data type: Boolean
Should this class generate a per-user ~/.vnc if it doesn't exist?
systemd_template_startswith
Data type: String
What does the vnc template service start with, including the '@'
systemd_template_endswith
Data type: String
What does the vnc template service end with (not including the '.')
vnc_servers
Data type: Hash[String, Hash[Enum['displaynumber', 'user_can_manage', 'seed_home_vnc', 'comment', 'ensure', 'enable', 'extra_users_can_manage'], Variant[Array[String], String, Integer, Boolean, Undef]]]
A hash of VNC servers to setup. Format:
userA:
  comment: Sometimes you've gotta write it down
  displaynumber: 1
  ensure: running
  enable: true
  user_can_manage: true
  seed_home_vnc: false
userB:
  displaynumber: 2
  ensure: stopped
  enable: false
  user_can_manage: false
vnc::server::export::novnc
Map defined VNC servers into NOVNC client
Examples
include vnc::server::export::novnc
Parameters
The following parameters are available in the vnc::server::export::novnc class:
vnc_server_hostname
Data type: String
Hostname to use as the default server target
Default value: 'localhost'
vnc_servers
Data type: Hash
Hash of vnc_servers to export. You probably should just let inheritance do the work here
Default value: $vnc::server::vnc_servers
Changelog
All notable changes to this project will be documented in this file.
Release 3.0.1
Features
- Permit puppet-systemd v8
Release 3.0.0
Breaking Changes
- Require stdlib 9.x
Release 2.3.7
Features
- Add hostname to static html file
Release 2.3.6
Bugfix
- Puppet 7 and Puppet 8 respond differently when using mix of unless and onlyif
Release 2.3.5
Bugfix
- Fix backwards logic on link test
Release 2.3.4
Bugfix
- Forgot to commit
,
Release 2.3.3
Bugfix
- don't try to change mode of symbolic link
Release 2.3.2
Bugfix
- Fix doc typos
Release 2.3.1
Bugfix
- Fix doc in config files
- Update dependencies
Release 2.3.0
Features
- Add support for setting vnc home config to ~/.local/config or something else
Release 2.2.0
Features
- Add support for extra users who can manage the service
Release 2.1.0
Features
- Add suse support
Release 2.0.1
Bugfixes
- Permit passing undef to vnc server parameters
Release 2.0.0
Breaking Change
- Ports less than 100 passed to websockify will be prefixed with 59
Features
- Added class to directly export VNC Servers to novnc/websockify
Release 1.2.0
Features
- Added flag for setting config mode
Release 1.1.0
Features
- Added switch for dynamic users under websockify service
- Note compat with puppet-systemd 6.x
Release 1.0.2
Features
- Note puppet8 support
Release 1.0.1
Features
- Note stdlib 9.x.x support
Release 1.0.0
Breaking Change
- Switch to stdlib::crc32, requires stdlib >= 8.6.0
Release 0.4.0
Bugfixes
- Polkit tends to like world readable policy files.
Release 0.3.3
Bugfixes
- fix typo in vncpasswd
Release 0.3.2
Bugfixes
- fix template output when comments are missing
Release 0.3.1
Features
- Added global param to set default for user managed services
Release 0.3.0
Features
- Ability to not make ~/.vnc dirs per user
- Ability to not make ~/.vnc dirs in general
Release 0.2.1
Features
- Note compatibility with puppet/systemd 4.x.x
Release 0.2.0
Features
- Added minimal novnc support (just websockify really)
Release 0.1.2
Bugfixes
- Typo in homedir search
Release 0.1.1
Bugfixes
- Some template values had extra =
Release 0.1.0
Features
- Initial Release
Roadmap
- Add a novnc option
Bugfixes
Known Issues
Dependencies
- puppetlabs/concat (>= 4.2.0 < 10.0.0)
- puppetlabs/stdlib (>= 9.0.0 < 10.0.0)
- puppet/systemd (>= 5.0.0 < 9.0.0)