On Fri, Sep 6, 2024 at 9:11 AM danonymous <d87130...@gmail.com> wrote:

> I am running guacamole within a k8s environment and followed the guacamole
> docker installation guide. It generally works fine and the connection can
> be displayed. There is an error happening that leads occasionally to having
> to reload the main page in the browser.
>
> My setup:
> * HEADER_ENABLED=true is configured (see
> https://guacamole.apache.org/doc/gug/guacamole-docker.html#header-authentication)
> * Postgres is configured and works.
>
> This is the guacamole.conf that is appended to the docker mechanism that
> adds the basic configuration controlled by the env variable HEADER_ENABLE.
> ```
>     http-auth-header: X-Auth-USER
>
>     postgresql-hostname: guacamole-db-v2
>     postgresql-database: guacamole
>     postgresql-username: $POSTGRES_GUACAMOLE_USERNAME
>     postgresql-password: $POSTGRES_GUACAMOLE_PASSWORD
>
>     postgresql-default-max-connections: 12
>     postgresql-default-max-group-connections: 12
>     postgresql-default-max-connections-per-user: 12
>     postgresql-default-max-group-connections-per-user: 12
>     postgresql-absolute-max-connections: 120
>     postgresql-user-required: false
>     postgresql-auto-create-accounts: true
> ```
>
> The problem:
>
> * On the web frontend when I look at the list of possible connections I
> get this error in the browser console:
> ```
> Session not associated with authentication provider "header".
> ```
> The URL that fails is:
> `https://<internal guacamole url>/guacamole/api/session/data/header/users/<myuser>`
> * Very rarely the page would error out and I need to reload the page.
> * My interpretation is that this is related to the session association.
>
> I cannot find any pointers in troubleshooting etc that help me.
> Does anyone know what is going on?
>
>
I suspect that you're either running multiple containers and trying to load
balance between them for the front end, or, if you're not trying to do any
active load balancing, you've got some sort of situation where K8s is
detecting a situation where it needs to reload and swap over to a new
container for the front-end, which is resulting in the session getting lost.

Guacamole currently does not support any sort of session synchronization
between multiple front-end instances - the sessions are stored completely
in-memory, not in any sort of a database, and so one front-end instance
(container, in your case) does not "know" about the sessions for another
container. If, for some reason, a client gets sent to a different container
instance than they logged into, the behavior you're seeing will be the
result.

Your possible solutions, at the moment, are:
* Only use a single container for the Guacamole Client front-end.
* Make sure whatever load balancing algorithm you use "sticks" clients to
the same container every time, which should mostly avoid this error.

-Nick
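
The two options listed in the reply above, sketched as Kubernetes manifests. This is an added example, not part of the original thread and not configuration from the Guacamole project. It assumes the ingress-nginx controller and an existing Service named `guacamole` on port 8080; all names, labels, the host and the cookie name are placeholders.

```yaml
# Option 1: a single front-end pod, so every request reaches the one
# instance that holds the in-memory session.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacamole                 # assumed name
spec:
  replicas: 1
  selector:
    matchLabels: {app: guacamole}
  template:
    metadata:
      labels: {app: guacamole}
    spec:
      containers:
        - name: guacamole
          image: guacamole/guacamole   # assumed image reference
          ports:
            - containerPort: 8080
---
# Option 2: several replicas behind cookie-based stickiness, so a browser
# keeps reaching the pod it authenticated against (assumes ingress-nginx).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guacamole
  annotations:
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
    nginx.ingress.kubernetes.io/session-cookie-name: "GUAC_ROUTE"  # constructed name
spec:
  ingressClassName: nginx
  rules:
    - host: guacamole.example.internal   # placeholder host
      http:
        paths:
          - path: /guacamole
            pathType: Prefix
            backend:
              service:
                name: guacamole          # assumed existing Service
                port:
                  number: 8080
```

Because sessions live only in the memory of each front-end instance, neither option keeps a session alive when its pod is restarted or replaced.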
