KASM
KASM is a workspace streaming platform:
it streams your workspace from any location straight to a web browser on any device. It is partly open source. It is used in settings such as work-from-home and secure computing environments for analysis platforms. The remote desktop is opened through a web page, and because it runs in containers it is also fairly fast. The project also provides a number of data protection measures.
offline KASM installation
Install Docker first, then install KASM:
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_service_images_amd64_1.15.0.06fdc8.tar.gz
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_workspace_images_amd64_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh --offline-workspaces /tmp/kasm_release_workspace_images_amd64_1.15.0.06fdc8.tar.gz --offline-service /tmp/kasm_release_service_images_amd64_1.15.0.06fdc8.tar.gz
When the installation finishes it prints:
Kasm UI Login Credentials
------------------------------------
username: admin@kasm.local
password: ddddddd
------------------------------------
username: user@kasm.local
password: ddddddd
------------------------------------
Kasm Database Credentials
------------------------------------
username: kasmapp
password: ddddddd
------------------------------------
Kasm Redis Credentials
------------------------------------
password: ddddddd
------------------------------------
Kasm Manager Token
------------------------------------
password: ddddddd
------------------------------------
Kasm Guac Token
------------------------------------
password: ddddddd
------------------------------------
Service Registration Token
------------------------------------
password: ddddddd
------------------------------------
Keep these safe; some of the later configuration steps need them.
DLP (Data Loss Prevention) measures
KASM provides Data Loss Prevention protections, for example:
watermark
https://kasmweb.com/docs/latest/how_to/kasmvnc_dlp_policies.html
watermark implementation
Groups -> All Users -> File Mapping, with the following KasmVNC YAML:
network:
  ssl:
    pem_certificate: ${HOME}/.vnc/self.pem
    pem_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  watermark:
    repeat_spacing: 50
    tint: 200,200,235,60
    text:
      template: "TRE UserID ${KASM_USER} (${KASM_ID}) at %F %H:%M"
      font: auto
      font_size: 36
      timezone_name: Asia/Taipei
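As an added example (not KasmVNC's code), this Python previews the text the watermark template above produces for a session, so the string can be checked before rolling the YAML out to a group. It assumes KasmVNC expands ${VAR} from the session environment and then strftime codes in timezone_name, which is what the template implies; the session values are constructed.

```python
from datetime import datetime, timedelta, timezone
from string import Template
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Template taken from the kasmvnc YAML above
TEMPLATE = "TRE UserID ${KASM_USER} (${KASM_ID}) at %F %H:%M"
# Constructed instant used for the sample below: 2024-05-01 12:00 UTC
SAMPLE_INSTANT = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def render_watermark(template, session_env, when, tz_name):
    """Substitute ${VAR} first, then apply strftime in the configured zone.
    A '%' inside a substituted value is doubled so strftime prints it
    literally instead of misreading it as a format code; an unknown ${X}
    is left in place rather than raising."""
    safe_env = {k: v.replace("%", "%%") for k, v in session_env.items()}
    text = Template(template).safe_substitute(safe_env)
    try:
        tz = ZoneInfo(tz_name)
    except ZoneInfoNotFoundError:
        if tz_name != "Asia/Taipei":
            raise
        tz = timezone(timedelta(hours=8))  # Taiwan has no DST, so a fixed +08:00 is exact
    return when.astimezone(tz).strftime(text)


def sample_render():
    """Render the page's template with constructed session values."""
    env = {"KASM_USER": "alice@example.org", "KASM_ID": "session-0001"}
    return render_watermark(TEMPLATE, env, SAMPLE_INSTANT, "Asia/Taipei")


if __name__ == "__main__":
    print(sample_render())
```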
file download / upload / clipboard ... data transfer restrictions
https://kasmweb.com/docs/latest/security/data_loss_prevention.html#group-settings
session recording (desktop recording)
https://kasmweb.com/docs/latest/guide/session_recording.html
Session recording is configured but not licensed. Will not enable. // this requires a paid license!
Pricing is listed here:
https://www.kasmweb.com/server-checkout
session recording implementation
Settings -> Global -> Session Recording
access key & secret key
path:
s3://kasm@tos.nchahahahc.org.tw/session-record/{user_id}/{image_friendly_name}-{start_date}.mp4
enable activation code // this costs money!
Architecturally, when a more secure environment is required, the usual approach is:
multi server (multi-host) architecture
https://kasmweb.com/docs/latest/install/multi_server_install.html
https://kasmweb.com/docs/latest/guide/compute/pools.html
Basically what is needed is a Docker agent.
Pick a Linux host (Ubuntu 22.04); it does not need a public IP, a private IP is fine.
Install the agent:
cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh --role agent --public-hostname [AGENT_HOSTNAME] --manager-hostname [MANAGER_HOSTNAME] --manager-token [MANAGER_TOKEN]
MANAGER_HOSTNAME : kasm.hahaha.org
MANAGER_TOKEN : ddddddd
AGENT_HOSTNAME : 192.168.1.130
After installation, back in the admin UI you can see that the agent has been added automatically.
At this point containers cannot be dispatched to it yet; it has to be added to a pool.
After that, workspaces are distributed across the pool.
IME
Enable input method switching; switching input methods only works correctly once this is enabled.
https://kasmweb.com/docs/latest/how_to/ime.html
keep data
Enable home directory persistence
https://kasmweb.com/docs/latest/guide/persistent_data.html
persistent data implementation
Settings -> Global -> Storage
The group setting allow_persistent_profile should be enabled.
Persistent Profile Path
s3://kasm@tos.hahaha.org.tw/user-profile/{username}/{image_id}/
persistent data for every workspace, with a size limit
Docker Run Config Override (JSON)
{
  "hostname": "kasm",
  "extra_hosts": {
    "proxy.ha.ha.org.tw": "192.168.139.101"
  },
  "environment": {
    "KASM_PROFILE_SIZE_LIMIT": "20000"
  }
}
custom network
https://kasmweb.com/docs/latest/how_to/bridged_network_source_nat.html
The key rule is:
-A POSTROUTING -s 172.19.0.0/16 -d 203.145.220.209/32 ! -o z_custom_a -j SNAT --to-source 192.168.0.89
Custom network for an agent: implementation
ip a
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8942 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d8:b9:62 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.0.202/24 metric 100 brd 192.168.0.255 scope global dynamic ens3
       valid_lft 39485sec preferred_lft 39485sec
    inet6 fe80::f816:3eff:fed8:b962/64 scope link
       valid_lft forever preferred_lft forever
sudo docker network create \
--driver bridge \
--attachable \
--opt "com.docker.network.bridge.name"="z_custom_a" \
--opt "com.docker.network.bridge.enable_ip_masquerade"="false" \
z_custom_a
ubuntu@instance-agent-1:~$ sudo docker inspect z_custom_a | grep Subnet
"Subnet": "172.20.0.0/16",
ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 192.110.139.101 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
ubuntu@instance-agent-1:~$
ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 10.231.0.0/16 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 192.168.0.0/16 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
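The three SNAT rules above are appended with -A, so re-running them after a reboot or a second agent build duplicates rules. As an added example (not Kasm's code), this Python derives the bridge subnet from `docker inspect`, generates one rule per allowed destination in the form iptables-save prints, and reports only the rules that are not present yet; the `docker inspect` and `iptables-save -t nat` samples are constructed.

```python
import ipaddress
import json

BRIDGE = "z_custom_a"        # bridge name given to `docker network create` above
AGENT_IP = "192.168.0.202"   # the agent's ens3 address, used as the SNAT source
# Destinations the containers may reach, taken from the three rules above
ALLOWED_DESTS = ["192.110.139.101", "10.231.0.0/16", "192.168.0.0/16"]

# Constructed sample of `docker inspect z_custom_a`, trimmed to the IPAM part
DOCKER_INSPECT = json.dumps(
    [{"Name": BRIDGE, "IPAM": {"Config": [{"Subnet": "172.20.0.0/16"}]}}])
# Constructed sample of `iptables-save -t nat` with only the first rule present
IPTABLES_SAVE_NAT = """*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.20.0.0/16 -d 192.110.139.101/32 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
COMMIT
"""


def subnet_from_inspect(inspect_json, name):
    """Subnet of the named network, as `docker inspect` reports it."""
    for net in json.loads(inspect_json):
        if net.get("Name") == name:
            return net["IPAM"]["Config"][0]["Subnet"]
    raise KeyError(f"docker network {name} not found")


def snat_rules(subnet, dests, bridge, src_ip):
    """One POSTROUTING SNAT rule per allowed destination, written the way
    iptables-save prints it (hosts as /32) so the strings compare equal."""
    ipaddress.ip_network(subnet)  # reject a malformed subnet before emitting anything
    return [f"-A POSTROUTING -s {subnet} -d {ipaddress.ip_network(d).with_prefixlen}"
            f" ! -o {bridge} -j SNAT --to-source {src_ip}" for d in dests]


def missing_rules(iptables_save_nat, wanted):
    """Rules from `wanted` that the saved nat table does not contain yet."""
    present = {line.strip() for line in iptables_save_nat.splitlines()}
    return [r for r in wanted if r not in present]


def apply_commands(rules):
    """Shell commands that add only the missing rules, so re-runs are idempotent."""
    return [f"sudo iptables -t nat {r}" for r in rules]


if __name__ == "__main__":
    wanted = snat_rules(subnet_from_inspect(DOCKER_INSPECT, BRIDGE), ALLOWED_DESTS, BRIDGE, AGENT_IP)
    print("\n".join(apply_commands(missing_rules(IPTABLES_SAVE_NAT, wanted))))
```

On a real agent, feed it the output of `sudo docker inspect z_custom_a` and `sudo iptables-save -t nat` instead of the constructed samples.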
As for the other features, I use them in some of my production deployments and they work well!
external_proxy: protection through a proxy
https://kasmweb.com/docs/latest/how_to/external_proxy.html
SAML authentication
https://kasmweb.com/docs/latest/guide/saml_authentication.html
workspace registry
https://github.com/kasmtech/workspaces_registry_template
https://github.com/kasmtech/workspaces_registry_template?tab=readme-ov-file
https://github.com/Thomas-Tsai/kasm_registry/actions
https://blog.libthomas.org/kasm_registry/1.0/
custom image
build proxy desktop
https://kasmweb.com/docs/latest/how_to/external_proxy.html
add custom image to custom workspace
https://github.com/kasmtech/workspaces_registry_template?tab=readme-ov-file#5-creating-workspaces
Although it is not fully open-source software, the project has released a good number of open-source components in good faith, and for a non-profit organisation, using it within the client-count limit is no problem.