KASM Workspace Experience and Notes

KASM

KASM is a workspace streaming platform:

it streams your workspace from any location straight to the web browser on any device. It is partly open source. It runs in setups such as work-from-home and secure computing / analysis environments. A remote desktop can be opened from a web page, and because it uses containers it is also fairly fast. The project also provides some data protection measures.

offline KASM installation

Install Docker first, then install KASM. Download into /tmp, because install.sh below is given the image tarballs by their /tmp paths:

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_service_images_amd64_1.15.0.06fdc8.tar.gz
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_workspace_images_amd64_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh --offline-workspaces /tmp/kasm_release_workspace_images_amd64_1.15.0.06fdc8.tar.gz --offline-service /tmp/kasm_release_service_images_amd64_1.15.0.06fdc8.tar.gz

When the installation completes it prints:

Kasm UI Login Credentials

------------------------------------
  username: admin@kasm.local
  password: ddddddd
------------------------------------
  username: user@kasm.local
  password: ddddddd
------------------------------------

Kasm Database Credentials
------------------------------------
  username: kasmapp
  password: ddddddd
------------------------------------

Kasm Redis Credentials
------------------------------------
  password: ddddddd
------------------------------------

Kasm Manager Token
------------------------------------
  password: ddddddd
------------------------------------

Kasm Guac Token
------------------------------------
  password: ddddddd
------------------------------------

Service Registration Token
------------------------------------
  password: ddddddd
------------------------------------

Keep these safe; some of the later configuration steps will need them.

DLP (Data Loss Prevention) measures

KASM provides Data Loss Prevention protections, for example

watermark

https://kasmweb.com/docs/latest/how_to/kasmvnc_dlp_policies.html

watermark implementation

group->all user->file mapping

network:
  ssl:
    pem_certificate: ${HOME}/.vnc/self.pem
    pem_key: ${HOME}/.vnc/self.pem
  udp:
    public_ip: 127.0.0.1
data_loss_prevention:
  watermark:
    repeat_spacing: 50
    tint: 200,200,235,60
    text:
      template: "TRE UserID ${KASM_USER} (${KASM_ID}) at %F %H:%M"
      font: auto
      font_size: 36
      timezone_name: Asia/Taipei

file download / upload, clipboard ... data-transfer restrictions

https://kasmweb.com/docs/latest/security/data_loss_prevention.html#group-settings

session recording (desktop recording)

https://kasmweb.com/docs/latest/guide/session_recording.html

Session recording is configured but not licensed. Will not enable. // requires a paid license!

Pricing can be found here
https://www.kasmweb.com/server-checkout

session recording implementation

settings -> global -> Session Recording

access key & secret key
path:
s3://kasm@tos.nchahahahc.org.tw/session-record/{user_id}/{image_friendly_name}-{start_date}.mp4

enable activation code // costs money!

Architecturally, if a more secure environment is needed, the usual approach is

multi-server architecture

https://kasmweb.com/docs/latest/install/multi_server_install.html
https://kasmweb.com/docs/latest/guide/compute/pools.html

Basically what is needed is a Docker agent.
Find a Linux Ubuntu 22.04 host; it does not need a public IP, a private IP is fine.
Install the agent:

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.15.0.06fdc8.tar.gz
tar -xf kasm_release_1.15.0.06fdc8.tar.gz
sudo bash kasm_release/install.sh --role agent --public-hostname [AGENT_HOSTNAME] --manager-hostname [MANAGER_HOSTNAME] --manager-token [MANAGER_TOKEN]

MANAGER_HOSTNAME : kasm.hahaha.org
MANAGER_TOKEN : ddddddd
AGENT_HOSTNAME : 192.168.1.130

After installation, back in the admin UI you can see the agent has been added automatically.

At this point containers cannot yet be scheduled to it; it needs to be added to a pool.

After that, workspaces will be distributed across the pool.

IME

Enable input-method switching; only after enabling it does switching between input methods work properly.
https://kasmweb.com/docs/latest/how_to/ime.html

keep data

Enable home-directory persistence
https://kasmweb.com/docs/latest/guide/persistent_data.html

persistent data implementation

settings -> global -> Storage

group setting for allow_persistent_profile should be enabled

Persistent Profile Path
s3://kasm@tos.hahaha.org.tw/user-profile/{username}/{image_id}/

persistent data for every workspace and size limit

Docker Run Config Override (JSON)

{
  "hostname": "kasm",
  "extra_hosts": {
    "proxy.ha.ha.org.tw": "192.168.139.101"
  },
  "environment": {
    "KASM_PROFILE_SIZE_LIMIT": "20000"
  }
}

custom network

https://kasmweb.com/docs/latest/how_to/bridged_network_source_nat.html

The key is:

-A POSTROUTING -s 172.19.0.0/16 -d 203.145.220.209/32 ! -o z_custom_a -j SNAT --to-source 192.168.0.89

Custom network for agent implementation

ip a

2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 8942 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:d8:b9:62 brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 192.168.0.202/24 metric 100 brd 192.168.0.255 scope global dynamic ens3
       valid_lft 39485sec preferred_lft 39485sec
    inet6 fe80::f816:3eff:fed8:b962/64 scope link
       valid_lft forever preferred_lft forever

sudo docker network create \
    --driver bridge \
    --attachable \
    --opt "com.docker.network.bridge.name"="z_custom_a" \
    --opt "com.docker.network.bridge.enable_ip_masquerade"="false" \
    z_custom_a

ubuntu@instance-agent-1:~$ sudo docker inspect z_custom_a | grep Subnet
                    "Subnet": "172.20.0.0/16",

ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 192.110.139.101 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 10.231.0.0/16 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
ubuntu@instance-agent-1:~$ sudo iptables -t nat -A POSTROUTING -s 172.20.0.0/16 -d 192.168.0.0/16 ! -o z_custom_a -j SNAT --to-source 192.168.0.202
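The three SNAT rules above, as an added example that is not part of the original notes: a small POSIX shell script that reads the bridge subnet from docker, generates one rule per destination and applies each only if it is not already present. The bridge name, host address and destinations are the ones from the notes; the script structure, the DRY_RUN switch and the subnet fallback are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): build the per-destination SNAT rules for a
# Kasm agent's custom bridge (masquerade disabled) and apply them without duplicates.
# Constructed values: bridge z_custom_a, host address 192.168.0.202 and the three
# destinations from the notes; the subnet comes from `docker network inspect` when available.

BRIDGE="${BRIDGE:-z_custom_a}"
SRC_IP="${SRC_IP:-192.168.0.202}"
DESTINATIONS="${DESTINATIONS:-192.110.139.101 10.231.0.0/16 192.168.0.0/16}"
DRY_RUN="${DRY_RUN:-1}"   # set DRY_RUN=0 (as root) to really program the nat table

# Subnet docker assigned to the bridge; falls back to $SUBNET (or the notes' value) offline.
bridge_subnet() {
    out=""
    if command -v docker >/dev/null 2>&1; then
        out=$(docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' "$1" 2>/dev/null)
    fi
    if [ -n "$out" ]; then echo "$out"; else echo "${SUBNET:-172.20.0.0/16}"; fi
}

# One POSTROUTING rule spec: container subnet -> DEST, leaving on anything but the bridge
# itself, rewritten to the host address. "! -o bridge" leaves container-to-container traffic alone.
snat_rule() { # $1 subnet  $2 destination  $3 bridge  $4 source ip
    printf 'POSTROUTING -s %s -d %s ! -o %s -j SNAT --to-source %s\n' "$1" "$2" "$3" "$4"
}

# Apply a rule only if `iptables -C` reports it absent, so re-running after a reboot or a
# docker restart does not stack duplicates. Prints instead of applying in dry-run mode,
# when not root, or when iptables is missing.
apply_rule() {
    spec="$1"
    if [ "$DRY_RUN" != "0" ] || [ "$(id -u)" != "0" ] || ! command -v iptables >/dev/null 2>&1; then
        echo "dry-run: iptables -t nat -A $spec"; return 0
    fi
    # shellcheck disable=SC2086  (the spec is intentionally word-split into arguments)
    iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
}

main() {
    subnet=$(bridge_subnet "$BRIDGE")
    for dest in $DESTINATIONS; do
        apply_rule "$(snat_rule "$subnet" "$dest" "$BRIDGE" "$SRC_IP")"
    done
}

main
```

The nat rules are not persistent across reboots, which is why the script is written to be re-run safely (for example from a boot-time unit) rather than appended by hand as in the session above.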

As for the other features, I have used them in some of my production deployments, and they feel good!

external_proxy: protection through a proxy

https://kasmweb.com/docs/latest/how_to/external_proxy.html

SAML authentication

https://kasmweb.com/docs/latest/guide/saml_authentication.html

workspace registry

https://github.com/kasmtech/workspaces_registry_template
https://github.com/kasmtech/workspaces_registry_template?tab=readme-ov-file
https://github.com/Thomas-Tsai/kasm_registry/actions
https://blog.libthomas.org/kasm_registry/1.0/

custom image

build proxy desktop
https://kasmweb.com/docs/latest/how_to/external_proxy.html
add custom image to custom workspace
https://github.com/kasmtech/workspaces_registry_template?tab=readme-ov-file#5-creating-workspaces

Although it is not fully open-source software, the project has released quite a few open-source components in good faith; for a non-profit organization, using it within the client-count limit is not a problem.