ThinLinc server and client installation
ThinLinc is a remote desktop server from Cendio. Server and Client software is available on the Download page. See also the Documentation and Support pages.
ThinLinc server on RHEL/CentOS 7
Install the server
Download the ThinLinc Server Bundle from Cendio after registering with them. Installation of the server software:
unzip tl-4.8.0-server.zip
cd tl-4.8.0-server
./install-server
NOTICE:
SELinux systems (RHEL/CentOS) require settings of files in
/opt/thinlinc
, so installation must be in that directory (soft-links will break the setup).CentOS: A warning will be issued that CentOS 7 is not supported.
To rerun the ThinLinc configuration setup script do:
/opt/thinlinc/sbin/tl-setup
Many additional RPMs will be installed on the system, and configuration of the firewall and SELinux.
Read the ThinLinc_selinux page about installation of ThinLinc on an SELinux-enabled platform.
The SELinux module and other policy changes performed can be examined in /opt/thinlinc/share/selinux
.
Execute the command:
/opt/thinlinc/share/selinux/install
to reapply ThinLinc’s policy changes.
If you don’t run an Apache web-server, some installation warnings will be issued. A web-server is actually not required for normal operation, for more on that topic see Web Integration and HTML5 Browser Client.
Uninstall server
If necessary you can uninstall the server packages by:
yum remove thinlinc*
License installation
By default there are 5 user licenses (hard limit is 6). We can get additional licenses from Bernd Dammann (DTU Compute).
License installation instructions are in https://www.cendio.com/resources/docs/tag/ch04s03.html:
Transfer each file to your ThinLinc master server and place it in
/opt/thinlinc/etc/licenses/
.After adding new license files, either restart VSM Server by running:
/opt/thinlinc/libexec/service vsmserver restart
or wait until the VSM Server automatically reads in the new licenses, something that happens once every 12 hours.
Check the licenses by:
/opt/thinlinc/sbin/tl-show-licenses
See also the log file /var/log/thinlinc-user-licenses
.
Configure hostname
If the server has multiple network interfaces, you may have to configure the primary hostname in /opt/thinlinc/etc/conf.d/vsmagent.hconf
, for example:
agent_hostname=XXX.fysik.dtu.dk
and restart the agent service.
Daemon services
Several daemon processes are started:
python-thinlinc /opt/thinlinc/sbin/vsmagent
python-thinlinc /opt/thinlinc/sbin/tlwebaccess
/u/opt/thinlinc/libexec/tlstunnel --port 300 --sock /var/run/thinlinc/tlwebaccess-notls.sock --tls-sock /var/run/thinlinc/tlwebaccess-tls.sock --cert /opt/thinlinc/etc/tlwebaccess/server.crt --certkey /opt/thinlinc/etc/tlwebaccess/server.key --logname tlwebaccess --priority NORMAL:-VERS-SSL3.0
python-thinlinc /opt/thinlinc/sbin/vsmserver
Check the daemons status by:
systemctl status vsmserver vsmagent tlwebadm tlwebaccess
The daemon logfiles are:
/var/log/tlwebaccess.log
/var/log/tlwebadm.log
/var/log/vsmagent.log
/var/log/vsmserver.log
and other relevant logfiles are:
/var/log/thinlinc-install.log
/var/log/thinlinc-user-licenses
/var/log/tlsetup.log
Firewall ports
Network setup is documented in Preparing the Network for ThinLinc Installation.
Several firewall ports are opened by the ThinLinc Server installation,
see the service files /etc/firewalld/services/tl*
which are referred to in /etc/firewalld/zones/public.xml
.
The page TCP Ports Used by ThinLinc
and A.2. On Machine Running VSM Agent
say that the following TCP ports must be opened in the firewall of the ThinLinc VSM server:
22: SSH Daemon
300: ThinLinc HTML5 Browser Client
904: VSM Agent
1010: ThinLinc Administration Interface (tlwebadm)
9000: VSM server
If users are supposed to be able to connect using a web browser, using the ThinLinc HTML5 Browser Client, they must be able to connect to port 300 on both the VSM server and on all VSM agents.
To list the current firewall configuration run:
iptables-save
Only port 22 required
All that’s required for a ThinLinc Client to connect to a Server is an open port 22 (SSH). The other additional ports mentioned above are not required for simple client access via SSH (by default port 22).
If port 22 is all you need, you may remove the other ThinLinc firewalld services. List active services by:
firewall-cmd --list-services
To remove the ThinLinc services permanently do:
firewall-cmd --permanent --remove-service={tlagent,tlmaster,tlwebaccess,tlwebadm}
Adding desktops
If your server has a minimal CentOS/RHEL installation without a GNOME or other desktop, the ThinLinc client login won’t have any available desktops.
Install GNOME (NOTICE: puts a heavy load on the server) by:
yum groups install "GNOME Desktop"
Install Xfce Desktop Environment (lightweight desktop). For CentOS first add the EPEL repository:
yum install epel-release
then install Xfce:
yum groups install "Xfce"
On CentOS 6 use yum groupinstall in stead of yum groups install.
ThinLinc server parameters
Sometimes the ThinLinc server parameters need reconfiguration, and configuration files are in /opt/thinlinc/etc/conf.d/
.
See the manual section 14.2. Server Configuration Parameters.
Multiple network interfaces
If the server has multiple network interfaces, it may be necessary to specify which hostname clients connect to in the file vsmagent.hconf
:
# Public hostname; the hostname that clients are redirected to. If not
# defined, the agent will use the computer's IP address.
agent_hostname=server.example.com
This is documented in 3.3. Preparing the Network for ThinLinc Installation section 3.3.4.3. Configuring the VSM Agents
Error condition on RHEL/CentOS 7
Even though the ThinLinc server apparently has installed correctly, clients are unable to connect to it but give an error message:
ThinLinc login failed (No agent server was available)
In the /var/log/messages
syslog you may see a message like:
python: SELinux is preventing /u/opt/thinlinc/libexec/tl-session from using the transition access on a process.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that tl-session should be allowed transition access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
grep tl-session /var/log/audit/audit.log | audit2allow -M mypol; semodule -i mypol.pp
You should make sure that ThinLinc has been installed in the default /opt/thinlinc directory (soft-links not permitted).
If you want to check if SELinux is causing troubles, you can temporarily turn SELinux off and on by:
setenforce 0 # Turn SELinux off
setenforce 1 # Turn SELinux on
ThinLinc client installation
Client software is available on the Download page for many operating systems.
CentOS 7 client
The 64-bit Linux RPM should be installed:
yum install https://www.cendio.com/downloads/clients/thinlinc-client-4.XXX.x86_64.rpm
(replace the XXX version number by the current version).
Start the ThinLinc client by:
tlclient
ThinLinc client problems
NOTICE: When starting up ThinLinc with the GNOME desktop, a warning pops up:
Authentication Required
Authentication is required to create a color managed device
and the client host’s superuser password is required for Authentication. However, you may also just type Cancel.
This problem seems to be a GNOME bug.