Self-hosted Linux VDI w/ no cloud portal (for security)
Posted by sarctastic@reddit | linuxadmin | View on Reddit | 11 comments
Any recommendations on the best way to provide a small cluster of higher-end virtual desktops for developer use? Looking at a configuration of 16-24GB and 8 vCPU per VM, each of which will host a set of docker containers during builds and unit testing. Responsiveness and easy of management are top priorities (after security). GPU sharing would be nice, but not absolutely essential for our current workflow.
The key thing is that I REALLY don't want to expose a public portal so something self-hosted that can be accessed via a VPN or ZT. I'm not necessarily limited to or even inclined to go with a completely FOSS solution because I need to share the admin of the system with others. (On the other hands, I'm I'm not eager to throw any more money at VMware/Broadcom.)
I've used xRDP, VNC and Gnome's RDP, but I'm looking for something more manageable and a better user experience. I've also reviewed a few other solutions at a high-level (KasmWeb, X2Go, NoMachine, ThinLinc, and some others.)
Any advice would be greatly appreciated!
Cendio@reddit
u/sarctastic We ended up finding this comment because we saw the mention about ThinLinc, quite late, sorry. We are happy to advise you if you still need information.
SWE_Admin@reddit
Hey! ThinLinc employee here. ThinLinc would totally deliver on this. If your team is < 10 people, our free tier would suffice. It's not limited in any functionality, but you get no paid support :)
SWE_Admin@reddit
The only protocol you'd need to expose to the outside would be SSH. Also, if the environment is behind NAT there's some extra steps that needs to be taken, but nothing major.
SurfRedLin@reddit
So your VMS run docker and are Linux machines. Why not use ssh ? Its basicly made for this. Also we have good experiences with x2go but we only use it in the b local lan. I would use a VPN to connect to the cluster and then ssh to get to the individual machines. With wireguard there is even no port exposed to the outside world. Also use sshkeys of course.
sarctastic@reddit (OP)
One of the options we were discussing was to use IntelliJ Remote Development / VS Code Remote Development, but they occasionally the devs need a local browser for application testing, so we're stuck providing a full desktop experience.
WildManner1059@reddit
Try vnc over ssh. If it still works.
Have you looked at Guacamole? Not sure if it can be run more securely than RDP/xRDP. I think it does RDP over an ssh tunnel.
Xipher@reddit
I've used SSH to act as a SOCKS proxy to a remote host, but that's assuming your testing doesn't require some customization to the browser itself which isn't reproducible from the remote developers end.
NaturalReply@reddit
I'm curious why wouldn't a simple VPN work for this? You can do this at the firewall level and even enforce 2FA on it for security, then allow each developer access to their own virtual machines via whatever method you want (SSH, NoMachine, etc). You can then host the virtual machines on whatever infrastructure you have or get dedicated rack workstations with GPUs if needed.
speedy19981@reddit
I sadly had not enough hardware to justify a setup of it but I am highly intrigued by https://github.com/UPC/ravada.
A few months back I gave it a push with translations in German but I never got around to deploying it. As it is university backed it will not be the most shiny one but it should get the job done just fine.
sarctastic@reddit (OP)
Thanks for the recommendation. I've seen Ravada mentioned favorably a couple of times, but I've had a hard time finding any useful resources to evaluate it without actually installing it.
The documentation seems bit primitive (by comparison) and the most recent YT videos are 3-4 years old and most are over 6 years old. Despite all that, it's clear that it's actively maintained, based on their github page.
CyberKiller40@reddit
I recall Xen had a product for this use case. And if not self hosting, then AWS Cloud9 is a pretty good offering for development. OVH also has something for this, might be cheaper.