Tags: google-app-engine, docker, vnc, managed-vm, google-managed-vm

Possible? How to set up VNC in a Google Managed VM Environment


I'm using Java but this isn't necessarily a Java question. Google's "java-compat" image is Debian (3.16.7-ckt20-1+deb8u3~bpo70+1 (2016-01-19)).

Here is my Dockerfile:

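FROM gcr.io/google_appengine/java-compat
# Install curl, the virtual framebuffer (xvfb) and the VNC server (x11vnc)
RUN apt-get -qqy update && apt-get -qqy install curl xvfb x11vnc
# Store the VNC password (placeholder value) where "x11vnc -usepw" looks for it
RUN mkdir -p ~/.vnc
RUN x11vnc -storepasswd xxxxxxxx ~/.vnc/passwd
# EXPOSE only documents the port; it does not publish it on the host
EXPOSE 5900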

ADD . /app

And in the Admin Console I created a firewall rule to open up 5900. And lastly I am calling the vnc server itself in the "_ah/start" startup hook with this command:

x11vnc -forever -usepw -create

All seems to be set up correctly, but I'm unable to connect with TightVNC. I use the public (ephemeral) IP address for the instance I find in the Admin Console followed by ::5900 (TightVNC requires two colons for some reason). I'm getting a message that the server refused the connection. And indeed when I try to telnet to port 5900 it's blocked.

Next I SSH into the container machine, and when I test the port on the container with wget xxx.xxx.xxx.xxx:5900 I get a connection. So it seems to me the container is not accepting connections on port 5900. Am I getting this right? Is it possible to open up ports and route my VNC client into the Docker container? Any help appreciated.

Why I can't use Compute Engine: Just to preempt some comments about using Google's Compute Engine environment instead of Managed VMs. I make heavy use of the Datastore and Task Queues in my code. I don't think those can run (or run natively/efficiently) on Compute Engine. But I may pose that as a separate question.

Update: Per Paul in the comments... having learned some of the Docker terminology: Can I publish a port on the container in Google's environment?


Solution

  • Out of curiosity - why are you trying to VNC into your instances? If it's just for management purposes, you can SSH into Managed VM instances.

    Use SSH instead of VNC if you can

    That having been said - you can use the network/forwarded_ports config to route traffic from the VM to the application container:

    network:
      forwarded_ports:
      - 5900
      instance_tag: vnc
    

    Put that in your app.yaml, and re-deploy your app. You'll also need to open the port in your firewall (if you intend on accessing this from the public internet):

    gcloud compute firewall-rules create default-allow-vnc \
      --allow tcp:5900 \
      --target-tags vnc \
      --description "Allow vnc traffic on port 5900"
    

    Hope this helps!