# keeper/guacd

**Image:** `keeper/guacd`

`keeper/guacd` is a Dockerized deployment of **guacd**, the Apache Guacamole proxy daemon, with support for VNC, RDP, SSH, K8s, MySQL, PostgreSQL, SQL Server and telnet. It is normally used to provide a guacd instance for a container using the [`keeper/guacamole`](/keeper-connection-manager/installation/docker-compose-install/keeper-guacamole.md) image.

### Starting a guacd instance <a href="#id-.glyptodon-guacdv1.x-startingaguacdinstance" id="id-.glyptodon-guacdv1.x-startingaguacdinstance"></a>

To start a guacd instance which listens on TCP port 4822:

```
docker run --name some-guacd -e ACCEPT_EULA=Y -d keeper/guacd
```

where `some-guacd` is the name you wish to assign to your container.

### Viewing the guacd logs <a href="#id-.glyptodon-guacdv1.x-viewingtheguacdlogs" id="id-.glyptodon-guacdv1.x-viewingtheguacdlogs"></a>

The guacd logs are useful when debugging unexpected behavior of the remote desktop or a failure to connect, because guacd is the component that handles protocol-specific communication. To view the guacd logs:

```
docker logs some-guacd
```

By default, these logs will show messages only at the "info" level or above. This can be overridden when the container is created using the `LOG_LEVEL` environment variable.

### Environment variables <a href="#id-.glyptodon-guacdv1.x-environmentvariables" id="id-.glyptodon-guacdv1.x-environmentvariables"></a>

#### `ACCEPT_EULA` <a href="#id-.glyptodon-guacdv1.x-accept_eula" id="id-.glyptodon-guacdv1.x-accept_eula"></a>

The `ACCEPT_EULA` environment variable must be set to "Y" to indicate your acceptance of the Keeper Connection Manager EULA. This Docker image may not be used except under the terms of the [EULA](https://www.keepersecurity.com/en_GB/termsofuse.html?t=v).

#### `CA_CERTIFICATES`

This variable is optional and specifies the contents of one or more certificates used by your internal certificate authority (CA), in PEM form. When specified, SSL/TLS connections to other servers will be verified against these certificates, including connections to RDP servers and Remote Browser Isolation sessions that use SSL/TLS.

Below is an example `guacd` section of `docker-compose.yml` with 2 certificates:

<pre><code>
    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        shm_size: 1001500k
        security_opt:
            - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
        environment:
            ACCEPT_EULA: "Y"
            CA_CERTIFICATES: |
              -----BEGIN CERTIFICATE-----
              MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
              EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
              VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
              aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
              -----END CERTIFICATE-----
              -----BEGIN CERTIFICATE-----
              MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
              EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
              VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
              aXR5MRQwEgYDVQQDEwtCZXN0IENBIEx0ZDAeFw0wMD..TUwMTZaFw0wMTAy
              -----END CERTIFICATE-----
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
</code></pre>
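Container environment values can be read back with `docker inspect`, so `CA_CERTIFICATES` should hold certificates and nothing else. The following is an added example, not part of the Keeper documentation or image. It checks that the input PEM files contain only complete `CERTIFICATE` blocks and prints them with the indentation used in the compose example above. The function names and the demo input are assumptions made for illustration, and the check is structural only: it does not parse or verify the certificates.

```shell
#!/bin/sh
# Added example, not Keeper's code. Function names and PEM contents are constructed.

# check_ca_bundle FILE...
# Prints how many certificates the files hold. Fails if any PEM block is not a
# CERTIFICATE (for example a private key), is unbalanced, or if none is found.
check_ca_bundle() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN / {
            if (inblk || $0 != "-----BEGIN CERTIFICATE-----") bad = 1
            inblk = 1; next
        }
        /^-----END / {
            if (!inblk || $0 != "-----END CERTIFICATE-----") bad = 1
            inblk = 0; n++; next
        }
        END { if (bad || inblk || n == 0) exit 1; print n }
    ' "$@"
}

# ca_bundle_to_compose FILE...
# Prints the CA_CERTIFICATES entry, indented to sit under "environment:" at the
# same depth as in the compose example. Text outside the BEGIN/END markers
# (subject lines, comments) is dropped.
ca_bundle_to_compose() {
    count=$(check_ca_bundle "$@") || {
        echo "refusing: expected only complete CERTIFICATE blocks" >&2
        return 1
    }
    printf '            CA_CERTIFICATES: |\n'
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ { inblk = 1 }
        inblk { print "              " $0 }
        /^-----END CERTIFICATE-----$/   { inblk = 0 }
    ' "$@"
    echo "emitted $count certificate(s)" >&2
}

# Demo on a constructed placeholder (not a real certificate).
demo=$(mktemp)
cat > "$demo" <<'EOF'
subject=CN = Constructed Example CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
EOF
ca_bundle_to_compose "$demo"
rm -f "$demo"
```

Pass every CA file in one call, for example `ca_bundle_to_compose root-ca.pem issuing-ca.pem`, and paste the output under `environment:`.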

#### `GUACD_UID` <a href="#id-.glyptodon-guacdv1.x-guacd_uid" id="id-.glyptodon-guacdv1.x-guacd_uid"></a>

This variable is optional and specifies the numeric UID which should be assigned to the user that the guacd service runs as. If omitted, the guacd service will run with the UID of the reduced-privilege user created by the Keeper Connection Manager package for guacd.

This is mainly useful if guacd will need to write to a volume mount whose file permissions may not match those of the `keeper/guacd` Docker image.

#### `GUACD_GID` <a href="#id-.glyptodon-guacdv1.x-guacd_gid" id="id-.glyptodon-guacdv1.x-guacd_gid"></a>

This variable is optional and specifies the numeric GID which should be assigned to the group that the guacd service runs as. If omitted, the guacd service will run with the GID of the reduced-privilege group created by the Keeper Connection Manager package for guacd.

This is mainly useful if guacd will need to write to a volume mount whose file permissions may not match those of the `keeper/guacd` Docker image.
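One way to pick values for `GUACD_UID` and `GUACD_GID` is to read them from the directory guacd has to write to. This is an added example, not part of the Keeper documentation: it assumes a bind-mounted host directory and GNU `stat` on a Linux host. The function name is hypothetical, and rejecting root-owned directories is a policy choice of this example, made to keep the reduced-privilege default described above.

```shell
#!/bin/sh
# Added example, not Keeper's code. Assumes GNU stat (Linux host) and a
# bind-mounted host directory; guacd_id_env is a hypothetical helper name.

# guacd_id_env DIR
# Prints GUACD_UID/GUACD_GID lines matching the owner of DIR, in the format
# accepted by "docker run --env-file". Returns 2 if DIR cannot be inspected
# and 1 if DIR is owned by root.
guacd_id_env() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    uid=$(stat -c '%u' "$dir") || return 2
    gid=$(stat -c '%g' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2

    # Example policy: matching a root-owned directory would mean running guacd
    # as UID 0, so ask for the directory to be re-owned instead.
    if [ "$uid" -eq 0 ]; then
        echo "$dir is owned by root; chown it to an unprivileged account first" >&2
        return 1
    fi

    # A world-writable directory needs no UID match and is worth tightening.
    case $mode in
        *[2367]) echo "warning: $dir is world-writable (mode $mode)" >&2 ;;
    esac

    printf 'GUACD_UID=%s\nGUACD_GID=%s\n' "$uid" "$gid"
}

# Demo on a constructed directory standing in for the bind-mounted host path.
demo_dir=$(mktemp -d)
guacd_id_env "$demo_dir" || echo "demo directory rejected (see message above)" >&2
rmdir "$demo_dir"
```

Redirect the output to a file and pass it with `--env-file` when creating the container, alongside `-e ACCEPT_EULA=Y`.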

#### `LOG_LEVEL` <a href="#id-.glyptodon-guacdv1.x-log_level" id="id-.glyptodon-guacdv1.x-log_level"></a>

This variable is optional and specifies the lowest level of log message that should be displayed. In order of increasing verbosity, valid values are: "error", "warning", "info", "debug", "trace".

The default log level is "info".

#### `AUTOFILL_RULES` <a href="#id-.glyptodon-guacdv1.x-log_level" id="id-.glyptodon-guacdv1.x-log_level"></a>

This variable is optional and specifies the full contents of the `/etc/guacamole/autofill-rules.yml` file that can be used to configure autofill of username/password in the [Remote Browser Isolation](/keeper-connection-manager/supported-protocols/remote-browser-isolation.md) protocol.


