Deployment Overview of Kasm Workspaces on Server¶

Prerequisites and Basic Requirements¶

Operating System: Debian-based distributions (e.g., Ubuntu 22.04 Jammy) or RHEL-based distributions.
Privileges: Root access or sudo privileges are required for package installation, Docker management, and certificate generation.
Dependencies:
ca-certificates, curl, gnupg
python3-pip, python3-requests, python3-docker
letsencrypt for SSL certificate management
Docker Version: Docker Engine 5:28.5.2-1_ubuntu.22.04jammy (specifically held on Ubuntu Jammy).
Swap Space: 8192 MB allocated during installation.

The application is accessible via the following Fully Qualified Domain Name (FQDN) format:

Domain: kasm<Server ID>.hostkey.in
Example: If the server ID is 123, the address is kasm123.hostkey.in.
Port: The service listens on port 3000 and a dynamic port defined by the kasm_port variable.

The application utilizes the following directory structure for configuration, data, and certificates:

Main Application Directory: /opt/kasm/
Current Version: /opt/kasm/current/
Service Scripts: /opt/kasm/bin/ (contains start, stop scripts)
Certificates: /opt/kasm/current/certs/
- Primary Key: /opt/kasm/current/certs/kasm_nginx.key
- Primary Certificate: /opt/kasm/current/certs/kasm_nginx.crt
- Backup Key: /opt/kasm/current/certs/kasm_nginx.key_bak
- Backup Certificate: /opt/kasm/current/certs/kasm_nginx.crt_bak
Data Storage (RHEL/Container Mode):
/data/kasm/: Mapped to /opt inside the container.
/data/kasm/profiles/: Mapped to /profiles inside the container.
SSL Certificates (System-wide): /etc/letsencrypt/live/kasm<Server ID>.hostkey.in/

The installation is performed by downloading a specific release archive, extracting it, and running the installation script with specific parameters.

Download Release Archive: The installation source is retrieved from the official Kasm static content repository.
```
https://kasm-static-content.s3.amazonaws.com/kasm_release_1.17.0.bbc15c.tar.gz
```
Extract Archive: The archive is extracted to the /root/ directory.
```
tar -xf kasm_release_1.17.0.bbc15c.tar.gz
```
Execute Installation Script: The install.sh script is executed with the following arguments:
```
./install.sh \
  --admin-password <password> \
  --user-password <password> \
  --public-hostname kasm<Server ID>.hostkey.in \
  --accept-eula \
  --no-images \
  --no-check-ports \
  --no-check-disk \
  --swap-size 8192
```
- --admin-password and --user-password: Set during deployment using SSH password.
- --public-hostname: Defines the FQDN for the panel.
- --swap-size: Allocates 8192 MB of swap memory.

Firewall: The deployment skips port checks (--no-check-ports), implying external port access must be managed via the host firewall to allow incoming traffic on configured ports.
SSL/TLS: Secure connections are enforced using Let's Encrypt certificates issued for the specific host FQDN.
User Accounts: The installation script sets passwords for both the admin and standard user accounts during the initial setup.

Storage Method: The provided configuration does not explicitly define a separate database connection string, external database server, or SQL initialization script.
Data Persistence: Data is stored within the Docker container volumes mapped to the host's filesystem (e.g., /data/kasm/ on RHEL or /opt/kasm/ in the default installation path).

Kasm Workspaces is deployed using Docker containers with the following specifications:

The container is launched with the following settings:

Privileged Mode: true (required for hardware access and specific features).
Restart Policy: unless-stopped.
Environment Variables:
KASM_PORT: Defined by the deployment variable kasm_port.

/data/kasm on host maps to /opt inside the container.
/data/kasm/profiles on host maps to /profiles inside the container.
/dev/input on host maps to /dev/input inside the container (for USB redirection).
/run/udev/data on host maps to /run/udev/data inside the container.

The deployment configures Nginx (integrated within Kasm) to handle reverse proxying and SSL termination.

SSL Certificate Source: Let's Encrypt (certbot).
Certificate Renewal: Certificates are issued using the standalone challenge via HTTP.
Certificate Application: The system copies the privkey.pem and fullchain.pem from /etc/letsencrypt/live/ to /opt/kasm/current/certs/, replacing the default Kasm self-signed certificates.
Original Certificates: The original Kasm certificates are renamed with a .bak extension and preserved in /opt/kasm/current/certs/.

Directory Permissions:
/data and /data/kasm/profiles are created with 0640 permissions.
Owner: root, Group: root.
Docker Daemon Configuration:
The daemon.json file is placed in /etc/docker/ with 0644 permissions, owned by root.
Package Management:
Docker packages (docker-ce, docker-ce-cli) are set to hold to prevent automatic downgrades or updates.

Service Scripts: /opt/kasm/bin/start and /opt/kasm/bin/stop.
SSL Certificates:
Active: /opt/kasm/current/certs/kasm_nginx.key and /opt/kasm/current/certs/kasm_nginx.crt.
Source (Let's Encrypt): /etc/letsencrypt/live/kasm<Server ID>.hostkey.in/.
Docker Configuration: /etc/docker/daemon.json.
User Data: Stored within the mounted volumes defined in the Docker configuration.

The application is managed using the custom scripts provided in the Kasm installation directory.

The Docker daemon is enabled and started via systemd:

systemctl start docker
systemctl enable docker

Docker Compose:
Docker Compose v1.52 is installed via the CLI plugins directory.
Legacy Docker Compose v1.42 is removed or archived to /root/docker-plugin-142/docker-compose.old.