Install Linux Virtual Delivery Agent for RHEL/CentOS
You can choose to follow the steps in this article for manual installation or use easy install for automatic installation and configuration. Easy install saves time and labor and is less error-prone than the manual installation.
Note:
Use easy install only for fresh installations. Do not use easy install to update an existing installation.
Step 1: Prepare RHEL 7/CentOS 7, RHEL 6/CentOS 6 for VDA installation
Step 1a: Verify the network configuration
Citrix recommends that the network is connected and configured correctly before proceeding.
Step 1b: Set the host name
Note:
The Linux VDA does not currently support NetBIOS name truncation. Therefore, the host name must not exceed 15 characters.
To ensure that the host name of the machine is reported correctly, change the /etc/hostname file to contain only the host name of the machine.
HOSTNAME=
hostname
Step 1c: Assign a loopback address to the host name
Note:
The Linux VDA does not currently support NetBIOS name truncation. Therefore, the host name must not exceed 15 characters.
To ensure that the DNS domain name and Fully Qualified Domain Name (FQDN) of the machine are reported back correctly, change the following line of the /etc/hosts file to include the FQDN and host name as the first two entries:
127.0.0.1 hostname-fqdn hostname localhost localhost.localdomain localhost4 localhost4.localdomain4
For example:
127.0.0.1 vda01.example.com vda01 localhost localhost.localdomain localhost4 localhost4.localdomain4
Remove any other references to hostname-fqdn or hostname from other entries in the file.
Tip:
Use a–z, A–Z, 0–9, and hyphen (-) characters only. Avoid underscores (_), spaces, and other symbols. Do not start a host name with a number and do not end with a hyphen. This rule also applies to Delivery Controller host names.
Step 1d: Check the host name
Verify that the host name is set correctly:
hostname
<!--NeedCopy-->
This command returns only the machine’s host name and not its fully qualified domain name (FQDN).
Verify that the FQDN is set correctly:
hostname -f
<!--NeedCopy-->
This command returns the FQDN of the machine.
Step 1e: Check name resolution and service reachability
Verify that you can resolve the FQDN and ping the domain controller and Delivery Controller:
nslookup domain-controller-fqdn
ping domain-controller-fqdn
nslookup delivery-controller-fqdn
ping delivery-controller-fqdn
<!--NeedCopy-->
If you cannot resolve the FQDN or ping either of these machines, review the steps before proceeding.
Step 1f: Configure clock synchronization
Maintaining accurate clock synchronization between the VDAs, Delivery Controllers, and domain controllers is crucial. Hosting the Linux VDA as a virtual machine can cause clock skew problems. For this reason, synchronizing time with a remote time service is preferred.
RHEL 6.x and earlier releases use the NTP daemon (ntpd
) for clock synchronization, whereas an RHEL 7.x default environment uses the newer Chrony daemon (chronyd
) instead. The configuration and operational process between the two services is similar.
Configure the NTP service (RHEL 6/CentOS 6 only)
As a root user, edit /etc/ntp.conf and add a server entry for each remote time server:
server peer1-fqdn-or-ip-address iburst
server peer2-fqdn-or-ip-address iburst
<!--NeedCopy-->
In a typical deployment, synchronize time from the local domain controllers and not directly from public NTP pool servers. Add a server entry for each Active Directory domain controller in the domain.
Remove any other server entries listed including loopback IP address, localhost, and public server *.pool.ntp.org entries.
Save changes and restart the NTP daemon:
sudo /sbin/service ntpd restart
<!--NeedCopy-->
Configure the Chrony service (RHEL 7/CentOS 7 only)
As a root user, edit /etc/chrony.conf and add a server entry for each remote time server:
server peer1-fqdn-or-ip-address iburst
server peer2-fqdn-or-ip-address iburst
<!--NeedCopy-->
In a typical deployment, synchronize time from the local domain controllers and not directly from public NTP pool servers. Add a server entry for each Active Directory domain controller in the domain.
Remove any other server entries listed including loopback IP address, localhost, and public server *.pool.ntp.org entries.
Save changes and restart the Chrony daemon:
sudo /sbin/service chronyd restart
<!--NeedCopy-->
Step 1g: Install OpenJDK
The Linux VDA depends on OpenJDK. Typically, the runtime environment is installed as part of the operating system installation.
Confirm the correct version:
- RHEL 7/CentOS 7:
sudo yum info java-1.8.0-openjdk
<!--NeedCopy-->
- RHEL 6/CentOS 6:
sudo yum info java-1.7.0-openjdk
<!--NeedCopy-->
The prepackaged OpenJDK might be an earlier version. Update to the latest version as required:
- RHEL 7/CentOS 7:
sudo yum -y update java-1.8.0-openjdk
<!--NeedCopy-->
- RHEL 6/CentOS 6:
sudo yum -y update java-1.7.0-openjdk
<!--NeedCopy-->
Set the JAVA_HOME environment variable by adding the following line to the ~/.bashrc file:
export JAVA\_HOME=/usr/lib/jvm/java
Open a new shell and verify the version of Java:
java -version
<!--NeedCopy-->
Tip:
To avoid problems, ensure that you installed only OpenJDK Version 1.7.0 or 1.8.0 in case of RHEL 6/CentOS 6 or only OpenJDK Version 1.8.0 in case of RHEL 7/CentOS 7. Remove all other versions of Java on your system.
Step 1h: Install PostgreSQL
The Linux VDA requires either PostgreSQL 8.4 or later on RHEL 6 or PostgreSQL 9.2 or later on RHEL 7.
Install the following packages:
sudo yum -y install postgresql-server
sudo yum -y install postgresql-jdbc
<!--NeedCopy-->
The following post-installation step is required to initialize the database and to ensure that the service starts upon machine startup. This action creates database files under /var/lib/pgsql/data. The command differs between PostgreSQL 8 and PostgreSQL 9:
- RHEL 7 only: PostgreSQL 9
sudo postgresql-setup initdb
<!--NeedCopy-->
- RHEL 6 only: PostgreSQL 8
sudo /sbin/service postgresql initdb
<!--NeedCopy-->
Step 1i: Start PostgreSQL
Start the service upon machine startup and start the service immediately:
- RHEL 7 only: PostgreSQL 9
sudo systemctl enable postgresql
sudo systemctl start postgresql
<!--NeedCopy-->
- RHEL 6 only: PostgreSQL 8
sudo /sbin/chkconfig postgresql on
sudo /sbin/service postgresql start
<!--NeedCopy-->
Check the version of PostgreSQL by using:
psql --version
<!--NeedCopy-->
Verify that the data directory is set by using the psql command-line utility:
sudo -u postgres psql -c 'show data_directory'
<!--NeedCopy-->
Important:
In this release, a new dependency is added for gperftools-libs, but it does not exist in the original repository. Add a new repository by using the
sudo rpm -ivh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
command.
Only RHEL 6/CentOS 6 is impacted. Run the command before installing the Linux VDA package.
Step 2: Prepare the hypervisor
Some changes are required when running the Linux VDA as a virtual machine on a supported hypervisor. Make the following changes according to the hypervisor platform in use. No changes are required if you are running the Linux machine on bare metal hardware.
Fix time synchronization on Citrix XenServer
When the XenServer Time Sync feature is enabled, within each paravirtualized Linux VM you experience issues with the NTP and the XenServer, both of which try to manage the system clock. To avoid the clock becoming out of sync with other servers, ensure that the system clock within each Linux guest is synchronized with the NTP. This case requires disabling host time synchronization. No changes are required in HVM mode.
On some Linux distributions, if you are running a paravirtualized Linux kernel with XenServer Tools installed, you can check whether the XenServer Time Sync feature is present and enabled from within the Linux VM:
su -
cat /proc/sys/xen/independent_wallclock
<!--NeedCopy-->
This command returns 0 or 1:
- 0 - The time sync feature is enabled, and must be disabled.
- 1 - The time sync feature is disabled, and no further action is required.
If the /proc/sys/xen/indepent_wallclock file is not present, the following steps are not required.
If enabled, disable the time sync feature by writing 1 to the file:
sudo echo 1 > /proc/sys/xen/independent_wallclock
<!--NeedCopy-->
To make this change permanent and persistent after restart, edit the /etc/sysctl.conf file and add the line:
xen.independent_wallclock = 1
To verify these changes, restart the system:
su -
cat /proc/sys/xen/independent_wallclock
<!--NeedCopy-->
This command returns the value 1.
Fix time synchronization on Microsoft Hyper-V
The Linux VMs with Hyper-V Linux Integration Services installed can apply the Hyper-V time synchronization feature to use the time of the host operating system. To ensure that the system clock remains accurate, you must enable this feature alongside the NTP services.
From the management operating system:
- Open the Hyper-V Manager console.
- For the settings of a Linux VM, select Integration Services.
- Ensure that Time synchronization is selected.
Note:
This approach is different from VMware and XenServer, where host time synchronization is disabled to avoid conflicts with NTP. Hyper-V time synchronization can coexist and supplement NTP time synchronization.
Fix time synchronization on ESX and ESXi
When the VMware Time Synchronization feature is enabled, within each paravirtualized Linux VM you experience issues with the NTP and the hypervisor, both of which try to synchronize the system clock. To avoid the clock becoming out of sync with other servers, ensure that the system clock within each Linux guest is synchronized with the NTP. This case requires disabling host time synchronization.
If you are running a paravirtualized Linux kernel with VMware Tools installed:
- Open the vSphere Client.
- Edit settings for the Linux VM.
- In the Virtual Machine Properties dialog, open the Options tab.
- Select VMware Tools.
- In the Advanced box, clear Synchronize guest time with host.
Step 3: Add the Linux virtual machine (VM) to the Windows domain
The Linux VDA supports several methods for adding Linux machines to the Active Directory (AD) domain:
- Samba Winbind
- Quest Authentication Service
- Centrify DirectControl
- SSSD
Follow instructions based on your chosen method.
Note:
Session launches might fail when the same user name is used for the local account in the Linux VDA and the account in AD.
Samba Winbind
Install or update the required packages:
sudo yum -y install samba-winbind samba-winbind-clients krb5-workstation authconfig oddjob-mkhomedir
<!--NeedCopy-->
Enable Winbind daemon to start upon machine startup
The Winbind daemon must be configured to start upon machine startup:
sudo /sbin/chkconfig winbind on
<!--NeedCopy-->
Configure Winbind Authentication
Configure the machine for Kerberos authentication by using Winbind:
sudo authconfig --disablecache --disablesssd --disablesssdauth --enablewinbind --enablewinbindauth --disablewinbindoffline --smbsecurity=ads --smbworkgroup=domain --smbrealm=REALM --krb5realm=REALM --krb5kdc=fqdn-of-domain-controller --winbindtemplateshell=/bin/bash --enablemkhomedir --updateall
<!--NeedCopy-->
Where REALM is the Kerberos realm name in uppercase and domain is the NetBIOS name of the domain.
If DNS-based lookup of the KDC server and realm name is required, add the following two options to the previous command:
--enablekrb5kdcdns --enablekrb5realmdns
Ignore any errors returned from the authconfig
command about the winbind
service failing to start. The errors can occur when authconfig
tries to start the winbind
service without the machine yet being joined to the domain.
Open /etc/samba/smb.conf and add the following entries under the [Global] section, but after the section generated by the authconfig
tool:
kerberos method = secrets and keytab
winbind refresh tickets = true
The Linux VDA requires the system keytab file /etc/krb5.keytab to authenticate and register with the Delivery Controller. The previous kerberos method setting forces Winbind to create the system keytab file when the machine is first joined to the domain.
Join Windows domain
Your domain controller must be reachable and you must have an Active Directory user account with permissions to add computers to the domain:
sudo net ads join REALM -U user
<!--NeedCopy-->
REALM is the Kerberos realm name in uppercase, and user is a domain user who has permissions to add computers to the domain.
Configure PAM for Winbind
By default, the configuration for the Winbind PAM module (pam_winbind) does not enable Kerberos ticket caching and home directory creation. Open /etc/security/pam_winbind.conf
and add or change the following entries under the [Global] section:
krb5_auth = yes
krb5_ccache_type = FILE
mkhomedir = yes
Ensure that any leading semi-colons from each setting are removed. These changes require restarting the Winbind daemon:
sudo /sbin/service winbind restart
<!--NeedCopy-->
Tip:
The winbind daemon stays running only if the machine is joined to a domain.
Open /etc/krb5.conf and change the following setting under the [libdefaults] section from KEYRING to FILE type:
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
Verify domain membership
The Delivery Controller requires that all VDA machines (Windows and Linux VDAs) have a computer object in Active Directory.
Run the net ads command of Samba to verify that the machine is joined to a domain:
sudo net ads testjoin
<!--NeedCopy-->
Run the following command to verify extra domain and computer object information:
sudo net ads info
<!--NeedCopy-->
Verify Kerberos configuration
To ensure that Kerberos is configured correctly for use with the Linux VDA, check that the system keytab file has been created and contains valid keys:
sudo klist -ke
<!--NeedCopy-->
This command displays the list of keys available for the various combinations of principal names and cipher suites. Run the Kerberos kinit
command to authenticate the machine with the domain controller using these keys:
sudo kinit -k MACHINE\$@REALM
<!--NeedCopy-->
The machine and realm names must be specified in uppercase. The dollar sign ($) must be escaped with a backslash (\) to prevent shell substitution. In some environments, the DNS domain name is different from the Kerberos realm name. Ensure that the realm name is used. If this command is successful, no output is displayed.
Verify that the TGT ticket for the machine account has been cached using:
sudo klist
<!--NeedCopy-->
Examine the account details of the machine using:
sudo net ads status
<!--NeedCopy-->
Verify user authentication
Use the wbinfo tool to verify that domain users can authenticate with the domain:
wbinfo --krb5auth=domain\\username%password
<!--NeedCopy-->
The domain specified here is the AD domain name, not the Kerberos realm name. For the bash shell, the backslash (\) character must be escaped with another backslash. This command returns a message indicating success or failure.
To verify that the Winbind PAM module is configured correctly, use a domain user account to log on to the Linux VDA. The domain user account has not been used before.
ssh localhost -l domain\\username
id -u
<!--NeedCopy-->
Check that the tickets in the Kerberos credential cache are valid and not expired:
klist
<!--NeedCopy-->
Exit the session:
exit
<!--NeedCopy-->
A similar test can be performed by logging on to the Gnome or KDE console directly. Proceed to Step 4: Install the Linux VDA after the domain joining verification.
Quest authentication service
Configure Quest on domain controller
Assume that you have installed and configured the Quest software on the Active Directory domain controllers, and have been granted administrative privileges to create computer objects in Active Directory.
Enable domain users to log on to Linux VDA machines
To enable domain users to establish HDX sessions on a Linux VDA machine:
- In the Active Directory Users and Computers management console, open Active Directory user properties for that user account.
- Select the Unix Account tab.
- Check Unix-enabled.
- Set the Primary GID Number to the group ID of an actual domain user group.
Note:
These instructions are equivalent for setting up domain users for logon using the console, RDP, SSH, or any other remoting protocol.
Configure Quest on Linux VDA
Work around SELinux policy enforcement
The default RHEL environment has SELinux fully enforced. This enforcement interferes with the Unix domain socket IPC mechanisms used by Quest, and prevents domain users from logging on.
The convenient way to work around this issue is to disable SELinux. As a root user, edit /etc/selinux/config and change the SELinux setting:
SELINUX=permissive
This change requires a machine restart:
reboot
<!--NeedCopy-->
Important:
Use this setting carefully. Reenabling SELinux policy enforcement after disabling can cause a complete lockout, even for the root user and other local users.
Configure VAS daemon
Auto-renewal of Kerberos tickets must be enabled and disconnected. Authentication (offline logon) must be disabled.
sudo /opt/quest/bin/vastool configure vas vasd auto-ticket-renew-interval 32400
sudo /opt/quest/bin/vastool configure vas vas_auth allow-disconnected-auth false
<!--NeedCopy-->
This command sets the renewal interval to nine hours (32,400 seconds) which is one hour less than the default 10-hour ticket lifetime. Set this parameter to a lower value on systems with a shorter ticket lifetime.
Configure PAM and NSS
To enable domain user logon through HDX and other services such as su, ssh, and RDP, run the following commands to manually configure PAM and NSS:
sudo /opt/quest/bin/vastool configure pam
sudo /opt/quest/bin/vastool configure nss
<!--NeedCopy-->
Join Windows domain
Join the Linux machine to the Active Directory domain using the Quest vastool
command:
sudo /opt/quest/bin/vastool -u user join domain-name
<!--NeedCopy-->
The user is any domain user who has permissions to join computers to the Active Directory domain. The domain-name is the DNS name of the domain, for example, example.com.
Verify domain membership
The Delivery Controller requires that all VDA machines (Windows and Linux VDAs) have a computer object in Active Directory. To verify that a Quest-joined Linux machine is on the domain:
sudo /opt/quest/bin/vastool info domain
<!--NeedCopy-->
If the machine is joined to a domain, this command returns the domain name. If the machine is not joined to any domain, the following error appears:
ERROR: No domain could be found.
ERROR: VAS_ERR_CONFIG: at ctx.c:414 in _ctx_init_default_realm
default_realm not configured in vas.conf. Computer may not be joined to domain
Verify user authentication
To verify that Quest can authenticate domain users through PAM, use a domain user account to log on to the Linux VDA. The domain user account has not been used before.
ssh localhost -l domain\\username
id -u
<!--NeedCopy-->
Check that a corresponding Kerberos credential cache file was created for the UID returned by the id -u command:
ls /tmp/krb5cc_uid
<!--NeedCopy-->
Check that the tickets in the Kerberos credential cache are valid and not expired:
/opt/quest/bin/vastool klist
<!--NeedCopy-->
Exit the session:
exit
<!--NeedCopy-->
A similar test can be performed by logging on to the Gnome or KDE console directly. Proceed to Step 4: Install the Linux VDA after the domain joining verification.
Centrify DirectControl
Join Windows domain
With the Centrify DirectControl Agent installed, join the Linux machine to the Active Directory domain using the Centrify adjoin
command:
su –
adjoin -w -V -u user domain-name
<!--NeedCopy-->
The user parameter is any Active Directory domain user who has permissions to join computers to the Active Directory domain. The domain-name is the name of the domain to join the Linux machine to.
Verify domain membership
The Delivery Controller requires that all VDA machines (Windows and Linux VDAs) have a computer object in Active Directory. To verify that a Centrify-joined Linux machine is on the domain:
su –
adinfo
<!--NeedCopy-->
Check that the Joined to domain value is valid and the CentrifyDC mode returns connected. If the mode remains stuck in the starting state, then the Centrify client is experiencing server connection or authentication problems.
More comprehensive system and diagnostic information is available using:
adinfo --sysinfo all
adinfo –diag
<!--NeedCopy-->
Test connectivity to the various Active Directory and Kerberos services. Proceed to Step 4: Install the Linux VDA after the domain joining verification.
adinfo --test
<!--NeedCopy-->
SSSD
If you are using SSSD, follow the instructions in this section. This section includes instructions for joining a Linux VDA machine to a Windows domain and provides guidance for configuring Kerberos authentication.
To set up SSSD on RHEL and CentOS, do the following:
- Join the domain and create host keytab with Samba
- Set up SSSD
- Configure NSS/PAM
- Verify the Kerberos configuration
- Verify user authentication
Required software
The Active Directory provider was first introduced with SSSD Version 1.9.0. If you are using an earlier version, follow the instructions provided in configuring the LDAP provider with Active Directory.
The following environments have been tested and verified when using the instructions included in this article:
- RHEL 7.3 or later/CentOS 7.3 or later
- Linux VDA Version 1.3 or later
Join the domain and create host keytab with Samba
SSSD does not provide Active Directory client functions for joining the domain and managing the system keytab file. You can use adcli
, realmd
, Winbind
, or Samba
instead.
The information in this section describes the Samba
approach only. For realmd
, see the RHEL or CentOS documentation. These steps must be followed before configuring SSSD.
On the Linux client with properly configured files:
- /etc/krb5.conf
- /etc/samba/smb.conf:
Configure the machine for Samba and Kerberos authentication:
sudo authconfig --smbsecurity=ads --smbworkgroup=domain --smbrealm=REALM --krb5realm=REALM --krb5kdc=fqdn-of-domain-controller --update
<!--NeedCopy-->
Where REALM is the Kerberos realm name in uppercase and domain is the short NetBIOS name of the Active Directory domain.
If DNS-based lookup of the KDC server and realm name is required, add the following two options to the preceding command:
--enablekrb5kdcdns --enablekrb5realmdns
Open /etc/samba/smb.conf and add the following entries under the [Global] section, but after the section generated by the authconfig tool:
kerberos method = secrets and keytab
Join the Windows domain. Ensure that your domain controller is reachable and you have an Active Directory user account with permissions to add computers to the domain:
sudo net ads join REALM -U user
<!--NeedCopy-->
REALM is the Kerberos realm name in uppercase and user is a domain user who has permissions to add computers to the domain.
Set up SSSD
Setting up SSSD consists of the following steps:
- Install the sssd-ad package on the Linux VDA.
- Make configuration changes to various files (for example, sssd.conf).
- Start the sssd service.
An example sssd.conf configuration (extra options can be added as needed):
[sssd]
config_file_version = 2
domains = ad.example.com
services = nss, pam
[domain/ad.example.com]
# Uncomment if you need offline logins
# cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_schema = ad
# Should be specified as the lower-case version of the long version of the Active Directory domain.
ad_domain = ad.example.com
# Kerberos settings
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U
# Uncomment if service discovery is not working
# ad_server = server.ad.example.com
# Comment out if the users have the shell and home dir set on the AD side
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
# Uncomment and adjust if the default principal SHORTNAME$@REALM is not available
# ldap_sasl_authid = host/client.ad.example.com@AD.EXAMPLE.COM
<!--NeedCopy-->
Replace ad.example.com, server.ad.example.com with the corresponding values. For more details, see sssd-ad(5) - Linux man page.
Set the file ownership and permissions on sssd.conf:
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf
restorecon /etc/sssd/sssd.conf
Configure NSS/PAM
RHEL/CentOS:
Use authconfig
to enable SSSD. Install oddjob-mkhomedir to ensure that the home directory creation is compatible with SELinux:
authconfig --enablesssd --enablesssdauth --enablemkhomedir –-update
sudo service sssd start
sudo chkconfig sssd on
<!--NeedCopy-->
Verify Kerberos configuration
Check that the system keytab file has been created and contains valid keys:
sudo klist -ke
<!--NeedCopy-->
This command displays the list of keys available for the various combinations of principal names and cipher suites. Run the Kerberos kinit command to authenticate the machine with the domain controller using these keys:
sudo kinit –k MACHINE\$@REALM
<!--NeedCopy-->
The machine and realm names must be specified in uppercase. The dollar sign ($) must be escaped with a backslash (\) to prevent shell substitution. In some environments, the DNS domain name is different from the Kerberos realm name. Ensure that the realm name is used. If this command is successful, no output is displayed.
Verify that the TGT ticket for the machine account has been cached using:
sudo klist
<!--NeedCopy-->
Verify user authentication
Use the getent command to verify that the logon format is supported and the NSS works:
sudo getent passwd DOMAIN\\username
<!--NeedCopy-->
The DOMAIN parameter indicates the short version domain name. If another logon format is needed, verify by using the getent command first.
The supported logon formats are:
- Down-level logon name:
DOMAIN\username
- UPN:
username@domain.com
- NetBIOS Suffix format:
username@DOMAIN
To verify that the SSSD PAM module is configured correctly, use a domain user account to log on to the Linux VDA. The domain user account has not been used before.
sudo ssh localhost –l DOMAIN\\username
id -u
<!--NeedCopy-->
Check that a corresponding Kerberos credential cache file was created for the uid returned by the command:
ls /tmp/krb5cc_{uid}
<!--NeedCopy-->
Check that the tickets in the user’s Kerberos credential cache are valid and not expired. Proceed to Step 4: Install the Linux VDA after the domain joining verification.
klist
<!--NeedCopy-->
Step 4: Install the Linux VDA
Step 4a: Uninstall the old version
If you have previously installed an earlier version of the Linux VDA, uninstall it before installing the new version.
-
Stop the Linux VDA services:
sudo /sbin/service ctxvda stop sudo /sbin/service ctxhdx stop <!--NeedCopy-->
-
Uninstall the package:
sudo rpm -e XenDesktopVDA <!--NeedCopy-->
Note:
Upgrading from the previous two versions is supported.
Note:
Starting with Version 1.3, the installation path changed. In previous releases, installation components were located in /usr/local/. The new location is /opt/Citrix/VDA/.
To run a command, the full path is needed; alternately, you can add /opt/Citrix/VDA/sbin and /opt/Citrix/VDA/bin to the system path.
Step 4b: Download the Linux VDA package
Go to the Citrix website and download the appropriate Linux VDA package based on your Linux distribution.
Step 4c: Install the Linux VDA
Install the Linux VDA software using Yum
:
For RHEL 7/CentOS 7:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el7_3.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.9:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el6_9.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.6/CentOS 6.6:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el6_6.x86_64.rpm
<!--NeedCopy-->
Install the Linux VDA software using the RPM package manager. Before doing so, you must resolve the following dependencies:
For RHEL 7/CentOS 7:
sudo rpm -i XenDesktopVDA-7.15.0.404-1.el7_3.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.9:
sudo rpm -i XenDesktopVDA-7.15.0.404-1.el6_9.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.6/CentOS 6.6:
sudo rpm -i XenDesktopVDA-7.15.0.404-1.el6_6.x86_64.rpm
<!--NeedCopy-->
RPM dependency list for RHEL 7:
postgresql-server >= 9.2
postgresql-jdbc >= 9.2
java-1.8.0-openjdk >= 1.8.0
ImageMagick >= 6.7.8.9
firewalld >= 0.3.9
policycoreutils-python >= 2.0.83
dbus >= 1.6.12
dbus-x11 >= 1.6.12
xorg-x11-server-utils >= 7.7
xorg-x11-xinit >= 1.3.2
libXpm >= 3.5.10
libXrandr >= 1.4.1
libXtst >= 1.2.2
motif >= 2.3.4
pam >= 1.1.8
util-linux >= 2.23.2
bash >= 4.2
findutils >= 4.5
gawk >= 4.0
sed >= 4.2
cups >= 1.6.0
foomatic-filters >= 4.0.9
openldap >= 2.4
cyrus-sasl >= 2.1
cyrus-sasl-gssapi >= 2.1
libxml2 >= 2.9
python-requests >= 2.6.0
gperftools-libs >= 2.4
xorg-x11-server-Xorg >= 1.17
xorg-x11-server-Xorg < 1.18
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1
<!--NeedCopy-->
RPM dependency list for RHEL 6.9:
postgresql-jdbc >= 8.4
postgresql-server >= 8.4
java-1.7.0-openjdk >= 1.7.0
ImageMagick >= 6.5.4.7
GConf2 >= 2.28.0
system-config-firewall-base >= 1.2.27
policycoreutils-python >= 2.0.83
xorg-x11-server-utils >= 7.7
xorg-x11-xinit >= 1.0.9
ConsoleKit >= 0.4.1
dbus >= 1.2.24
dbus-x11 >= 1.2.24
libXpm >= 3.5.10
libXrandr >= 1.4.1
libXtst >= 1.2.2
openmotif >= 2.3.3
pam >= 1.1.1
util-linux-ng >= 2.17.2
bash >= 4.1
findutils >= 4.4
gawk >= 3.1
sed >= 4.2
cups >= 1.4.0
foomatic >= 4.0.0
openldap >= 2.4
cyrus-sasl >= 2.1
cyrus-sasl-gssapi >= 2.1
libxml2 >= 2.7
python-requests >= 2.6.0
gperftools-libs >= 2.0
xorg-x11-server-Xorg >= 1.17
xorg-x11-server-Xorg < 1.18
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1
<!--NeedCopy-->
RPM dependency list for RHEL 6.6/CentOS 6.6:
postgresql-jdbc >= 8.4
postgresql-server >= 8.4
java-1.7.0-openjdk >= 1.7.0
ImageMagick >= 6.5.4.7
GConf2 >= 2.28.0
system-config-firewall-base >= 1.2.27
policycoreutils-python >= 2.0.83
xorg-x11-server-utils >= 7.7
xorg-x11-xinit >= 1.0.9
ConsoleKit >= 0.4.1
dbus >= 1.2.24
dbus-x11 >= 1.2.24
libXpm >= 3.5.10
libXrandr >= 1.4.1
libXtst >= 1.2.2
openmotif >= 2.3.3
pam >= 1.1.1
util-linux-ng >= 2.17.2
bash >= 4.1
findutils >= 4.4
gawk >= 3.1
sed >= 4.2
cups >= 1.4.0
foomatic >= 4.0.0
openldap >= 2.4
cyrus-sasl >= 2.1
cyrus-sasl-gssapi >= 2.1
libxml2 >= 2.7
python-requests >= 2.6.0
gperftools-libs >= 2.0
xorg-x11-server-Xorg >= 1.15
xorg-x11-server-Xorg < 1.16
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(PayloadIsXz) <= 5.2-1
<!--NeedCopy-->
Step 4d: Upgrade the Linux VDA (optional)
You can upgrade the Linux VDA software from versions 7.14 and 7.13 using Yum
:
For RHEL 7/CentOS 7:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el7_3.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.9:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el6_9.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.6/CentOS 6.6:
sudo yum install -y XenDesktopVDA-7.15.0.404-1.el6_6.x86_64.rpm
<!--NeedCopy-->
Upgrade the Linux VDA software using the RPM package manager:
For RHEL 7/CentOS 7:
sudo rpm -U XenDesktopVDA-7.15.0.404-1.el7_3.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.9:
sudo rpm -U XenDesktopVDA-7.15.0.404-1.el6_9.x86_64.rpm
<!--NeedCopy-->
For RHEL 6.6/CentOS 6.6:
sudo rpm -U XenDesktopVDA-7.15.0.404-1.el6_6.x86_64.rpm
<!--NeedCopy-->
Important:
Restart the Linux VDA machine after upgrading the software.
Step 5: Install NVIDIA GRID drivers
Enabling HDX 3D Pro requires extra installation steps to install the requisite graphics drivers on the hypervisor and on the VDA machines.
Configure the following:
- Citrix XenServer
- VMware ESX
Follow the instructions for your chosen hypervisor.
Citrix XenServer:
This detailed section walks through the install and configuration of the NVIDIA GRID drivers on Citrix XenServer.
VMware ESX:
Follow the information contained in this guide to install and configure the NVIDIA GRID drivers for VMware ESX.
VDA machines:
Follow these steps to install and configure the drivers for each of the Linux VM guests:
- Before starting, ensure that the Linux VM is shut down.
- In XenCenter, add a GPU in GPU pass-through mode to the VM.
- Start the RHEL VM.
To prepare the machine for the NVIDIA GRID drivers, run the following commands:
yum install gcc
yum install "kernel-devel-$(uname -r)"
systemctl set-default multi-user.target
<!--NeedCopy-->
Follow the steps in the Red Hat Enterprise Linux document to install the NVIDIA GRID driver.
Note:
During the GPU driver install, select the default (‘no’) for each question.
Important:
After GPU pass-through is enabled, the Linux VM is no longer accessible through XenCenter. Use SSH to connect.
Set the correct configuration for the card:
etc/X11/ctx-nvidia.sh
To take advantage of large resolutions and multi-monitor capabilities, you need a valid NVIDIA license. To apply for the license, follow the product documentation from “GRID Licensing Guide.pdf - DU-07757-001 September 2015.”
Step 6: Configure the Linux VDA
After installing the package, you must configure the Linux VDA by running the ctxsetup.sh script. Before making any changes, the script verifies the environment and ensures that all dependencies are installed. If necessary, you can rerun the script at any time to change settings.
You can run the script manually with prompting, or automatically with preconfigured responses. Review Help about the script before proceeding:
sudo /opt/Citrix/VDA/sbin/ctxsetup.sh --help
<!--NeedCopy-->
Prompted configuration
Run a manual configuration with prompted questions:
sudo /opt/Citrix/VDA/sbin/ctxsetup.sh
<!--NeedCopy-->
Automated configuration
For an automated install, provide the options required by the setup script with environment variables. If all required variables are present, the script does not prompt for any information.
Supported environment variables include:
- CTX_XDL_SUPPORT_DDC_AS_CNAME = Y | N – The Linux VDA supports specifying a Delivery Controller name using a DNS CNAME record. Set to N by default.
- CTX_XDL_DDC_LIST = list-ddc-fqdns – The Linux VDA requires a space-separated list of Delivery Controller Fully Qualified Domain Names (FQDNs) to use for registering with a Delivery Controller. At least one FQDN or CNAME alias must be specified.
- CTX_XDL_VDA_PORT = port-number – The Linux VDA communicates with Delivery Controllers through a TCP/IP port, which is port 80 by default.
- CTX_XDL_REGISTER_SERVICE = Y | N - The Linux Virtual Desktop services are started after machine startup. The value is set to Y by default.
- CTX_XDL_ADD_FIREWALL_RULES = Y | N – The Linux Virtual Desktop services require incoming network connections to be allowed through the system firewall. You can automatically open the required ports (ports 80 and 1494 by default) in the system firewall for the Linux Virtual Desktop. Set to Y by default.
-
CTX_XDL_AD_INTEGRATION = 1 | 2 | 3 | 4 – The Linux VDA requires Kerberos configuration settings to authenticate with the Delivery Controllers. The Kerberos configuration is determined from the installed and configured Active Directory integration tool on the system. Specify the supported Active Directory integration method to use:
- 1 – Samba Winbind
- 2 – Quest Authentication Service
- 3 – Centrify DirectControl
- 4 – SSSD
- CTX_XDL_HDX_3D_PRO = Y | N – The Linux VDA supports HDX 3D Pro, a set of GPU acceleration technologies designed to optimize the virtualization of rich graphics applications. If HDX 3D Pro is selected, the Virtual Delivery Agent is configured for VDI desktops (single-session) mode – (that is, CTX_XDL_VDI_MODE=Y).
- CTX_XDL_VDI_MODE = Y | N – Whether to configure the machine as a dedicated desktop delivery model (VDI) or hosted shared desktop delivery model. For HDX 3D Pro environments, set this variable to Y. This variable is set to N by default.
- CTX_XDL_SITE_NAME = dns-name – The Linux VDA discovers LDAP servers through DNS. To limit the DNS search results to a local site, specify a DNS site name. This variable is set to <none> by default.
- CTX_XDL_LDAP_LIST = list-ldap-servers – The Linux VDA queries DNS to discover LDAP servers. If DNS cannot provide LDAP service records, you can provide a space-separated list of LDAP FQDNs with LDAP port. For example, ad1.mycompany.com:389. This variable is set to <none> by default.
- CTX_XDL_SEARCH_BASE = search-base-set – The Linux VDA queries LDAP through a search base set to the root of the Active Directory Domain (for example, DC=mycompany,DC=com). To improve search performance, you can specify a search base (for example, OU=VDI,DC=mycompany,DC=com). This variable is set to <none> by default.
- CTX_XDL_START_SERVICE = Y | N – Whether or not the Linux VDA services are started when the Linux VDA configuration is complete. Set to Y by default.
Set the environment variable and run the configure script:
export CTX_XDL_SUPPORT_DDC_AS_CNAME=Y|N
export CTX_XDL_DDC_LIST=list-ddc-fqdns
export CTX_XDL_VDA_PORT=port-number
export CTX_XDL_REGISTER_SERVICE=Y|N
export CTX_XDL_ADD_FIREWALL_RULES=Y|N
export CTX_XDL_AD_INTEGRATION=1|2|3|4
export CTX_XDL_HDX_3D_PRO=Y|N
export CTX_XDL_VDI_MODE=Y|N
export CTX_XDL_SITE_NAME=dns-name
export CTX_XDL_LDAP_LIST=list-ldap-servers
export CTX_XDL_SEARCH_BASE=search-base-set
export CTX_XDL_START_SERVICE=Y|N
sudo -E /opt/Citrix/VDA/sbin/ctxsetup.sh
<!--NeedCopy-->
When running the sudo command, type the -E option to pass the existing environment variables to the new shell it creates. Citrix recommends that you create a shell script file from the preceding commands with #!/bin/bash as the first line.
Alternatively, you can specify all parameters by using a single command:
sudo CTX_XDL_SUPPORT_DDC_AS_CNAME=Y|N \
CTX_XDL_DDC_LIST=list-ddc-fqdns \
CTX_XDL_VDA_PORT=port-number \
CTX_XDL_REGISTER_SERVICE=Y|N \
CTX_XDL_ADD_FIREWALL_RULES=Y|N \
CTX_XDL_AD_INTEGRATION=1|2|3|4 \
CTX_XDL_HDX_3D_PRO=Y|N \
CTX_XDL_VDI_MODE=Y|N \
CTX_XDL_SITE_NAME=dns-name \
CTX_XDL_LDAP_LIST=list-ldap-servers \
CTX_XDL_SEARCH_BASE=search-base-set \
CTX_XDL_START_SERVICE=Y|N \
/opt/Citrix/VDA/sbin/ctxsetup.sh
<!--NeedCopy-->
Remove configuration changes
In some scenarios, you might have to remove the configuration changes made by the ctxsetup.sh script without uninstalling the Linux VDA package.
Review Help about this script before proceeding:
sudo /opt/Citrix/VDA/sbin/ctxcleanup.sh --help
<!--NeedCopy-->
To remove configuration changes:
sudo /opt/Citrix/VDA/sbin/ctxcleanup.sh
<!--NeedCopy-->
Important:
This script deletes all configuration data from the database and renders the Linux VDA inoperable.
Configuration logs
The ctxsetup.sh and ctxcleanup.sh scripts display errors on the console, with additional information written to the configuration log file /tmp/xdl.configure.log.
Restart the Linux VDA services to have the changes take effect.
Step 7: Run the Linux VDA
After configuring the Linux VDA by using the ctxsetup.sh script, you can run the following commands to control the Linux VDA.
Start the Linux VDA:
To start the Linux VDA services:
sudo /sbin/service ctxhdx start
sudo /sbin/service ctxvda start
<!--NeedCopy-->
Stop the Linux VDA:
To stop the Linux VDA services:
sudo /sbin/service ctxvda stop
sudo /sbin/service ctxhdx stop
<!--NeedCopy-->
Restart the Linux VDA:
To restart the Linux VDA services:
sudo /sbin/service ctxvda stop
sudo /sbin/service ctxhdx restart
sudo /sbin/service ctxvda start
<!--NeedCopy-->
Check the status of the Linux VDA:
To check the running status of the Linux VDA services:
sudo /sbin/service ctxvda status
sudo /sbin/service ctxhdx status
<!--NeedCopy-->
Step 8: Create the machine catalog in XenApp or XenDesktop
The process for creating machine catalogs and adding Linux VDA machines is similar to the traditional Windows VDA approach. For a more detailed description of how to complete these tasks, see Create machine catalogs and Manage machine catalogs.
For creating machine catalogs that contain Linux VDA machines, there are a few restrictions that differentiate the process from creating machine catalogs for Windows VDA machines:
- For the operating system, select:
- The Server OS option for a hosted shared desktops delivery model.
- The Desktop OS option for a VDI dedicated desktop delivery model.
- Ensure that machines are set as not power managed.
- Because MCS is not supported for Linux VDAs, choose PVS or the Another service or technology (existing images) deployment method.
- Do not mix Linux and Windows VDA machines in the same machine catalog.
Note:
Early versions of Citrix Studio did not support the notion of a “Linux OS.” However, selecting the Windows Server OS or Server OS option implies an equivalent hosted shared desktops delivery model. Selecting the Windows Desktop OS or Desktop OS option implies a single user per machine delivery model.
Tip:
If you remove and rejoin a machine to the Active Directory domain, you must remove and add the machine to the machine catalog again.
Step 9: Create the delivery group in XenApp or XenDesktop
The process for creating a delivery group and adding machine catalogs containing Linux VDA machines is almost identical to Windows VDA machines. For a more detailed description of how to complete these tasks, see Create Delivery Groups.
For creating delivery groups that contain Linux VDA machine catalogs, the following restrictions apply:
- For the delivery type, select Desktops or Applications.
- Ensure that the AD users and groups you select have been properly configured to log on to the Linux VDA machines.
- Do not allow logon of unauthenticated (anonymous) users.
- Do not mix the delivery group with machine catalogs that contain Windows machines.
Important:
Publishing applications is supported with Linux VDA Version 1.4 and later. However, the Linux VDA does not support the delivery of desktops and apps to the same machine.
In this article
- Step 1: Prepare RHEL 7/CentOS 7, RHEL 6/CentOS 6 for VDA installation
- Step 2: Prepare the hypervisor
- Step 3: Add the Linux virtual machine (VM) to the Windows domain
- Step 4: Install the Linux VDA
- Step 5: Install NVIDIA GRID drivers
- Step 6: Configure the Linux VDA
- Step 7: Run the Linux VDA
- Step 8: Create the machine catalog in XenApp or XenDesktop
- Step 9: Create the delivery group in XenApp or XenDesktop