9 Configuring the VNC Service

This chapter describes how to enable a Virtual Network Computing (VNC) server to provide remote access to a graphical desktop.

About VNC

Virtual Network Computing (VNC) is a system for sharing a graphical desktop over a network. A VNC client (the "viewer") connects to, and can control, a desktop that is shared by a VNC server on a remote system. Because VNC is platform independent, you can use any operating system with a VNC client to connect to a VNC server. VNC makes remote administration using graphical tools possible.

By default, communication between a VNC client and a VNC server is not encrypted: anyone who can observe the traffic can see what is displayed on the desktop and capture the keystrokes sent to it. You can secure VNC communication by tunnelling it through SSH. Using an SSH tunnel also reduces the number of firewall ports that need to be open, because only the SSH port is exposed. Oracle recommends that you use SSH tunnels.

Configuring a VNC Server

To configure a VNC server:

  1. Install the tigervnc-server package:

    sudo yum install tigervnc-server
  2. Create the VNC environment for the VNC users.

    Each VNC desktop on the system runs a VNC server as a particular user. This user must be able to log in to the system with a user name and either a password or an SSH key (if the VNC desktop is to be accessed through an SSH tunnel).

    Use the vncpasswd command to create a password for the VNC desktop. The password must be created by the user that runs the VNC server and not root, for example:

    su - vncuser
    vncpasswd
    Password: password
    Verify: password

    The password must contain at least six characters. If the password is longer than eight characters, only the first eight characters are used for authentication, so a long passphrase gives no extra protection; this is one more reason to expose the desktop only through an SSH tunnel. An obfuscated version of the password is stored in $HOME/.vnc/passwd unless the name of a file is specified with the vncpasswd command. Obfuscation is not encryption: anyone who can read the file can recover the password, so keep the file readable only by its owner.

  3. Create a service unit configuration file for each VNC desktop that is to be made available on the system.

    1. Copy the vncserver@.service template file, for example:

      cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@\:display.service

      In the previous command, display is the unique display number of the VNC desktop, starting from 1 (display 0 is conventionally used by a local X server). Use a backslash character (\) to escape the colon (:) character; the file name itself contains a plain colon.

      Each VNC desktop is associated with a user account. For ease of administration if you have multiple VNC desktops, you can include the name of the VNC user in the name of the service unit configuration file, for example:

      cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver-vncuser@\:display.service
    2. Edit the service unit configuration files.

      The following sections in the configuration file should resemble the sample entries. Replace vncuser with the actual VNC user name.

      [Service]
      Type=forking
      WorkingDirectory=/home/vncuser
      User=vncuser
      Group=vncuser
                    
      # Clean any existing files in /tmp/.X11-unix environment
      ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
      ExecStart=/usr/bin/vncserver %i
      PIDFile=/home/vncuser/.vnc/%H%i.pid
      ExecStop=/usr/bin/vncserver -kill %i

      Optionally, you can add command-line arguments for the VNC server. In the following example, the -localhost option makes the VNC server accept connections only from the local host, so the desktop can be reached only locally or through an SSH tunnel and is never exposed unencrypted on the network; the -geometry option changes the size of the desktop from the default 1024x768 to 640x480. Use -localhost for every desktop that is meant to be accessed through SSH:

      ExecStart=/usr/bin/vncserver %i -localhost -geometry 640x480
      PIDFile=/home/vncuser/.vnc/%H%i.pid
  4. Start the VNC desktops.

    1. Make systemd reload its configuration files:

      sudo systemctl daemon-reload
    2. For each VNC desktop, start the service, and configure the service to start after a system reboot. Remember to use the username and the display number that you specified in the service unit configuration file to be associated with that service. For example:

      sudo systemctl start vncserver-vncuser@\:display.service
      sudo systemctl enable vncserver-vncuser@\:display.service

    Note:

    If you make any changes to a service unit configuration file, you must reload the configuration file and restart the service.

  5. Configure the firewall to allow access to the VNC desktops.

    If users will access the VNC desktops through an SSH tunnel and the SSH service is enabled on the system, you do not need to open additional ports in the firewall. SSH is enabled by default. For information on enabling SSH, see Oracle® Linux: Connecting to Remote Systems With OpenSSH.

    If users will access the VNC desktops directly, you must open the required port for each desktop. The port is 5900 (the base VNC port) plus the display number of the desktop: display 1 uses port 5901 and display 67 uses port 5967. Opening these ports exposes the unencrypted VNC protocol to the network; a desktop started with -localhost does not listen on them at all, so if you use SSH tunnels leave them closed.

    To open ports 5900 to 5903, which is the range covered by the predefined firewalld vnc-server service, you can use the following commands (replace zone with the zone of the interface that faces the VNC clients):

    sudo firewall-cmd --zone=zone --add-service=vnc-server
    sudo firewall-cmd --zone=zone --add-service=vnc-server --permanent

    To open additional ports, for example port 5967, use the following commands:

    sudo firewall-cmd --zone=zone --add-port=5967/tcp
    sudo firewall-cmd --zone=zone --add-port=5967/tcp --permanent
  6. Configure the VNC desktops.

    By default, the VNC server runs the user's default desktop environment. This is controlled by the VNC user's $HOME/.vnc/xstartup file, which is created automatically when the VNC desktop service is started.

    If you did not install a desktop environment when you installed the system (for example because you selected Minimal Install as the base environment), you can install one with the following command:

    sudo yum groupinstall "server with gui"

    When the installation is complete, use the systemctl get-default command to check that the default system state is multi-user.target (multi-user command-line environment). Use the systemctl set-default command to reset the default system state or to change it to graphical.target (multi-user graphical environment) if you prefer.

    The $HOME/.vnc/xstartup file is a shell script that specifies the X applications to run when the VNC desktop is started. For example, to run a KDE Plasma Workspace, you could edit the file as follows:

    #!/bin/sh
    # Drop the session-manager and D-Bus variables inherited from the service so
    # that the VNC session starts its own instead of attaching to another login's.
    unset SESSION_MANAGER
    unset DBUS_SESSION_BUS_ADDRESS
    # Default behaviour: run the system-wide X startup (the user's default desktop).
    #exec /etc/X11/xinit/xinitrc
    # Start KDE Plasma instead; run it in the background so the script returns.
    startkde &

    If you make any changes to a user's $HOME/.vnc/xstartup file, you must restart the VNC desktop for the changes to take effect:

    sudo systemctl restart vncserver-vncuser@\:display.service
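The unit file from step 3, the port calculation from step 5 and a check that -localhost actually took effect, collected into one script. This is an added example, not part of the Oracle documentation or of the TigerVNC package: the function names, the vncuser account, the 640x480 geometry and the sample ss output used in the check are assumptions constructed for illustration, and the install function must run as root.

```shell
#!/bin/sh
# Added example (not from the Oracle docs or TigerVNC): create a per-user,
# per-display vncserver unit that binds to loopback only, and audit what
# Xvnc is actually listening on. Function and account names are assumptions.

# Print a complete unit for USER; the display number comes from the unit name (%i).
# Usage: vnc_unit_body vncuser [geometry]   (geometry defaults to 1024x768)
vnc_unit_body() {
    user="$1"
    geometry="${2:-1024x768}"
    cat <<EOF
[Unit]
Description=Remote desktop service (VNC) for $user
After=syslog.target network.target

[Service]
Type=forking
WorkingDirectory=/home/$user
User=$user
Group=$user

# Clean any existing files in /tmp/.X11-unix environment
ExecStartPre=/bin/sh -c '/usr/bin/vncserver -kill %i > /dev/null 2>&1 || :'
# -localhost: Xvnc accepts connections from 127.0.0.1 only, i.e. through an SSH tunnel
ExecStart=/usr/bin/vncserver %i -localhost -geometry $geometry
PIDFile=/home/$user/.vnc/%H%i.pid
ExecStop=/usr/bin/vncserver -kill %i

[Install]
WantedBy=multi-user.target
EOF
}

# TCP port Xvnc uses for a display number: 5900 + display (display 67 -> 5967).
vnc_port() {
    echo $((5900 + $1))
}

# Read "ss -ltn" output on stdin and print "port address" for every listener in
# the VNC range (5900-5999) that is NOT bound to loopback. Empty output means
# every VNC desktop is reachable only via localhost.
# Usage: ss -ltn | vnc_exposed_listeners
vnc_exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4                          # Local Address:Port column
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        host = addr; sub(/:[0-9]+$/, "", host)
        if (port + 0 >= 5900 && port + 0 <= 5999 &&
            host != "127.0.0.1" && host != "[::1]")
            print port " " host
    }'
}

# Write the unit, reload systemd, then start and enable the desktop (run as root).
# Usage: vnc_install_unit vncuser 1 [geometry]
vnc_install_unit() {
    user="$1"; display="$2"; geometry="$3"
    name="vncserver-${user}@:${display}.service"
    vnc_unit_body "$user" "$geometry" > "/etc/systemd/system/$name"
    systemctl daemon-reload
    systemctl start "$name"
    systemctl enable "$name"
    # Fail if the new desktop's port is reachable from outside the host.
    if ss -ltn | vnc_exposed_listeners | grep -q "^$(vnc_port "$display") "; then
        echo "display $display is not bound to loopback; check ExecStart" >&2
        return 1
    fi
}

if [ "$#" -ge 2 ]; then
    vnc_install_unit "$@"
fi
```

Run it as `sh vnc-desktop.sh vncuser 1 640x480` (hypothetical file name) to create and start vncserver-vncuser@:1.service. The final check is the one worth keeping even if you write the unit by hand: `ss -ltn | vnc_exposed_listeners` printing nothing is the evidence that no desktop is listening on a non-loopback address.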

See the vncserver(1), Xvnc(1), and vncpasswd(1) manual pages for more information.

Connecting to a VNC Desktop

You can connect to a VNC desktop on an Oracle Linux 7 system using any VNC client. The following example instructions are for the TigerVNC client. Adapt the instructions for your client.

  1. Install the TigerVNC client (vncviewer).

    sudo yum install tigervnc
  2. Start the TigerVNC client and connect to a desktop.

    To connect directly to a VNC desktop, you can start the TigerVNC client and enter host:display to specify the host name or IP address of the VNC server and the display number of the VNC desktop to connect to. Alternatively, you can specify the VNC desktop as an argument for the vncviewer command. For example:

    vncviewer myhost.example.com:1

    To connect to a VNC desktop through an SSH tunnel, use the -via option for the vncviewer command to specify the user name and host for the SSH connection, and use localhost:display to specify the VNC desktop. The -via option runs ssh to forward a local port to port 5900+display on the server's loopback interface and then connects the viewer to that local port, so it works with a VNC server started with -localhost and without any VNC port open in the firewall; the ssh command it runs can be changed through the VNC_VIA_CMD environment variable described in vncviewer(1). For example:

    vncviewer -via vncuser@myhost.example.com localhost:67

    See the vncviewer(1) manual page for more information.
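The same tunnel that vncviewer -via sets up, opened by hand so that the forward, the loopback target on the server and the teardown are visible. This is an added example, not from the Oracle documentation or from TigerVNC; it assumes OpenSSH's ssh and TigerVNC's vncviewer on the client, the vncuser account and myhost.example.com host from the text, and a server started with -localhost.

```shell
#!/bin/sh
# Added example (not from the Oracle docs or TigerVNC): a hand-built SSH tunnel
# equivalent to "vncviewer -via user@host localhost:display". Names are assumptions.

# Forward spec for a display: local port 5900+display -> 127.0.0.1:5900+display on
# the server. The remote end is loopback on purpose: that is the only address an
# Xvnc started with -localhost listens on.
vnc_forward_spec() {
    port=$((5900 + $1))
    echo "${port}:127.0.0.1:${port}"
}

# Open the tunnel, run the viewer against localhost, close the tunnel afterwards.
# Usage: vnc_tunnel vncuser@myhost.example.com 67
vnc_tunnel() {
    target="$1"; display="$2"
    ctl="${TMPDIR:-/tmp}/vnc-tunnel-$$"
    # -f -N: go to the background and run no remote command.
    # -M -S: make this a control master so the tunnel can be closed by name later.
    # ExitOnForwardFailure: refuse to start if local port 5900+display is already taken,
    # instead of silently running a tunnel that forwards nothing.
    ssh -f -N -M -S "$ctl" -o ExitOnForwardFailure=yes \
        -L "$(vnc_forward_spec "$display")" "$target" || return 1
    vncviewer "localhost:$display"
    # Tear the tunnel down when the viewer exits rather than leaving it open.
    ssh -S "$ctl" -O exit "$target"
}

if [ "$#" -eq 2 ]; then
    vnc_tunnel "$1" "$2"
fi
```

Run as `sh vnc-tunnel.sh vncuser@myhost.example.com 67` (hypothetical file name). Because the forward targets 127.0.0.1 on the server rather than its external address, the connection succeeds only if Xvnc is bound to loopback, which doubles as a check that -localhost is in effect.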