Kasm Workspaces (KW) is a web-native open-source “Container Streaming Platform” [Link]. What does that really mean?
KW uses Docker to run ephemeral sessions of applications and desktops, streaming them encrypted (no VPN required) to any web browser.
Behind the scenes, KW provides enterprise-class orchestration, data loss prevention, and web streaming technology out of the box. See more features and technical details in the official documentation [Link].
System requirements:
- 4 vCPU (the minimum is 2, but not practical)
- 8GB of RAM (the minimum is 4, but it is not enough for desktops)
- 100GB of Storage (the documentation says 50GB, but the installation refuses to proceed)
- Operating system (amd64/arm64):
- Debian 9+ / Ubuntu 18.04+ / RaspberryPi OS 10+ (Debian-based)
- CentOS 7+ / Oracle Linux 7+ (RHEL-based)
Note: Do not use the bare minimum for real usage, as it will cause problems and the experience will not be satisfactory.
INSTALLING KASM SINGLE-SERVER
After installing Debian or Ubuntu, prepare the system:
sudo apt update && sudo apt upgrade -y sudo reboot
If prompted for a new kernel installation, allow it to proceed.
Downloading and installing (replace the version with the latest available):
wget https://kasm-static-content.s3.amazonaws.com/kasm_release_1.17.0.7f020d.tar.gz tar -xf kasm_release_*.tar.gz && cd kasm_release/ sudo ./install.sh
It is highly recommended to have a SWAP partition or file. Just accept, and the installation will proceed with creating one.
The installation may end with the following output. Take note of all newly generated credentials, as they will not be shown again:
INSTALLING KASM MULTI-SERVER
(pending)
ACCESSING THE KW DASHBOARD
Navigate to your server’s address: https://10.10.10.10/
A self-signed certificate is already installed, but for Internet access it is recommended (though not required) to place a public certificate on a reverse proxy server to act as a shield.
- Admin Dashboard
- User Dashboard
Clicking to launch any session will prompt:
In a new tab, I opened the first session and ran a basic fingerprinting test on a free test site:
As you can see, it reveals very little about the operating system and browser.
IMPORTANT: Do not consider this tool a complete anonymity platform unless you are using the Tor Browser.
Back on the main tab, the running session appears as a thumbnail and can be resumed, minimized, or terminated at any time.
The same test was performed under another session, this time using the Tor Browser:
Unsurprisingly, it does a much better job of hiding identifiable information:
All sessions include a left-side menu to assist with interaction over the customized web VNC session:
Back on the main tab (dashboard), active sessions are shown with a countdown timer, and will self-terminate after 60 minutes of inactivity:
Note: All sessions are ephemeral and no data persists after termination. This is by design. If you need to retain applications, extensions, or data, this may not be the right tool. That said, custom images can be created for specific application needs, and connecting to a network share or cloud drive can cover most data retention requirements.
UPDATED UI
The new UI is much cleaner but offers the same features. Here is how it looks on a fresh installation in 2024.
MOREOVER
Kasm Workspaces goes well beyond the demonstrated features, including:
- Multi-server load distribution in single or multi-zone setups,
- User and group management with support for LDAP, SAML, OpenID, and 2FA,
- Reporting, logging, web filtering, and more,
- GPU pass-through acceleration,
- Session staging, casting, and sharing,
- Optional native persistent data and profiles, Tailscale compatibility, and much more.
Mapping a path from the server’s file system into the container. Admin > Workspaces > Edit > Volume Mappings (JSON):
{
"/server/path": {
"bind": "/container/path",
"mode": "rw",
"uid": 1000,
"gid": 1000,
"required": true,
"skip_check": false
}
}
Overriding container configuration. Admin > Workspaces > Edit > Docker Run Config Override (JSON):
{
"hostname": "kasm",
"user": "root"
}
Execute a command on launch to allow kasm_user to use sudo without a password:
{ "first_launch":{ "user":"root", "cmd":"bash -c 'echo \"kasm-user ALL=(ALL) NOPASSWD: ALL\" >> /etc/sudoers' ; apt update" } }
BONUS
Kasm Workspaces can be installed in an LXC (Linux Container) in Proxmox. This nested setup lets you make the most of your home lab resources.
Notes / Tips
- When creating the CT, uncheck the box that marks the container as “unprivileged“,
- Edit the container settings at Options > Features and check the “nesting” box,
- Containers run as the
rootuser, soinstall.shandinstall_dependencies.shmust be manually edited to remove all occurrences ofsudo, or the installation will fail.