The following packages have been kept back

If you’ve ever seen the words “The following packages have been kept back” you’ll know it can be pretty frustrating. You’ve told it to update, why isn’t it updating?

This occurs because the package has had its dependencies changed. Upgrading it would either install additional packages or uninstall software the new version doesn’t need. A lot of replies will tell you to do a dist-upgrade.

This is a very bad idea, unless you know what you are doing. This will cause a LOT of changes to your system, and it’s not massively unusual to see it prevent a system running until you sort out a raft of post dist-upgrade issues. Now, some people will argue that you should always dist-upgrade, and deal with issues as they crop up, and while there’s merit to this, you can’t do it on a production system, especially just because you need to upgrade a package.

What’s the solution?


apt-get update
apt-get dselect-upgrade

This will then follow up with the usual explanation of which packages will be added or removed. Type in “y” like you normally do, and it will install/uninstall/upgrade your packages. Done.

Ubuntu 12.04 Precise Pangolin – Complete VNC Server Setup

There are lots of guides for setting up VNC Server on 12.04, so why write another one?
I had my own requirements for setting up VNC:

1. It had to be configurable “headless” on a server or desktop ubuntu install via SSH.
2. I prefer to use vnc4server
3. You need to install gnome-session in 12.04 (in previous unity distros, it was pre-installed IIRC)

Without covering all the above points, a VNC install walkthrough is pretty pointless. There are plenty of prettier, easier, GUI based install guides. This assumes terminal, VNC and X11 knowledge. If you somehow break your config, you need to be able to work it out for yourself or with help from the ubuntu community.

First things first, make sure you have these packages, as they are essential to get this working. If you get a screen when you try and connect via VNC which only allows you to log out, it’s probably because you skipped these earlier steps.

sudo apt-get update
sudo apt-get install gnome-core gnome-session-fallback

Obviously this updates your package list to the latest 12.04 releases. You can optionally “sudo apt-get upgrade”, to keep your ubuntu up to date.
Now we get into installing a VNC server and configuring it.

sudo apt-get install vnc4server
This installs the VNC server software we are going to use.

vncserver
vncserver -kill :1
cp .vnc/xstartup .vnc/xstartup.bak
nano .vnc/xstartup

The first line fires up VNC server with the default config. We do this because it will prompt you to enter a password. Bear in mind that passwords longer than 8 characters will be truncated to 8 characters :/ We’ll cover the security implications in a bit.
The second line kills the default VNC session.
The third line can be omitted, but it’s traditional IT paranoia.
The fourth line opens nano and allows you to edit the config for VNC server.

You need to edit the file to make it look like this:
#!/bin/sh

# Uncomment the following two lines for normal desktop:
unset SESSION_MANAGER
#exec /etc/X11/xinit/xinitrc
gnome-session --session=gnome-classic &

[ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
[ -r $HOME/.Xresources ] && xrdb $HOME/.Xresources
xsetroot -solid grey
vncconfig -iconic &
#x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
#x-window-manager &

The changes of note are removing the # in front of unset SESSION_MANAGER (making that line active) and adding the “gnome-session --session=gnome-classic &” line (note the double dash before “session”), before commenting out (with a hash) the x-terminal-emulator and x-window-manager lines. If you don’t do this, your VNC session will start, but it will be a blank grey hatched background.

EDIT: Make sure your file looks like this. WordPress is turning my double-dash into a single longer dash by the look of it, and triple dash doesn’t seem to fix it:

[Screenshot: VNC4 login configuration]

Save your changes to the file, and exit (in nano, it’s ctrl-x).

Now, we killed the VNC server session that was running before. So recreate it using the screen size you want. I use 1024×768 on my iPhone to reduce bandwidth, but that might not suit what you want to do. You can add -depth 24 for more colours, or -depth 8 to force 256 colour mode which is required for some VNC clients especially on mobile phones:
vncserver -geometry 1680x1050

so a good phone config might be:
vncserver -geometry 1024x768 -depth 8

iSSH connecting

iSSH connected to Ubuntu 12.04 Precise Pangolin via VNC over SSH

If you get a grey screen when you try and connect tunnelling over SSH, don’t panic. Try using port 5902, because you might not have killed the initial session properly, or restarted a default one by mistake. If you don’t know what I mean by tunnelling, you might find that you can’t connect to the VNC server. The problem is the built-in firewall, ufw.

You can use the following command to see if ufw is enabled, and what its rules are:
sudo ufw status

If it’s enabled we need to tell it that it’s safe to allow VNC connections to the machine. But before we do that, a short digression on security:

Hopefully your computer is behind a firewalled NAT. Most are these days, but if you are connecting directly to a modem, with no other computers connected to it, this might not be safe. As the maximum password length is 8 characters, there is a very finite number of passwords that exist. In theory, a hacker could see that your VNC port is open, and start guessing your password using software that will keep trying combinations until it gets in. After we open a hole for VNC in the firewall, we will test whether it’s visible to the internet.

Okay, so to open a hole in the firewall we need to add a rule that allows connections on the correct port, which are initiated from outside your computer. Obviously the computer doesn’t dial out to your phone, and command it to connect via VNC, the phone or other external device is the instigator of the connection, and this is what a firewall is designed to prevent.

sudo ufw allow 5901
This tells ufw to allow connections for screen0 and screen1 over VNC to any outside computer.

Now we will test whether there is another firewall in between your computer and the internet.

Go to the ShieldsUp! site and click “proceed”, enter “5900-5902” into the blank box, then click the “user specified custom port probe” button below. If it says “Stealth” in green for each port, then your system is secure.

ShieldsUp! Scan of VNC ports - Stealthed!

If you don’t get the green “Stealth” next to each port, you have opened a potential vulnerability to your system.
Fix this by reversing the firewall rule we made:
sudo ufw deny 5901

Assuming you have SSH access remotely for this machine, you can tunnel the SSH connection from an external machine with ssh -NfL 5901:127.0.0.1:5901 user@remote.host replacing the 5901s with the correct port for the desktop you want to access if necessary. You can now VNC to the server by telling the machine you run the above code on, to connect to itself on the same port. Alternatively, because of the ufw fix, you can connect directly while on the same subnet.
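
A local check to go with the external ShieldsUp! probe, as an added example that is not part of the original post: it reads `netstat -ltn` output and lists any VNC display port (5900-5999) that is listening on something other than loopback, i.e. reachable without the SSH tunnel. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list VNC listeners (TCP 5900-5999) that accept connections
# from other hosts, given `netstat -ltn` output on stdin.

exposed_vnc_listeners() {
    awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4                          # e.g. 0.0.0.0:5901 or :::5901
            n = split(addr, parts, ":")
            portstr = parts[n]                 # text after the last colon
            port = portstr + 0
            host = substr(addr, 1, length(addr) - length(portstr) - 1)
            if (port < 5900 || port > 5999) next             # not a VNC display port
            if (host == "127.0.0.1" || host == "::1") next   # loopback only
            printf "display :%d listens on %s port %d\n", port - 5900, host, port
        }
    '
}

# Constructed sample input (not captured from a real machine).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5902          0.0.0.0:*               LISTEN
tcp6       0      0 :::5901                 :::*                    LISTEN
tcp6       0      0 ::1:5902                :::*                    LISTEN
EOF
}

# On the server itself, run: netstat -ltn | exposed_vnc_listeners
sample_netstat | exposed_vnc_listeners
```

Any line printed means that display can be reached directly, so only the firewall and the 8-character VNC password protect it. Starting the server with Xvnc’s -localhost option (for example vncserver -localhost -geometry 1024x768) restricts it to loopback, so the SSH tunnel is the only way in.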

If you use an iOS device, I highly recommend iSSH as it allows you to easily set up an SSH tunnelled VNC connection.

We are nearly done!

Once you reboot, the VNC Server isn’t up any more.

sudo nano /etc/rc.local

Go to the line above “exit 0”.
Paste in: “/usr/bin/vncserver -geometry 1024x768 -depth 8” or similar.

You are now done!

EDIT: If you get a grey screen, please read the comments. There is a problem with how WordPress renders double-dashes, apparently turning them into a single dash, which will misconfigure your vnc login data. The other most common problem is that VNC server doesn’t work on startup automatically. Check that you’ve edited your /etc/rc.local correctly, and that you are connecting to the correct port for screen 0. The way VNC server works, the first “screen” is 0, the next is 1, the next is 2. If you are trying to connect to screen 1, then it won’t appear to be running, because the rc.local version will be running on screen 0.