[Engine-devel] Adding VNC support
Ewoud Kohl van Wijngaarden
ewoud+ovirt at kohlvanwijngaarden.nl
Tue Jul 31 15:25:53 UTC 2012
On Tue, Jul 31, 2012 at 09:44:10AM -0400, Alon Bar-Lev wrote:
> Ewoud Kohl van Wijngaarden wrote:
> > On Tue, Jul 31, 2012 at 10:09:26AM +0100, Daniel P. Berrange wrote:
> > > On Tue, Jul 31, 2012 at 09:18:50AM +0300, Itamar Heim wrote:
> > > > On 07/26/2012 05:36 PM, snmishra at linux.vnet.ibm.com wrote:
> > > > 5.2 novnc websocket server - i see three options
> > > >
> > > > 5.2.1 extend qemu to do this, so novnc can connect to it directly
> > > > like we do today for vnc/spice
> > >
> > > I don't think this is a desirable approach. One of the nice
> > > benefits
> > > you gain from using a websocket proxy is that you only need to have
> > > one single TCP port exposed to the internet now. If you put
> > > websockets
> > > in QEMU itself, you'd be stuck with having to open your firewall to
> > > allow 100's of ports. With a separate web proxy, you can even make
> > > each QEMU server now use a local UNIX socket for their VNC server,
> > > since only the proxy needs to be able to connect. This means that
> > > the VNC server would no longer be exposed to random local user
> > > access too.
> >
> > Another benefit of a proxy is that you can run it in a DMZ and not
> > have
> > to expose all your virtualization hosts to the internet.
>
> But this way you do expose them :)
Since I've worked with VNCAuthProxy I'll explain how that works.
First of all it listens on a control port. This can be inside the
firewall and has a simple JSON-based protocol. On this control port you
can ask it to open a connection on port X to virt-host.example.org:Y.
virt-host.example.org can also be behind the firewall and now only port
X is exposed to the internet.
More information about the Engine-devel
mailing list