[Kimchi-devel] [PATCH 2/6] Enable encryption in vm console connection

Aline Manera alinefm at linux.vnet.ibm.com
Fri May 2 00:49:21 UTC 2014


From: Mark Wu <wudxw at linux.vnet.ibm.com>

The current vm ui console connection is unencrypted. This patch enables
encrypted vm console connection. But browsers doesn't
support well for the usage self-signed certs in the ssl websocket
connection. For details, please see:
https://github.com/kanaka/websockify/wiki/Encrypted-Connections

For chrome browser, the encrypted console connection should work after
you login with ssl connection. But for firefox, you have to connect to
https://host-ip:64667/ and accept the self-signed cert.

Signed-off-by: Mark Wu <wudxw at linux.vnet.ibm.com>
---
 src/kimchi/vnc.py       |   10 ++++++++--
 ui/js/src/kimchi.api.js |    2 ++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 1f36e9a..3251f06 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -23,7 +23,7 @@ import os
 import subprocess
 
 
-from kimchi.config import config
+from kimchi.config import config, paths
 
 
 WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens'
@@ -36,9 +36,15 @@ def new_ws_proxy():
         if e.errno == errno.EEXIST:
             pass
 
+    cert = config.get('server', 'ssl_cert')
+    key = config.get('server', 'ssl_key')
+    if not (cert and key):
+        cert = '%s/kimchi-cert.pem' % paths.conf_dir
+        key = '%s/kimchi-key.pem' % paths.conf_dir
+
     cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
     args = ['python', cmd, config.get('display', 'display_proxy_port'),
-            '--target-config', WS_TOKENS_DIR]
+            '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key]
     p = subprocess.Popen(args, close_fds=True)
     return p
 
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 1bde45c..6fcac6d 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -332,6 +332,7 @@ var kimchi = {
                 url = 'http://' + location.hostname + ':' + http_port;
                 url += "/vnc_auto.html?port=" + proxy_port;
                 url += "&path=?token=" + encodeURIComponent(vm);
+                url += '&encrypt=1'
                 window.open(url);
             });
         }).error(function() {
@@ -355,6 +356,7 @@ var kimchi = {
                 url = 'http://' + location.hostname + ':' + http_port;
                 url += "/spice.html?port=" + proxy_port + "&listen="
                 + data.graphics.listen + "&token=" + encodeURIComponent(vm);
+                url += '&encrypt=1'
                 window.open(url);
             });
         }).error(function() {
-- 
1.7.10.4




More information about the Kimchi-devel mailing list