[Kimchi-devel] [PATCH 2/4] ticket in backend: add a set ticket action for VM resource

Sheldon shaohef at linux.vnet.ibm.com
Wed May 21 03:06:22 UTC 2014


On 05/21/2014 04:17 AM, Christy Perez wrote:
> One comment inline...
>
>
> On Tue, 2014-05-20 at 23:27 +0800, shaohef at linux.vnet.ibm.com wrote:
>> From: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>>
>> Only the user who gets the ticket can access the VM console.
>>
>> The ticket will be invalid when it expires.
>>
>> We just manage the VMs created by kimchi.
>> We do not set the ticket for other VMs that are created by other management tools.
>>
>> Signed-off-by: ShaoHe Feng <shaohef at linux.vnet.ibm.com>
>> Signed-off-by: Zhou Zheng Sheng <zhshzhou at linux.vnet.ibm.com>
>> ---
>>   src/kimchi/control/vms.py |  1 +
>>   src/kimchi/model/vms.py   | 28 ++++++++++++++++++++++++++++
>>   2 files changed, 29 insertions(+)
>>
>> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
>> index 508f478..e3c72d1 100644
>> --- a/src/kimchi/control/vms.py
>> +++ b/src/kimchi/control/vms.py
>> @@ -37,6 +37,7 @@ class VM(Resource):
>>           self.uri_fmt = '/vms/%s'
>>           for ident, node in sub_nodes.items():
>>               setattr(self, ident, node(model, self.ident))
>> +        self.setticket = self.generate_action_handler('setticket')
>>           self.start = self.generate_action_handler('start')
>>           self.poweroff = self.generate_action_handler('poweroff')
>>           self.shutdown = self.generate_action_handler('shutdown')
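Review bot: the `setticket` handler in `VM.__init__` is registered with only the action name, while the model method added later in this patch is `setticket(self, name, password=None, expire=10)`. Please state whether `password` and `expire` are meant to be reachable from the REST API. If they are, they need to be declared and validated (type and range for `expire`, length and character set for `password`) before they reach libvirt; if they are not, dropping them from the model signature makes the intent clear. The new action also needs an entry in the API documentation.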
>> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
>> index 17bda04..0daaea0 100644
>> --- a/src/kimchi/model/vms.py
>> +++ b/src/kimchi/model/vms.py
>> @@ -19,7 +19,10 @@
>>
>>   from lxml.builder import E
>>   import lxml.etree as ET
>> +from lxml import etree, objectify
>>   import os
>> +import random
>> +import string
>>   import time
>>   import uuid
>>   from xml.etree import ElementTree
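Review bot: `from lxml import etree, objectify` binds `lxml.etree` a second time in a module that already has `import lxml.etree as ET` two lines above, and `xml.etree.ElementTree` is imported as well. Importing only `objectify` here and calling `ET.tostring(...)` in `setticket` avoids having three names for XML handling in one file.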
>> @@ -353,9 +356,14 @@ class VMModel(object):
>>           graphics = self._vm_get_graphics(name)
>>           graphics_type, graphics_listen, graphics_port = graphics
>>           graphics_port = graphics_port if state == 'running' else None
>> +        passwd = None
>>           try:
>>               if state == 'running' and self._has_video(dom):
>>                   screenshot = self.vmscreenshot.lookup(name)
>> +                xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
>> +                root = objectify.fromstring(xml)
>> +                graphic = root.devices.find("graphics")
>> +                passwd = graphic.attrib.get('passwd')
>>               elif state == 'shutoff':
>>                   # reset vm stats when it is powered off to avoid sending
>>                   # incorrect (old) data
>> @@ -394,6 +402,7 @@ class VMModel(object):
>>                   'graphics': {"type": graphics_type,
>>                                "listen": graphics_listen,
>>                                "port": graphics_port},
>> +                'ticket': passwd,
>>                   'users': users,
>>                   'groups': groups
>>                   }
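Review bot: adding `'ticket': passwd` to the lookup result puts the console password into every read of the VM resource, next to `graphics`, `users` and `groups`, so anything that can fetch or log the VM info also gets the credential. That is at odds with the commit message's "Only the user who gets the ticket can access the VM console". Consider returning the ticket only in the response of the `setticket` action, to the caller who requested it, and keeping it out of `lookup` entirely.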
>> @@ -513,6 +522,25 @@ class VMModel(object):
>>           else:
>>               raise OperationFailed("KCHVM0010E", {'name': name})
>>
>> +    def setticket(self, name, password=None, expire=10):
> The default is 10, not 30?
Still need to discuss the default value.

Now we can distinguish whether the guest was created by kimchi or by other tools.


Now here's my proposal:
1. If the guest is created by other tools, such as virt-manager:
if he does not set a password, we will not let kimchi add a password
for it.
If he sets a password for the guest, we will not let kimchi change the
password.
And we will not return this password to the UI; we let the user type in the
password by himself.

2. If the guest is created by kimchi:
kimchi sets the ticket, and the UI gets the ticket automatically to access the guest.

So 10s may be OK.

But we should consider:
do we allow other tools such as virt-manager to access the guest created
by kimchi?

Then 10s is not enough. And also, how does the user get the ticket?
Does he use virt-manager to re-set the password?

Or does kimchi support a way to show them the password?


>
>> +        dom = self.get_vm(name, self.conn)
>> +        version, distro = self.vm_get_os_metadata(dom)
>> +        if distro is None:
>> +            # this VM is not created by kimchi
>> +            return
>> +
>> +        xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
>> +        root = objectify.fromstring(xml)
>> +        graphic = root.devices.find("graphics")
>> +        password = password if password is not None else "".join(
>> +            random.sample(string.ascii_letters + string.digits, 8))
>> +        graphic.attrib['passwd'] = password
>> +        valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
>> +                                 time.gmtime(time.time() + float(expire)))
>> +        graphic.attrib['passwdValidTo'] = valid_to
>> +        graphic_xml = etree.tostring(graphic)
>> +        dom.updateDeviceFlags(graphic_xml, 0)
>> +
>>       def _vmscreenshot_delete(self, vm_uuid):
>>           screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
>>                                                         self.conn)
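Review bot: the default ticket in `setticket` is built with `random.sample(string.ascii_letters + string.digits, 8)`, which draws from the non-cryptographic Mersenne Twister generator and, because `sample` picks without replacement, never repeats a character, shrinking the space further. For a console credential, use the OS CSPRNG instead, for example `rng = random.SystemRandom()` and `"".join(rng.choice(alphabet) for _ in range(8))`. Also in this hunk: `float(expire)` is applied to an unvalidated value, so a non-numeric or negative `expire` either raises ValueError or sets a `passwdValidTo` in the past; `graphic` can be None when the domain has no graphics device; and the bare `return` for VMs not created by kimchi makes the action look successful to the caller when no ticket was set, so raising an error there would be clearer.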
> Regards,
>
> - Christy
>


-- 
Thanks and best regards!

Sheldon Feng(冯少合)<shaohef at linux.vnet.ibm.com>
IBM Linux Technology Center



