April 2014 - Kimchi-devel - oVirt List Archives

[PATCH] Set default storage pool to autostart and make persistent
by Christy Perez 30 Apr '14

30 Apr '14

The default storage pool wasn't set to autostart, and wasn't persistent. If a user wants to continue to use any VMs they have created in kimchi (maybe only for troubleshooting) but kimchi isn't active, the default pool may not be active. Signed-off-by: Christy Perez <christy(a)linux.vnet.ibm.com> --- src/kimchi/model/model.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/kimchi/model/model.py b/src/kimchi/model/model.py index a7d843e..a766ca5 100644 --- a/src/kimchi/model/model.py +++ b/src/kimchi/model/model.py @@ -71,7 +71,8 @@ class Model(BaseModel): pool = conn.storagePoolLookupByName("default") except libvirt.libvirtError: try: - pool = conn.storagePoolCreateXML(xml, 0) + pool = conn.storagePoolDefineXML(xml, 0) + pool.setAutostart(1) except libvirt.libvirtError, e: cherrypy.log.error("Fatal: Cannot create default pool because " "of %s, exit kimchid" % e.message, -- 1.9.0

5 4

[PATCH v2] Enable encryption in vm console connection
by Mark Wu 29 Apr '14

29 Apr '14

The current vm ui console connection is unencrypted. This patch enables encrypted vm console connection. But browsers doesn't support well for the usage self-signed certs in the ssl websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections For chrome browser, the encrypted console connection should work after you login with ssl connection. But for firefox, you have to connect to https://host-ip:64667/ and accept the self-signed cert. --- src/kimchi/vnc.py | 10 ++++++++-- ui/js/src/kimchi.api.js | 2 ++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..3251f06 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess -from kimchi.config import config +from kimchi.config import config, paths WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' @@ -36,9 +36,15 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass + cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key] p = subprocess.Popen(args, close_fds=True) return p diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..6fcac6d 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -332,6 +332,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/vnc_auto.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { @@ -355,6 +356,7 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + url += '&encrypt=1' window.open(url); }); }).error(function() { -- 1.8.4.2

1 0

[PATCH] Add encrypted vm console connection
by Mark Wu 29 Apr '14

29 Apr '14

The current vm ui console connection is unencrypted. This patch adds encrypted vm console connection by enabling ssl support in websockify and adding a new connection option on UI side. We don't enable the encrypted by default in the existing vm console connection because it can avoid the overhead caused by encryption and also browsers doesn't support well for the usage self-signed certs in the ssl websocket connection. For details, please see: https://github.com/kanaka/websockify/wiki/Encrypted-Connections For chrome browser, the encrypted console connection should work after you login with ssl connection. But for firefox, you have to connect to https://host-ip:64667/ and accept the self-signed cert. --- src/kimchi/vnc.py | 10 ++++++++-- ui/js/src/kimchi.api.js | 8 +++++++- ui/js/src/kimchi.guest_main.js | 20 ++++++++++++++++++-- ui/pages/guest.html.tmpl | 1 + 4 files changed, 34 insertions(+), 5 deletions(-) diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py index 1f36e9a..3251f06 100644 --- a/src/kimchi/vnc.py +++ b/src/kimchi/vnc.py @@ -23,7 +23,7 @@ import os import subprocess -from kimchi.config import config +from kimchi.config import config, paths WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens' @@ -36,9 +36,15 @@ def new_ws_proxy(): if e.errno == errno.EEXIST: pass + cert = config.get('server', 'ssl_cert') + key = config.get('server', 'ssl_key') + if not (cert and key): + cert = '%s/kimchi-cert.pem' % paths.conf_dir + key = '%s/kimchi-key.pem' % paths.conf_dir + cmd = os.path.join(os.path.dirname(__file__), 'websockify.py') args = ['python', cmd, config.get('display', 'display_proxy_port'), - '--target-config', WS_TOKENS_DIR] + '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key] p = subprocess.Popen(args, close_fds=True) return p diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js index 1bde45c..262f64d 100644 --- a/ui/js/src/kimchi.api.js +++ b/ui/js/src/kimchi.api.js @@ -312,7 +312,7 @@ var kimchi = { }); }, - vncToVM : function(vm) { + vncToVM : function(vm, encrypted) { kimchi.requestJSON({ url : '/config', type : 'GET', @@ -332,6 +332,9 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/vnc_auto.html?port=" + proxy_port; url += "&path=?token=" + encodeURIComponent(vm); + if (encrypted) { + url += '&encrypt=1' + } window.open(url); }); }).error(function() { @@ -355,6 +358,9 @@ var kimchi = { url = 'http://' + location.hostname + ':' + http_port; url += "/spice.html?port=" + proxy_port + "&listen=" + data.graphics.listen + "&token=" + encodeURIComponent(vm); + if (encrypted) { + url += '&encrypt=1' + } window.open(url); }); }).error(function() { diff --git a/ui/js/src/kimchi.guest_main.js b/ui/js/src/kimchi.guest_main.js index 510e7f9..a811a6b 100644 --- a/ui/js/src/kimchi.guest_main.js +++ b/ui/js/src/kimchi.guest_main.js @@ -151,10 +151,22 @@ kimchi.openVmConsole = function(event) { var vm=$(this).closest('li[name=guest]'); var vmObject=vm.data(); if (vmObject.graphics['type'] == 'vnc') { - kimchi.vncToVM(vm.attr('id')); + kimchi.vncToVM(vm.attr('id'), false); } else if (vmObject.graphics['type'] == 'spice') { - kimchi.spiceToVM(vm.attr('id')); + kimchi.spiceToVM(vm.attr('id'), false); + } + +}; + +kimchi.openVmSecureConsole = function(event) { + var vm=$(this).closest('li[name=guest]'); + var vmObject=vm.data(); + if (vmObject.graphics['type'] == 'vnc') { + kimchi.vncToVM(vm.attr('id'), true); + } + else if (vmObject.graphics['type'] == 'spice') { + kimchi.spiceToVM(vm.attr('id'), true); } }; @@ -275,13 +287,17 @@ kimchi.createGuestLi = function(vmObject, prevScreenImage, openMenu) { } var consoleActions=guestActions.find("[name=vm-console]"); + var secureConsoleActions=guestActions.find("[name=vm-secureConsole]"); if ((vmObject.graphics['type'] == 'vnc') || (vmObject.graphics['type'] == 'spice')) { consoleActions.on("click", kimchi.openVmConsole); consoleActions.show(); + secureConsoleActions.on("click", kimchi.openVmSecureConsole); } else { //we don't recognize the VMs supported graphics, so hide the menu choice consoleActions.hide(); consoleActions.off("click",kimchi.openVmConsole); + secureConsoleActions.hide(); + secureConsoleActions.off("click", kimchi.openVmSecureConsole); } //Setup action event handlers diff --git a/ui/pages/guest.html.tmpl b/ui/pages/guest.html.tmpl index c7335c8..6cacc11 100644 --- a/ui/pages/guest.html.tmpl +++ b/ui/pages/guest.html.tmpl @@ -56,6 +56,7 @@ <span class="text">$_("Actions")</span><span class="arrow"></span> <div class="popover actionsheet right-side" style="width: 250px"> <button class="button-big shutoff-disabled" name="vm-console" ><span class="text">$_("Connect")</span></button> + <button class="button-big shutoff-disabled" name="vm-secureConsole" ><span class="text">$_("Securely connect")</span></button> <button class="button-big shutoff-disabled" name="vm-media"><span class="text">$_("Manage Media")</span></button> <button class="button-big running-disabled" name="vm-edit"><span class="text">$_("Edit")</span></button> <button class="button-big shutoff-hidden" name="vm-reset"><span class="text">$_("Reset")</span></button> -- 1.8.4.2

2 2

[PATCH V2 0/4] vmiface update support
by shaohef＠linux.vnet.ibm.com 29 Apr '14

29 Apr '14

From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com> V1 -> V2 add test case for running VM We allow user change the interface from one network to another network when VM is alive. But we only support change the vm configure no matter vm is alive or not. ShaoHe Feng (4): vmiface update support: update API.md vmiface update support: update model. vmiface update support: update mockmodel vmiface update support: update test case docs/API.md | 8 ++++++++ src/kimchi/API.json | 17 +++++++++++++++++ src/kimchi/control/vm/ifaces.py | 1 + src/kimchi/i18n.py | 1 + src/kimchi/mockmodel.py | 12 ++++++++++++ src/kimchi/model/vmifaces.py | 25 +++++++++++++++++++++++++ tests/test_model.py | 20 ++++++++++++++++++++ tests/test_rest.py | 8 ++++++++ 8 files changed, 92 insertions(+) -- 1.9.0

3 7

[PATCH V11 0/7] bug fix: get user and group when VM is running
by shaohef＠linux.vnet.ibm.com 29 Apr '14

29 Apr '14

From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com> V10 -> V11 fix typo V9 -> V10 metadata xml will be changed to hierarchical structure rather than flat. V8 -> V9 move meta feature test to src/kimchi/model/config.py use ElementMaker to construct a metanode. V7 -> V8 add a feature test to probe libvirt support metadata. add namespace for manully metadata. V6 -> V7: After V6 rebase, still find one error code "KCHVM0029E" does not change. V5 -> V6: rebase V4 -> V5: it is wrong to call dom.isPersistent in V4, fix it. V3 -> V4: work around if libvirt do not support metadata API well. V2 -> V3: move the virDomain.metadata and virDomain.setMetadata to model/utils.py add testcase V1 -> V2: libvirt also support virDomain.metadata and virDomain.setMetadata two api. use virDomain.metadata to get the user and group. use virDomain.setMetadata to set the user and group. ShaoHe Feng (7): bug fix: call a method should be followed by "()" add method to test libvirt metadata api are available Add two function to set and get domain xml metadata manually manage the metadata element bug fix: get user and group when vm is living. update test case to set/get user and group when VM is running write the template OS info to vm metadata src/kimchi/featuretests.py | 33 +++++++++++- src/kimchi/i18n.py | 1 + src/kimchi/model/config.py | 2 + src/kimchi/model/utils.py | 124 +++++++++++++++++++++++++++++++++++++++++++++ src/kimchi/model/vms.py | 105 +++++++++++++++++++++++--------------- tests/test_model.py | 13 +++++ 6 files changed, 236 insertions(+), 42 deletions(-) -- 1.9.0

3 12

[PATCHv3 0/3] UI: Manage guest disks
by lvroyce＠linux.vnet.ibm.com 29 Apr '14

29 Apr '14

From: Royce Lv <lvroyce(a)linux.vnet.ibm.com> v1>v3, Fix disk view display, Fix align problem in select menu, Fill default value in pool and volume box. Royce Lv (3): Fix select menu data append UI: Support add guest disk Display all disk types in storage edit view ui/css/theme-default/guest-storage-add.css | 16 ++++ ui/js/src/kimchi.guest_edit_main.js | 5 +- ui/js/src/kimchi.guest_storage_add.main.js | 114 +++++++++++++++++++++++++++-- ui/js/widgets/select-menu.js | 4 +- ui/pages/guest-edit.html.tmpl | 17 ++++- ui/pages/guest-storage-add.html.tmpl | 62 ++++++++++++++-- 6 files changed, 199 insertions(+), 19 deletions(-) -- 1.8.3.2

2 4

[PATCH V2] Fix PEP8 in scan.py
by Rodrigo Trujillo 28 Apr '14

28 Apr '14

Fixes PEP8 issues in src/kimchi/scan.py and adds it to PEP8_WHITELIST. Signed-off-by: Rodrigo Trujillo <rodrigo.trujillo(a)linux.vnet.ibm.com> --- Makefile.am | 1 + src/kimchi/scan.py | 15 +++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/Makefile.am b/Makefile.am index 1e4a8be..9785de9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -60,6 +60,7 @@ PEP8_WHITELIST = \ src/kimchi/repositories.py \ src/kimchi/rollbackcontext.py \ src/kimchi/root.py \ + src/kimchi/scan.py \ src/kimchi/server.py \ src/kimchi/swupdate.py \ src/kimchi/template.py \ diff --git a/src/kimchi/scan.py b/src/kimchi/scan.py index b67e3a5..e50dbbc 100644 --- a/src/kimchi/scan.py +++ b/src/kimchi/scan.py @@ -15,7 +15,7 @@ # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA # import glob @@ -32,6 +32,7 @@ from kimchi.utils import kimchi_log SCAN_IGNORE = ['/tmp/kimchi-scan-*'] + class Scanner(object): SCAN_TTL = 300 @@ -56,8 +57,8 @@ class Scanner(object): shutil.rmtree(d) self.clean_cb(transient_pool) except OSError as e: - kimchi_log.debug( - "Exception %s occured when cleaning stale pool, ignore" % e.message) + msg = "Exception %s occured when cleaning stale pool, ignore" + kimchi_log.debug(msg % e.message) def scan_dir_prepare(self, name): # clean stale scan storage pools @@ -71,16 +72,18 @@ class Scanner(object): duplicates = "%s/%s*" % (params['pool_path'], iso_name) for f in glob.glob(duplicates): iso_img = IsoImage(f) - if (iso_info['distro'], iso_info['version']) == iso_img.probe(): + if (iso_info['distro'], iso_info['version']) == \ + iso_img.probe(): return - iso_path = iso_name + hashlib.md5(iso_info['path']).hexdigest() + '.iso' + iso_path = iso_name + hashlib.md5(iso_info['path']).hexdigest() + \ + '.iso' link_name = os.path.join(params['pool_path'], os.path.basename(iso_path)) os.symlink(iso_info['path'], link_name) ignore_paths = params.get('ignore_list', []) scan_params = dict(path=params['scan_path'], updater=updater, - ignore_list=ignore_paths + SCAN_IGNORE) + ignore_list=ignore_paths + SCAN_IGNORE) probe_iso(None, scan_params) cb('', True) -- 1.9.0

2 1

[PATCH] security: Prevent XSS attacks
by Aline Manera 28 Apr '14

28 Apr '14

From: Aline Manera <alinefm(a)br.ibm.com> Add the following headers to Kimchi responses: X-Frame-Options DENY; X-Content-Type-Options nosniff; X-XSS-Protection "1; mode=block"; And Content-Security-Policy for error pages. Signed-off-by: Aline Manera <alinefm(a)br.ibm.com> --- src/kimchi/root.py | 11 +++++++++++ src/nginx.conf.in | 4 ++++ 2 files changed, 15 insertions(+) diff --git a/src/kimchi/root.py b/src/kimchi/root.py index 514d75d..8b1d09b 100644 --- a/src/kimchi/root.py +++ b/src/kimchi/root.py @@ -47,18 +47,29 @@ class Root(Resource): self._cp_config = dict([(key, self.error_development_handler) for key in self._handled_error]) + def _set_CSP(self): + # set Content-Security-Policy to prevent XSS attacks + headers = cherrypy.response.headers + headers['Content-Security-Policy'] = "default-src 'self'" + def error_production_handler(self, status, message, traceback, version): + self._set_CSP() + data = {'code': status, 'reason': message} res = template.render('error.html', data) + if (type(res) is unicode and LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')): res = res.encode("utf-8") return res def error_development_handler(self, status, message, traceback, version): + self._set_CSP() + data = {'code': status, 'reason': message, 'call_stack': cherrypy._cperror.format_exc()} res = template.render('error.html', data) + if (type(res) is unicode and LooseVersion(cherrypy.__version__) < LooseVersion('3.2.5')): res = res.encode("utf-8") diff --git a/src/nginx.conf.in b/src/nginx.conf.in index 967b46b..da6358e 100644 --- a/src/nginx.conf.in +++ b/src/nginx.conf.in @@ -47,6 +47,10 @@ http { ssl_certificate $cert_pem; ssl_certificate_key $cert_key; + add_header X-Frame-Options DENY; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + location / { proxy_pass http://localhost:$kimchid_port; proxy_set_header Host $host; -- 1.7.10.4

2 2

[PATCH V2] bug fix: Use secure cookies
by Aline Manera 28 Apr '14

28 Apr '14

From: Aline Manera <alinefm(a)br.ibm.com> Since this cookie does not contain the "secure" attribute, it might also be sent to the site during an unencrypted session. Any information such as cookies, session tokens or user credentials that are sent to the server as clear text, may be stolen and used later for identity theft or user impersonation. Fix it. Signed-off-by: Aline Manera <alinefm(a)br.ibm.com> --- src/kimchi/config.py.in | 1 + tests/test_config.py.in | 1 + ui/js/src/kimchi.cookie.js | 1 + 3 files changed, 3 insertions(+) diff --git a/src/kimchi/config.py.in b/src/kimchi/config.py.in index f8a645a..da89e3a 100644 --- a/src/kimchi/config.py.in +++ b/src/kimchi/config.py.in @@ -172,6 +172,7 @@ class KimchiConfig(dict): 'tools.nocache.on': True, 'tools.sessions.on': True, 'tools.sessions.name': 'kimchi', + 'tools.sessions.secure': True, 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', diff --git a/tests/test_config.py.in b/tests/test_config.py.in index 9654016..cf89fa3 100644 --- a/tests/test_config.py.in +++ b/tests/test_config.py.in @@ -97,6 +97,7 @@ class ConfigTests(unittest.TestCase): 'tools.nocache.on': True, 'tools.sessions.on': True, 'tools.sessions.name': 'kimchi', + 'tools.sessions.secure': True, 'tools.sessions.httponly': True, 'tools.sessions.locking': 'explicit', 'tools.sessions.storage_type': 'ram', diff --git a/ui/js/src/kimchi.cookie.js b/ui/js/src/kimchi.cookie.js index d63fb97..2a69407 100644 --- a/ui/js/src/kimchi.cookie.js +++ b/ui/js/src/kimchi.cookie.js @@ -18,6 +18,7 @@ kimchi.cookie = { set: function(key, value, expireDays) { value = encodeURIComponent(value); + value += '; secure' if (expireDays) { var expireDate = new Date(); expireDate.setDate(expireDate.getDate() + expireDays); -- 1.7.10.4

2 2

[PATCH] security: Redirect all HTTP requests to HTTPS
by Aline Manera 28 Apr '14

28 Apr '14

From: Aline Manera <alinefm(a)br.ibm.com> Improve kimchi security by redirecting all HTTP requests to HTTPS that way we make sure all information will be send in a secure way to and from the server. Also add Strict-Transport-Security header to avoid SSL stripping (https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping) Signed-off-by: Aline Manera <alinefm(a)br.ibm.com> --- src/nginx.conf.in | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/src/nginx.conf.in b/src/nginx.conf.in index 967b46b..9218032 100644 --- a/src/nginx.conf.in +++ b/src/nginx.conf.in @@ -17,7 +17,6 @@ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA # 02110-1301 USA - # This is a template file to be used to generate a nginx # proxy config file at kimchid script. @@ -30,7 +29,6 @@ events { worker_connections 1024; } - http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' @@ -38,18 +36,26 @@ http { '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; - - sendfile on; + sendfile on; server { - listen $proxy_port; listen $proxy_ssl_port ssl; + ssl_certificate $cert_pem; ssl_certificate_key $cert_key; + add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; + location / { proxy_pass http://localhost:$kimchid_port; proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } + + server { + listen $proxy_port; + rewrite ^/(.*)$ https://$host:$proxy_ssl_port/$1 redirect; + } } -- 1.7.10.4

2 2