[PATCH] issue #374: Use base64 encoding to launch VM console
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
websockify.py uses urlparse.parse_qs() to parse token parameter in the
console URL
/vnc_auto.html?port=64667&path=?token=issue%2B374&encrypt=1
And even when the VM name is encoded using encodeURIComponent(), it replaces the
plus sign with a white space,
{'token': ['issue 374']}
That way the console (noVNC/Spice) will never be able to find the console port
based on VM name, as it was wrongly recorded.
To fix it, use base64 for encoding the VM name while setting up the
console configuration and accessing it using noVNC or Spice.
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
---
src/kimchi/vnc.py | 2 ++
ui/js/src/kimchi.api.js | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 002b950..660b9c6 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -18,6 +18,7 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+import base64
import errno
import os
import subprocess
@@ -53,6 +54,7 @@ def new_ws_proxy():
def add_proxy_token(name, port):
with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f:
+ name = base64.b64encode(name)
f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
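Review bot: base64.b64encode() on the added line uses the standard alphabet, which includes '+' and '/', so a name whose encoding contains '+' hits the same parse_qs() plus-to-space substitution this patch is meant to avoid; base64.urlsafe_b64encode() avoids both characters. The encoding is also applied after open(), so the token file is still named after the raw VM name, and name.encode('utf-8') now runs on the base64 output instead of the name; encode the name to UTF-8 first and base64 the resulting bytes.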
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 021be63..97d5800 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -352,7 +352,7 @@ var kimchi = {
}).done(function() {
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=vnc_auto.html&port=" + proxy_port;
- url += "&path=?token=" + encodeURIComponent(vm);
+ url += "&path=?token=" + btoa(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
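Review bot: btoa(vm) is concatenated into the query string unescaped, and its output can contain '+', '/' and '=', so a '+' still reaches parse_qs() and becomes a space. btoa() also throws on characters outside Latin-1 and encodes code points, not UTF-8 bytes, so for non-ASCII VM names the token may not match what vnc.py writes; use a URL-safe variant over UTF-8 bytes that matches the Python side byte for byte.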
@@ -377,7 +377,7 @@ var kimchi = {
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=spice.html&port=" + proxy_port;
url += "&listen=" + location.hostname;
- url += "&token=" + encodeURIComponent(vm);
+ url += "&token=" + btoa(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
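Review bot: the Spice URL at "&token=" repeats the btoa(vm) call from the VNC hunk and inherits the same '+' and non-Latin-1 problems; put the token encoding in one shared helper so the two console paths and the server-side encoding in vnc.py cannot drift apart.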
--
1.9.3
10 years, 5 months
[PATCH] issue #374: Use base64 encoding to launch VM console
by alinefm@linux.vnet.ibm.com
From: Aline Manera <alinefm(a)linux.vnet.ibm.com>
websockify.py uses urlparse.parse_qs() to parse token parameter in the
console URL
/vnc_auto.html?port=64667&path=?token=issue%2B374&encrypt=1
And even when the VM name is encoded using encodeURIComponent(), it replaces the
plus sign with a white space,
{'token': ['issue 374']}
That way websockify will never be able to find the console port based on VM
name.
To fix it, use base64 for encoding the VM name while setting up the
console configuration and accessing it using noVNC or Spice.
Signed-off-by: Aline Manera <alinefm(a)linux.vnet.ibm.com>
---
src/kimchi/vnc.py | 2 ++
ui/js/src/kimchi.api.js | 4 ++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 002b950..9380e21 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -18,6 +18,7 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+import base64
import errno
import os
import subprocess
@@ -53,6 +54,7 @@ def new_ws_proxy():
def add_proxy_token(name, port):
with open(os.path.join(WS_TOKENS_DIR, name), 'w') as f:
+ name = base64.urlsafe_b64encode(name)
f.write('%s: localhost:%s' % (name.encode('utf-8'), port))
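Review bot: in add_proxy_token() the name is encoded after open(os.path.join(WS_TOKENS_DIR, name), 'w'), so the file on disk is still named after the raw VM name and only the token inside it is base64. If the file name is meant to be the encoded form too, move the encoding above the open(); the URL-safe alphabet contains no '/', which also keeps path separators out of the joined path. The name.encode('utf-8') that follows is applied to the base64 output; apply it to the name before urlsafe_b64encode() so the bytes being encoded are well defined.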
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 021be63..99ac730 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -352,7 +352,7 @@ var kimchi = {
}).done(function() {
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=vnc_auto.html&port=" + proxy_port;
- url += "&path=?token=" + encodeURIComponent(vm);
+ url += "&path=?token=" + kimchi.urlSafeB64Encode(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
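Review bot: kimchi.urlSafeB64Encode() is called here but is not added by this patch, whose diffstat lists only src/kimchi/vnc.py and ui/js/src/kimchi.api.js. State the prerequisite patch in the commit message or include the helper, otherwise applying this patch alone leaves the VNC console link calling an undefined function.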
@@ -377,7 +377,7 @@ var kimchi = {
url = 'https://' + location.hostname + ':' + proxy_port;
url += "/console.html?url=spice.html&port=" + proxy_port;
url += "&listen=" + location.hostname;
- url += "&token=" + encodeURIComponent(vm);
+ url += "&token=" + kimchi.urlSafeB64Encode(vm);
url += "&kimchi=" + location.port;
url += '&encrypt=1';
window.open(url);
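Review bot: for the Spice token, the output of kimchi.urlSafeB64Encode(vm) has to equal base64.urlsafe_b64encode() in vnc.py exactly, including '=' padding and the byte encoding of non-ASCII names, or the lookup fails the same way as before. A test with a name containing '+' and one with non-ASCII characters would pin that down.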
--
1.9.3
10 years, 5 months
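The failure described in the two messages above, and the reason the second version moves to the URL-safe alphabet, as an added example (not code from Kimchi or websockify). It uses Python 3's urllib.parse.parse_qs in place of the Python 2 urlparse.parse_qs named in the commit message, models the client step as a single percent-decode of the path value (an assumption), and every VM name other than issue+374 is constructed.

```python
import base64
import re
from urllib.parse import parse_qs, quote, unquote, urlsplit


def console_url(token):
    # Same shape as the console URL quoted in the commit message.
    return "/vnc_auto.html?port=64667&path=?token=" + token + "&encrypt=1"


def token_at_proxy(url):
    """Return the token the proxy ends up looking for."""
    # Pass 1 (assumed client behaviour): percent-decode the 'path' value once.
    path = unquote(re.search(r"[?&]path=([^&#]*)", url).group(1))
    # Pass 2: parse_qs() on the inner query; this is where '+' becomes ' '.
    return parse_qs(urlsplit(path).query)["token"][0]


def b64(vm):
    return base64.b64encode(vm.encode("utf-8")).decode("ascii")


def urlsafe_b64(vm):
    return base64.urlsafe_b64encode(vm.encode("utf-8")).decode("ascii")


# scheme -> (token the UI puts in the URL, token recorded on the server)
SCHEMES = {
    "percent": (lambda vm: quote(vm, safe=""), lambda vm: vm),
    "base64": (b64, b64),
    "urlsafe_base64": (urlsafe_b64, urlsafe_b64),
}


def lookup_succeeds(vm, scheme):
    to_url, recorded = SCHEMES[scheme]
    return token_at_proxy(console_url(to_url(vm))) == recorded(vm)


if __name__ == "__main__":
    # "issue+374" is the name from the commit message; the rest are constructed.
    for vm in ["issue+374", "db~", "guest", "caf\u00e9"]:
        for scheme in SCHEMES:
            ok = lookup_succeeds(vm, scheme)
            print("%-10s %-15s %s" % (vm, scheme, "found" if ok else "MISSING"))
```

Standard base64 happens to work for issue+374 itself; it fails for names such as db~ whose encoding contains '+'.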
[PATCH V4 0/4] Authorization: disable non-root user functions in UI
by wenwang@linux.vnet.ibm.com
From: Wen Wang <wenwang(a)linux.vnet.ibm.com>
V3 -> V4:
Removed the additional white border line in user mode(Aline)
Minor change to the layout of the storage tab of user mode that makes
the arrow-down/arrow-up more consistent(Aline)
V2 -> V3:
stored the mode into global _tabMode that can be used for each tab.(Aline)
Making the buttons that are not available for non-root users invisible
by default and enable when user is admin.(Yu Xin)
Fixed css inconsistent under "Storage" tab.
Removed the onClick function if the buttons are not available.
V1 -> V2:
Store "roles" parameter in cookie instead of each tab's mode.(Aline)
read only "roles" from cookie instead of roles of each tab(Aline)
Minor changes in method of removing "Action" title under network tab
(Hongliang Wang)
This patch defines user privilege according to different user roles. In this
release, only two roles are supported: "admin" and "user", combined with four
modes: "admin", "byInstance", "read-only" and "none", each of which has its own
privileges to different tabs as well as instances. Modes are stored in cookie
and functions of different roles are protected in the back-end.
Wen Wang (4):
Add roles into cookie
Authorization: remove host/template tabs for non-root users
Authorization: remove [+] icon from non-root users view
Authorization: Remove actions based on roles
ui/css/theme-default/network.css | 4 +
ui/css/theme-default/storage.css | 22 ++++---
ui/js/src/kimchi.guest_main.js | 10 ++-
ui/js/src/kimchi.login.js | 16 +++--
ui/js/src/kimchi.main.js | 26 +++++--
ui/js/src/kimchi.network.js | 12 +++-
ui/js/src/kimchi.storage_main.js | 137 ++++++++++++++++++++-----------------
ui/js/src/kimchi.template_main.js | 21 ++++--
ui/pages/tabs/guests.html.tmpl | 4 +-
ui/pages/tabs/network.html.tmpl | 6 +-
ui/pages/tabs/storage.html.tmpl | 6 +-
ui/pages/tabs/templates.html.tmpl | 2 +-
12 files changed, 159 insertions(+), 107 deletions(-)
10 years, 5 months
[V1 0/2] Add Users/Groups to VM
by huoyuxin@linux.vnet.ibm.com
From: Yu Xin Huo <huoyuxin(a)linux.vnet.ibm.com>
Yu Xin Huo (2):
Add users/groups to VM
update po
po/en_US.po | 9 +++
po/kimchi.pot | 9 +++
po/pt_BR.po | 39 ++++++++-----
po/zh_CN.po | 9 +++
ui/css/theme-default/guest-edit.css | 106 +++++++++++++++++++++++++++++++++
ui/images/theme-default/group.png | Bin 0 -> 1703 bytes
ui/images/theme-default/user.png | Bin 0 -> 1322 bytes
ui/js/src/kimchi.api.js | 28 +++++++++
ui/js/src/kimchi.guest_edit_main.js | 112 ++++++++++++++++++++++++++++++++++-
ui/pages/guest-edit.html.tmpl | 33 ++++++++++
10 files changed, 327 insertions(+), 18 deletions(-)
create mode 100644 ui/images/theme-default/group.png
create mode 100644 ui/images/theme-default/user.png
10 years, 5 months
[PATCH 0/2 V2] [Fix BZ#111243 - pkvm 2.1-SP2]
by Rodrigo Trujillo
V2:
- Patch disables vhost feature only in ubuntu 14.04 or lower
V1:
Patch 1 - Disables vhost feature
Patch 2 - Uses/modify SUSE patch from kimchi upstream. Adds SLES and change
RHEL version (6.5) in modern distros dict. Modern distros are going
to use virtio.
Rodrigo Trujillo (2):
Disable vhost feature in Ubuntu LE
Change modern distro versions
src/kimchi/isoinfo.py | 1 +
src/kimchi/osinfo.py | 9 ++++++---
src/kimchi/vmtemplate.py | 10 +++++++++-
3 files changed, 16 insertions(+), 4 deletions(-)
--
1.9.3
10 years, 5 months
[PATCHv3 0/8] Support img based template
by lvroyce0210@gmail.com
From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
v2>v3,
Clear unused iso link,
Adding mockmodel and tests
How to test:
create an image using:
POST /templates {'name':'mytemp', 'disks':[{'base':'a_base_img_path'}]}
create a vm using:
POST /vms {'template': '/templates/mytemp', 'pool'....}
Known issues:
1. This is only available for NFS and dir pool, logical pool in kimchi now adopted
raw format which is not suitable for qcow2 img (will fix later).
iscsi, scsi pool volume size need to be checked and handled later.
So in this version just support dir based pool.
2. Due to template integrity check needing to be refactored, this check will be added later.
Royce Lv (8):
Add image probe function
Change doc and api specification
Change 'cdrom' to a optional param
Fix: Prevent iso links filling in osinfo.py
Integrate image os probe in vm template create
Create volume based on backing store image
Update mockmodel of base img vm
Add tests for image based template
Makefile.am | 1 +
contrib/DEBIAN/control.in | 4 +-
contrib/kimchi.spec.fedora.in | 2 +
contrib/kimchi.spec.suse.in | 2 +
docs/API.md | 3 +-
docs/README.md | 9 +++--
src/kimchi/API.json | 8 +++-
src/kimchi/control/storagevolumes.py | 2 +-
src/kimchi/control/templates.py | 2 +-
src/kimchi/exception.py | 4 ++
src/kimchi/i18n.py | 8 +++-
src/kimchi/imageinfo.py | 66 +++++++++++++++++++++++++++++++
src/kimchi/mockmodel.py | 31 ++++++++++++---
src/kimchi/model/templates.py | 13 +++---
src/kimchi/model/vms.py | 1 +
src/kimchi/osinfo.py | 24 +-----------
src/kimchi/vmtemplate.py | 76 ++++++++++++++++++++++++------------
tests/test_model.py | 25 ++++++++++++
tests/test_osinfo.py | 8 ----
tests/test_rest.py | 32 ++++++++++++++-
tests/test_vmtemplate.py | 2 +-
21 files changed, 244 insertions(+), 79 deletions(-)
create mode 100644 src/kimchi/imageinfo.py
--
1.8.3.2
10 years, 5 months
[PATCH V3 0/4] Authorization: disable non-root user functions in UI
by wenwang@linux.vnet.ibm.com
From: Wen Wang <wenwang(a)linux.vnet.ibm.com>
V2 -> V3:
stored the mode into global _tabMode that can be used for each tab.(Aline)
Making the buttons that are not available for non-root users invisible
by default and enable when user is admin.(Yu Xin)
Fixed css inconsistent under "Storage" tab.
Removed the onClick function if the buttons are not available.
V1 -> V2:
Store "roles" parameter in cookie instead of each tab's mode.(Aline)
read only "roles" from cookie instead of roles of each tab(Aline)
Minor changes in method of removing "Action" title under network tab
(Hongliang Wang)
This patch defines user privilege according to different user roles. In this
release, only two roles are supported: "admin" and "user", combined with four
modes: "admin", "byInstance", "read-only" and "none", each of which has its own
privileges to different tabs as well as instances. Modes are stored in cookie
and functions of different roles are protected in the back-end.
Wen Wang (4):
Add roles into cookie
Authorization: remove host/template tabs for non-root users
Authorization: remove [+] icon from non-root users view
Authorization: Remove actions based on roles
ui/css/theme-default/storage.css | 22 ++++---
ui/js/src/kimchi.guest_main.js | 10 ++-
ui/js/src/kimchi.login.js | 16 +++--
ui/js/src/kimchi.main.js | 26 +++++--
ui/js/src/kimchi.network.js | 10 +++-
ui/js/src/kimchi.storage_main.js | 137 ++++++++++++++++++++-----------------
ui/js/src/kimchi.template_main.js | 21 ++++--
ui/pages/tabs/guests.html.tmpl | 4 +-
ui/pages/tabs/network.html.tmpl | 6 +-
ui/pages/tabs/storage.html.tmpl | 6 +-
ui/pages/tabs/templates.html.tmpl | 2 +-
11 files changed, 153 insertions(+), 107 deletions(-)
10 years, 5 months
[PATCH V3 0/5] vm ticket in backend
by shaohef@linux.vnet.ibm.com
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
V2 -> V3:
do not make ticket as sub-resource of a VM
V1 -> V2:
make ticket as sub-resource of a VM
A ticket is the credential to access a VM.
Only those who get the ticket can access a VM.
test this patch set:
set the ticket
$ sudo curl -k -u <user>:<password> -H "Content-Type: application/json" -H \
"Accept: application/json" https://localhost:8001/vms/test-vm-8/ \
-X PUT -d '{"ticket": {"passwd": "abcd"}}'
get the ticket
$ sudo curl -k -u <user>:<password> -H "Content-Type: application/json" -H \
"Accept: application/json" https://localhost:8001/vms/test-vm-8/
ShaoHe Feng (5):
vm ticket in backend: update API.md
vm ticket in backend: update controller and API.json
vm ticket in backend: update model
vm ticket in backend: update mockmodel
vm ticket in backend: update test case
docs/API.md | 7 +++++
src/kimchi/API.json | 16 +++++++++++
src/kimchi/control/vms.py | 3 ++-
src/kimchi/i18n.py | 2 ++
src/kimchi/mockmodel.py | 14 ++++++++++
src/kimchi/model/vms.py | 68 +++++++++++++++++++++++++++++++++++++++++++++++
tests/test_model.py | 15 +++++++++++
tests/test_rest.py | 12 +++++++++
8 files changed, 136 insertions(+), 1 deletion(-)
--
1.9.3
10 years, 5 months
[PATCH V2] add a base64 safe url encode and decode to js utils
by shaohef@linux.vnet.ibm.com
From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
V1 -> V2:
address zhengsheng's comment.
add the base64 wiki to commit message.
ShaoHe Feng (1):
add a base64 safe url encode and decode to js utils
ui/js/src/kimchi.utils.js | 8 ++++++++
1 file changed, 8 insertions(+)
--
1.9.3
10 years, 5 months
[RFC]Redirect to login page if user close the browser
by Wen Wang
Hi all,
Now after closing the browser, if you paste the url you copied from either
kimchi or vnc, you can access kimchi or vnc without being asked for
authentication with the login page. I think it's better to redirect the user to
the login page after closing the browser even if they pasted the url they used
before to enhance the security.
Thanks
Wang Wen
10 years, 5 months