On 05/21/2014 04:17 AM, Christy Perez wrote:
One comment inline...
On Tue, 2014-05-20 at 23:27 +0800, shaohef(a)linux.vnet.ibm.com wrote:
> From: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
>
> Only the user who gets the ticket can access the VM console.
>
> The ticket becomes invalid when it expires.
>
> We only manage the VMs created by kimchi.
> We do not set the ticket for VMs that were created by other management tools.
>
> Signed-off-by: ShaoHe Feng <shaohef(a)linux.vnet.ibm.com>
> Signed-off-by: Zhou Zheng Sheng <zhshzhou(a)linux.vnet.ibm.com>
> ---
> src/kimchi/control/vms.py | 1 +
> src/kimchi/model/vms.py | 28 ++++++++++++++++++++++++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/src/kimchi/control/vms.py b/src/kimchi/control/vms.py
> index 508f478..e3c72d1 100644
> --- a/src/kimchi/control/vms.py
> +++ b/src/kimchi/control/vms.py
> @@ -37,6 +37,7 @@ class VM(Resource):
> self.uri_fmt = '/vms/%s'
> for ident, node in sub_nodes.items():
> setattr(self, ident, node(model, self.ident))
> + self.setticket = self.generate_action_handler('setticket')
> self.start = self.generate_action_handler('start')
> self.poweroff = self.generate_action_handler('poweroff')
> self.shutdown = self.generate_action_handler('shutdown')
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 17bda04..0daaea0 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -19,7 +19,10 @@
>
> from lxml.builder import E
> import lxml.etree as ET
> +from lxml import etree, objectify
> import os
> +import random
> +import string
> import time
> import uuid
> from xml.etree import ElementTree
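Review bot: The added `from lxml import etree, objectify` binds `lxml.etree` a second time, because the context line above it already has `import lxml.etree as ET`. Importing only what is new, `from lxml import objectify`, and calling `ET.tostring(...)` in `setticket` keeps one name for the module. The `random` import added here is used for password generation; see the note on the `setticket` hunk.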
> @@ -353,9 +356,14 @@ class VMModel(object):
> graphics = self._vm_get_graphics(name)
> graphics_type, graphics_listen, graphics_port = graphics
> graphics_port = graphics_port if state == 'running' else None
> + passwd = None
> try:
> if state == 'running' and self._has_video(dom):
> screenshot = self.vmscreenshot.lookup(name)
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + passwd = graphic.attrib.get('passwd')
> elif state == 'shutoff':
> # reset vm stats when it is powered off to avoid sending
> # incorrect (old) data
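Review bot: The lines added to the `state == 'running'` branch read the graphics password from the `VIR_DOMAIN_XML_SECURE` XML for every running VM, without the `distro is None` check that `setticket` uses to skip VMs not created by kimchi, so a password set by another tool is picked up as well. `root.devices.find("graphics")` returns None when the domain has no graphics element, and `graphic.attrib` then raises AttributeError; `passwd = graphic.attrib.get('passwd') if graphic is not None else None` avoids that. The handlers of the enclosing `try` are outside the hunk, so whether such an error is caught there cannot be told from here.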
> @@ -394,6 +402,7 @@ class VMModel(object):
> 'graphics': {"type": graphics_type,
> "listen": graphics_listen,
> "port": graphics_port},
> + 'ticket': passwd,
> 'users': users,
> 'groups': groups
> }
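Review bot: `'ticket': passwd` puts the console password into every lookup result, so any client allowed to read the VM resource receives it, and it ends up wherever lookup responses are logged or cached. That weakens the stated goal that only the user who obtained the ticket can open the console. Consider returning the ticket only to the caller of the `setticket` action and leaving it out of lookup; if it has to stay, return `passwdValidTo` alongside it so a client can tell an expired ticket from a live one. The dict literal starts outside the hunk.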
> @@ -513,6 +522,25 @@ class VMModel(object):
> else:
> raise OperationFailed("KCHVM0010E", {'name': name})
>
> + def setticket(self, name, password=None, expire=10):
The default is 10, not 30?
We still need to discuss the default value.
Now we can distinguish whether a guest was created by kimchi or by other tools.
Here is my proposal:
1. If the guest was created by another tool, such as virt-manager:
if the user has not set a password, kimchi will not add a password
for it.
If the user has set a password for the guest, kimchi will not change the
password,
and we will not return this password to the UI; the user types in the
password himself.
2. If the guest was created by kimchi:
kimchi sets the ticket, and the UI gets the ticket automatically to access the guest,
so 10s may be OK.
But we should consider:
do we allow other tools such as virt-manager to access a guest created
by kimchi?
Then 10s is not enough. And how does the user get the ticket?
Does he use virt-manager to reset the password?
Or does kimchi provide a way to show them the password?
> + dom = self.get_vm(name, self.conn)
> + version, distro = self.vm_get_os_metadata(dom)
> + if distro is None:
> + # this VM is not created by kimchi
> + return
> +
> + xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_SECURE)
> + root = objectify.fromstring(xml)
> + graphic = root.devices.find("graphics")
> + password = password if password is not None else "".join(
> + random.sample(string.ascii_letters + string.digits, 8))
> + graphic.attrib['passwd'] = password
> + valid_to = time.strftime('%Y-%m-%dT%H:%M:%S',
> + time.gmtime(time.time() + float(expire)))
> + graphic.attrib['passwdValidTo'] = valid_to
> + graphic_xml = etree.tostring(graphic)
> + dom.updateDeviceFlags(graphic_xml, 0)
> +
> def _vmscreenshot_delete(self, vm_uuid):
> screenshot = VMScreenshotModel.get_screenshot(vm_uuid, self.objstore,
> self.conn)
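Review bot: The password generated in `setticket` comes from `random.sample`, which uses the non-cryptographic Mersenne Twister generator and draws without replacement, so the 8 characters are predictable in principle and never repeat. Draw from the OS entropy source instead: `rng = random.SystemRandom()` and `"".join(rng.choice(string.ascii_letters + string.digits) for _ in range(8))`. `root.devices.find("graphics")` can return None for a domain without a graphics element, and `float(expire)` raises ValueError on a non-numeric value (presumably it comes from the request); both should become an error the API reports rather than an unhandled exception. The bare `return` for VMs not created by kimchi makes the action look successful although no ticket was set, so the caller cannot tell the two cases apart.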
Regards,
- Christy
--
Thanks and best regards!
Sheldon Feng(冯少合)<shaohef(a)linux.vnet.ibm.com>
IBM Linux Technology Center