9:37 a.m.
The current vm ui console connection is unencrypted. This patch adds
encrypted vm console connection by enabling ssl support in websockify
and adding a new connection option on UI side. We don't enable the
encrypted by default in the existing vm console connection because it
can avoid the overhead caused by encryption and also browsers doesn't
support well for the usage self-signed certs in the ssl websocket
connection. For details, please see:
https://github.com/kanaka/websockify/wiki/Encrypted-Connections
For chrome browser, the encrypted console connection should work after
you login with ssl connection. But for firefox, you have to connect to
https://host-ip:64667/ and accept the self-signed cert.
---
src/kimchi/vnc.py | 10 ++++++++--
ui/js/src/kimchi.api.js | 8 +++++++-
ui/js/src/kimchi.guest_main.js | 20 ++++++++++++++++++--
ui/pages/guest.html.tmpl | 1 +
4 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 1f36e9a..3251f06 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -23,7 +23,7 @@ import os
import subprocess
-from kimchi.config import config
+from kimchi.config import config, paths
WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens'
@@ -36,9 +36,15 @@ def new_ws_proxy():
if e.errno == errno.EEXIST:
pass
+ cert = config.get('server', 'ssl_cert')
+ key = config.get('server', 'ssl_key')
+ if not (cert and key):
+ cert = '%s/kimchi-cert.pem' % paths.conf_dir
+ key = '%s/kimchi-key.pem' % paths.conf_dir
+
cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
args = ['python', cmd, config.get('display',
'display_proxy_port'),
- '--target-config', WS_TOKENS_DIR]
+ '--target-config', WS_TOKENS_DIR, '--cert', cert,
'--key', key]
p = subprocess.Popen(args, close_fds=True)
return p
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 1bde45c..262f64d 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -312,7 +312,7 @@ var kimchi = {
});
},
- vncToVM : function(vm) {
+ vncToVM : function(vm, encrypted) {
kimchi.requestJSON({
url : '/config',
type : 'GET',
@@ -332,6 +332,9 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/vnc_auto.html?port=" + proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
+ if (encrypted) {
+ url += '&encrypt=1'
+ }
window.open(url);
});
}).error(function() {
@@ -355,6 +358,9 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/spice.html?port=" + proxy_port +
"&listen="
+ data.graphics.listen + "&token=" +
encodeURIComponent(vm);
+ if (encrypted) {
+ url += '&encrypt=1'
+ }
window.open(url);
});
}).error(function() {
diff --git a/ui/js/src/kimchi.guest_main.js b/ui/js/src/kimchi.guest_main.js
index 510e7f9..a811a6b 100644
--- a/ui/js/src/kimchi.guest_main.js
+++ b/ui/js/src/kimchi.guest_main.js
@@ -151,10 +151,22 @@ kimchi.openVmConsole = function(event) {
var vm=$(this).closest('li[name=guest]');
var vmObject=vm.data();
if (vmObject.graphics['type'] == 'vnc') {
- kimchi.vncToVM(vm.attr('id'));
+ kimchi.vncToVM(vm.attr('id'), false);
}
else if (vmObject.graphics['type'] == 'spice') {
- kimchi.spiceToVM(vm.attr('id'));
+ kimchi.spiceToVM(vm.attr('id'), false);
+ }
+
+};
+
+kimchi.openVmSecureConsole = function(event) {
+ var vm=$(this).closest('li[name=guest]');
+ var vmObject=vm.data();
+ if (vmObject.graphics['type'] == 'vnc') {
+ kimchi.vncToVM(vm.attr('id'), true);
+ }
+ else if (vmObject.graphics['type'] == 'spice') {
+ kimchi.spiceToVM(vm.attr('id'), true);
}
};
@@ -275,13 +287,17 @@ kimchi.createGuestLi = function(vmObject, prevScreenImage, openMenu)
{
}
var consoleActions=guestActions.find("[name=vm-console]");
+ var secureConsoleActions=guestActions.find("[name=vm-secureConsole]");
if ((vmObject.graphics['type'] == 'vnc') ||
(vmObject.graphics['type'] == 'spice')) {
consoleActions.on("click", kimchi.openVmConsole);
consoleActions.show();
+ secureConsoleActions.on("click", kimchi.openVmSecureConsole);
} else { //we don't recognize the VMs supported graphics, so hide the
menu choice
consoleActions.hide();
consoleActions.off("click",kimchi.openVmConsole);
+ secureConsoleActions.hide();
+ secureConsoleActions.off("click", kimchi.openVmSecureConsole);
}
//Setup action event handlers
diff --git a/ui/pages/guest.html.tmpl b/ui/pages/guest.html.tmpl
index c7335c8..6cacc11 100644
--- a/ui/pages/guest.html.tmpl
+++ b/ui/pages/guest.html.tmpl
@@ -56,6 +56,7 @@
<span
class="text">$_("Actions")</span><span
class="arrow"></span>
<div class="popover actionsheet right-side"
style="width: 250px">
<button class="button-big shutoff-disabled"
name="vm-console" ><span
class="text">$_("Connect")</span></button>
+ <button class="button-big shutoff-disabled"
name="vm-secureConsole" ><span class="text">$_("Securely
connect")</span></button>
<button class="button-big shutoff-disabled"
name="vm-media"><span class="text">$_("Manage
Media")</span></button>
<button class="button-big running-disabled"
name="vm-edit"><span
class="text">$_("Edit")</span></button>
<button class="button-big shutoff-hidden"
name="vm-reset"><span
class="text">$_("Reset")</span></button>
--
1.8.4.2
10:10 a.m.
On 04/29/2014 11:37 AM, Mark Wu wrote:
The current vm ui console connection is unencrypted. This patch adds
encrypted vm console connection by enabling ssl support in websockify
and adding a new connection option on UI side. We don't enable the
encrypted by default in the existing vm console connection because it
can avoid the overhead caused by encryption and also browsers doesn't
support well for the usage self-signed certs in the ssl websocket
connection. For details, please see:
https://github.com/kanaka/websockify/wiki/Encrypted-Connections
For chrome browser, the encrypted console connection should work after
you login with ssl connection. But for firefox, you have to connect to
https://host-ip:64667/ and accept the self-signed cert.
---
src/kimchi/vnc.py | 10 ++++++++--
ui/js/src/kimchi.api.js | 8 +++++++-
ui/js/src/kimchi.guest_main.js | 20 ++++++++++++++++++--
ui/pages/guest.html.tmpl | 1 +
4 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 1f36e9a..3251f06 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -23,7 +23,7 @@ import os
import subprocess
-from kimchi.config import config
+from kimchi.config import config, paths
WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens'
@@ -36,9 +36,15 @@ def new_ws_proxy():
if e.errno == errno.EEXIST:
pass
+ cert = config.get('server', 'ssl_cert')
+ key = config.get('server', 'ssl_key')
+ if not (cert and key):
+ cert = '%s/kimchi-cert.pem' % paths.conf_dir
+ key = '%s/kimchi-key.pem' % paths.conf_dir
+
cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
args = ['python', cmd, config.get('display',
'display_proxy_port'),
- '--target-config', WS_TOKENS_DIR]
+ '--target-config', WS_TOKENS_DIR, '--cert', cert,
'--key', key]
p = subprocess.Popen(args, close_fds=True)
return p
Thanks for the patch, Mark!
I was thinking in to do it too.
But as all HTTP requests will be redirect to HTTPS I don't see any
reason to have 2 kinds of connections to VNC/spice.
The default should handle the secure version.
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 1bde45c..262f64d 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -312,7 +312,7 @@ var kimchi = {
});
},
- vncToVM : function(vm) {
+ vncToVM : function(vm, encrypted) {
kimchi.requestJSON({
url : '/config',
type : 'GET',
@@ -332,6 +332,9 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/vnc_auto.html?port=" + proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
+ if (encrypted) {
+ url += '&encrypt=1'
+ }
window.open(url);
});
}).error(function() {
@@ -355,6 +358,9 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/spice.html?port=" + proxy_port +
"&listen="
+ data.graphics.listen + "&token=" +
encodeURIComponent(vm);
+ if (encrypted) {
+ url += '&encrypt=1'
+ }
window.open(url);
});
}).error(function() {
diff --git a/ui/js/src/kimchi.guest_main.js b/ui/js/src/kimchi.guest_main.js
index 510e7f9..a811a6b 100644
--- a/ui/js/src/kimchi.guest_main.js
+++ b/ui/js/src/kimchi.guest_main.js
@@ -151,10 +151,22 @@ kimchi.openVmConsole = function(event) {
var vm=$(this).closest('li[name=guest]');
var vmObject=vm.data();
if (vmObject.graphics['type'] == 'vnc') {
- kimchi.vncToVM(vm.attr('id'));
+ kimchi.vncToVM(vm.attr('id'), false);
}
else if (vmObject.graphics['type'] == 'spice') {
- kimchi.spiceToVM(vm.attr('id'));
+ kimchi.spiceToVM(vm.attr('id'), false);
+ }
+
+};
+
+kimchi.openVmSecureConsole = function(event) {
+ var vm=$(this).closest('li[name=guest]');
+ var vmObject=vm.data();
+ if (vmObject.graphics['type'] == 'vnc') {
+ kimchi.vncToVM(vm.attr('id'), true);
+ }
+ else if (vmObject.graphics['type'] == 'spice') {
+ kimchi.spiceToVM(vm.attr('id'), true);
}
};
@@ -275,13 +287,17 @@ kimchi.createGuestLi = function(vmObject, prevScreenImage,
openMenu) {
}
var consoleActions=guestActions.find("[name=vm-console]");
+ var secureConsoleActions=guestActions.find("[name=vm-secureConsole]");
if ((vmObject.graphics['type'] == 'vnc') ||
(vmObject.graphics['type'] == 'spice')) {
consoleActions.on("click", kimchi.openVmConsole);
consoleActions.show();
+ secureConsoleActions.on("click", kimchi.openVmSecureConsole);
} else { //we don't recognize the VMs supported graphics, so hide the
menu choice
consoleActions.hide();
consoleActions.off("click",kimchi.openVmConsole);
+ secureConsoleActions.hide();
+ secureConsoleActions.off("click", kimchi.openVmSecureConsole);
}
//Setup action event handlers
diff --git a/ui/pages/guest.html.tmpl b/ui/pages/guest.html.tmpl
index c7335c8..6cacc11 100644
--- a/ui/pages/guest.html.tmpl
+++ b/ui/pages/guest.html.tmpl
@@ -56,6 +56,7 @@
<span
class="text">$_("Actions")</span><span
class="arrow"></span>
<div class="popover actionsheet right-side"
style="width: 250px">
<button class="button-big shutoff-disabled"
name="vm-console" ><span
class="text">$_("Connect")</span></button>
+ <button class="button-big shutoff-disabled"
name="vm-secureConsole" ><span class="text">$_("Securely
connect")</span></button>
<button class="button-big shutoff-disabled"
name="vm-media"><span class="text">$_("Manage
Media")</span></button>
<button class="button-big running-disabled"
name="vm-edit"><span
class="text">$_("Edit")</span></button>
<button class="button-big shutoff-hidden"
name="vm-reset"><span
class="text">$_("Reset")</span></button>
8:45 p.m.
On 04/29/2014 11:10 PM, Aline Manera wrote:
On 04/29/2014 11:37 AM, Mark Wu wrote:
> The current vm ui console connection is unencrypted. This patch adds
> encrypted vm console connection by enabling ssl support in websockify
> and adding a new connection option on UI side. We don't enable the
> encrypted by default in the existing vm console connection because it
> can avoid the overhead caused by encryption and also browsers doesn't
> support well for the usage self-signed certs in the ssl websocket
> connection. For details, please see:
> https://github.com/kanaka/websockify/wiki/Encrypted-Connections
>
> For chrome browser, the encrypted console connection should work after
> you login with ssl connection. But for firefox, you have to connect to
> https://host-ip:64667/ and accept the self-signed cert.
> ---
> src/kimchi/vnc.py | 10 ++++++++--
> ui/js/src/kimchi.api.js | 8 +++++++-
> ui/js/src/kimchi.guest_main.js | 20 ++++++++++++++++++--
> ui/pages/guest.html.tmpl | 1 +
> 4 files changed, 34 insertions(+), 5 deletions(-)
>
> diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
> index 1f36e9a..3251f06 100644
> --- a/src/kimchi/vnc.py
> +++ b/src/kimchi/vnc.py
> @@ -23,7 +23,7 @@ import os
> import subprocess
>
>
> -from kimchi.config import config
> +from kimchi.config import config, paths
>
>
> WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens'
> @@ -36,9 +36,15 @@ def new_ws_proxy():
> if e.errno == errno.EEXIST:
> pass
>
> + cert = config.get('server', 'ssl_cert')
> + key = config.get('server', 'ssl_key')
> + if not (cert and key):
> + cert = '%s/kimchi-cert.pem' % paths.conf_dir
> + key = '%s/kimchi-key.pem' % paths.conf_dir
> +
> cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
> args = ['python', cmd, config.get('display',
> 'display_proxy_port'),
> - '--target-config', WS_TOKENS_DIR]
> + '--target-config', WS_TOKENS_DIR, '--cert', cert,
> '--key', key]
> p = subprocess.Popen(args, close_fds=True)
> return p
Thanks for the patch, Mark!
I was thinking in to do it too.
But as all HTTP requests will be redirect to HTTPS I don't see any
reason to have 2 kinds of connections to VNC/spice.
The default should handle the secure version.
The reason why I added a new connection rather than enable encrypted in
the existing connection is
the browser doesn't support well forthe usage self-signed certs in the
ssl websocket
connection, especially for firefox. I mentioned it in commit message.
For firefox user, the connect will
break if they don't know the notes to connect to https://host-ip:64667.
But I agree one connection looks clean from the technical perspective.
I will provide a revised version based on your comments.
If it still needs tuning, I need ask your help on it since I will be on
vacation in the following days. Thanks!
>
> diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
> index 1bde45c..262f64d 100644
> --- a/ui/js/src/kimchi.api.js
> +++ b/ui/js/src/kimchi.api.js
> @@ -312,7 +312,7 @@ var kimchi = {
> });
> },
>
> - vncToVM : function(vm) {
> + vncToVM : function(vm, encrypted) {
> kimchi.requestJSON({
> url : '/config',
> type : 'GET',
> @@ -332,6 +332,9 @@ var kimchi = {
> url = 'http://' + location.hostname + ':' +
http_port;
> url += "/vnc_auto.html?port=" + proxy_port;
> url += "&path=?token=" + encodeURIComponent(vm);
> + if (encrypted) {
> + url += '&encrypt=1'
> + }
> window.open(url);
> });
> }).error(function() {
> @@ -355,6 +358,9 @@ var kimchi = {
> url = 'http://' + location.hostname + ':' +
http_port;
> url += "/spice.html?port=" + proxy_port +
"&listen="
> + data.graphics.listen + "&token=" +
> encodeURIComponent(vm);
> + if (encrypted) {
> + url += '&encrypt=1'
> + }
> window.open(url);
> });
> }).error(function() {
> diff --git a/ui/js/src/kimchi.guest_main.js
> b/ui/js/src/kimchi.guest_main.js
> index 510e7f9..a811a6b 100644
> --- a/ui/js/src/kimchi.guest_main.js
> +++ b/ui/js/src/kimchi.guest_main.js
> @@ -151,10 +151,22 @@ kimchi.openVmConsole = function(event) {
> var vm=$(this).closest('li[name=guest]');
> var vmObject=vm.data();
> if (vmObject.graphics['type'] == 'vnc') {
> - kimchi.vncToVM(vm.attr('id'));
> + kimchi.vncToVM(vm.attr('id'), false);
> }
> else if (vmObject.graphics['type'] == 'spice') {
> - kimchi.spiceToVM(vm.attr('id'));
> + kimchi.spiceToVM(vm.attr('id'), false);
> + }
> +
> +};
> +
> +kimchi.openVmSecureConsole = function(event) {
> + var vm=$(this).closest('li[name=guest]');
> + var vmObject=vm.data();
> + if (vmObject.graphics['type'] == 'vnc') {
> + kimchi.vncToVM(vm.attr('id'), true);
> + }
> + else if (vmObject.graphics['type'] == 'spice') {
> + kimchi.spiceToVM(vm.attr('id'), true);
> }
>
> };
> @@ -275,13 +287,17 @@ kimchi.createGuestLi = function(vmObject,
> prevScreenImage, openMenu) {
> }
>
> var consoleActions=guestActions.find("[name=vm-console]");
> + var
> secureConsoleActions=guestActions.find("[name=vm-secureConsole]");
>
> if ((vmObject.graphics['type'] == 'vnc') ||
> (vmObject.graphics['type'] == 'spice')) {
> consoleActions.on("click", kimchi.openVmConsole);
> consoleActions.show();
> + secureConsoleActions.on("click", kimchi.openVmSecureConsole);
> } else { //we don't recognize the VMs supported
> graphics, so hide the menu choice
> consoleActions.hide();
> consoleActions.off("click",kimchi.openVmConsole);
> + secureConsoleActions.hide();
> + secureConsoleActions.off("click", kimchi.openVmSecureConsole);
> }
>
> //Setup action event handlers
> diff --git a/ui/pages/guest.html.tmpl b/ui/pages/guest.html.tmpl
> index c7335c8..6cacc11 100644
> --- a/ui/pages/guest.html.tmpl
> +++ b/ui/pages/guest.html.tmpl
> @@ -56,6 +56,7 @@
> <span
> class="text">$_("Actions")</span><span
class="arrow"></span>
> <div class="popover actionsheet right-side"
> style="width: 250px">
> <button class="button-big
> shutoff-disabled" name="vm-console" ><span
> class="text">$_("Connect")</span></button>
> + <button class="button-big
> shutoff-disabled" name="vm-secureConsole" ><span
> class="text">$_("Securely
connect")</span></button>
> <button class="button-big
> shutoff-disabled" name="vm-media"><span
class="text">$_("Manage
> Media")</span></button>
> <button class="button-big
> running-disabled" name="vm-edit"><span
> class="text">$_("Edit")</span></button>
> <button class="button-big
> shutoff-hidden" name="vm-reset"><span
> class="text">$_("Reset")</span></button>
3888
days inactive
3889
days old
2 comments
2 participants
participants (2)
-
Aline Manera -
Mark Wu