[Kimchi-devel] [PATCH v2] Enable encryption in vm console connection
Mark Wu
wudxw at linux.vnet.ibm.com
Wed Apr 30 01:48:20 UTC 2014
The current vm ui console connection is unencrypted. This patch enables
an encrypted vm console connection. However, browsers do not handle
self-signed certs well in an ssl websocket connection.
For details, please see:
https://github.com/kanaka/websockify/wiki/Encrypted-Connections
For chrome browser, the encrypted console connection should work after
you login with ssl connection. But for firefox, you have to connect to
https://host-ip:64667/ and accept the self-signed cert.
---
src/kimchi/vnc.py | 10 ++++++++--
ui/js/src/kimchi.api.js | 2 ++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/kimchi/vnc.py b/src/kimchi/vnc.py
index 1f36e9a..3251f06 100644
--- a/src/kimchi/vnc.py
+++ b/src/kimchi/vnc.py
@@ -23,7 +23,7 @@ import os
import subprocess
-from kimchi.config import config
+from kimchi.config import config, paths
WS_TOKENS_DIR = '/var/lib/kimchi/vnc-tokens'
@@ -36,9 +36,15 @@ def new_ws_proxy():
if e.errno == errno.EEXIST:
pass
+ cert = config.get('server', 'ssl_cert')
+ key = config.get('server', 'ssl_key')
+ if not (cert and key):
+ cert = '%s/kimchi-cert.pem' % paths.conf_dir
+ key = '%s/kimchi-key.pem' % paths.conf_dir
+
cmd = os.path.join(os.path.dirname(__file__), 'websockify.py')
args = ['python', cmd, config.get('display', 'display_proxy_port'),
- '--target-config', WS_TOKENS_DIR]
+ '--target-config', WS_TOKENS_DIR, '--cert', cert, '--key', key]
p = subprocess.Popen(args, close_fds=True)
return p
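Review bot: Passing `--cert` and `--key` lets websockify accept TLS, but without `'--ssl-only'` in `args` the proxy will still serve unencrypted WebSocket connections on the same port, so encryption depends entirely on the client choosing to send `encrypt=1`. Appending `'--ssl-only'` to the list would enforce what the commit title promises. The fallback paths `kimchi-cert.pem` and `kimchi-key.pem` under `paths.conf_dir` are also handed to `Popen` without checking that they exist or are readable, so a missing file would presumably surface only as a failed console connection; an `os.path.isfile` check with a logged error before building `args` would make that visible. `new_ws_proxy` starts outside this hunk, so the earlier part of the body is not reviewed here.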
diff --git a/ui/js/src/kimchi.api.js b/ui/js/src/kimchi.api.js
index 1bde45c..6fcac6d 100644
--- a/ui/js/src/kimchi.api.js
+++ b/ui/js/src/kimchi.api.js
@@ -332,6 +332,7 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/vnc_auto.html?port=" + proxy_port;
url += "&path=?token=" + encodeURIComponent(vm);
+ url += '&encrypt=1'
window.open(url);
});
}).error(function() {
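Review bot: The console page is still opened over plain `http://` (the `url = 'http://' + location.hostname + ...` line just above the added `encrypt=1`), so the client page and the VM token in the query string travel unencrypted and only the websocket is protected. A page delivered over HTTP can be altered in transit, so the launch URL should use the server's HTTPS endpoint whenever the session itself is on HTTPS. The same applies to the `spice.html` hunk at `@@ -355,6 +356,7 @@`. Both added lines also lack the trailing semicolon used by the surrounding statements: `url += '&encrypt=1';`. The enclosing functions start and end outside these hunks.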
@@ -355,6 +356,7 @@ var kimchi = {
url = 'http://' + location.hostname + ':' + http_port;
url += "/spice.html?port=" + proxy_port + "&listen="
+ data.graphics.listen + "&token=" + encodeURIComponent(vm);
+ url += '&encrypt=1'
window.open(url);
});
}).error(function() {
--
1.8.4.2