[ovirt-users] Guest VM Console Creation/Access using REST API and noVNC
Itamar Heim
iheim at redhat.com
Thu Jul 24 22:31:32 UTC 2014
On 07/24/2014 02:43 PM, Frantisek Kobzik wrote:
> Hello Punit,
>
> this wouldn't be so straightforward. The data that goes from noVNC client to websocket proxy must be digitally signed. In engine, we use SignString query for that. There are 2 possibilities to create such signatures:
> 1, Expose SignString via rest api, or
this means its a gap we need to close in any case to allow moving the
portals to work over the REST API?
> 2, implement this signing mechanism from scratch (for that the "signing machine" would have to posses private key for signing ovirt-websocket-proxy tickets, which I don't like).
>
> This is just first idea on how we could do it. Let me think about it a little bit longer, I'll try to ask around and maybe we'll come up with something better.
>
> Thanks,
> Franta.
>
> ----- Original Message -----
> From: "Punit Dambiwal" <hypunit at gmail.com>
> To: "Shanil S" <xielesshanil at gmail.com>, "Dan Kenigsberg" <danken at redhat.com>, ahadas at redhat.com, "Sven Kieske" <S.Kieske at mittwald.de>, "Antoni Segura Puimedon" <asegurap at redhat.com>, "Itamar Heim" <iheim at redhat.com>
> Cc: "Michal Skrivanek" <michal.skrivanek at redhat.com>, "Frantisek Kobzik" <fkobzik at redhat.com>, users at ovirt.org
> Sent: Thursday, July 24, 2014 6:50:02 AM
> Subject: Re: [ovirt-users] Guest VM Console Creation/Access using REST API and noVNC
>
> Hi All,
>
> Is there any body in the community...who can help us to resolve this
> issue...
>
> 1. We are using Ovirt 3.4.3 and we are able to access the console from the
> ovirt panel.
> 2. We don't want to use the ovirt engine portal for the webUI, we want to
> use our own portal for user interface.
> 3. Webbsocket proxy Installed on the same sever where ovirt engine
> installed.
> 4. We want to access the VM console from our portal,which is different from
> this Ovirt cluster.
> 5. We already allowed our portal server Ip address in the engine as well as
> all the hypervisior servers.....also selinux on all the servers are
> disabled mode.
> 6. Display network is on the ovirtmgmt network and the same network we are
> using to get the VM console....
> 7. We are able to create the ticket and with the help of the ticket
> details,when we try to access the VM console through our portal it failed
> with the following error (Failed to connect to server (code: 1006)).
> 8. Same time we can access the console from any vnc client,which is
> installed on my local system,but through browser with novnc it through
> error.
> 9. We found that there is no direct api function to create console, so how
> we can create console using our own portal and how we can achieve this ??
> 10. If it's not possible then is there any workaround for the same...
>
> Our whole project just stuck because of this issue...please help us so we
> can go ahead with Ovirt....
>
> Thanks,
> Punit
>
>
>
> On Wed, Jul 23, 2014 at 1:00 PM, Shanil S <xielesshanil at gmail.com> wrote:
>
>> Hi Michal,
>>
>> We are using 3.4.3 and we are able to access the console from the ovirt
>> panel. We don't want to use the ovirt engine portal for the webUI, we want
>> to use our own portal for user interface. We have installed websocket proxy
>> on the ovirt engine server and now we want to access the VM console from
>> our portal. How we can achieve this ? it is found that there is no direct
>> api function to create console, so how we can create console using our own
>> portal ?
>>
>>
>> --
>> Regards
>> Shanil
>>
>>
>> On Tue, Jul 22, 2014 at 7:15 PM, Michal Skrivanek <
>> michal.skrivanek at redhat.com> wrote:
>>
>>>
>>> On Jul 22, 2014, at 13:34 , Shanil S <xielesshanil at gmail.com> wrote:
>>>
>>>> Hi Michal,
>>>>
>>>> Thanks for your updates.
>>>>
>>>> I am unable to view the above post
>>> https://bugzilla.redhat.com/show_bug.cgi?id=838468 and getting an access
>>> denied error. I don't have the login to this, could you please paste the
>>> content here ?
>>>
>>> should be fixed now, sorry. try again
>>> NoVncImpl.java in review 13931 should explain some things… (or Franta
>>> can, if something's not clear:-)
>>>
>>>>
>>>>
>>>> --
>>>> Regards
>>>> Shanil
>>>>
>>>>
>>>> On Tue, Jul 22, 2014 at 12:53 PM, Michal Skrivanek <
>>> michal.skrivanek at redhat.com> wrote:
>>>>
>>>> On 22 Jul 2014, at 09:02, Punit Dambiwal wrote:
>>>>
>>>>> Hi Michal,
>>>>>
>>>>> We want to access vm console by using noVNC and Rest api. We are using
>>> websocket proxy on the same machine where engine runs and we try to get the
>>> console access from the another server that is outside from this cluster.
>>>>>
>>>>> But when we try to connect the vnc_auto.html from the server using
>>> host ip, port and the password which we get from the ticket creation… it
>>> shows a Failed to connect to server (code: 1006).
>>>>
>>>> Hi Punit,
>>>> did you read about the modification we did for the noVNC package?
>>> http://www.ovirt.org/Features/noVNC_console
>>>>
>>>>
>>>>>
>>>>> The following are the codes which we use to create the ticket…
>>> host,port and the password will get from the ticket and with the same
>>> details (host,port & password) we are able to connect the console using the
>>> vnc clients(TigerVNC etc.)
>>>>
>>>> you mean the "ticket" call? that returns you the direct connection
>>> information
>>>> but you want to connect to websocket proxy(to engine:6100 indeed) and
>>> pass the above information as an signed encoded url path (where to connect
>>> to from proxy)
>>>> check https://bugzilla.redhat.com/show_bug.cgi?id=838468 and
>>> associated patches to see how it is being encoded
>>>>
>>>> Thanks,
>>>> michal
>>>>
>>>>>
>>>>> try {
>>>>> var host = WebUtil.getQueryVar('host', '<?php echo
>>> $host?>');
>>>>> var port = WebUtil.getQueryVar('port', '<?php echo
>>> $port?>');
>>>>> var path = WebUtil.getQueryVar('path', 'websockify');
>>>>>
>>>>> var password = '<?php echo $password?>';
>>>>>
>>>>> if ((!host) || (!port)) {
>>>>> updateState('failed',
>>>>> "Must specify host and port in URL");
>>>>> return;
>>>>> }
>>>>>
>>>>> rfb = new RFB({'target': $D('noVNC_canvas'),
>>>>> 'encrypt':
>>> WebUtil.getQueryVar('encrypt',
>>>>>
>>>>> (window.location.protocol === "https:")),
>>>>> 'true_color':
>>> WebUtil.getQueryVar('true_color', true),
>>>>> 'local_cursor':
>>> WebUtil.getQueryVar('cursor', true),
>>>>> 'shared':
>>> WebUtil.getQueryVar('shared', true),
>>>>> 'view_only':
>>> WebUtil.getQueryVar('view_only', false),
>>>>> 'updateState': updateState,
>>>>> 'onPasswordRequired': passwordRequired});
>>>>> rfb.connect(host, port, password, path);
>>>>> }catch(e) {alert(e);
>>>>>
>>>>>
>>>>> Could you please check if there any issues with it and guide me how to
>>> get rid of this failed to connect error?
>>>>>
>>>>> I have attached the screen shots for further reference…
>>>>>
>>>>> Thanks,
>>>>> Punit
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jul 22, 2014 at 2:54 PM, Shanil S <xielesshanil at gmail.com>
>>> wrote:
>>>>> Hi All,
>>>>>
>>>>> We already updated with the logs and the clear picture about the issue.
>>>>>
>>>>> --
>>>>> Regards
>>>>> Shanil
>>>>>
>>>>>
>>>>> On Mon, Jul 21, 2014 at 5:54 PM, Michal Skrivanek <
>>> michal.skrivanek at redhat.com> wrote:
>>>>>
>>>>> On Jul 21, 2014, at 04:33 , Punit Dambiwal <hypunit at gmail.com> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> I am still waiting for the updates...is there any one have the clue
>>> to solve this problem.... ???
>>>>>
>>>>> Hi Punit,
>>>>> I'm afraid no one can help you debug connectivity issues remotely,
>>> without describing precisely what are you doing and how, and include all
>>> the logs
>>>>>
>>>>> Thanks,
>>>>> michal
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Punit
>>>>>>
>>>>>>
>>>>>> On Fri, Jul 18, 2014 at 12:37 PM, Punit Dambiwal <hypunit at gmail.com>
>>> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> We are also struggling with the same problem....can anybody mind to
>>> update here the resolution or suggest us the way to get rid of this "Failed
>>> to connect to server (code: 1006" error.
>>>>>>
>>>>>> Thanks,
>>>>>> Punit
>>>>>>
>>>>>>
>>>>>> On Thu, Jul 17, 2014 at 5:20 PM, Shanil S <xielesshanil at gmail.com>
>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> We are waiting for the updates, it will be great if anyone can give
>>> the helpful details.. :)
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Shanil
>>>>>>
>>>>>>
>>>>>> On Thu, Jul 17, 2014 at 10:23 AM, Shanil S <xielesshanil at gmail.com>
>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> we have enabled our portal ip address on the engine and hosts
>>> firewall but still the connection failed. so there should be no firewall
>>> issues.
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Shanil
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 16, 2014 at 3:26 PM, Shanil S <xielesshanil at gmail.com>
>>> wrote:
>>>>>> Hi Sven,
>>>>>>
>>>>>> Regarding the ticket "path", Is it the direct combination of host
>>> and port ? suppose if the host is 1.2.3.4 and the port is 5100 then what
>>> should be the "path" value ? Is there encryption needs here ?
>>>>>>
>>>>>>
>>>>>>>> so you have access from the browser to the websocket-proxy, network
>>>>>> wise? can you ping the proxy?
>>>>>> and the websocket proxy can reach the host where the vm runs?
>>>>>>
>>>>>> yes.. there should be no firewall issue as we can access the
>>> console from ovirt engine portal
>>>>>>
>>>>>> Do we need to allow our own portal ip address in the ovirt engine
>>> and hypervisiors also ???
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards
>>>>>> Shanil
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 16, 2014 at 3:13 PM, Sven Kieske <S.Kieske at mittwald.de>
>>> wrote:
>>>>>>
>>>>>>
>>>>>> Am 16.07.2014 11:30, schrieb Shanil S:
>>>>>>> We will get the ticket details like host,port and password from
>>> the ticket
>>>>>>> api funcion call but didn't get the "path" value. Will it get it
>>> from the
>>>>>>> ticket details ? i couldn't find out any from the ticket details.
>>>>>>
>>>>>> the "path" is the combination of host and port.
>>>>>>
>>>>>> so you have access from the browser to the websocket-proxy, network
>>>>>> wise? can you ping the proxy?
>>>>>> and the websocket proxy can reach the host where the vm runs?
>>>>>> are you sure there are no firewalls in between?
>>>>>> also you should pay attention on how long your ticket
>>>>>> is valid, you can specify the duration in minutes in your api call.
>>>>>>
>>>>>> --
>>>>>> Mit freundlichen Grüßen / Regards
>>>>>>
>>>>>> Sven Kieske
>>>>>>
>>>>>> Systemadministrator
>>>>>> Mittwald CM Service GmbH & Co. KG
>>>>>> Königsberger Straße 6
>>>>>> 32339 Espelkamp
>>>>>> T: +49-5772-293-100
>>>>>> F: +49-5772-293-333
>>>>>> https://www.mittwald.de
>>>>>> Geschäftsführer: Robert Meyer
>>>>>> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
>>> Oeynhausen
>>>>>> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
>>> Oeynhausen
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Users mailing list
>>>>>> Users at ovirt.org
>>>>>> http://lists.ovirt.org/mailman/listinfo/users
>>>>>
>>>>>
>>>>>
>>>>> <screen3 Jul. 15.1.jpg>
>>>>
>>>>
>>>
>>>
>>
More information about the Users
mailing list