From 7825b7ce81dec97e997d296c3e30b5d143948abc Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 2 Mar 2011 01:21:54 -0800 Subject: initial commit of vnc support --- nova/api/ec2/cloud.py | 6 ++ nova/compute/api.py | 17 +++++ nova/compute/manager.py | 9 +++ nova/flags.py | 6 ++ nova/virt/libvirt.xml.template | 1 + nova/virt/libvirt_conn.py | 17 +++++ tools/euca-get-vnc-console | 163 +++++++++++++++++++++++++++++++++++++++++ 7 files changed, 219 insertions(+) create mode 100755 tools/euca-get-vnc-console diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index 844ccbe5e..aa9c6824e 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -539,6 +539,12 @@ class CloudController(object): return self.compute_api.get_ajax_console(context, instance_id=instance_id) + def get_vnc_console(self, context, instance_id, **kwargs): + ec2_id = instance_id + instance_id = ec2_id_to_id(ec2_id) + return self.compute_api.get_vnc_console(context, + instance_id=instance_id) + def describe_volumes(self, context, volume_id=None, **kwargs): if volume_id: volumes = [] diff --git a/nova/compute/api.py b/nova/compute/api.py index 625778b66..cec978d75 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -476,6 +476,23 @@ class API(base.Base): return {'url': '%s/?token=%s' % (FLAGS.ajax_console_proxy_url, output['token'])} + def get_vnc_console(self, context, instance_id): + """Get a url to an AJAX Console""" + instance = self.get(context, instance_id) + output = self._call_compute_message('get_vnc_console', + context, + instance_id) + rpc.cast(context, '%s' % FLAGS.vnc_console_proxy_topic, + {'method': 'authorize_vnc_console', + 'args': {'token': output['token'], 'host': output['host'], + 'port': output['port']}}) + + time.sleep(1) + + return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % + (FLAGS.vnc_console_proxy_url, + output['token'], 'hostignore', 'portignore')} + def get_console_output(self, context, instance_id): """Get console output for an an instance""" return self._call_compute_message('get_console_output', diff --git a/nova/compute/manager.py b/nova/compute/manager.py index d659712ad..e53b36b34 100644 --- a/nova/compute/manager.py +++ b/nova/compute/manager.py @@ -557,6 +557,15 @@ class ComputeManager(manager.Manager): return self.driver.get_ajax_console(instance_ref) + @exception.wrap_exception + def get_vnc_console(self, context, instance_id): + """Return connection information for an vnc console""" + context = context.elevated() + LOG.debug(_("instance %s: getting vnc console"), instance_id) + instance_ref = self.db.instance_get(context, instance_id) + + return self.driver.get_vnc_console(instance_ref) + @checks_instance_lock def attach_volume(self, context, instance_id, volume_id, mountpoint): """Attach a volume to an instance.""" diff --git a/nova/flags.py b/nova/flags.py index 8cf199b2f..4f2be82b6 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -281,6 +281,12 @@ DEFINE_string('ajax_console_proxy_url', in the form "http://127.0.0.1:8000"') DEFINE_string('ajax_console_proxy_port', 8000, 'port that ajax_console_proxy binds') +DEFINE_string('vnc_console_proxy_topic', 'vnc_proxy', + 'the topic vnc proxy nodes listen on') +DEFINE_string('vnc_console_proxy_url', + 'http://127.0.0.1:6080', + 'location of vnc console proxy, \ + in the form "http://127.0.0.1:6080"') DEFINE_bool('verbose', False, 'show debug output') DEFINE_boolean('fake_rabbit', False, 'use a fake rabbit') DEFINE_bool('fake_network', False, diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index 88bfbc668..7b4c23211 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -101,5 +101,6 @@ + diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 4e0fd106f..4fca84639 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -511,6 +511,23 @@ class LibvirtConnection(object): subprocess.Popen(cmd, shell=True) return {'token': token, 'host': host, 'port': port} + @exception.wrap_exception + def get_vnc_console(self, instance): + def get_vnc_port_for_instance(instance_name): + virt_dom = self._conn.lookupByName(instance_name) + xml = virt_dom.XMLDesc(0) + dom = minidom.parseString(xml) + + for graphic in dom.getElementsByTagName('graphics'): + if graphic.getAttribute('type') == 'vnc': + return graphic.getAttribute('port') + + port = get_vnc_port_for_instance(instance['name']) + token = str(uuid.uuid4()) + host = instance['host'] + + return {'token': token, 'host': host, 'port': port} + def _cache_image(self, fn, target, fname, cow=False, *args, **kwargs): """Wrapper for a method that creates an image that caches the image. diff --git a/tools/euca-get-vnc-console b/tools/euca-get-vnc-console new file mode 100755 index 000000000..bd2788f03 --- /dev/null +++ b/tools/euca-get-vnc-console @@ -0,0 +1,163 @@ +#!/usr/bin/env python +# pylint: disable-msg=C0103 +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Euca add-on to use vnc console""" + +import getopt +import os +import sys + +# If ../nova/__init__.py exists, add ../ to Python search path, so that +# it will override what happens to be installed in /usr/(local/)lib/python... +possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), + os.pardir, + os.pardir)) +if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): + sys.path.insert(0, possible_topdir) + +import boto +import nova +from boto.ec2.connection import EC2Connection +from euca2ools import Euca2ool, InstanceValidationError, Util, ConnectionFailed + +usage_string = """ +Retrieves a url to an vnc console terminal + +euca-get-vnc-console [-h, --help] [--version] [--debug] instance_id + +REQUIRED PARAMETERS + +instance_id: unique identifier for the instance show the console output for. + +OPTIONAL PARAMETERS + +""" + + +# This class extends boto to add VNCConsole functionality +class NovaEC2Connection(EC2Connection): + + def get_vnc_console(self, instance_id): + """ + Retrieves a console connection for the specified instance. + + :type instance_id: string + :param instance_id: The instance ID of a running instance on the cloud. + + :rtype: :class:`VNCConsole` + """ + + class VNCConsole: + def __init__(self, parent=None): + self.parent = parent + self.instance_id = None + self.url = None + + def startElement(self, name, attrs, connection): + return None + + def endElement(self, name, value, connection): + if name == 'instanceId': + self.instance_id = value + elif name == 'url': + self.url = value + else: + setattr(self, name, value) + + params = {} + return self.get_object('GetVNCConsole', + {'InstanceId': instance_id}, VNCConsole) + + +def override_connect_ec2(aws_access_key_id=None, + aws_secret_access_key=None, **kwargs): + return NovaEC2Connection(aws_access_key_id, + aws_secret_access_key, **kwargs) + +# override boto's connect_ec2 method, so that we can use NovaEC2Connection +boto.connect_ec2 = override_connect_ec2 + + +def usage(status=1): + print usage_string + Util().usage() + sys.exit(status) + + +def version(): + print Util().version() + sys.exit() + + +def display_console_output(console_output): + print console_output.instance_id + print console_output.timestamp + print console_output.output + + +def display_vnc_console_output(console_output): + print console_output.url + + +def main(): + try: + euca = Euca2ool() + except Exception, e: + print e + usage() + + instance_id = None + + for name, value in euca.opts: + if name in ('-h', '--help'): + usage(0) + elif name == '--version': + version() + elif name == '--debug': + debug = True + + for arg in euca.args: + instance_id = arg + break + + if instance_id: + try: + euca.validate_instance_id(instance_id) + except InstanceValidationError: + print 'Invalid instance id' + sys.exit(1) + + try: + euca_conn = euca.make_connection() + except ConnectionFailed, e: + print e.message + sys.exit(1) + try: + console_output = euca_conn.get_vnc_console(instance_id) + except Exception, ex: + euca.display_error_and_exit('%s' % ex) + + display_vnc_console_output(console_output) + else: + print 'instance_id must be specified' + usage() + +if __name__ == "__main__": + main() -- cgit From 00787af795023b6f2104b33b206356442072996e Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 22 Mar 2011 13:25:53 -0700 Subject: add in eventlet version of vnc proxy --- bin/nova-vnc-proxy | 203 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 203 insertions(+) create mode 100644 bin/nova-vnc-proxy diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy new file mode 100644 index 000000000..5f913a82c --- /dev/null +++ b/bin/nova-vnc-proxy @@ -0,0 +1,203 @@ +#!/usr/bin/env python +# pylint: disable-msg=C0103 +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""VNC Console Proxy Server""" + +from base64 import b64encode, b64decode +import eventlet +from eventlet import wsgi +from eventlet import websocket +import os +import random +import sys +import time +from webob import Request + +possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), + os.pardir, + os.pardir)) +if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): + sys.path.insert(0, possible_topdir) + +from nova import flags +from nova import log as logging +from nova import rpc +from nova import utils + +FLAGS = flags.FLAGS +flags.DEFINE_string('vnc_novnc_dir', '/code/noVNC/vnclet/noVNC', + 'Full path to noVNC directory') +flags.DEFINE_boolean('vnc_debug', True, + 'Enable debugging features, like token bypassing') +flags.DEFINE_integer('vnc_proxy_port', 7000, + 'Port that the VNC proxy should bind to') +flags.DEFINE_string('vnc_proxy_address', '0.0.0.0', + 'Address that the VNC proxy should bind to') + + +class WebsocketVNCProxy(object): + """Class to proxy from websocket to vnc server""" + + def sock2ws(self, source, dest): + try: + while True: + d = source.recv(32384) + if d == '': + break + d = b64encode(d) + dest.send(d) + except: + source.close() + dest.close() + + def ws2sock(self, source, dest): + try: + while True: + d = source.wait() + if d is None: + break + d = b64decode(d) + dest.sendall(d) + except: + source.close() + dest.close() + + def proxy_connection(self, environ, start_response): + @websocket.WebSocketWSGI + def _handle(client): + server = eventlet.connect((client.environ['vnc_host'], + client.environ['vnc_port'])) + t1 = eventlet.spawn(self.ws2sock, client, server) + t2 = eventlet.spawn(self.sock2ws, server, client) + t1.wait() + t2.wait() + _handle(environ, start_response) + + def serve(self, environ, start_response): + req = Request(environ) + if req.path == '/data': + return self.proxy_connection(environ, start_response) + else: + if req.path == '/': + fname = '/vnc_auto.html' + else: + fname = req.path + + fname = FLAGS.vnc_novnc_dir + fname + + base, ext = os.path.splitext(fname) + if ext == '.js': + mimetype = 'application/javascript' + elif ext == '.css': + mimetype = 'text/css' + elif ext in ['.svg', '.jpg', '.png', '.gif']: + mimetype = 'image' + else: + mimetype = 'text/html' + + start_response('200 OK', [('content-type', mimetype)]) + return [open(os.path.join(fname)).read()] + + +class DebugAuthMiddleware(object): + """ Debug middleware for testing purposes. Skips security check + and allows host and port of vnc endpoint to be specified in + the url. + """ + + def __init__(self, app): + self.app = app + + def __call__(self, environ, start_response): + req = Request(environ) + environ['vnc_host'] = req.params.get('host') + environ['vnc_port'] = int(req.params.get('port')) + resp = req.get_response(self.app) + return resp(environ, start_response) + + +class NovaAuthMiddleware(object): + """Implementation of Middleware to Handle Nova Auth""" + + def __init__(self, app): + self.app = app + self.register_listeners() + + def __call__(self, environ, start_response): + req = Request(environ) + + if req.path == '/data': + token = req.params.get('token') + if not token in self.tokens: + start_response('403 Forbidden', + [('content-type', 'text/html')]) + return 'Not Authorized' + + environ['vnc_host'] = self.tokens[token]['args']['host'] + environ['vnc_port'] = int(self.tokens[token]['args']['port']) + + resp = req.get_response(self.app) + return resp(environ, start_response) + + def register_listeners(self): + middleware = self + middleware.tokens = {} + + class Callback: + def __call__(self, data, message): + if data['method'] == 'authorize_vnc_console': + middleware.tokens[data['args']['token']] = \ + {'args': data['args'], 'last_activity_at': time.time()} + + def delete_expired_tokens(): + now = time.time() + to_delete = [] + for k, v in middleware.tokens.items(): + if now - v['last_activity_at'] > 600: + to_delete.append(k) + + for k in to_delete: + del middleware.tokens[k] + + conn = rpc.Connection.instance(new=True) + consumer = rpc.TopicConsumer( + connection=conn, + topic=FLAGS.vnc_console_proxy_topic) + consumer.register_callback(Callback()) + + utils.LoopingCall(consumer.fetch, auto_ack=True, + enable_callbacks=True).start(0.1) + utils.LoopingCall(delete_expired_tokens).start(1) + + +if __name__ == "__main__": + utils.default_flagfile() + FLAGS(sys.argv) + logging.setup() + + listener = eventlet.listen((FLAGS.vnc_proxy_address, FLAGS.vnc_proxy_port)) + proxy = WebsocketVNCProxy() + + if FLAGS.vnc_debug: + proxy = DebugAuthMiddleware(proxy.serve) + else: + proxy = NovaAuthMiddleware(proxy.serve) + + wsgi.server(listener, proxy, max_size=1000) -- cgit From 4ba57654ca03d687da3b994c127665c7118ab9a5 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 22 Mar 2011 13:26:23 -0700 Subject: intermediate progress on vnc-nova integration. checking in to show vish. --- nova/flags.py | 4 ++++ nova/virt/libvirt.xml.template | 4 +++- nova/virt/libvirt_conn.py | 2 ++ 3 files changed, 9 insertions(+), 1 deletion(-) diff --git a/nova/flags.py b/nova/flags.py index 4f2be82b6..0360b1e3a 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -287,6 +287,10 @@ DEFINE_string('vnc_console_proxy_url', 'http://127.0.0.1:6080', 'location of vnc console proxy, \ in the form "http://127.0.0.1:6080"') +DEFINE_string('vnc_host_iface', '0.0.0.0', + 'the compute host interface on which vnc server should listen') +DEFINE_bool('vnc_enabled', True, + 'enable vnc related features') DEFINE_bool('verbose', False, 'show debug output') DEFINE_boolean('fake_rabbit', False, 'use a fake rabbit') DEFINE_bool('fake_network', False, diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index 7b4c23211..037cd0902 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -101,6 +101,8 @@ - +#if $getVar('vnc_host_iface', False) + +#end if diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 4fca84639..51f263ce9 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -734,6 +734,8 @@ class LibvirtConnection(object): 'local': instance_type['local_gb'], 'driver_type': driver_type} + if FLAGS.vnc_enabled: + xml_info['vnc_host_iface'] = FLAGS.vnc_host_iface if ra_server: xml_info['ra_server'] = ra_server + "/128" if not rescue: -- cgit From 8048fb9902d80c6a14786f89e672ebff8407d0dd Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 22 Mar 2011 13:28:19 -0700 Subject: make executable --- bin/nova-vnc-proxy | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 bin/nova-vnc-proxy diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy old mode 100644 new mode 100755 -- cgit From 9c75878e5f6f1b90695e725d7bc8e6e9002cabbb Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 01:57:38 -0700 Subject: separating out components of vnc console --- bin/nova-vnc-proxy | 177 ++++++++------------------------------------------- nova/vnc/__init__.py | 0 nova/vnc/auth.py | 83 ++++++++++++++++++++++++ nova/vnc/proxy.py | 111 ++++++++++++++++++++++++++++++++ 4 files changed, 220 insertions(+), 151 deletions(-) create mode 100644 nova/vnc/__init__.py create mode 100644 nova/vnc/auth.py create mode 100644 nova/vnc/proxy.py diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index 5f913a82c..52e966090 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -20,15 +20,10 @@ """VNC Console Proxy Server""" -from base64 import b64encode, b64decode import eventlet -from eventlet import wsgi -from eventlet import websocket +import gettext import os -import random import sys -import time -from webob import Request possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), os.pardir, @@ -36,168 +31,48 @@ possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): sys.path.insert(0, possible_topdir) +gettext.install('nova', unicode=1) + from nova import flags from nova import log as logging -from nova import rpc from nova import utils +from nova import wsgi +from nova.vnc import auth +from nova.vnc import proxy FLAGS = flags.FLAGS -flags.DEFINE_string('vnc_novnc_dir', '/code/noVNC/vnclet/noVNC', +flags.DEFINE_string('vnc_proxy_wwwroot', '/code/noVNC/vnclet/noVNC', 'Full path to noVNC directory') -flags.DEFINE_boolean('vnc_debug', True, +flags.DEFINE_boolean('vnc_debug', False, 'Enable debugging features, like token bypassing') flags.DEFINE_integer('vnc_proxy_port', 7000, 'Port that the VNC proxy should bind to') -flags.DEFINE_string('vnc_proxy_address', '0.0.0.0', +flags.DEFINE_string('vnc_proxy_host', '0.0.0.0', 'Address that the VNC proxy should bind to') - - -class WebsocketVNCProxy(object): - """Class to proxy from websocket to vnc server""" - - def sock2ws(self, source, dest): - try: - while True: - d = source.recv(32384) - if d == '': - break - d = b64encode(d) - dest.send(d) - except: - source.close() - dest.close() - - def ws2sock(self, source, dest): - try: - while True: - d = source.wait() - if d is None: - break - d = b64decode(d) - dest.sendall(d) - except: - source.close() - dest.close() - - def proxy_connection(self, environ, start_response): - @websocket.WebSocketWSGI - def _handle(client): - server = eventlet.connect((client.environ['vnc_host'], - client.environ['vnc_port'])) - t1 = eventlet.spawn(self.ws2sock, client, server) - t2 = eventlet.spawn(self.sock2ws, server, client) - t1.wait() - t2.wait() - _handle(environ, start_response) - - def serve(self, environ, start_response): - req = Request(environ) - if req.path == '/data': - return self.proxy_connection(environ, start_response) - else: - if req.path == '/': - fname = '/vnc_auto.html' - else: - fname = req.path - - fname = FLAGS.vnc_novnc_dir + fname - - base, ext = os.path.splitext(fname) - if ext == '.js': - mimetype = 'application/javascript' - elif ext == '.css': - mimetype = 'text/css' - elif ext in ['.svg', '.jpg', '.png', '.gif']: - mimetype = 'image' - else: - mimetype = 'text/html' - - start_response('200 OK', [('content-type', mimetype)]) - return [open(os.path.join(fname)).read()] - - -class DebugAuthMiddleware(object): - """ Debug middleware for testing purposes. Skips security check - and allows host and port of vnc endpoint to be specified in - the url. - """ - - def __init__(self, app): - self.app = app - - def __call__(self, environ, start_response): - req = Request(environ) - environ['vnc_host'] = req.params.get('host') - environ['vnc_port'] = int(req.params.get('port')) - resp = req.get_response(self.app) - return resp(environ, start_response) - - -class NovaAuthMiddleware(object): - """Implementation of Middleware to Handle Nova Auth""" - - def __init__(self, app): - self.app = app - self.register_listeners() - - def __call__(self, environ, start_response): - req = Request(environ) - - if req.path == '/data': - token = req.params.get('token') - if not token in self.tokens: - start_response('403 Forbidden', - [('content-type', 'text/html')]) - return 'Not Authorized' - - environ['vnc_host'] = self.tokens[token]['args']['host'] - environ['vnc_port'] = int(self.tokens[token]['args']['port']) - - resp = req.get_response(self.app) - return resp(environ, start_response) - - def register_listeners(self): - middleware = self - middleware.tokens = {} - - class Callback: - def __call__(self, data, message): - if data['method'] == 'authorize_vnc_console': - middleware.tokens[data['args']['token']] = \ - {'args': data['args'], 'last_activity_at': time.time()} - - def delete_expired_tokens(): - now = time.time() - to_delete = [] - for k, v in middleware.tokens.items(): - if now - v['last_activity_at'] > 600: - to_delete.append(k) - - for k in to_delete: - del middleware.tokens[k] - - conn = rpc.Connection.instance(new=True) - consumer = rpc.TopicConsumer( - connection=conn, - topic=FLAGS.vnc_console_proxy_topic) - consumer.register_callback(Callback()) - - utils.LoopingCall(consumer.fetch, auto_ack=True, - enable_callbacks=True).start(0.1) - utils.LoopingCall(delete_expired_tokens).start(1) - +flags.DEFINE_flag(flags.HelpFlag()) +flags.DEFINE_flag(flags.HelpshortFlag()) +flags.DEFINE_flag(flags.HelpXMLFlag()) if __name__ == "__main__": utils.default_flagfile() FLAGS(sys.argv) logging.setup() - listener = eventlet.listen((FLAGS.vnc_proxy_address, FLAGS.vnc_proxy_port)) - proxy = WebsocketVNCProxy() + app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) if FLAGS.vnc_debug: - proxy = DebugAuthMiddleware(proxy.serve) + app = proxy.DebugMiddleware(app.serve) else: - proxy = NovaAuthMiddleware(proxy.serve) + app = auth.NovaAuthMiddleware(app.serve) + + + listener = eventlet.listen((FLAGS.vnc_proxy_host, FLAGS.vnc_proxy_port)) + + + from eventlet import wsgi + wsgi.server(listener, app, max_size=1000) + - wsgi.server(listener, proxy, max_size=1000) +# server = wsgi.Server() +# server.start(app, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) +# server.wait() diff --git a/nova/vnc/__init__.py b/nova/vnc/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py new file mode 100644 index 000000000..2596bdd24 --- /dev/null +++ b/nova/vnc/auth.py @@ -0,0 +1,83 @@ +#!/usr/bin/env python +# pylint: disable-msg=C0103 +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Auth Components for VNC Console""" + +import time +from webob import Request +from nova import flags +from nova import log as logging +from nova import rpc +from nova import utils +from nova import wsgi + + +class NovaAuthMiddleware(object): + """Implementation of Middleware to Handle Nova Auth""" + + def __init__(self, app): + self.app = app + self.register_listeners() + + def __call__(self, environ, start_response): + req = Request(environ) + + if req.path == '/data': + token = req.params.get('token') + if not token in self.tokens: + start_response('403 Forbidden', + [('content-type', 'text/html')]) + return 'Not Authorized' + + environ['vnc_host'] = self.tokens[token]['args']['host'] + environ['vnc_port'] = int(self.tokens[token]['args']['port']) + + resp = req.get_response(self.app) + return resp(environ, start_response) + + def register_listeners(self): + middleware = self + middleware.tokens = {} + + class Callback: + def __call__(self, data, message): + if data['method'] == 'authorize_vnc_console': + middleware.tokens[data['args']['token']] = \ + {'args': data['args'], 'last_activity_at': time.time()} + + def delete_expired_tokens(): + now = time.time() + to_delete = [] + for k, v in middleware.tokens.items(): + if now - v['last_activity_at'] > 600: + to_delete.append(k) + + for k in to_delete: + del middleware.tokens[k] + + conn = rpc.Connection.instance(new=True) + consumer = rpc.TopicConsumer( + connection=conn, + topic=FLAGS.vnc_console_proxy_topic) + consumer.register_callback(Callback()) + + utils.LoopingCall(consumer.fetch, auto_ack=True, + enable_callbacks=True).start(0.1) + utils.LoopingCall(delete_expired_tokens).start(1) diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py new file mode 100644 index 000000000..3f218e744 --- /dev/null +++ b/nova/vnc/proxy.py @@ -0,0 +1,111 @@ +#!/usr/bin/env python +# pylint: disable-msg=C0103 +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright 2010 United States Government as represented by the +# Administrator of the National Aeronautics and Space Administration. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Eventlet WSGI Services to proxy VNC. No nova deps.""" + +from base64 import b64encode, b64decode +import eventlet +from eventlet import wsgi +from eventlet import websocket +import os +from webob import Request +import webob + + +class WebsocketVNCProxy(object): + """Class to proxy from websocket to vnc server""" + + def __init__(self, wwwroot): + self.wwwroot = wwwroot + + def sock2ws(self, source, dest): + try: + while True: + d = source.recv(32384) + if d == '': + break + d = b64encode(d) + dest.send(d) + except: + source.close() + dest.close() + + def ws2sock(self, source, dest): + try: + while True: + d = source.wait() + if d is None: + break + d = b64decode(d) + dest.sendall(d) + except: + source.close() + dest.close() + + def proxy_connection(self, environ, start_response): + @websocket.WebSocketWSGI + def _handle(client): + server = eventlet.connect((client.environ['vnc_host'], + client.environ['vnc_port'])) + t1 = eventlet.spawn(self.ws2sock, client, server) + t2 = eventlet.spawn(self.sock2ws, server, client) + t1.wait() + t2.wait() + _handle(environ, start_response) + + def serve(self, environ, start_response): + req = Request(environ) + if req.path == '/data': + return self.proxy_connection(environ, start_response) + else: + if req.path == '/': + fname = '/vnc_auto.html' + else: + fname = req.path + + fname = self.wwwroot + fname + + base, ext = os.path.splitext(fname) + if ext == '.js': + mimetype = 'application/javascript' + elif ext == '.css': + mimetype = 'text/css' + elif ext in ['.svg', '.jpg', '.png', '.gif']: + mimetype = 'image' + else: + mimetype = 'text/html' + + start_response('200 OK', [('content-type', mimetype)]) + return open(os.path.join(fname)).read() + + +class DebugMiddleware(object): + """Debug middleware. Skip auth, get vnc port and host from query string""" + + def __init__(self, app): + self.app = app + + def __call__(self, environ, start_response): + req = Request(environ) + if req.path == '/data': + environ['vnc_host'] = req.params.get('host') + environ['vnc_port'] = int(req.params.get('port')) + resp = req.get_response(self.app) + return resp(environ, start_response) -- cgit From e2f085eae874012784e53416f6e6213dcfde4859 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 02:06:16 -0700 Subject: use the nova Server object --- bin/nova-vnc-proxy | 18 +++++------------- nova/vnc/proxy.py | 2 +- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index 52e966090..5891652c4 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -61,18 +61,10 @@ if __name__ == "__main__": app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) if FLAGS.vnc_debug: - app = proxy.DebugMiddleware(app.serve) + app = proxy.DebugMiddleware(app) else: - app = auth.NovaAuthMiddleware(app.serve) + app = auth.NovaAuthMiddleware(app) - - listener = eventlet.listen((FLAGS.vnc_proxy_host, FLAGS.vnc_proxy_port)) - - - from eventlet import wsgi - wsgi.server(listener, app, max_size=1000) - - -# server = wsgi.Server() -# server.start(app, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) -# server.wait() + server = wsgi.Server() + server.start(app, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) + server.wait() diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index 3f218e744..5dc83fcb1 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -70,7 +70,7 @@ class WebsocketVNCProxy(object): t2.wait() _handle(environ, start_response) - def serve(self, environ, start_response): + def __call__(self, environ, start_response): req = Request(environ) if req.path == '/data': return self.proxy_connection(environ, start_response) -- cgit From 5cdf8f63fb2dbccea0152d17f00bf80352f8fa1a Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 02:33:11 -0700 Subject: more progress --- bin/nova-vnc-proxy | 14 +++++++++++--- nova/vnc/auth.py | 35 +++++++++++++++++++++++++++-------- nova/vnc/proxy.py | 11 +++++------ 3 files changed, 43 insertions(+), 17 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index 5891652c4..838c871d0 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -37,9 +37,12 @@ from nova import flags from nova import log as logging from nova import utils from nova import wsgi +from nova import version from nova.vnc import auth from nova.vnc import proxy +LOG = logging.getLogger('nova.vnc-proxy') + FLAGS = flags.FLAGS flags.DEFINE_string('vnc_proxy_wwwroot', '/code/noVNC/vnclet/noVNC', 'Full path to noVNC directory') @@ -58,13 +61,18 @@ if __name__ == "__main__": FLAGS(sys.argv) logging.setup() + LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), + version.version_string_with_vcs()) + app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) + with_logging = auth.LoggingMiddleware(app) + if FLAGS.vnc_debug: - app = proxy.DebugMiddleware(app) + with_auth = proxy.DebugMiddleware(with_logging) else: - app = auth.NovaAuthMiddleware(app) + with_auth = auth.NovaAuthMiddleware(with_logging) server = wsgi.Server() - server.start(app, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) + server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) server.wait() diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 2596bdd24..9b30b08b8 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -27,6 +27,10 @@ from nova import log as logging from nova import rpc from nova import utils from nova import wsgi +import webob + +LOG = logging.getLogger('nova.vnc-proxy') +FLAGS = flags.FLAGS class NovaAuthMiddleware(object): @@ -36,9 +40,8 @@ class NovaAuthMiddleware(object): self.app = app self.register_listeners() - def __call__(self, environ, start_response): - req = Request(environ) - + @webob.dec.wsgify + def __call__(self, req): if req.path == '/data': token = req.params.get('token') if not token in self.tokens: @@ -46,11 +49,10 @@ class NovaAuthMiddleware(object): [('content-type', 'text/html')]) return 'Not Authorized' - environ['vnc_host'] = self.tokens[token]['args']['host'] - environ['vnc_port'] = int(self.tokens[token]['args']['port']) + req.environ['vnc_host'] = self.tokens[token]['args']['host'] + req.environ['vnc_port'] = int(self.tokens[token]['args']['port']) - resp = req.get_response(self.app) - return resp(environ, start_response) + return req.get_response(self.app) def register_listeners(self): middleware = self @@ -59,7 +61,9 @@ class NovaAuthMiddleware(object): class Callback: def __call__(self, data, message): if data['method'] == 'authorize_vnc_console': - middleware.tokens[data['args']['token']] = \ + token = data['args']['token'] + LOG.info(_("Received Token: %s)"), token) + middleware.tokens[token] = \ {'args': data['args'], 'last_activity_at': time.time()} def delete_expired_tokens(): @@ -81,3 +85,18 @@ class NovaAuthMiddleware(object): utils.LoopingCall(consumer.fetch, auto_ack=True, enable_callbacks=True).start(0.1) utils.LoopingCall(delete_expired_tokens).start(1) + + +class LoggingMiddleware(object): + def __init__(self, app): + self.app = app + + @webob.dec.wsgify + def __call__(self, req): + + if req.path == '/data': + LOG.info(_("Received Websocket Request: %s)"), req.url) + else: + LOG.info(_("Received Request: %s)"), req.url) + + return req.get_response(self.app) diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index 5dc83fcb1..354c2405f 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -102,10 +102,9 @@ class DebugMiddleware(object): def __init__(self, app): self.app = app - def __call__(self, environ, start_response): - req = Request(environ) + @webob.dec.wsgify + def __call__(self, req): if req.path == '/data': - environ['vnc_host'] = req.params.get('host') - environ['vnc_port'] = int(req.params.get('port')) - resp = req.get_response(self.app) - return resp(environ, start_response) + req.environ['vnc_host'] = req.params.get('host') + req.environ['vnc_port'] = int(req.params.get('port')) + return req.get_response(self.app) -- cgit From e0289dd26821545a6ef2ca91eb2dba7c11c2cc9f Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 15:53:46 -0700 Subject: general cleanup, use whitelist for webserver security --- bin/nova-vnc-proxy | 22 ++++++++++++++++++---- nova/flags.py | 2 +- nova/virt/libvirt.xml.template | 2 +- nova/virt/libvirt_conn.py | 2 +- nova/vnc/auth.py | 34 ++++++++++++++++++++++------------ nova/vnc/proxy.py | 28 +++++++++++++++++++++++++--- 6 files changed, 68 insertions(+), 22 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index 838c871d0..4cd1e9082 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -44,14 +44,16 @@ from nova.vnc import proxy LOG = logging.getLogger('nova.vnc-proxy') FLAGS = flags.FLAGS -flags.DEFINE_string('vnc_proxy_wwwroot', '/code/noVNC/vnclet/noVNC', +flags.DEFINE_string('vnc_proxy_wwwroot', '/code/noVNC/', 'Full path to noVNC directory') flags.DEFINE_boolean('vnc_debug', False, 'Enable debugging features, like token bypassing') -flags.DEFINE_integer('vnc_proxy_port', 7000, +flags.DEFINE_integer('vnc_proxy_port', 6080, 'Port that the VNC proxy should bind to') -flags.DEFINE_string('vnc_proxy_host', '0.0.0.0', +flags.DEFINE_string('vnc_proxy_iface', '0.0.0.0', 'Address that the VNC proxy should bind to') +flags.DEFINE_integer('vnc_token_ttl', 300, + 'How many seconds before deleting tokens') flags.DEFINE_flag(flags.HelpFlag()) flags.DEFINE_flag(flags.HelpshortFlag()) flags.DEFINE_flag(flags.HelpXMLFlag()) @@ -64,8 +66,20 @@ if __name__ == "__main__": LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), version.version_string_with_vcs()) + if not os.path.exists(FLAGS.vnc_proxy_wwwroot): + LOG.info(_("Missing vnc_proxy_wwwroot (version %s)"), + FLAGS.vnc_proxy_wwwroot) + LOG.info(_("You need a slightly modified version of noVNC " + "to work with the nova-vnc-proxy")) + LOG.info(_("Check out the most recent nova noVNC code here: %s"), + "git://github.com/sleepsonthefloor/noVNC.git") + exit(1) + app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) + LOG.audit(_("Allowing access to the following files: %s"), + app.get_whitelist()) + with_logging = auth.LoggingMiddleware(app) if FLAGS.vnc_debug: @@ -74,5 +88,5 @@ if __name__ == "__main__": with_auth = auth.NovaAuthMiddleware(with_logging) server = wsgi.Server() - server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) + server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_iface) server.wait() diff --git a/nova/flags.py b/nova/flags.py index 0360b1e3a..a0ea10795 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -287,7 +287,7 @@ DEFINE_string('vnc_console_proxy_url', 'http://127.0.0.1:6080', 'location of vnc console proxy, \ in the form "http://127.0.0.1:6080"') -DEFINE_string('vnc_host_iface', '0.0.0.0', +DEFINE_string('vnc_compute_host_iface', '0.0.0.0', 'the compute host interface on which vnc server should listen') DEFINE_bool('vnc_enabled', True, 'enable vnc related features') diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index 037cd0902..bcc6b3aed 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -101,7 +101,7 @@ -#if $getVar('vnc_host_iface', False) +#if $getVar('vnc_compute_host_iface', False) #end if diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 51f263ce9..c3529f512 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -735,7 +735,7 @@ class LibvirtConnection(object): 'driver_type': driver_type} if FLAGS.vnc_enabled: - xml_info['vnc_host_iface'] = FLAGS.vnc_host_iface + xml_info['vnc_compute_host_iface'] = FLAGS.vnc_compute_host_iface if ra_server: xml_info['ra_server'] = ra_server + "/128" if not rescue: diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 9b30b08b8..676cb2360 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -21,13 +21,16 @@ """Auth Components for VNC Console""" import time +import urlparse +import webob from webob import Request + from nova import flags from nova import log as logging from nova import rpc from nova import utils from nova import wsgi -import webob +from nova import vnc LOG = logging.getLogger('nova.vnc-proxy') FLAGS = flags.FLAGS @@ -42,13 +45,19 @@ class NovaAuthMiddleware(object): @webob.dec.wsgify def __call__(self, req): - if req.path == '/data': - token = req.params.get('token') - if not token in self.tokens: - start_response('403 Forbidden', - [('content-type', 'text/html')]) - return 'Not Authorized' + token = req.params.get('token') + + if not token: + referrer = req.environ.get('HTTP_REFERER') + auth_params = urlparse.parse_qs(urlparse.urlparse(referrer).query) + if 'token' in auth_params: + token = auth_params['token'][0] + + if not token in self.tokens: + LOG.audit(_("Unauthorized Access: (%s)"), req.environ) + return webob.exc.HTTPForbidden(detail='Unauthorized') + if req.path == vnc.proxy.WS_ENDPOINT: req.environ['vnc_host'] = self.tokens[token]['args']['host'] req.environ['vnc_port'] = int(self.tokens[token]['args']['port']) @@ -62,7 +71,7 @@ class NovaAuthMiddleware(object): def __call__(self, data, message): if data['method'] == 'authorize_vnc_console': token = data['args']['token'] - LOG.info(_("Received Token: %s)"), token) + LOG.audit(_("Received Token: %s)"), token) middleware.tokens[token] = \ {'args': data['args'], 'last_activity_at': time.time()} @@ -70,10 +79,11 @@ class NovaAuthMiddleware(object): now = time.time() to_delete = [] for k, v in middleware.tokens.items(): - if now - v['last_activity_at'] > 600: + if now - v['last_activity_at'] > FLAGS.vnc_token_ttl: to_delete.append(k) for k in to_delete: + LOG.audit(_("Deleting Token: %s)"), k) del middleware.tokens[k] conn = rpc.Connection.instance(new=True) @@ -94,9 +104,9 @@ class LoggingMiddleware(object): @webob.dec.wsgify def __call__(self, req): - if req.path == '/data': - LOG.info(_("Received Websocket Request: %s)"), req.url) + if req.path == vnc.proxy.WS_ENDPOINT: + LOG.info(_("Received Websocket Request: %s"), req.url) else: - LOG.info(_("Received Request: %s)"), req.url) + LOG.info(_("Received Request: %s"), req.url) return req.get_response(self.app) diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index 354c2405f..70ebd022a 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -28,12 +28,30 @@ import os from webob import Request import webob +WS_ENDPOINT = '/data' + class WebsocketVNCProxy(object): """Class to proxy from websocket to vnc server""" def __init__(self, wwwroot): self.wwwroot = wwwroot + self.whitelist = {} + for root, dirs, files in os.walk(wwwroot): + hidden_dirs = [] + for d in dirs: + if d.startswith('.'): + hidden_dirs.append(d) + for d in hidden_dirs: + dirs.remove(d) + for name in files: + if not str(name).startswith('.'): + filename = os.path.join(root, name) + self.whitelist[filename] = True + + + def get_whitelist(self): + return self.whitelist.keys() def sock2ws(self, source, dest): try: @@ -72,7 +90,7 @@ class WebsocketVNCProxy(object): def __call__(self, environ, start_response): req = Request(environ) - if req.path == '/data': + if req.path == WS_ENDPOINT: return self.proxy_connection(environ, start_response) else: if req.path == '/': @@ -80,7 +98,11 @@ class WebsocketVNCProxy(object): else: fname = req.path - fname = self.wwwroot + fname + fname = (self.wwwroot + fname).replace('//','/') + if not fname in self.whitelist: + start_response('404 Not Found', + [('content-type', 'text/html')]) + return "Not Found" base, ext = os.path.splitext(fname) if ext == '.js': @@ -104,7 +126,7 @@ class DebugMiddleware(object): @webob.dec.wsgify def __call__(self, req): - if req.path == '/data': + if req.path == WS_ENDPOINT: req.environ['vnc_host'] = req.params.get('host') req.environ['vnc_port'] = int(req.params.get('port')) return req.get_response(self.app) -- cgit From 3b381792c2cce1e43f68e39f2fc9c73ba2760024 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 15:55:37 -0700 Subject: clean some pep8 issues --- nova/vnc/proxy.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index 70ebd022a..dea838e3d 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -48,7 +48,6 @@ class WebsocketVNCProxy(object): if not str(name).startswith('.'): filename = os.path.join(root, name) self.whitelist[filename] = True - def get_whitelist(self): return self.whitelist.keys() @@ -98,7 +97,7 @@ class WebsocketVNCProxy(object): else: fname = req.path - fname = (self.wwwroot + fname).replace('//','/') + fname = (self.wwwroot + fname).replace('//', '/') if not fname in self.whitelist: start_response('404 Not Found', [('content-type', 'text/html')]) -- cgit From 85ad729e4448bb4211b79e325cef897fc4e2b0bb Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Wed, 23 Mar 2011 16:11:50 -0700 Subject: make missing noVNC error condition a bit more fool-proof --- bin/nova-vnc-proxy | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index 4cd1e9082..ea2533dc3 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -44,7 +44,7 @@ from nova.vnc import proxy LOG = logging.getLogger('nova.vnc-proxy') FLAGS = flags.FLAGS -flags.DEFINE_string('vnc_proxy_wwwroot', '/code/noVNC/', +flags.DEFINE_string('vnc_proxy_wwwroot', '/var/lib/nova/noVNC/', 'Full path to noVNC directory') flags.DEFINE_boolean('vnc_debug', False, 'Enable debugging features, like token bypassing') @@ -66,13 +66,15 @@ if __name__ == "__main__": LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), version.version_string_with_vcs()) - if not os.path.exists(FLAGS.vnc_proxy_wwwroot): + if not (os.path.exists(FLAGS.vnc_proxy_wwwroot) and + os.path.exists(FLAGS.vnc_proxy_wwwroot + '/vnc_auto.html')): LOG.info(_("Missing vnc_proxy_wwwroot (version %s)"), FLAGS.vnc_proxy_wwwroot) LOG.info(_("You need a slightly modified version of noVNC " - "to work with the nova-vnc-proxy")) - LOG.info(_("Check out the most recent nova noVNC code here: %s"), - "git://github.com/sleepsonthefloor/noVNC.git") + "to work with the nova-vnc-proxy")) + LOG.info(_("Check out the most recent nova noVNC code: %s"), + "git://github.com/sleepsonthefloor/noVNC.git") + LOG.info(_("And drop it in %s"), FLAGS.vnc_proxy_wwwroot) exit(1) app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) -- cgit From d83ec9a667f7b9787a6ad9d7af78069f6d0f2cda Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 00:10:28 -0700 Subject: minor tweak from termie feedback --- bin/nova-vnc-proxy | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index ea2533dc3..e7b647c00 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -1,5 +1,4 @@ #!/usr/bin/env python -# pylint: disable-msg=C0103 # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the @@ -50,7 +49,7 @@ flags.DEFINE_boolean('vnc_debug', False, 'Enable debugging features, like token bypassing') flags.DEFINE_integer('vnc_proxy_port', 6080, 'Port that the VNC proxy should bind to') -flags.DEFINE_string('vnc_proxy_iface', '0.0.0.0', +flags.DEFINE_string('vnc_proxy_host', '0.0.0.0', 'Address that the VNC proxy should bind to') flags.DEFINE_integer('vnc_token_ttl', 300, 'How many seconds before deleting tokens') @@ -90,5 +89,5 @@ if __name__ == "__main__": with_auth = auth.NovaAuthMiddleware(with_logging) server = wsgi.Server() - server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_iface) + server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) server.wait() -- cgit From 71bd388a6c04df68e4392dbb7354cc8b14f596fe Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 15:41:02 -0700 Subject: fix typo --- nova/virt/libvirt.xml.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index bcc6b3aed..ff98275fc 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -102,7 +102,7 @@ #if $getVar('vnc_compute_host_iface', False) - + #end if -- cgit From b01742ddb5bfec7e89ccc4cee17800614a0fce3c Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 15:55:29 -0700 Subject: incorporate feedback from termie --- bin/nova-vnc-proxy | 5 +- nova/compute/api.py | 15 ++-- nova/compute/manager.py | 2 +- nova/flags.py | 4 +- nova/virt/libvirt.xml.template | 4 +- nova/virt/libvirt_conn.py | 3 +- nova/vnc/auth.py | 22 +++--- nova/vnc/proxy.py | 15 ++-- tools/euca-get-vnc-console | 163 ----------------------------------------- 9 files changed, 36 insertions(+), 197 deletions(-) delete mode 100755 tools/euca-get-vnc-console diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index ea2533dc3..e7b647c00 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -1,5 +1,4 @@ #!/usr/bin/env python -# pylint: disable-msg=C0103 # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the @@ -50,7 +49,7 @@ flags.DEFINE_boolean('vnc_debug', False, 'Enable debugging features, like token bypassing') flags.DEFINE_integer('vnc_proxy_port', 6080, 'Port that the VNC proxy should bind to') -flags.DEFINE_string('vnc_proxy_iface', '0.0.0.0', +flags.DEFINE_string('vnc_proxy_host', '0.0.0.0', 'Address that the VNC proxy should bind to') flags.DEFINE_integer('vnc_token_ttl', 300, 'How many seconds before deleting tokens') @@ -90,5 +89,5 @@ if __name__ == "__main__": with_auth = auth.NovaAuthMiddleware(with_logging) server = wsgi.Server() - server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_iface) + server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) server.wait() diff --git a/nova/compute/api.py b/nova/compute/api.py index cec978d75..cb3898f72 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -477,21 +477,22 @@ class API(base.Base): output['token'])} def get_vnc_console(self, context, instance_id): - """Get a url to an AJAX Console""" + """Get a url to a VNC Console.""" instance = self.get(context, instance_id) output = self._call_compute_message('get_vnc_console', context, instance_id) rpc.cast(context, '%s' % FLAGS.vnc_console_proxy_topic, {'method': 'authorize_vnc_console', - 'args': {'token': output['token'], 'host': output['host'], + 'args': {'token': output['token'], + 'host': output['host'], 'port': output['port']}}) - time.sleep(1) - - return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % - (FLAGS.vnc_console_proxy_url, - output['token'], 'hostignore', 'portignore')} + return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % ( + FLAGS.vnc_console_proxy_url, + output['token'], + 'hostignore', + 'portignore')} def get_console_output(self, context, instance_id): """Get console output for an an instance""" diff --git a/nova/compute/manager.py b/nova/compute/manager.py index e53b36b34..64982d8ff 100644 --- a/nova/compute/manager.py +++ b/nova/compute/manager.py @@ -559,7 +559,7 @@ class ComputeManager(manager.Manager): @exception.wrap_exception def get_vnc_console(self, context, instance_id): - """Return connection information for an vnc console""" + """Return connection information for an vnc console.""" context = context.elevated() LOG.debug(_("instance %s: getting vnc console"), instance_id) instance_ref = self.db.instance_get(context, instance_id) diff --git a/nova/flags.py b/nova/flags.py index a0ea10795..1d2469206 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -287,8 +287,8 @@ DEFINE_string('vnc_console_proxy_url', 'http://127.0.0.1:6080', 'location of vnc console proxy, \ in the form "http://127.0.0.1:6080"') -DEFINE_string('vnc_compute_host_iface', '0.0.0.0', - 'the compute host interface on which vnc server should listen') +DEFINE_string('vnc_server_host', '0.0.0.0', + 'the host interface on which vnc server should listen') DEFINE_bool('vnc_enabled', True, 'enable vnc related features') DEFINE_bool('verbose', False, 'show debug output') diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index ff98275fc..609784982 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -101,8 +101,8 @@ -#if $getVar('vnc_compute_host_iface', False) - +#if $getVar('vnc_server_host', False) + #end if diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index c3529f512..cb6384e01 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -516,6 +516,7 @@ class LibvirtConnection(object): def get_vnc_port_for_instance(instance_name): virt_dom = self._conn.lookupByName(instance_name) xml = virt_dom.XMLDesc(0) + # TODO: use etree instead of minidom dom = minidom.parseString(xml) for graphic in dom.getElementsByTagName('graphics'): @@ -735,7 +736,7 @@ class LibvirtConnection(object): 'driver_type': driver_type} if FLAGS.vnc_enabled: - xml_info['vnc_compute_host_iface'] = FLAGS.vnc_compute_host_iface + xml_info['vnc_server_host'] = FLAGS.vnc_server_host if ra_server: xml_info['ra_server'] = ra_server + "/128" if not rescue: diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 676cb2360..1c6a638fc 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -18,11 +18,12 @@ # See the License for the specific language governing permissions and # limitations under the License. -"""Auth Components for VNC Console""" +"""Auth Components for VNC Console.""" import time import urlparse import webob + from webob import Request from nova import flags @@ -32,12 +33,13 @@ from nova import utils from nova import wsgi from nova import vnc + LOG = logging.getLogger('nova.vnc-proxy') FLAGS = flags.FLAGS class NovaAuthMiddleware(object): - """Implementation of Middleware to Handle Nova Auth""" + """Implementation of Middleware to Handle Nova Auth.""" def __init__(self, app): self.app = app @@ -67,13 +69,12 @@ class NovaAuthMiddleware(object): middleware = self middleware.tokens = {} - class Callback: - def __call__(self, data, message): - if data['method'] == 'authorize_vnc_console': - token = data['args']['token'] - LOG.audit(_("Received Token: %s)"), token) - middleware.tokens[token] = \ - {'args': data['args'], 'last_activity_at': time.time()} + def callback(self, data, message): + if data['method'] == 'authorize_vnc_console': + token = data['args']['token'] + LOG.audit(_("Received Token: %s)"), token) + middleware.tokens[token] = \ + {'args': data['args'], 'last_activity_at': time.time()} def delete_expired_tokens(): now = time.time() @@ -90,7 +91,7 @@ class NovaAuthMiddleware(object): consumer = rpc.TopicConsumer( connection=conn, topic=FLAGS.vnc_console_proxy_topic) - consumer.register_callback(Callback()) + consumer.register_callback(callback) utils.LoopingCall(consumer.fetch, auto_ack=True, enable_callbacks=True).start(0.1) @@ -103,7 +104,6 @@ class LoggingMiddleware(object): @webob.dec.wsgify def __call__(self, req): - if req.path == vnc.proxy.WS_ENDPOINT: LOG.info(_("Received Websocket Request: %s"), req.url) else: diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index dea838e3d..49379d9ae 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -1,5 +1,4 @@ #!/usr/bin/env python -# pylint: disable-msg=C0103 # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the @@ -20,11 +19,13 @@ """Eventlet WSGI Services to proxy VNC. No nova deps.""" -from base64 import b64encode, b64decode +import base64 +import os + import eventlet from eventlet import wsgi from eventlet import websocket -import os + from webob import Request import webob @@ -32,7 +33,7 @@ WS_ENDPOINT = '/data' class WebsocketVNCProxy(object): - """Class to proxy from websocket to vnc server""" + """Class to proxy from websocket to vnc server.""" def __init__(self, wwwroot): self.wwwroot = wwwroot @@ -58,7 +59,7 @@ class WebsocketVNCProxy(object): d = source.recv(32384) if d == '': break - d = b64encode(d) + d = base64.b64encode(d) dest.send(d) except: source.close() @@ -70,7 +71,7 @@ class WebsocketVNCProxy(object): d = source.wait() if d is None: break - d = b64decode(d) + d = base64.b64decode(d) dest.sendall(d) except: source.close() @@ -118,7 +119,7 @@ class WebsocketVNCProxy(object): class DebugMiddleware(object): - """Debug middleware. Skip auth, get vnc port and host from query string""" + """Debug middleware. Skip auth, get vnc connect info from query string.""" def __init__(self, app): self.app = app diff --git a/tools/euca-get-vnc-console b/tools/euca-get-vnc-console deleted file mode 100755 index bd2788f03..000000000 --- a/tools/euca-get-vnc-console +++ /dev/null @@ -1,163 +0,0 @@ -#!/usr/bin/env python -# pylint: disable-msg=C0103 -# vim: tabstop=4 shiftwidth=4 softtabstop=4 - -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -"""Euca add-on to use vnc console""" - -import getopt -import os -import sys - -# If ../nova/__init__.py exists, add ../ to Python search path, so that -# it will override what happens to be installed in /usr/(local/)lib/python... -possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), - os.pardir, - os.pardir)) -if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): - sys.path.insert(0, possible_topdir) - -import boto -import nova -from boto.ec2.connection import EC2Connection -from euca2ools import Euca2ool, InstanceValidationError, Util, ConnectionFailed - -usage_string = """ -Retrieves a url to an vnc console terminal - -euca-get-vnc-console [-h, --help] [--version] [--debug] instance_id - -REQUIRED PARAMETERS - -instance_id: unique identifier for the instance show the console output for. - -OPTIONAL PARAMETERS - -""" - - -# This class extends boto to add VNCConsole functionality -class NovaEC2Connection(EC2Connection): - - def get_vnc_console(self, instance_id): - """ - Retrieves a console connection for the specified instance. - - :type instance_id: string - :param instance_id: The instance ID of a running instance on the cloud. - - :rtype: :class:`VNCConsole` - """ - - class VNCConsole: - def __init__(self, parent=None): - self.parent = parent - self.instance_id = None - self.url = None - - def startElement(self, name, attrs, connection): - return None - - def endElement(self, name, value, connection): - if name == 'instanceId': - self.instance_id = value - elif name == 'url': - self.url = value - else: - setattr(self, name, value) - - params = {} - return self.get_object('GetVNCConsole', - {'InstanceId': instance_id}, VNCConsole) - - -def override_connect_ec2(aws_access_key_id=None, - aws_secret_access_key=None, **kwargs): - return NovaEC2Connection(aws_access_key_id, - aws_secret_access_key, **kwargs) - -# override boto's connect_ec2 method, so that we can use NovaEC2Connection -boto.connect_ec2 = override_connect_ec2 - - -def usage(status=1): - print usage_string - Util().usage() - sys.exit(status) - - -def version(): - print Util().version() - sys.exit() - - -def display_console_output(console_output): - print console_output.instance_id - print console_output.timestamp - print console_output.output - - -def display_vnc_console_output(console_output): - print console_output.url - - -def main(): - try: - euca = Euca2ool() - except Exception, e: - print e - usage() - - instance_id = None - - for name, value in euca.opts: - if name in ('-h', '--help'): - usage(0) - elif name == '--version': - version() - elif name == '--debug': - debug = True - - for arg in euca.args: - instance_id = arg - break - - if instance_id: - try: - euca.validate_instance_id(instance_id) - except InstanceValidationError: - print 'Invalid instance id' - sys.exit(1) - - try: - euca_conn = euca.make_connection() - except ConnectionFailed, e: - print e.message - sys.exit(1) - try: - console_output = euca_conn.get_vnc_console(instance_id) - except Exception, ex: - euca.display_error_and_exit('%s' % ex) - - display_vnc_console_output(console_output) - else: - print 'instance_id must be specified' - usage() - -if __name__ == "__main__": - main() -- cgit From f2f08a5b0309876bb312c9124e75bd89331c4816 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 17:04:55 -0700 Subject: make everything work with trunk again --- nova/api/ec2/cloud.py | 2 +- nova/virt/libvirt_conn.py | 2 +- nova/vnc/auth.py | 20 +++++++++++--------- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index 6b08f98c2..eb0428c2c 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -538,7 +538,7 @@ class CloudController(object): def get_vnc_console(self, context, instance_id, **kwargs): ec2_id = instance_id - instance_id = ec2_id_to_id(ec2_id) + instance_id = ec2utils.ec2_id_to_id(ec2_id) return self.compute_api.get_vnc_console(context, instance_id=instance_id) diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 9cd0e8ac9..41adbfe27 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -626,7 +626,7 @@ class LibvirtConnection(driver.ComputeDriver): return {'token': token, 'host': host, 'port': port} - _image_sems = {} # FIXME: why is this here? (anthony) + _image_sems = {} # FIXME: why is this here? (anthony) @staticmethod def _cache_image(fn, target, fname, cow=False, *args, **kwargs): diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 1c6a638fc..4161f3666 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -69,12 +69,14 @@ class NovaAuthMiddleware(object): middleware = self middleware.tokens = {} - def callback(self, data, message): - if data['method'] == 'authorize_vnc_console': - token = data['args']['token'] + class Proxy(): + @staticmethod + def authorize_vnc_console(context, **kwargs): + data = kwargs + token = kwargs['token'] LOG.audit(_("Received Token: %s)"), token) middleware.tokens[token] = \ - {'args': data['args'], 'last_activity_at': time.time()} + {'args': kwargs, 'last_activity_at': time.time()} def delete_expired_tokens(): now = time.time() @@ -88,12 +90,12 @@ class NovaAuthMiddleware(object): del middleware.tokens[k] conn = rpc.Connection.instance(new=True) - consumer = rpc.TopicConsumer( - connection=conn, - topic=FLAGS.vnc_console_proxy_topic) - consumer.register_callback(callback) + consumer = rpc.TopicAdapterConsumer( + connection=conn, + proxy=Proxy, + topic=FLAGS.vnc_console_proxy_topic) - utils.LoopingCall(consumer.fetch, auto_ack=True, + utils.LoopingCall(consumer.fetch, enable_callbacks=True).start(0.1) utils.LoopingCall(delete_expired_tokens).start(1) -- cgit From 06c0eff8ec7eef33933da9bd8adbf7b70a977889 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 17:44:27 -0700 Subject: add hook for osapi --- nova/api/ec2/cloud.py | 1 + nova/api/openstack/servers.py | 10 ++++++++++ nova/vnc/auth.py | 4 ++-- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index eb0428c2c..fa4624ff1 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -537,6 +537,7 @@ class CloudController(object): instance_id=instance_id) def get_vnc_console(self, context, instance_id, **kwargs): + """Returns vnc browser url to the dashboard.""" ec2_id = instance_id instance_id = ec2utils.ec2_id_to_id(ec2_id) return self.compute_api.get_vnc_console(context, diff --git a/nova/api/openstack/servers.py b/nova/api/openstack/servers.py index 0dad46268..88cc790c1 100644 --- a/nova/api/openstack/servers.py +++ b/nova/api/openstack/servers.py @@ -481,6 +481,16 @@ class Controller(wsgi.Controller): return faults.Fault(exc.HTTPNotFound()) return exc.HTTPAccepted() + @scheduler_api.redirect_handler + def get_vnc_console(self, req, id): + """ Returns a url to an instance's ajaxterm console. """ + try: + self.compute_api.get_vnc_console(req.environ['nova.context'], + int(id)) + except exception.NotFound: + return faults.Fault(exc.HTTPNotFound()) + return exc.HTTPAccepted() + @scheduler_api.redirect_handler def diagnostics(self, req, id): """Permit Admins to retrieve server diagnostics.""" diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 4161f3666..dff9b376f 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -69,7 +69,7 @@ class NovaAuthMiddleware(object): middleware = self middleware.tokens = {} - class Proxy(): + class TopicProxy(): @staticmethod def authorize_vnc_console(context, **kwargs): data = kwargs @@ -92,7 +92,7 @@ class NovaAuthMiddleware(object): conn = rpc.Connection.instance(new=True) consumer = rpc.TopicAdapterConsumer( connection=conn, - proxy=Proxy, + proxy=TopicProxy, topic=FLAGS.vnc_console_proxy_topic) utils.LoopingCall(consumer.fetch, -- cgit From b30d5aa17c86bf1487945d8f2b2878644f79999e Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 18:37:23 -0700 Subject: add documentation --- doc/source/runnova/vncconsole.rst | 76 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 doc/source/runnova/vncconsole.rst diff --git a/doc/source/runnova/vncconsole.rst b/doc/source/runnova/vncconsole.rst new file mode 100644 index 000000000..69f147613 --- /dev/null +++ b/doc/source/runnova/vncconsole.rst @@ -0,0 +1,76 @@ +.. + Copyright 2010-2011 United States Government as represented by the + Administrator of the National Aeronautics and Space Administration. + All Rights Reserved. + + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +Getting Started with the VNC Proxy +================================== + +The VNC Proxy is an OpenStack component that allows users of Nova to access +their instances through a websocket enabled browser (like Google Chrome). + +A VNC Connection works like so: + +* User connects over an api and gets a url like http://ip:port/?token=xyz +* User pastes url in browser +* Browser connects to VNC Proxy though a websocket enabled client like noVNC +* VNC Proxy authorizes users token, maps the token to a host and port of an + instance's VNC server +* VNC Proxy initiates connection to VNC server, and continues proxying until + the session ends + + +Configuring the VNC Proxy +------------------------- +nova-vnc-proxy requires a websocket enabled html client to work properly. At +this time, the only tested client is a slightly modified fork of noVNC, which +you can at find git://github.com/sleepsonthefloor/noVNC.git. + +.. todo:: add instruction for installing from package + +noVNC must be in the location specified by --vnc_proxy_wwwroot, which defaults +to /var/lib/nova/noVNC. nova-vnc-proxy will fail to launch until this code +is properly installed. + +By default, nova-vnc-proxy binds 0.0.0.0:6080. This can be configured with: + +* --vnc_proxy_port=[port] +* --vnc_proxy_host=[host] + + +Enabling VNC Consoles in Nova +----------------------------- +At the moment, VNC support is supported only when using libvirt. To enable VNC +Console, configure the following flags: + +* --vnc_console_proxy_url=http://[proxy_host]:[proxy_port] - proxy_port + defaults to 6080. This url must point to nova-vnc-proxy +* --vnc_enabled=[True|False] - defaults to True. If this flag is not set your + instances will launch without vnc support. + + +Getting an instance's VNC Console +--------------------------------- +You can access an instance's VNC Console url in the following methods: + +* Using the direct api: + eg: 'stack --user=admin --project=admin compute get_vnc_console instance_id=1' +* Support for Dashboard, and the Openstack API will be forthcoming + + +Accessing VNC Consoles without a web browser +-------------------------------------------- +At the moment, VNC Consoles are only supported through the web browser, but +more general VNC support is in the works. -- cgit From e722803067e6386e98f29aa867d4cf98ce6e0cc2 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Thu, 24 Mar 2011 18:38:28 -0700 Subject: clarify comment --- nova/api/ec2/cloud.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index fa4624ff1..e5a957b83 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -537,7 +537,7 @@ class CloudController(object): instance_id=instance_id) def get_vnc_console(self, context, instance_id, **kwargs): - """Returns vnc browser url to the dashboard.""" + """Returns vnc browser url. Used by OS dashboard.""" ec2_id = instance_id instance_id = ec2utils.ec2_id_to_id(ec2_id) return self.compute_api.get_vnc_console(context, -- cgit From abdd9a5078bef240fac91085f4af2da3f86e0b4e Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Mon, 28 Mar 2011 15:30:25 -0700 Subject: add period, test github --- bin/nova-vnc-proxy | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index e7b647c00..d39a9613e 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -17,7 +17,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -"""VNC Console Proxy Server""" +"""VNC Console Proxy Server.""" import eventlet import gettext -- cgit From 94092e3d896732fa1a97627f0fa504c3af70b3c5 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Mon, 28 Mar 2011 15:38:09 -0700 Subject: address some of termie's recommendations --- bin/nova-vnc-proxy | 3 +++ nova/api/openstack/servers.py | 4 ++-- nova/compute/api.py | 2 +- nova/tests/test_compute.py | 2 +- 4 files changed, 7 insertions(+), 4 deletions(-) diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy index d39a9613e..e26bc6d8c 100755 --- a/bin/nova-vnc-proxy +++ b/bin/nova-vnc-proxy @@ -40,8 +40,10 @@ from nova import version from nova.vnc import auth from nova.vnc import proxy + LOG = logging.getLogger('nova.vnc-proxy') + FLAGS = flags.FLAGS flags.DEFINE_string('vnc_proxy_wwwroot', '/var/lib/nova/noVNC/', 'Full path to noVNC directory') @@ -57,6 +59,7 @@ flags.DEFINE_flag(flags.HelpFlag()) flags.DEFINE_flag(flags.HelpshortFlag()) flags.DEFINE_flag(flags.HelpXMLFlag()) + if __name__ == "__main__": utils.default_flagfile() FLAGS(sys.argv) diff --git a/nova/api/openstack/servers.py b/nova/api/openstack/servers.py index c0fba4bb9..822342149 100644 --- a/nova/api/openstack/servers.py +++ b/nova/api/openstack/servers.py @@ -473,7 +473,7 @@ class Controller(wsgi.Controller): @scheduler_api.redirect_handler def get_ajax_console(self, req, id): - """ Returns a url to an instance's ajaxterm console. """ + """Returns a url to an instance's ajaxterm console.""" try: self.compute_api.get_ajax_console(req.environ['nova.context'], int(id)) @@ -483,7 +483,7 @@ class Controller(wsgi.Controller): @scheduler_api.redirect_handler def get_vnc_console(self, req, id): - """ Returns a url to an instance's ajaxterm console. """ + """Returns a url to an instance's ajaxterm console.""" try: self.compute_api.get_vnc_console(req.environ['nova.context'], int(id)) diff --git a/nova/compute/api.py b/nova/compute/api.py index f19c552e9..5470f40dc 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -618,7 +618,7 @@ class API(base.Base): {'method': 'authorize_vnc_console', 'args': {'token': output['token'], 'host': output['host'], - 'port': output['port']}}) + 'port': output['port']}}) return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % ( FLAGS.vnc_console_proxy_url, diff --git a/nova/tests/test_compute.py b/nova/tests/test_compute.py index 0be08a778..038824ef8 100644 --- a/nova/tests/test_compute.py +++ b/nova/tests/test_compute.py @@ -290,7 +290,7 @@ class ComputeTestCase(test.TestCase): self.compute.terminate_instance(self.context, instance_id) def test_vnc_console(self): - """Make sure we can a vnc console for an instance""" + """Make sure we can a vnc console for an instance.""" instance_id = self._create_instance() self.compute.run_instance(self.context, instance_id) -- cgit From 3e9b5977137c430d218ec8c00e286b691ea8367d Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 12:54:35 -0700 Subject: use manager pattern for auth token proxy --- bin/nova-vnc-proxy | 96 ----------------------------------- bin/nova-vncproxy | 101 +++++++++++++++++++++++++++++++++++++ doc/source/runnova/vncconsole.rst | 6 +-- nova/flags.py | 2 +- nova/vnc/auth.py | 103 +++++++++++++++++++++++--------------- nova/vnc/proxy.py | 3 +- 6 files changed, 168 insertions(+), 143 deletions(-) delete mode 100755 bin/nova-vnc-proxy create mode 100755 bin/nova-vncproxy diff --git a/bin/nova-vnc-proxy b/bin/nova-vnc-proxy deleted file mode 100755 index e26bc6d8c..000000000 --- a/bin/nova-vnc-proxy +++ /dev/null @@ -1,96 +0,0 @@ -#!/usr/bin/env python -# vim: tabstop=4 shiftwidth=4 softtabstop=4 - -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. -# All Rights Reserved. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -"""VNC Console Proxy Server.""" - -import eventlet -import gettext -import os -import sys - -possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), - os.pardir, - os.pardir)) -if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): - sys.path.insert(0, possible_topdir) - -gettext.install('nova', unicode=1) - -from nova import flags -from nova import log as logging -from nova import utils -from nova import wsgi -from nova import version -from nova.vnc import auth -from nova.vnc import proxy - - -LOG = logging.getLogger('nova.vnc-proxy') - - -FLAGS = flags.FLAGS -flags.DEFINE_string('vnc_proxy_wwwroot', '/var/lib/nova/noVNC/', - 'Full path to noVNC directory') -flags.DEFINE_boolean('vnc_debug', False, - 'Enable debugging features, like token bypassing') -flags.DEFINE_integer('vnc_proxy_port', 6080, - 'Port that the VNC proxy should bind to') -flags.DEFINE_string('vnc_proxy_host', '0.0.0.0', - 'Address that the VNC proxy should bind to') -flags.DEFINE_integer('vnc_token_ttl', 300, - 'How many seconds before deleting tokens') -flags.DEFINE_flag(flags.HelpFlag()) -flags.DEFINE_flag(flags.HelpshortFlag()) -flags.DEFINE_flag(flags.HelpXMLFlag()) - - -if __name__ == "__main__": - utils.default_flagfile() - FLAGS(sys.argv) - logging.setup() - - LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), - version.version_string_with_vcs()) - - if not (os.path.exists(FLAGS.vnc_proxy_wwwroot) and - os.path.exists(FLAGS.vnc_proxy_wwwroot + '/vnc_auto.html')): - LOG.info(_("Missing vnc_proxy_wwwroot (version %s)"), - FLAGS.vnc_proxy_wwwroot) - LOG.info(_("You need a slightly modified version of noVNC " - "to work with the nova-vnc-proxy")) - LOG.info(_("Check out the most recent nova noVNC code: %s"), - "git://github.com/sleepsonthefloor/noVNC.git") - LOG.info(_("And drop it in %s"), FLAGS.vnc_proxy_wwwroot) - exit(1) - - app = proxy.WebsocketVNCProxy(FLAGS.vnc_proxy_wwwroot) - - LOG.audit(_("Allowing access to the following files: %s"), - app.get_whitelist()) - - with_logging = auth.LoggingMiddleware(app) - - if FLAGS.vnc_debug: - with_auth = proxy.DebugMiddleware(with_logging) - else: - with_auth = auth.NovaAuthMiddleware(with_logging) - - server = wsgi.Server() - server.start(with_auth, FLAGS.vnc_proxy_port, host=FLAGS.vnc_proxy_host) - server.wait() diff --git a/bin/nova-vncproxy b/bin/nova-vncproxy new file mode 100755 index 000000000..0fad8397d --- /dev/null +++ b/bin/nova-vncproxy @@ -0,0 +1,101 @@ +#!/usr/bin/env python +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright (c) 2010 Openstack, LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""VNC Console Proxy Server.""" + +import eventlet +import gettext +import os +import sys + +possible_topdir = os.path.normpath(os.path.join(os.path.abspath(sys.argv[0]), + os.pardir, + os.pardir)) +if os.path.exists(os.path.join(possible_topdir, 'nova', '__init__.py')): + sys.path.insert(0, possible_topdir) + +gettext.install('nova', unicode=1) + +from nova import flags +from nova import log as logging +from nova import service +from nova import utils +from nova import wsgi +from nova import version +from nova.vnc import auth +from nova.vnc import proxy + + +LOG = logging.getLogger('nova.vnc-proxy') + + +FLAGS = flags.FLAGS +flags.DEFINE_string('vncproxy_wwwroot', '/var/lib/nova/noVNC/', + 'Full path to noVNC directory') +flags.DEFINE_boolean('vnc_debug', False, + 'Enable debugging features, like token bypassing') +flags.DEFINE_integer('vncproxy_port', 6080, + 'Port that the VNC proxy should bind to') +flags.DEFINE_string('vncproxy_host', '0.0.0.0', + 'Address that the VNC proxy should bind to') +flags.DEFINE_integer('vnc_token_ttl', 300, + 'How many seconds before deleting tokens') +flags.DEFINE_string('vncproxy_manager', 'nova.vnc.auth.VNCProxyAuthManager', + 'Manager for vncproxy auth') + +flags.DEFINE_flag(flags.HelpFlag()) +flags.DEFINE_flag(flags.HelpshortFlag()) +flags.DEFINE_flag(flags.HelpXMLFlag()) + + +if __name__ == "__main__": + utils.default_flagfile() + FLAGS(sys.argv) + logging.setup() + + LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), + version.version_string_with_vcs()) + + service.serve() + + if not (os.path.exists(FLAGS.vncproxy_wwwroot) and + os.path.exists(FLAGS.vncproxy_wwwroot + '/vnc_auto.html')): + LOG.info(_("Missing vncproxy_wwwroot (version %s)"), + FLAGS.vncproxy_wwwroot) + LOG.info(_("You need a slightly modified version of noVNC " + "to work with the nova-vnc-proxy")) + LOG.info(_("Check out the most recent nova noVNC code: %s"), + "git://github.com/sleepsonthefloor/noVNC.git") + LOG.info(_("And drop it in %s"), FLAGS.vncproxy_wwwroot) + exit(1) + + app = proxy.WebsocketVNCProxy(FLAGS.vncproxy_wwwroot) + + LOG.audit(_("Allowing access to the following files: %s"), + app.get_whitelist()) + + with_logging = auth.LoggingMiddleware(app) + + if FLAGS.vnc_debug: + with_auth = proxy.DebugMiddleware(with_logging) + else: + with_auth = auth.VNCNovaAuthMiddleware(with_logging) + + server = wsgi.Server() + server.start(with_auth, FLAGS.vncproxy_port, host=FLAGS.vncproxy_host) + server.wait() diff --git a/doc/source/runnova/vncconsole.rst b/doc/source/runnova/vncconsole.rst index 69f147613..6d93bad93 100644 --- a/doc/source/runnova/vncconsole.rst +++ b/doc/source/runnova/vncconsole.rst @@ -40,14 +40,14 @@ you can at find git://github.com/sleepsonthefloor/noVNC.git. .. todo:: add instruction for installing from package -noVNC must be in the location specified by --vnc_proxy_wwwroot, which defaults +noVNC must be in the location specified by --vncproxy_wwwroot, which defaults to /var/lib/nova/noVNC. nova-vnc-proxy will fail to launch until this code is properly installed. By default, nova-vnc-proxy binds 0.0.0.0:6080. This can be configured with: -* --vnc_proxy_port=[port] -* --vnc_proxy_host=[host] +* --vncproxy_port=[port] +* --vncproxy_host=[host] Enabling VNC Consoles in Nova diff --git a/nova/flags.py b/nova/flags.py index ba543f46d..b5c0cd380 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -281,7 +281,7 @@ DEFINE_string('ajax_console_proxy_url', in the form "http://127.0.0.1:8000"') DEFINE_string('ajax_console_proxy_port', 8000, 'port that ajax_console_proxy binds') -DEFINE_string('vnc_console_proxy_topic', 'vnc_proxy', +DEFINE_string('vnc_console_proxy_topic', 'vncproxy', 'the topic vnc proxy nodes listen on') DEFINE_string('vnc_console_proxy_url', 'http://127.0.0.1:6080', diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index dff9b376f..105b68fe2 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -1,9 +1,7 @@ #!/usr/bin/env python -# pylint: disable-msg=C0103 # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. +# Copyright (c) 2010 Openstack, LLC. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); @@ -26,8 +24,10 @@ import webob from webob import Request +from nova import context from nova import flags from nova import log as logging +from nova import manager from nova import rpc from nova import utils from nova import wsgi @@ -38,12 +38,24 @@ LOG = logging.getLogger('nova.vnc-proxy') FLAGS = flags.FLAGS -class NovaAuthMiddleware(object): +class VNCNovaAuthMiddleware(object): """Implementation of Middleware to Handle Nova Auth.""" def __init__(self, app): self.app = app - self.register_listeners() + self.token_cache = {} + utils.LoopingCall(self._delete_expired_tokens).start(1) + + def get_token_info(self, token): + if token in self.token_cache: + return self.token_cache[token] + + rval = rpc.call(context.get_admin_context(), + FLAGS.vnc_console_proxy_topic, + {"method": "check_token", "args": {'token': token}}) + if rval: + self.token_cache[token] = rval + return rval @webob.dec.wsgify def __call__(self, req): @@ -55,49 +67,27 @@ class NovaAuthMiddleware(object): if 'token' in auth_params: token = auth_params['token'][0] - if not token in self.tokens: + connection_info = self.get_token_info(token) + if not connection_info: LOG.audit(_("Unauthorized Access: (%s)"), req.environ) return webob.exc.HTTPForbidden(detail='Unauthorized') if req.path == vnc.proxy.WS_ENDPOINT: - req.environ['vnc_host'] = self.tokens[token]['args']['host'] - req.environ['vnc_port'] = int(self.tokens[token]['args']['port']) + req.environ['vnc_host'] = connection_info['host'] + req.environ['vnc_port'] = int(connection_info['port']) return req.get_response(self.app) - def register_listeners(self): - middleware = self - middleware.tokens = {} - - class TopicProxy(): - @staticmethod - def authorize_vnc_console(context, **kwargs): - data = kwargs - token = kwargs['token'] - LOG.audit(_("Received Token: %s)"), token) - middleware.tokens[token] = \ - {'args': kwargs, 'last_activity_at': time.time()} - - def delete_expired_tokens(): - now = time.time() - to_delete = [] - for k, v in middleware.tokens.items(): - if now - v['last_activity_at'] > FLAGS.vnc_token_ttl: - to_delete.append(k) - - for k in to_delete: - LOG.audit(_("Deleting Token: %s)"), k) - del middleware.tokens[k] - - conn = rpc.Connection.instance(new=True) - consumer = rpc.TopicAdapterConsumer( - connection=conn, - proxy=TopicProxy, - topic=FLAGS.vnc_console_proxy_topic) - - utils.LoopingCall(consumer.fetch, - enable_callbacks=True).start(0.1) - utils.LoopingCall(delete_expired_tokens).start(1) + def _delete_expired_tokens(self): + now = time.time() + to_delete = [] + for k, v in self.token_cache.items(): + if now - v['last_activity_at'] > FLAGS.vnc_token_ttl: + to_delete.append(k) + + for k in to_delete: + del self.token_cache[k] + class LoggingMiddleware(object): @@ -112,3 +102,34 @@ class LoggingMiddleware(object): LOG.info(_("Received Request: %s"), req.url) return req.get_response(self.app) + + +class VNCProxyAuthManager(manager.Manager): + """Manages token based authentication.""" + + def __init__(self, scheduler_driver=None, *args, **kwargs): + super(VNCProxyAuthManager, self).__init__(*args, **kwargs) + self.tokens = {} + utils.LoopingCall(self._delete_expired_tokens).start(1) + + def authorize_vnc_console(self, context, token, host, port): + self.tokens[token] = {'host': host, + 'port': port, + 'last_activity_at': time.time()} + LOG.audit(_("Received Token: %s, %s)"), token, self.tokens[token]) + + def check_token(self, context, token): + LOG.audit(_("Checking Token: %s, %s)"), token, (token in self.tokens)) + if token in self.tokens: + return self.tokens[token] + + def _delete_expired_tokens(self): + now = time.time() + to_delete = [] + for k, v in self.tokens.items(): + if now - v['last_activity_at'] > FLAGS.vnc_token_ttl: + to_delete.append(k) + + for k in to_delete: + LOG.audit(_("Deleting Expired Token: %s)"), k) + del self.tokens[k] diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index 49379d9ae..c6e46396b 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -1,8 +1,7 @@ #!/usr/bin/env python # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# Copyright 2010 United States Government as represented by the -# Administrator of the National Aeronautics and Space Administration. +# Copyright (c) 2010 Openstack, LLC. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); -- cgit From dbef49203985b4eea82912d010df7204ec68586c Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 13:32:03 -0700 Subject: fix flag names --- nova/compute/api.py | 4 ++-- nova/flags.py | 6 +++--- nova/virt/libvirt.xml.template | 4 ++-- nova/virt/libvirt_conn.py | 2 +- nova/vnc/auth.py | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/nova/compute/api.py b/nova/compute/api.py index 5470f40dc..8f5803649 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -614,14 +614,14 @@ class API(base.Base): output = self._call_compute_message('get_vnc_console', context, instance_id) - rpc.cast(context, '%s' % FLAGS.vnc_console_proxy_topic, + rpc.cast(context, '%s' % FLAGS.vncproxy_topic, {'method': 'authorize_vnc_console', 'args': {'token': output['token'], 'host': output['host'], 'port': output['port']}}) return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % ( - FLAGS.vnc_console_proxy_url, + FLAGS.vncproxy_url, output['token'], 'hostignore', 'portignore')} diff --git a/nova/flags.py b/nova/flags.py index b5c0cd380..b0c116f6b 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -281,13 +281,13 @@ DEFINE_string('ajax_console_proxy_url', in the form "http://127.0.0.1:8000"') DEFINE_string('ajax_console_proxy_port', 8000, 'port that ajax_console_proxy binds') -DEFINE_string('vnc_console_proxy_topic', 'vncproxy', +DEFINE_string('vncproxy_topic', 'vncproxy', 'the topic vnc proxy nodes listen on') -DEFINE_string('vnc_console_proxy_url', +DEFINE_string('vncproxy_url', 'http://127.0.0.1:6080', 'location of vnc console proxy, \ in the form "http://127.0.0.1:6080"') -DEFINE_string('vnc_server_host', '0.0.0.0', +DEFINE_string('vncserver_host', '0.0.0.0', 'the host interface on which vnc server should listen') DEFINE_bool('vnc_enabled', True, 'enable vnc related features') diff --git a/nova/virt/libvirt.xml.template b/nova/virt/libvirt.xml.template index c492e488c..cf6bed530 100644 --- a/nova/virt/libvirt.xml.template +++ b/nova/virt/libvirt.xml.template @@ -104,8 +104,8 @@ -#if $getVar('vnc_server_host', False) - +#if $getVar('vncserver_host', False) + #end if diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 41adbfe27..ec09aca28 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -885,7 +885,7 @@ class LibvirtConnection(driver.ComputeDriver): 'nics': nics} if FLAGS.vnc_enabled: - xml_info['vnc_server_host'] = FLAGS.vnc_server_host + xml_info['vncserver_host'] = FLAGS.vncserver_host if not rescue: if instance['kernel_id']: xml_info['kernel'] = xml_info['basepath'] + "/kernel" diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 105b68fe2..45f77dd59 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -51,7 +51,7 @@ class VNCNovaAuthMiddleware(object): return self.token_cache[token] rval = rpc.call(context.get_admin_context(), - FLAGS.vnc_console_proxy_topic, + FLAGS.vncproxy_topic, {"method": "check_token", "args": {'token': token}}) if rval: self.token_cache[token] = rval -- cgit From cc7ba9a7a4ed8a38f217ad7f33fc33254f80ead7 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 13:47:47 -0700 Subject: move flags per termie's feedback --- nova/flags.py | 10 ---------- nova/virt/libvirt_conn.py | 1 + nova/vnc/__init__.py | 35 +++++++++++++++++++++++++++++++++++ nova/vnc/auth.py | 3 ++- 4 files changed, 38 insertions(+), 11 deletions(-) diff --git a/nova/flags.py b/nova/flags.py index b0c116f6b..f011ab383 100644 --- a/nova/flags.py +++ b/nova/flags.py @@ -281,16 +281,6 @@ DEFINE_string('ajax_console_proxy_url', in the form "http://127.0.0.1:8000"') DEFINE_string('ajax_console_proxy_port', 8000, 'port that ajax_console_proxy binds') -DEFINE_string('vncproxy_topic', 'vncproxy', - 'the topic vnc proxy nodes listen on') -DEFINE_string('vncproxy_url', - 'http://127.0.0.1:6080', - 'location of vnc console proxy, \ - in the form "http://127.0.0.1:6080"') -DEFINE_string('vncserver_host', '0.0.0.0', - 'the host interface on which vnc server should listen') -DEFINE_bool('vnc_enabled', True, - 'enable vnc related features') DEFINE_bool('verbose', False, 'show debug output') DEFINE_boolean('fake_rabbit', False, 'use a fake rabbit') DEFINE_bool('fake_network', False, diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index ec09aca28..8c948950b 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -57,6 +57,7 @@ from nova import flags from nova import log as logging #from nova import test from nova import utils +from nova import vnc from nova.auth import manager from nova.compute import instance_types from nova.compute import power_state diff --git a/nova/vnc/__init__.py b/nova/vnc/__init__.py index e69de29bb..1642295ec 100644 --- a/nova/vnc/__init__.py +++ b/nova/vnc/__init__.py @@ -0,0 +1,35 @@ +#!/usr/bin/env python +# vim: tabstop=4 shiftwidth=4 softtabstop=4 + +# Copyright (c) 2010 Openstack, LLC. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +"""Module for VNC Proxying.""" + +from nova import flags + + +FLAGS = flags.FLAGS + +flags.DEFINE_string('vncproxy_topic', 'vncproxy', + 'the topic vnc proxy nodes listen on') +flags.DEFINE_string('vncproxy_url', + 'http://127.0.0.1:6080', + 'location of vnc console proxy, \ + in the form "http://127.0.0.1:6080"') +flags.DEFINE_string('vncserver_host', '0.0.0.0', + 'the host interface on which vnc server should listen') +flags.DEFINE_bool('vnc_enabled', True, + 'enable vnc related features') diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 45f77dd59..fd8d351f1 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -89,8 +89,9 @@ class VNCNovaAuthMiddleware(object): del self.token_cache[k] - class LoggingMiddleware(object): + """Middleware for basic vnc-specific request logging.""" + def __init__(self, app): self.app = app -- cgit From 817572265871fd2cfd1252dd0cffb167f0e2ccdb Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 13:49:49 -0700 Subject: move functions around --- nova/vnc/auth.py | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index fd8d351f1..86efffbe6 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -44,18 +44,7 @@ class VNCNovaAuthMiddleware(object): def __init__(self, app): self.app = app self.token_cache = {} - utils.LoopingCall(self._delete_expired_tokens).start(1) - - def get_token_info(self, token): - if token in self.token_cache: - return self.token_cache[token] - - rval = rpc.call(context.get_admin_context(), - FLAGS.vncproxy_topic, - {"method": "check_token", "args": {'token': token}}) - if rval: - self.token_cache[token] = rval - return rval + utils.LoopingCall(self.delete_expired_tokens).start(1) @webob.dec.wsgify def __call__(self, req): @@ -78,7 +67,18 @@ class VNCNovaAuthMiddleware(object): return req.get_response(self.app) - def _delete_expired_tokens(self): + def get_token_info(self, token): + if token in self.token_cache: + return self.token_cache[token] + + rval = rpc.call(context.get_admin_context(), + FLAGS.vncproxy_topic, + {"method": "check_token", "args": {'token': token}}) + if rval: + self.token_cache[token] = rval + return rval + + def delete_expired_tokens(self): now = time.time() to_delete = [] for k, v in self.token_cache.items(): -- cgit From 2c533ca5a4cd74907b3238ec65ab29c4f686dfcc Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 13:55:01 -0700 Subject: switch cast to a call --- nova/compute/api.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nova/compute/api.py b/nova/compute/api.py index 8f5803649..89d821d44 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -614,7 +614,7 @@ class API(base.Base): output = self._call_compute_message('get_vnc_console', context, instance_id) - rpc.cast(context, '%s' % FLAGS.vncproxy_topic, + rpc.call(context, '%s' % FLAGS.vncproxy_topic, {'method': 'authorize_vnc_console', 'args': {'token': output['token'], 'host': output['host'], -- cgit From 8cdad1ab8343eb038f119a92e28d77c731b61793 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 13:59:46 -0700 Subject: add comment --- nova/compute/api.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nova/compute/api.py b/nova/compute/api.py index 89d821d44..7977b07a2 100644 --- a/nova/compute/api.py +++ b/nova/compute/api.py @@ -620,6 +620,7 @@ class API(base.Base): 'host': output['host'], 'port': output['port']}}) + # hostignore and portignore are compatability params for noVNC return {'url': '%s/vnc_auto.html?token=%s&host=%s&port=%s' % ( FLAGS.vncproxy_url, output['token'], -- cgit From f5c072de1edddc4ddab89be8146a81d361397c45 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 14:53:38 -0700 Subject: incorporate feedback from termie --- bin/nova-vncproxy | 4 ++-- doc/source/runnova/vncconsole.rst | 2 +- nova/api/openstack/servers.py | 2 +- nova/virt/libvirt_conn.py | 2 -- nova/vnc/__init__.py | 2 -- nova/vnc/auth.py | 4 ++-- nova/vnc/proxy.py | 4 ++-- 7 files changed, 8 insertions(+), 12 deletions(-) diff --git a/bin/nova-vncproxy b/bin/nova-vncproxy index 0fad8397d..ccb97e3a3 100755 --- a/bin/nova-vncproxy +++ b/bin/nova-vncproxy @@ -71,8 +71,6 @@ if __name__ == "__main__": LOG.audit(_("Starting nova-vnc-proxy node (version %s)"), version.version_string_with_vcs()) - service.serve() - if not (os.path.exists(FLAGS.vncproxy_wwwroot) and os.path.exists(FLAGS.vncproxy_wwwroot + '/vnc_auto.html')): LOG.info(_("Missing vncproxy_wwwroot (version %s)"), @@ -96,6 +94,8 @@ if __name__ == "__main__": else: with_auth = auth.VNCNovaAuthMiddleware(with_logging) + service.serve() + server = wsgi.Server() server.start(with_auth, FLAGS.vncproxy_port, host=FLAGS.vncproxy_host) server.wait() diff --git a/doc/source/runnova/vncconsole.rst b/doc/source/runnova/vncconsole.rst index 6d93bad93..942ace611 100644 --- a/doc/source/runnova/vncconsole.rst +++ b/doc/source/runnova/vncconsole.rst @@ -36,7 +36,7 @@ Configuring the VNC Proxy ------------------------- nova-vnc-proxy requires a websocket enabled html client to work properly. At this time, the only tested client is a slightly modified fork of noVNC, which -you can at find git://github.com/sleepsonthefloor/noVNC.git. +you can at find http://github.com/openstack/noVNC.git .. todo:: add instruction for installing from package diff --git a/nova/api/openstack/servers.py b/nova/api/openstack/servers.py index 822342149..8170ab4a1 100644 --- a/nova/api/openstack/servers.py +++ b/nova/api/openstack/servers.py @@ -486,7 +486,7 @@ class Controller(wsgi.Controller): """Returns a url to an instance's ajaxterm console.""" try: self.compute_api.get_vnc_console(req.environ['nova.context'], - int(id)) + int(id)) except exception.NotFound: return faults.Fault(exc.HTTPNotFound()) return exc.HTTPAccepted() diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py index 8c948950b..502e61395 100644 --- a/nova/virt/libvirt_conn.py +++ b/nova/virt/libvirt_conn.py @@ -627,8 +627,6 @@ class LibvirtConnection(driver.ComputeDriver): return {'token': token, 'host': host, 'port': port} - _image_sems = {} # FIXME: why is this here? (anthony) - @staticmethod def _cache_image(fn, target, fname, cow=False, *args, **kwargs): """Wrapper for a method that creates an image that caches the image. diff --git a/nova/vnc/__init__.py b/nova/vnc/__init__.py index 1642295ec..2733c81d6 100644 --- a/nova/vnc/__init__.py +++ b/nova/vnc/__init__.py @@ -20,9 +20,7 @@ from nova import flags - FLAGS = flags.FLAGS - flags.DEFINE_string('vncproxy_topic', 'vncproxy', 'the topic vnc proxy nodes listen on') flags.DEFINE_string('vncproxy_url', diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index 86efffbe6..c7df13450 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -44,7 +44,7 @@ class VNCNovaAuthMiddleware(object): def __init__(self, app): self.app = app self.token_cache = {} - utils.LoopingCall(self.delete_expired_tokens).start(1) + utils.LoopingCall(self.delete_expired_cache_items).start(1) @webob.dec.wsgify def __call__(self, req): @@ -78,7 +78,7 @@ class VNCNovaAuthMiddleware(object): self.token_cache[token] = rval return rval - def delete_expired_tokens(self): + def delete_expired_cache_items(self): now = time.time() to_delete = [] for k, v in self.token_cache.items(): diff --git a/nova/vnc/proxy.py b/nova/vnc/proxy.py index c6e46396b..c4603803b 100644 --- a/nova/vnc/proxy.py +++ b/nova/vnc/proxy.py @@ -25,9 +25,9 @@ import eventlet from eventlet import wsgi from eventlet import websocket -from webob import Request import webob + WS_ENDPOINT = '/data' @@ -88,7 +88,7 @@ class WebsocketVNCProxy(object): _handle(environ, start_response) def __call__(self, environ, start_response): - req = Request(environ) + req = webob.Request(environ) if req.path == WS_ENDPOINT: return self.proxy_connection(environ, start_response) else: -- cgit From 3cdc2a90f0a7a066a231b0590aeb3d51d8ec699a Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 14:58:10 -0700 Subject: add line --- nova/vnc/__init__.py | 1 + 1 file changed, 1 insertion(+) diff --git a/nova/vnc/__init__.py b/nova/vnc/__init__.py index 2733c81d6..b5b00e44e 100644 --- a/nova/vnc/__init__.py +++ b/nova/vnc/__init__.py @@ -20,6 +20,7 @@ from nova import flags + FLAGS = flags.FLAGS flags.DEFINE_string('vncproxy_topic', 'vncproxy', 'the topic vnc proxy nodes listen on') -- cgit From 93a7a7b94a0d9e4100abb3a4309a3546ab532535 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 15:22:16 -0700 Subject: clarify test --- nova/tests/test_compute.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nova/tests/test_compute.py b/nova/tests/test_compute.py index 038824ef8..1b0f426d2 100644 --- a/nova/tests/test_compute.py +++ b/nova/tests/test_compute.py @@ -286,7 +286,7 @@ class ComputeTestCase(test.TestCase): console = self.compute.get_ajax_console(self.context, instance_id) - self.assert_(console) + self.assert_(set(['token', 'host', 'port']).issubset(console.keys())) self.compute.terminate_instance(self.context, instance_id) def test_vnc_console(self): -- cgit From 9513458c3e50fac5f40e76757b45ab15b67e8f00 Mon Sep 17 00:00:00 2001 From: Anthony Young Date: Tue, 29 Mar 2011 15:34:25 -0700 Subject: add nova-vncproxy to setup.py --- setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/setup.py b/setup.py index 3b48990ac..20f4c1947 100644 --- a/setup.py +++ b/setup.py @@ -112,4 +112,5 @@ DistUtilsExtra.auto.setup(name='nova', 'bin/nova-spoolsentry', 'bin/stack', 'bin/nova-volume', + 'bin/nova-vncproxy', 'tools/nova-debug']) -- cgit From 3e9bafd4f05a4bda29c30460bf3e3428a03f8218 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Tue, 29 Mar 2011 22:37:19 -0700 Subject: fix doc to refer to nova-vncproxy --- doc/source/runnova/vncconsole.rst | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/doc/source/runnova/vncconsole.rst b/doc/source/runnova/vncconsole.rst index 942ace611..c1fe9be39 100644 --- a/doc/source/runnova/vncconsole.rst +++ b/doc/source/runnova/vncconsole.rst @@ -26,7 +26,7 @@ A VNC Connection works like so: * User connects over an api and gets a url like http://ip:port/?token=xyz * User pastes url in browser * Browser connects to VNC Proxy though a websocket enabled client like noVNC -* VNC Proxy authorizes users token, maps the token to a host and port of an +* VNC Proxy authorizes users token, maps the token to a host and port of an instance's VNC server * VNC Proxy initiates connection to VNC server, and continues proxying until the session ends @@ -34,17 +34,17 @@ A VNC Connection works like so: Configuring the VNC Proxy ------------------------- -nova-vnc-proxy requires a websocket enabled html client to work properly. At -this time, the only tested client is a slightly modified fork of noVNC, which +nova-vncproxy requires a websocket enabled html client to work properly. At +this time, the only tested client is a slightly modified fork of noVNC, which you can at find http://github.com/openstack/noVNC.git .. todo:: add instruction for installing from package noVNC must be in the location specified by --vncproxy_wwwroot, which defaults -to /var/lib/nova/noVNC. nova-vnc-proxy will fail to launch until this code -is properly installed. +to /var/lib/nova/noVNC. nova-vncproxy will fail to launch until this code +is properly installed. -By default, nova-vnc-proxy binds 0.0.0.0:6080. This can be configured with: +By default, nova-vncproxy binds 0.0.0.0:6080. This can be configured with: * --vncproxy_port=[port] * --vncproxy_host=[host] @@ -55,17 +55,17 @@ Enabling VNC Consoles in Nova At the moment, VNC support is supported only when using libvirt. To enable VNC Console, configure the following flags: -* --vnc_console_proxy_url=http://[proxy_host]:[proxy_port] - proxy_port - defaults to 6080. This url must point to nova-vnc-proxy +* --vnc_console_proxy_url=http://[proxy_host]:[proxy_port] - proxy_port + defaults to 6080. This url must point to nova-vncproxy * --vnc_enabled=[True|False] - defaults to True. If this flag is not set your - instances will launch without vnc support. + instances will launch without vnc support. Getting an instance's VNC Console --------------------------------- You can access an instance's VNC Console url in the following methods: -* Using the direct api: +* Using the direct api: eg: 'stack --user=admin --project=admin compute get_vnc_console instance_id=1' * Support for Dashboard, and the Openstack API will be forthcoming -- cgit From 7856df88b22e6ff3bd0f124e3d71f130e3e9c205 Mon Sep 17 00:00:00 2001 From: Vishvananda Ishaya Date: Tue, 29 Mar 2011 22:41:15 -0700 Subject: fix localization for multiple replacement strings --- nova/vnc/auth.py | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/nova/vnc/auth.py b/nova/vnc/auth.py index c7df13450..ce5e10388 100644 --- a/nova/vnc/auth.py +++ b/nova/vnc/auth.py @@ -117,11 +117,13 @@ class VNCProxyAuthManager(manager.Manager): self.tokens[token] = {'host': host, 'port': port, 'last_activity_at': time.time()} - LOG.audit(_("Received Token: %s, %s)"), token, self.tokens[token]) + token_dict = self.tokens[token] + LOG.audit(_("Received Token: %(token)s, %(token_dict)s)"), locals()) def check_token(self, context, token): - LOG.audit(_("Checking Token: %s, %s)"), token, (token in self.tokens)) - if token in self.tokens: + token_valid = token in self.tokens + LOG.audit(_("Checking Token: %(token)s, %(token_valid)s)"), locals()) + if token_valid: return self.tokens[token] def _delete_expired_tokens(self): -- cgit