Commit 09fd3049 authored by Stratos Psomadakis

vnc: Make host for incoming connections configurable

parent e30db96d
......@@ -8,6 +8,19 @@ repository and have aligned versions.
.. _Changelog-0.16:
v0.16rc4
========
Released: UNRELEASED
Cyclades
--------
* Change the ``CYCLADES_VNCAUTHPROXY_OPTS`` setting to a list of dictionaries
and support configurable vncauthproxy proxy addresses (added in
snf-vncauthproxy-1.6).
v0.16rc3
========
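Review bot: The changelog bullet covers the settings change but not the behaviour change that comes with it in the `console()` hunks below: Cyclades now picks one entry of the list at random per console request and hands clients the `proxy_address` reported by vncauthproxy, falling back to the worker FQDN. A second bullet along the lines of "Cyclades selects one configured vncauthproxy instance at random per console request and uses the proxy address it reports as the console host" would tell operators why listing several instances matters.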
......
......@@ -1439,6 +1439,71 @@ To fix detected inconsistencies, use the `--fix` option.
$ snf-manage reconcile-pools
$ snf-manage reconcile-pools --fix
.. _admin-guide-vnc:
snf-vncauthproxy configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since ``snf-vncauthproxy-1.6`` and ``snf-cyclades-app-0.16``, it is possible
to run snf-vncauthproxy on a separate node and have multiple snf-vncauthproxy
instances / nodes, to serve clients.
The ``CYCLADES_VNCAUTHPROXY_OPTS`` setting has become a list of dictionaries,
each of which defines one snf-vncauthproxy instance. Each vncauthproxy should
be properly configured to accept control connections by the Cylades host (via
the ``--listen-address`` CLI parameter of snf-vncauthproxy) and VNC connections
from clients (via the ``--proxy-listen-address`` CLI parameter.
For a two-node vncauthproxy setup, the ``CYCLADES_VNCAUTHPROXY_OPTS`` would
look like:
.. code-block:: console
CYCLADES_VNCAUTHPROXY_OPTS = [
{
'auth_user': 'synnefo',
'auth_password': 'secret_password',
'server_address': 'node1.synnefo.live',
'server_port': 24999,
'enable_ssl': True,
'ca_cert': '/path/to/cacert',
'strict': True,
},
{
'auth_user': 'synnefo',
'auth_password': 'secret_password',
'server_address': 'node2.synnefo.live',
'server_port': 24999,
'enable_ssl': False,
'ca_cert': '/path/to/cacert',
'strict': True,
},
]
The ``server_address`` is the host / IP which Cyclades will use for the control
connection, in order to set up the forwarding.
The vncauthproxy ``DAEMON_OPTS`` option in ``/etc/default/vncauthproxy`` would
look like:
.. code-block:: console
DAEMON_OPTS="--pid-file=$PIDFILE --listen-address=node1.synnefo.live --proxy-listen-address=node1.synnefo.live"
The ``--proxy-listen-address`` is the host / IP which clients (Web browsers /
VNC clients) will use to connect to snf-vncauthproxy.
In case that snf-vncauthproxy doesn't run on the same node as the Cyclades
node, it is highly recommended to enable SSL on the control socket, using
strict verification of the server certificate. The only caveat, for the time
being, is that the same certificate, provided to snf-vncauthproxy, is used for
both the control and the client connections. If the control and client host
(``--listen-address`` and ``--proxy-listen-address`` parameters, respectively)
differ, you should make sure to generate a certificate covering both (using the
one as common name / CN, and specifying the other as a subject alternative
name).
.. _admin-guide-stats:
VM stats collecting
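Review bot: A few fixes are needed in the new admin-guide section. Typo: "Cylades host" should be "Cyclades host", and the sentence ending "(via the ``--proxy-listen-address`` CLI parameter." is missing its closing parenthesis. The two examples are a Python literal and a shell variable assignment, not console sessions, so ``.. code-block:: python`` and ``.. code-block:: bash`` would render more accurately than ``console``. More importantly, the node2 entry sets ``'enable_ssl': False`` while also giving a ``ca_cert`` and ``'strict': True``, which contradicts the paragraph right below it recommending SSL with strict verification for any vncauthproxy not co-located with Cyclades; since the control connection is the one authenticated with ``auth_user``/``auth_password``, the example should show ``'enable_ssl': True`` for both remote nodes (or explain why node2 differs).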
......
......@@ -2091,7 +2091,7 @@ Configure the vncauthproxy settings in
.. code-block:: console
CYCLADES_VNCAUTHPROXY_OPTS = {
CYCLADES_VNCAUTHPROXY_OPTS = [{
'auth_user': 'synnefo',
'auth_password': 'secret_password',
'server_address': '127.0.0.1',
......@@ -2099,7 +2099,7 @@ Configure the vncauthproxy settings in
'enable_ssl': False,
'ca_cert': None,
'strict': False,
}
}]
Depending on your snf-vncauthproxy setup, you might want to tweak the above
settings. Check the `documentation
......@@ -2119,8 +2119,11 @@ Both files should be readable by the `vncauthproxy` user or group.
.. note::
At the moment, the certificates should be issued to the FQDN of the
Cyclades worker.
When installing snf-vncauthproxy on the same node as Cyclades and using the
default settings for snf-vncauthproxy, the certificates should be issued to
the FQDN of the Cyclades worker. Refer to the :ref:`admin guide
<admin-guide-vnc>`, for more information on how to setup vncauthproxy on a
different host / interface.
We have now finished with the basic Cyclades configuration.
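Review bot: Wording in the replacement note: "how to setup vncauthproxy" should be "how to set up vncauthproxy" (verb), and the comma in "admin guide <admin-guide-vnc>`, for more information" is spurious. The same paragraph is pasted into two more files below, so apply the fix in all three copies.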
......
......@@ -2192,7 +2192,7 @@ Configure the vncauthproxy settings in
.. code-block:: console
CYCLADES_VNCAUTHPROXY_OPTS = {
CYCLADES_VNCAUTHPROXY_OPTS = [{
'auth_user': 'synnefo',
'auth_password': 'secret_password',
'server_address': '127.0.0.1',
......@@ -2200,7 +2200,8 @@ Configure the vncauthproxy settings in
'enable_ssl': False,
'ca_cert': None,
'strict': False,
}
}]
Depending on your snf-vncauthproxy setup, you might want to tweak the above
settings. Check the `documentation
......@@ -2220,8 +2221,11 @@ Both files should be readable by the `vncauthproxy` user or group.
.. note::
At the moment, the certificates should be issued to the FQDN of the
Cyclades worker.
When installing snf-vncauthproxy on the same node as Cyclades and using the
default settings for snf-vncauthproxy, the certificates should be issued to
the FQDN of the Cyclades worker. Refer to the :ref:`admin guide
<admin-guide-vnc>`, for more information on how to setup vncauthproxy on a
different host / interface.
We have now finished with the basic Cyclades configuration.
......
......@@ -357,8 +357,11 @@ Both files should be readable by the `vncauthproxy` user or group.
.. note::
At the moment, the certificates should be issued to the FQDN of the
Cyclades worker.
When installing snf-vncauthproxy on the same node as Cyclades and using the
default settings for snf-vncauthproxy, the certificates should be issued to
the FQDN of the Cyclades worker. Refer to the :ref:`admin guide
<admin-guide-vnc>`, for more information on how to setup vncauthproxy on a
different host / interface.
For more information on how to setup snf-vncauthproxy check the
snf-vncauthproxy `documentation <https://www.synnefo.org/docs/snf-vncauthproxy/latest/index.html#usage-with-synnefo>`_
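Review bot: The new note paragraph and the unchanged trailing sentence ("For more information on how to setup snf-vncauthproxy check the snf-vncauthproxy documentation ...") now send the reader elsewhere for setup details twice in a row; consider folding the admin-guide reference into that existing sentence instead of adding a second pointer. The same "setup" -> "set up" and spurious-comma fixes as in the install-guide hunks apply here.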
......
......@@ -154,25 +154,28 @@
##}
#CYCLADES_PORT_FORWARDING = {}
## Extra configuration options required for snf-vncauthproxy (>=1.5)
#CYCLADES_VNCAUTHPROXY_OPTS = {
# # These values are required for VNC console support. They should match a
# # user / password configured in the snf-vncauthproxy authentication / users
# # file (/var/lib/vncauthproxy/users).
# 'auth_user': 'synnefo',
# 'auth_password': 'secret_password',
# # server_address and server_port should reflect the --listen-address and
# # --listen-port options passed to the vncauthproxy daemon
# 'server_address': '127.0.0.1',
# 'server_port': 24999,
# # Set to True to enable SSL support on the control socket.
# 'enable_ssl': False,
# # If you enabled SSL support for snf-vncauthproxy you can optionally
# # provide a path to a CA file and enable strict checkfing for the server
# # certficiate.
# 'ca_cert': None,
# 'strict': False,
#}
## Extra configuration options required for snf-vncauthproxy (>=1.5). Each dict
## of the list, describes one vncauthproxy instance.
#CYCLADES_VNCAUTHPROXY_OPTS = [
# {
# # These values are required for VNC console support. They should match
# # a user / password configured in the snf-vncauthproxy authentication /
# # users file (/var/lib/vncauthproxy/users).
# 'auth_user': 'synnefo',
# 'auth_password': 'secret_password',
# # server_address and server_port should reflect the --listen-address and
# # --listen-port options passed to the vncauthproxy daemon
# 'server_address': '127.0.0.1',
# 'server_port': 24999,
# # Set to True to enable SSL support on the control socket.
# 'enable_ssl': False,
# # If you enabled SSL support for snf-vncauthproxy you can optionally
# # provide a path to a CA file and enable strict checkfing for the server
# # certficiate.
# 'ca_cert': None,
# 'strict': False,
# },
#]
#
## The maximum allowed size(GB) for a Cyclades Volume
#CYCLADES_VOLUME_MAX_SIZE = 200
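Review bot: Since these comment lines are rewritten anyway, fix the inherited typos "checkfing" -> "checking" and "certficiate" -> "certificate", and drop the comma in "Each dict of the list, describes". The header still says "(>=1.5)", but the list form is only understood by snf-cyclades-app-0.16 and the per-instance proxy address needs snf-vncauthproxy-1.6 according to the changelog hunk; stating that here, together with the fact that Cyclades picks one entry at random for each console request, would spare operators a surprise when they list an older instance.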
......
......@@ -152,25 +152,28 @@ CYCLADES_SERVERS_FQDN = 'snf-%(id)s.vm.example.synnefo.org'
#}
CYCLADES_PORT_FORWARDING = {}
# Extra configuration options required for snf-vncauthproxy (>=1.5)
CYCLADES_VNCAUTHPROXY_OPTS = {
# These values are required for VNC console support. They should match a
# user / password configured in the snf-vncauthproxy authentication / users
# file (/var/lib/vncauthproxy/users).
'auth_user': 'synnefo',
'auth_password': 'secret_password',
# server_address and server_port should reflect the --listen-address and
# --listen-port options passed to the vncauthproxy daemon
'server_address': '127.0.0.1',
'server_port': 24999,
# Set to True to enable SSL support on the control socket.
'enable_ssl': False,
# If you enabled SSL support for snf-vncauthproxy you can optionally
# provide a path to a CA file and enable strict checkfing for the server
# certficiate.
'ca_cert': None,
'strict': False,
}
# Extra configuration options required for snf-vncauthproxy (>=1.5). Each dict
# of the list, describes one vncauthproxy instance.
CYCLADES_VNCAUTHPROXY_OPTS = [
{
# These values are required for VNC console support. They should match
# a user / password configured in the snf-vncauthproxy authentication /
# users file (/var/lib/vncauthproxy/users).
'auth_user': 'synnefo',
'auth_password': 'secret_password',
# server_address and server_port should reflect the --listen-address and
# --listen-port options passed to the vncauthproxy daemon
'server_address': '127.0.0.1',
'server_port': 24999,
# Set to True to enable SSL support on the control socket.
'enable_ssl': False,
# If you enabled SSL support for snf-vncauthproxy you can optionally
# provide a path to a CA file and enable strict checkfing for the server
# certficiate.
'ca_cert': None,
'strict': False,
},
]
# The maximum allowed size(GB) for a Cyclades Volume
CYCLADES_VOLUME_MAX_SIZE = 200
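Review bot: Same points as for the commented default settings file above (typos "checkfing"/"certficiate", comma after "list", version requirements and the random-selection behaviour); the two files are copies of each other and should stay in sync.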
......
......@@ -17,6 +17,7 @@ import logging
from datetime import datetime
from socket import getfqdn
from random import choice
from django import dispatch
from synnefo.db import transaction
from django.utils import simplejson as json
......@@ -397,6 +398,11 @@ def console(vm, console_type):
password = util.random_password()
vnc_extra_opts = settings.CYCLADES_VNCAUTHPROXY_OPTS
# Maintain backwards compatibility with the dict setting
if isinstance(vnc_extra_opts, list):
vnc_extra_opts = choice(vnc_extra_opts)
fwd = request_vnc_forwarding(sport, daddr, dport, password,
console_type=console_type, **vnc_extra_opts)
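Review bot: `choice(vnc_extra_opts)` raises IndexError on an empty list, which would surface as a generic server error rather than the `faults.ServiceUnavailable` this function already uses for VNC problems; either validate the setting at import time or guard here with something like `if not vnc_extra_opts: raise faults.ServiceUnavailable('No vncauthproxy configured.')`. The comment "Maintain backwards compatibility with the dict setting" describes the implicit else branch, not the selection that follows it; "pick one vncauthproxy instance at random; a plain dict (old-style setting) is used as-is" says what the code does. Random selection also means a failure on one instance is not retried against another, which is worth a TODO if it is out of scope.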
......@@ -410,9 +416,14 @@ def console(vm, console_type):
if get_console_data(i) != console_data:
raise faults.ServiceUnavailable('VNC Server settings changed.')
try:
host = fwd['proxy_address']
except KeyError:
host = getfqdn()
console = {
'type': console_type,
'host': getfqdn(),
'host': host,
'port': fwd['source_port'],
'password': password}
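Review bot: The fallback `host = getfqdn()` returns the Cyclades worker's own FQDN, which is only right when vncauthproxy runs on that same node. If one entry of the list is an older vncauthproxy that does not report `proxy_address` and it lives elsewhere, clients are sent to the wrong host. Falling back to the selected instance's `server_address` (`vnc_extra_opts['server_address']`, in scope from the previous hunk) is usually a better guess, and logging a warning when the key is missing makes the misconfiguration visible. `fwd.get('proxy_address')` followed by the fallback also reads more compactly than the try/except KeyError.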
......