[pve-devel] [PATCH] API2/Qemu: add unsecure and websocket options to vncpoxy also set qemu vnc server properties on the fly
Stefan Priebe
s.priebe at profihost.ag
Mon Jun 2 09:44:33 CEST 2014
Signed-off-by: Stefan Priebe <s.priebe at profihost.ag>
---
PVE/API2/Qemu.pm | 38 +++++++++++++++++++++++++++++++++-----
1 file changed, 33 insertions(+), 5 deletions(-)
diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index e3aa24a..01de65b 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1354,6 +1354,16 @@ __PACKAGE__->register_method({
properties => {
node => get_standard_option('pve-node'),
vmid => get_standard_option('pve-vmid'),
+ unsecure => {
+ optional => 1,
+ type => 'boolean',
+ description => "disables x509 auth",
+ },
+ websocket => {
+ optional => 1,
+ type => 'boolean',
+ description => "starts websockify instead of vncproxy",
+ },
},
},
returns => {
@@ -1375,6 +1385,8 @@ __PACKAGE__->register_method({
my $vmid = $param->{vmid};
my $node = $param->{node};
+ my $unsecure = $param->{unsecure} // 0;
+ my $websocket = $param->{websocket} // 0;
my $conf = PVE::QemuServer::load_config($vmid, $node); # check if VM exists
@@ -1392,7 +1404,7 @@ __PACKAGE__->register_method({
if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
$remip = PVE::Cluster::remote_node_ip($node);
- # NOTE: kvm VNC traffic is already TLS encrypted
+ # NOTE: kvm VNC traffic is already TLS encrypted or is known unsecure
$remcmd = ['/usr/bin/ssh', '-T', '-o', 'BatchMode=yes', $remip];
}
@@ -1407,6 +1419,8 @@ __PACKAGE__->register_method({
if ($conf->{vga} && ($conf->{vga} =~ m/^serial\d+$/)) {
+ die "Unsecure mode is not supported in vga serial mode!" if $unsecure;
+
my $termcmd = [ '/usr/sbin/qm', 'terminal', $vmid, '-iface', $conf->{vga} ];
#my $termcmd = "/usr/bin/qm terminal -iface $conf->{vga}";
$cmd = ['/usr/bin/vncterm', '-rfbport', $port,
@@ -1414,12 +1428,26 @@ __PACKAGE__->register_method({
'-perm', 'Sys.Console', '-c', @$remcmd, @$termcmd];
} else {
- my $qmcmd = [@$remcmd, "/usr/sbin/qm", 'vncproxy', $vmid];
+ my $vnc_socket = PVE::QemuServer::vnc_socket($vmid);
- my $qmstr = join(' ', @$qmcmd);
+ if ($unsecure) {
+ PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
+ PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket);
+ PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30");
+ } else {
+ PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,x509,password");
+ }
+
+ if ($websocket) {
+ $cmd = ["/usr/share/novnc/utils/wsproxy.py", '--run-once', '--timeout=90', '--idle-timeout=90', '--ssl-only', '--cert', '/etc/pve/local/pve-ssl.pem', '--key', '/etc/pve/local/pve-ssl.key', "--unix-target=$vnc_socket", $port];
+ } else {
+ my $qmcmd = [@$remcmd, "/usr/sbin/qm", 'vncproxy', $vmid];
+
+ my $qmstr = join(' ', @$qmcmd);
- # also redirect stderr (else we get RFB protocol errors)
- $cmd = ['/bin/nc', '-l', '-p', $port, '-w', $timeout, '-c', "$qmstr 2>/dev/null"];
+ # also redirect stderr (else we get RFB protocol errors)
+ $cmd = ['/bin/nc', '-l', '-p', $port, '-w', $timeout, '-c', "$qmstr 2>/dev/null"];
+ }
}
PVE::Tools::run_command($cmd);
--
1.7.10.4
More information about the pve-devel
mailing list