API2/Qemu: add unsecure and websocket options to vncpoxy also set qemu vnc server...

Signed-off-by: Stefan Priebe <s.priebe@profihost.ag>

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index ca8cdd516b05c40f8242bc7f503f4ad5fd7829a4..ebacc95cecefd58ca0517eaf5f2680f06c5d53fa 100644 (file)
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1270,6 +1270,16 @@ __PACKAGE__->register_method({
        properties => {
            node => get_standard_option('pve-node'),
            vmid => get_standard_option('pve-vmid'),
+           unsecure => {
+               optional => 1,
+               type => 'boolean',
+               description => "disables x509 auth",
+           },
+           websocket => {
+               optional => 1,
+               type => 'boolean',
+               description => "starts websockify instead of vncproxy",
+           },
        },
     },
     returns => {
@@ -1291,6 +1301,8 @@ __PACKAGE__->register_method({
 
        my $vmid = $param->{vmid};
        my $node = $param->{node};
+       my $unsecure = $param->{unsecure} // 0;
+       my $websocket = $param->{websocket} // 0;
 
        my $conf = PVE::QemuServer::load_config($vmid, $node); # check if VM exists
 
@@ -1308,7 +1320,7 @@ __PACKAGE__->register_method({
 
        if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) {
            $remip = PVE::Cluster::remote_node_ip($node);
-           # NOTE: kvm VNC traffic is already TLS encrypted
+           # NOTE: kvm VNC traffic is already TLS encrypted or is known unsecure
            $remcmd = ['/usr/bin/ssh', '-T', '-o', 'BatchMode=yes', $remip];
        }
 
@@ -1323,6 +1335,8 @@ __PACKAGE__->register_method({
 
            if ($conf->{vga} && ($conf->{vga} =~ m/^serial\d+$/)) {
 
+               die "Unsecure mode is not supported in vga serial mode!" if $unsecure;
+
                my $termcmd = [ '/usr/sbin/qm', 'terminal', $vmid, '-iface', $conf->{vga} ];
                #my $termcmd = "/usr/bin/qm terminal -iface $conf->{vga}";
                $cmd = ['/usr/bin/vncterm', '-rfbport', $port,
@@ -1330,12 +1344,50 @@ __PACKAGE__->register_method({
                        '-perm', 'Sys.Console', '-c', @$remcmd, @$termcmd];
            } else {
 
+               my $vnc_socket = PVE::QemuServer::vnc_socket($vmid);
+
+               if (defined $remip) {
+                   my $perlcode = "";
+                   if ($unsecure) {
+                       $perlcode = qq|
+                               use PVE::QemuServer;
+
+                               PVE::QemuServer::vm_mon_cmd($vmid, "change", device => "vnc", target => "unix:$vnc_socket,password");
+
+                               PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => "vnc", password => "$ticket");
+
+                               PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => "vnc", time => "+30");
+                               |;
+                   } else {
+                       $perlcode = qq|
+                               use PVE::QemuServer;
+
+                               PVE::QemuServer::vm_mon_cmd($vmid, "change", device => "vnc", target => "unix:$vnc_socket,x509,password");
+                               |;
+                   }
+
+                   PVE::Tools::run_command([@$remcmd, 'perl', '-'], input => $perlcode, outfunc => sub {print shift;}, errfunc => sub {print STDERR shift;});
+
+               } else {
+                   if ($unsecure) {
+                       PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
+                       PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket);
+                       PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30");
+                   } else {
+                       PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,x509,password");
+                   }
+               }
+
                my $qmcmd = [@$remcmd, "/usr/sbin/qm", 'vncproxy', $vmid];
 
                my $qmstr = join(' ', @$qmcmd);
 
                # also redirect stderr (else we get RFB protocol errors)
                $cmd = ['/bin/nc', '-l', '-p', $port, '-w', $timeout, '-c', "$qmstr 2>/dev/null"];
+
+               if ($websocket) {
+                   $cmd = ["/usr/share/novnc/utils/wsproxy.py", '--run-once', "--timeout=$timeout", "--idle-timeout=$timeout", '--ssl-only', '--cert', '/etc/pve/local/pve-ssl.pem', '--key', '/etc/pve/local/pve-ssl.key', $port, '--', @$cmd];
+               }
            }
 
            PVE::Tools::run_command($cmd);