From b4d5c00063d3112e7f65b816458889842b67cdff Mon Sep 17 00:00:00 2001 From: Stefan Priebe Date: Tue, 3 Jun 2014 10:22:00 +0200 Subject: [PATCH] API2/Qemu: add unsecure and websocket options to vncpoxy also set qemu vnc server properties on the fly Signed-off-by: Stefan Priebe --- PVE/API2/Qemu.pm | 54 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm index ca8cdd5..ebacc95 100644 --- a/PVE/API2/Qemu.pm +++ b/PVE/API2/Qemu.pm @@ -1270,6 +1270,16 @@ __PACKAGE__->register_method({ properties => { node => get_standard_option('pve-node'), vmid => get_standard_option('pve-vmid'), + unsecure => { + optional => 1, + type => 'boolean', + description => "disables x509 auth", + }, + websocket => { + optional => 1, + type => 'boolean', + description => "starts websockify instead of vncproxy", + }, }, }, returns => { @@ -1291,6 +1301,8 @@ __PACKAGE__->register_method({ my $vmid = $param->{vmid}; my $node = $param->{node}; + my $unsecure = $param->{unsecure} // 0; + my $websocket = $param->{websocket} // 0; my $conf = PVE::QemuServer::load_config($vmid, $node); # check if VM exists @@ -1308,7 +1320,7 @@ __PACKAGE__->register_method({ if ($node ne 'localhost' && $node ne PVE::INotify::nodename()) { $remip = PVE::Cluster::remote_node_ip($node); - # NOTE: kvm VNC traffic is already TLS encrypted + # NOTE: kvm VNC traffic is already TLS encrypted or is known unsecure $remcmd = ['/usr/bin/ssh', '-T', '-o', 'BatchMode=yes', $remip]; } @@ -1323,6 +1335,8 @@ __PACKAGE__->register_method({ if ($conf->{vga} && ($conf->{vga} =~ m/^serial\d+$/)) { + die "Unsecure mode is not supported in vga serial mode!" if $unsecure; + my $termcmd = [ '/usr/sbin/qm', 'terminal', $vmid, '-iface', $conf->{vga} ]; #my $termcmd = "/usr/bin/qm terminal -iface $conf->{vga}"; $cmd = ['/usr/bin/vncterm', '-rfbport', $port, @@ -1330,12 +1344,50 @@ __PACKAGE__->register_method({ '-perm', 'Sys.Console', '-c', @$remcmd, @$termcmd]; } else { + my $vnc_socket = PVE::QemuServer::vnc_socket($vmid); + + if (defined $remip) { + my $perlcode = ""; + if ($unsecure) { + $perlcode = qq| + use PVE::QemuServer; + + PVE::QemuServer::vm_mon_cmd($vmid, "change", device => "vnc", target => "unix:$vnc_socket,password"); + + PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => "vnc", password => "$ticket"); + + PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => "vnc", time => "+30"); + |; + } else { + $perlcode = qq| + use PVE::QemuServer; + + PVE::QemuServer::vm_mon_cmd($vmid, "change", device => "vnc", target => "unix:$vnc_socket,x509,password"); + |; + } + + PVE::Tools::run_command([@$remcmd, 'perl', '-'], input => $perlcode, outfunc => sub {print shift;}, errfunc => sub {print STDERR shift;}); + + } else { + if ($unsecure) { + PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password"); + PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket); + PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30"); + } else { + PVE::QemuServer::vm_mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,x509,password"); + } + } + my $qmcmd = [@$remcmd, "/usr/sbin/qm", 'vncproxy', $vmid]; my $qmstr = join(' ', @$qmcmd); # also redirect stderr (else we get RFB protocol errors) $cmd = ['/bin/nc', '-l', '-p', $port, '-w', $timeout, '-c', "$qmstr 2>/dev/null"]; + + if ($websocket) { + $cmd = ["/usr/share/novnc/utils/wsproxy.py", '--run-once', "--timeout=$timeout", "--idle-timeout=$timeout", '--ssl-only', '--cert', '/etc/pve/local/pve-ssl.pem', '--key', '/etc/pve/local/pve-ssl.key', $port, '--', @$cmd]; + } } PVE::Tools::run_command($cmd); -- 2.39.2