Add support for VNC console for shim VMs #3822
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #3822 +/- ##
=======================================
Coverage 17.51% 17.51%
=======================================
Files 3 3
Lines 805 805
=======================================
Hits 141 141
Misses 629 629
Partials 35 35 ☔ View full report in Codecov by Sentry. |
europaul
force-pushed
the
enable-vnc-for-shim-vm
branch
from
868c4ce to
0424695
Compare
|
Can you please add to the commit message and PR description that this will work only for the standalone vnc client, not the "Remote Console" guacamole plugin. Also would be great if you specify the reasons why it does not work there. I do not have any objections on this PR, this is what we discussed with you. The main thing is left to be done here is to enable this feature by a separate flag, like the regular vnc is enabled: https://github.com/lf-edge/eve-api/blob/6180247abbc1c04422e093458809e8da59a25eff/proto/config/vm.proto#L52 Why? There are huge security concerns that we can't let everyone who has a vnc access to the Container let freely access the Shim Vm (if you wish we can discuss that once again with you and @shjala). So my advice is in order to complete this PR is to add a new field to the |
github-actions
bot
requested review from
christoph-zededa,
jsfakian,
naiming-zededa and
uncleDecart
|
@rouming I added the flag |
europaul
force-pushed
the
enable-vnc-for-shim-vm
branch
from
53d3579 to
c01cde6
Compare
I'm also curious why it wouldn't work since guacamole is built using the vnc access in kvm/qemu. Don't we have some markdown file which documents the current use of the console/vnc where this information can be added? If not we need to add it. |
|
@europaul There are a few changes requested (documentation, branching shim-vnc enabling). Also please fix yetus. Seems it wants "VM" name (all capital). |
Here we talk about this https://www.qemu.org/docs/master/system/keys.html, so you can switch between consoles from the VNC viewport. But guacamole browser client (I assume this is guacamole) does not let you send those keys combinations (or this is the browser? I did not invesitate that, might be Paul knows). So the switch between VNC consoles (vm and shim-vm) will work from application client (tightvnc, etc), but not guacamole.
Seems indeed we don't have any documentation VNC related. |
|
@eriknordmark @europaul I'm still looking into how to switch between consoles using a key combination in guacamole. According to the guacamole's FAQ this might be possible. If I find a solution it will be part of another PR. |
europaul
force-pushed
the
enable-vnc-for-shim-vm
branch
from
c01cde6 to
c594d29
Compare
|
@eriknordmark @rouming I think I addressed all comments, feel free to have another look! |
europaul
force-pushed
the
enable-vnc-for-shim-vm
branch
from
c594d29 to
7d949cd
Compare
|
@rouming @eriknordmark I actually just confirmed that switching between virtual consoles works via the keyboard shortcut in guacamole in both Firefox in Chromium on my machine. So I removed that line about the limitation from the docs. |
|
That's cool. Thanks for update. |
| @@ -173,6 +173,16 @@ const qemuConfTemplate = `# This file is automatically generated by domainmgr | |||
| driver = "virtconsole" | |||
| chardev = "charserial1" | |||
| name = "org.lfedge.eve.console.prime" | |||
|
|
|||
| {{- if .DomainConfig.EnableVncShimVM}} | |||
There was a problem hiding this comment.
What about adding a test to check that this is actually activated like the other tests we already have for this template?
Signed-off-by: Paul Gaiduk <paulg@zededa.com>
We enable access to shim VMs via VNC console through the following steps: - add another virtual console in the QEMU configuration that's gonna be used by VNC - call agetty on that virtual console during VMs boot to enable login When connecting to the QEMU instance via VNC the user will first be presented with a view of the currently running process (container's entry point). To switch to the shell of the shim VM the user will have to press 'Ctrl+Alt+2' and then 'Enter' to get the login prompt. Due to inability of some VNC clients to change the resolution of the display, the client might crash. However upon the client restart the new virtual console will appear as expected. The user can then switch back to the previous virtual console by pressing 'Ctrl+Alt+1'. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
The fields - VirtualizationMode - EnableVnc - VncDisplay - VncPassword are already part of VmConfig, which is embedded in DomainStatus, so there is no need to duplicate them in DomainStatus. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Signed-off-by: Paul Gaiduk <paulg@zededa.com>
We differentiate between the access to the edge application and the shim VM: - `enableVNC` is used to enable VNC for the edge application - `enableVncShimVm` is used to enable VNC for the shim VM This differentiation is need, because currently shim VM doesn't support any user authentication, so anybody able to access the VNC port can access the shim VM. This way VNC access to the shim VM stays disabled by default unless explicitly enabled by the controller. VNC is enabled in QEMU if either of the flags is set, but the virtconsole is only enabled if the `enableVNCshimVm` flag is set. Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Signed-off-by: Paul Gaiduk <paulg@zededa.com>
Add a test to verify that the QEMU configuration for VNC in contianer is generated correctly Signed-off-by: Paul Gaiduk <paulg@zededa.com>
europaul
force-pushed
the
enable-vnc-for-shim-vm
branch
from
7d949cd to
e7b84e7
Compare
| if err := kvmIntel.CreateDomConfig("test", config, types.DomainStatus{}, diskStatuses, &aa, conf); err != nil { | ||
| t.Errorf("CreateDomConfig failed %v", err) | ||
| } | ||
| defer os.Truncate(conf.Name(), 0) |
There was a problem hiding this comment.
| defer os.Truncate(conf.Name(), 0) | |
why is it needed for if you remove the file anyways?
There was a problem hiding this comment.
LGTM (but I think there is a comment or two from @christoph-zededa to look at)
We enable access to shim VMs via VNC console through the following steps:
When connecting to the QEMU instance via VNC the user will first be presented with a view of the currently running process (container's entry point). To switch to the shell of the shim VM the user will have to press 'Ctrl+Alt+2' and then 'Enter' to get the login prompt. Due to inability of some VNC clients to change the resolution of the display, the client might crash. However upon the client restart the new virtual console will appear as expected. The user can then switch back to the previous virtual console by pressing 'Ctrl+Alt+1'.