libvirt-console-proxy.git
5 months ago: Don't register handler to root of server (master)
Daniel P. Berrange [Thu, 26 Jan 2017 11:23:12 +0000]
Don't register handler to root of server

Require all clients to use the /websockify path. This will
facilitate setup of alternative paths for other encodings,
for example, a plain HTTP(s) tunnelling.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Introduce a virtconsoleresolveradm command
Daniel P. Berrange [Wed, 25 Jan 2017 15:20:05 +0000]
Introduce a virtconsoleresolveradm command

The virtconsoleresolveradm command makes it easy for admins to
enable/disable exporting of consoles via the proxy. It automates
the setup of secrets and the metadata xml.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Don't assume console port type matches service type
Daniel P. Berrange [Thu, 26 Jan 2017 11:20:08 +0000]
Don't assume console port type matches service type

Both <serial> and <console> port types map to the
'serial' service type.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Associate and index with consoles
Daniel P. Berrange [Thu, 26 Jan 2017 11:19:03 +0000]
Associate and index with consoles

There can be multiple consoles of the same type, so an
index must be associated with each one to allow them to
be identified.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Honour hostname override in console metadata
Daniel P. Berrange [Wed, 25 Jan 2017 14:50:10 +0000]
Honour hostname override in console metadata

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Pull set/get of domain metadata into separate file
Daniel P. Berrange [Wed, 25 Jan 2017 13:27:49 +0000]
Pull set/get of domain metadata into separate file

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Fix package name
Daniel P. Berrange [Wed, 25 Jan 2017 13:27:26 +0000]
Fix package name

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Switch to pflag for CLI parsing for POSIX style args
Daniel P. Berrange [Wed, 25 Jan 2017 11:48:37 +0000]
Switch to pflag for CLI parsing for POSIX style args

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Pull host/port for graphics from domain XML
Daniel P. Berrange [Tue, 24 Jan 2017 18:09:57 +0000]
Pull host/port for graphics from domain XML

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Fix proxying of > 64kb of data
Daniel P. Berrange [Tue, 24 Jan 2017 17:22:50 +0000]
Fix proxying of > 64kb of data

The code was mistakenly shrinking the data buffer on each
i/o op, until it got to 0 bytes whereupon we'd think we
had EOF from Read()

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
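
The failure mode this commit message describes, as an added example that is not code from the repository: `copyShrinking` is an assumed reconstruction of the defect (the buffer slice is advanced after every read), and `copyFixed` is one correct loop. The function names and the 100 KiB payload are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
)

// copyShrinking (assumed reconstruction) offers each Read less room than the last.
func copyShrinking(dst io.Writer, src io.Reader, bufSize int) int {
	buf := make([]byte, bufSize)
	total := 0
	for {
		n, err := src.Read(buf)
		if n == 0 || err != nil {
			return total // a 0-byte read into an empty buffer is taken for EOF
		}
		dst.Write(buf[:n])
		total += n
		buf = buf[n:] // defect: after bufSize bytes in total, len(buf) == 0
	}
}

// copyFixed offers the whole buffer to every Read and stops only on EOF or error.
func copyFixed(dst io.Writer, src io.Reader, bufSize int) (int, error) {
	buf := make([]byte, bufSize)
	total := 0
	for {
		n, err := src.Read(buf)
		if n > 0 {
			if _, werr := dst.Write(buf[:n]); werr != nil {
				return total, werr
			}
			total += n
		}
		if err == io.EOF {
			return total, nil
		} else if err != nil {
			return total, err
		}
	}
}

func main() {
	payload := bytes.Repeat([]byte{0x41}, 100*1024) // constructed 100 KiB stream
	short := copyShrinking(io.Discard, bytes.NewReader(payload), 64*1024)
	full, _ := copyFixed(io.Discard, bytes.NewReader(payload), 64*1024)
	fmt.Println(short, full)
}
```

With a 64 KiB buffer the shrinking loop stops silently after exactly 64 KiB, so the symptom is a stalled console session rather than an error in the log.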

5 months ago: Introduce resolver daemon for using libvirt guest metadata
Daniel P. Berrange [Mon, 23 Jan 2017 17:15:15 +0000]
Introduce resolver daemon for using libvirt guest metadata

Re-introduce libvirt integration via a virtconsoleresolverd
daemon. This daemon connects to libvirt and reads metadata
against the running domains to identify sockets.

e.g. if the guest has spice graphics enabled:

    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
      <image compression='off'/>
    </graphics>

Then it needs a metadata record to export the console saying
which secret to use as the access token:

  <metadata>
    <lcp:consoles xmlns:lcp="http://libvirt.org/schemas/console-proxy/1.0">
      <lcp:console type="spice" token="55806c7d-8e93-456f-829b-607d8c198367" insecure="yes"/>
    </lcp:consoles>
  </metadata>

The value for the secret is the actual token to use:

  # virsh secret-get-value 55806c7d-8e93-456f-829b-607d8c198367 | base64 -d
  123456

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Move pkg/consoleproxy to pkg/proxy
Daniel P. Berrange [Mon, 23 Jan 2017 16:27:04 +0000]
Move pkg/consoleproxy to pkg/proxy

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

5 months ago: Replace connector framework with resolver framework
Daniel P. Berrange [Mon, 23 Jan 2017 15:13:01 +0000]
Replace connector framework with resolver framework

The connector framework is responsible both for resolving
tokens to consoles, and opening the connection to the
console. Replace this with a resolver framework which
solely deals with resolving tokens to consoles.

There are only two resolver impls, a simple built-in one
that resolves against a JSON file, and a pluggable external
one that looks up tokens against a REST service.

For the builtin resolver, the token file is simply a map
of tokens

  {
      "123456": {
          "type": "vnc",
          "address": "127.0.0.1:5900",
          "insecure": true
      }
  }

For the external resolver, given a base URI like

  https://somehost/consoleresolver/

It will attempt to GET

  https://somehost/consoleresolver/token/[token id]

which is expected to return a JSON document

  {
    "type": "vnc",
    "address": "192.168.1.122:5901",
    "insecure": false
  }

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
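
The two lookups this commit message describes, as an added example that is not the project's code: a token-file lookup over the JSON map shown above, and construction of the `token/[token id]` URL for the external resolver. The function names, the record checks and the token escaping are assumptions of this example; the field names, console types and URLs come from the commit messages on this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Console mirrors the JSON record shown in the commit message.
type Console struct {
	Type     string `json:"type"`
	Address  string `json:"address"`
	Insecure bool   `json:"insecure"`
}

const sampleTokenFile = `{"123456": {"type": "vnc", "address": "127.0.0.1:5900", "insecure": true}}`

// ResolveBuiltin looks a token up in the token file; the record checks are assumed.
func ResolveBuiltin(tokenFile []byte, token string) (Console, error) {
	var consoles map[string]Console
	if err := json.Unmarshal(tokenFile, &consoles); err != nil {
		return Console{}, err
	}
	c, ok := consoles[token]
	if !ok || (c.Type != "vnc" && c.Type != "spice" && c.Type != "serial") {
		return Console{}, fmt.Errorf("unknown token or unsupported console type")
	}
	// Require host:port form; raw IPv6 must be bracketed, e.g. [::1]:5900.
	if _, _, err := net.SplitHostPort(c.Address); err != nil {
		return Console{}, err
	}
	return c, nil
}

// ExternalURL builds <base>/token/<token id>, keeping the token a single path segment.
func ExternalURL(base, token string) (string, error) {
	if token == "" || token == "." || token == ".." {
		return "", fmt.Errorf("invalid token")
	}
	return strings.TrimRight(base, "/") + "/token/" + url.PathEscape(token), nil
}

func main() {
	fmt.Println(ResolveBuiltin([]byte(sampleTokenFile), "123456"))
	fmt.Println(ExternalURL("https://somehost/consoleresolver/", "a/../b"))
}
```

Because the token arrives from the client, escaping it before it is placed in the resolver URL keeps a value such as `a/../b` from addressing a different resource on the resolver service.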

6 months ago: Remove libvirt and etcd support
Daniel P. Berrange [Mon, 23 Jan 2017 14:57:24 +0000]
Remove libvirt and etcd support

The logic for resolving tokens into console addresses is being
split off into a separate service so the console proxy does not
need to have permission to talk to any sensitive services.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Don't pass ServiceConfig into Proxy method
Daniel P. Berrange [Mon, 23 Jan 2017 14:52:41 +0000]
Don't pass ServiceConfig into Proxy method

Just pass the raw TLS config into the client constructors,
to avoid tying the client code to the ServiceConfig struct
which is going to change shortly.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Setup custom gopath in build/ dir
Daniel P. Berrange [Mon, 23 Jan 2017 14:14:28 +0000]
Setup custom gopath in build/ dir

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Ignore build/ dir
Daniel P. Berrange [Thu, 12 Jan 2017 12:24:32 +0000]
Ignore build/ dir

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Move files into a pkg subdir
Daniel P. Berrange [Thu, 12 Jan 2017 12:23:37 +0000]
Move files into a pkg subdir

Common practice is for code to be in a pkg/ subdir rather than
the top level.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Rename command to virtconsoleproxyd
Daniel P. Berrange [Thu, 12 Jan 2017 11:32:23 +0000]
Rename command to virtconsoleproxyd

The libvirt command names are commonly without hyphens
(e.g. virtlogd, virtlockd)

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

6 months ago: Parse domain XML to extract listening port/addresses
Daniel P. Berrange [Tue, 3 Jan 2017 11:37:44 +0000]
Parse domain XML to extract listening port/addresses

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Fix handling of IPv6 raw addresses
Daniel P. Berrange [Wed, 21 Dec 2016 12:22:11 +0000]
Fix handling of IPv6 raw addresses

Simply concatenating host/port fails for IPv6 raw addresses.
Use the JoinHostPort method instead and use a separate cli
arg for host/port

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Allow specifying a token for fixed connector
Daniel P. Berrange [Wed, 21 Dec 2016 12:20:38 +0000]
Allow specifying a token for fixed connector

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Rename args related to fixed connector
Daniel P. Berrange [Wed, 21 Dec 2016 12:19:35 +0000]
Rename args related to fixed connector

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Push token extract up into server object
Daniel P. Berrange [Wed, 21 Dec 2016 12:15:42 +0000]
Push token extract up into server object

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Add proof of concept of an etcd connector
Daniel P. Berrange [Wed, 21 Dec 2016 12:01:42 +0000]
Add proof of concept of an etcd connector

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Avoid leak of secret object
Daniel P. Berrange [Wed, 21 Dec 2016 11:34:21 +0000]
Avoid leak of secret object

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Rename libvirt-console-proxy to virt-console-proxyd
Daniel P. Berrange [Wed, 21 Dec 2016 10:18:34 +0000]
Rename libvirt-console-proxy to virt-console-proxyd

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Add a connector that uses libvirt to detect consoles
Daniel P. Berrange [Tue, 20 Dec 2016 18:14:01 +0000]
Add a connector that uses libvirt to detect consoles

The libvirt connector opens one or more connections to libvirt
and watches for running domains. Metadata in the domain XML
indicates which console(s) should be exposed via the proxy
and secrets provide their auth token.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

7 months ago: Initial commit
Daniel P. Berrange [Fri, 16 Dec 2016 19:30:34 +0000]
Initial commit

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>