Addon-vnctoken proposal

Hello,

After playing with this for a while, I’ve finally decided to share with the community a service that provides tokens for the websocketproxy used by Sunstone to serve the VM console via noVNC.

In the current OpenNebula implementation the VNC console is tightly linked to the Sunstone interface and it is the only way to access it due to the fact that only Sunstone generates the access tokens for the websocketproxy.

The proposed addon, written as a Ruby Sinatra application, provides a single XML-RPC method that can generate websocketproxy tokens and provide them in the method response. There are hints in the README file on how to configure Nginx to proxy both OpenNebula’s API and this addon’s API via a single SSL-protected port. A complete example nginx configuration file is included in the repository too.

This way any external billing/management system could have access to all needed details to build a VNC session for a given VM without the need to create a user in OpenNebula/Sunstone.

Please note that this service works in parallel with Sunstone, so only the last generated token will be valid. A running Sunstone service is needed anyway because it manages the novnc service that provides the websocketproxy.

As I am not a native Ruby programmer, any feedback is welcome.

The repository is here: https://github.com/storpool/addon-vnctoken

Best Regards,
Anton Todorov

Following the feedback here, there is an addon update to behave more like the native OpenNebula XML-RPC API:

  • response to POST requests
  • added two more methods for convenience
    • one.vm.vnctokenonly - which returns only the VNC proxy token as a proxy
    • one.vm.vnc - will return the same data as the one.vm.vnctoken method but as XML encoded in a string

Cheers,
Anton Todorov

I can get the VNC token,
but using
https://xxx.frontend.com/vnc?host=xxx.frontend.com.com&port=443&token=[vnctoken]&encrypt=yes&title=video.frontend.com&password=null

Sunstone will ask for authentication.
How can I access VNC without Sunstone? We need to access it from our billing system directly.

Hi Endry_J,

The proposed addon addresses this exact issue. Did you try installing and configuring it?

Best Regards
Anton Todorov

Hi Anton Todorov,
I didn’t install it.
The issue I am having is that, in order to access the VNC URL, the user must be authenticated via Sunstone; however, I am trying to avoid this, as the user is logging in twice.

Did this addon solve the problem?

By accessing https://xxx.frontend.com/vnc?host=xxx.frontend.com.com&port=443&token=[vnctoken]&encrypt=yes&title=video.frontend.com&password=null, it won’t ask for auth… am I right?

Regards
Endry

Just to clarify - the end user communicates with the billing interface only, right? And the billing communicates with the OpenNebula XML-RPC2 API.
This addon creates an additional XML-RPC2 API endpoint, that is working with the same credentials as the OpenNebula XML-RPC2 API and there is a method to request a vnctoken for a given VM that you should provide on the vnc URL.

Please take a thorough look at the addon and the provided examples.

Best Regards
Anton Todorov

Missed this, sorry.

It depends how and what you’ve proxied. There is a complete working example with nginx that I use.

BR,
Anton

Hi Anton,

Yes… we need a VNC URL from our billing system (WHMCS). But it looks like Sunstone is blocking us, even though we have the vnctoken.

We have the same issue with this one:

With OpenNebula, the process of establishing a VNC session is as follows:

  1. User requests a VNC session to the /vnc URL in Sunstone
  2. Sunstone generates a VNC token and returns a page that has the noVNC javascripts and instructs them to connect to the opennebula-novnc service, which actually is websockify listening by default on port 29876.

You could access the websockify service on port 29876 directly, using the noVNC scripts from the noVNC project instead of the ones served by Sunstone. All needed credentials but the vnctoken could be obtained via OpenNebula’s API. addon-vnctoken provides an API to request the missing vnctoken needed to complete the request to websockify.
This way Sunstone is not used at all - the noVNC code on the billing communicates directly with the websockify service.

Best Regards,
Anton Todorov

Hi Anton,

Thank you for the explanations.
It’s more clear now.
I’m going to connect directly to websockify port 29876 using the noVNC script with the VNC token.

Regards,
Endry

I would add that it is strongly recommended to protect all ports with SSL via a reverse proxy. A complete nginx configuration example can be found at https://github.com/storpool/addon-vnctoken/blob/master/vnctoken.conf.nginx

Best Regards and stay safe!
Anton Todorov

AWESOME. Thank you for the advance warning.

Regards,
Endry

I did manage to get this working: I set up websockify on my web server, which then used the tokens generated by OpenNebula; the host that websockify connects to is pulled from the OpenNebula API XML.

Secured with SSL using a FortiGate firewall as the reverse proxy and installing the cert on there.

Works like a charm.

The tokens are generated by Sunstone only when a VNC session is requested via Sunstone. So the VMs created by an external billing that works only with the OpenNebula API have no VNC tokens generated. The addon-vnctoken solves this case by providing an API to get a generated token when Sunstone is not used at all.

Also, in your case the VNC tokens are the same, not rotated, unless a VNC session is requested via Sunstone regularly.

Best Regards,
Anton Todorov

Hi @Endry_J! Now that you mention WHMCS… that’s an integration we’ve been thinking about for a while, as several users have shown interest in connecting OpenNebula with a billing platform. We were considering launching a community-led initiative for that. Is this something you would be happy to contribute to? It sounds like your experience would be really helpful 🙂

Cheers,

Alberto.

Hi,

From Sunstone, I can run VNC smoothly.
Here is the URL format:
https://xxx.frontend.com/vnc?host=xxx.frontend.com&port=443&token=[sunstone_vnc_token]&encrypt=yes&title=xxx.frontend.com&password=null

Now I have downloaded the noVNC project.
Using the query string above, running vnc_lite.html + query string didn’t work:
https://xxx.billing.com/novnc/vnc_lite.html?host=xxx.frontend.com&port=443&token=[sunstone_vnc_token]&encrypt=yes&title=xxx.frontend.com&password=null

Note: I already have https://xxx.frontend.com/websockify on port 443

Please let me know if I missed anything or anything is incorrect.

Hi Alberto,

I’m happy to see the OpenNebula team is going to launch a community WHMCS integration, and I wish to share all my knowledge.
But as you can see, I’m at an early stage.

Thanks
Endry

Hi @Endry_J

I think you should try with vnc.html from release 1.1.0 and fill in the menu as follows:

In the Path: field you should have all arguments

?host=xxx.frontend.com&port=443&token=[sunstone_vnc_token]&encrypt=yes&title=xxx.frontend.com&password=null

When you manage to make it work, you should figure out what is wrong with vnc_lite.html.

For debugging info and clues you could check the /var/log/one/novnc.log, the Nginx logs, and the debug console in the browser.

Best Regards,
Anton Todorov

Hi,

I found a bug in the vnctokenonly method.
In vnctoken.log:
Wed Apr 01 16:10:32 2020 [E]: Graphics type ‘vnc’ but ‘VNC’ expected //1024

We have to replace line 171 (vnctoken-server.rb)
if type == 'VNC'
with
if type.upcase == 'VNC'

Regards,
Endry
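
The graphics-type check reported above, together with the host lookup from the VM XML mentioned earlier in the thread, worked as an added example; this is not code from addon-vnctoken. The helper names, the sample XML and its element layout are assumptions. It also rejects a VM with no GRAPHICS section, a case where `type.upcase` would fail on nil.

```ruby
require 'rexml/document'

# Constructed sample, trimmed to the elements used below. The element layout
# is an assumption based on the VM XML returned by the OpenNebula API.
SAMPLE_VM_XML = <<~XML
  <VM>
    <ID>42</ID>
    <TEMPLATE>
      <GRAPHICS><LISTEN>0.0.0.0</LISTEN><PORT>5942</PORT><TYPE>vnc</TYPE></GRAPHICS>
    </TEMPLATE>
    <HISTORY_RECORDS>
      <HISTORY><HOSTNAME>kvm-old.example</HOSTNAME></HISTORY>
      <HISTORY><HOSTNAME>kvm-new.example</HOSTNAME></HISTORY>
    </HISTORY_RECORDS>
  </VM>
XML

VncTarget = Struct.new(:vm_id, :host, :port)

# Hypothetical helper: text of the last node matching xpath, '' if absent.
def xml_text(doc, xpath)
  node = REXML::XPath.match(doc, xpath).last
  node ? node.text.to_s.strip : ''
end

# Hypothetical helper: returns a VncTarget or raises ArgumentError.
def vnc_target(vm_xml)
  doc  = REXML::Document.new(vm_xml)
  type = xml_text(doc, '/VM/TEMPLATE/GRAPHICS/TYPE')
  # casecmp? accepts 'vnc', 'VNC' and 'Vnc'. A VM without a GRAPHICS section
  # yields '' here, so it is rejected instead of failing on nil.upcase.
  unless type.casecmp?('VNC')
    raise ArgumentError, "Graphics type '#{type}' but 'VNC' expected"
  end

  port = xml_text(doc, '/VM/TEMPLATE/GRAPHICS/PORT')
  # The last HISTORY record is the host the VM currently runs on.
  host = xml_text(doc, '/VM/HISTORY_RECORDS/HISTORY/HOSTNAME')
  # Validate before the values end up in a proxy target or a URL.
  raise ArgumentError, 'invalid VNC port' unless port.match?(/\A\d{1,5}\z/) &&
                                                 (1..65_535).cover?(port.to_i)
  raise ArgumentError, 'invalid host name' unless host.match?(/\A[A-Za-z0-9.-]+\z/)

  VncTarget.new(xml_text(doc, '/VM/ID').to_i, host, port.to_i)
end
```
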

Hi Endry_J,

Fixed. THANKS!

Best Regards,
Anton Todorov