Great, thanks Wei. Looking forward to your PR.
Regards, Rohit Yadav Software Architect, ShapeBlue https://www.shapeblue.com ________________________________ From: Wei Zhou <w.z...@global.leaseweb.com> Sent: Thursday, April 4, 2019 3:20:13 PM To: Rohit Yadav; d...@cloudstack.apache.org; users@cloudstack.apache.org Subject: RE: CloudStack NoVNC solution in Leaseweb Hi Rohit, There are lots of changes between noVNC 1.0.0 and stable/0.6. Our codes is not compatible with noVNC 1.0.0. We can submit two pull requests, one with novnc stable/0.6 to cloudstack 4.11.2 LTS so 4.11.2 users can test it, another one with novnc 1.0.0 to cloudstack 4.13. When CPVM starts and connects to management server, mgt server will send the cert/key to CPVM so CPVM saves them to local files, websockify proxy server is launched with the cert/key files. The novnc console url is generated by cloudstack so session check is same as current cloudstack console. The url times out after 5 minutes and only the ip to cloudstack can access the url. I think there is no security issue with this part. The key used for 'path' encryption and decryption is sent from mgt server to CPVM and saved in websockify proxy as plain text, that might be a potential security issue. We use AES/rijndael to encrypt/decrypt the 'path' and DES in vnc password authentication, which should be secure. We have tested PR 2204, we think python-based websockify is more stable and efficient than java-based websocket proxy. We did not test C-based websockify so I cannot say which one is better. Thanks a lot for the information you provided. Kind regards, Wei Zhou Principal Cloud Engineer Leaseweb Global B.V. [cid:image878037.png@B351532D.3F4F059A] +31 20 316 0230<tel:+31%2020%20316%200230> [cid:image878221.png@7A321129.163EE812] +31 6 1585 5099<tel:+31%206%201585%205099> [cid:image661172.png@8CEF6C15.C2EE41B6] w.z...@global.leaseweb.com<mailto:w.z...@global.leaseweb.com> [cid:image139378.png@A9FBC6D6.EBC749A7] www.leaseweb.com<https://www.leaseweb.com/> [cid:image530862.png@A44EFC4A.18FE2535] [cid:image925709.png@0BE69682.191C9591] Luttenbergweg 8 , 1101 EC Amsterdam , Netherlands [Facebook]<http://www.facebook.com/leaseweb> [LinkedIn]<https://www.linkedin.com/company/leaseweb/> [Twitter]<http://www.twitter.com/leaseweb> Leaseweb is the brand name under which the various independent Leaseweb companies operate. Each company is a separate and distinct entity that provides services in a particular geographic area. Leaseweb Global B.V. does not provide third-party services. Please see www.leaseweb.com/en/legal for more information. From: Rohit Yadav <rohit.ya...@shapeblue.com> Sent: donderdag 4 april 2019 11:09 To: d...@cloudstack.apache.org; users@cloudstack.apache.org; Wei Zhou <w.z...@global.leaseweb.com> Subject: Re: CloudStack NoVNC solution in Leaseweb Hi Wei, Great to hear from you on this. Yes, it been a long time on the previous noVNC integration attempt by our GSoC student. The 4.11 branch is LTS and cannot accept new features, please use master (4.13) for the PR you'll submit. I can help with reviewing and testing. The noVNC project has moved to 1.0.0 stable (https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? Does your implementation also support secured websocket (using a tls certificate)? To keep things turn-key, does it make sense to use C-based websockify or write our own Java based implementation that is in-built in the console proxy agent? I would prefer to reuse the java agent otherwise session/IP based authentication without checking with cloudstack may lead to some security issue. Licensing: We can ask for experts on the list and on asf-legal for advice but in my opinion we only need to ensure that the new licenses of the packages wrt the feature are compatible with Apache 2.0, largely allows redistributing (via systemvm.iso or a via new systemvmtemplate) with modifications: 1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL, BSD and MIT) 0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, BSD, LGPL 3.0, Apache 2.0, MIT) The main license is MPL and I think it allows for that: https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2) Other references: https://tldrlegal.com/license/bsd-3-clause-license-(revised) https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3) https://tldrlegal.com/license/apache-license-2.0-(apache-2.0) https://tldrlegal.com/license/mit-license Regards, Rohit Yadav Software Architect, ShapeBlue https://www.shapeblue.com rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com> www.shapeblue.com<http://www.shapeblue.com> @shapeblue ________________________________ From: Wei ZHOU <ustcweiz...@gmail.com<mailto:ustcweiz...@gmail.com>> Sent: Thursday, April 4, 2019 1:34:24 PM To: d...@cloudstack.apache.org<mailto:d...@cloudstack.apache.org>; users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>; w.z...@global.leaseweb.com<mailto:w.z...@global.leaseweb.com> Subject: CloudStack NoVNC solution in Leaseweb Hello CloudStack developers and users, We (as leaseweb) would like to share our NoVNC solution on our cloudstack platforms with the CloudStack community . The feature was implemented in 2012 and we have made some changes since that. We have used it for more than 7 years and it is very stable. Unlike the pull request submitted by sachinnitw1317 ( https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the novnc as the front end (different from the cloudstack) and the java websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use modified novnc and websockify to launch a websockify proxy in cpvm . Here are some technical details: (1) We use two open source projects: noVNC (https://github.com/novnc/noVNC , 0.6.2) and websockify (https://github.com/novnc/websockify ,latest) (2) We modified websockify so we can launch it without the target server/port and token. (3) We reuse the 'path' in novnc and websockify to pass some necessary vm informations from cloudstack to novnc and websockify. path is encrypted in cpvm / java, which contains target server,target port, vnc password, client ip and timestamp. When a new client comes, websockify will decrypt 'path' to get the vm informations above, and check if the client ip matches and the timestamp has not expired. (4) We moved the server/client initialization from novnc(js) to websockify(python). When a new client comes, websockify will create a websocket connection to the target server and port ,then check the protocol version and authentication scheme, use the password in step (3) in vnc authentication . (5) Add a global setting in cloudstack for encryption in java and decryption in websockify. Compared to the cloudstack native console (ajax/java websocket proxy) and the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we believe that the novnc console based on websockifty (written in python) is more efficient than the consoles based on java websocket proxy. If you have any questions or concerns, please feel free to ask. If nobody objects, we will port our changes to cloudstack 4.11.2 LTS and submit a pull request on cloudstack github, so everyone who is interested can merge and build it in his/her fork and test it . Considering that novnc and websockify are both open source projects, and we also use some open source code (such as in pyDes.py VNC password authentication) , it would be appreciated if anyone can help us on software licensing issues. Kind regards, Wei Zhou Principal Cloud Engineer LEASEWEB rohit.ya...@shapeblue.com www.shapeblue.com Amadeus House, Floral Street, London WC2E 9DPUK @shapeblue
