Great, thanks Wei. Looking forward to your PR.

Regards,

Rohit Yadav

Software Architect, ShapeBlue

https://www.shapeblue.com

________________________________
From: Wei Zhou <w.z...@global.leaseweb.com>
Sent: Thursday, April 4, 2019 3:20:13 PM
To: Rohit Yadav; d...@cloudstack.apache.org; users@cloudstack.apache.org
Subject: RE: CloudStack NoVNC solution in Leaseweb


Hi Rohit,



There are lots of changes between noVNC 1.0.0 and stable/0.6. Our codes is not 
compatible with noVNC 1.0.0. We can submit two pull requests, one with novnc 
stable/0.6 to cloudstack 4.11.2 LTS so 4.11.2 users can test it, another one 
with novnc 1.0.0 to cloudstack 4.13.



When CPVM starts and connects to management server, mgt server will send the 
cert/key to CPVM so CPVM saves them to local files, websockify proxy server is 
launched with the cert/key files.



The novnc console url is generated by cloudstack so session check is same as 
current cloudstack console. The url times out after 5 minutes and only the ip 
to cloudstack can access the url. I think there is no security issue with this 
part. The key used for 'path' encryption and decryption is sent from mgt server 
to CPVM and saved in websockify proxy as plain text, that might be a potential 
security issue. We use AES/rijndael to encrypt/decrypt the 'path' and DES in 
vnc password authentication, which should be secure.



We have tested PR 2204, we think python-based websockify is more stable and 
efficient than java-based websocket proxy. We did not test C-based websockify 
so I cannot say which one is better.



Thanks a lot for the information you provided.







​Kind regards,​


Wei Zhou

Principal Cloud Engineer
Leaseweb Global B.V.


[cid:image878037.png@B351532D.3F4F059A]  +31 20 316 
0230<tel:+31%2020%20316%200230>

[cid:image878221.png@7A321129.163EE812]  +31 6 1585 
5099<tel:+31%206%201585%205099>

[cid:image661172.png@8CEF6C15.C2EE41B6]  
w.z...@global.leaseweb.com<mailto:w.z...@global.leaseweb.com>

[cid:image139378.png@A9FBC6D6.EBC749A7]  
www.leaseweb.com<https://www.leaseweb.com/>



[cid:image530862.png@A44EFC4A.18FE2535]

[cid:image925709.png@0BE69682.191C9591]
        Luttenbergweg 8 ,       1101 EC         Amsterdam       ,       
Netherlands


[Facebook]<http://www.facebook.com/leaseweb>

[LinkedIn]<https://www.linkedin.com/company/leaseweb/>

[Twitter]<http://www.twitter.com/leaseweb>



Leaseweb is the brand name under which the various independent Leaseweb 
companies operate. Each company is a separate and distinct entity that provides 
services in a particular geographic area. Leaseweb Global B.V. does not provide 
third-party services. Please see www.leaseweb.com/en/legal for more information.




From: Rohit Yadav <rohit.ya...@shapeblue.com>
Sent: donderdag 4 april 2019 11:09
To: d...@cloudstack.apache.org; users@cloudstack.apache.org; Wei Zhou 
<w.z...@global.leaseweb.com>
Subject: Re: CloudStack NoVNC solution in Leaseweb



 Hi Wei,



Great to hear from you on this. Yes, it been a long time on the previous noVNC 
integration attempt by our GSoC student. The 4.11 branch is LTS and cannot 
accept new features, please use master (4.13) for the PR you'll submit. I can 
help with reviewing and testing.



The noVNC project has moved to 1.0.0 stable 
(https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be 
difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? 
Does your implementation also support secured websocket (using a tls 
certificate)?



To keep things turn-key, does it make sense to use C-based websockify or write 
our own Java based implementation that is in-built in the console proxy agent? 
I would prefer to reuse the java agent otherwise session/IP based 
authentication without checking with cloudstack may lead to some security issue.



Licensing:

We can ask for experts on the list and on asf-legal for advice but in my 
opinion we only need to ensure that the new licenses of the packages wrt the 
feature are compatible with Apache 2.0, largely allows redistributing (via 
systemvm.iso or a via new systemvmtemplate) with modifications:



1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL,

BSD and MIT)

0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, 
BSD, LGPL 3.0, Apache 2.0, MIT)



The main license is MPL and I think it allows for that: 
https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)



Other references:

https://tldrlegal.com/license/bsd-3-clause-license-(revised)
https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)
https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)

https://tldrlegal.com/license/mit-license



Regards,

Rohit Yadav

Software Architect, ShapeBlue

https://www.shapeblue.com

rohit.ya...@shapeblue.com<mailto:rohit.ya...@shapeblue.com>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue




________________________________

From: Wei ZHOU <ustcweiz...@gmail.com<mailto:ustcweiz...@gmail.com>>
Sent: Thursday, April 4, 2019 1:34:24 PM
To: d...@cloudstack.apache.org<mailto:d...@cloudstack.apache.org>; 
users@cloudstack.apache.org<mailto:users@cloudstack.apache.org>; 
w.z...@global.leaseweb.com<mailto:w.z...@global.leaseweb.com>
Subject: CloudStack NoVNC solution in Leaseweb



Hello CloudStack developers and users,

We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.

Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .

Here are some technical details:

(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.

Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.

If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .

Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.


Kind regards,

Wei Zhou
Principal Cloud Engineer
LEASEWEB

rohit.ya...@shapeblue.com 
www.shapeblue.com
Amadeus House, Floral Street, London  WC2E 9DPUK
@shapeblue
  
 

Reply via email to