Ovirt devel - Aug 2008 - oVirt console

As some background, Hugh Brock asked me to look at how much work it
would be to add console access to guests from the oVirt WUI, properly
authenticated and encrypted and -- this is the key -- supporting
Windows users.

I previously wrote a VNC browser plugin based around the open source
gtk-vnc[i] and virt-viewer[ii] projects.  This hasn't worked out well
because, for reasons which are elusive, the browser plugin makes the
whole browser somewhat unstable.  And in any case it looks like the
plugin would be limited to Firefox on Linux.

My feeling is that instead of embedding the console in the browser,
with all the potential complexity and unstableness involved in that,
instead we should have a very small browser plugin which launches a
separate virt-viewer process.  This way, the browser plugin should be
very small and short-lived (so won't affect the stability of the
browser), should be easy to port, and all the open consoles will be
running as separate virt-viewer processes so again there is a benefit
of separation & stability.

To achieve this, we need the following steps:

(1) SASL support the VNC protocol:

  (a) Register one or two new VNC protocol extensions for, respectively,
      authentication & encryption using SASL.

  (b) Implement server-side protocols in upstream QEMU.  This will
      eventually lead to it being supported in projects that synch
      with QEMU, ie. KVM.

  (c) Implement client-side protocols in gtk-vnc.

(2) virt-viewer changed to register a callback to collect the required
    auth information

(3) Build the following chain of SASL dependencies on Windows, using
    the MinGW cross-compiler[iii]:

      cyrus-sasl-*[iv]
      krb5-libs[v]
      keyutils-libs[vi]

    These may require changes upstream.

(4) Build gtk-vnc and a virt-viewer binary for Windows.  (It will
    already be built for Linux eg. in Fedora).

(5) Write plugin(s) for Firefox on Linux / Windows using the NPAPI[vii].

(6) Write plugin for Windows / IE.

(7) Build packages.

Rich.

Links
-----

  [i] http://gtk-vnc.sourceforge.net/
 [ii] http://freshmeat.net/projects/virtviewer/
[iii] http://fedoraproject.org/wiki/SIGs/MinGW
 [iv] http://asg.web.cmu.edu/sasl/
  [v] http://web.mit.edu/kerberos/www/
 [vi] http://people.redhat.com/~dhowells/keyutils/
[vii] http://en.wikipedia.org/wiki/NPAPI

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://et.redhat.com/~rjones/virt-df/

In case it wasn't clear, the console traffic will still travel over
the VNC port (eg. 5900-) between the client's machine and the managed
node.  Is this expected to be a problem?

Rich.

-- 
Richard Jones, Emerging Technologies, Red Hat  http://et.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v

On Fri, Aug 01, 2008 at 01:57:27PM +0100, Richard W.M. Jones
wrote:
> As some background, Hugh Brock asked me to look at how much work it
> would be to add console access to guests from the oVirt WUI, properly
> authenticated and encrypted and -- this is the key -- supporting
> Windows users.
> 
> I previously wrote a VNC browser plugin based around the open source
> gtk-vnc[i] and virt-viewer[ii] projects.  This hasn't worked out well
> because, for reasons which are elusive, the browser plugin makes the
> whole browser somewhat unstable.  And in any case it looks like the
> plugin would be limited to Firefox on Linux.
> 
> My feeling is that instead of embedding the console in the browser,
> with all the potential complexity and unstableness involved in that,
> instead we should have a very small browser plugin which launches a
> separate virt-viewer process.  This way, the browser plugin should be
> very small and short-lived (so won't affect the stability of the
> browser), should be easy to port, and all the open consoles will be
> running as separate virt-viewer processes so again there is a benefit
> of separation & stability.
> 
> To achieve this, we need the following steps:
> 
> (1) SASL support the VNC protocol:
> 
>   (a) Register one or two new VNC protocol extensions for, respectively,
>       authentication & encryption using SASL.
Only one extension is required. You negotiate encryption as part of the
SASL authentication handshake. Basically if we're using SASL on the TLS
encrypted channel then you set a min&max SSF of 0 (SSF = Security Strength
Factor), and if not using TLS then set a min SSF of 56 (good enough to
require Kerberos) and max of 100000 (or a suitably large number). This
ensures that SASL encryption will be negotiated if the underlying channel
isn't already using strong encryption.
>   (b) Implement server-side protocols in upstream QEMU.  This will
>       eventually lead to it being supported in projects that synch
>       with QEMU, ie. KVM.
The bulk of the server side stuff for libvirt is in the qemud/remote.c
file, remoteDispatchAuthSasl(Init,Start,Step). This handles all the
auth side of things. If you negotiate a SSF layer, then you also need
to wire in calls to sasl_encode, sasl_decode in the part where you
read/write data on the wire.
>   (c) Implement client-side protocols in gtk-vnc.
Similarly the client side stuff in libvirt is in src/remote_internal.c
in the remoteAuthSASL() method which takes care of all client auth.
Again, we wire in sasl_encode/decode where needed for SSF.

Gathering client credentials is a hairy bit - the virConnectCredential,
virConnectAuth and virConnectAuthCallbackPtr  structs/function define
the public contract to expose to apps.  If we use a similar contract
for credentials in GTK-VNC, then it'll make the virt-viewer integration
easier because it already has to deal this for libvirt auth credentials.

Getting it working with Kerberos first is actually eaiser than getting it
working with username/password, because with Kerberos you don't have to
debug the callback stuff - it just uses the keytab. 

Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|