This PR introduces console access support for instances deployed using Orchestrator Extensions, available via either VNC or a direct URL.
- CloudStack queries the extension using the getconsole action.
- For VNC-based access, the extension must return host/port/ticket details. CloudStack then forwards these to the Console Proxy VM (CPVM) in the instance’s zone. It is assumed that the CPVM can reach the specified host and port.
- For direct URL access, the extension returns a console URL with the protocol set to `direct`. The URL is then provided directly to the user.
- The built-in Proxmox Orchestrator Extension now supports console access via VNC. The extension calls the Proxmox API to fetch console details and returns them in the required format.
Also, adds changes to send caller details to the extension payload.
```
# cat /var/lib/cloudstack/management/extensions/Proxmox/02b650f6-bb98-49cb-8cac-82b7a78f43a2.json | jq
{
  "caller": {
    "roleid": "6b86674b-7e61-11f0-ba77-1e00c8000158",
    "rolename": "Root Admin",
    "name": "admin",
    "roletype": "Admin",
    "id": "93567ed9-7e61-11f0-ba77-1e00c8000158",
    "type": "ADMIN"
  },
  "virtualmachineid": "126f4562-1f0f-4313-875e-6150cabeb72f",
  ...
```
Documentation PR: https://github.com/apache/cloudstack-documentation/pull/560
---------
Signed-off-by: Abhishek Kumar <abhishek.mrt22@gmail.com>
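The caller block in the payload above gives an extension enough to authorize and audit a `getconsole` request before it hands out VNC or URL details. A sketch of such a check, added here as an example and not part of the commit or of the Proxmox extension; the function names, the role policy and the audit-record layout are assumptions:

```python
import json
import re

# Caller field names are those in the payload above; the role policy is an assumption.
CALLER_FIELDS = ("id", "name", "roleid", "rolename", "roletype", "type")
UUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Constructed sample: the payload shown above, trimmed to the fields that are visible.
SAMPLE_PAYLOAD = """{
  "caller": {"roleid": "6b86674b-7e61-11f0-ba77-1e00c8000158", "rolename": "Root Admin",
             "name": "admin", "roletype": "Admin",
             "id": "93567ed9-7e61-11f0-ba77-1e00c8000158", "type": "ADMIN"},
  "virtualmachineid": "126f4562-1f0f-4313-875e-6150cabeb72f"
}"""


def _deny(reason, record=None):
    return False, dict(record or {}, decision="deny", reason=reason)


def check_console_request(raw_payload, allowed_roletypes=("Admin",)):
    """Hypothetical extension-side gate: return (allowed, audit_record)."""
    try:
        payload = json.loads(raw_payload)
    except ValueError:
        return _deny("payload is not valid JSON")
    caller = payload.get("caller") if isinstance(payload, dict) else None
    if not isinstance(caller, dict):
        return _deny("caller block missing")
    missing = [f for f in CALLER_FIELDS if not isinstance(caller.get(f), str)]
    if missing:
        return _deny("caller fields missing: " + ",".join(missing))
    ids = {"caller.id": caller["id"], "caller.roleid": caller["roleid"],
           "virtualmachineid": payload.get("virtualmachineid")}
    bad = sorted(k for k, v in ids.items() if not (isinstance(v, str) and UUID.fullmatch(v)))
    if bad:
        return _deny("malformed id: " + ",".join(bad))
    record = {"caller_id": caller["id"], "caller_name": caller["name"],
              "roletype": caller["roletype"], "vm": ids["virtualmachineid"]}
    if caller["roletype"] not in allowed_roletypes:
        return _deny("role type not permitted", record)
    return True, dict(record, decision="allow")


def audit_line(record):
    # json.dumps escapes control characters, so a caller name cannot forge log lines.
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    print(audit_line(check_console_request(SAMPLE_PAYLOAD)[1]))
```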
* increment cpvm connection logs
* remove sourceIp variable
* increment cpvm connection logs
* extract duplicate error messages to variables
* change logs level from trace to debug in authenticateToVNCServer
* add logs in trace level inside of connection loop
* remove redundant trace log
* add logs to ConsoleProxyNoVNCHandler class
* retrieve client source IP
* add periods to log messages
* change log levels from warn to error inside of catch blocks
* add client IP to successful authentication log
* replace concatenation with String.format()
* remove String.format() and use log4j2 new features instead
* remove String.format() and use log4j2 new features instead
* apply Daan's suggestion
Co-authored-by: dahn <daan.hoogland@gmail.com>
* resolve conflicts
* fix logs with three parameters
* get correct client IP
* use log4j dependencies directly
* apply winterhazel's suggestion
Co-authored-by: Fabricio Duarte <fabricio.duarte.jr@gmail.com>
* remove log proxy
* address winterhazel's suggestions on ConsoleProxyNoVncClient class
* address winterhazel's suggestions on ConsoleProxyNoVNCHandler class
* address winterhazel's suggestions on ConsoleProxyNoVNCHandler class
Co-authored-by: Fabricio Duarte <fabricio.duarte.jr@gmail.com>
---------
Co-authored-by: dahn <daan.hoogland@gmail.com>
Co-authored-by: Fabricio Duarte <fabricio.duarte.jr@gmail.com>
This PR allows securing the console access through CloudStack to the virtual machines running on KVM. The secure access is achieved through the generated certificates for the CA Framework in CloudStack, which provides mutual TLS connections between agents. These certificates are also used to secure the connection between the console proxies and the VNC ports for VM console access.
This feature is only supported on the KVM hypervisor.
Design Document: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VNC+connection+using+the+CA+framework
This PR creates a new API, createConsoleAccess, to create a VM console URL, allowing it to connect using other UI implementations. To avoid replay attacks, the console access is enhanced to use a one-time token per session.
New configuration added:
consoleproxy.extra.security.validation.enabled: Enable/disable extra security validation for console proxy using a token
Documentation PR: apache/cloudstack-documentation#284
* novnc: Add client IP check for novnc console in cloudstack 4.16
* novnc ip check : Fix restart CPVM or mgt server does not update novnc param
* novnc ip check: move to method
Remove maven standard module (which only a few were using) and get rid of maven customization for the projects structure.
- moved all directories to src/main/java, src/main/resources, src/main/scripts, src/test/java, src/test/resources
- grep scan to search for src/com and src/org left over
- grep for <project>/scripts to fix pom.xml configuration
- remove custom <build> configuration in pom.xml
Signed-off-by: Marc-Aurèle Brothier <m@brothier.org>