VNC and SPICE HTML5 consoles


#1

Recently we have added support for HTML5 based VNC and SPICE consoles.

In the current master we support:

  • VNC and SPICE consoles for RHEVM with websocket proxy
  • VNC consoles for VMWare with websocket proxy
  • VNC consoles for OpenStack using OpenStack supplied websocket proxy

All of the above make use of the websocket protocol supported by all recent versions of browsers and also can utilize SSL to encrypt the websocket connection.

In case of OpenStack, please refer to the OpenStack documentation on the topic: http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html. We only make an API call to get the URL for the console and open that console in a web browser.

The following information applies to RHEVM and VMWare consoles.

The websocket connection by default runs over HTTPS or HTTP based on how the application was accessed. Meaning under an appliance you will most likely use HTTPS and therefore the websocket connection will also be wss:// (websocket with SSL). In a developer setup, when accessing the appliance by HTTPS the proxy will run w/o SSL: ws://

Configuration

Under Configure -> Configuration -> [active server] -> Advanced

you can use several options.

All keys below belong under the key server.

Previously used key

    server:
      remote_console_type: mks

valid values: mks or vmrc

This key is currently and previously used to configure what type of browser plugin and console is used to access VMWare consoles.

Configuration of SSL encryption

You can control the encryption of data between proxy process running on the appliance and the browser using SSL:

    server:
      websocket:
        :encrypt: true
        :cert: certs/server.cer
        :key: certs/server.cer.key

the paths are relative to the vmdb/

Encrypt defaults to true for SSL connections and to false for non-SSL connections; however, it can be overridden here. So for example you can access the application using HTTP and yet use wss:// for the websocket proxy.

To make the consoles actually work you need a certificate that is accepted by your browser.

The best way to do this is to buy a certificate from a public CA such as Verisign, Thawte, RapidSSL…

To install certificates into CFME, which is the product based on ManageIQ, you can use this howto: https://access.redhat.com/articles/449033

If you use the default self-signed certificate that is supplied with the appliance you will most likely experience a lot of trouble depending on the browser you use. Generally I would recommend doing that only with Chrome, because both Firefox and IE don’t make it easy to accept a self-signed certificate and most likely the HTML5 console will not work, with an error message being displayed in the JavaScript console.

For testing purposes it’s best to create your own CA.

Here’s a link to generate a CA on Linux:

https://jamielinux.com/articles/2013/08/act-as-your-own-certificate-authority/

Generate a server certificate and sign it by your new CA:

https://jamielinux.com/articles/2013/08/create-and-sign-ssl-certificates-certificate-authority/

Convert the certificate for Windows IE:

    openssl x509 -outform der -in ca.cert.pem -out ca.cert.der

Here’s a link on how to import a CA into IE: http://www.poweradmin.com/help/sslhints/ie.aspx

For Firefox and Chrome the process is pretty straight-forward.

If you insist on testing with the self signed certificate pre-installed in the appliance you can try a trick:

  1. take the wss://xxxx:port url that is logged into the JavaScript console
  2. change wss:// to https:// and open the url
  3. confirm the security exception
  4. reopen the VNC/SPICE console
  5. voila, in Chrome and FF you have the connection between the appliance and browser encrypted by SSL.
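As an added example (not part of the original post), the test-CA procedure above carried out end to end with openssl: a lab CA, a server certificate signed by it, the DER export of the CA for IE, and a verification that the resulting files will actually be accepted by a browser trusting that CA before they are referenced from the server.websocket :cert/:key settings. The hostname and directory are assumptions.

```shell
set -eu

# Build a throwaway test PKI in "$1" for appliance hostname "$2".
make_test_pki() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. Self-signed test CA; short lifetime, this is a lab CA only.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Test Lab CA" \
    -keyout "$dir/ca.key.pem" -out "$dir/ca.cert.pem" 2>/dev/null
  # 2. Server key and CSR for the hostname the browser will connect to.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$host" \
    -keyout "$dir/server.cer.key" -out "$dir/server.csr" 2>/dev/null
  # 3. Sign the CSR with the CA, adding a SAN (browsers ignore CN alone).
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -days 30 -in "$dir/server.csr" \
    -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.cer" 2>/dev/null
  # 4. DER copy of the CA for import into Windows/IE (command from the post).
  openssl x509 -outform der -in "$dir/ca.cert.pem" -out "$dir/ca.cert.der"
}

# Returns 0 when server.cer chains to ca.cert.pem, i.e. a browser that
# trusts the lab CA will accept the wss:// endpoint without an exception.
verify_chain() {
  openssl verify -CAfile "$1/ca.cert.pem" "$1/server.cer" >/dev/null 2>&1
}

# Returns 0 when the private key belongs to the certificate; mismatched
# :cert and :key files are a common cause of a proxy that will not start.
key_matches_cert() {
  c=$(openssl x509 -noout -pubkey -in "$1/server.cer")
  k=$(openssl pkey -pubout -in "$1/server.cer.key")
  [ "$c" = "$k" ]
}
```

Copy server.cer and server.cer.key into vmdb/certs/ on the appliance and import ca.cert.der (IE) or ca.cert.pem (Firefox, Chrome) into the browser.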

#2

For vCenter 5.X+, the gdbserver ruleset has to be enabled on every ESXi host hosting VMs that will be accessed through ManageIQ HTML5 console (or VNC in general).

Steps to setup your ESXi host(s) for ManageIQ HTML5 console access:

Through SSH:

  1. SSH to your ESXi host
  2. #esxcli network firewall ruleset set --ruleset-id gdbserver --enabled true
  3. #esxcli network firewall ruleset list (to confirm that it’s active)

Through vCenter web UI:

  1. Go to your ESXi host
  2. “Manage” tab
  3. “Settings” section
  4. “System > Security Profile” on the left
  5. “Edit” button in the right top
  6. Find the “gdbserver” ruleset, select it and click “OK”

#3

Jan, I guess these settings are needed for whatever VNC implementation the user wants to use. It’s not required specially for the HTML5 consoles. Right?


#4

Right now, the issue seems to be with HTML5 console only. VMRC works just fine without applying the firewall changes mentioned above.


#5

But if you use a “normal” (desktop) VNC client you need those ports open I guess. VMRC might use some proxy.


#6

Yes, Martin, absolutely correct.
Enabled gdbserver ruleset is a requirement for direct VNC access.
Furthermore, the selected VM’s configuration file also has to be altered but that is only necessary for direct VNC; it is not needed for the ManageIQ HTML5 console.


#7

Hello. I used this article to configure the VNC console in the Capablanca appliance (I created my own CA) and I want to add some details:

  1. You should set the SELinux context for the files which Apache will use, for example:
    chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/certificate/file
    chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/key/file
    chcon unconfined_u:object_r:httpd_config_t:s0 /path/to/chain/file
  2. I have to set SSLCertificateChainFile. VNC console doesn’t work without it in the appliance.

#8

This link is dead:

http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html

I’m not sure what the correct one is.


#9

It looks like the equivalent documentation link has been moved to [1]. To configure OpenStack itself for console access you would need [2].

For documentation purposes, the original cited page is available at [3].

[1] https://docs.openstack.org/user-guide/cli-access-instance-through-a-console.html
[2] https://docs.openstack.org/admin-guide/compute-remote-console-access.html
[3] http://web.archive.org/web/20150324021620/http://docs.openstack.org/admin-guide-cloud/content/getting-started-with-vnc-proxy.html