Upgrade notes
^^^^^^^^^^^^^

v1.5
====

Version 1.5 replaced Unix domain control sockets with TCP control sockets. This
change made it necessary to introduce an authentication file to replace the
POSIX file permissions, which protected the domain sockets.

You can configure the vncauthproxy daemon by modifying the Debian default file
(``/etc/default/vncauthproxy``) and more specifically the ``DAEMON_OPTS``
variable. This option (along with the modified ``CHUID`` option) has been added
to the v1.5 default file (which you'll need to 'merge' if you're upgrading from
an older version of snf-vncauthproxy).

The ``DAEMON_OPTS`` variable accepts any valid option you can pass to the
vncauthproxy daemon on the command line. For a detailed listing and information
about the available options, please check the vncauthproxy help output:

.. code-block:: console

    # vncauthproxy --help

The default path for the auth file is ``/var/lib/vncauthproxy/users``
(configurable by the ``--auth-file`` option). Each line in the file represents
one user who is allowed to use the control socket and should be in the
following format:

.. code-block:: console

    username:$6$salt$hash

The password part of the line (after the colon) is the output of crypt(), using
a random 16-char salt with SHA-512.
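
A lint for the entry format described above, as an added example that is not part of snf-vncauthproxy. It assumes blank lines are ignored and that the file should not be accessible beyond its owner and group; ``lint_auth_lines`` and ``mode_problems`` are names chosen here.

```python
import re
import stat

# SHA-512 crypt: $6$[rounds=N$]salt$hash, salt and hash drawn from
# [./0-9A-Za-z]; the hash part is always 86 characters.
ENTRY = re.compile(
    r"^(?P<user>[^:\s]+):\$6\$(?:rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]*)\$(?P<hash>[./0-9A-Za-z]*)$")

def lint_auth_lines(lines):
    """Return (line_number, problem) tuples for an auth file's lines."""
    problems, seen = [], set()
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line.strip():  # assumption: blank lines are harmless
            continue
        m = ENTRY.match(line)
        if m is None:
            problems.append((n, "not in username:$6$salt$hash format"))
            continue
        if len(m["salt"]) != 16:
            problems.append((n, "salt is %d chars, expected 16" % len(m["salt"])))
        if len(m["hash"]) != 86:
            problems.append((n, "hash is %d chars, expected 86" % len(m["hash"])))
        if m["user"] in seen:
            problems.append((n, "duplicate user %r" % m["user"]))
        seen.add(m["user"])
    return problems

def mode_problems(st_mode):
    """Flag auth file modes open beyond owner/group (policy assumed here)."""
    checks = ((stat.S_IROTH, "world-readable"),
              (stat.S_IWOTH, "world-writable"),
              (stat.S_IWGRP, "group-writable"))
    return [name for bit, name in checks if st_mode & bit]

# Constructed sample entries (not real credentials).
SAMPLE = [
    "alice:$6$" + "a" * 16 + "$" + "h" * 86,
    "bob:$1$" + "b" * 8 + "$" + "h" * 22,      # MD5-crypt, not SHA-512
    "carol:$6$short$" + "h" * 86,              # 5-char salt
    "alice:$6$" + "c" * 16 + "$" + "h" * 86,   # duplicate user
    "dave:plaintext",
]

if __name__ == "__main__":
    for n, problem in lint_auth_lines(SAMPLE):
        print("line %d: %s" % (n, problem))
    print(mode_problems(0o100644))
```

To check a real file, pass ``open(path)`` to ``lint_auth_lines`` and ``os.stat(path).st_mode`` to ``mode_problems``.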

To manage the authentication file, you can use the vncauthproxy-passwd tool
to easily add, update and delete users.

To add a user:

.. code-block:: console

    # vncauthproxy-passwd /var/lib/vncauthproxy/users user

You will be prompted for a password.

To delete a user:

.. code-block:: console

    # vncauthproxy-passwd -D /var/lib/vncauthproxy/users user

See the help output of the tool for more options:

.. code-block:: console

    # vncauthproxy-passwd -h

.. warning:: The vncauthproxy daemon requires a restart for the changes in the
    authentication file to take effect.

.. warning:: After installing snf-vncauthproxy for the first time, make sure
    that you create a valid authentication file and define any users needed. The
    vncauthproxy daemon will start but will not be usable if no users are defined
    or if no authentication file is present.

Version 1.5 also introduced support for SSL for the control socket. If you
enable SSL support (``--enable-ssl`` parameter, disabled by default) you will
have to provide a certificate and key file (``--cert-file`` and ``--key-file``
parameters). The default values for certificate and key files are
``/var/lib/vncauthproxy/{cert,key}.pem`` respectively.

If you're using snf-vncauthproxy with Synnefo, you should make sure to edit the
``CYCLADES_VNCAUTHPROXY_OPTS`` dict in
``/etc/synnefo/20-snf-cyclades-app-api.conf`` to match the
snf-vncauthproxy configuration (user, password, SSL support, certificate file).
You should also make sure that the node running snf-cyclades-app can connect to
snf-vncauthproxy's control socket address / port (the suggested deployment,
running snf-vncauthproxy on the same host as snf-cyclades-app, should work with
the defaults of snf-vncauthproxy, with the exception of the authentication
file).

Finally, snf-vncauthproxy now adds a user and group (``vncauthproxy``) to be
used by the vncauthproxy daemon. As a result the ``CHUID`` option in the Debian
default file (``/etc/default/vncauthproxy``) has changed accordingly. Although
it is recommended to run vncauthproxy with the predefined user and group, it's
not mandatory.