root / docs / index.rst @ 7b67c026
History | View | Annotate | Download (7.7 kB)
1 |
.. snf-vncauthproxy documentation master file, created by |
---|---|
2 |
sphinx-quickstart on Thu Nov 14 20:47:22 2013. |
3 |
You can adapt this file completely to your liking, but it should at least |
4 |
contain the root `toctree` directive. |
5 |
|
6 |
snf-vncauthproxy's documentation |
7 |
******************************** |
8 |
|
9 |
snf-vncauthproxy is a daemon, which acts as a VNC authentication proxy between |
10 |
a VNC client and server. |
11 |
|
12 |
snf-vncauthproxy daemon listens on a TCP socket for control messages and sets |
13 |
up one-time port forwardings upon request. |
14 |
|
15 |
Main features include: |
16 |
* Lightweight, coroutine-based main loop with gevent |
17 |
* Supports RFB protocol version 3.8 |
18 |
* IPv4 and IPv6 support |
19 |
* Configurable timeout for client connections |
20 |
|
21 |
Its main use is to enable VNC clients to connect to firewalled VNC servers. |
22 |
|
23 |
It is used by `Synnefo <https://code.grnet.gr/projects/synnefo>`_ to provide |
24 |
users with (VNC) console access to their VMs. |
25 |
|
26 |
Installation |
27 |
^^^^^^^^^^^^ |
28 |
|
29 |
snf-vncauthproxy is currently packaged only for Debian (stable). |
30 |
|
31 |
You can find and install the latest version snf-vncauthproxy at Synnefo's apt |
32 |
repository: |
33 |
|
34 |
| ``http://apt.dev.grnet.gr {release}`` |
35 |
|
36 |
To import the GPG key of the repo, use: |
37 |
|
38 |
| ``curl https://dev.grnet.gr/files/apt-grnetdev.pub | apt-key add -`` |
39 |
|
40 |
In case you're upgrading from an older snf-vncauthproxy version or it's the |
41 |
first time you're installing snf-vncauthproxy, you should create a vncauthproxy |
42 |
user, in order to have a functional vncauthproxy installation (see below for |
43 |
more information on user management). |
44 |
|
45 |
Overview |
46 |
^^^^^^^^ |
47 |
|
48 |
snf-vncauthproxy listens on a TCP socket for control (JSON) messages from |
49 |
clients. The format of the control messages is: |
50 |
|
51 |
.. code-block:: console |
52 |
|
53 |
Control request, in JSON: |
54 |
{ |
55 |
"source_port": |
56 |
<source port or 0 for automatic allocation>, |
57 |
"destination_address": |
58 |
<destination address of backend server>, |
59 |
"destination_port": |
60 |
<destination port> |
61 |
"password": |
62 |
<the password to use to authenticate clients> |
63 |
"auth_user": |
64 |
<user for control connection authentication>, |
65 |
"auth_password": |
66 |
<password for control connection authentication>, |
67 |
} |
68 |
|
69 |
The <password> is used for MITM authentication of clients |
70 |
connecting to <source_port>, who will subsequently be |
71 |
forwarded to a VNC server listening at |
72 |
<destination_address>:<destination_port> |
73 |
|
74 |
Control reply, in JSON: |
75 |
{ |
76 |
"source_port": <the allocated source port> |
77 |
"status": <one of "OK" or "FAILED"> |
78 |
} |
79 |
|
80 |
snf-vncauthproxy will then spawn a greenlet to handle the incoming control |
81 |
message, establish the connection with the server (RFB handshake) and set up a |
82 |
listening socket for the client to connect (with a configurable timeout). |
83 |
|
84 |
When the client connects, the greenlet will proxy the traffic between the |
85 |
client and server (reading and writing to the client and server socket when |
86 |
needed). |
87 |
|
88 |
The handling of control connections, client connections and the actual proxying |
89 |
is implemented using `gevent <http://www.gevent.org/>`_ and greenlets. |
90 |
|
91 |
Usage |
92 |
^^^^^ |
93 |
|
94 |
The snf-vncauthproxy daemon can be either run manually or managed via its init |
95 |
script. |
96 |
|
97 |
If you're using the init script, snf-vncauthproxy reads its options from its |
98 |
default file (``DAEMON_OPTS`` parameter in ``/etc/default/vncauthproxy``). |
99 |
Refer to the vncauthproxy help output for a detailed listing and information |
100 |
on all available options: |
101 |
|
102 |
.. code-block:: console |
103 |
|
104 |
# vncauthproxy --help |
105 |
|
106 |
By default snf-vncauthproxy will listen to ``127.0.0.1:24999`` TCP, for |
107 |
incoming control connections and uses the ``25000-30000`` range for the |
108 |
listening / data sockets. |
109 |
|
110 |
Version 1.5 replaced Unix domain control sockets with TCP control sockets. This |
111 |
change made it necessary to introduce an authentication file to replace the |
112 |
POSIX file permissions, which protected the domain sockets. |
113 |
|
114 |
The default path for the auth file is ``/var/lib/vncauthproxy/users`` |
115 |
(configurable by the ``--auth-file`` option). Each line in the file represents |
116 |
one user which is allowed to use the control socket and should be in the |
117 |
following format: |
118 |
|
119 |
.. code-block:: console |
120 |
|
121 |
username:$6$salt$hash |
122 |
|
123 |
The password part of the line (after the colon) is the output of crypt(), using |
124 |
a random 16-char salt with SHA-512. |
125 |
|
126 |
To manage the authentication file, you can use the vncauthproxy-passwd tool, |
127 |
to easily add, update and delete users: |
128 |
|
129 |
To add a user: |
130 |
|
131 |
.. code-block:: console |
132 |
|
133 |
# vncauthproxy-passwd /var/lib/vncauthproxy/users user |
134 |
|
135 |
You will be prompted for a password. |
136 |
|
137 |
To delete a user: |
138 |
|
139 |
.. code-block:: console |
140 |
|
141 |
# vncauthproxy-passwd -D /var/lib/vncauthproxy/users user |
142 |
|
143 |
See the help output of the tool for more options: |
144 |
|
145 |
.. code-block:: console |
146 |
|
147 |
# vncauthproxy-passwd -h |
148 |
|
149 |
.. warning:: The vncauthproxy daemon requires a restart for the changes in the |
150 |
authentication file to take effect. |
151 |
|
152 |
.. warning:: After installing snf-vncauthproxy for the fist time, make sure |
153 |
that you create a valid authentication file and define any users needed. The |
154 |
vncauthproxy daemon will start but will not be usable if no users are defined |
155 |
or if no authentication file is present. |
156 |
|
157 |
Version 1.5 introduced also support for SSL for the control socket. If you |
158 |
enable SSL support (``--enable-ssl`` parameter, disabled by default) you wil |
159 |
have to provide a certficate and key file (``--cert-file`` and ``--key-file`` |
160 |
parameters). The default values for certificate and key files are |
161 |
``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively. |
162 |
|
163 |
For detailed help on its configuration parameters, either consult its man page |
164 |
or run: |
165 |
|
166 |
| ``snf-vncauthproxy --help`` |
167 |
|
168 |
on the command line. |
169 |
|
170 |
snf-vncauthproxy also provides a client which can be used to test from the |
171 |
command line that snf-vncauhtproxy has been deployed correctly. It also |
172 |
provides a method (``request_forwarding``) which can be used fron any Python |
173 |
programm to request forwarding from the snf-vncauthproxy daemon. |
174 |
|
175 |
See the client's usage / help output and the method's signature for more |
176 |
information on how to use the them |
177 |
|
178 |
Usage with Synnefo |
179 |
================== |
180 |
|
181 |
Synnefo (snf-cyclades-app) uses snf-vncauthproxy to provide users (VNC) console |
182 |
access to their VMs. |
183 |
|
184 |
Synnefo uses `Ganeti <https://code.google.com/p/ganeti/>`_ and KVM for the |
185 |
cluster and VM management. In the common case the Ganeti nodes, running the KVM |
186 |
instances are firewalled, and only the Cyclades (Compute) app server |
187 |
(snf-cyclades-app) is publicly accessible. In order for users to be able to |
188 |
access the VNC console /server (spawned by the KVM instances on the Ganeti |
189 |
nodes), snf-cyclades-app uses snf-vncauthproxy to allow users to connect to the |
190 |
VNC servers and access the VNC consoles of their VMs. |
191 |
|
192 |
If you're running snf-vncauthproxy on the same host as snf-cyclades-app, |
193 |
you will only need to configure one Synnefo setting. Specifically, |
194 |
the ``CYCLADES_VNCAUTHPROXY_OPTS`` dict in |
195 |
``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match |
196 |
snf-vncauthproxy configuration (user, password, SSL support, certificate file). |
197 |
|
198 |
In case you want to deploy snf-vncauthproxy on a different host than |
199 |
snf-cyclades-app, you should make sure that you change the default listening |
200 |
address (and / or port) for snf-vncauthproxy and make sure that |
201 |
snf-cyclades-app can connect to the snf-vncauthproxy on the listening address / |
202 |
port. It's also recommended to enable SSL on the control socket in that case. |
203 |
|
204 |
Changelog |
205 |
^^^^^^^^^ |
206 |
|
207 |
* v1.5 :ref:`Changelog <Changelog-1.5>` |
208 |
|
209 |
Upgrade notes |
210 |
^^^^^^^^^^^^^ |
211 |
|
212 |
.. toctree:: |
213 |
:maxdepth: 1 |
214 |
|
215 |
v1.4 -> v1.5 <upgrade/upgrade-1.5.rst> |
216 |
|
217 |
Contact |
218 |
^^^^^^^ |
219 |
|
220 |
For questions or bug reports you can contact the Synnefo team at the following |
221 |
mailing lists: |
222 |
|
223 |
* Users list: synnefo@googlegroups.com |
224 |
* Developers list: synnefo-devel@googlegroups.com |
225 |
|
226 |
License |
227 |
^^^^^^^ |
228 |
|
229 |
snf-vncauthproxy is licensed under GNU Generic Public License version 2 |
230 |
(GPLv2), please see LICENSE for the full text. |