You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cloudstack.apache.org by Wei ZHOU <us...@gmail.com> on 2019/04/04 08:04:24 UTC
CloudStack NoVNC solution in Leaseweb
Hello CloudStack developers and users,
We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .
Here are some technical details:
(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.
Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.
If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .
Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.
Kind regards,
Wei Zhou
Principal Cloud Engineer
LEASEWEB
Re: CloudStack NoVNC solution in Leaseweb
Posted by Wei ZHOU <us...@gmail.com>.
Hi Fariborz,
It is good to know you are interested.
We will create a pull request for 4.11.2 LTS in the next weeks.
-Wei
Fariborz Navidan <md...@gmail.com> 于2019年4月4日周四 上午10:29写道:
> Hello,
>
> It's a great and valuable job because we have already observed that noVNC
> integrated into control panels such as Virtualizor has great speed and
> efficiency in comparison with CloudStack's native console proxy
> implementation. Especially noVNC is more comfortable when user is on on a
> low speed or high latency internet connection.
>
> We were looking forward to investigate current CPVM and try to integrate
> noVNC. It's pleasure to us that this has already been implemented and hope
> we can take advantage of it in near future.
>
> Best regards
>
> On Thu, Apr 4, 2019 at 12:34 PM Wei ZHOU <us...@gmail.com> wrote:
>
> > Hello CloudStack developers and users,
> >
> > We (as leaseweb) would like to share our NoVNC solution on our cloudstack
> > platforms with the CloudStack community . The feature was implemented in
> > 2012 and we have made some changes since that. We have used it for more
> > than 7 years and it is very stable.
> >
> > Unlike the pull request submitted by sachinnitw1317 (
> > https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
> > novnc as the front end (different from the cloudstack) and the java
> > websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
> > modified novnc and websockify to launch a websockify proxy in cpvm .
> >
> > Here are some technical details:
> >
> > (1) We use two open source projects: noVNC (
> https://github.com/novnc/noVNC
> > , 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
> > (2) We modified websockify so we can launch it without the target
> > server/port and token.
> > (3) We reuse the 'path' in novnc and websockify to pass some necessary vm
> > informations from cloudstack to novnc and websockify. path is encrypted
> in
> > cpvm / java, which contains target server,target port, vnc password,
> client
> > ip and timestamp. When a new client comes, websockify will decrypt 'path'
> > to get the vm informations above, and check if the client ip matches and
> > the timestamp has not expired.
> > (4) We moved the server/client initialization from novnc(js) to
> > websockify(python). When a new client comes, websockify will create a
> > websocket connection to the target server and port ,then check the
> protocol
> > version and authentication scheme, use the password in step (3) in vnc
> > authentication .
> > (5) Add a global setting in cloudstack for encryption in java and
> > decryption in websockify.
> >
> > Compared to the cloudstack native console (ajax/java websocket proxy) and
> > the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
> > believe that the novnc console based on websockifty (written in python)
> is
> > more efficient than the consoles based on java websocket proxy.
> >
> > If you have any questions or concerns, please feel free to ask. If nobody
> > objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
> > pull request on cloudstack github, so everyone who is interested can
> merge
> > and build it in his/her fork and test it .
> >
> > Considering that novnc and websockify are both open source projects, and
> we
> > also use some open source code (such as in pyDes.py VNC password
> > authentication) , it would be appreciated if anyone can help us on
> software
> > licensing issues.
> >
> >
> > Kind regards,
> >
> > Wei Zhou
> > Principal Cloud Engineer
> > LEASEWEB
> >
>
Re: CloudStack NoVNC solution in Leaseweb
Posted by Fariborz Navidan <md...@gmail.com>.
Hello,
It's a great and valuable job because we have already observed that noVNC
integrated into control panels such as Virtualizor has great speed and
efficiency in comparison with CloudStack's native console proxy
implementation. Especially noVNC is more comfortable when user is on on a
low speed or high latency internet connection.
We were looking forward to investigate current CPVM and try to integrate
noVNC. It's pleasure to us that this has already been implemented and hope
we can take advantage of it in near future.
Best regards
On Thu, Apr 4, 2019 at 12:34 PM Wei ZHOU <us...@gmail.com> wrote:
> Hello CloudStack developers and users,
>
> We (as leaseweb) would like to share our NoVNC solution on our cloudstack
> platforms with the CloudStack community . The feature was implemented in
> 2012 and we have made some changes since that. We have used it for more
> than 7 years and it is very stable.
>
> Unlike the pull request submitted by sachinnitw1317 (
> https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
> novnc as the front end (different from the cloudstack) and the java
> websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
> modified novnc and websockify to launch a websockify proxy in cpvm .
>
> Here are some technical details:
>
> (1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
> , 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
> (2) We modified websockify so we can launch it without the target
> server/port and token.
> (3) We reuse the 'path' in novnc and websockify to pass some necessary vm
> informations from cloudstack to novnc and websockify. path is encrypted in
> cpvm / java, which contains target server,target port, vnc password, client
> ip and timestamp. When a new client comes, websockify will decrypt 'path'
> to get the vm informations above, and check if the client ip matches and
> the timestamp has not expired.
> (4) We moved the server/client initialization from novnc(js) to
> websockify(python). When a new client comes, websockify will create a
> websocket connection to the target server and port ,then check the protocol
> version and authentication scheme, use the password in step (3) in vnc
> authentication .
> (5) Add a global setting in cloudstack for encryption in java and
> decryption in websockify.
>
> Compared to the cloudstack native console (ajax/java websocket proxy) and
> the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
> believe that the novnc console based on websockifty (written in python) is
> more efficient than the consoles based on java websocket proxy.
>
> If you have any questions or concerns, please feel free to ask. If nobody
> objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
> pull request on cloudstack github, so everyone who is interested can merge
> and build it in his/her fork and test it .
>
> Considering that novnc and websockify are both open source projects, and we
> also use some open source code (such as in pyDes.py VNC password
> authentication) , it would be appreciated if anyone can help us on software
> licensing issues.
>
>
> Kind regards,
>
> Wei Zhou
> Principal Cloud Engineer
> LEASEWEB
>
Re: CloudStack NoVNC solution in Leaseweb
Posted by Sven Vogel <S....@ewerk.com>.
Hi Wei Zhou,
That would be great.
Thanks for that!
Greetings
Sven
__
Sven Vogel
Teamlead Platform
EWERK RZ GmbH
Br?hl 24, D-04109 Leipzig
P +49 341 42649 - 11
F +49 341 42649 - 18
S.Vogel@ewerk.com
www.ewerk.com
Gesch?ftsf?hrer:
Dr. Erik Wende, Hendrik Schubert, Frank Richter, Gerhard Hoyer
Registergericht: Leipzig HRB 17023
Zertifiziert nach:
ISO/IEC 27001:2013
DIN EN ISO 9001:2015
DIN ISO/IEC 20000-1:2011
EWERK-Blog<https://blog.ewerk.com/> | LinkedIn<https://www.linkedin.com/company/ewerk-group> | Xing<https://www.xing.com/company/ewerk> | Twitter<https://twitter.com/EWERK_Group> | Facebook<https://de-de.facebook.com/EWERK.IT/>
Ausk?nfte und Angebote per Mail sind freibleibend und unverbindlich.
Disclaimer Privacy:
Der Inhalt dieser E-Mail (einschlie?lich etwaiger beigef?gter Dateien) ist vertraulich und nur f?r den Empf?nger bestimmt. Sollten Sie nicht der bestimmungsgem??e Empf?nger sein, ist Ihnen jegliche Offenlegung, Vervielf?ltigung, Weitergabe oder Nutzung des Inhalts untersagt. Bitte informieren Sie in diesem Fall unverz?glich den Absender und l?schen Sie die E-Mail (einschlie?lich etwaiger beigef?gter Dateien) von Ihrem System. Vielen Dank.
The contents of this e-mail (including any attachments) are confidential and may be legally privileged. If you are not the intended recipient of this e-mail, any disclosure, copying, distribution or use of its contents is strictly prohibited, and you should please notify the sender immediately and then delete it (including any attachments) from your system. Thank you.
Am 04.04.2019 um 13:06 schrieb Rohit Yadav <ro...@shapeblue.com>>:
012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Re: CloudStack NoVNC solution in Leaseweb
Posted by Sven Vogel <S....@ewerk.com>.
Hi Wei Zhou,
That would be great.
Thanks for that!
Greetings
Sven
__
Sven Vogel
Teamlead Platform
EWERK RZ GmbH
Br?hl 24, D-04109 Leipzig
P +49 341 42649 - 11
F +49 341 42649 - 18
S.Vogel@ewerk.com
www.ewerk.com
Gesch?ftsf?hrer:
Dr. Erik Wende, Hendrik Schubert, Frank Richter, Gerhard Hoyer
Registergericht: Leipzig HRB 17023
Zertifiziert nach:
ISO/IEC 27001:2013
DIN EN ISO 9001:2015
DIN ISO/IEC 20000-1:2011
EWERK-Blog<https://blog.ewerk.com/> | LinkedIn<https://www.linkedin.com/company/ewerk-group> | Xing<https://www.xing.com/company/ewerk> | Twitter<https://twitter.com/EWERK_Group> | Facebook<https://de-de.facebook.com/EWERK.IT/>
Ausk?nfte und Angebote per Mail sind freibleibend und unverbindlich.
Disclaimer Privacy:
Der Inhalt dieser E-Mail (einschlie?lich etwaiger beigef?gter Dateien) ist vertraulich und nur f?r den Empf?nger bestimmt. Sollten Sie nicht der bestimmungsgem??e Empf?nger sein, ist Ihnen jegliche Offenlegung, Vervielf?ltigung, Weitergabe oder Nutzung des Inhalts untersagt. Bitte informieren Sie in diesem Fall unverz?glich den Absender und l?schen Sie die E-Mail (einschlie?lich etwaiger beigef?gter Dateien) von Ihrem System. Vielen Dank.
The contents of this e-mail (including any attachments) are confidential and may be legally privileged. If you are not the intended recipient of this e-mail, any disclosure, copying, distribution or use of its contents is strictly prohibited, and you should please notify the sender immediately and then delete it (including any attachments) from your system. Thank you.
Am 04.04.2019 um 13:06 schrieb Rohit Yadav <ro...@shapeblue.com>>:
012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Re: CloudStack NoVNC solution in Leaseweb
Posted by Rohit Yadav <ro...@shapeblue.com>.
Great, thanks Wei. Looking forward to your PR.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
________________________________
From: Wei Zhou <w....@global.leaseweb.com>
Sent: Thursday, April 4, 2019 3:20:13 PM
To: Rohit Yadav; dev@cloudstack.apache.org; users@cloudstack.apache.org
Subject: RE: CloudStack NoVNC solution in Leaseweb
Hi Rohit,
There are lots of changes between noVNC 1.0.0 and stable/0.6. Our codes is not compatible with noVNC 1.0.0. We can submit two pull requests, one with novnc stable/0.6 to cloudstack 4.11.2 LTS so 4.11.2 users can test it, another one with novnc 1.0.0 to cloudstack 4.13.
When CPVM starts and connects to management server, mgt server will send the cert/key to CPVM so CPVM saves them to local files, websockify proxy server is launched with the cert/key files.
The novnc console url is generated by cloudstack so session check is same as current cloudstack console. The url times out after 5 minutes and only the ip to cloudstack can access the url. I think there is no security issue with this part. The key used for 'path' encryption and decryption is sent from mgt server to CPVM and saved in websockify proxy as plain text, that might be a potential security issue. We use AES/rijndael to encrypt/decrypt the 'path' and DES in vnc password authentication, which should be secure.
We have tested PR 2204, we think python-based websockify is more stable and efficient than java-based websocket proxy. We did not test C-based websockify so I cannot say which one is better.
Thanks a lot for the information you provided.
Kind regards,
Wei Zhou
Principal Cloud Engineer
Leaseweb Global B.V.
[cid:image878037.png@B351532D.3F4F059A] +31 20 316 0230<tel:+31%2020%20316%200230>
[cid:image878221.png@7A321129.163EE812] +31 6 1585 5099<tel:+31%206%201585%205099>
[cid:image661172.png@8CEF6C15.C2EE41B6] w.zhou@global.leaseweb.com<ma...@global.leaseweb.com>
[cid:image139378.png@A9FBC6D6.EBC749A7] www.leaseweb.com<https://www.leaseweb.com/>
[cid:image530862.png@A44EFC4A.18FE2535]
[cid:image925709.png@0BE69682.191C9591]
Luttenbergweg 8 , 1101 EC Amsterdam , Netherlands
[Facebook]<http://www.facebook.com/leaseweb>
[LinkedIn]<https://www.linkedin.com/company/leaseweb/>
[Twitter]<http://www.twitter.com/leaseweb>
Leaseweb is the brand name under which the various independent Leaseweb companies operate. Each company is a separate and distinct entity that provides services in a particular geographic area. Leaseweb Global B.V. does not provide third-party services. Please see www.leaseweb.com/en/legal for more information.
From: Rohit Yadav <ro...@shapeblue.com>
Sent: donderdag 4 april 2019 11:09
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; Wei Zhou <w....@global.leaseweb.com>
Subject: Re: CloudStack NoVNC solution in Leaseweb
Hi Wei,
Great to hear from you on this. Yes, it been a long time on the previous noVNC integration attempt by our GSoC student. The 4.11 branch is LTS and cannot accept new features, please use master (4.13) for the PR you'll submit. I can help with reviewing and testing.
The noVNC project has moved to 1.0.0 stable (https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? Does your implementation also support secured websocket (using a tls certificate)?
To keep things turn-key, does it make sense to use C-based websockify or write our own Java based implementation that is in-built in the console proxy agent? I would prefer to reuse the java agent otherwise session/IP based authentication without checking with cloudstack may lead to some security issue.
Licensing:
We can ask for experts on the list and on asf-legal for advice but in my opinion we only need to ensure that the new licenses of the packages wrt the feature are compatible with Apache 2.0, largely allows redistributing (via systemvm.iso or a via new systemvmtemplate) with modifications:
1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL,
BSD and MIT)
0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, BSD, LGPL 3.0, Apache 2.0, MIT)
The main license is MPL and I think it allows for that: https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
Other references:
https://tldrlegal.com/license/bsd-3-clause-license-(revised)
https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)
https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
https://tldrlegal.com/license/mit-license
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
rohit.yadav@shapeblue.com<ma...@shapeblue.com>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue
________________________________
From: Wei ZHOU <us...@gmail.com>>
Sent: Thursday, April 4, 2019 1:34:24 PM
To: dev@cloudstack.apache.org<ma...@cloudstack.apache.org>; users@cloudstack.apache.org<ma...@cloudstack.apache.org>; w.zhou@global.leaseweb.com<ma...@global.leaseweb.com>
Subject: CloudStack NoVNC solution in Leaseweb
Hello CloudStack developers and users,
We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .
Here are some technical details:
(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.
Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.
If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .
Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.
Kind regards,
Wei Zhou
Principal Cloud Engineer
LEASEWEB
rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DPUK
@shapeblue
Re: CloudStack NoVNC solution in Leaseweb
Posted by Rohit Yadav <ro...@shapeblue.com>.
Great, thanks Wei. Looking forward to your PR.
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
________________________________
From: Wei Zhou <w....@global.leaseweb.com>
Sent: Thursday, April 4, 2019 3:20:13 PM
To: Rohit Yadav; dev@cloudstack.apache.org; users@cloudstack.apache.org
Subject: RE: CloudStack NoVNC solution in Leaseweb
Hi Rohit,
There are lots of changes between noVNC 1.0.0 and stable/0.6. Our codes is not compatible with noVNC 1.0.0. We can submit two pull requests, one with novnc stable/0.6 to cloudstack 4.11.2 LTS so 4.11.2 users can test it, another one with novnc 1.0.0 to cloudstack 4.13.
When CPVM starts and connects to management server, mgt server will send the cert/key to CPVM so CPVM saves them to local files, websockify proxy server is launched with the cert/key files.
The novnc console url is generated by cloudstack so session check is same as current cloudstack console. The url times out after 5 minutes and only the ip to cloudstack can access the url. I think there is no security issue with this part. The key used for 'path' encryption and decryption is sent from mgt server to CPVM and saved in websockify proxy as plain text, that might be a potential security issue. We use AES/rijndael to encrypt/decrypt the 'path' and DES in vnc password authentication, which should be secure.
We have tested PR 2204, we think python-based websockify is more stable and efficient than java-based websocket proxy. We did not test C-based websockify so I cannot say which one is better.
Thanks a lot for the information you provided.
Kind regards,
Wei Zhou
Principal Cloud Engineer
Leaseweb Global B.V.
[cid:image878037.png@B351532D.3F4F059A] +31 20 316 0230<tel:+31%2020%20316%200230>
[cid:image878221.png@7A321129.163EE812] +31 6 1585 5099<tel:+31%206%201585%205099>
[cid:image661172.png@8CEF6C15.C2EE41B6] w.zhou@global.leaseweb.com<ma...@global.leaseweb.com>
[cid:image139378.png@A9FBC6D6.EBC749A7] www.leaseweb.com<https://www.leaseweb.com/>
[cid:image530862.png@A44EFC4A.18FE2535]
[cid:image925709.png@0BE69682.191C9591]
Luttenbergweg 8 , 1101 EC Amsterdam , Netherlands
[Facebook]<http://www.facebook.com/leaseweb>
[LinkedIn]<https://www.linkedin.com/company/leaseweb/>
[Twitter]<http://www.twitter.com/leaseweb>
Leaseweb is the brand name under which the various independent Leaseweb companies operate. Each company is a separate and distinct entity that provides services in a particular geographic area. Leaseweb Global B.V. does not provide third-party services. Please see www.leaseweb.com/en/legal for more information.
From: Rohit Yadav <ro...@shapeblue.com>
Sent: donderdag 4 april 2019 11:09
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; Wei Zhou <w....@global.leaseweb.com>
Subject: Re: CloudStack NoVNC solution in Leaseweb
Hi Wei,
Great to hear from you on this. Yes, it been a long time on the previous noVNC integration attempt by our GSoC student. The 4.11 branch is LTS and cannot accept new features, please use master (4.13) for the PR you'll submit. I can help with reviewing and testing.
The noVNC project has moved to 1.0.0 stable (https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? Does your implementation also support secured websocket (using a tls certificate)?
To keep things turn-key, does it make sense to use C-based websockify or write our own Java based implementation that is in-built in the console proxy agent? I would prefer to reuse the java agent otherwise session/IP based authentication without checking with cloudstack may lead to some security issue.
Licensing:
We can ask for experts on the list and on asf-legal for advice but in my opinion we only need to ensure that the new licenses of the packages wrt the feature are compatible with Apache 2.0, largely allows redistributing (via systemvm.iso or a via new systemvmtemplate) with modifications:
1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL,
BSD and MIT)
0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, BSD, LGPL 3.0, Apache 2.0, MIT)
The main license is MPL and I think it allows for that: https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
Other references:
https://tldrlegal.com/license/bsd-3-clause-license-(revised)
https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)
https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
https://tldrlegal.com/license/mit-license
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
rohit.yadav@shapeblue.com<ma...@shapeblue.com>
www.shapeblue.com<http://www.shapeblue.com>
@shapeblue
________________________________
From: Wei ZHOU <us...@gmail.com>>
Sent: Thursday, April 4, 2019 1:34:24 PM
To: dev@cloudstack.apache.org<ma...@cloudstack.apache.org>; users@cloudstack.apache.org<ma...@cloudstack.apache.org>; w.zhou@global.leaseweb.com<ma...@global.leaseweb.com>
Subject: CloudStack NoVNC solution in Leaseweb
Hello CloudStack developers and users,
We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .
Here are some technical details:
(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.
Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.
If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .
Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.
Kind regards,
Wei Zhou
Principal Cloud Engineer
LEASEWEB
rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DPUK
@shapeblue
Re: CloudStack NoVNC solution in Leaseweb
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Wei,
Great to hear from you on this. Yes, it been a long time on the previous noVNC integration attempt by our GSoC student. The 4.11 branch is LTS and cannot accept new features, please use master (4.13) for the PR you'll submit. I can help with reviewing and testing.
The noVNC project has moved to 1.0.0 stable (https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? Does your implementation also support secured websocket (using a tls certificate)?
To keep things turn-key, does it make sense to use C-based websockify or write our own Java based implementation that is in-built in the console proxy agent? I would prefer to reuse the java agent otherwise session/IP based authentication without checking with cloudstack may lead to some security issue.
Licensing:
We can ask for experts on the list and on asf-legal for advice but in my opinion we only need to ensure that the new licenses of the packages wrt the feature are compatible with Apache 2.0, largely allows redistributing (via systemvm.iso or a via new systemvmtemplate) with modifications:
1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL, BSD and MIT)
0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, BSD, LGPL 3.0, Apache 2.0, MIT)
The main license is MPL and I think it allows for that: https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
Other references:
https://tldrlegal.com/license/bsd-3-clause-license-(revised)
https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)
https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
https://tldrlegal.com/license/mit-license
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
________________________________
From: Wei ZHOU <us...@gmail.com>
Sent: Thursday, April 4, 2019 1:34:24 PM
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; w.zhou@global.leaseweb.com
Subject: CloudStack NoVNC solution in Leaseweb
Hello CloudStack developers and users,
We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .
Here are some technical details:
(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.
Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.
If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .
Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.
Kind regards,
Wei Zhou
Principal Cloud Engineer
LEASEWEB
rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DPUK
@shapeblue
Re: CloudStack NoVNC solution in Leaseweb
Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi Wei,
Great to hear from you on this. Yes, it been a long time on the previous noVNC integration attempt by our GSoC student. The 4.11 branch is LTS and cannot accept new features, please use master (4.13) for the PR you'll submit. I can help with reviewing and testing.
The noVNC project has moved to 1.0.0 stable (https://github.com/novnc/noVNC/releases/tag/v1.0.0), do you think it would be difficult to adapt the stable 1.0.0 version and not use the old 0.6.2 release? Does your implementation also support secured websocket (using a tls certificate)?
To keep things turn-key, does it make sense to use C-based websockify or write our own Java based implementation that is in-built in the console proxy agent? I would prefer to reuse the java agent otherwise session/IP based authentication without checking with cloudstack may lead to some security issue.
Licensing:
We can ask for experts on the list and on asf-legal for advice but in my opinion we only need to ensure that the new licenses of the packages wrt the feature are compatible with Apache 2.0, largely allows redistributing (via systemvm.iso or a via new systemvmtemplate) with modifications:
1.0.0 license:https://github.com/novnc/noVNC/blob/v1.0.0/LICENSE.txt (MPL, BSD and MIT)
0.6.2 license: https://github.com/novnc/noVNC/blob/v0.6.2/LICENSE.txt (MPL, BSD, LGPL 3.0, Apache 2.0, MIT)
The main license is MPL and I think it allows for that: https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
Other references:
https://tldrlegal.com/license/bsd-3-clause-license-(revised)
https://tldrlegal.com/license/gnu-lesser-general-public-license-v3-(lgpl-3)
https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
https://tldrlegal.com/license/mit-license
Regards,
Rohit Yadav
Software Architect, ShapeBlue
https://www.shapeblue.com
________________________________
From: Wei ZHOU <us...@gmail.com>
Sent: Thursday, April 4, 2019 1:34:24 PM
To: dev@cloudstack.apache.org; users@cloudstack.apache.org; w.zhou@global.leaseweb.com
Subject: CloudStack NoVNC solution in Leaseweb
Hello CloudStack developers and users,
We (as leaseweb) would like to share our NoVNC solution on our cloudstack
platforms with the CloudStack community . The feature was implemented in
2012 and we have made some changes since that. We have used it for more
than 7 years and it is very stable.
Unlike the pull request submitted by sachinnitw1317 (
https://github.com/apache/cloudstack/pull/2204 ) ,which is based on the
novnc as the front end (different from the cloudstack) and the java
websocket proxy (same as cloudstack) in console proxy vm (cpvm), we use
modified novnc and websockify to launch a websockify proxy in cpvm .
Here are some technical details:
(1) We use two open source projects: noVNC (https://github.com/novnc/noVNC
, 0.6.2) and websockify (https://github.com/novnc/websockify ,latest)
(2) We modified websockify so we can launch it without the target
server/port and token.
(3) We reuse the 'path' in novnc and websockify to pass some necessary vm
informations from cloudstack to novnc and websockify. path is encrypted in
cpvm / java, which contains target server,target port, vnc password, client
ip and timestamp. When a new client comes, websockify will decrypt 'path'
to get the vm informations above, and check if the client ip matches and
the timestamp has not expired.
(4) We moved the server/client initialization from novnc(js) to
websockify(python). When a new client comes, websockify will create a
websocket connection to the target server and port ,then check the protocol
version and authentication scheme, use the password in step (3) in vnc
authentication .
(5) Add a global setting in cloudstack for encryption in java and
decryption in websockify.
Compared to the cloudstack native console (ajax/java websocket proxy) and
the novnc console purposed in PR 2204 (novnc /java websocket proxy) , we
believe that the novnc console based on websockifty (written in python) is
more efficient than the consoles based on java websocket proxy.
If you have any questions or concerns, please feel free to ask. If nobody
objects, we will port our changes to cloudstack 4.11.2 LTS and submit a
pull request on cloudstack github, so everyone who is interested can merge
and build it in his/her fork and test it .
Considering that novnc and websockify are both open source projects, and we
also use some open source code (such as in pyDes.py VNC password
authentication) , it would be appreciated if anyone can help us on software
licensing issues.
Kind regards,
Wei Zhou
Principal Cloud Engineer
LEASEWEB
rohit.yadav@shapeblue.com
www.shapeblue.com
Amadeus House, Floral Street, London WC2E 9DPUK
@shapeblue