
Add support for VNC console for shim VMs

Open europaul opened this issue 1 year ago • 2 comments

We enable access to shim VMs via VNC console through the following steps:

  • add another virtual console in the QEMU configuration that's gonna be used by VNC
  • call agetty on that virtual console during the VM's boot to enable login

When connecting to the QEMU instance via VNC, the user will first be presented with a view of the currently running process (container's entry point). To switch to the shell of the shim VM the user will have to press 'Ctrl+Alt+2' and then 'Enter' to get the login prompt. Due to the inability of some VNC clients to change the resolution of the display, the client might crash. However, upon client restart the new virtual console will appear as expected. The user can then switch back to the previous virtual console by pressing 'Ctrl+Alt+1'.

europaul avatar Mar 15 '24 13:03 europaul

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 17.51%. Comparing base (d864826) to head (7d949cd). Report is 19 commits behind head on master.

:exclamation: Current head 7d949cd differs from pull request most recent head e7b84e7. Consider uploading reports for the commit e7b84e7 to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3822   +/-   ##
=======================================
  Coverage   17.51%   17.51%           
=======================================
  Files           3        3           
  Lines         805      805           
=======================================
  Hits          141      141           
  Misses        629      629           
  Partials       35       35           


codecov[bot] avatar Mar 15 '24 13:03 codecov[bot]

Can you please add to the commit message and PR description that this will work only for the standalone vnc client, not the "Remote Console" guacamole plugin. Also would be great if you specify the reasons why it does not work there.

I do not have any objections to this PR; this is what we discussed with you. The main thing left to be done here is to enable this feature by a separate flag, like the regular VNC is enabled: https://github.com/lf-edge/eve-api/blob/6180247abbc1c04422e093458809e8da59a25eff/proto/config/vm.proto#L52

Why? There are huge security concerns: we can't let everyone who has VNC access to the Container freely access the Shim VM (if you wish we can discuss that once again with you and @shjala).

So my advice, in order to complete this PR, is to add a new field to the VmConfig structure (vm.proto). Then we can raise the whole security discussion of how to enable this safely while the VNC for shim VM stays disabled unless cloud explicitly enables this (which can be done later).

rouming avatar Mar 18 '24 11:03 rouming

@rouming I added the flag EnableVncShimVm to pillar. It needs to be added to edgeview as well, but since it depends on pillar I will have to create another PR for that after this one is merged.

europaul avatar Mar 22 '24 14:03 europaul

> Can you please add to the commit message and PR description that this will work only for the standalone vnc client, not the "Remote Console" guacamole plugin. Also would be great if you specify the reasons why it does not work there.

I'm also curious why it wouldn't work since guacamole is built using the vnc access in kvm/qemu.

Don't we have some markdown file which documents the current use of the console/vnc where this information can be added? If not we need to add it.

eriknordmark avatar Mar 22 '24 20:03 eriknordmark

@europaul There are a few changes requested (documentation, branching shim-vnc enabling). Also please fix yetus. Seems it wants "VM" name (all capital).

rouming avatar Apr 02 '24 08:04 rouming

> Can you please add to the commit message and PR description that this will work only for the standalone vnc client, not the "Remote Console" guacamole plugin. Also would be great if you specify the reasons why it does not work there.

> I'm also curious why it wouldn't work since guacamole is built using the vnc access in kvm/qemu.

Here we talk about this https://www.qemu.org/docs/master/system/keys.html, so you can switch between consoles from the VNC viewport. But the guacamole browser client (I assume this is guacamole) does not let you send those key combinations (or is this the browser? I did not investigate that, maybe Paul knows). So the switch between VNC consoles (vm and shim-vm) will work from an application client (tightvnc, etc.), but not guacamole.

> Don't we have some markdown file which documents the current use of the console/vnc where this information can be added? If not we need to add it.

Seems indeed we don't have any VNC-related documentation.

rouming avatar Apr 02 '24 08:04 rouming

@eriknordmark @europaul I'm still looking into how to switch between consoles using a key combination in guacamole. According to the guacamole's FAQ this might be possible. If I find a solution it will be part of another PR.

europaul avatar Apr 02 '24 20:04 europaul

@eriknordmark @rouming I think I addressed all comments, feel free to have another look!

europaul avatar Apr 05 '24 10:04 europaul

@rouming @eriknordmark I actually just confirmed that switching between virtual consoles works via the keyboard shortcut in guacamole in both Firefox and Chromium on my machine. So I removed that line about the limitation from the docs.

europaul avatar Apr 05 '24 14:04 europaul

That's cool. Thanks for the update.

rouming avatar Apr 05 '24 15:04 rouming