lima
Add VNC video display including password
The other display options open a window always, while the vnc is more "on demand" by using a separate vnc viewer.
Add localhost and password support for some minimal security. The password is generated, and is stored as an instance file.
Closes #1003
Probably should move the display of the password, or perhaps just show the filename ?
INFO[0000] [hostagent] Starting QEMU (hint: to watch the boot progress, see "/home/anders/.lima/default/serial.log")
INFO[0001] [hostagent] VNC Password for 127.0.0.1:0 is: 17791850
INFO[0001] SSH Local Port: 60022
INFO[0001] [hostagent] Waiting for the essential requirement 1 of 5: "ssh"
Some viewers accept a passwordfile, rather than prompting for the (clear-text) password.
Oops, forgot to seed the random number generator so the generated "password" is always the same.
https://pkg.go.dev/math/rand
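An added example, not code from this pull request: an unseeded `math/rand` yields the same "password" on every run, while `crypto/rand` reads from the OS CSPRNG and needs no seed. The function names are hypothetical; the `vncpassword` file name is taken from the log output in this thread, and the 8-digit length matches the passwords shown there (classic VNC authentication only uses the first 8 characters).

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
)

// generateVNCPassword (hypothetical name) draws 8 digits from the operating
// system CSPRNG, so there is no seed to forget and no repeated output.
func generateVNCPassword() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(100000000)) // uniform in [0, 10^8)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%08d", n.Int64()), nil
}

// writePasswordFile (hypothetical name) stores the password owner-readable only.
func writePasswordFile(instDir, password string) (string, error) {
	path := filepath.Join(instDir, "vncpassword")
	if err := os.WriteFile(path, []byte(password), 0o600); err != nil {
		return "", err
	}
	// WriteFile keeps the mode of an existing file, so set it explicitly.
	if err := os.Chmod(path, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	dir, err := os.MkdirTemp("", "lima-example-") // constructed stand-in for the instance dir
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	pw, err := generateVNCPassword()
	if err != nil {
		panic(err)
	}
	path, err := writePasswordFile(dir, pw)
	if err != nil {
		panic(err)
	}
	fmt.Println("VNC password stored in", path)
}
```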
Should show a real URL, so that it is clickable in the console (maybe include the VNC password too?)
The current output works in vncviewer:
127.0.0.1:0 <--> vnc://127.0.0.1:5900
https://tools.ietf.org/html/rfc7869
INFO[0000] [hostagent] VNC Password for 127.0.0.1:0 <vnc://127.0.0.1:5900> is:
INFO[0000] [hostagent] "46479782" | `/home/anders/.lima/default/vncpassword`
Note that the default user doesn't have any password, so still needs passwd for console.
gvncviewer 127.0.0.1:0

novnc 127.0.0.1:0 (https://novnc.com/)
Using installed websockify at /snap/novnc/8/bin/websockify
Starting webserver and WebSockets proxy on port 6080
WebSocket server settings:
- Listen on :6080
- Web server. Web root: /snap/novnc/8
- No SSL/TLS support (no cert file)
- proxying from :6080 to localhost:5900
Navigate to this URL:
http://ubuntu:6080/vnc.html?host=ubuntu&port=6080
Press Ctrl-C to exit
Note that the default user doesn't have any password, so still needs passwd for console.
So this works great to get the console, but how do you log in?
Note that the default user doesn't have any password, so still needs passwd for console.
So this works great to get the console, but how do you log in?
Sorry, was confused; I just realized that this is exactly the same as the regular console 😄
So this works great to get the console, but how do you log in?
It also depends on the example, and if you add a login manager you could also add more login methods ?
The VNC "password" is just to protect the display as such, it doesn't change anything about authentication
Otherwise it is no different from any other qemu -display option.
It seems there is a nice feature to try next available port, maybe have that as a vnc default and require "display" ?
display: "vnc"
vnc:
display: "127.0.0.1:0,to=9"
Then it wouldn't use vnc.display, unless also setting display=vnc. And return an unused display 0-9 ? (port 5900-5909)
to=L
With this option, QEMU will try next available VNC displays, until the number L, if the originally defined "-vnc display" is not available, e.g. port 5900+display is already used by
another application. By default, to=0.
host:d
TCP connections will only be allowed from host on display d. By convention the TCP port is 5900+d. Optionally, host can be omitted in which case the server will accept connections
from any host.
EDIT: only problem is getting the selected display back, and some minor issues with parsing
strconv.Atoi: parsing \"0,to=9\": invalid syntax
I suppose QueryVNC would do the trick:
Welcome to the QMP low-level shell!
Connected to QEMU 4.2.1
(QEMU) query-vnc
{"return": {"enabled": true, "auth": "vnc", "family": "ipv4", "clients": [], "service": "5900", "host": "127.0.0.1"}}
(QEMU) query-vnc-servers
{"return": [{"auth": "vnc", "clients": [], "server": [{"auth": "vnc", "family": "ipv4", "service": "5900", "host": "127.0.0.1", "websocket": false}], "id": "default"}]}
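An added example, not code from this pull request: instead of parsing the configured `0,to=9` string, read the display QEMU actually bound from the `query-vnc` reply quoted above, and refuse to report it unless it is password-protected and on loopback. The function name is hypothetical; the sample reply is the one from this comment.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strconv"
)

// sampleReply is the query-vnc output quoted in the thread above.
const sampleReply = `{"return": {"enabled": true, "auth": "vnc", "family": "ipv4", "clients": [], "service": "5900", "host": "127.0.0.1"}}`

// displayFromQueryVNC (hypothetical name) returns the "host:d" display and the
// vnc:// URL, using the convention that the TCP port is 5900+d.
func displayFromQueryVNC(reply []byte) (display, url string, err error) {
	var msg struct {
		Return struct {
			Enabled             bool
			Auth, Host, Service string // encoding/json matches keys case-insensitively
		} `json:"return"`
	}
	if err = json.Unmarshal(reply, &msg); err != nil {
		return "", "", err
	}
	info := msg.Return
	if !info.Enabled || info.Auth != "vnc" {
		return "", "", fmt.Errorf("VNC disabled or not password-protected (auth=%q)", info.Auth)
	}
	ip := net.ParseIP(info.Host)
	if ip == nil || !ip.IsLoopback() {
		return "", "", fmt.Errorf("VNC is not bound to loopback (host=%q)", info.Host)
	}
	port, err := strconv.Atoi(info.Service)
	if err != nil || port < 5900 {
		return "", "", fmt.Errorf("unexpected VNC service %q", info.Service)
	}
	display = fmt.Sprintf("%s:%d", info.Host, port-5900)
	return display, "vnc://" + net.JoinHostPort(info.Host, info.Service), nil
}

func main() {
	d, u, err := displayFromQueryVNC([]byte(sampleReply))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s <%s>\n", d, u)
}
```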
Now the default vnc display will pick the first available one, from 127.0.0.1:0 127.0.0.1:1 ... 127.0.0.1:9
This means that all the user needs to do is to change the display type from "none" to "vnc", and get the password.
It can either be seen in the log, or read from the instance file.
The log will also show the display number, if it wasn't fixed.
Maybe the display needs a separate file, next to the password.
Then you could just read the vncdisplay file, for the address ?
Then you could just read the vncdisplay file, for the address ?
SGTM.
Maybe we can also have limactl show-vnc (akin to limactl show-ssh) to show the VNC info.
Btw, I guess the VNC feature should be marked as experimental for now, at least until we can have integration tests (how?)?
CI failing
Btw, I guess the VNC feature should be marked as experimental for now, at least until we can have integration tests (how?)?
I couldn't really find any integration tests for the other display settings either, except for the default of none I guess.
Just because I said that, I actually managed to break "default" in the latest re-design (when moving to Video.Display)
"level":"fatal","msg":"Could not set password"
oops.
Broken by the driver introduction
Added some new functions to the BaseDriver, need to verify that it is QEMU before allowing VNC...
ChangeDisplayPassword(_ context.Context, password string) error
GetDisplayConnection(_ context.Context) (string, error)
"port" seemed a little specific, so went with a more generic "connection" (even if only vnc uses it)
Needs rebase
For some versions of QEMU, the only display option is VNC.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_deployment_and_administration_guide/index