
Protecting the VNC session (by quqi99)

Views: 95   Posted: 2023-12-13 08:56:26.0

Author: Zhang Hua   Published: 2015-06-27
Copyright notice: may be freely reposted; when reposting, please indicate the original source and author information with a hyperlink, together with this copyright notice.

( http://blog.csdn.net/quqi99)

libvirt supports setting a password to protect the VNC session:
<graphics type='vnc' port='-1' autoport='yes' listen='192.168.1.5' passwd='YOUR-PASSWORD-HERE' keymap='en-us'/>
but the code below shows that Nova does not support it (the indentation of the original snippet is restored here):
if ((CONF.vnc_enabled and virt_type not in ('lxc', 'uml'))):
    graphics = vconfig.LibvirtConfigGuestGraphics()
    graphics.type = "vnc"
    graphics.keymap = CONF.vnc_keymap
    graphics.listen = CONF.vncserver_listen
    # note: graphics.passwd is never set, so the libvirt passwd= attribute is never emitted
    guest.add_device(graphics)
    add_video_driver = True
Adding the code would be quite simple, but after submitting it I would still have to backport it, which is too much trouble. This isn't a bug either, more of a feature enhancement, so a workaround takes priority for now.
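Since Nova never emits the passwd= attribute, the only things standing between the network and a guest console are the listen address and the host firewall. The script below is an added example (not Nova or libvirt code) that audits libvirt domain XML of the kind `virsh dumpxml` prints for VNC devices that are reachable without a password. The three sample domains are constructed; the libvirt element names and attributes (`graphics`, `listen`, `passwd`, `port`) are real.

```python
"""Audit libvirt domain XML for VNC consoles reachable without a password.

Added example, not part of the original post. Works on the XML that
`virsh dumpxml <domain>` prints for each guest.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed samples: a Nova-style guest (no passwd, listening on every
# interface), a guest with a password set, and a guest bound to loopback only.
SAMPLE_DOMAINS = {
    "instance-00000001": """<domain type='kvm'><name>instance-00000001</name>
      <devices>
        <graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' keymap='en-us'>
          <listen type='address' address='0.0.0.0'/>
        </graphics>
      </devices></domain>""",
    "instance-00000002": """<domain type='kvm'><name>instance-00000002</name>
      <devices>
        <graphics type='vnc' port='5901' autoport='yes' listen='192.168.1.5'
                  passwd='YOUR-PASSWORD-HERE' keymap='en-us'/>
      </devices></domain>""",
    "instance-00000003": """<domain type='kvm'><name>instance-00000003</name>
      <devices>
        <graphics type='vnc' port='5902' autoport='yes' listen='127.0.0.1' keymap='en-us'/>
      </devices></domain>""",
}


def vnc_findings(domain_xml):
    """Return a list of (port, listen_address, issue) for every VNC graphics device."""
    root = ET.fromstring(domain_xml)
    findings = []
    for g in root.iter("graphics"):
        if g.get("type") != "vnc":
            continue
        # libvirt accepts the address as a listen= attribute or as a child <listen> element.
        listen = g.get("listen")
        child = g.find("listen")
        if listen is None and child is not None:
            listen = child.get("address")
        if listen is None:
            # Effective address then comes from qemu.conf (vnc_listen); treat unknown as exposed.
            exposed = True
        else:
            exposed = not ipaddress.ip_address(listen).is_loopback
        has_passwd = bool(g.get("passwd"))
        if exposed and not has_passwd:
            issue = "no password, reachable from the network"
        elif exposed:
            issue = "password set, still reachable from the network (firewall the port)"
        else:
            issue = "ok"
        findings.append((g.get("port"), listen, issue))
    return findings


def audit(domains):
    """Map domain name -> findings that are not 'ok', for a dict of name -> XML."""
    return {name: [f for f in vnc_findings(xml) if f[2] != "ok"]
            for name, xml in domains.items()}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_DOMAINS).items():
        for port, listen, issue in problems:
            print("%s: vnc port %s listen %s: %s" % (name, port, listen, issue))
```

On a real compute node, feed it the output of `virsh dumpxml` for each domain from `virsh list --name`; a loopback-only listener is treated as safe because the proxy then has to reach it over a tunnel rather than the network.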
Add iptables rules on the compute node that block all VNC traffic to the compute node but allow the traffic coming from novnc.
# The proxy connects to 5900-5999 from an ephemeral source port, not from 6080 (6080 is only where the proxy listens for browsers), so the rule must not match on --sport 6080
iptables -A INPUT -p tcp ! -s 10.5.0.67 -m multiport --dports 5900:5999 -j DROP
If there are several novnc-proxy nodes:
sudo iptables -A INPUT -p tcp -s 10.5.0.81 -m multiport --dports 5900:5999 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 5900:5999 -j DROP
or use ipset:
sudo ipset create good_ips iphash
sudo ipset add good_ips 172.24.0.93
sudo ipset add good_ips 172.24.0.193
# restrict the DROP to the VNC port range; without the port match this rule would drop all traffic from hosts outside the set, SSH included
sudo iptables -A INPUT -p tcp -m multiport --dports 5900:5999 -m set ! --match-set good_ips src -j DROP

When Horizon and nova-novncproxy are not on the same machine, nova-novncproxy should have a rule such as "sudo iptables -I INPUT -m state --state NEW -s 172.24.0.93,172.24.0.193 -m tcp -p tcp --dport 6080 -j ACCEPT" to make sure it accepts the traffic coming from Horizon; in OpenStack this is open by default anyway.
It does not matter whether nova-novncproxy and nova-consoleauth are on the same node.
Normally /var/log/upstart/nova-novncproxy.log contains plenty of debugging information:
ubuntu@juju-zhhuabj-machine-8:~$ sudo tailf /var/log/upstart/nova-novncproxy.log
35: 10.5.0.3: Plain non-SSL (ws://) WebSocket connection
35: 10.5.0.3: Version hybi-13, base64: 'False'
35: 10.5.0.3: Path: '/websockify'
35: connecting to: 10.5.0.83:5900
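Those log lines are also the place to watch the proxy from the defender's side: each websockify handler logs the browser's address, whether the WebSocket was plain or TLS, and the compute host and display port it connected to. The parser below is an added example, not part of the original post or of noVNC: it reconstructs sessions from the log and raises alerts for console traffic carried in the clear and for targets outside the expected compute network or VNC port range. The first four sample lines are the post's own; the sessions 36 and 37 and the `wss://` message text are constructed.

```python
"""Parse nova-novncproxy.log into sessions and flag risky ones.

Added example, not part of the original post. The log format is what
websockify prints: "<id>: <client ip>: <message>" and
"<id>: connecting to: <host>:<port>".
"""
import ipaddress
import re

# Constructed sample log: lines for session 35 are from the post, 36 and 37 are made up.
SAMPLE_LOG = """\
35: 10.5.0.3: Plain non-SSL (ws://) WebSocket connection
35: 10.5.0.3: Version hybi-13, base64: 'False'
35: 10.5.0.3: Path: '/websockify'
35: connecting to: 10.5.0.83:5900
36: 10.5.0.3: SSL/TLS (wss://) WebSocket connection
36: 10.5.0.3: Path: '/websockify'
36: connecting to: 10.5.0.84:5901
37: 203.0.113.9: Plain non-SSL (ws://) WebSocket connection
37: connecting to: 10.5.0.84:22
"""

TARGET_RE = re.compile(r"^(?P<sid>\d+): connecting to: (?P<host>[\d.]+):(?P<port>\d+)$")
HEADER_RE = re.compile(r"^(?P<sid>\d+): (?P<client>[\d.]+): (?P<msg>.*)$")


def parse_sessions(text):
    """Return {session_id: {"client": ip, "tls": bool, "target": (host, port)}}."""
    sessions = {}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            sessions.setdefault(m["sid"], {})["target"] = (m["host"], int(m["port"]))
            continue
        m = HEADER_RE.match(line)
        if m:
            s = sessions.setdefault(m["sid"], {})
            s["client"] = m["client"]
            if "WebSocket connection" in m["msg"]:
                s["tls"] = "wss://" in m["msg"]   # plain ws:// carries the console in the clear
    return sessions


def review(sessions, compute_net="10.5.0.0/24", ports=(5900, 5999)):
    """Return a list of (session_id, alert) for sessions that deserve a look."""
    net = ipaddress.ip_network(compute_net)
    alerts = []
    for sid, s in sorted(sessions.items(), key=lambda kv: int(kv[0])):
        if s.get("tls") is False:
            alerts.append((sid, "console traffic in the clear (ws://)"))
        host, port = s.get("target", (None, None))
        if host is not None and (ipaddress.ip_address(host) not in net
                                 or not ports[0] <= port <= ports[1]):
            alerts.append((sid, "target %s:%d outside the compute VNC range" % (host, port)))
    return alerts


if __name__ == "__main__":
    for sid, alert in review(parse_sessions(SAMPLE_LOG)):
        print("session %s: %s" % (sid, alert))
```

Run it over the real file with `sudo cat /var/log/upstart/nova-novncproxy.log | python3 parse.py` after replacing SAMPLE_LOG with stdin; the compute network and port range are parameters of review() because they differ per deployment.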
Also, the noVNC client should be on the nova-novncproxy node; the following procedure increases the noVNC client's timeout:
a) Open rfb.js file in the editor of your control node located at : /usr/share/novnc/include/rfb.js
b) Find def_con_timeout variable in the file (def_con_timeout = Websock_native ? 2 : 5,), can try to bump it up to 200:500
c) Restart the noVNC service by following command: sudo service nova-novncproxy restart

Here 10.5.0.67 is the IP of the nova-novncproxy node and 6080 is the noVNC port. The steps are:
1, The control node needs four components installed: nova-consoleauth, novnc, python-novnc and nova-novncproxy:
sudo apt-get install nova-consoleauth novnc python-novnc nova-novncproxy
sudo service nova-consoleauth restart
sudo service nova-novncproxy restart
sudo service libvirt-bin restart

2, The compute node needs no special packages.

3, Configuration on the control node and the compute nodes:
vnc_enabled = True
novnc_enabled = True
vncserver_proxyclient_address=10.5.0.68
vncserver_listen=0.0.0.0
novncproxy_base_url=http://10.5.0.67:6080/vnc_auto.html

The instance has to be rebooted before the following shows up:

nova reboot --hard xenial-095412
root@juju-b8168c-pike-ha-189699-8:~# virsh dumpxml 2 |grep vnc
<graphics type='vnc' port='5900' autoport='yes' listen='0.0.0.0' keymap='en-us'>
$ nova get-vnc-console xenial-095412 novnc
+-------+--------------------------------------------------------------------------------+
| Type  | Url                                                                            |
+-------+--------------------------------------------------------------------------------+
| novnc | http://10.5.0.85:8081/vnc_auto.html?token=581dde70-b344-49b2-9dd5-9e1e3f5aed90 |
+-------+--------------------------------------------------------------------------------+


4, Verify that VNC is configured correctly. The two experiment nodes sit in an internal network nested inside another internal network abroad, so my physical machine first connects over VPN to the 10.230.64.153 network, and then the following commands set up a tunnel into the inner 10.5.0.0/24 network.

#make sure install python2.7 in remote bastion machine and use 10.5.0.0/16
sudo sshuttle --python=/usr/bin/python2.7 -r ubuntu@bastion 10.5.0.0/16 -D
http://10.5.2.52/horizon  admin_domain/admin/openstack


   Then, from the physical machine, ssh -X <ssh-server> && vncviewer 10.5.0.68:0 should give access. (Note: 10.230.64.153 has no GUI, so ssh -X is needed first in order to use the GUI environment of the local physical machine.)
   Or access it through Horizon: http://10.5.0.69/horizon   admin/openstack

5, Get the noVNC access link:
   nova get-vnc-console i1 novnc

6, With the iptables rules in place, direct VNC access should no longer work, but access through Horizon still does. OK, goal achieved.




Appendix 1,

Customize the port for SPICE as follows. Note: if running "openstack console url show --spice i1" gives trouble, remember to reboot the VM.


Appendix 2, if using xvpvnc, VncViewer.jar is needed:

git clone git://github.com/cloudbuilders/nova-xvpvncviewer.git
cd nova-xvpvncviewer/viewer/ && make all
java -jar ./VncViewer.jar URL http://10.5.0.28:6084/console?token=8fb1693b-2a14-4dd6-a29b-2754614c4688


References
1, https://review.openstack.org/gitweb?p=openstack%2Fnova.git;a=commitdiff;h=974d9cc788c584076ef952fa3cc5a53a5e5717d5
2, https://bugs.launchpad.net/nova/+bug/1450294
3, https://blueprints.launchpad.net/nova/+spec/vnc-default-password
4, https://blog.csdn.net/youyou1543724847/article/details/71079618
