Authors:

Feature pages are design documents that developers have created while collaborating on oVirt.

Most of them are outdated, but provide historical design context.

They are not user documentation and should not be treated as such.


WebSocketProxy on a separate host

Summary

The aim of this feature is to enhance engine-setup so that it can install and configure the WebSocketProxy, in a fully automated way, on a second machine where the engine does not run.

Owner

Current status

Detailed Description

The noVNC client used for the VM web console uses websockets to carry VNC data. However, the VNC server in qemu does not support websockets natively, so a websocket proxy must sit between the client and the VNC server. This proxy can run on any node that has access to the host network, but currently engine-setup is only able to install and configure the WebSocketProxy on the node that runs the engine.

It is already possible to run the WebSocketProxy on a separate host, but it requires a manual procedure. What we are proposing will partly automate the setup process, making it easier, while still requiring some manual actions on both machines.

Assumption:

Under these assumptions it can work this way:

At the end the WebSocket Proxy runs on a different host and presents its own certificate, issued by the engine CA. Since there are now two hosts, trusting the engine certificate in the browser is not enough: the user also has to download the CA certificate and explicitly trust it in the browser. The CA certificate can be downloaded from http://<enginehost>/ca.crt

Example setup

Two VMs were created with Fedora 19 installed. They are named 'f19t11' (for the engine) and 'f19t12' (for the websocket-proxy).

Engine

Install the engine as usual on the first host.

WebSocket Proxy

Install ovirt-engine-websocket-proxy on the second host:

  [root@f19t12 ~]# yum install ovirt-engine-websocket-proxy

Then, on the second host, run engine-setup:

  [root@f19t12 ~]# engine-setup 
  [ INFO  ] Stage: Initializing
  [ INFO  ] Stage: Environment setup
            Configuration files: []
            Log file: /var/log/ovirt-engine/setup/ovirt-engine-setup-20140919173308-96y9sa.log
            Version: otopi-1.3.0_master (otopi-1.3.0-0.0.master.20140911.git7c7d631.fc19)
  [ INFO  ] Stage: Environment packages setup
  [ INFO  ] Stage: Programs detection
  [ INFO  ] Stage: Environment setup
  [ INFO  ] Stage: Environment customization
           
            --== PRODUCT OPTIONS ==--
           
            Configure WebSocket Proxy on this host (Yes, No) [Yes]: 

Choose Yes here.

            Setup can automatically configure the firewall on this system.
            Note: automatic configuration of the firewall may overwrite current settings.
            Do you want Setup to configure the firewall? (Yes, No) [Yes]: 
  [ INFO  ] iptables will be configured as firewall manager.
            Host fully qualified DNS name of this server [f19t12.localdomain]: 
  [ INFO  ] Stage: Setup validation
           
            --== CONFIGURATION PREVIEW ==--
           
            Update Firewall                         : True
            Host FQDN                               : f19t12.localdomain
            Firewall manager                        : iptables
            Configure WebSocket Proxy               : True
           
            Please confirm installation settings (OK, Cancel) [OK]: 
  [ INFO  ] Stage: Transaction setup
  [ INFO  ] Stopping websocket-proxy service
  [ INFO  ] Stage: Misc configuration
  [ INFO  ] Stage: Package installation
  [ INFO  ] Stage: Misc configuration
  [ INFO  ] Configuring WebSocket Proxy
           
            ATTENTION
           
            Manual actions are required on the engine host
            in order to enroll certs for this host and configure the engine about it.
           
            Please execute this command on the engine host: 
               engine-config -s WebSocketProxy=f19t12.localdomain:6100
            and than restart the engine service to make it effective

Connect to the first (engine) host and execute the proposed command there:

  [root@f19t11 ~]# engine-config -s WebSocketProxy=f19t12.localdomain:6100
  [root@f19t11 ~]# service ovirt-engine restart
  Redirecting to /bin/systemctl restart  ovirt-engine.service

Back on the second host:

            Do you prefer to manage certificate signing request and response
            inline or thought support files? (Inline, Files) [Inline]: 

Choose whichever mode you prefer; here we use the inline mode:

            Please issue WebSocket Proxy certificate based on this certificate request

This is the certificate request:

  D:MULTI-STRING WSP_CERTIFICATE_REQUEST --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--
  -----BEGIN CERTIFICATE REQUEST-----
  -----END CERTIFICATE REQUEST-----
  --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--
           
            Enroll SSL certificate for the websocket proxy service.
            It can be done using engine internal CA, if no 3rd party CA is available,
            with this sequence:
            1. Copy and save certificate request at
                /etc/pki/ovirt-engine/requests/websocket-proxy-f19t12.localdomain.req
            on the engine host

As instructed, save that certificate request at the proposed path on the engine host.

            2. execute, on the engine host, this command to enroll the cert:
             /usr/share/ovirt-engine/bin/pki-enroll-request.sh \
                 --name=websocket-proxy-f19t12.localdomain \
                 --subject="/C=`<country>`/O=`<organization>`/CN=f19t12.localdomain"
            Substitute `<country>`, `<organization>` to suite your environment
            (i.e. the values must match values in the certificate authority of your engine)
           3. Certificate will be available at
                /etc/pki/ovirt-engine/certs/websocket-proxy-f19t12.localdomain.cer
            on the engine host, please paste that content here when required

Connect again to the engine host in order to execute the proposed command. You also need to know the Country and Organization used for the CA; if you don't know them, read them from the CA certificate:

  [root@f19t11 ~]# openssl x509 -in /etc/pki/ovirt-engine/certs/ca.der -noout -subject
  subject= /C=US/O=localdomain/CN=f19t11.localdomain.84133

Use them to complete the proposed command and execute it on the engine host:

  [root@f19t11 ~]# /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=websocket-proxy-f19t12.localdomain --subject="/C=US/O=localdomain/CN=f19t12.localdomain"
  Using configuration from openssl.conf
  Check that the request matches the signature
  Signature ok
  The Subject's Distinguished Name is as follows
  countryName           :PRINTABLE:'US'
  organizationName      :PRINTABLE:'localdomain'
  commonName            :PRINTABLE:'f19t12.localdomain'
  Certificate is to be certified until Aug 24 15:47:58 2019 GMT (1800 days)
  Write out database with 1 new entries
  Data Base Updated

The certificate is now available at the proposed path, so, on the engine host:

  [root@f19t11 ~]# cat /etc/pki/ovirt-engine/certs/websocket-proxy-f19t12.localdomain.cer       
  Certificate:
      Data:
          Version: 3 (0x2)
          Serial Number: 4121 (0x1019)
      Signature Algorithm: sha1WithRSAEncryption
          Issuer: C=US, O=localdomain, CN=f19t11.localdomain.84133
          Validity
              Not Before: Sep 18 15:47:58 2014
              Not After : Aug 24 15:47:58 2019 GMT
          Subject: C=US, O=localdomain, CN=f19t12.localdomain
          Subject Public Key Info:
              Public Key Algorithm: rsaEncryption
                  Public-Key: (2048 bit)
                  Exponent: 65537 (0x10001)
          X509v3 extensions:
              X509v3 Subject Key Identifier: 
                  87:D6:7C:B1:4D:89:E5:ED:79:1E:2C:5C:51:AD:9E:45:D6:7E:6D:FC
              Authority Information Access: 
                  CA Issuers - URI:http://f19t11.localdomain:80/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA
              X509v3 Authority Key Identifier: 
                  keyid:7C:62:A5:65:2B:58:8A:61:20:8E:F5:A2:B3:1E:2D:03:C4:3E:80:11
                  DirName:/C=US/O=localdomain/CN=f19t11.localdomain.84133
                  serial:10:00
              X509v3 Basic Constraints: 
                  CA:FALSE
              X509v3 Key Usage: critical
                  Digital Signature, Key Encipherment
              X509v3 Extended Key Usage: critical
                  TLS Web Server Authentication, TLS Web Client Authentication
      Signature Algorithm: sha1WithRSAEncryption
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
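Before that block is pasted into the proxy host's prompt, here is an added shell example (not from the oVirt page nor from ovirt-engine-setup) that checks, on the engine host, that the issued certificate chains to the engine CA, carries the public key of the proxy's certificate request, names the proxy FQDN and is a server leaf certificate. The functions check_wsp_cert and make_demo_pki, the names wsp.example.test and engine.example.test and the throwaway PKI it builds for the demo are assumptions, not part of the walk-through.

```shell
#!/bin/sh
# Added example, not part of the oVirt feature page or of ovirt-engine-setup: pre-flight
# checks on the certificate that pki-enroll-request.sh issued, run on the engine host before
# the certificate is pasted into engine-setup on the proxy host. Assumes only the openssl CLI.
# The demo PKI built at the bottom is constructed here and stands in for the engine CA and
# the .req/.cer files of the walk-through (hypothetical names, not real hosts).

# check_wsp_cert CA_CERT CERT CSR FQDN -> exit 0 if every check passes, 1 at the first failure
check_wsp_cert() {
    ca="$1"; cert="$2"; csr="$3"; fqdn="$4"
    # Chain: the cert must be issued by the CA the browser is later told to trust (ca.crt).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert is not issued by $ca"; return 1; }
    # Key: the cert must carry the public key of the CSR engine-setup printed on the proxy host.
    csr_key=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    [ "$csr_key" = "$crt_key" ] || { echo "FAIL: public key does not match the CSR"; return 1; }
    # Name: CN must be the FQDN that 'engine-config -s WebSocketProxy=<fqdn>:6100' points at.
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn\$" \
        || { echo "FAIL: subject CN is not $fqdn"; return 1; }
    # Usage: a leaf server certificate, as in the cat output above (CA:FALSE, serverAuth EKU).
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || { echo "FAIL: basicConstraints is not CA:FALSE"; return 1; }
    echo "$text" | grep -q 'TLS Web Server Authentication' \
        || { echo "FAIL: no serverAuth extended key usage"; return 1; }
    # Validity: -checkend 0 exits non-zero once the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL: expired"; return 1; }
    echo "OK: $cert is usable for the WebSocket Proxy on $fqdn"
}

# make_demo_pki DIR FQDN: constructed throwaway CA, proxy CSR and proxy cert carrying the same
# extensions pki-enroll-request.sh produced in the walk-through.
make_demo_pki() {
    d="$1"; fqdn="$2"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.req" \
        -subj "/C=US/O=localdomain/CN=engine.example.test" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    openssl x509 -req -in "$d/ca.req" -signkey "$d/ca.key" -days 1 -extfile "$d/ca.cnf" \
        -out "$d/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/wsp.key" -out "$d/wsp.req" \
        -subj "/C=US/O=localdomain/CN=$fqdn" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$d/wsp.cnf"
    printf 'extendedKeyUsage=critical,serverAuth,clientAuth\n' >> "$d/wsp.cnf"
    openssl x509 -req -in "$d/wsp.req" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 1 -extfile "$d/wsp.cnf" -out "$d/wsp.cer" 2>/dev/null
}

# Demo on the constructed PKI; on a real engine host pass the engine CA certificate (the file
# read with 'openssl x509' above), the .cer and .req paths of the walk-through and the proxy FQDN.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" wsp.example.test
check_wsp_cert "$demo_dir/ca.pem" "$demo_dir/wsp.cer" "$demo_dir/wsp.req" wsp.example.test
```

Once the proxy service is running, the trust relation the browser needs can be checked from any machine holding ca.crt with `openssl s_client -connect f19t12.localdomain:6100 -CAfile ca.crt`.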

Take the last section (the PEM block between BEGIN CERTIFICATE and END CERTIFICATE) in order to input it on the websocket proxy host:

            Please input WSP certificate chain that matches certificate request,
            (issuer is not mandatory, from intermediate and upper)
           
            type '--=451b80dc-996f-432e-9e4f-2b29ef6d1141=--' in own line to mark end.

Paste the certificate block there (the same PEM content printed by cat above), then use that line to end the input phase.


Input the terminating line:

  --=451b80dc-996f-432e-9e4f-2b29ef6d1141=--

Now the second host needs to download and trust the engine certificate; provide the engine FQDN:

            Please provide the FQDN or IP of the remote engine host: f19t11.localdomain

That’s it…

  [ INFO  ] Generating post install configuration file '/etc/ovirt-engine-setup.conf.d/20-setup-ovirt-post.conf'
  [ INFO  ] Stage: Transaction commit
  [ INFO  ] Stage: Closing up
           
            --== SUMMARY ==--
           
           
            --== END OF SUMMARY ==--
           
  [ INFO  ] Stage: Clean up
            Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20140919173308-96y9sa.log
  [ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20140919173600-setup.conf'
  [ INFO  ] Stage: Pre-termination
  [ INFO  ] Stage: Termination
  [ INFO  ] Execution of setup completed successfully

The WebSocket Proxy now runs on a different host and presents its own certificate, issued by the engine CA. Since there are two hosts, trusting the engine certificate in your browser is not enough: the user also has to download the CA certificate and explicitly trust it in the browser. The CA certificate can be downloaded from http://<enginehost>/ca.crt

Benefit to oVirt

The installation process will become easier for those who need to install the WebSocketProxy on a separate host, because it will require fewer manual actions.

The WebSocketProxy is already able to run on a different host; only engine-setup needs to be improved so that it can be configured automatically.

Documentation / External references

Testing

Install and set up ovirt-engine on machine A and ovirt-engine-websocket-proxy on machine B, and configure it as described above. The user should be able to see a VM console through the websocket-proxy on host B.

On A:

  yum install ovirt-engine-setup 
  engine-setup

On B:

  yum install ovirt-engine-websocket-proxy
  engine-setup

Add a virtualization host, start a VM from the engine and open the noVNC console. The user should be able to see the VM console.
