software/kvm: don't use websockify anymore

f48a06ec · Thomas Gambier · 7168ba00 · f48a06ec · f48a06ec · f48a06ec
Commit f48a06ec authored Jul 13, 2022 by Thomas Gambier 🚴🏼
7 changed files
--- a/software/kvm/buildout.hash.cfg
+++ b/software/kvm/buildout.hash.cfg
@@ -15,11 +15,11 @@

 [template]
 filename = instance.cfg.in
-md5sum = a7978940fb9cdcc4e1ec33015ba640ba
+md5sum = b6204319cca4264b3c351d4dd1f2b5d0

 [template-kvm]
 filename = instance-kvm.cfg.jinja2
-md5sum = 69749ef4be49b970af9548d68e6d8785
+md5sum = 14a8433ca9f0038bb6cc4b68ef7ea8e5

 [template-kvm-cluster]
 filename = instance-kvm-cluster.cfg.jinja2.in
@@ -49,13 +49,17 @@ md5sum = 64aa1ce8785f6b94aabd787fa3443082
 filename = instance-nbd.cfg.jinja2
 md5sum = e041e8011ad2ec7f104be173ef76f5e9

+[template-nginx]
+filename = template/nginx_conf.in
+md5sum = 9ca886120a99befe25ca761ddc54753c
+
 [template-ansible-promise]
 filename = template/ansible-promise.in
 md5sum = 6328f99728284847b8dd1146aadeae1b

 [template-kvm-run]
 filename = template/template-kvm-run.in
-md5sum = fa048a28da7362d570f5b6bd1e05d232
+md5sum = 4ce3fc8072e1e010ee99651cb01d3b3d

 [template-kvm-controller]
 filename = template/kvm-controller-run.in

--- a/software/kvm/instance-kvm.cfg.jinja2
+++ b/software/kvm/instance-kvm.cfg.jinja2
@@ -643,31 +643,48 @@ promise = check_command_execute
 name = qemu-virtual-machine-is-ready.py
 config-command = ${kvm-started-bin:output}

-[novnc-instance]
-recipe = slapos.cookbook:novnc
-path = ${ca-novnc:executable}
+[nginx-tempdir]
+recipe = slapos.cookbook:mkdirectory
+tmp = ${buildout:directory}/tmp
+client-body-temp-path = ${:tmp}/client_body_temp_path
+proxy-temp-path = ${:tmp}/proxy_temp_path
+fastcgi-temp-path = ${:tmp}/fastcgi_temp_path
+uwsgi-temp-path = ${:tmp}/uwsgi_temp_path
+scgi-temp-path = ${:tmp}/scgi_temp_path
+
+[nginx-launcher]
+recipe = slapos.cookbook:wrapper
+command-line = ${ca-novnc:executable} -c ${nginx-config:output}
+wrapper-path = ${directory:services}/nginx
+
+[nginx-config]
+recipe = slapos.recipe.template:jinja2
+url = {{ template_nginx }}
+output = ${directory:etc}/nginx.conf
+context =
+    section params nginx-params
+    section ca ca-novnc
+    section tempdir nginx-tempdir
+    raw docroot {{ novnc_location }}
+    raw mime {{ nginx_mime }}
+
+[nginx-params]
+path-pid = ${directory:run}/nginx.pid
+path-error-log = ${directory:log}/nginx-error.log
+path-access-log = ${directory:log}/nginx-access.log
 ip = ${slap-network-information:global-ipv6}
 port = 6080
-vnc-ip = ${kvm-parameter-dict:vnc-ip}
-vnc-port = ${kvm-parameter-dict:vnc-port}
-novnc-location = {{ novnc_location }}
-websockify-path = {{ websockify_executable_location }}
-ssl-key-path = ${ca-novnc:key-file}
-ssl-cert-path = ${ca-novnc:cert-file}
-
-[websockify-sighandler]
-recipe = slapos.cookbook:signalwrapper
-wrapper-path = ${directory:bin}/websockify-sighandler
-wrapped-path = ${novnc-instance:path}
-
-[websockify-sighandler-service]
-recipe = slapos.cookbook:wrapper
-command-line = ${websockify-sighandler:wrapper-path}
-wrapper-path = ${directory:services}/websockify
-hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
-wait-for-files =
-  ${ca-novnc:key-file}
-  ${ca-novnc:cert-file}
+websocket-ip = ${kvm-parameter-dict:vnc-ip}
+websocket-port = ${kvm-parameter-dict:vnc-port}
+websocket-path = websockify
+nb-workers = 2
+
+[nginx-graceful]
+recipe = slapos.recipe.template
+output = ${directory:scripts}/nginx-graceful
+inline =
+  #!/bin/sh
+  exec kill -s SIGHUP $(cat ${nginx-params:path-pid})

 [certificate-authority]
 recipe = slapos.cookbook:certificate_authority
@@ -699,15 +716,15 @@ crl = ${directory:ca-dir}/crl/
 recipe = slapos.cookbook:certificate_authority.request
 key-file = ${directory:novnc-conf}/novnc.key
 cert-file = ${directory:novnc-conf}/novnc.crt
-executable = ${directory:bin}/novnc
-wrapper = ${directory:bin}/websockify
+executable = {{ nginx_executable }}
+wrapper = ${directory:bin}/nginx-with-ca

 [novnc-promise]
 <= monitor-promise-base
 promise = check_socket_listening
 name = novnc_promise.py
-config-host = ${novnc-instance:ip}
-config-port = ${novnc-instance:port}
+config-host = ${nginx-params:ip}
+config-port = ${nginx-params:port}


 #----------------
@@ -748,7 +765,8 @@ partition-id = ${slap-connection:partition-id}
 shared = true
 config-https-only = True
 config-type = websocket
-config-url = https://[${novnc-instance:ip}]:${novnc-instance:port}
+config-websocket-path-list = ${nginx-params:websocket-path}
+config-url = https://[${nginx-params:ip}]:${nginx-params:port}
 return = secure_access domain

 [request-slave-frontend]
@@ -762,7 +780,7 @@ sla-instance_guid = ${slap-parameter:frontend-instance-guid}
 <= monitor-promise-base
 promise = check_url_available
 name = frontend_promise.py
-config-url = ${request-slave-frontend:connection-secure_access}
+config-url = ${request-slave-frontend:connection-secure_access}/vnc.html

 {% if additional_frontend %}
 [request-slave-frontend-additional]
@@ -823,10 +841,10 @@ blank-line =
 <= monitor-publish
 recipe = slapos.cookbook:publish.serialised
 ipv6 = ${slap-network-information:global-ipv6}
-backend-url = https://[${novnc-instance:ip}]:${novnc-instance:port}/vnc.html?auto=1&encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
-url = ${request-slave-frontend:connection-secure_access}/vnc.html?auto=1&encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
+backend-url = https://[${nginx-params:ip}]:${nginx-params:port}/vnc.html?encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
+url = ${request-slave-frontend:connection-secure_access}/vnc.html?encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
 {% if additional_frontend %}
-url-additional = ${request-slave-frontend-additional:connection-secure_access}/vnc.html?auto=1&encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
+url-additional = ${request-slave-frontend-additional:connection-secure_access}/vnc.html?encrypt=1&password=${kvm-controller-parameter-dict:vnc-passwd}
 {% endif %}
 {% set disk_number = len(storage_dict) -%}
 maximum-extra-disk-amount = {{ disk_number }}
@@ -1242,8 +1260,8 @@ parts =
  kvm-controller-wrapper
  kvm-vnc-promise
  kvm-disk-image-corruption-promise
-  websockify-sighandler
-  websockify-sighandler-service
+  nginx-launcher
+  nginx-graceful
  novnc-promise
  kvm-started-promise
  cron

--- a/software/kvm/instance.cfg.in
+++ b/software/kvm/instance.cfg.in
@@ -89,6 +89,8 @@ extra-context =
  raw logrotate_cfg ${template-logrotate-base:output}
  raw novnc_location ${noVNC:location}
  raw netcat_bin ${netcat:location}/bin/netcat
+  raw nginx_executable ${nginx-output:nginx}
+  raw nginx_mime ${nginx-output:mime}
  raw python_executable ${buildout:executable}
  raw python_eggs_executable ${buildout:bin-directory}/${python-with-eggs:interpreter}
  raw qemu_executable_location ${qemu:location}/bin/qemu-system-x86_64
@@ -100,6 +102,7 @@ extra-context =
  raw template_kvm_controller_run ${template-kvm-controller:target}
  raw template_kvm_run ${template-kvm-run:target}
  raw template_monitor ${monitor2-template:output}
+  raw template_nginx ${template-nginx:target}
  raw websockify_executable_location ${buildout:directory}/bin/websockify
  raw wipe_disk_wrapper ${buildout:directory}/bin/securedelete
 template-parts-destination = ${template-parts:target}

--- a/software/kvm/software.cfg
+++ b/software/kvm/software.cfg
@@ -8,9 +8,8 @@ extends =
  ../../component/noVNC/buildout.cfg
  ../../component/openssl/buildout.cfg
  ../../component/netcat/buildout.cfg
-  ../../component/lxml-python/buildout.cfg
+  ../../component/nginx/buildout.cfg
  ../../component/pycurl/buildout.cfg
-  ../../component/numpy/buildout.cfg
  ../../component/gzip/buildout.cfg
  ../../stack/slapos.cfg
  ../../stack/resilient/buildout.cfg
@@ -33,28 +32,20 @@ parts = ${:common-parts}
 #             In qemu builtin vnc server, and make it available only for localhost
 #             so that only novnc can listen to it.

-#XXX-Cedric: Check status of https://github.com/kanaka/noVNC/issues/13 to see
-#            When qemu has builtin support for websockets in vnc server to get rid of
-#            Websockify (socket <-> websocket proxy server) when it is ready.
-#            May solve previous XXX depending on the implementation.
-
-#XXX-Cedric : add list of keyboard layouts (azerty/us querty/...) parameter to qemu
-
 [python-with-eggs]
 recipe = zc.recipe.egg
 interpreter = ${:_buildout_section_name_}
 eggs =
  ${slapos-toolbox:eggs}
  ${python-cffi:egg}
-  ${lxml-python:egg}
-  websockify
  ${slapos-cookbook:eggs}
  erp5.util
 # BBB: eggs used as recipe should be kept otherwise sections depending
 # on it can't be uninstalled
  collective.recipe.shelloutput
-scripts =
-  websockify
+# Only generate the interpreter script to avoid conflicts with scripts
+# for eggs that are also generated by another section, like slapos.toolbox
+scripts = ${:interpreter}

 # Create all templates that will be used to deploy instances
 [download-base]
@@ -97,6 +88,9 @@ output = ${buildout:directory}/template.cfg
 [template-nbd]
 <= download-base

+[template-nginx]
+<= download-base
+
 [template-ansible-promise]
 <= download-base

@@ -135,9 +129,3 @@ context =

 [whitelist-domains-default]
 <= download-base
-
-[versions]
-websockify = 0.9.0
-gitdb = 0.6.4
-pycurl = 7.43.0
-smmap = 0.9.0
--- a/software/kvm/template/nginx_conf.in
+++ b/software/kvm/template/nginx_conf.in
+worker_processes {{ params['nb-workers'] }};
+
+pid {{ params['path-pid'] }};
+error_log {{ params['path-error-log'] }};
+
+daemon off;
+
+events {
+  worker_connections 1024;
+  accept_mutex off;
+}
+
+http {
+    include {{ mime }};
+    default_type  application/octet-stream;
+    types_hash_bucket_size 64;
+    access_log {{ params['path-access-log'] }} combined;
+    index novnc.html;
+
+    upstream vnc_proxy {
+        server {{ params['websocket-ip'] }}:{{ params['websocket-port'] }};
+    }
+    server {
+        listen [{{ params['ip'] }}]:{{ params['port'] }} ssl http2;
+        server_name _;
+
+        ssl_certificate {{ ca['cert-file'] }};
+        ssl_certificate_key {{ ca['key-file'] }};
+        ssl_session_timeout 1d;
+        ssl_session_cache shared:MozSSL:10m;
+        ssl_session_tickets off;
+        ssl_protocols TLSv1.3;
+        ssl_prefer_server_ciphers off;
+
+        keepalive_timeout 5;
+        client_body_temp_path {{ tempdir['client-body-temp-path'] }};
+        proxy_temp_path {{ tempdir['proxy-temp-path'] }};
+        fastcgi_temp_path {{ tempdir['fastcgi-temp-path'] }};
+        uwsgi_temp_path {{ tempdir['uwsgi-temp-path'] }};
+        scgi_temp_path {{ tempdir['scgi-temp-path'] }};
+
+        # path for static files
+        root {{ docroot }};
+
+        location /{{ params['websocket-path'] }} {
+            proxy_http_version 1.1;
+            proxy_pass http://vnc_proxy/;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+
+            # VNC connection timeout
+            proxy_read_timeout 61s;
+
+            # Disable cache
+            proxy_buffering off;
+        }
+
+    }
+}
--- a/software/kvm/template/template-kvm-run.in
+++ b/software/kvm/template/template-kvm-run.in
@@ -62,7 +62,7 @@ cluster_doc_port = {{ parameter_dict.get("cluster-doc-port") }}
 auto_ballooning = '{{ parameter_dict.get("auto-ballooning") }}' in ('true', 'True', '1')
 vm_name = '{{ parameter_dict.get("name") }}'

-# If a device (ie.: /dev/sdb) is provided, use it instead 
+# If a device (ie.: /dev/sdb) is provided, use it instead
 # the disk_path with disk_format
 disk_info_list = []
 for disk_device_path in '{{ parameter_dict.get("disk-device-path", "") }}'.split():
@@ -145,7 +145,7 @@ def getMapStorageList(disk_storage_dict, external_disk_number):

  if id_list:
    if not map_f_exist:
-      # shuffle the list to not write disk in data1, data2, ... everytime 
+      # shuffle the list to not write disk in data1, data2, ... everytime
      shuffle(id_list)
    if external_disk_number < last_amount:
      # Drop created disk is not allowed
@@ -277,7 +277,7 @@ ram = '%sM,slots=128,maxmem=%sM' % (init_ram_size, ram_max_size)

 kvm_argument_list = [qemu_path,
  '-enable-kvm', '-smp', smp, '-name', vm_name, '-m', ram, '-vga', 'std',
-  '-vnc', '%s:1,ipv4=on,password=on' % listen_ip,
+  '-vnc', '%s:1,password=on,websocket=on' % listen_ip,
  '-boot', 'order=cd,menu=on',
  '-qmp', 'unix:%s,server,nowait' % socket_path,
  '-pidfile', pid_file_path, '-msg', 'timestamp=on',

--- a/software/kvm/test/test.py
+++ b/software/kvm/test/test.py
@@ -212,7 +212,8 @@ i0:kvm-{kvm-hash-value}-on-watch RUNNING
 i0:kvm_controller EXITED
 i0:monitor-httpd-{hash}-on-watch RUNNING
 i0:monitor-httpd-graceful EXITED
-i0:websockify-{hash}-on-watch RUNNING
+i0:nginx-graceful EXITED
+i0:nginx-on-watch RUNNING
 i0:whitelist-domains-download-{hash} RUNNING
 i0:whitelist-firewall-{hash} RUNNING""",
      self.getProcessInfo()
@@ -702,11 +703,12 @@ ir2:kvm-{kvm-hash-value}-on-watch RUNNING
 ir2:kvm_controller EXITED
 ir2:monitor-httpd-{hash}-on-watch RUNNING
 ir2:monitor-httpd-graceful EXITED
+ir2:nginx-graceful EXITED
+ir2:nginx-on-watch RUNNING
 ir2:notifier-on-watch RUNNING
 ir2:resilient_sshkeys_authority-on-watch RUNNING
 ir2:sshd-graceful EXITED
 ir2:sshd-on-watch RUNNING
-ir2:websockify-{hash}-on-watch RUNNING
 ir2:whitelist-domains-download-{hash} RUNNING
 ir2:whitelist-firewall-{hash} RUNNING
 ir3:bootstrap-monitor EXITED
@@ -2295,7 +2297,8 @@ ihs0:kvm-{kvm-hash-value}-on-watch RUNNING
 ihs0:kvm_controller EXITED
 ihs0:monitor-httpd-{hash}-on-watch RUNNING
 ihs0:monitor-httpd-graceful EXITED
-ihs0:websockify-{hash}-on-watch RUNNING
+ihs0:nginx-graceful EXITED
+ihs0:nginx-on-watch RUNNING
 ihs0:whitelist-domains-download-{hash} RUNNING
 ihs0:whitelist-firewall-{hash} RUNNING""",
      self.getProcessInfo()