new spec: support of vnc console.
Change-Id: I04ebf824e13765d84d866f49695d9268a8175b41
This commit is contained in:
parent
08a53c95b9
commit
9a8ea0ae01
|
@ -0,0 +1,216 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=====================
|
||||
VNC console
|
||||
=====================
|
||||
|
||||
https://bugs.launchpad.net/ironic/+bug/1567629
|
||||
|
||||
In addition to a serial console, allow ironic nodes to be accessed through a
|
||||
vnc console. This proposal presents the work required to create a new
|
||||
driver interface for accessing graphical console of a node.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
End users often have to troubleshoot their instances because they might
|
||||
have broken their boot configuration or locked themselves out with a
|
||||
firewall. Keyboard-Video-Mouse (KVM) access is often required for
|
||||
troubleshooting these types of issues as serial access is not always
|
||||
available or correctly configured. Also, KVM provides a better user
|
||||
experience as compared to serial console.
|
||||
|
||||
Horizon's VNC console is not supported for the ironic
|
||||
nodes provisioned by Nova. This spec intents to extend that to
|
||||
grapical console via the novnc proxy.
|
||||
|
||||
The end user will be able to get workable vnc console url from baremetal
|
||||
server:
|
||||
switch console type on bm side to ``vnc``
|
||||
``openstack baremetal node console enable``
|
||||
``openstack console url show --novnc``
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
* In order to support the handshake for VNC authentication we have to
|
||||
implement proxy service as a part of security isolation. During handshake
|
||||
``vnc password`` is used. It is stored on ironic side in
|
||||
``driver_info/vnc password`` and without proxy need to be provided to Nova.
|
||||
This password should be set by admin. More information about vnc password is
|
||||
in rfb protocol. With novncproxy Nova internals don't need internal details
|
||||
of the BMC network. Expected that this new service can be based on
|
||||
nova_novncproxy.
|
||||
|
||||
* for drac will be created a vnc driver based on ``base.ConsoleInterface``
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
* Accept this limitation and only offer a serial console.
|
||||
|
||||
* We can configure kvm access including access to the bios via the
|
||||
serial proxy and shell in a box for nova provisioned ironic baremetal
|
||||
intances. This would require exposing credentials.
|
||||
|
||||
* Use out-of-band KVM access provided by administrator without Ironic support.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
State Machine Impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Client (CLI) impact
|
||||
-------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
RPC API impact
|
||||
--------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Driver API impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Nova driver impact
|
||||
------------------
|
||||
|
||||
Nova impacts are fully described in the support of vnc console for ironic
|
||||
spec in Nova.
|
||||
|
||||
Essentially, the Ironic virt driver will have to implement ``get_vnc_console``
|
||||
|
||||
As per policy in Nova, changes cannot land until ironic changes have landed.
|
||||
|
||||
|
||||
Ramdisk impact
|
||||
--------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
The VNC connection to the nodes are secured by a token generated while
|
||||
creating the console in Nova. This bearer token is the only thing required
|
||||
to connect to the novnc proxy, So the connection between user and novnc proxy
|
||||
should be protected via ssl
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Scalability impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Performance Impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
additions to configs (idrac example):
|
||||
|
||||
``ironic-conductor/ironic.conf``:
|
||||
enabled_console_interfaces = idrac-socat,ipmitool-socat, ``idrac-vnc``
|
||||
|
||||
``ironic-api/ironic.conf``:
|
||||
enabled_console_interfaces = idrac-socat,ipmitool-socat, ``idrac-vnc``
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
* kirillgermanov
|
||||
|
||||
Other contributors:
|
||||
None.
|
||||
|
||||
Work Items
|
||||
----------
|
||||
|
||||
* implement ``ironic-novncproxy`` service
|
||||
|
||||
* Introduce ``drac.DracWSManVNCConsole(base.ConsoleInterface)``
|
||||
|
||||
* Add usage description to documentation
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
https://review.opendev.org/c/openstack/nova-specs/+/863773
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Unit tests
|
||||
|
||||
|
||||
Upgrades and Backwards Compatibility
|
||||
====================================
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Documentation Impact
|
||||
====================
|
||||
|
||||
* Documentation will be updated.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* https://review.opendev.org/c/openstack/nova-specs/+/863773
|
||||
|
||||
* https://stackoverflow.com/questions/16469487/vnc-des-authentication-algorithm
|
||||
|
||||
* https://review.opendev.org/c/openstack/ironic/+/860689 - gerrit review ironic
|
||||
|
||||
* https://review.opendev.org/c/openstack/nova/+/863177 - gerrit review nova
|
||||
|
||||
* https://datatracker.ietf.org/doc/html/rfc6143 - rfb protocol
|
Loading…
Reference in New Issue