Feature #3149

VNC windows not opening

Added by Christian Hüning about 5 years ago. Updated almost 4 years ago.

Status:ClosedStart date:08/12/2014
Priority:NormalDue date:
Assignee:Daniel Molina% Done:

100%

Category:Sunstone
Target version:Release 4.12
Resolution:fixed Pull request:

Description

I upgraded my OpenNebula 4.6 installation to the 4.8 preview (exact version reads: 4.7.80). Everything is working fine so far, but the VNC modal views in Sunstone. They simply don't come up.
I tried under windows 8.1 with Firefox (latest) and Chrome (latest).

error.png (6.59 KB) Christian Hüning, 08/13/2014 11:07 AM

Unbenannt.PNG (24.9 KB) Christian Hüning, 08/21/2014 06:13 AM

Unbenannt.PNG (24.9 KB) Christian Hüning, 08/21/2014 06:14 AM

Associated revisions

Revision 4c6e4986
Added by Daniel Molina over 4 years ago

feature #3149: do not rely on user config to set VNC wss

History

#1 Updated by Christian Hüning about 5 years ago

EDIT: This happens when using HTTPS via an lighttpd proxy. noVNC then can't get a secure connection.

#2 Updated by Daniel Molina about 5 years ago

Hi Christian,

Did you enable the VNC Secure Websockets checkbox in the Conf tab of the User Settings?

#3 Updated by Christian Hüning about 5 years ago

Hi,
thanks, didn't have that set. But now I get a VNC Disconnect timeout :

#4 Updated by Daniel Dehennin about 5 years ago

Christian Hüning wrote:

Hi,
thanks, didn't have that set. But now I get a VNC Disconnect timeout

I had the same issue because the certificate was not recognize by my browser.

To install the self-signed certificate:

  • I point my browser to https://sunstone:29876
  • Accept the certificate permanently
  • Close the tab as nothing will appear on that port

Regards.

#5 Updated by Ruben S. Montero about 5 years ago

  • Tracker changed from Bug to Feature
  • Category changed from Sunstone to Documentation
  • Status changed from Pending to New
  • Priority changed from High to Normal
  • Target version set to Release 4.10

Assuming this was causing the problem, I've moved the issue to the Documentation category to add a warning.

#6 Updated by Christian Hüning about 5 years ago

Well actually that doesn't do it for me. When trying to open that page via https I simply do not get any response. Via HTTP I get:

#7 Updated by Christian Hüning about 5 years ago

Sorry i misstyped the image's name. Here it is:

#8 Updated by Johan Kooijman about 5 years ago

Did you proxy port 29876 through lighttpd with SSL as well?

#9 Updated by Christian Hüning about 5 years ago

Johan Kooijman wrote:

Did you proxy port 29876 through lighttpd with SSL as well?

I'd say yes. I simply added a second line like" host : 127.0.0.1 , port : 29876" to the lighted config. But that doesn't solve it.

#10 Updated by Ruben S. Montero almost 5 years ago

  • Target version changed from Release 4.10 to Release 4.12

#11 Updated by Jimb0 Hon1nbo over 4 years ago

This is actually a bug in the Ruby for Sunstone. I confirmed it today, and am writing a patch that will be submitted (the bug is below, but to find out where these values breaking the conditional are coming from may take me time or maybe someone else can figure it out faster). All testing was done on CentOS 7 packages, both on 4.8 (found the bug while preparing for an update and getting really frustrated with some VNC admin only instances before migration), and on the current 4.10.

Error lies in the code that determines if the configuration is configured for wss in sunstone-server.conf.

There are three options: yes, no, and only. I found that there is a conditional in the sunstone interface that always returns in such a way that secure sockets is not the default. If it is not the default, even if supported, Firefox and Chrome will not partake in even displaying the fact the socket is there. noVNC is configured to only accept SSL connections via the config properly, and even with an SSL proxy it works just fine if you add a valid SSL cert to the vnc service (i just gave it perms to access my normal cert for now until I make a new one).
To verify that it is because the secure socket is not the default advertisement, even when set to only, do the following for firefox or chrome:
Firefox:
goto about:config and search for socket. There is a setting for allowing insecure https websockets. If you allow this then the window will at least popup, but there will be no session if you set wss support to "only". This is because noVNC will not allow non-ssl connections if you set to only. If you have it on yes or no, then it may render. However, if the connection ends up going over an insecure socket to the VNC server after the window pops up there will be a 1006 error. This can be fixed by clicking the blue square link by the error in the popup window, and in the resulting URL changing the encrypt parameter to "yes" and entering (which BTW, that URL is going to be another report as it puts the password and "session" token in a GET request, and the session token does not seem to reasonably expire with the user logging out). This is not an issue once the initial HTTPS websocket support is fixed, but due to a lack of a secure connection in the first place encryption does not get turned on automatically. If you do not want to use a valid SSL for noVNC, or simply want to use non-https for whatever reason, you can change a parameter to return an encrypt value of true always instead of depending on a conditional in /usr/lib/one/sunstone/public/vendor/noVNC/ui.js

I am trying to get all the details for the bugs to submit properly, or I can submit them here. But this is not really a documentation issue, as the SSL proxy should not make a difference as long as the bugs in the code are fixed.

-Jimb0

--- all findings were on a CentOS 7 server, running 4.10 but also confirmed on 4.8 before I upgraded----

error checking configuration conditional of noVNC script in /usr/lib/one/sunstone/sunstone-server.rb:
If you comment out the conditional then it works. Problem is that this is nowhere to set a secure websocket I could find in any template, but even worse is that the template can override the sunstone-server.conf setting of wss only, which a user should never be able to override. Period. "yes," perhaps since it is not strict. But an only case set by an admin should be enforced.
With the template conditional commented out, it actually checks the configuration setting defined for vnc in sunstone-server.conf

  1. if user['TEMPLATE/VNC_WSS']
  2. session[:vnc_wss] = user['TEMPLATE/VNC_WSS']
  3. else
    wss = $conf[:vnc_proxy_support_wss]
    #limit to yes,no options
    session[:vnc_wss] = (wss true || wss "yes" || wss == "only" ?
    "yes" : "no")
  4. end

If this conditional for the template, which I have no documentation for and frankly shouldn't exist, is fixed then the web based VNC will work with natively as long as a valid certificate is provided, with no issues for SSL proxy, native SSL, and no having to disable web sockets protections.

#12 Updated by Jimb0 Hon1nbo over 4 years ago

Forgot Chrome test instructions:

Attempt to load a VNC viewer in sunstone. when no popup appears other than the session notification in the bottom right, note that there is a lock icon on the top right in the URL bar. If you click it, there is a message that the page has insecure content. If you allow the insecure content the VNC sessions can open assuming you don't have a popup blocker enabled on the sunstone server.

#13 Updated by Ruben S. Montero over 4 years ago

  • Category changed from Documentation to Sunstone

#14 Updated by Daniel Molina over 4 years ago

  • Assignee set to Daniel Molina

#15 Updated by Daniel Molina over 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
  • Resolution set to fixed

Jimb0, thank you for your input. I have uploaded a patch to fix this

#16 Updated by Christian Hüning almost 4 years ago

Thx for the work!
Which version of ONE includes the fix? I am running on 4.12.1 and still am having this issue. Do I need to update to 4.14 ?

Also available in: Atom PDF