web interface?

web interface?

[Paul J R]

Hi guys, I had a quick question.

I was playing around writing a php-based web interface for KVM. 
Basically something that would allow you to use a tiny distro and let 
you manage disk/net etc via php (atm its crude to say the least).

It all seems relatively straight forward except for one component - the 
console bits. I wanted to make it so you could click on your new vm, 
then click on a "console" link and *poof* your console appears on your 
web browser via an embedded java applet. The problem is security, 
Authenticating users on the page is simple enough, but i cant see a 
method by which i could put a password on the vnc port in qemu?

Ideally, what i would like to be able to do is when someone accesses the 
console it sets the password randomly, then embed's it into the request. 
Once everyone disconnects it resets the password (but thats not quite so 
important at this point).

Of course, if someone is already doing a web interface then i'd like to 
know that too :)

Thanks in advance guys.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[ron minnich]

Take a look at Lucho's kvmfs before you go too far.

See his OLS talk and papers.

ron

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Jorge Lucángeli Obes]

On 7/31/07, ron minnich <rminnich-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Take a look at Lucho's kvmfs before you go too far.
>
> See his OLS talk and papers.

https://ols2006.108.redhat.com/2007/Reprints/mirtchovski-Reprint.pdf

Seems pretty cool.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Paul J R]

Wow, those are both pretty informative. Given both those replies, i'm 
wondering if i should continue?

The kind of thing I had in mind was relatively simple, it'd be a 
miniture OS that would boot up (over pxe/usb/cdrom) into ram (its about 
90mb of ram so far with kvm and a full kernel + kudzu and few small 
components such as a httpd+php). it searches for a configuration 
partition and away you go managing the rest via the web interface. I had 
clustering/multi-node sitting at the back of my head as well.

But im no guru at such things, and the reason I ask is that it sounds 
like it may be someone is already thinking along those lines anyway 
(someone much better at such things than me!).

Thanks for the replies everyone.

Jorge Lucángeli Obes wrote:
> On 7/31/07, ron minnich <rminnich-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>   
>> Take a look at Lucho's kvmfs before you go too far.
>>
>> See his OLS talk and papers.
>>     
>
> https://ols2006.108.redhat.com/2007/Reprints/mirtchovski-Reprint.pdf
>
> Seems pretty cool.
>
>   


Daniel P. Berrange wrote:
> On Wed, Aug 01, 2007 at 01:52:39AM +1000, Paul J R wrote:
>   
>> Hi guys, I had a quick question.
>>
>> I was playing around writing a php-based web interface for KVM. 
>> Basically something that would allow you to use a tiny distro and let 
>> you manage disk/net etc via php (atm its crude to say the least).
>>
>> It all seems relatively straight forward except for one component - the 
>> console bits. I wanted to make it so you could click on your new vm, 
>> then click on a "console" link and *poof* your console appears on your 
>> web browser via an embedded java applet. The problem is security, 
>> Authenticating users on the page is simple enough, but i cant see a 
>> method by which i could put a password on the vnc port in qemu?
>>     
>
> Watch this space. I will be submitting patches to upstream QEMU either
> today or tomorrow which will enable password support in VNC. It will
> also provide for optional TLS encryption, and x509 certificates for both
> client and server validation & authentication.
>
>   
>> Ideally, what i would like to be able to do is when someone accesses the 
>> console it sets the password randomly, then embed's it into the request. 
>> Once everyone disconnects it resets the password (but thats not quite so 
>> important at this point).
>>     
>
> My patches will cope with that scenario. They provide a monitor command
> to let you change the password on the fly.
>
> Regards,
> Dan.
>   




-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Daniel P. Berrange]

On Wed, Aug 01, 2007 at 03:26:57AM +1000, Paul J R wrote:
> Wow, those are both pretty informative. Given both those replies, i'm 
> wondering if i should continue?
> 
> The kind of thing I had in mind was relatively simple, it'd be a 
> miniture OS that would boot up (over pxe/usb/cdrom) into ram (its about 
> 90mb of ram so far with kvm and a full kernel + kudzu and few small 
> components such as a httpd+php). it searches for a configuration 
> partition and away you go managing the rest via the web interface. I had 
> clustering/multi-node sitting at the back of my head as well.

FYI, libvirt also now provides secure remote access, so it can be used
off-node from the box being managed. Access is either tunnelled over SSH,
or directly connected using TLS + x509 certificates.

  http://libvirt.org/remote.html

This would enable a single web service to manage multiple hosts securely.
http://libvirt.org/remote.html

I illustrated some very simple examples here, showing the same commands
talking to Xen, and KVM/QEMU both locally and remotely over SSH, or TLS.

  http://berrange.com/personal/diary/2007/07/libvirt-remote-management-news

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Paul J R]

Yeah, i did look at libvirt and it remains an option. Originally this 
was all going to be built around xen (I got xen running on two servers 
and had it changing the number of cpu's in a pv host on the fly as well 
as live-migrate guests and went oooooo). But then kvm got merged and so 
i went thru a phase of trying to decide which would be better suited to 
my little project. Around the same time frame, f7 came out and i had a 
good play with virt manager (as well as a few other things like the qemu 
virtualpc for webmin plugin). Libvirt was right after that and i wrote a 
bit of test code to see what i could do with it mostly because it solved 
part of the equation. After much agonizing though i settled on native 
kvm/qemu mostly for simplicity and its ability to run non-modified 
guests on non-hardware virt capable cpus.

Daniel P. Berrange wrote:
> On Wed, Aug 01, 2007 at 03:26:57AM +1000, Paul J R wrote:
>   
>> Wow, those are both pretty informative. Given both those replies, i'm 
>> wondering if i should continue?
>>
>> The kind of thing I had in mind was relatively simple, it'd be a 
>> miniture OS that would boot up (over pxe/usb/cdrom) into ram (its about 
>> 90mb of ram so far with kvm and a full kernel + kudzu and few small 
>> components such as a httpd+php). it searches for a configuration 
>> partition and away you go managing the rest via the web interface. I had 
>> clustering/multi-node sitting at the back of my head as well.
>>     
>
> FYI, libvirt also now provides secure remote access, so it can be used
> off-node from the box being managed. Access is either tunnelled over SSH,
> or directly connected using TLS + x509 certificates.
>
>   http://libvirt.org/remote.html
>
> This would enable a single web service to manage multiple hosts securely.
> http://libvirt.org/remote.html
>
> I illustrated some very simple examples here, showing the same commands
> talking to Xen, and KVM/QEMU both locally and remotely over SSH, or TLS.
>
>   http://berrange.com/personal/diary/2007/07/libvirt-remote-management-news
>
> Regards,
> Dan.
>   



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Daniel P. Berrange]

On Thu, Aug 02, 2007 at 02:25:46AM +1000, Paul J R wrote:
> Yeah, i did look at libvirt and it remains an option. Originally this 
> was all going to be built around xen (I got xen running on two servers 
> and had it changing the number of cpu's in a pv host on the fly as well 
> as live-migrate guests and went oooooo). But then kvm got merged and so 
> i went thru a phase of trying to decide which would be better suited to 
> my little project. Around the same time frame, f7 came out and i had a 
> good play with virt manager (as well as a few other things like the qemu 
> virtualpc for webmin plugin). Libvirt was right after that and i wrote a 
> bit of test code to see what i could do with it mostly because it solved 
> part of the equation. After much agonizing though i settled on native 
> kvm/qemu mostly for simplicity and its ability to run non-modified 
> guests on non-hardware virt capable cpus.

libvirt could help in reference to the points elsewhere in this thread about 
some people prefering to use a Web UI, and others preferring to automate 
with command line tools. The command line virsh tool would see exactly the
same state as the Web UI & they'd each see the results of the other's changes.

We realize there are some things that libvirt doesn't support in its APIs
yet, and so welcome feedback from any users & developers about capabilites
that they need so we can adapt & prioritize future development plans.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[ron minnich]

On 7/31/07, Paul J R <me-wwXWdph6gTo@public.gmane.org> wrote:

> The kind of thing I had in mind was relatively simple, it'd be a
> miniture OS that would boot up (over pxe/usb/cdrom) into ram (its about
> 90mb of ram so far with kvm and a full kernel + kudzu and few small
> components such as a httpd+php). it searches for a configuration
> partition and away you go managing the rest via the web interface. I had
> clustering/multi-node sitting at the back of my head as well.

I can tell you that for clusters web console interfaces are pretty
useless, as scripting is hard for them, and a web interface is really
pretty clumsy for almost anything of reasonable size. I think that
kvmfs is really a great idea, and what I would want if I had a 128 or
1024 node or larger cluster. Note that we plan9 to do sims here with
10,000 instances of lguest on a 128-node cluster, and a web interface
would be the worst possible way to do that.

ron

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Paul J R]

Being a command line guy myself, I tend to agree and disagree. You can 
wrap up nearly all of your day-to-day tasks in a gui (be it X, web or 
other). Your gui may only provide 75% of the functionality of your 
software. The kind of thing i had in mind was more like, "hey, we got a 
new initrd//kernel, lets push that out to the pxeboot area and we'll do 
rolling reboots of the nodes" and get the cluster/web framework to 
manage live migration of hosts (or shutdown/startup) from one node to 
another. Plus things like, click, click, click - i just provisioned a 
new guest with a some disk space, a network connection and a chunk of 
memory/cpu. Of course the most important part of that is "how's the 
cluster going this morning" - *click* its all green, good.

That doesn't mean your free from the command, god no cause a gui limits 
(quite harshly at times) what your capable of doing - but it can 
simplify your life.

But why web? <story>a while ago i was deploying a bunch of sun servers 
doing some web server work for a large corp (by AU terms, 50k 
employee's) mostly j2ee, iplanet web server and oracle. They used HP 
openview (among other things), but the op's guys jumped on and installed 
big brother agents. The guy said to me "oh yeah, we have this little 
server over here running bb for ourselves cause we can do almost 
anything and monitor almost anything with it. If its not in BB already 
its like easy enough to throw together a script of some kind to 
measure/monitor it. Basically, what i do is set the warning levels 
really low so i can just pull up my java nokia phone and go thru the wap 
portal and see if im likely to get paged before i go anywhere. If its 
yellow, OV wont alarm but I know I had best take a look before i go 
anywhere".</story>

But, its always made me aim for a simple interface for day-to-day and 
get funky for the special cases, disaster recovery, etc. Now as the 
thing im trying to manage gets large, the better I want that interface 
to be because if i have to manage 4 machines i could ssh into them all 
and just look, but as that becomes 8 machines, 16, 32, etc the more i 
need information compressed or the harder its going to be for me to get 
to terms with it (this may come across as me sounding like im missing 
the point of kvmfs, which it inst intended to).

But, i whole-heartedly agree with kvmfs, it looks brilliant and exactly 
what vm's really do need!

Of course, prefix everything i just said with "in my humble opinion".

ron minnich wrote:
> On 7/31/07, Paul J R <me-wwXWdph6gTo@public.gmane.org> wrote:
>
>   
>> The kind of thing I had in mind was relatively simple, it'd be a
>> miniture OS that would boot up (over pxe/usb/cdrom) into ram (its about
>> 90mb of ram so far with kvm and a full kernel + kudzu and few small
>> components such as a httpd+php). it searches for a configuration
>> partition and away you go managing the rest via the web interface. I had
>> clustering/multi-node sitting at the back of my head as well.
>>     
>
> I can tell you that for clusters web console interfaces are pretty
> useless, as scripting is hard for them, and a web interface is really
> pretty clumsy for almost anything of reasonable size. I think that
> kvmfs is really a great idea, and what I would want if I had a 128 or
> 1024 node or larger cluster. Note that we plan9 to do sims here with
> 10,000 instances of lguest on a 128-node cluster, and a web interface
> would be the worst possible way to do that.
>
> ron
>
>   



-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Matthew Kent]

On Wed, 2007-01-08 at 01:52 +1000, Paul J R wrote:
> Hi guys, I had a quick question.
> 
> I was playing around writing a php-based web interface for KVM. 

Well since KVM uses QEMU you'd really be writing a frontend for that.
I've already seen a number of other projects for QEMU frontends, google
should turn up a few.

> Basically something that would allow you to use a tiny distro and let 
> you manage disk/net etc via php (atm its crude to say the least).
> 
> It all seems relatively straight forward except for one component - the 
> console bits. I wanted to make it so you could click on your new vm, 
> then click on a "console" link and *poof* your console appears on your 
> web browser via an embedded java applet.

Try http://www.oszoo.org/wiki/index.php/Free_Live_OS_Zoo

>  The problem is security, 
> Authenticating users on the page is simple enough, but i cant see a 
> method by which i could put a password on the vnc port in qemu?
> 

http://fedoraproject.org/wiki/Releases/FeatureVirtSecurity is a project
tasked with improving VNC security among other things, right now qemu
doesn't have many options in that regard.

> Ideally, what i would like to be able to do is when someone accesses the 
> console it sets the password randomly, then embed's it into the request. 
> Once everyone disconnects it resets the password (but thats not quite so 
> important at this point).
> 

Xen has patches to qemu vnc for supporting passwords if you need a
starting point. Though iirc they are pulled from the xenstore or
whatever they call it, so it would need some work I'd imagine.
-- 
Matthew Kent \ SA \ bravenet.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Daniel P. Berrange]

On Tue, Jul 31, 2007 at 09:33:30AM -0700, Matthew Kent wrote:
> >  The problem is security, 
> > Authenticating users on the page is simple enough, but i cant see a 
> > method by which i could put a password on the vnc port in qemu?
> > 
> 
> http://fedoraproject.org/wiki/Releases/FeatureVirtSecurity is a project
> tasked with improving VNC security among other things, right now qemu
> doesn't have many options in that regard.

Yep, this is the code I'm just finishing off now in preparation for review
on QEMU mailing lists.

> > Ideally, what i would like to be able to do is when someone accesses the 
> > console it sets the password randomly, then embed's it into the request. 
> > Once everyone disconnects it resets the password (but thats not quite so 
> > important at this point).
> > 
> 
> Xen has patches to qemu vnc for supporting passwords if you need a
> starting point. Though iirc they are pulled from the xenstore or
> whatever they call it, so it would need some work I'd imagine.

The Xenstore integration made it pretty useless as a basis for password
support in general QEMU codebase :-(

Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Avi Kivity]

Paul J R wrote:
> Hi guys, I had a quick question.
>
> I was playing around writing a php-based web interface for KVM. 
> Basically something that would allow you to use a tiny distro and let 
> you manage disk/net etc via php (atm its crude to say the least).
>
> It all seems relatively straight forward except for one component - the 
> console bits. I wanted to make it so you could click on your new vm, 
> then click on a "console" link and *poof* your console appears on your 
> web browser via an embedded java applet. The problem is security, 
> Authenticating users on the page is simple enough, but i cant see a 
> method by which i could put a password on the vnc port in qemu?
>   

You could have the qemu listen on localhost, the web server connect to 
qemu and encapsulate it in ssl, so:

   [ client ] ---ssl---> [ web server ] ----plain---> [ qemu ]

Presumably, the ssl session was already authenticated by the web server, 
so all you need to do is peel away the ssl encapsulation and forward 
traffic to the qemu process.

An advantage of this approach is that qemu need not be on the same 
machine as the web server; you could have a single web server tunneling 
vnc sessions to several hosts.

-- 
error compiling committee.c: too many arguments to function


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Daniel P. Berrange]

On Wed, Aug 01, 2007 at 01:52:39AM +1000, Paul J R wrote:
> Hi guys, I had a quick question.
> 
> I was playing around writing a php-based web interface for KVM. 
> Basically something that would allow you to use a tiny distro and let 
> you manage disk/net etc via php (atm its crude to say the least).
> 
> It all seems relatively straight forward except for one component - the 
> console bits. I wanted to make it so you could click on your new vm, 
> then click on a "console" link and *poof* your console appears on your 
> web browser via an embedded java applet. The problem is security, 
> Authenticating users on the page is simple enough, but i cant see a 
> method by which i could put a password on the vnc port in qemu?

Watch this space. I will be submitting patches to upstream QEMU either
today or tomorrow which will enable password support in VNC. It will
also provide for optional TLS encryption, and x509 certificates for both
client and server validation & authentication.

> Ideally, what i would like to be able to do is when someone accesses the 
> console it sets the password randomly, then embed's it into the request. 
> Once everyone disconnects it resets the password (but thats not quite so 
> important at this point).

My patches will cope with that scenario. They provide a monitor command
to let you change the password on the fly.

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/

Re: web interface?

[Matthew Kent]

On Tue, 2007-31-07 at 17:57 +0100, Daniel P. Berrange wrote:
> On Wed, Aug 01, 2007 at 01:52:39AM +1000, Paul J R wrote:
> > Hi guys, I had a quick question.
> > 
> > I was playing around writing a php-based web interface for KVM. 
> > Basically something that would allow you to use a tiny distro and let 
> > you manage disk/net etc via php (atm its crude to say the least).
> > 
> > It all seems relatively straight forward except for one component - the 
> > console bits. I wanted to make it so you could click on your new vm, 
> > then click on a "console" link and *poof* your console appears on your 
> > web browser via an embedded java applet. The problem is security, 
> > Authenticating users on the page is simple enough, but i cant see a 
> > method by which i could put a password on the vnc port in qemu?
> 
> Watch this space. I will be submitting patches to upstream QEMU either
> today or tomorrow which will enable password support in VNC. It will
> also provide for optional TLS encryption, and x509 certificates for both
> client and server validation & authentication.

Oh that's great stuff. I'll be sure to help test it out thoroughly.
-- 
Matthew Kent \ SA \ bravenet.com


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >>  http://get.splunk.com/