XCP-ng

    VM Console Access

    • irtaza9

      Hey, I want to access my VM console wss://domain/api/consoles/vm-id on the web. What client or library should I use and then pass it to so I can get the console?

      I am using the same code which is in your GitHub repo.

      Getting this error.

      83fead8f-077e-4988-827c-9cae7ef4b98f-image.png

      On the /V6 route it is working fine.

      ec89395e-89c2-440e-9e8a-b3400b794cf1-image.png

      github code: https://github.com/irtaza9/no-vnc-vuejs-xcpng

      • olivierlambert Vates 🪐 Co-Founder CEO

        Hi,

        The question is ultra vast and there are potentially millions of reasons why you have a problem. Could be your app code, could be anything else. This means we would probably need to debug your existing app, which is not possible for obvious reasons…

        At least I can answer it's an RFB protocol (any VNC can read it). You need to be connected with a valid token though.

        • irtaza9 @olivierlambert

          @olivierlambert My code is the same as yours, but I think I have to pass the same cookies which are being sent in XO.

          cookie:
          clientId=077127hpx0cp; connect.sid=s%3AmANobWiFk3Xult7ML-XM8Wxvn4tAF0Ry.nHFRrmcTkvRXFrcjjTLsNGB5ti5w5sc7WDJCZQeeUec; token=HTfGqSylve1882ycxhuCPAWXmy9vmXM8gkC6FAAM1_M
          host:
          xenorchestra1.nayatel.com
          origin:
          https://xenorchestra1.nayatel.com
          

          My app is running locally and I am trying to access a different-origin resource without passing the authentication material. I want to know where to pass it in the ws.

          • irtaza9 @olivierlambert

            @olivierlambert

            My XO is deployed and when I go to the console it gives me access.

            production XO

            wss://xenorchestra1.nayatel.com/api/consoles/vm-id
            

            test XO

            ws://xen.zeests.com:7778/api/consoles/vm-id
            

            I have tokens for both services.

            Now I want to access the console from a different web application which is running on a different host and has a different domain mapped. How can I achieve this?

            One error is:

            noVNC requires a secure context (TLS). Expect crashes!
            
            • irtaza9 @irtaza9

              @olivierlambert any comment will help me a lot.

              I am testing access to the console with the official noVNC client https://hub.docker.com/r/theasp/novnc but I am getting this error.

              57b77eae-2566-40de-be57-b315e05d56ab-image.png

              Can you guys give it a try and share your thoughts? I don't know how to pass the token in the local noVNC Docker image.

              f131f0cf-1c76-4ed3-96da-0889a3982895-image.png

              • olivierlambert Vates 🪐 Co-Founder CEO

                That's almost a question for the DevOps Team Tool I suppose 🤔

                Ping @nathanael-h

                • irtaza9 @olivierlambert

                  @nathanael-h your comments will help me a lot. I am not able to access my VM console from outside.

                  This is my URL format to access the console.

                  wss://domain/api/consoles/vmid
                  

                  I know we have to pass the token and I have a valid admin token but still I am not able to get it done.

                  • nathanael-h Vates 🪐 DevOps Team @irtaza9

                    @irtaza9 Hey, I tried quickly on my local laptop but was not able to handle the auth. So I asked internally who already knows how this works. (Unfortunately I cannot spend multiple hours on this.)

                    • irtaza9 @nathanael-h

                      @nathanael-h

                      This is my code to test the console for VMs, but I am not able to access it. Actually, I have to access the console, but I do not know how to do auth for this.

                      • irtaza9 @irtaza9

                        @olivierlambert @nathanael-h

                        I was able to solve this and access the VM consoles in my web app. I deployed Xen Orchestra from sources and ran it on localhost, then I ran my custom web app on localhost and passed my admin token to be set in the cookies, and then I got access to the consoles.

                        But when I try to access the console from a different domain, it doesn't work because it is a cross browser cookie issue. The browser refuses to store the cookie of my production XO. Now I do not know any other way to resolve this, because the authentication mechanism you guys are using is a token in a cookie.

                        4d965647-be5f-4f31-9990-a580a81953e8-image.png

                        1b10d65b-9858-4937-a656-fc2ec7c7ffc5-image.png

                        Suggestion: noVNC supports username & password in the URL; what if we perform authentication for consoles like this too? Also, what about a token in query params?

                        2ddf6ef9-75cf-494f-b5a3-2e0da5b187f5-image.png
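
One way around the cross-domain cookie problem described in the post above is a relay on the web app's own origin that checks the app's session and attaches the XO token server-side, so the browser never holds it. This is an added example, not code from the thread or from Xen Orchestra; it assumes XO accepts the token as a `token` cookie on the upgrade request (as observed in the thread), and `XO_HOST`, `XO_TOKEN`, `SESSIONS`, `ACL`, the `app_sid` cookie and the `/console/<vm-id>` path are hypothetical.

```javascript
// Added example: same-origin relay that keeps the XO token on the server.
// Assumption: XO accepts `Cookie: token=...` on the console upgrade request.
const XO_HOST = process.env.XO_HOST || 'xo.example.internal'; // hypothetical
const XO_TOKEN = process.env.XO_TOKEN || 'PLACEHOLDER_TOKEN'; // never reaches the browser
const SESSIONS = new Map([['sess-a', 'alice'], ['sess-b', 'bob']]); // constructed app sessions
const ACL = { alice: ['vm-1'], bob: ['vm-2'] }; // constructed per-user VM allow-list

function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Returns the VM id if the caller's own app session may open it, else null.
function authorize(req) {
  const m = /^\/console\/([A-Za-z0-9-]+)$/.exec(req.url);
  const user = SESSIONS.get(parseCookies(req.headers.cookie).app_sid);
  return m && user && (ACL[user] || []).includes(m[1]) ? m[1] : null;
}

// Handshake sent to XO: WebSocket headers only, browser cookies replaced by the token.
const WS_HEADERS = ['upgrade', 'connection', 'sec-websocket-key', 'sec-websocket-version', 'sec-websocket-protocol'];
function upstreamRequest(req, vmId) {
  const lines = [`GET /api/consoles/${vmId} HTTP/1.1`, `Host: ${XO_HOST}`, `Cookie: token=${XO_TOKEN}`];
  for (const h of WS_HEADERS) if (req.headers[h]) lines.push(`${h}: ${req.headers[h]}`);
  return lines.join('\r\n') + '\r\n\r\n';
}

function createRelay() {
  const http = require('node:http'), tls = require('node:tls');
  const server = http.createServer((_req, res) => res.writeHead(426).end());
  server.on('upgrade', (req, socket, head) => {
    const vmId = authorize(req);
    if (!vmId) return socket.end('HTTP/1.1 403 Forbidden\r\n\r\n');
    const up = tls.connect(443, XO_HOST, { servername: XO_HOST }, () => {
      up.write(upstreamRequest(req, vmId));
      if (head.length) up.write(head);
      socket.pipe(up).pipe(socket); // XO's 101 reply and RFB frames flow through
    });
    up.on('error', () => socket.destroy());
    socket.on('error', () => up.destroy());
  });
  return server; // caller: createRelay().listen(<port>) behind the app's TLS proxy
}
```

noVNC in the browser then connects to the relay's `/console/<vm-id>` URL on the app's own origin, and the per-user check happens before any byte reaches XO.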

                          • nathanael-h Vates 🪐 DevOps Team @irtaza9

                            @irtaza9 I am glad to read you found a solution that works for you. And thanks for sharing!

                            • irtaza9 @nathanael-h

                              @nathanael-h I got more information, as I am still observing a few things regarding the console. I got to know that there is no authentication at all at the console level and on a per-user basis.

                              My test use case

                              Vm -> Ubuntu

                              vm:5173 -> custom app
                              vm:3000 -> custom api server

                              vm:nginx:80/443

                              • rncp.nayatel.com -> localhost:5173
                              • rncpbe.nayatel.com -> localhost:3000

                              My XOA is running on xenorchestra1.nayatel.com, which is on a private network, and my VM is allowed in the route so I can connect to it. Now my custom work and XOA are on the same domain with the same SSL certs. Now when I go to my rncp.nayatel.com and place any VM ID in the query param, the console for my VM is accessible in my custom web app. This app is calling an API on rncpbe.nayatel.com for authentication only, which returns the wss URL to my frontend app; my frontend app then uses that URL to create the socket in noVNC, and the console gets accessed.

                              From this, it is my conclusion that XOA does not perform authentication on console access; it only checks the cross-domain, and it also does not need a token in cookies for console authentication.

                              58091d92-7099-4e9e-8054-d5afb8f95596-image.png

                              9e0af28d-9f2b-4acb-bafe-c3b64cbc3470-image.png

                              b0e782c5-0760-46ac-8e8d-18893fc2ab65-image.png

                              4e2d55b7-4818-4ad3-acf0-0057adf89346-image.png

                              • irtaza9 @irtaza9

                                @nathanael-h @olivierlambert

                                Extending this thread because it is still relevant.

                                The console is using the RFB protocol for streaming. Right now each user who has access to a VM console is seeing the same console that is seen by the others. Is there any way to give each user their own console?

                                • olivierlambert Vates 🪐 Co-Founder CEO

                                  Hi,

                                  No, there's only one console, which is the "virtual screen" of the VM. If you want a multi-user thing, check a VDI solution, like UDS Enterprise https://docs.xcp-ng.org/project/ecosystem/#uds-enterprise
