
Thread: PVECert parameter in VNC

  1. #1
    Join Date
    Apr 2010
    Posts
    383

    PVECert parameter in VNC

    I have my own code which connects to the VNC of each VM from inside my web application. This feature was fine with Proxmox 1.9, but it seems Proxmox 2 has added a PVECert parameter.
    My question about this parameter is whether it's unique for each VNC session, for each VM, or for each Proxmox server?
    And what about the PASSWORD parameter? Which kind of encryption does it use?
    Last edited by tincboy; 03-28-2012 at 03:17 PM.

  2. #2
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    New VNC is encrypted using TLS with VEncrytAuthPlain, so you need a client which supports that (tigervnc).

    You get all needed parameters when you create the vncproxy with the API (/nodes/<node>/qemu/<VMID>/vncproxy).

    Try:

    # pvesh create /nodes/localhost/qemu/10000/vncproxy

    to get an idea

  3. #3
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    Thanks dietmar,
    I've run the command below, but it gives me connection timeout errors. Also, how can I specify which port I want VNC to listen on?
    Code:
    pvesh create /nodes/c43/qemu/4333/vncproxy
    no connection : Connection timed out
    command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1

  4. #4
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    Thanks dietmar,
    I've run the command below, but it gives me connection timeout errors,
    Do you use the latest version? And do you run that on the same node the VM is on?

    Quote Originally Posted by tincboy View Post
    also how can I specify which port I want VNC to listen on?
    There is currently no way to specify the port.

  5. #5
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    I guess it's the final version, because I've installed it last week,
    Code:
    pveversion -v
    pve-manager: 2.0-38 (pve-manager/2.0/af81df02)
    running kernel: 2.6.32-7-pve
    proxmox-ve-2.6.32: 2.0-60
    pve-kernel-2.6.32-7-pve: 2.6.32-60
    lvm2: 2.02.88-2pve1
    clvm: 2.02.88-2pve1
    corosync-pve: 1.4.1-1
    openais-pve: 1.1.4-2
    libqb: 0.10.1-2
    redhat-cluster-pve: 3.1.8-3
    resource-agents-pve: 3.9.2-3
    fence-agents-pve: 3.1.7-1
    pve-cluster: 1.0-23
    qemu-server: 2.0-25
    pve-firmware: 1.0-15
    libpve-common-perl: 1.0-17
    libpve-access-control: 1.0-17
    libpve-storage-perl: 2.0-12
    vncterm: 1.0-2
    vzctl: 3.0.30-2pve1
    vzprocps: 2.0.11-2
    vzquota: 3.0.12-3
    pve-qemu-kvm: 1.0-5
    ksm-control-daemon: 1.1-1

  6. #6
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    And do you run that on the same node the VM is on
    Yes, it's on the same server

  7. #7
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    Yes, it's on the same server
    Oh - please can you use a non-existing VMID for the test (or stop the VM)?

  8. #8
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    Output for a non-existing VMID:
    Code:
    pvesh create /nodes/localhost/qemu/8888/vncproxy
    no connection : Connection timed out
    command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 8888 2>/dev/null'' failed: exit code 1
    200 OK
    {
       "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
       "port" : 5900,
       "ticket" : "PVEVNC:4F7481E8::OHjcIAAY99aIN6kRKkwv7RO30Quox9XfeTfM1Ae2DsLaMfhkXI2jFzjgA+b6eIKN65ylLXhJc1Hw4ugLoA3lNO34zeHZDYk3FazPLymb5ZGodL3QB0R0KE9if3sjWGR2BmVDiwzUj4ZHknafl9qZxJBy0xQvQ8UAQkFM32S9AAFhpWVTRqPccgf0Dhb3fE4b8XPT5eyJQ3SLT1rP8x7KHa6VayXSOCBa58B0MxlRKbx6SKoK2ulkLgRf+Xu9KBxxxpssAkV7M3W4Xen3Uluby2eDtv7tosKIT/YB3l547kRffCYKPHovWzqMvfYnQcX9EnbJD3a9zqUADco+cTfQkw==",
       "upid" : "UPID:c43:00084C2E:05558C53:4F7481E8:vncproxy:8888:root@pam:",
       "user" : "root@pam"
    }
    Output for an existing VMID:
    Code:
    pvesh create /nodes/localhost/qemu/4333/vncproxy
    no connection : Connection timed out
    command '/bin/nc -l -p 5900 -w 10 -c '/usr/sbin/qm vncproxy 4333 2>/dev/null'' failed: exit code 1
    200 OK
    {
       "cert" : "-----BEGIN CERTIFICATE-----\nMIIEPzCCAyegAwIBAgIJAICXJAdaqrphMA0GCSqGSIb3DQEBBQUAMHIxJDAiBgNV\nBAMTG1Byb3htb3ggVmlydHVhbCBFbnZpcm9ubWVudDEpMCcGA1UECxMgYWI2ZDgx\nYjhlZWJhNDNiZjE2ODk4ZDIwYWMyYmFlNWQxHzAdBgNVBAoTFlBWRSBDbHVzdGVy\nIE1hbmFnZXIgQ0EwHhcNMTIwMzE3MTMyNjAxWhcNMjIwMzE1MTMyNjAxWjByMSQw\nIgYDVQQDExtQcm94bW94IFZpcnR1YWwgRW52aXJvbm1lbnQxKTAnBgNVBAsTIGFi\nNmQ4MWI4ZWViYTQzYmYxNjg5OGQyMGFjMmJhZTVkMR8wHQYDVQQKExZQVkUgQ2x1\nc3RlciBNYW5hZ2VyIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA\n5Jrpsbam/nknztPDyzsJtiVy32GROvxmSbxgQOyhF6k1xFa9Z33xXl25CxSHkOei\nH4fLKTGhtwC7XoVCaPmBq9Wnyu0DiguPY7tPs5R+YJAWNzK9/vaAakYpcA43deBl\nd/KOdvZNlqiOqzG3QLL/M84+yZt961QTTFBOErjGW6BEMnJqzxk7LSeujsrNZRZ5\noaCUUHDFpMbw/A8Hijy7tFK8LKTnq1bssV3tAZHxU/RHo4IvDMhbWuiDN2RZtEov\nf8Mpy2+7JYBrWkIyp3rix5EMeMPcixkP9KIQb+btn3myNKMcSTvQxteGXoCoTPd4\nWZFAS3vtoje/tBgZW7HrSQIDAQABo4HXMIHUMB0GA1UdDgQWBBR8znH2R1ktEXBq\nqwlPHFZg96XESDCBpAYDVR0jBIGcMIGZgBR8znH2R1ktEXBqqwlPHFZg96XESKF2\npHQwcjEkMCIGA1UEAxMbUHJveG1veCBWaXJ0dWFsIEVudmlyb25tZW50MSkwJwYD\nVQQLEyBhYjZkODFiOGVlYmE0M2JmMTY4OThkMjBhYzJiYWU1ZDEfMB0GA1UEChMW\nUFZFIENsdXN0ZXIgTWFuYWdlciBDQYIJAICXJAdaqrphMAwGA1UdEwQFMAMBAf8w\nDQYJKoZIhvcNAQEFBQADggEBAMZ4hXMWYtJSNq79PhiDnzrJp8LQjQvBs6Q0dZMg\nOT6ZfN6GhMYiEwKN0hHJlxe1GyqQMPG7Kod0UR8RjzGEM6U+QYi9otqNlJlVzNyS\ndn/7qmqvGr9+U6l++SOZkiexUnlaa52ZBiCwCs46B9MjkyCRwEUk7daIhBxFgrAw\nBrQTbkm4TwADXABozQFQPAFt69yokEvLBHdOUidWxmh5fQdO0QUJauLeyF28KTX3\nTqUtZzdpPzE39KRCOwPjeeA79QoTb1Bk7b33gIXmxUTbdPgGGOVJZA4DGRFiELX5\nCckZHgAZqNNZhN/dMzqTpvU1ZNpSZqViwm37SZyfOmtAOwE=\n-----END CERTIFICATE-----\n",
       "port" : 5900,
       "ticket" : "PVEVNC:4F74825B::RSl8dc71OVwwQqc3n7PooT0vq7H2gP7CZ3QRvNC0yq7E+pDVsdbEn1sJj8FFRAQMnnM6fWfPCU6wUUf66Dh1b48NkHCsrViss0FZ600Jq8kRfsbt6mhGWgHhoRN62XSmk9AL/sOtlDKDmY2g4uoIKhRZHQAikT7yTAd8ltov5omaMak9JJnr1g67uS+DYGvRXJ+OTieAKoxezYP6T4dsvd6GA6pEIxeDjHizzNm9njzBi40TyLnt/nTC3truFftIzZfdYTqiutwvGNzBz5tJMXI2/oZB4PaX3h+OQyf2CKcsU7NnrGcFWfZ3K6/+C7dUg9O7gZlErpQiS8fupJUAHQ==",
       "upid" : "UPID:c43:00084D02:0555B91B:4F74825B:vncproxy:4333:root@pam:",
       "user" : "root@pam"
    }
    Thanks for your attention

  9. #9
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    So it works as expected - You can use the returned parameters for VNC (use ticket as password).

  10. #10
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    I'm using the data, but would you please let me know if the name of the HOST parameter has changed? The VNC shows me nothing, not even an error, just a white screen.

  11. #11
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    I'm using the data, but would you please let me know if the name of the HOST parameter has changed? The VNC shows me nothing, not even an error, just a white screen.
    Take a look at our code - function start_vnc_viewer() in:

    https://git.proxmox.com/?p=pve-manag...81d14d;hb=HEAD

  12. #12
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    Quote Originally Posted by dietmar View Post
    Take a look at our code - function start_vnc_viewer() in:

    https://git.proxmox.com/?p=pve-manag...81d14d;hb=HEAD
    Thank you dietmar,
    I've implemented my code just like what you did in start_vnc_viewer,
    but the issue is not gone. I didn't find out how to pass the HOST IP to the applet, and a white screen is still what I get from the applet.
    Would you please let me know if there's anything else I should consider?

  13. #13
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    but the issue is not gone. I didn't find out how to pass the HOST IP to the applet, and a white screen is still what I get from the applet.
    You can only connect to the host where you started the proxy. Sorry, but I do not really know what you are trying to do.

  14. #14
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    I'm a VPS provider. On my website I have a section where my clients can reboot, shut down or VNC to their servers.
    This was simply done with Proxmox 1.9, but with Proxmox 2 I haven't had any success showing the VNC console on my website to my clients.
    It is important for me to let my clients control their servers from inside their client area without going to a different address.

  15. #15
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    Any help on this?
    Do you think running the qm vncproxy manually by myself will help me in this situation?

  16. #16
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    Do you think running the qm vncproxy manually by myself will help me in this situation?
    Again, I do not know your setup in detail, and you did not write any details about the problem. In general, you need a VNC server, and connect that to the VNC client. You have the complete source code, so it should be easy to debug.

  17. #17
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    OK, thanks dietmar,
    I already found out how a VNC session can be initiated by reading the vncproxy method of this file: https://git.proxmox.com/?p=qemu-serv...d56e65;hb=HEAD
    But as it seems the source code of the VNC applet is not available, would you please let me know if the applet supports connecting to a remote server?

  18. #18
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    As it seems the source code of the VNC applet is not available, would you please let me know if the applet supports connecting to a remote server?
    The VNC applet is part of the 'vncterm' package. That package includes the whole tigervnc sources.

  19. #19
    Join Date
    Apr 2010
    Posts
    383

    Re: PVECert parameter in VNC

    Security question,
    As I want to show the applet to my clients on my own website, I have to pass the username & password to the applet. So does the ticket value contain critical data? And can it be abused by whoever knows it?

  20. #20
    Join Date
    Apr 2005
    Location
    Austria
    Posts
    11,882

    Re: PVECert parameter in VNC

    Quote Originally Posted by tincboy View Post
    So does the ticket value contain critical data? And can it be abused by whoever knows it?
    I guess you talk about the ticket returned by the create vncproxy API? That is a special ticket only valid for a very limited time (1 min). That ticket allows access to that VNC console for that time, so you should not make it public.
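
The ticket handling discussed in this thread (a vncproxy response whose ticket is used as the VNC password and is valid for about one minute), as an added example that is not part of the thread or of Proxmox's code: checks a web application could run before forwarding a response to a customer's browser. The ticket and UPID layouts are assumptions inferred from the output posted above, and all function names are hypothetical.

```python
import re

# Layouts assumed from the output quoted in the thread, not from Proxmox docs.
TICKET_RE = re.compile(r"^PVEVNC:([0-9A-Fa-f]{8})::[A-Za-z0-9+/]+={0,2}$")
UPID_KEYS = ("node", "pid", "pstart", "starttime", "type", "id", "user")
TICKET_LIFETIME = 60  # seconds ("1 min" per the reply above)

# Constructed sample: timestamp and UPID follow the thread's output; the
# signature is a short placeholder, not a real ticket.
SAMPLE = {
    "ticket": "PVEVNC:4F7481E8::c2lnbmF0dXJl",
    "upid": "UPID:c43:00084C2E:05558C53:4F7481E8:vncproxy:8888:root@pam:",
    "user": "root@pam",
}

def ticket_issued_at(ticket):
    """Return the ticket's issue time (Unix seconds) or raise ValueError."""
    m = TICKET_RE.match(ticket)
    if not m:
        raise ValueError("not a PVEVNC ticket")
    return int(m.group(1), 16)

def parse_upid(upid):
    """Split a UPID string into named fields or raise ValueError."""
    parts = upid.split(":")
    if len(parts) != 9 or parts[0] != "UPID":
        raise ValueError("unexpected UPID layout")
    return dict(zip(UPID_KEYS, parts[1:8]))

def check_response(resp, expected_vmid, expected_user, now, skew=5):
    """Reasons not to forward this vncproxy response; empty list means OK."""
    issued_at = ticket_issued_at(resp["ticket"])
    upid = parse_upid(resp["upid"])
    age = now - issued_at
    problems = []
    if age > TICKET_LIFETIME:
        problems.append("ticket expired")
    if age < -skew:
        problems.append("ticket issued in the future")
    if upid["type"] != "vncproxy" or upid["id"] != str(expected_vmid):
        problems.append("UPID is for a different task or VM")
    if resp["user"] != expected_user or upid["user"] != expected_user:
        problems.append("ticket issued to an unexpected user")
    return problems

def redact(ticket):
    """Log-safe form: keeps the prefix and timestamp, drops the signature."""
    return ticket.split("::", 1)[0] + "::<redacted>"
```

Only the redacted form should reach application logs; the full ticket goes to the one authenticated customer session that requested the console.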
