Created own interface to allow clients to create VM's and only access those VM's

tylerdurden81

Member
Jan 8, 2011
124
0
16
I am not a very good programmer at all. I wouldn't even call myself a programmer. But i was able to create a web interface when a customer can create there own Virtual machine. Start | Stop it. Log into it with java VNC. Mount different iso's ect. But only for the machines that they create. I couldnt wait for version 2.0 to come out for this. Anyways i was hoping someone could look over the code to make sure there are not any security flaws.


Here is the Basic Create VM Code

Please don't be to harsh.

PHP:
<?php 
include('php/Net/SSH2.php');
include 'dbc.php';
page_protect();
session_start();

$sql_insert =   "UPDATE users SET       os = '$_POST[os]'       WHERE id = '$_SESSION[user_id]'";
$sql_insert3 =  "UPDATE users SET comments = '$_POST[comments]' WHERE id = '$_SESSION[user_id]'";
$sql_insert4 =  "UPDATE users SET vmid     = '$_SESSION[user_id]' WHERE id = '$_SESSION[user_id]'";
$sql_insert5 =  "UPDATE users SET vncport  = '$_SESSION[user_id]'   WHERE id = '$_SESSION[user_id]'";
$sql_insert7 =  "UPDATE users SET vncpass  = '$_POST[pwd]'       WHERE id = '$_SESSION[user_id]'";
$sql_insert8 =  "UPDATE users SET storage  = '$_POST[harddisk]'       WHERE id = '$_SESSION[user_id]'";
$sql_insert9 =  "UPDATE users SET memory  = '$_POST[mem]'       WHERE id = '$_SESSION[user_id]'";
$sql_insert6 =  "UPDATE users SET vncpage  = '<HTML>
<TITLE>
VPS Viewer
</TITLE>
<BODY>

<APPLET ARCHIVE=\"TightVncViewer.jar\" CODE=\"com.tightvnc.vncviewer.VncViewer\" WIDTH=\"1\" HEIGHT=\"1\">
<PARAM NAME=\"HOST\" VALUE=\"HOST\">
<PARAM NAME=\"PORT\" VALUE=\"$_SESSION[user_id]\">
<PARAM NAME=\"Open New Window\" VALUE=\"yes\">
</APPLET>



</BODY>
</HTML>'       WHERE id = '$_SESSION[user_id]'";







            
            
            
mysql_query($sql_insert) or die("Insertion Failed: OS" . mysql_error());
mysql_query($sql_insert3) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert4) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert5) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert6) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert7) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert8) or die("Insertion Failed: Comments" . mysql_error());
mysql_query($sql_insert9) or die("Insertion Failed: Comments" . mysql_error());




$con = mysql_connect("localhost","USER","PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("login", $con);


$result = mysql_query("SELECT * FROM users WHERE id='$_SESSION[user_id]'");

while($row = mysql_fetch_array($result))
{
    $ip = $row['node'];
    $ssh = new Net_SSH2($ip);
    if (!$ssh->login('USER', 'PASSWORD')) {
        exit('Login Failed');
    }

$a = $row['user_email'];
$vmid = $row['id'];
    echo "<center>";
    echo $ssh->exec("/usr/sbin/qm create $vmid --cdrom Backups:iso/$_POST[os] --name $a --vlan0 rtl8139 --bootdisk ide0 --ostype other --ide0 openfiler4lvm:$_POST[harddisk],format=raw --memory $_POST[mem] --onboot no --sockets 1");
    echo "</center>";
    
    
 }

$filename = 'inetd.conf';
$somecontent = "$_SESSION[user_id] stream tcp nowait root /usr/sbin/qm qm vncproxy $_SESSION[user_id]  $_POST[pwd] \n";


if (is_writable($filename)) {


    if (!$handle = fopen($filename, 'a')) {
         echo "Cannot open file ($filename)";
         exit;
    }

   
    if (fwrite($handle, $somecontent) === FALSE) {
        echo "Cannot write to file ($filename)";
        exit;
    }

    

    fclose($handle);

} else {
    echo "The file $filename is not writable";
}
$ip2 = "ADDRESS";

$ssh2 = new Net_SSH2($ip2);
    if (!$ssh2->login('USER', 'PASSWORD')) {
        exit('Login Failed');
}
    echo "<center>";
    echo $ssh2->exec("scp public_html/inetd.conf root@ADDRESS:/etc/");
    echo "</center>";
    
 

$ssh3 = new Net_SSH2($ip);
    if (!$ssh3->login('USER', 'PASSWORD')) {
        exit('Login Failed');
}
    echo "<center>";
    echo $ssh3->exec("/etc/init.d/openbsd-inetd restart");
    echo "</center>";
    
    
echo "<center> Thank you $_SESSION[user_name] for setting up your server. </center>";
?>

<html>
    <head>
    </head>
    <body>
        <center>
        <p><b> Please Click the Green Power Button to Start your VPS. </br> 
        Once you have started your VPS you may access your VPS with the Access your VPS button at the stop of the screen.</b></p>
        <p> We will now redirect you </p>
        <meta http-equiv="refresh"
       content="7; url=myaccount.php">
     </center>
    </body>
</html>
Here is the basic stop code.


PHP:
<?PHP
include 'dbc.php';
page_protect();
session_start();

include('php/Net/SSH2.php');

$con = mysql_connect("localhost","USER","PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("login", $con);


$result = mysql_query("SELECT * FROM users WHERE id='$_SESSION[user_id]'");

while($row = mysql_fetch_array($result))
{
    $ip = $row['node'];
    $ssh = new Net_SSH2($ip);
    if (!$ssh->login('USER', 'PASSWORD')) {
        exit('Login Failed');
    }

$a = $row['vmid'];
    echo "<center>";
    echo $ssh->exec("qm stop $a");
    echo "</center>";
    
    
 }

?> 

<html>

<table align="center"><tr><td>
<div id="showbar" style="font-size:8pt;padding:2px;border:solid black 1px;visibility:hidden">
<span id="progress1">&nbsp; &nbsp;</span>
<span id="progress2">&nbsp; &nbsp;</span>
<span id="progress3">&nbsp; &nbsp;</span>
<span id="progress4">&nbsp; &nbsp;</span>
<span id="progress5">&nbsp; &nbsp;</span>
<span id="progress6">&nbsp; &nbsp;</span>
<span id="progress7">&nbsp; &nbsp;</span>
<span id="progress8">&nbsp; &nbsp;</span>
<span id="progress9">&nbsp; &nbsp;</span>
</div>
</td></tr></table>
<body onload="progress_update();">

<script language="javascript">
var progressEnd = 9; // set to number of progress <span>'s.
var progressColor = 'blue'; // set to progress bar color
var progressInterval = 1000; // set to time between updates (milli-seconds)

var progressAt = progressEnd;
var progressTimer;
function progress_clear() {
for (var i = 1; i <= progressEnd; i++) document.getElementById('progress'+i).style.backgroundColor = 'transparent';
progressAt = 0;
}
function progress_update() {
document.getElementById('showbar').style.visibility = 'visible';
progressAt++;
if (progressAt > progressEnd) progress_clear();
else document.getElementById('progress'+progressAt).style.backgroundColor = progressColor;
progressTimer = setTimeout('progress_update()',progressInterval);
}
function progress_stop() {
clearTimeout(progressTimer);
progress_clear();
document.getElementById('showbar').style.visibility = 'hidden';
}
//progress_update(); // start progress bar

</script>

<meta http-equiv="refresh"
       content="7; url=myaccount.php">
</html>
Basic Start VM

PHP:
<?PHP
include 'dbc.php';
page_protect();
session_start();

include('php/Net/SSH2.php');

$con = mysql_connect("localhost","USER","PASS");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("login", $con);


$result = mysql_query("SELECT * FROM users WHERE id='$_SESSION[user_id]'");

while($row = mysql_fetch_array($result))
{
    $ip = $row['node'];
    
    $ssh = new Net_SSH2($ip);
    if (!$ssh->login('USER', 'PASS')) {
        exit('Login Failed');
    }

$a = $row['vmid'];

    echo "<center>";
    echo $ssh->exec("qm start $a");
    echo "</center>";
    
 

 
}






?> 
<html>

<table align="center"><tr><td>
<div id="showbar" style="font-size:8pt;padding:2px;border:solid black 1px;visibility:hidden">
<span id="progress1">&nbsp; &nbsp;</span>
<span id="progress2">&nbsp; &nbsp;</span>
<span id="progress3">&nbsp; &nbsp;</span>
<span id="progress4">&nbsp; &nbsp;</span>
<span id="progress5">&nbsp; &nbsp;</span>
<span id="progress6">&nbsp; &nbsp;</span>
<span id="progress7">&nbsp; &nbsp;</span>
<span id="progress8">&nbsp; &nbsp;</span>
<span id="progress9">&nbsp; &nbsp;</span>
</div>
</td></tr></table>
<body onload="progress_update();">

<script language="javascript">
var progressEnd = 9; 
var progressColor = 'blue'; 
var progressInterval = 1000; 

var progressAt = progressEnd;
var progressTimer;
function progress_clear() {
for (var i = 1; i <= progressEnd; i++) document.getElementById('progress'+i).style.backgroundColor = 'transparent';
progressAt = 0;
}
function progress_update() {
document.getElementById('showbar').style.visibility = 'visible';
progressAt++;
if (progressAt > progressEnd) progress_clear();
else document.getElementById('progress'+progressAt).style.backgroundColor = progressColor;
progressTimer = setTimeout('progress_update()',progressInterval);
}
function progress_stop() {
clearTimeout(progressTimer);
progress_clear();
document.getElementById('showbar').style.visibility = 'hidden';
}
//progress_update(); // start progress bar

</script>

<meta http-equiv="refresh"
       content="7; url=myaccount.php">
</html>
Basic Mount ISO Code

PHP:
<?php 
include('php/Net/SSH2.php');
include 'dbc.php';
page_protect();
session_start();
$sql_insert =   "UPDATE users SET       os = '$_POST[os]'       WHERE id = '$_SESSION[user_id]'";
mysql_query($sql_insert) or die("Insertion Failed: OS" . mysql_error());

$con = mysql_connect("localhost","USER","PASSWORD");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("login", $con);


$result = mysql_query("SELECT * FROM users WHERE id='$_SESSION[user_id]'");

while($row = mysql_fetch_array($result))
{
    $ip = $row['node'];
    $ssh = new Net_SSH2($ip);
    if (!$ssh->login('USER', 'PASSWORD')) {
        exit('Login Failed');
    }

$a = $row['user_email'];
$vmid = $row['vmid'];
    echo "<center>";
    echo $ssh->exec("/usr/sbin/qm set $vmid --cdrom Backups:iso/$_POST[os]");
    echo "</center>";
    
    
 }

echo "<html><center>You have now mounted $_POST[os]</center></html>" ;
?>
 
Rather than MySQL, it would be better to base it on plain text files as the Proxmox VE does not rely on MySQL running on the host.
Please place the contents of the include files referred in the scripts listed.

Also in the Proxmox VE host file:
/etc/mysql/my.cnf
we have a lot of duplicate lines like:
Code:
[mysqld]
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
default-character-set=utf8
..
..
..
..
 
This is not running on the proxmox host. This is running a completely separate web server. Where there is a need to store the customer info in a database.
 
This is not running on the proxmox host. This is running a completely separate web server. Where there is a need to store the customer info in a database.

yes, you are right , and the remote must have SSH2 library installer in php to work with this methode .