The current containerised graphical console approach has a Selenium script managing a Chrome browser session. This change replaces that with firefox and a custom extension to perform the required actions to log in and load the BMC console.

This supports the same vendors as the previous approach (iDRAC, iLO, Supermicro).

This change is required by Red Hat as Chrome is not packaged in RHEL. However switching to firefox has allowed a more robust and featureful implementation so it is presented here on its own merits.

This is implemented with bash, calling out to dedicated python scripts for these specific tasks:
- Detecting which vendor specific javascript to use for the redfish-graphical driver
- Building the required certificate fingerprint when app_info.verify_ca is false, which is written to the profile's cert_override.txt
- Building a custom policy.json which is specific to the BMC and vendor implementation.

Functional differences with the chrome/selenium version
- Firefox kiosk mode has a more locked-down environment, including disabling context menus. This means the brittle workaround to disable them is no longer required.
- Firefox global policy allows the environment to be locked down further, including limiting access to all URLs except the BMC.
- There is now a dedicated loading page which can show status updates until the first BMC page loads. This page shows error messages if any of the early redfish calls fail.
- VNC client sessions are now shared with multiple clients, and firefox will be started on the first connection, and stopped when the last connection ends.
- Starting Xvfb is now deferred until the first VNC client connection. This results in a never-connected container using 5MB vs 30MB once Xvfb is started. Starting Xvfb has ~1sec time penalty on first connection.
- The browser now runs in a dedicated non-root user
- All redfish consoles now hide toolbar elements with a CSS overlay rather than simulating other methods such as clicking the "Full Screen" button.
- ilo6/ilo5 detection is now done by a redfish call and the ilo5 path has fewer moving parts.

Change-Id: Ib42704a016dc891833a0ddbeae8054cac2c57d4d
Signed-off-by: Steve Baker <sbaker@redhat.com>
Assisted-By: gemini
VNC Container
Overview
This allows a container image to be built which supports Ironic's graphical console functionality.
For each node with an enabled graphical console, the service ironic-novncproxy (or nova-novncproxy) will connect to a VNC server exposed by a container running this image.
Building and using
To build the container image for local use, install buildah and run the following as the user which runs ironic-conductor:
buildah bud -f ./Containerfile -t localhost/ironic-vnc-container
The systemd container provider (or an external provider) can then be configured to use this image in ironic.conf:
[vnc]
enabled = True
container_provider=systemd
console_image=localhost/ironic-vnc-container
Implementation
When the container is started the following occurs:
- x11vnc is run, which exposes a VNC server port
When a VNC connection is established, the following occurs:
- Xvfb is run, which starts a virtual X11 session
- A Firefox browser is started in kiosk mode
- A Firefox extension automates loading the requested console app
  - For the fake app, display drivers/fake/index.html
  - For the redfish-graphical app, detect the vendor by looking at the Oem value in a /redfish/v1 response
  - Runs vendor specific scripts to display an HTML5 based console
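The vendor detection step in the list above decides which script goes on to handle BMC credentials, so it is worth failing closed on anything unexpected. The following is an added sketch, not the project's own detection script; the Oem key names, the vendor labels and the size limit are assumptions made for illustration.

```python
import json

# Assumption: these Oem key names and the labels they map to are illustrative,
# not taken from the project's detection script.
OEM_KEY_TO_VENDOR = {"Dell": "idrac", "Hpe": "ilo", "Supermicro": "supermicro"}
MAX_BODY_BYTES = 1 << 20  # refuse implausibly large service roots


class VendorDetectionError(Exception):
    """The service root does not identify exactly one known vendor."""


def detect_vendor(body: bytes) -> str:
    """Return the vendor label for a raw /redfish/v1 response body."""
    if len(body) > MAX_BODY_BYTES:
        raise VendorDetectionError("service root too large")
    try:
        root = json.loads(body)
    except (ValueError, RecursionError) as exc:
        raise VendorDetectionError(f"service root is not valid JSON: {exc}") from exc
    oem = root.get("Oem") if isinstance(root, dict) else None
    if not isinstance(oem, dict):
        raise VendorDetectionError("service root has no Oem object")
    # Exact key match only: a substring test would let a key such as
    # "NotDell" select the Dell script.
    vendors = sorted({OEM_KEY_TO_VENDOR[k] for k in oem if k in OEM_KEY_TO_VENDOR})
    if len(vendors) != 1:
        raise VendorDetectionError(f"expected one known Oem key, got {sorted(oem)}")
    return vendors[0]


# Constructed sample bodies, trimmed to the fields that matter here.
SAMPLES = {
    "dell": b'{"RedfishVersion": "1.0.0", "Oem": {"Dell": {}}}',
    "hpe": b'{"RedfishVersion": "1.0.0", "Oem": {"Hpe": {}}}',
    "supermicro": b'{"RedfishVersion": "1.0.0", "Oem": {"Supermicro": {}}}',
    "no_oem": b'{"RedfishVersion": "1.0.0"}',
    "ambiguous": b'{"Oem": {"Dell": {}, "Hpe": {}}}',
    "lookalike": b'{"Oem": {"NotDell": {}}}',
    "not_json": b"<html>login</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        try:
            print(f"{name}: {detect_vendor(body)}")
        except VendorDetectionError as exc:
            print(f"{name}: refused ({exc})")
```

A refusal here is the kind of early Redfish failure that a loading page can surface to the operator instead of leaving a blank console.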
Multiple VNC connections can share a single instance. When the last VNC connection is closed, the running Firefox is closed.
Vendor specific implementations are as follows.
Dell iDRAC
One-time console credentials are created with a call to
/Managers/<manager>/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.GetKVMSession
and the browser loads a console URL using those credentials.
HPE iLO
The /irc.html URL is loaded. For iLO 6 the inline login
form is populated with credentials and submitted, showing the console.
For iLO 5 the main login page is loaded, and when the login is submitted
irc.html is loaded again.
Supermicro (Experimental)
A simulated user logs in, waits for the console preview image to load, then clicks on it.