Commit d692aa7

Add CreateConsoleEndpoint docs (#284)
* Add CreateConsoleEndpoint docs
* Format
* Update systemvm.rst
* Update systemvm.rst
1 parent 17bd93e commit d692aa7

1 file changed

Lines changed: 52 additions & 1 deletion

source/adminguide/systemvm.rst

@@ -194,6 +194,57 @@ the capacity to handle new sessions is used.
194194
Console proxies can be restarted by administrators but this will
195195
interrupt existing console sessions for users.
196196

197+
Creating a VM Console Endpointy
198+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
199+
200+
The access to a VM Console is created by the API 'createConsoleEndpoint',
201+
for the VM specified in the parameter 'virtualmachineid'. By default,
202+
the CloudStack UI connects to the URL that this API generates.
203+
204+
The response of the 'createConsoleEndpoint' API also contain the information
205+
to create a websocket session to the VNC server on the console proxy, this
206+
infomation includes: the host, port, path and token parameters required to
207+
establish a websocket session, bypassing the VNC client on the console proxy.
208+
209+
It is possible to add extra validation for the console proxy authentication,
210+
with the following configurations:
211+
212+
- ‘consoleproxy.extra.security.validation.enabled’: Enable/disable extra security
213+
validation for console proxy using a token
214+
215+
When ‘consoleproxy.extra.security.validation.enabled’ is true: then CloudStack
216+
requests the ‘token’ parameter to the ‘createConsoleEndpoint’ API. The console URL
217+
retrieved on the API response includes an ‘extra’ parameter for users validation on
218+
the console proxy.
219+
220+
When the console proxy receives a request including the ‘extra’ parameter it
221+
will decode the ‘token’ parameter and uses the original token to compare it with
222+
the ‘extra’ token. Only in case both matches, then the console access is allowed.
223+
224+
When ‘consoleproxy.extra.security.validation.enabled’ is false: then CloudStack
225+
does not require a token for validation.
226+
227+
The websocket port is passed as a boot argument to the console proxy and the
228+
management server decides between the secure or unsecure port (8443 or 8080) when
229+
setting the boot arguments for the CPVM.
230+
231+
- The secure port 8443 is sent as a boot argument when:
232+
233+
- The setting ‘consoleproxy.sslEnabled’ is true
234+
235+
- The setting ‘consoleproxy.url.domain’ is not empty
236+
237+
- There is a record on the ‘keystore’ database with name ‘CPVMCertificate’
238+
239+
- In any other case, then the port 8080 is selected
240+
241+
242+
Administrators must ensure a new console proxy VM is recreated after changing
243+
the value of any of the settings. Once the console proxy VM is recreated,
244+
the new VNC server port will be used as the websocket traffic port. The console proxy
245+
VM startup will also ensure a new iptable rule is added for the new VNC port,
246+
allowing the traffic on it.
247+
197248

198249
Using a SSL Certificate for the Console Proxy
199250
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
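
Review bot: The port-selection list at new lines 231-239 does not say whether the three conditions for 8443 (‘consoleproxy.sslEnabled’ is true, ‘consoleproxy.url.domain’ is not empty, a ‘CPVMCertificate’ record exists in ‘keystore’) must all hold or whether any one of them is enough. This decides whether the websocket runs on the secure or the unsecure port, so state it explicitly, for example "when all of the following are true". The validation paragraph at lines 220-222 is also hard to follow: it is not clear which value is "the original token" or what is decoded from what, so name the source of each of the two values being compared. Line 210 announces "the following configurations" but only one setting is listed, and line 242 says "any of the settings" without naming which settings require the console proxy VM to be recreated. Smaller points: "Endpointy" in the heading at line 197, "infomation" at line 206, "also contain" at line 204, "iptable rule" at line 245, and the mix of straight quotes (lines 200-204) and typographic quotes (lines 212-237) around API and setting names, which would read better as one consistent RST inline literal style.
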
@@ -950,4 +1001,4 @@ generated diagnostics data files and are as follows:
9501001
9511002
Sets the secondary storage disk utilisation percentage for file retrieval.
9521003
An exception is thrown when no secondary store is found with a lower capacity
953-
than the specified value. The default value is 0.95 (95 %).
1004+
than the specified value. The default value is 0.95 (95 %).
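
Review bot: The removed line 953 and the added line 1004 read identically, so the only change here is whitespace or the end-of-file newline, which is unrelated to the CreateConsoleEndpoint documentation. Either drop it from this commit or mention the whitespace cleanup in the commit message so the single deletion in the diff stat is explained.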
