Update VNC functionality for Proxmox 7 (#148)

Chown `targets`, Add run and kill scripts

Lol Joe figured it out

* Dude it works holy shit

We need to fix some logistical bugs, probably, and also like remove dead
code lol

* Open VNC session on the node that the VM belongs

Figured out why I couldn't open a session on anything but 01. It was
because I was making the API call on proxmox01-nrh. So that's where the
session opened. I hope that by doing this, it will balance the load
(what little there is) from VNC sessions.

* Update websockify-related tasks

* Remove SSH key from build

* Add option to specify VNC port.

Should be 443 for OKD, probably 8081 for development.

This hosts a smattering of fixes, acutally uses gunicorn properly(?),
launches websockify correctly, and introduces MORE DEAD CODE!

TODO: Fix the scheduling system

* Make things not crash as much :)

* Remove obviously dead code

There's still some code in here that may require more careful
extraction, testing, and review, so I'm saving that for another PR.

* Fix Joe's complaints

* Replace hardcoded URL

Author: WillNilges

Dockerfile

@@ -7,5 +7,5 @@ COPY start_worker.sh start_scheduler.sh .
 COPY .git ./.git
 COPY *.py .
 COPY proxstar ./proxstar
-RUN touch proxmox_ssh_key && chmod a+w proxmox_ssh_key # This is some OKD shit.
-ENTRYPOINT ddtrace-run python3 wsgi.py
+RUN touch proxmox_ssh_key targets && chmod a+w proxmox_ssh_key targets # This is some OKD shit.
+ENTRYPOINT ddtrace-run gunicorn proxstar:app --bind=0.0.0.0:8080

HACKING/.gitignore

@@ -1,3 +1,4 @@
 volume/
 volume/*
-.env
+.env
+ssh_key

HACKING/README.md

@@ -1,3 +1,43 @@
+# Contributing
+1. [Fork](https://help.github.com/en/articles/fork-a-repo) this repository
+  - Optionally create a new [git branch](https://git-scm.com/book/en/v2/Git-Branching-Branches-in-a-Nutshell) if your change is more than a small tweak (`git checkout -b BRANCH-NAME-HERE`)
+
+2. Follow the _Podman Environment Instructions_ to set up a Podman dev environment. If you'd like to run Proxstar entirely on your own hardware, check out _Setting up a full dev environment_
+
+3. Create a Virtualenv to do your linting in
+```
+mkdir venv
+python3.8 -m venv venv
+source venv/bin/activate
+```
+
+4. Make your changes locally, commit, and push to your fork
+  - If you want to test locally, you should copy `HACKING/.env.sample` to `HACKING/.env`, and talk to an RTP about filling in secrets.
+  - Lint and format your local changes with `pylint proxstar` and `black proxstar`
+    - You'll need dependencies installed locally to do this. You should do that in a [venv](https://packaging.python.org/tutorials/installing-packages/#creating-virtual-environments) of some sort to keep your system clean. All the dependencies are listed in [requirements.txt](./requirements.txt), so you can install everything with `pip install -r requirements.txt`. You'll need python 3.6 at minimum, though things should work up to python 3.8.
+
+5. Create a [Pull Request](https://help.github.com/en/articles/about-pull-requests) on this repo for our Webmasters to review
+
+### Podman Environment Instructions
+
+1.  Build your containers. The `proxstar` container serves as proxstar, rq, rq-scheduler, and VNC. The `proxstar-postgres` container sets up the database schema.
+
+`mkdir HACKING/proxstar-postgres/volume`
+
+`podman build . --tag=proxstar`
+
+`podman build HACKING/proxstar-postgres --tag=proxstar-postgres`
+
+2. Configure your environment variables. I'd recommend setting up a .env file and passing that into your container. Check `.env.template` for more info.
+
+3. Run it. This sets up redis, postgres, rq, and proxstar.
+
+`./HACKING/launch_env.sh`
+
+4. To stop all containers, use the provided script
+
+`./HACKING/stop_env.sh`
+
 ## Setting up a full dev environment
 
 If you want to work on Proxstar using a 1:1 development setup, there are a couple things you're going to need
@@ -6,9 +46,11 @@ If you want to work on Proxstar using a 1:1 development setup, there are a coupl
     - SSH into
         - With portforwarding (see `man ssh` for info on the `-L` option)
     - and run
+        - Podman
         - Flask
-        - Redis
-        - Docker
+		- Redis
+		- Postgres
+		- RQ
 - At least one (1) Proxmox host running Proxmox >6.3
 - A CSH account
 - An RTP (to tell you secrets)
@@ -25,24 +67,4 @@ If you're trying to run this all on a VM without a graphical web browser, you ca
 ```
 ssh [email protected] -L 8000:localhost:8000
 ```
-# New Deployment Instructions
-
-1.  Build your containers. The `proxstar` container serves as proxstar, rq, rq-scheduler, and VNC. The `proxstar-postgres` container sets up the database schema.
-
-`mkdir HACKING/proxstar-postgres/volume`
-
-`podman build . --tag=proxstar`
-
-`podman build HACKING/proxstar-postgres --tag=proxstar-postgres`
-
-2. Configure your environment variables. I'd recommend setting up a .env file and passing that into your container. Check `.env.template` for more info.
 
-3. Run it. This sets up redis, postgres, rq, and proxstar.
-
-```
-podman run --rm -d --network=proxstar --name=proxstar-redis redis:alpine
-podman run --rm -d --network=proxstar --name=proxstar-postgres -e POSTGRES_PASSWORD=changeme -v ./HACKING/proxstar-postgres/volume:/var/lib/postgresql/data:Z proxstar-postgres
-podman run --rm -d --network=proxstar --name=proxstar-rq-scheduler  --env-file=HACKING/.env --entrypoint ./start_scheduler.sh proxstar
-podman run --rm -d --network=proxstar --name=proxstar-rq  --env-file=HACKING/.env --entrypoint ./start_worker.sh proxstar
-podman run --rm -d --network=proxstar --name=proxstar -p 8000:8000 --env-file=HACKING/.env proxstar
-```

HACKING/launch_env.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+podman run --rm -d --network=proxstar --name=proxstar-redis redis:alpine
+podman run --rm -d --network=proxstar --name=proxstar-postgres -e POSTGRES_PASSWORD=changeme -v ./HACKING/proxstar-postgres/volume:/var/lib/postgresql/data:Z proxstar-postgres
+podman run --rm -d --network=proxstar --name=proxstar-rq-scheduler  --env-file=HACKING/.env --entrypoint ./start_scheduler.sh proxstar
+podman run --rm -d --network=proxstar --name=proxstar-rq  --env-file=HACKING/.env --entrypoint ./start_worker.sh proxstar
+podman run --rm -it --network=proxstar --name=proxstar -p 8000:8000 -p 8081:8081 --env-file=HACKING/.env --entrypoint='["gunicorn", "proxstar:app", "--bind=0.0.0.0:8000"]' proxstar

HACKING/stop_env.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+podman kill proxstar
+podman kill proxstar-rq
+podman kill proxstar-rq-scheduler
+podman stop proxstar-redis
+podman stop proxstar-postgres

README.md

@@ -17,13 +17,7 @@ It is available to house members at [proxstar.csh.rit.edu](https://proxstar.csh.
 
 ## Contributing
 
-1. [Fork](https://help.github.com/en/articles/fork-a-repo) this repository
-  - Optionally create a new [git branch](https://git-scm.com/book/en/v2/Git-Branching-Branches-in-a-Nutshell) if your change is more than a small tweak (`git checkout -b BRANCH-NAME-HERE`)
-3. Make your changes locally, commit, and push to your fork
-  - If you want to test locally, you should copy `config.py` to `config_local.py`, and talk to an RTP about filling in secrets.
-  - Lint and format your local changes with `pylint proxstar` and `black proxstar`
-    - You'll need dependencies installed locally to do this. You should do that in a [venv](https://packaging.python.org/tutorials/installing-packages/#creating-virtual-environments) of some sort to keep your system clean. All the dependencies are listed in [requirements.txt](./requirements.txt), so you can install everything with `pip install -r requirements.txt`. You'll need python 3.6 at minimum, though things should work up to python 3.8.
-4. Create a [Pull Request](https://help.github.com/en/articles/about-pull-requests) on this repo for our Webmasters to review
+Check out `HACKING/` for more info.
 
 ## Questions/Concerns
 

wsgi.py renamed to app.py

@@ -62,8 +62,10 @@
 REDIS_PORT = int(environ.get('PROXSTAR_REDIS_PORT', '6379'))
 
 # VNC
-WEBSOCKIFY_PATH = environ.get('PROXSTAR_WEBSOCKIFY_PATH', '/opt/app-root/bin/websockify')
-WEBSOCKIFY_TARGET_FILE = environ.get('PROXSTAR_WEBSOCKIFY_TARGET_FILE', '/opt/app-root/src/targets')
+WEBSOCKIFY_PATH = environ.get('PROXSTAR_WEBSOCKIFY_PATH', '/usr/local/bin/websockify')
+WEBSOCKIFY_TARGET_FILE = environ.get('PROXSTAR_WEBSOCKIFY_TARGET_FILE', '/opt/proxstar/targets')
+VNC_HOST = environ.get('PROXSTAR_VNC_HOST', 'proxstar-vnc.csh.rit.edu')
+VNC_PORT = environ.get('PROXSTAR_VNC_PORT', '443')
 
 # SENTRY
 # If you set the sentry dsn locally, make sure you use the local-dev or some

config.py

@@ -2,7 +2,6 @@
 import subprocess
 
 from flask import Flask
-
 app = Flask(__name__)
 if os.path.exists(os.path.join(app.config.get('ROOT_DIR', os.getcwd()), "config_local.py")):
     config = os.path.join(app.config.get('ROOT_DIR', os.getcwd()), "config_local.py")
@@ -16,6 +15,7 @@
 def start_websockify(websockify_path, target_file):
     result = subprocess.run(['pgrep', 'websockify'], stdout=subprocess.PIPE)
     if not result.stdout:
+        print("Websockify is stopped. Starting websockify.")
         subprocess.call(
             [
                 websockify_path,
@@ -28,7 +28,10 @@ def start_websockify(websockify_path, target_file):
             ],
             stdout=subprocess.PIPE,
         )
+    else:
+        print("Websockify started.")
 
 
 def on_starting(server):
+    print("Booting Websockify server in daemon mode...")
     start_websockify(app.config['WEBSOCKIFY_PATH'], app.config['WEBSOCKIFY_TARGET_FILE'])

gunicorn_conf.py renamed to gunicorn.conf.py

@@ -6,13 +6,25 @@
 import subprocess
 import psutil
 import psycopg2
+
+# from gunicorn_conf import start_websockify
 import rq_dashboard
 from rq import Queue
 from redis import Redis
 from rq_scheduler import Scheduler
 from sqlalchemy import create_engine
 from sqlalchemy.orm import sessionmaker
-from flask import Flask, render_template, request, redirect, session, abort, url_for, jsonify
+from flask import (
+    Flask,
+    render_template,
+    request,
+    redirect,
+    session,
+    abort,
+    url_for,
+    jsonify,
+    Response,
+)
 import sentry_sdk
 from sentry_sdk.integrations.flask import FlaskIntegration
 from sentry_sdk.integrations.rq import RqIntegration
@@ -34,13 +46,11 @@
     set_template_info,
 )
 from proxstar.vnc import (
-    send_stop_ssh_tunnel,
-    stop_ssh_tunnel,
     add_vnc_target,
-    start_ssh_tunnel,
     get_vnc_targets,
     delete_vnc_target,
     stop_websockify,
+    open_vnc_session,
 )
 from proxstar.auth import get_auth
 from proxstar.util import gen_password
@@ -67,8 +77,9 @@
     environment=app.config['SENTRY_ENV'],
 )
 
-with open('proxmox_ssh_key', 'w') as ssh_key_file:
-    ssh_key_file.write(app.config['PROXMOX_SSH_KEY'])
+if not os.path.exists('proxmox_ssh_key'):
+    with open('proxmox_ssh_key', 'w') as ssh_key_file:
+        ssh_key_file.write(app.config['PROXMOX_SSH_KEY'])
 
 ssh_tunnels = []
 
@@ -142,14 +153,22 @@ def rq_dashboard_auth(*args, **kwargs):  # pylint: disable=unused-argument,unuse
 
 @app.errorhandler(404)
 def not_found(e):
-    user = User(session['userinfo']['preferred_username'])
-    return render_template('404.html', user=user, e=e), 404
+    try:
+        user = User(session['userinfo']['preferred_username'])
+        return render_template('404.html', user=user, e=e), 404
+    except KeyError as exception:
+        print(exception)
+        return render_template('404.html', user='chom', e=e), 404
 
 
 @app.errorhandler(403)
 def forbidden(e):
-    user = User(session['userinfo']['preferred_username'])
-    return render_template('403.html', user=user, e=e), 403
+    try:
+        user = User(session['userinfo']['preferred_username'])
+        return render_template('403.html', user=user, e=e), 403
+    except KeyError as exception:
+        print(exception)
+        return render_template('403.html', user='chom', e=e), 403
 
 
 @app.route('/')
@@ -247,47 +266,43 @@ def vm_power(vmid, action):
             vm.start()
         elif action == 'stop':
             vm.stop()
-            send_stop_ssh_tunnel(vmid)
+            # TODO (willnilges): Replace with remove target function or something
+            # send_stop_ssh_tunnel(vmid)
         elif action == 'shutdown':
             vm.shutdown()
-            send_stop_ssh_tunnel(vmid)
+            # send_stop_ssh_tunnel(vmid)
         elif action == 'reset':
             vm.reset()
         elif action == 'suspend':
             vm.suspend()
-            send_stop_ssh_tunnel(vmid)
+            # send_stop_ssh_tunnel(vmid)
         elif action == 'resume':
             vm.resume()
         return '', 200
     else:
         return '', 403
 
 
-@app.route('/console/vm/<string:vmid>/stop', methods=['POST'])
-def vm_console_stop(vmid):
-    if request.form['token'] == app.config['VNC_CLEANUP_TOKEN']:
-        stop_ssh_tunnel(vmid, ssh_tunnels)
-        return '', 200
-    else:
-        return '', 403
-
-
 @app.route('/console/vm/<string:vmid>', methods=['POST'])
 @auth.oidc_auth
 def vm_console(vmid):
     user = User(session['userinfo']['preferred_username'])
     connect_proxmox()
     if user.rtp or int(vmid) in user.allowed_vms:
+        # import pdb; pdb.set_trace()
         vm = VM(vmid)
-        stop_ssh_tunnel(vm.id, ssh_tunnels)
-        port = str(5900 + int(vmid))
-        token = add_vnc_target(port)
-        node = '{}.csh.rit.edu'.format(vm.node)
-        logging.info('creating SSH tunnel to %s for VM %s', node, vm.id)
-        tunnel = start_ssh_tunnel(node, port)
-        ssh_tunnels.append(tunnel)
-        vm.start_vnc(port)
-        return token, 200
+        vnc_ticket, vnc_port = open_vnc_session(
+            vmid, vm.node, app.config['PROXMOX_USER'], app.config['PROXMOX_PASS']
+        )
+        node = f'{vm.node}.csh.rit.edu'
+        token = add_vnc_target(node, vnc_port)
+        return {
+            'host': app.config['VNC_HOST'],
+            'port': app.config['VNC_PORT'],
+            'token': token,
+            'password': vnc_ticket,
+        }, 200
+
     else:
         return '', 403
 
@@ -399,7 +414,7 @@ def delete(vmid):
     user = User(session['userinfo']['preferred_username'])
     connect_proxmox()
     if user.rtp or int(vmid) in user.allowed_vms:
-        send_stop_ssh_tunnel(vmid)
+        # send_stop_ssh_tunnel(vmid)
         # Submit the delete VM task to RQ
         q.enqueue(delete_vm_task, vmid)
         return '', 200
@@ -571,29 +586,12 @@ def allowed_users(user):
 @app.route('/console/cleanup', methods=['POST'])
 def cleanup_vnc():
     if request.form['token'] == app.config['VNC_CLEANUP_TOKEN']:
-        for target in get_vnc_targets():
-            tunnel = next(
-                (tunnel for tunnel in ssh_tunnels if tunnel.local_bind_port == int(target['port'])),
-                None,
-            )
-            if tunnel:
-                if not next(
-                    (
-                        conn
-                        for conn in psutil.net_connections()
-                        if conn.laddr[1] == int(target['port']) and conn.status == 'ESTABLISHED'
-                    ),
-                    None,
-                ):
-                    try:
-                        tunnel.stop()
-                    except:
-                        pass
-                    ssh_tunnels.remove(tunnel)
-                    delete_vnc_target(target['port'])
-        return '', 200
-    else:
-        return '', 403
+        print('Cleaning up targets file...')
+        with open(app.config['WEBSOCKIFY_TARGET_FILE'], 'w') as targets:
+            targets.truncate()
+            return '', 200
+    print('Got bad cleanup request')
+    return '', 403
 
 
 @app.route('/template/<string:template_id>/disk')

proxstar/__init__.py

@@ -650,9 +650,11 @@ $("#console-vm").click(function(){
         credentials: 'same-origin',
         method: 'post'
     }).then((response) => {
-        return response.text()
-    }).then((token) => {
-        window.open(`/static/noVNC/vnc.html?autoconnect=true&encrypt=true&host=proxstar-vnc.csh.rit.edu&port=443&path=path?token=${token}`, '_blank');
+        return response.json()
+    }).then((vnc_params) => {
+        // TODO (willnilges): encrypt=true
+        // TODO (willnilges): set host and port to an env variable
+        window.open(`/static/noVNC/vnc.html?autoconnect=true&password=${vnc_params.password}&host=${vnc_params.host}&port=${vnc_params.port}&path=path?token=${vnc_params.token}`, '_blank');
     }).catch(err => {
         if (err) {
             swal("Uh oh...", `Unable to start console for ${vmname}. Please try again later.`, "error");