kvm: Secure KVM VNC Console Access Using the CA Framework (#7015)

This PR allows securing the console access through CloudStack to the virtual machines running on KVM. The secure access is achieved through the generated certificates for the CA Framework in CloudStack, that provides mutual TLS connections between agents. These certificates are used to also secure the connection between the console proxies and the VNC ports for VM console access.

This feature is only supported on the KVM hypervisor

Design Document: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Secure+KVM+VNC+connection+using+the+CA+framework

Author: nvazquez

agent/bindir/cloud-setup-agent.in

@@ -26,7 +26,7 @@ from cloudutils.configFileOps import  configFileOps
 from cloudutils.globalEnv import globalEnv
 from cloudutils.networkConfig import networkConfig
 from cloudutils.syscfg import sysConfigFactory
-from cloudutils.serviceConfig import configureLibvirtConfig
+from cloudutils.serviceConfig import configureLibvirtConfig, configure_libvirt_tls
 
 from optparse import OptionParser
 
@@ -115,6 +115,7 @@ if __name__ == '__main__':
 
     if not options.auto and options.secure:
         configureLibvirtConfig(True)
+        configure_libvirt_tls(True)
         print("Libvirtd with TLS configured")
         sys.exit(0)
 

python/lib/cloudutils/serviceConfig.py

@@ -587,6 +587,23 @@ def restore(self):
 class securityPolicyConfigSUSE(securityPolicyConfigRedhat):
     pass
 
+
+def configure_libvirt_tls(tls_enabled=False, cfo=None):
+    save = False
+    if not cfo:
+        cfo = configFileOps("/etc/libvirt/qemu.conf")
+        save = True
+
+    if tls_enabled:
+        cfo.addEntry("vnc_tls", "1")
+        cfo.addEntry("vnc_tls_x509_verify", "1")
+        cfo.addEntry("vnc_tls_x509_cert_dir", "\"/etc/pki/libvirt-vnc\"")
+    else:
+        cfo.addEntry("vnc_tls", "0")
+
+    if save:
+        cfo.save()
+
 def configureLibvirtConfig(tls_enabled = True, cfg = None):
     cfo = configFileOps("/etc/libvirt/libvirtd.conf", cfg)
     if tls_enabled:
@@ -639,6 +656,7 @@ def config(self):
             cfo.addEntry("user", "\"root\"")
             cfo.addEntry("group", "\"root\"")
             cfo.addEntry("vnc_listen", "\"0.0.0.0\"")
+            configure_libvirt_tls(self.syscfg.env.secure, cfo)
             cfo.save()
 
             self.syscfg.svo.stopService("libvirtd")
@@ -676,6 +694,7 @@ def config(self):
             cfo.addEntry("user", "\"root\"")
             cfo.addEntry("group", "\"root\"")
             cfo.addEntry("vnc_listen", "\"0.0.0.0\"")
+            configure_libvirt_tls(self.syscfg.env.secure, cfo)
             cfo.save()
 
             self.syscfg.svo.stopService("libvirtd")
@@ -729,6 +748,7 @@ def config(self):
             cfo.addEntry("security_driver", "\"none\"")
             cfo.addEntry("user", "\"root\"")
             cfo.addEntry("group", "\"root\"")
+            configure_libvirt_tls(self.syscfg.env.secure, cfo)
             cfo.save()
 
             if os.path.exists("/lib/systemd/system/libvirtd.service"):

scripts/util/keystore-cert-import

@@ -114,6 +114,12 @@ if [ -f "$LIBVIRTD_FILE" ]; then
     ln -sf /etc/cloudstack/agent/cloud.crt /etc/pki/libvirt/servercert.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/clientkey.pem
     ln -sf /etc/cloudstack/agent/cloud.key /etc/pki/libvirt/private/serverkey.pem
+
+    # VNC TLS directory and certificates
+    mkdir -p /etc/pki/libvirt-vnc
+    ln -sf /etc/pki/CA/cacert.pem /etc/pki/libvirt-vnc/ca-cert.pem
+    ln -sf /etc/pki/libvirt/servercert.pem /etc/pki/libvirt-vnc/server-cert.pem
+    ln -sf /etc/pki/libvirt/private/serverkey.pem /etc/pki/libvirt-vnc/server-key.pem
     cloudstack-setup-agent -s > /dev/null
 fi
 

server/src/main/java/com/cloud/servlet/ConsoleProxyClientParam.java

@@ -22,6 +22,7 @@ public class ConsoleProxyClientParam {
     private int clientHostPort;
     private String clientHostPassword;
     private String clientTag;
+    private String clientDisplayName;
     private String ticket;
     private String locale;
     private String clientTunnelUrl;
@@ -85,6 +86,10 @@ public void setClientTag(String clientTag) {
         this.clientTag = clientTag;
     }
 
+    public String getClientDisplayName() { return this.clientDisplayName; }
+
+    public void setClientDisplayName(String clientDisplayName) { this.clientDisplayName = clientDisplayName; }
+
     public String getTicket() {
         return ticket;
     }

server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java

@@ -33,6 +33,7 @@
 import com.cloud.storage.GuestOSVO;
 import com.cloud.user.Account;
 import com.cloud.user.AccountManager;
+import com.cloud.uservm.UserVm;
 import com.cloud.utils.Pair;
 import com.cloud.utils.Ternary;
 import com.cloud.utils.component.ManagerBase;
@@ -285,11 +286,15 @@ private ConsoleEndpoint composeConsoleAccessEndpoint(String rootUrl, VirtualMach
         UserVmDetailVO details = userVmDetailsDao.findDetail(vm.getId(), VmDetailConstants.KEYBOARD);
 
         String tag = vm.getUuid();
+        String displayName = vm.getHostName();
+        if (vm instanceof UserVm) {
+            displayName = ((UserVm) vm).getDisplayName();
+        }
 
         String ticket = genAccessTicket(parsedHostInfo.first(), String.valueOf(port), sid, tag, sessionUuid);
         ConsoleProxyPasswordBasedEncryptor encryptor = new ConsoleProxyPasswordBasedEncryptor(getEncryptorPassword());
         ConsoleProxyClientParam param = generateConsoleProxyClientParam(parsedHostInfo, port, sid, tag, ticket,
-                sessionUuid, addr, extraSecurityToken, vm, hostVo, details, portInfo, host);
+                sessionUuid, addr, extraSecurityToken, vm, hostVo, details, portInfo, host, displayName);
         String token = encryptor.encryptObject(ConsoleProxyClientParam.class, param);
         int vncPort = consoleProxyManager.getVncPort();
 
@@ -353,12 +358,14 @@ private ConsoleProxyClientParam generateConsoleProxyClientParam(Ternary<String,
                                                                     String sessionUuid, String addr,
                                                                     String extraSecurityToken, VirtualMachine vm,
                                                                     HostVO hostVo, UserVmDetailVO details,
-                                                                    Pair<String, Integer> portInfo, String host) {
+                                                                    Pair<String, Integer> portInfo, String host,
+                                                                    String displayName) {
         ConsoleProxyClientParam param = new ConsoleProxyClientParam();
         param.setClientHostAddress(parsedHostInfo.first());
         param.setClientHostPort(port);
         param.setClientHostPassword(sid);
         param.setClientTag(tag);
+        param.setClientDisplayName(displayName);
         param.setTicket(ticket);
         param.setSessionUuid(sessionUuid);
         param.setSourceIP(addr);

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyAjaxHandler.java

@@ -76,6 +76,7 @@ private void doHandle(HttpExchange t) throws Exception, IllegalArgumentException
         String portStr = queryMap.get("port");
         String sid = queryMap.get("sid");
         String tag = queryMap.get("tag");
+        String displayName = queryMap.get("displayname");
         String ticket = queryMap.get("ticket");
         String ajaxSessionIdStr = queryMap.get("sess");
         String eventStr = queryMap.get("event");
@@ -129,6 +130,7 @@ private void doHandle(HttpExchange t) throws Exception, IllegalArgumentException
             param.setClientHostPort(port);
             param.setClientHostPassword(sid);
             param.setClientTag(tag);
+            param.setClientDisplayName(displayName);
             param.setTicket(ticket);
             param.setClientTunnelUrl(console_url);
             param.setClientTunnelSession(console_host_session);

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyAjaxImageHandler.java

@@ -69,6 +69,7 @@ private void doHandle(HttpExchange t) throws Exception, IllegalArgumentException
         String portStr = queryMap.get("port");
         String sid = queryMap.get("sid");
         String tag = queryMap.get("tag");
+        String displayName = queryMap.get("displayname");
         String ticket = queryMap.get("ticket");
         String keyStr = queryMap.get("key");
         String console_url = queryMap.get("consoleurl");
@@ -113,6 +114,7 @@ private void doHandle(HttpExchange t) throws Exception, IllegalArgumentException
         param.setClientHostPort(port);
         param.setClientHostPassword(sid);
         param.setClientTag(tag);
+        param.setClientDisplayName(displayName);
         param.setTicket(ticket);
         param.setClientTunnelUrl(console_url);
         param.setClientTunnelSession(console_host_session);

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyClientParam.java

@@ -26,6 +26,7 @@ public class ConsoleProxyClientParam {
     private int clientHostPort;
     private String clientHostPassword;
     private String clientTag;
+    private String clientDisplayName;
     private String ticket;
 
     private String clientTunnelUrl;
@@ -89,6 +90,10 @@ public void setClientTag(String clientTag) {
         this.clientTag = clientTag;
     }
 
+    public String getClientDisplayName() { return this.clientDisplayName; }
+
+    public void setClientDisplayName(String clientDisplayName) { this.clientDisplayName = clientDisplayName; }
+
     public String getTicket() {
         return ticket;
     }

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyHttpHandlerHelper.java

@@ -71,6 +71,14 @@ public static Map<String, String> getQueryMap(String query) {
                 } else {
                     s_logger.error("decode token. tag info is not found!");
                 }
+                if (param.getClientDisplayName() != null) {
+                    if (s_logger.isDebugEnabled()) {
+                        s_logger.debug("decode token. displayname: " + param.getClientDisplayName());
+                    }
+                    map.put("displayname", param.getClientDisplayName());
+                } else {
+                    s_logger.error("decode token. displayname info is not found!");
+                }
                 if (param.getClientHostPassword() != null) {
                     map.put("sid", param.getClientHostPassword());
                 } else {

services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyNoVNCHandler.java

@@ -29,6 +29,7 @@
 import org.eclipse.jetty.websocket.api.Session;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketClose;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketConnect;
+import org.eclipse.jetty.websocket.api.annotations.OnWebSocketError;
 import org.eclipse.jetty.websocket.api.annotations.OnWebSocketFrame;
 import org.eclipse.jetty.websocket.api.annotations.WebSocket;
 import org.eclipse.jetty.websocket.api.extensions.Frame;
@@ -79,6 +80,7 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
         String sid = queryMap.get("sid");
         String tag = queryMap.get("tag");
         String ticket = queryMap.get("ticket");
+        String displayName = queryMap.get("displayname");
         String ajaxSessionIdStr = queryMap.get("sess");
         String console_url = queryMap.get("consoleurl");
         String console_host_session = queryMap.get("sessionref");
@@ -126,6 +128,7 @@ public void onConnect(final Session session) throws IOException, InterruptedExce
             param.setClientHostPassword(sid);
             param.setClientTag(tag);
             param.setTicket(ticket);
+            param.setClientDisplayName(displayName);
             param.setClientTunnelUrl(console_url);
             param.setClientTunnelSession(console_host_session);
             param.setLocale(vm_locale);
@@ -174,4 +177,9 @@ public void onClose(Session session, int statusCode, String reason) throws IOExc
     public void onFrame(Frame f) throws IOException {
         viewer.sendClientFrame(f);
     }
+
+    @OnWebSocketError
+    public void onError(Throwable cause) {
+        s_logger.error("Error on websocket", cause);
+    }
 }