Simplify VNC management and fix SSL problems

and fix regression in popup mode

extra/installer/zenbuntu-desktop/firefox-cert-override

@@ -41,6 +41,4 @@ my $key = encode_base64($buf);
 my @key_bits = ( $key =~ /.{1,64}/gs );
 $key = join("\t", @key_bits);
 
-for my $port (8443, 6900 .. 6910) {
-    print "localhost:$port\tOID.2.16.840.1.101.3.4.2.1\t$fp\tMU\t$key";
-}
+print "localhost:8443\tOID.2.16.840.1.101.3.4.2.1\t$fp\tMU\t$key";

main/core/ChangeLog

@@ -1,4 +1,5 @@
 6.0
+	+ Simplify nginx.conf includes management
 	+ Fix undefined $actualValue warning in ViewCustomizer
 	+ Fix unitialized $filter warning in tableBody.mas
 	+ Set default size of EBox::Types::Int to 6

main/core/extra/css/public.css.mas

@@ -2011,13 +2011,15 @@ body.first-install {
 **************************************************************************************/
 
 .VMConsole{
-    width: 80% !important;
-    top: 50px !important;
+    left: 50% !important;
+    transform: translateX(-50%);
+    height: auto !important;
+    width: auto !important;
 }
-#load_in_dialog iframe {
+#vnc_frame {
+    display: none;
     border: 0 solid white;
     height: 100%;
-    min-height: 600px;
     width: 100%;
 }
 .moveRowHandle {

main/core/src/EBox/WebAdmin.pm

@@ -167,7 +167,6 @@ sub _writeNginxConfFile
     push @confFileParams, (port                => $self->listeningPort());
     push @confFileParams, (tmpdir              => EBox::Config::tmp());
     push @confFileParams, (zentyalconfdir      => EBox::Config::conf());
-    push @confFileParams, (includes            => $self->_nginxIncludes(1));
     push @confFileParams, (servers             => $self->_nginxServers(1));
     push @confFileParams, (restrictedresources => $self->get_list('restricted_resources') );
     if (@{$self->_CAs(1)}) {
@@ -415,93 +414,6 @@ sub _nginxServers
     return \@servers;
 }
 
-# Method: addNginxInclude
-#
-#      Add an "include" directive to the nginx configuration. If it is already
-#      added, it does nothing
-#
-#      Added only in the webadmin server file
-#
-# Parameters:
-#
-#      includeFilePath - String the configuration file path to include
-#      in nginx configuration
-#
-# Exceptions:
-#
-#      <EBox::Exceptions::MissingArgument> - thrown if any compulsory
-#      argument is missing
-#
-sub addNginxInclude
-{
-    my ($self, $includeFilePath) = @_;
-
-    unless(defined($includeFilePath)) {
-        throw EBox::Exceptions::MissingArgument('includeFilePath');
-    }
-
-    my @includes = @{$self->_nginxIncludes(0)};
-    unless ( grep { $_ eq $includeFilePath } @includes) {
-        push(@includes, $includeFilePath);
-        $self->set_list(NGINX_INCLUDE_KEY, 'string', \@includes);
-    }
-
-}
-
-# Method: removeNginxInclude
-#
-#      Remove an "include" directive to the nginx configuration. If the
-#      "include" was not in the configuration, it does nothing
-#
-#
-# Parameters:
-#
-#      includeFilePath - String the configuration file path to remove
-#      from nginx configuration
-#
-# Exceptions:
-#
-#      <EBox::Exceptions::MissingArgument> - thrown if any compulsory
-#      argument is missing
-#
-#
-sub removeNginxInclude
-{
-    my ($self, $includeFilePath) = @_;
-
-    unless(defined($includeFilePath)) {
-        throw EBox::Exceptions::MissingArgument('includeFilePath');
-    }
-    my @includes = @{$self->_nginxIncludes(0)};
-    my @newIncludes = grep { $_ ne $includeFilePath } @includes;
-    if ( @newIncludes == @includes ) {
-        return;
-    }
-    $self->set_list(NGINX_INCLUDE_KEY, 'string', \@newIncludes);
-
-}
-
-# Return those include files that has been added
-sub _nginxIncludes
-{
-    my ($self, $check) = @_;
-    my $includeList = $self->get_list(NGINX_INCLUDE_KEY);
-    if (not $check) {
-        return $includeList;
-    }
-
-    my @includes;
-    foreach my $incPath (@{ $includeList }) {
-        if ((-f $incPath) and (-r $incPath)) {
-            push @includes, $incPath;
-        } else {
-            EBox::warn("Ignoring nginx include $incPath: cannot read the file or it is not a regular file");
-        }
-    }
-
-    return \@includes;
-}
-
 # Method: certificates
 #
 # Overrides: EBox::Module::Service::certificates

main/core/stubs/nginx.conf.mas

@@ -6,7 +6,6 @@ Parameters:
     port - Int the listening port.
     tmpdir - String the path to the WebAdmin temporary directory.
     zentyalconfdir - String the path to the WebAdmin configuration folder.
-    includes - Array. The list of configuration files to include.
     servers - Array The list of configuration files with servers definition.
     restrictedresources - Array containing a hash ref structure which contains
                           the following elements:
@@ -20,7 +19,6 @@ Parameters:
     $tmpdir
     $zentyalconfdir
     $caFile
-    @includes => ()
     @servers => ()
     @restrictedresources => ()
 </%args>
@@ -160,6 +158,8 @@ http {
         }
 <& .restricted, restrictions => $sectionrestrictions{''} &>
 
+        include /var/lib/zentyal/conf/nginx-*.conf;
+
         location @proxy {
             uwsgi_pass unix:///run/zentyal-webadmin/webadmin.sock;
 
@@ -180,10 +180,6 @@ http {
             uwsgi_param SERVER_NAME $server_name;
             uwsgi_param HTTP_X_FORWARDED_PROTO https;
         }
-% foreach my $includeFile (@includes) {
-
-        include <% $includeFile %>;
-% }
     }
 
 % foreach my $serverFile (@servers) {

main/virt/ChangeLog

@@ -1,4 +1,5 @@
 6.0
+	+ Simplify VNC management and fix SSL problems
 	+ Remove duplicated call to createInternalNetworks()
 	+ Add support for EFI or Hybrid ISO files
 	+ Adapt to Ubuntu 18.04

main/virt/conf/virt.conf

@@ -9,13 +9,6 @@
 # this key only applies to virtual machine with system operative set to 'Other'
 #use_ide_disks = yes
 
-# View Console size
-# You can customize the width and height of the built-in VNC console
-# that appears on the Zentyal interface
-# Default size: 800x600
-view_console_width = 800
-view_console_height = 600
-
 # System user who will run the virtualbox machines
 vm_user = ebox
 
@@ -46,4 +39,4 @@ vm_max = 32
 # chmod 600 /var/lib/zentyal/conf/vnc-passwd
 
 # Open noVNC virtual console on a new window
-view_console_new_window = yes
+view_console_new_window = no

main/virt/debian/zentyal.vncproxy.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Zentyal vncproxy daemon
+
+[Service]
+ExecStart=/usr/bin/websockify --ssl-only --key=/var/lib/zentyal/conf/ssl/ssl.key --cert=/var/lib/zentyal/conf/ssl/ssl.pem --token-plugin TokenFile --token-source /var/lib/zentyal/conf/vnc-tokens --web /usr/share/novnc 6900
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

main/virt/extra/files.list

@@ -0,0 +1 @@
+nginx-virt.conf /var/lib/zentyal/conf

main/virt/extra/nginx-virt.conf

@@ -0,0 +1,18 @@
+    location /websockify {
+          proxy_http_version 1.1;
+          proxy_pass https://127.0.0.1:6900/;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+
+          # VNC connection timeout
+          proxy_read_timeout 61s;
+
+          # Disable cache
+          proxy_buffering off;
+    }
+
+    location /vncws {
+          index vnc_auto.html;
+          alias /usr/share/novnc/;
+          try_files $uri $uri/ /vnc_auto.html;
+    }

main/virt/src/EBox/Virt.pm

@@ -41,6 +41,7 @@ use constant DEFAULT_VNC_PORT => 5900;
 use constant LIBVIRT_BIN => '/usr/bin/virsh';
 use constant DEFAULT_VIRT_USER => 'ebox';
 use constant VNC_PASSWD_FILE => '/var/lib/zentyal/conf/vnc-passwd';
+use constant VNC_TOKENS_FILE => '/var/lib/zentyal/conf/vnc-tokens';
 
 my $SYSTEMD_PATH = '/lib/systemd/system';
 my $WWW_PATH = EBox::Config::www();
@@ -179,6 +180,7 @@ sub _setConf
             $vncPasswords{$machine} = $pass;
         }
     }
+    my %vncPorts;
 
     $backend->initInternalNetworks();
 
@@ -207,6 +209,7 @@ sub _setConf
         }
 
         my $vncport = $vm->valueByName('vncport');
+        $vncPorts{$name} = $vncport;
         $self->_writeMachineConf($name, $vncport, $vncPasswords{$name});
         $backend->writeConf($name);
     }
@@ -223,6 +226,11 @@ sub _setConf
     @lines = map { "$_:$vncPasswords{$_}\n" } keys %vncPasswords;
     write_file(VNC_PASSWD_FILE, @lines);
     chmod (0600, VNC_PASSWD_FILE);
+
+    # Write vncproxy tokens file
+    @lines = map { "$_: 127.0.0.1:$vncPorts{$_}\n" } keys %vncPorts;
+    write_file(VNC_TOKENS_FILE, @lines);
+    chmod (0600, VNC_TOKENS_FILE);
 }
 
 sub updateFirewallService
@@ -255,13 +263,6 @@ sub machineDaemon
     return "zentyal-virt.$name";
 }
 
-sub vncDaemon
-{
-    my ($self, $name) = @_;
-
-    return "zentyal-virt.vnc.$name";
-}
-
 sub vmRunning
 {
     my ($self, $name) = @_;
@@ -304,12 +305,6 @@ sub _manageVM
     my $manageScript = $self->manageScript($name);
     $manageScript = shell_quote($manageScript);
     EBox::Sudo::root("$manageScript $action");
-
-    my $vncDaemon = $self->vncDaemon($name);
-    my $currentStatus = EBox::Service::running($vncDaemon) ? 'start' : 'stop';
-    if ($action ne $currentStatus) {
-        EBox::Service::manage($vncDaemon, $action);
-    }
 }
 
 sub pauseVM
@@ -539,20 +534,11 @@ sub _writeMachineConf
             { uid => 0, gid => 0, mode => '0644' }
     );
 
-    EBox::Module::Base::writeConfFileNoCheck(
-            "$SYSTEMD_PATH/" . $self->vncDaemon($name) . '.service',
-            '/virt/vncproxy.mas',
-            [ vncport => $vncport, listenport => $listenport ],
-            { uid => 0, gid => 0, mode => '0644' }
-    );
-
-    my $width = $self->consoleWidth();
-    my $height = $self->consoleHeight();
     my $gid = getgrnam('www-data'); # nginx needs to read it
     EBox::Module::Base::writeConfFileNoCheck(
             EBox::Config::www() . "/vncviewer-$name.html",
             '/virt/vncviewer.html.mas',
-            [ port => $listenport, password => $vncpass, width => $width, height => $height ],
+            [ token => $name, password => $vncpass ],
             { uid => 0, gid => $gid, mode => '0640' }
     );
 }
@@ -643,21 +629,6 @@ sub firstFreeVNCPort
     return $prev + 1;
 }
 
-sub consoleWidth
-{
-    my ($self) = @_;
-
-    my $vncport = EBox::Config::configkey('view_console_width');
-    return $vncport ? $vncport : 800;
-}
-
-sub consoleHeight
-{
-    my ($self) = @_;
-    my $vncport = EBox::Config::configkey('view_console_height');
-    return $vncport ? $vncport : 600;
-}
-
 sub viewNewWindow
 {
     return EBox::Config::boolean('view_console_new_window');

main/virt/src/EBox/Virt/Libvirt.pm

@@ -755,7 +755,11 @@ sub vmsPath
 
 sub daemons
 {
-    return [ { name => 'virtlogd' }, { name => 'libvirtd' } ];
+    return [
+        { name => 'virtlogd' },
+        { name => 'libvirtd' },
+        { name => 'zentyal.vncproxy' }
+    ];
 }
 
 sub ifaces

main/virt/src/EBox/Virt/Model/VirtualMachines.pm

@@ -241,16 +241,13 @@ sub _viewConsoleClicked
         return "return false";
     }
 
-    my $width = $virt->consoleWidth() . 'px';
-    my $height = $virt->consoleHeight() . 'px';
-
     my $viewConsoleURL = "/data/vncviewer-$name.html";
     my $viewConsoleCaption = __('View Console') . " ($name)";
 
     if ($virt->viewNewWindow()) {
         return "window.open('$viewConsoleURL'); return false";
     } else {
-        return "Zentyal.Dialog.showURL('$viewConsoleURL', {title: '$viewConsoleCaption', width: '$width', height: '$height', wideWindow : true, dialogClass: 'VMConsole' }); return false";
+        return "Zentyal.Dialog.showURL('$viewConsoleURL', {title: '$viewConsoleCaption', wideWindow : true, dialogClass: 'VMConsole' }); return false";
     }
 }