Description of problem:
Currently, oVirt has a hard dependency on novnc on the host it is installed on.

Version-Release number of selected component (if applicable):
3.3.2, should also apply to current master and 3.4 branches

How reproducible:
always

Steps to Reproduce:
1. install ovirt-engine
2. watch dependency installation of novnc
3.

Actual results:
novnc gets installed, even if you do not use it at all, or if you want to install it on a separate host

Expected results:
unbundle novnc from ovirt-engine setup

Additional info:
First: not everyone uses or needs novnc at all, so it's a package that is not needed for core functionality.
Second: You might just want to run the novnc software from a different host which communicates with the ovirt hosts for security reasons, because the client needs to reach the server directly where novnc is installed, this may be forbidden for security reasons. So you can set up novnc on a different machine and generate tickets via api in order to get access to the vms, but you still have novnc installed on the engine host for no reason.

What I did not try: set up ovirt-engine and then remove the novnc package. Would this break ovirt-engine, as it expects novnc to be present?
Not sure I understand what you mean by running novnc on another host. The client is integrated into ovirt, hence it's a dependency. It runs in the client's browser, so it doesn't really matter much where you're getting it from. You can use another instance/client set up elsewhere in a non-integrated way, pretty much the same way as any other custom client, getting the ticket via API and launching it yourself. Or is this about websocket proxy deployment?
Well, as you said, you can run novnc on another client and get the ticket via api. Then you don't need novnc on the engine host. Thus it would be cool to change its installation from "integrated" to "optional" at engine-setup (let the installer maybe ask if you want to use the novnc integration, maybe default to yes?). This would somewhat lower the attack surface of the engine host.
There's a default installer option for websocket proxy which is independent. But novnc itself is part of the product; if you don't want to use it, it's not going to be run or anything…pretty much like all those hundreds of megabytes of jboss code :) I'm not sure the setup code handles additional dependencies and can pull in an extra rpm based on an engine-setup answer. Alon? I still think the current integration is better and would only consider a case of platforms where the novnc package is not available…to have a "configure --with-*"-like option….however, since it's just a bunch of javascript files, I don't think there's actually any need.
We have some unneeded packages as dependencies to ease user experience.

Examples for comfort dependencies:
ovirt-engine-cli
ovirt-image-uploader
ovirt-iso-uploader
ovirt-log-collector
postgresql-server
novnc
spice-html5
python-websockify

Example of configuration that may be split into different server with effort:
httpd
mod_ssl
nfs-utils

Not sure that in the case of the websockify we have an issue as it is small and in most configurations we would like it up and running on engine machine. The websocket support was initially written as separate module, and dependency was added to ovirt-engine in order to ease users to set it up:

Requires: %{name}-websocket-proxy >= %{version}-%{release}

It can be removed, so only when installed setup will prompt for questions.
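Added example, not part of the thread or of the oVirt packaging: a small audit that reads `rpm -q --requires` output and reports which of the comfort dependencies listed in the comment above are hard requirements of a package. The sample input is constructed so the script runs offline; the function names are assumptions of this example.

```shell
#!/bin/sh
# Comfort dependencies as listed in the comment above.
COMFORT_DEPS="ovirt-engine-cli ovirt-image-uploader ovirt-iso-uploader \
ovirt-log-collector postgresql-server novnc spice-html5 python-websockify"

# hard_comfort_deps: read `rpm -q --requires <pkg>` output on stdin and print,
# sorted and de-duplicated, the comfort dependencies present as hard Requires.
# Each input line is "capability [op version]"; only the first field is matched,
# so file paths, rpmlib() entries and versioned requirements are handled.
hard_comfort_deps() {
    awk -v list="$COMFORT_DEPS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) && !seen[$1]++ { print $1 }
    ' | LC_ALL=C sort
}

# Constructed sample of `rpm -q --requires` output (not taken from a real
# oVirt package; versions are made up for illustration).
sample_requires() {
    cat <<'EOF'
/bin/sh
httpd
mod_ssl
novnc
ovirt-engine-websocket-proxy >= 3.3.2-1
postgresql-server >= 8.4.7
python-websockify
rpmlib(CompressedFileNames) <= 3.0.4-1
spice-html5
novnc
EOF
}

# On a real host, feed the installed package's requirements instead:
#   rpm -q --requires <package> | hard_comfort_deps
# `rpm -e --test novnc` then reports, without removing anything, which
# installed packages would be left with a broken dependency.
sample_requires | hard_comfort_deps
```
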
I don't think it's worth the effort. Indeed it's very small.
Hi, We want to have this. As soon as we split dwh/reports to different host, this will be possible as well. Should be on queue... so won't be left out. Thanks,
@Alon, not that I mind, but what is it good for? @Simone, what and where is POSTed?
@Michal added missing reference to the gerrit patch
(In reply to Michal Skrivanek from comment #7)
> @Alon, not that I mind, but what is it good for?

As I wrote in gerrit, this work should be done after the engine setup rework is done to make the engine optional properly, then we can allow installing the websocket proxy on its own. I think it is premature at this point.
(In reply to Sandro Bonazzola from comment #8)

IIUC the patch is about the websocket-proxy (which makes sense), whereas this bug is about the novnc client code (the actual .js stuff, which is IMHO useless)
Hi Michal,
probably the bug description is a bit misleading.

> because the client
> needs to reach the server directly where novnc is installed, this may be
> forbidden for security reasons.

I try to read it this way: noVNC is a browser-based VNC client implemented using HTML5 WebSockets and, as you said, it's coded in JS. So what Sven calls the novnc client is the real novnc, and in my opinion you don't need an additional RPM for that because it's simply composed of some js already packed in the portal webapp.

What Sven calls the novnc server is instead what we call WebSocketProxy. WebSocketProxy acts as a proxy between the HTML5 WebSocket world and the VNC world because the VNC server embedded in qemu on the managed hosts, as far as I know, doesn't support websockets natively. So we need to add a proxy that connects to the VNC server embedded in qemu on the managed host, exposing it via HTML5 WebSocket for the novnc clients in the browser.

Until today the WebSocketProxy should be installed on the same machine that runs the ovirt engine. Sven is saying that a user could prefer to avoid exposing the engine machine to the outside world, but the noVNC clients still need to reach the WebSocketProxy, and so he is proposing to let the user install the WebSocketProxy on a different host for security reasons, and that is exactly what my patch addresses.
1. novnc is required by webadmin if you use webadmin with novnc.
2. If you use webadmin with e.g. spice or traditional vnc client you do not need novnc.
3. If you don't use webadmin, you don't need novnc on ovirt-engine host.

Conclusion:
it's just a (small) waste of bytes with possible security bugs

so for my use case: I'd like to use webadmin as little as possible (I do just things there that can't be done via API atm). The optimal case would be to not even need to install webadmin, just the REST api to the DB :)

I hope I could make my point more clear now? I hope I can achieve this goal in 3.5 or 3.6 when we got ovirt.js and full rest support. Maybe then you can even delete the hard dependency for webadmin? :)
(In reply to Sven Kieske from comment #12)
> Conclusion:
> it's just a (small) waste of bytes with possible security bugs

1. very small compared to our other infra.
2. security level of such product is determined by the server side components not the client side components, so novnc artifacts cannot affect the security level of ovirt-engine.
(In reply to Simone Tiraboschi from comment #11) Simone, yes, that's exactly my point, that's about WebSocket Proxy, not about the .js files which are executed in client's context. IIUC that's not what you're working on in 3.5, right? @Sven: "so for my use case: I'd like to use webadmin as little as possible" compared to the megabytes of other stuff we have sitting on the disk it's not really relevant if there are some .js files there or not. No one is forcing you to run them. If you're asking for splitting webadmin, I'd suggest to use a dedicated bug for that
With oVirt 3.5 the websocket proxy could be installed on a separate host.