It looks like a couple of projects are interested in using the noVNC
viewer as a way of talking to machines from a web browser. I've made a
first stab at packaging them, and, in doing so, learned a little bit.
The noVNC code is designed around a proxy that, under the Debian deploy,
lives in /usr/share/noVNC/utils/. This directory contains shell
scripts, a shared object complete with Makefile, and lots of python
code. Needless to say, it does not match Fedora packaging standards.
It uses the Websocket protocol, which is not quite HTTP. Apache HTTPD
does not support Websocket natively, although there is apparently a
path to do so via
http://code.google.com/p/pywebsocket/. However, the
noVNC approach is to bundle a simple web server and websocket
implementation. In addition, a python script called websockify handles
SSL.
When deployed, the web proxy does not lock down browsing of sub dirs.
When run from an init script that did not set cwd, it exposes the
entire directory tree underneath. The normal usage is better: devstack
runs

    $ cd /opt/stack/noVNC && ./utils/nova-novncproxy --config-file /etc/nova/nova.conf --web .

Run this way, it only exposes the /usr/share/noVNC directory as read
only, but really should not allow directory indexing. However, our
current init script runs:

    daemon --user nova --pidfile $pidfile "$exec --flagfile $config --logfile $logfile &>/dev/null & echo \$! > $pidfile"

where $exec is /usr/bin/nova-vncproxy.
In my spec file, in order to match this, I moved the executables from
/opt/stack/noVNC/utils to /usr/bin, but that does not seem like a good
long term solution: they are generically named and should have novnc as
part of their name as well.
I've also renamed /opt/stack/noVNC/utils/nova-novncproxy to
/usr/bin/nova-vncproxy, which seems like it should not be necessary.
Currently, the Openstack specific code is in the upstream git repo for
noVNC, but it really should be moved to the Nova git repository. I'll
talk to the original author to find out his rationale, and to see if we
can get it moved over.
I've posted my current work here:
http://admiyo.fedorapeople.org/noVNC/
but I would not suggest that people use it yet. I am certainly willing to
take feedback on the spec file:
http://admiyo.fedorapeople.org/noVNC/novnc.spec
Dan B suggested a few things that I'd like to record here:
1. Is there a need to create a novnc user with an empty home dir to run in?
2. The python code should be made into a site-package.
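
The two web-serving problems described above (a document root that depends on cwd, and directory indexing) can both be closed in the static file handler. The following is an added example, not code from noVNC, websockify or the post's author; it uses the Python 3 standard library http.server rather than noVNC's bundled server, and the names NoIndexHandler, serve and status are hypothetical.

```python
import functools
import http.client
import http.server
import os
import threading


class NoIndexHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that refuses to generate directory listings."""

    def list_directory(self, path):
        # The base class calls this when a directory has no index.html.
        # Answer 403 instead of listing the directory contents.
        self.send_error(403, "Directory listing disabled")
        return None

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


def serve(web_root, host="127.0.0.1", port=0):
    """Serve only web_root, independent of the process's working directory.

    web_root would be an absolute path such as /usr/share/noVNC, passed
    explicitly by the init script instead of relying on "--web ." and cwd.
    """
    web_root = os.path.realpath(web_root)
    if not os.path.isdir(web_root):
        raise ValueError("web root is not a directory: %s" % web_root)
    # Pin the handler to web_root; without this it serves os.getcwd().
    handler = functools.partial(NoIndexHandler, directory=web_root)
    server = http.server.ThreadingHTTPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def status(server, path):
    """Return the HTTP status code for GET path (used to check behaviour)."""
    host, port = server.server_address[:2]
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()
```

With this handler, a request for a file under the web root still succeeds, while a request for any directory without an index.html returns 403 regardless of where the daemon was started.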