Show helper to set up SSH tunnel for Desktop Viewer #1084
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| /* | ||
| * This file is part of Cockpit. | ||
| * | ||
| * Copyright (C) 2023 Red Hat, Inc. | ||
| * | ||
| * Cockpit is free software; you can redistribute it and/or modify it | ||
| * under the terms of the GNU Lesser General Public License as published by | ||
| * the Free Software Foundation; either version 2.1 of the License, or | ||
| * (at your option) any later version. | ||
| * | ||
| * Cockpit is distributed in the hope that it will be useful, but | ||
| * WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | ||
| * Lesser General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Lesser General Public License | ||
| * along with Cockpit; If not, see <http://www.gnu.org/licenses/>. | ||
| */ | ||
| export function getServerAddress() { | ||
| return window.location.hostname; | ||
| } | ||
|
|
||
| export function isLocalhost(address) { | ||
| return address === "localhost" || address.startsWith("127"); | ||
|
There was a problem hiding this comment. Do we need to be concerned about IPv6? |
||
| } | ||
|
|
||
| export function isAmbigious(address) { | ||
skobyda marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| return isLocalhost(address) || ["0", "0.0.0.0"].includes(address); | ||
| } | ||
|
|
||
| // Get address where VNC or SPICE server is located | ||
| export function getConsoleAddress(consoleDetails) { | ||
| let address = consoleDetails.address; | ||
|
There was a problem hiding this comment. This looks like a server listening address then, judging by the test that you run on it. Would this ever be an actually real address? Even if it's interface specific, it's usually a netmask then, such as 10.1.2.0/24 There was a problem hiding this comment. Yeah that is an address at which a VNC server is listening to. |
||
|
|
||
| if (!address || isAmbigious(address)) | ||
| address = getServerAddress(); | ||
|
There was a problem hiding this comment. I don't understand why the UI wouldn't just always show window.location.hostname -- in what situations would that be wrong? It could be if Cockpit is running behind a reverse proxy -- but then you have no chance of figuring out the real server name/IP anyway, and the UI will be wrong. But I don't see much that you can do about it. There was a problem hiding this comment. Server can have multiple IP addresses, and VNC server can be configured to listen only to one specific IP address. So I think I'll drop this logic here, and see if somebody asks for it in the future |
||
|
|
||
| return address; | ||
| } | ||
|
|
||
| export function needsTunnel(consoleAddress, serverAddress) { | ||
| return isLocalhost(consoleAddress) && !isLocalhost(serverAddress); | ||
| } | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@martinpitt Is there any way for me to mock
window.location.hostnamein our tests so I can test a situation where it's value is different from localhost/127.x.x.x ?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not directly -- if you write to that attribute, you will actually change the page. But you can add a destructive test with
provisionto actually get a second machine, like you already did in test/check-machines-migrate. That's IMHO a better way to validate that this really works.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As you just said in the chat, this won't help, as the browser runs outside the VMs and the cockpit port always gets tunneled to 127.0.0.2. We can't run a browser inside the VM. So this is actually exactly the unfixable cockpit behind a reverse proxy scenario below.
But there's a workaround: You can restrict the "localhost" check to 127.0.0.1, treat any other 127.* address as "remote", and then have one test set up a
socatfrom 127.0.0.2:cockpit_port to 127.0.0.1:5555 (or any other port which is definitively not used); then that test can connect the browser to that forwarded port and it'll appear as truly "localhost". See e.g. this cockpit test where we do this. The caveat is that we run socat in the VM in these tests. But (1) our tasks container has socat, and (2) you can also usessh -Lto tunnel the port (which is incidentally the very thing that this PR advertises, so perhaps that's better 😁 )