novnc no longer sets token inside cookie
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | OpenStack Compute (nova) |
High
|
Mohammed Naser | ||
| | Rocky |
Undecided
|
Unassigned | ||
| | Stein |
Medium
|
Lee Yarwood | ||
| | openstack-ansible |
Undecided
|
melanie witt | ||
Bug Description
For a long time, noVNC set the token inside a cookie so that when the /websockify request came in, we had it in the cookies and we could look it up from there and return the correct host.
However, since the following commit, they've removed this behavior
This means that we're unable to use latest noVNC with Nova. There is a really gross workaround of using the 'path' override in the URL for something like this
http://
That feels pretty lame to me and it will have all deployment tools change their settings. Also, this wasn't caught in CI because we deploy novnc from packages.
| melanie witt (melwitt) wrote : | #1 |
| tags: | added: console |
| Changed in nova: | |
| assignee: | nobody → melanie witt (melwitt) |
| importance: | Undecided → High |
| status: | New → Confirmed |
Related fix proposed to branch: master
Review: https:/
| melanie witt (melwitt) wrote : | #3 |
I've opened the following pull request for noVNC:
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 33c4f9df3dfc263
Author: Mohammed Naser <email address hidden>
Date: Mon Apr 1 16:50:15 2019 -0400
Use non-broken commit for NoVNC
NoVNC shipped a change that broke the entire Nova integration,
this patch reverts to the change *just* before it in order to
be able to ship a working NoVNC.
Change-Id: Icde731c89c6666
Related-Bug: #1822676
| Changed in nova: | |
| status: | Confirmed → In Progress |
| melanie witt (melwitt) wrote : | #5 |
nova patch is proposed here: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 9606c80402f6db2
Author: Mohammed Naser <email address hidden>
Date: Tue Apr 2 11:34:58 2019 -0400
Add 'path' query parameter to console access url
Starting in noVNC v1.1.0, the token query parameter is no longer
forwarded via cookie [1]. We must instead use the 'path' query
parameter to pass the token through to the websocketproxy [2].
This means that if someone deploys noVNC v1.1.0, VNC consoles will
break in nova because the code is relying on the cookie functionality
that v1.1.0 removed.
This modifies the ConsoleAuthToke
'path' query parameter as part of the returned access_url that the
client will use to call the console proxy service.
This change is backward compatible with noVNC < v1.1.0. The 'path' query
parameter is a long supported feature in noVNC.
Co-Authored-By: melanie witt <email address hidden>
Closes-Bug: #1822676
[1] https:/
[2] https:/
Change-Id: I2ddf0f4d768b69
| Changed in nova: | |
| status: | In Progress → Fix Released |
Fix proposed to branch: stable/stein
Review: https:/
Change abandoned by Lee Yarwood (<email address hidden>) on branch: stable/stein
Review: https:/
Related fix proposed to branch: master
Review: https:/
| OpenStack Infra (hudson-openstack) wrote : Related fix proposed to openstack-ansible-os_tempest (master) | #10 |
Related fix proposed to branch: master
Review: https:/
| Changed in openstack-ansible: | |
| assignee: | nobody → melanie witt (melwitt) |
| status: | New → In Progress |
| Changed in nova: | |
| assignee: | melanie witt (melwitt) → Mohammed Naser (mnaser) |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/stein
commit 186aff98b751b97
Author: Mohammed Naser <email address hidden>
Date: Tue Apr 2 11:34:58 2019 -0400
Add 'path' query parameter to console access url
Starting in noVNC v1.1.0, the token query parameter is no longer
forwarded via cookie [1]. We must instead use the 'path' query
parameter to pass the token through to the websocketproxy [2].
This means that if someone deploys noVNC v1.1.0, VNC consoles will
break in nova because the code is relying on the cookie functionality
that v1.1.0 removed.
This modifies the ConsoleAuthToke
'path' query parameter as part of the returned access_url that the
client will use to call the console proxy service.
This change is backward compatible with noVNC < v1.1.0. The 'path' query
parameter is a long supported feature in noVNC.
Co-Authored-By: melanie witt <email address hidden>
Closes-Bug: #1822676
[1] https:/
[2] https:/
Change-Id: I2ddf0f4d768b69
(cherry picked from commit 9606c80402f6db2
Fix proposed to branch: stable/rocky
Review: https:/
This issue was fixed in the openstack/nova 19.0.2 release.
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: stable/rocky
commit d72f24569ea9da1
Author: Mohammed Naser <email address hidden>
Date: Tue Apr 2 11:34:58 2019 -0400
Add 'path' query parameter to console access url
Starting in noVNC v1.1.0, the token query parameter is no longer
forwarded via cookie [1]. We must instead use the 'path' query
parameter to pass the token through to the websocketproxy [2].
This means that if someone deploys noVNC v1.1.0, VNC consoles will
break in nova because the code is relying on the cookie functionality
that v1.1.0 removed.
This modifies the ConsoleAuthToke
'path' query parameter as part of the returned access_url that the
client will use to call the console proxy service.
This change is backward compatible with noVNC < v1.1.0. The 'path' query
parameter is a long supported feature in noVNC.
Co-Authored-By: melanie witt <email address hidden>
Closes-Bug: #1822676
Conflicts:
doc/
nova/
NOTE(melwitt): The conflicts are due to the following changes not being
in Rocky:
I08991796
I7f5f0869
[1] https:/
[2] https:/
Change-Id: I2ddf0f4d768b69
(cherry picked from commit 9606c80402f6db2
(cherry picked from commit 186aff98b751b97
Related fix proposed to branch: master
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 2b23ee7a3074e92
Author: melanie witt <email address hidden>
Date: Wed Sep 18 16:57:58 2019 +0000
Add note about needing noVNC >= v1.1.0 with using ESX
As discussed on the following review:
https:/
this adds a note indicating that the version of noVNC needs to be at
least v1.1.0 in order for the nova-novncproxy to work with ESX/ESXi
hypervisors.
Related-Bug: #1822676
Change-Id: Ia4ba37b6d6a1e4
This issue was fixed in the openstack/nova 20.0.0.0rc1 release candidate.
This issue was fixed in the openstack/nova 18.2.3 release.
Fix proposed to branch: stable/queens
Review: https:/
Change abandoned by Lee Yarwood (<email address hidden>) on branch: stable/queens
Review: https:/
Related fix proposed to branch: master
Review: https:/
Change abandoned by Dmitriy Rabotyagov (noonedeadpunk) (<email address hidden>) on branch: master
Review: https:/
Reason: has been already implemented with https:/
I'm investigating a fix for this in nova.