{"specs/pike/approved/spice-native-client-support.rst":[{"author":{"_account_id":6772,"name":"Stephen Gordon","email":"sgordon@redhat.com","username":"sgordon"},"change_message_id":"6d8378a985fc7a79bfe2e80ea49fb8c8900f493e","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Problem description"},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"Current consoles are accessed through a HTML5 client that uses a websocket"},{"line_number":29,"context_line":"proxy. While this is adequate for the most basic of tasks, it does not allow a"},{"line_number":30,"context_line":"server\u0027s GUI to be used for any real productive work."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Use Cases"},{"line_number":33,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_2f8af2bf","line":30,"range":{"start_line":28,"start_character":0,"end_line":30,"end_character":53},"updated":"2017-03-08 16:41:38.000000000","message":"There are a couple of other issues with the HTML5 client from my recollection:\n\n- Lack of support for certain hot key combinations particularly for Windows guests.\n- Lack of support for sound.\n- Lack of support for multi-monitor.\n- Lack of support for client USB attach.\n\nNot all of these things are currently available through Nova anyway but many are desirable particularly for workstation virtualization. It is likely that in the future users looking for e.g. 
vGPU for modelling workstation virtualization use cases will also need to use spicy.","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":25,"context_line":"Problem description"},{"line_number":26,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":27,"context_line":""},{"line_number":28,"context_line":"Current consoles are accessed through a HTML5 client that uses a websocket"},{"line_number":29,"context_line":"proxy. While this is adequate for the most basic of tasks, it does not allow a"},{"line_number":30,"context_line":"server\u0027s GUI to be used for any real productive work."},{"line_number":31,"context_line":""},{"line_number":32,"context_line":"Use Cases"},{"line_number":33,"context_line":"---------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_cca628c0","line":30,"range":{"start_line":28,"start_character":0,"end_line":30,"end_character":53},"in_reply_to":"9a30ddce_2f8af2bf","updated":"2017-03-13 16:42:02.000000000","message":"Are there issues with correct keymapping with foreign keyboards?  I believe this is an issue for some VNC clients.\n\nI suspect that all hypervisor-provided consoles will be insufficient for vGPU modelling.  A direct-connect protocol (such as ICA) is really needed to intercept the in-VM graphics calls and provide those to the client rather than working from the fully composited framebuffer.  
I therefore don\u0027t think this spec is likely to be much use for vGPU.","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":56,"context_line":"FORWARD rules necessary to proxy a single SPICE console connection."},{"line_number":57,"context_line":"Nova-nativeproxy returns an IP and port. The API returns this IP and port to"},{"line_number":58,"context_line":"the user, along with the password set by the virt driver."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"},{"line_number":62,"context_line":"packet count has not increased after a deployer-configurable timeout, the proxy"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_b97bf4f3","line":59,"updated":"2017-03-13 16:42:02.000000000","message":"My understanding from IRC is that newly initiated connections will be prevented after a timeout - for example by setting the password to a different random password once the timeout expires.","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"37dda219d3f0776c4c54e1d898b1fc5f47e5435f","unresolved":false,"context_lines":[{"line_number":56,"context_line":"FORWARD rules necessary to proxy a single SPICE console connection."},{"line_number":57,"context_line":"Nova-nativeproxy returns an IP and port. 
The API returns this IP and port to"},{"line_number":58,"context_line":"the user, along with the password set by the virt driver."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"},{"line_number":62,"context_line":"packet count has not increased after a deployer-configurable timeout, the proxy"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_0a37404d","line":59,"in_reply_to":"9a30ddce_b97bf4f3","updated":"2017-10-03 14:32:05.000000000","message":"libvirt has a passwdValidTo attribute it can set in the console XML [1] that we\u0027re planning to use, so there\u0027ll be no code that\u0027ll explicitly unset/change the password.\n\n[1] https://libvirt.org/formatdomain.html#elementsGraphics","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"},{"line_number":62,"context_line":"packet count has not increased after a deployer-configurable timeout, the proxy"},{"line_number":63,"context_line":"instance and all its rules are deleted. For example, if a user disconnects from"},{"line_number":64,"context_line":"his SPICE console and does not reconnect with 5 minutes, the packet count"},{"line_number":65,"context_line":"hitting those rules will not go up during 5 minutes. 
Nova-nativeproxy"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_ef803ef9","line":62,"updated":"2017-03-13 16:42:02.000000000","message":"not increased after the keep-alive timeout (and the new connection timeout has already expired)","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"37dda219d3f0776c4c54e1d898b1fc5f47e5435f","unresolved":false,"context_lines":[{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"},{"line_number":62,"context_line":"packet count has not increased after a deployer-configurable timeout, the proxy"},{"line_number":63,"context_line":"instance and all its rules are deleted. For example, if a user disconnects from"},{"line_number":64,"context_line":"his SPICE console and does not reconnect with 5 minutes, the packet count"},{"line_number":65,"context_line":"hitting those rules will not go up during 5 minutes. Nova-nativeproxy"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_2a57a458","line":62,"in_reply_to":"9a30ddce_ef803ef9","updated":"2017-10-03 14:32:05.000000000","message":"Good catch! We need to give the client at least passwdValidTo seconds to connect (not strictly true because passwdValidTo is a timestamp, but the idea\u0027s the same). 
The timeout math is still a bit fuzzy in my head at this point, but definitely need to keep this in mind.","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"},{"line_number":62,"context_line":"packet count has not increased after a deployer-configurable timeout, the proxy"},{"line_number":63,"context_line":"instance and all its rules are deleted. For example, if a user disconnects from"},{"line_number":64,"context_line":"his SPICE console and does not reconnect with 5 minutes, the packet count"},{"line_number":65,"context_line":"hitting those rules will not go up during 5 minutes. Nova-nativeproxy"},{"line_number":66,"context_line":"will then delete that proxy instance and all of its iptables rules."},{"line_number":67,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_efcf5e26","line":64,"updated":"2017-03-13 16:42:02.000000000","message":"This implies that the password/new connection timeout is expected to be quite large to enable reconnections?\nThis seems to contradict with the attempt to mitigate the chance of the password leaking.\n\nPerhaps nova-nativeproxy should only add rules for one source IP; once a connection is made reconnections could only be made from that IP address.\nThis would mitigate a longer password validity timeout","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":93,"context_line":"one file descriptor to another, so a great many system calls will be needed 
to"},{"line_number":94,"context_line":"implement nova-nativeproxy using splice. This is still less efficient than"},{"line_number":95,"context_line":"using iptables and not using any system calls (except to set up and tear down"},{"line_number":96,"context_line":"the rules)."},{"line_number":97,"context_line":""},{"line_number":98,"context_line":"Data model impact"},{"line_number":99,"context_line":"-----------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_166f6ffc","line":96,"updated":"2017-03-13 16:42:02.000000000","message":"Are OVS rules an option rather than iptables?  I assume that, since we\u0027re only talking about one source/destination combination, the \u0027overhead\u0027 of using OVS which might need to refresh the kernel rules from userspace will be minimal.","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":107,"context_line":"to os-GETSPICEConsole as follows::"},{"line_number":108,"context_line":""},{"line_number":109,"context_line":"    {"},{"line_number":110,"context_line":"        \"os-getSPICEConsole\": {"},{"line_number":111,"context_line":"            \"type\": \"spice-native\""},{"line_number":112,"context_line":"        }"},{"line_number":113,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_76e6eb44","line":110,"updated":"2017-03-13 16:42:02.000000000","message":"Can we extend each of os-get[RDP|Serial|SPICE|VNC]Console Action with a \u0027native\u0027 or \u0027direct\u0027 type to be more generic?\nNotImplemented(501) appears to be a valid response from each of these calls already so we should default to just replying with that?","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob 
Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":119,"context_line":"    {"},{"line_number":120,"context_line":"        \"console\": {"},{"line_number":121,"context_line":"            \"type\": \"spice-native\","},{"line_number":122,"context_line":"            \"url\": \"spice://loclahost?tls-port\u003d1234\u0026password\u003dsecret\","},{"line_number":123,"context_line":"            \"password_expires\": \"2017-03-06T16:33:28\""},{"line_number":124,"context_line":"        }"},{"line_number":125,"context_line":"    }"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_16cccfb9","line":122,"range":{"start_line":122,"start_character":28,"end_line":122,"end_character":37},"updated":"2017-03-13 16:42:02.000000000","message":"nit: localhost","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":6735,"name":"Bob Ball","email":"bob.ball@citrix.com","username":"bob-ball"},"change_message_id":"a533196360ab5a6ff95e24ca41d9002d1162b1ff","unresolved":false,"context_lines":[{"line_number":120,"context_line":"        \"console\": {"},{"line_number":121,"context_line":"            \"type\": \"spice-native\","},{"line_number":122,"context_line":"            \"url\": \"spice://loclahost?tls-port\u003d1234\u0026password\u003dsecret\","},{"line_number":123,"context_line":"            \"password_expires\": \"2017-03-06T16:33:28\""},{"line_number":124,"context_line":"        }"},{"line_number":125,"context_line":"    }"},{"line_number":126,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"9a30ddce_367f1316","line":123,"updated":"2017-03-13 16:42:02.000000000","message":"Rather than \u0027password_expires\u0027 perhaps \u0027url expires\u0027 so we\u0027re not specific to the password in case it\u0027s other parts of the URL that are time-protected?.\nPresumably the responses would not include 
\u0027localhost\u0027 though, but would actually include the nova-nativeproxy IP?","commit_id":"78e17901e32564fbc773bdd5cf3040a90fadfca5"},{"author":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"change_message_id":"3b3254a5c49e8b9e72a9085058a8d1b7450d1e10","unresolved":false,"context_lines":[{"line_number":55,"context_line":"proxy instance for that console. A proxy instance is the set of SNAT, DNAT and"},{"line_number":56,"context_line":"FORWARD rules necessary to proxy a single SPICE console connection."},{"line_number":57,"context_line":"Nova-nativeproxy returns an IP and port. The API returns this IP and port to"},{"line_number":58,"context_line":"the user, along with the password set by the virt driver."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. If the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9a30ddce_0522d3a2","line":58,"updated":"2017-03-13 17:09:48.000000000","message":"This approach has a number of downsides compared to doing full MITM proxying as is done by the current proxy services.\n\nFirst, you are inherently requiring the public facing proxy to open up a massive range of incoming ports, since you require 1 open TCP port for each open console.\n\nSecond, when using TLS, instead of being able to separate internal vs public facing certificate management tasks, you now have to expose the public facing CA to the internal compute nodes. Furthermore, the certificate presented by the compute node has to refer to the name of the public facing nova-nativeproxy host, rather than the hostname of the compute node. 
This means that if you want to add further public endpoints for nova-nativeproxy (to deal with the fact that you ran out of free ports on the existing instance), then you have to update the certificates on every host to include the newly deployed public hostname.\n\nThird, it is not possible to expire the access password after it has been used, since it isn\u0027t possible for the proxy to determine when the password has been used. A SPICE connection comprises many TCP connections. When the SPICE proxy is doing MITM on the connection, it can determine how many valid connections are expected, and track those, so it knows exactly when it can invalidate the one-time password. It also knows if a 2nd client tries to re-use the one-time password and can reject it. This is not possible when doing straight passthrough - time based expiry is just a crude hack.  Admittedly the current spice proxy doesn\u0027t do this, but it is capable of doing it.","commit_id":"beafa62976b066d49e17c0c1a86c27cf64fb7d6c"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"56c7bd5a025969876e0e52934015b728bc22bb28","unresolved":false,"context_lines":[{"line_number":55,"context_line":"proxy instance for that console. A proxy instance is the set of SNAT, DNAT and"},{"line_number":56,"context_line":"FORWARD rules necessary to proxy a single SPICE console connection."},{"line_number":57,"context_line":"Nova-nativeproxy returns an IP and port. The API returns this IP and port to"},{"line_number":58,"context_line":"the user, along with the password set by the virt driver."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"In order to deal with clients disconnecting from the SPICE console,"},{"line_number":61,"context_line":"nova-nativeproxy keeps a count of packets hitting proxy instances. 
If the"}],"source_content_type":"text/x-rst","patch_set":3,"id":"ffe62b97_13290c89","line":58,"in_reply_to":"9a30ddce_0522d3a2","updated":"2017-03-27 16:11:45.000000000","message":"All good points :) I\u0027ll rework the spec to propose a HTTP CONNECT approach.\n\nThat being said, I wouldn\u0027t kill off the iptables approach just yet. I think the main use case for a spice native client is in a private behind the firewall kind of cloud, where opening up a large swath of ports isn\u0027t necessarily as big a deal as if it were on the open Internet.\n\nThe certificate management problem is also solvable, albeit with some hoops to jump through for operators. I\u0027m thinking of a single wildcard certificate on all the compute hosts, and the proxies would all fall under that wildcard. It\u0027s not something that we\u0027d want to impose on all operators, but I can conceive of an operator willing to jump through those hoops if it ever gets to a point where they absolutely need kernel-space proxy performance.\n\nI don\u0027t have an answer to the password expiration problem, other than the time based hack. This might be less of a problem than we think in private clouds?\n\nI\u0027ll rework the spec to propose HTTP CONNECT proxying. It\u0027s a more robust solution, and it\u0027ll give us a baseline of native client support. All the better if operators are happy with the performance, and if they\u0027re not, well, we can revisit this discussion and there\u0027ll be a stronger argument for the iptables approach ;)","commit_id":"beafa62976b066d49e17c0c1a86c27cf64fb7d6c"},{"author":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"change_message_id":"3b3254a5c49e8b9e72a9085058a8d1b7450d1e10","unresolved":false,"context_lines":[{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Do nothing and continue using the HTML5 clients. 
This will never provide the"},{"line_number":88,"context_line":"level of performance that a native client combined with a proxy that doesn\u0027t"},{"line_number":89,"context_line":"use websockets can provide."},{"line_number":90,"context_line":""},{"line_number":91,"context_line":"Implement the proxy without using iptables. The splice system call [1]_ would"},{"line_number":92,"context_line":"be a candidate, but it needs to receive a len parameter of bytes to copy from"}],"source_content_type":"text/x-rst","patch_set":3,"id":"9a30ddce_a584a75d","line":89,"updated":"2017-03-13 17:09:48.000000000","message":"Exposing the console via websockets does not imply that you have to use the HTML5 client. \n\nIt is entirely possible to create a native client that access spice over a websockets proxy.  The native SPICE client is already capable of using a plain (ie non-websockets) HTTP proxy connection to access consoles. \n\nThere was a blueprint proposed to support that feature in Nova\u0027s spice proxy in the past. Specifically, the proxy would have been extended to allow connections on either websockets or via the traditional HTTP \"CONNECT\" proxying mechanism. \n\nThis would allow use of high performing native client, without having to write a completely new proxy service, and without the downsides I describe above. 
IMHO that is much better than this proposal.","commit_id":"beafa62976b066d49e17c0c1a86c27cf64fb7d6c"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6e4ebb75247beb1d829193ed90b0d85d3b787d92","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"SPICE native client support"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your launchpad blueprint:"},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_2bc0052a","line":9,"range":{"start_line":9,"start_character":27,"end_line":9,"end_character":42},"updated":"2017-04-04 14:22:44.000000000","message":"Remove this","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom 
Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":8,"context_line":"SPICE native client support"},{"line_number":9,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Include the URL of your launchpad blueprint:"},{"line_number":12,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_13869767","line":9,"range":{"start_line":9,"start_character":27,"end_line":9,"end_character":42},"in_reply_to":"dfeb2761_2bc0052a","updated":"2017-04-04 16:19:54.000000000","message":"Done","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"change_message_id":"6cc8fa346ebfce3f2893db853f424f3caf6c91ba","unresolved":false,"context_lines":[{"line_number":42,"context_line":"A new executable, nova-nativeproxy, is added. It is an HTTP CONNECT proxy that"},{"line_number":43,"context_line":"forwards traffic to the correct compute host. 
The initial implementation would"},{"line_number":44,"context_line":"be for SPICE, but nova-nativeproxy is a generic proxy that can later be used"},{"line_number":45,"context_line":"for native client support for other graphical console types."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In a new microversion, the remote-consoles API is modified to accept a new"},{"line_number":48,"context_line":"``type``, ``spice-native``.  Instead of returning a ``url`` like it currently"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_7a75bd63","line":45,"updated":"2017-04-04 13:13:05.000000000","message":"I think it\u0027d be compelling to have the existing spice proxy executable handle both proxying modes - they\u0027re both HTTP based proxies, just differing in their URL path + HTTP method, so should be possible to have one service handle both.","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":42,"context_line":"A new executable, nova-nativeproxy, is added. It is an HTTP CONNECT proxy that"},{"line_number":43,"context_line":"forwards traffic to the correct compute host. The initial implementation would"},{"line_number":44,"context_line":"be for SPICE, but nova-nativeproxy is a generic proxy that can later be used"},{"line_number":45,"context_line":"for native client support for other graphical console types."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In a new microversion, the remote-consoles API is modified to accept a new"},{"line_number":48,"context_line":"``type``, ``spice-native``.  
Instead of returning a ``url`` like it currently"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_33df5bd7","line":45,"in_reply_to":"dfeb2761_20c0242a","updated":"2017-04-04 16:19:54.000000000","message":"The existing executable is specifically called spicehtml5proxy (that\u0027s what you\u0027re referring to, right?), in which the baseproxy module starts a websocketproxy that handles GET requests. You\u0027re saying that we should add CONNECT handling to  websocketproxy? Shouldn\u0027t we then also rename spicehtml5proxy to something else that\u0027s more reflective of its new nature? And rename websocketproxy too, for that matter, since it\u0027d become also a HTTP CONNECT proxy?\n\nI think the deployer impact of a single new executable is less than renaming a bunch of existing stuff. I grok that conceptually the spice stuff should remain together, however in practice it seems overly forced to me.","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"change_message_id":"16d52612bbc02ec38c7d9c28a5e5f20cccd8cd36","unresolved":false,"context_lines":[{"line_number":42,"context_line":"A new executable, nova-nativeproxy, is added. It is an HTTP CONNECT proxy that"},{"line_number":43,"context_line":"forwards traffic to the correct compute host. The initial implementation would"},{"line_number":44,"context_line":"be for SPICE, but nova-nativeproxy is a generic proxy that can later be used"},{"line_number":45,"context_line":"for native client support for other graphical console types."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In a new microversion, the remote-consoles API is modified to accept a new"},{"line_number":48,"context_line":"``type``, ``spice-native``.  
Instead of returning a ``url`` like it currently"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_dfe94db7","line":45,"in_reply_to":"dfeb2761_33df5bd7","updated":"2017-04-04 18:13:56.000000000","message":"Having just watched the blow back on placement, I know services do cost a lot more to all the deployment tools than additional config for existing services.","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"change_message_id":"d4ee151f770c387013d728bbd1c80aaaaf8c2db4","unresolved":false,"context_lines":[{"line_number":42,"context_line":"A new executable, nova-nativeproxy, is added. It is an HTTP CONNECT proxy that"},{"line_number":43,"context_line":"forwards traffic to the correct compute host. The initial implementation would"},{"line_number":44,"context_line":"be for SPICE, but nova-nativeproxy is a generic proxy that can later be used"},{"line_number":45,"context_line":"for native client support for other graphical console types."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In a new microversion, the remote-consoles API is modified to accept a new"},{"line_number":48,"context_line":"``type``, ``spice-native``.  Instead of returning a ``url`` like it currently"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_20c0242a","line":45,"in_reply_to":"dfeb2761_7a75bd63","updated":"2017-04-04 14:03:09.000000000","message":"Yeh, I\u0027d much rather put these 2 paths into 1 service. It\u0027s going to make the deploy story much less complicated.","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"089d4ff440e6fc6769bd28a9d60cc81b7a3bc30f","unresolved":false,"context_lines":[{"line_number":42,"context_line":"A new executable, nova-nativeproxy, is added. 
It is an HTTP CONNECT proxy that"},{"line_number":43,"context_line":"forwards traffic to the correct compute host. The initial implementation would"},{"line_number":44,"context_line":"be for SPICE, but nova-nativeproxy is a generic proxy that can later be used"},{"line_number":45,"context_line":"for native client support for other graphical console types."},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"In a new microversion, the remote-consoles API is modified to accept a new"},{"line_number":48,"context_line":"``type``, ``spice-native``.  Instead of returning a ``url`` like it currently"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_227dbe7e","line":45,"in_reply_to":"dfeb2761_dfe94db7","updated":"2017-04-04 18:30:18.000000000","message":"Fair enough. I guess we\u0027ll need to mention somewhere that \"due to historical reasons, nova-spicehtml5proxy is actually also a HTTP CONNECT proxy\" ;)","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6e4ebb75247beb1d829193ed90b0d85d3b787d92","unresolved":false,"context_lines":[{"line_number":56,"context_line":"returned. 
This is done in the interest of user-friendlyness so that users of"},{"line_number":57,"context_line":"remote-viewer do not need to copy-paste the ``proxy`` and ``host`` values into"},{"line_number":58,"context_line":"a manually created INI file."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Alternatives"},{"line_number":61,"context_line":"------------"},{"line_number":62,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_4bf10995","line":59,"updated":"2017-04-04 14:22:44.000000000","message":"Is it worth mentioning the existence of other proxy types like XVP for XenServer?","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":56,"context_line":"returned. This is done in the interest of user-friendlyness so that users of"},{"line_number":57,"context_line":"remote-viewer do not need to copy-paste the ``proxy`` and ``host`` values into"},{"line_number":58,"context_line":"a manually created INI file."},{"line_number":59,"context_line":""},{"line_number":60,"context_line":"Alternatives"},{"line_number":61,"context_line":"------------"},{"line_number":62,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_1397b7ee","line":59,"in_reply_to":"dfeb2761_4bf10995","updated":"2017-04-04 16:19:54.000000000","message":"The initial API exposure would be for SPICE only, unless other virt drivers want to do it in this same spec (which would be awesome, but so far I haven\u0027t heard anything).","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":1779,"name":"Daniel 
Berrange","email":"berrange@redhat.com","username":"berrange"},"change_message_id":"6cc8fa346ebfce3f2893db853f424f3caf6c91ba","unresolved":false,"context_lines":[{"line_number":64,"context_line":"to do nothing and continue using the HTML5 client. The current HTML5 client in"},{"line_number":65,"context_line":"Nova is not very good, but EyeOS have written an `improved client`_ that"},{"line_number":66,"context_line":"promises better performance and more features, but even the improved client"},{"line_number":67,"context_line":"does not, and in all likeleyhood will never, support USB redirection or audio."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"If we assume that native client support is necessary, a entirely different"},{"line_number":70,"context_line":"architecture is possible: a previous iteration of this spec proposed an"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_ba0c65ec","line":67,"updated":"2017-04-04 13:13:05.000000000","message":"It also won\u0027t be able to handle keyboard layouts as well as native clients, since browsers just don\u0027t provide the support to get it working well enough","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":64,"context_line":"to do nothing and continue using the HTML5 client. 
The current HTML5 client in"},{"line_number":65,"context_line":"Nova is not very good, but EyeOS have written an `improved client`_ that"},{"line_number":66,"context_line":"promises better performance and more features, but even the improved client"},{"line_number":67,"context_line":"does not, and in all likeleyhood will never, support USB redirection or audio."},{"line_number":68,"context_line":""},{"line_number":69,"context_line":"If we assume that native client support is necessary, a entirely different"},{"line_number":70,"context_line":"architecture is possible: a previous iteration of this spec proposed an"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_f39b3315","line":67,"in_reply_to":"dfeb2761_ba0c65ec","updated":"2017-04-04 16:19:54.000000000","message":"Done","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6e4ebb75247beb1d829193ed90b0d85d3b787d92","unresolved":false,"context_lines":[{"line_number":99,"context_line":"REST API impact"},{"line_number":100,"context_line":"---------------"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"The body of POST /servers/{server_id}/remote-consoles is modified. 
A new type"},{"line_number":103,"context_line":"is added as follows::"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    {"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_ab9bf563","line":102,"range":{"start_line":102,"start_character":12,"end_line":102,"end_character":39},"updated":"2017-04-04 14:22:44.000000000","message":"This should probably be `quoted` or ``literal``","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":99,"context_line":"REST API impact"},{"line_number":100,"context_line":"---------------"},{"line_number":101,"context_line":""},{"line_number":102,"context_line":"The body of POST /servers/{server_id}/remote-consoles is modified. A new type"},{"line_number":103,"context_line":"is added as follows::"},{"line_number":104,"context_line":""},{"line_number":105,"context_line":"    {"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_d39caf0f","line":102,"range":{"start_line":102,"start_character":12,"end_line":102,"end_character":39},"in_reply_to":"dfeb2761_ab9bf563","updated":"2017-04-04 16:19:54.000000000","message":"Done","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6e4ebb75247beb1d829193ed90b0d85d3b787d92","unresolved":false,"context_lines":[{"line_number":148,"context_line":"Other deployer impact"},{"line_number":149,"context_line":"---------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"There is a new executable, nova-nativeproxy that needs to run on a controller"},{"line_number":152,"context_line":"node accessible from both the outside world and the 
compute hosts."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Developer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_6b7ccd1e","line":151,"range":{"start_line":151,"start_character":27,"end_line":151,"end_character":43},"updated":"2017-04-04 14:22:44.000000000","message":"`nova-nativeproxy`","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":148,"context_line":"Other deployer impact"},{"line_number":149,"context_line":"---------------------"},{"line_number":150,"context_line":""},{"line_number":151,"context_line":"There is a new executable, nova-nativeproxy that needs to run on a controller"},{"line_number":152,"context_line":"node accessible from both the outside world and the compute hosts."},{"line_number":153,"context_line":""},{"line_number":154,"context_line":"Developer impact"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_d3438f6b","line":151,"range":{"start_line":151,"start_character":27,"end_line":151,"end_character":43},"in_reply_to":"dfeb2761_6b7ccd1e","updated":"2017-04-04 16:19:54.000000000","message":"Done","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":15334,"name":"Stephen Finucane","display_name":"stephenfin","email":"stephenfin@redhat.com","username":"sfinucan"},"change_message_id":"6e4ebb75247beb1d829193ed90b0d85d3b787d92","unresolved":false,"context_lines":[{"line_number":200,"context_line":"References"},{"line_number":201,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":".. _original proposal: https://review.openstack.org/#/c/38974/"},{"line_number":204,"context_line":".. 
_INI file: http://manpages.ubuntu.com/manpages/yakkety/man1/remote-viewer.1.html#contenttoc5"},{"line_number":205,"context_line":".. _improved client: https://github.com/eyeos/spice-web-client"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"History"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_2b992578","line":205,"range":{"start_line":203,"start_character":0,"end_line":205,"end_character":62},"updated":"2017-04-04 14:22:44.000000000","message":"You need to use footnote style links [1] for this to work\n\n[1] http://docutils.sourceforge.net/docs/user/rst/quickref.html#inline-markup","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"a41d710f97ca88c0517992df7f1d24749f2e5973","unresolved":false,"context_lines":[{"line_number":200,"context_line":"References"},{"line_number":201,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":202,"context_line":""},{"line_number":203,"context_line":".. _original proposal: https://review.openstack.org/#/c/38974/"},{"line_number":204,"context_line":".. _INI file: http://manpages.ubuntu.com/manpages/yakkety/man1/remote-viewer.1.html#contenttoc5"},{"line_number":205,"context_line":".. 
_improved client: https://github.com/eyeos/spice-web-client"},{"line_number":206,"context_line":""},{"line_number":207,"context_line":""},{"line_number":208,"context_line":"History"}],"source_content_type":"text/x-rst","patch_set":4,"id":"dfeb2761_ce0be221","line":205,"range":{"start_line":203,"start_character":0,"end_line":205,"end_character":62},"in_reply_to":"dfeb2761_2b992578","updated":"2017-04-04 16:19:54.000000000","message":"Done","commit_id":"5e6ccd3cce65c2eac68b9d78313b82b23b543f0e"},{"author":{"_account_id":11564,"name":"Chris Dent","email":"cdent@anticdent.org","username":"chdent"},"change_message_id":"995cdb2f2ed787e25b2d3d768b31864992f9b22f","unresolved":false,"context_lines":[{"line_number":64,"context_line":"to do nothing and continue using the HTML5 client. The current HTML5 client in"},{"line_number":65,"context_line":"Nova is not very good, but EyeOS have written an improved client [#]_ that"},{"line_number":66,"context_line":"promises better performance and more features, but even the improved client"},{"line_number":67,"context_line":"does not support USB redirection, audio, or keyboard layours, and probably"},{"line_number":68,"context_line":"never will."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"If we assume that native client support is necessary, a entirely different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"dfeb2761_9fdce6e4","line":67,"updated":"2017-04-04 17:56:04.000000000","message":"layouts ?","commit_id":"4797a0012144e6914e3af3306cbe9a2c2c167d0c"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"1519148e417f5a48137d40ecfdd6b78468c34d48","unresolved":false,"context_lines":[{"line_number":64,"context_line":"to do nothing and continue using the HTML5 client. 
The current HTML5 client in"},{"line_number":65,"context_line":"Nova is not very good, but EyeOS have written an improved client [#]_ that"},{"line_number":66,"context_line":"promises better performance and more features, but even the improved client"},{"line_number":67,"context_line":"does not support USB redirection, audio, or keyboard layours, and probably"},{"line_number":68,"context_line":"never will."},{"line_number":69,"context_line":""},{"line_number":70,"context_line":"If we assume that native client support is necessary, a entirely different"}],"source_content_type":"text/x-rst","patch_set":5,"id":"dfeb2761_ffa8918c","line":67,"in_reply_to":"dfeb2761_9fdce6e4","updated":"2017-04-04 18:29:57.000000000","message":"Done","commit_id":"4797a0012144e6914e3af3306cbe9a2c2c167d0c"}],"specs/queens/approved/spice-native-client-support.rst":[{"author":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"change_message_id":"69a4340fb5bf028d2a3c951d14ae757a35933728","unresolved":false,"context_lines":[{"line_number":53,"context_line":"If the ``format\u003dini`` query parameter is sent, a remote-viewer INI file [#]_ is"},{"line_number":54,"context_line":"returned. This is done in the interest of user-friendlyness so that users of"},{"line_number":55,"context_line":"remote-viewer do not need to copy-paste the ``proxy`` and ``host`` values into"},{"line_number":56,"context_line":"a manually created INI file."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"Alternatives"},{"line_number":59,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"7f515b1d_e9929158","line":56,"updated":"2017-10-03 13:40:20.000000000","message":"if this is in a microversion, we can return more descriptive fields and not be restricted to existing ones. Host \u003d\u003d token just seems like a lot of confusion for the future.\n\nI think overall this is fine, as it\u0027s still going through the proxy. 
Are there any reasons that an administrator of a public cloud wouldn\u0027t want this exposed?","commit_id":"889248a0a61a0e5dafcad356a9e17406acf09176"},{"author":{"_account_id":8864,"name":"Artom Lifshitz","email":"notartom@gmail.com","username":"artom"},"change_message_id":"37dda219d3f0776c4c54e1d898b1fc5f47e5435f","unresolved":false,"context_lines":[{"line_number":53,"context_line":"If the ``format\u003dini`` query parameter is sent, a remote-viewer INI file [#]_ is"},{"line_number":54,"context_line":"returned. This is done in the interest of user-friendlyness so that users of"},{"line_number":55,"context_line":"remote-viewer do not need to copy-paste the ``proxy`` and ``host`` values into"},{"line_number":56,"context_line":"a manually created INI file."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"Alternatives"},{"line_number":59,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"7f515b1d_ecd85ff1","line":56,"in_reply_to":"7f515b1d_e9929158","updated":"2017-10-03 14:32:05.000000000","message":"\u003e Host \u003d\u003d token just seems like a lot of confusion for the\n\u003e future.\n\nThe thinking is that the client, when doing the HTTP CONNECT to the proxy, sends a Host header. 
If we put the token in this header, it allows us to use our existing token-based authentication.\n\nSo to keep things consistent, I thought putting \u0027host\u0027 in the API response would make it clearer that the value is supposed to be assigned to the host key in the virt-viewer ini file, for instance:\n\n[virt-viewer]\ntype\u003dspice\nproxy\u003dhttp://example.com:5900\nhost\u003d0e77beb5-2b7c-4c9b-8cb5-63e047fed6b9\n\nWe could put \u0027token\u0027 in the API response, but then it\u0027s not as obvious to the user what to do with that token.\n\n\u003e Are there any reasons that an administrator of a public\n\u003e cloud wouldn\u0027t want this exposed?\n\nWhat\u0027s \u0027this\u0027 in this context?","commit_id":"889248a0a61a0e5dafcad356a9e17406acf09176"},{"author":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"change_message_id":"6b7745c7d8c0ed48ddd1c32318913f9b657667b0","unresolved":false,"context_lines":[{"line_number":53,"context_line":"If the ``format\u003dini`` query parameter is sent, a remote-viewer INI file [#]_ is"},{"line_number":54,"context_line":"returned. 
This is done in the interest of user-friendlyness so that users of"},{"line_number":55,"context_line":"remote-viewer do not need to copy-paste the ``proxy`` and ``host`` values into"},{"line_number":56,"context_line":"a manually created INI file."},{"line_number":57,"context_line":""},{"line_number":58,"context_line":"Alternatives"},{"line_number":59,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":7,"id":"7f515b1d_6f4b415f","line":56,"in_reply_to":"7f515b1d_ecd85ff1","updated":"2017-10-03 14:47:30.000000000","message":"FYI, the approach outlined here is going to create some significant problems wrt security.\n\nIf you want to run TLS for the SPICE connections, and you certainly do, then the SPICE client is going to validate the x509 certificate sent by the server against the \u0027host\u0027 value, because that\u0027s what it is connecting to.\n\nSo by using the security token as a fake \u0027host\u0027, Nova is going to be forced to dynamically generate new server certificates for every single auth token, and you\u0027re going to have to deploy these certs out to the compute nodes and somehow get QEMU to pick them up. This is impossible right now as QEMU has no support for dynamically updating SPICE certs. I doubt any CA is going to much appreciate generating new certs for every token either.\n\nIf, on the other hand, you use the real compute host name + port number in the \u0027host\u0027 field, you\u0027ve now got an information leakage such that internal hostnames are exposed to the public. Cloud providers may well not like this.\n\nThis is the key problem with the HTTP CONNECT proxy approach to console access, and why the VNC proxy Nova provides does a websockets tunnelling approach. In that way the VNC client validates certs associated with the public facing console proxy, and the console proxy validates certs against the compute node. 
No information leakage about internal compute hostnames, and no need to generate 1000\u0027s of x509 certificates.\n\nIMHO, a better approach is to enhance the native client so that it can support websockets tunnelling as a transport, as an alternative to the HTTP CONNECT proxying.","commit_id":"889248a0a61a0e5dafcad356a9e17406acf09176"}]}
