)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"b841dd8c39c3d067b7e94614ea007f1bdf149191","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"17378781_e6c1145a","updated":"2024-04-08 04:27:49.000000000","message":"I am unclear on what is causing this error:\n\nWarning, treated as error:\n/Users/mikal/src/openstack/nova-specs/doc/source/specs/2024.2/approved/libvirt-spice-direct-consoles.rst:125:Unexpected indentation.\ndocs: exit 2 (8.69 seconds) /Users/mikal/src/openstack/nova-specs\u003e sphinx-build -W -b html doc/source doc/build/html pid\u003d66987\n\nI have tried indenting that block and it didn\u0027t help.","commit_id":"787ff3a7c19a47db6e1fcedbd7630772ceb0767c"},{"author":{"_account_id":34860,"name":"Amit Uniyal","email":"auniyal@redhat.com","username":"auniyal"},"change_message_id":"ccd7d326c347df46e4488790f6f4c28e06b9584e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"a30a6c3b_92eedcb6","updated":"2024-04-12 09:59:31.000000000","message":"question, and -1 on connecting to hypervisor directly which of-course is in discussion, so I\u0027ll update later once decided and updated. thanks","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"287da362_6a50a084","updated":"2024-06-22 07:14:07.000000000","message":"My apologies for the unacceptably slow replies here. A CentOS 7 upgrade project at work has been consuming a huge amount of my time...\n\nI haven\u0027t replied to all your comments here, but I\u0027ve replied to at least some and done some tweaks to the spec itself as well. 
I will continue replying tomorrow.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"ad872d27_62ddafd9","updated":"2024-06-25 10:06:17.000000000","message":"Give me a little while and I\u0027ll prototype up a Nova-requests-URL flow to see what that would look like. I\u0027d prefer to provide a bit of detail for the mechanism for that here.","commit_id":"a9f4730f911d1be39b9e69ce117ffc004fca12bd"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"62935a1ed1deaa61b1a08ff3baa9d9fc685074c9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":8,"id":"4bb9b453_22b617fc","updated":"2024-07-18 12:29:58.000000000","message":"Sean, I\u0027ve updated the spec to match what we discussed. 
I now have 90% of a working prototype of returning a Kerbside console URL which contains the Nova auth token, and then Kerbside using that token to lookup console connection information.","commit_id":"7e8ffde6501f6ce9a45e28243e9e9cffca625fb4"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"055782b44648083a563f01f8b7d3ee78049932ae","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"f0db65e9_5dd4018e","updated":"2024-07-18 15:10:14.000000000","message":"OK, let\u0027s accept this spec but please address my two concerns : \n* change the option name\n* make sure you\u0027re able to create a functional test that will fake Kerbside by calling the second Nova API based on the value from the Nova API a user gets on the first API.","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"069ad9feaa74dadbce7bdafddf18c9db51ebaf83","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"4cf2443a_79d64702","updated":"2024-07-18 17:41:57.000000000","message":"recheck the post failure really has no logs so i dont see any other option then rechecking and hoping it either gives us logs with a fialure or passes","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"eb771712ff3ed4a5bf5904737a0dc77d7e60a050","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":13,"id":"18a9cf62_af340675","updated":"2024-07-18 14:07:36.000000000","message":"still looks good to me","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"}],"specs/2024.2/approved/libvirt-spice-direct-consoles.rst":[{"author":{"_account_id":34860,"name":"Amit 
Uniyal","email":"auniyal@redhat.com","username":"auniyal"},"change_message_id":"ccd7d326c347df46e4488790f6f4c28e06b9584e","unresolved":true,"context_lines":[{"line_number":74,"context_line":"sound devices in the domain XML are all deployer configurable and can be"},{"line_number":75,"context_line":"disabled."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"*As an end user, I would like access to a richer desktop experience than is"},{"line_number":78,"context_line":"currently available.* Once these changes are integrated and Kerbside deployed,"},{"line_number":79,"context_line":"a further change to either Horizon or Skyline will be required to orchestrate"},{"line_number":80,"context_line":"console access via Kerbside. It is expected the complete end to end"}],"source_content_type":"text/x-rst","patch_set":2,"id":"81d6ba4c_0ebd5b02","line":77,"range":{"start_line":77,"start_character":42,"end_line":77,"end_character":67},"updated":"2024-04-12 09:59:31.000000000","message":"w.r.t richer experience can you please give an example .\n- options/buttons: Will end-user get more buttons then what we have right now; i.e CtrlAltDel ?\n- Will end-user/operators gets and option to see VM device/net config somehow ?","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"8d6bd5ec0a87ef8f1c874f7d925583aaeb88ee6c","unresolved":false,"context_lines":[{"line_number":74,"context_line":"sound devices in the domain XML are all deployer configurable and can be"},{"line_number":75,"context_line":"disabled."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"*As an end user, I would like access to a richer desktop experience than is"},{"line_number":78,"context_line":"currently available.* Once these changes are integrated and Kerbside deployed,"},{"line_number":79,"context_line":"a further change to either Horizon or 
Skyline will be required to orchestrate"},{"line_number":80,"context_line":"console access via Kerbside. It is expected the complete end to end"}],"source_content_type":"text/x-rst","patch_set":2,"id":"088d9fd5_27551be4","line":77,"range":{"start_line":77,"start_character":42,"end_line":77,"end_character":67},"in_reply_to":"4e174f41_c27995c0","updated":"2024-04-12 12:29:53.000000000","message":"Off the top of my head you\u0027d get:\n\n - ctrl / alt / del\n - cut and paste\n - usb passthrough (make a USB disk appear from your client in the VM for example)\n - two way audio\n - video playback\n - multiple screens\n \nI\u0027m sure I\u0027ve missed something.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7ff40eb638d1fbe3ce71335c3a080db2c0c18fd","unresolved":true,"context_lines":[{"line_number":74,"context_line":"sound devices in the domain XML are all deployer configurable and can be"},{"line_number":75,"context_line":"disabled."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"*As an end user, I would like access to a richer desktop experience than is"},{"line_number":78,"context_line":"currently available.* Once these changes are integrated and Kerbside deployed,"},{"line_number":79,"context_line":"a further change to either Horizon or Skyline will be required to orchestrate"},{"line_number":80,"context_line":"console access via Kerbside. 
It is expected the complete end to end"}],"source_content_type":"text/x-rst","patch_set":2,"id":"e2432ec8_e3d5edad","line":77,"range":{"start_line":77,"start_character":42,"end_line":77,"end_character":67},"in_reply_to":"81d6ba4c_0ebd5b02","updated":"2024-04-12 10:52:35.000000000","message":"using a navive spice client they will get 2 way audio (speaker + mic)\nclipboard integration and other things like usb forawsding depending on the protocal\n\nfor example rpd can do local usb forwarding to a remote server\ni belive spice can do that too or make other local network resouces like printer avaiable to the vm.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":34860,"name":"Amit Uniyal","email":"auniyal@redhat.com","username":"auniyal"},"change_message_id":"35db1b28f9d58e15b4ce2269e0bdded8957719f4","unresolved":false,"context_lines":[{"line_number":74,"context_line":"sound devices in the domain XML are all deployer configurable and can be"},{"line_number":75,"context_line":"disabled."},{"line_number":76,"context_line":""},{"line_number":77,"context_line":"*As an end user, I would like access to a richer desktop experience than is"},{"line_number":78,"context_line":"currently available.* Once these changes are integrated and Kerbside deployed,"},{"line_number":79,"context_line":"a further change to either Horizon or Skyline will be required to orchestrate"},{"line_number":80,"context_line":"console access via Kerbside. 
It is expected the complete end to end"}],"source_content_type":"text/x-rst","patch_set":2,"id":"4e174f41_c27995c0","line":77,"range":{"start_line":77,"start_character":42,"end_line":77,"end_character":67},"in_reply_to":"e2432ec8_e3d5edad","updated":"2024-04-12 12:07:15.000000000","message":"Acknowledged, thanks","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"663a5a4cbc7a808922c0ae1e8e7282b137d5ec39","unresolved":true,"context_lines":[{"line_number":83,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":84,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"}],"source_content_type":"text/x-rst","patch_set":2,"id":"b72faddc_498b26b2","line":86,"updated":"2024-04-12 11:38:43.000000000","message":"this is pretty light on the libvirt dirver changes that are needed by the way.\n\nwe should detail what chnages will be required for the xml generation and what feature sets you plan to enabled.\n\naudio, usb passhtough, clipboard ectra","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":true,"context_lines":[{"line_number":83,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":84,"context_line":"client, who will then have seamless access to their 
virtual desktop."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"}],"source_content_type":"text/x-rst","patch_set":2,"id":"faa06ae2_e234a70b","line":86,"in_reply_to":"585e093f_f9061254","updated":"2024-06-25 10:06:17.000000000","message":"I _think_ that thing is true, but I haven\u0027t done a complete bench audit against the patches and am human so may have missed something.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":83,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":84,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"}],"source_content_type":"text/x-rst","patch_set":2,"id":"585e093f_f9061254","line":86,"in_reply_to":"83acfdfa_707de57e","updated":"2024-06-24 12:17:53.000000000","message":"the spec at least at a high level shoudl still have enouch prose to ensure that if you coudl not work on this futher someone coudl read the spec and with enouch knowladge of nova proceed with it.\n\n\nso the spec shoudl still contain the design specification such that it can server 
as a guide to reviewers and implementers of what was agreed and can be used as a reference for operators as to how the feature is intended to be used.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":83,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":84,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"}],"source_content_type":"text/x-rst","patch_set":2,"id":"83acfdfa_707de57e","line":86,"in_reply_to":"b72faddc_498b26b2","updated":"2024-06-22 07:14:07.000000000","message":"As discussed a few weeks ago, I\u0027ve uploaded the patches from https://github.com/shakenfist/kerbside-patches to gerrit. 
That has the advantage that I can now add change id references here to specifically what each of these bullet points means.\n\nAre the patches sufficient here, or would you like to see an English prose description of the changes as well?","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":false,"context_lines":[{"line_number":83,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":84,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"Proposed change"},{"line_number":87,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":88,"context_line":""},{"line_number":89,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"}],"source_content_type":"text/x-rst","patch_set":2,"id":"ad788947_6180ede0","line":86,"in_reply_to":"faa06ae2_e234a70b","updated":"2024-07-18 13:16:39.000000000","message":"Acknowledged","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"0833f5857c3a76c8ee11a54df0b56e5ce1ca8f7a","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" 
consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"70edb44a_c2403d3b","line":95,"updated":"2024-04-07 04:33:01.000000000","message":"i think this is not a good on two fronts.\n\nfirst if we were to do this it should be done for all console type IMO\nwhich would imply a new parmater to the exiting console type not a new conosle type\n\ni.e. client_type\u003dweb|native\n\nany direct connection to the hypervior is a security risk and im not sure we want to support upstream\n\ni could see use allowing the current proxies to work as a transprent tcp proxy\nor adding a new proxy for that which allocats a public port for when you request a console to be exported but given the risk of leaking internal info like hypervior ips/hostname to non admins i dont think what is propsoed here is viable.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"d2e9bd8bf6bb2a625688d50fcc7743fa62cb0114","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"664db140_19fed322","line":95,"in_reply_to":"0c7a5943_b91efba3","updated":"2024-04-12 07:29:57.000000000","message":"I think its hard to \"require\" a proxy be present when lots of deployers do things lots of different 
ways. That said, if people turn on spice-direct consoles, they are opting into this behaviour and should know what they\u0027re doing.\n\nKerbside also uses a Keystone group to control access to its APIs. We could only return the hypervisor-detailing API response if the user is in that same group on the Nova side? I don\u0027t love it, but it would resolve your concern.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b9905a3c1ed773543c1762117e7a60ee71a3db28","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"0c7a5943_b91efba3","line":95,"in_reply_to":"251c5593_601a40e8","updated":"2024-04-08 13:13:06.000000000","message":"if we actually will require a spice native proxy and the url we return at the api level is to that proxy then that is fine\n\nwhat i want to ensure is that as an end user we don\u0027t get the connection information for the qemu vm as a normal user.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration 
group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"88d8044f_fed86c15","line":95,"in_reply_to":"3d824fca_0d1abf76","updated":"2024-06-24 12:17:53.000000000","message":"Acknowledged","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7ff40eb638d1fbe3ce71335c3a080db2c0c18fd","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"d6469148_875ab718","line":95,"in_reply_to":"664db140_19fed322","updated":"2024-04-12 10:52:35.000000000","message":"exposing the hypervior hostname or other info to non admings is a security isssue period.\n\nthat is considerd privladged info. 
we would have to restrict this to admin only in default policy.\n\nif the cloud wanted to use custom policy to create a separate keystone role and expose this to users via that role that would be fine but the member and reader roles should not have a way to get hypervisor-specific info.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"b841dd8c39c3d067b7e94614ea007f1bdf149191","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"251c5593_601a40e8","line":95,"in_reply_to":"70edb44a_c2403d3b","updated":"2024-04-08 04:27:49.000000000","message":"So the reason that spice-direct makes sense when the other native protocols don\u0027t is exactly because I am providing a SPICE native proxy to deploy in front. If there was a similar functionality for VNC etc, I\u0027d have no problem with that being supported too, but I don\u0027t think it exists right now.\n\nThere is no more direct connection to the hypervisor in this proposal than there is if you\u0027re using the HTML5 transcoding proxy. 
That too depends on a proxy being deployed in front.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":92,"context_line":"* Allow Nova to require secured SPICE connections, via a new `require_secure`"},{"line_number":93,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":94,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles."},{"line_number":95,"context_line":""},{"line_number":96,"context_line":"Alternatives"},{"line_number":97,"context_line":"------------"},{"line_number":98,"context_line":""}],"source_content_type":"text/x-rst","patch_set":2,"id":"3d824fca_0d1abf76","line":95,"in_reply_to":"d6469148_875ab718","updated":"2024-06-23 05:54:02.000000000","message":"I feel this thread is addressed by the comments above?","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"455b9228c580366c0333f3bceeb181e18faf538f","unresolved":true,"context_lines":[{"line_number":137,"context_line":"        \"remote_console\": {"},{"line_number":138,"context_line":"        \"protocol\": \"spice\","},{"line_number":139,"context_line":"        \"type\": \"spice-direct\","},{"line_number":140,"context_line":"        \"host\": \"localhost\","},{"line_number":141,"context_line":"        \"port\": 5900,"},{"line_number":142,"context_line":"        \"tls_port\": 5901"},{"line_number":143,"context_line":"        }"}],"source_content_type":"text/x-rst","patch_set":2,"id":"04ca763c_789f188d","line":140,"updated":"2024-04-12 11:24:28.000000000","message":"so this host is the kerbside 
proxy?","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":137,"context_line":"        \"remote_console\": {"},{"line_number":138,"context_line":"        \"protocol\": \"spice\","},{"line_number":139,"context_line":"        \"type\": \"spice-direct\","},{"line_number":140,"context_line":"        \"host\": \"localhost\","},{"line_number":141,"context_line":"        \"port\": 5900,"},{"line_number":142,"context_line":"        \"tls_port\": 5901"},{"line_number":143,"context_line":"        }"}],"source_content_type":"text/x-rst","patch_set":2,"id":"130618c0_407e9644","line":140,"in_reply_to":"04ca763c_789f188d","updated":"2024-06-23 05:54:02.000000000","message":"No, this host is the hypervisor. Its just confusing because the example came from my all-in-one Kolla-Ansible installation. 
I have tweaked to make it clearer.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"62935a1ed1deaa61b1a08ff3baa9d9fc685074c9","unresolved":false,"context_lines":[{"line_number":137,"context_line":"        \"remote_console\": {"},{"line_number":138,"context_line":"        \"protocol\": \"spice\","},{"line_number":139,"context_line":"        \"type\": \"spice-direct\","},{"line_number":140,"context_line":"        \"host\": \"localhost\","},{"line_number":141,"context_line":"        \"port\": 5900,"},{"line_number":142,"context_line":"        \"tls_port\": 5901"},{"line_number":143,"context_line":"        }"}],"source_content_type":"text/x-rst","patch_set":2,"id":"352b3007_075e8fe3","line":140,"in_reply_to":"130618c0_407e9644","updated":"2024-07-18 12:29:58.000000000","message":"Done","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"455b9228c580366c0333f3bceeb181e18faf538f","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        }"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5eff40e9_d179bc6f","line":211,"updated":"2024-04-12 11:24:28.000000000","message":"this correaltat to what your asserting here yes\n\nhttps://github.com/shakenfist/kerbside-patches/blob/00eafdbc1884387d858c969af19998802bd2df6d/nova/patch004-nova-allow-direct-spice-connections.patch#L403-L411\n\n\nim trying to reason about that and 
\n\nhttps://github.com/shakenfist/kerbside-patches/blob/00eafdbc1884387d858c969af19998802bd2df6d/nova/patch004-nova-allow-direct-spice-connections.patch#L423-L431\n\n\n       self.assertEqual({\n+            \u0027access_url\u0027: \u0027fake_console_url\u0027,\n+            \u0027console_type\u0027: \u0027spice-html5\u0027,\n+            \u0027host\u0027: \u0027fake_console_host\u0027,\n+            \u0027instance_uuid\u0027: \u0027f3000000-0000-0000-0000-000000000000\u0027,\n+            \u0027internal_access_path\u0027: \u0027fake_access_path\u0027,\n+            \u0027port\u0027: \u0027fake_console_port\u0027,\n+            \u0027token\u0027: \u0027fake_token\u0027\n+            }, console)\n\n\nif the datapath for the spice client is client -\u003e kerbside proxy -\u003e qemu\nthen i don\u0027t think we have a problem provided the response we provide at the\nnova api for the console usr is just a connection url to the kerbside proxy\n\nagain provided the datapath is not client -\u003e qemu directly there is no security concern here as we never need to expose the hypervisor information to the user\n\nwe probably need a way for nova and kerbside to interact so that kerbside can forward the client connection but that\u0027s a backend to backend communication and it would be ok for another cloud level service (kerbside in this case) to know about the hypervisor connection info.\n\ncould you perhaps add an ascii diagram showing the network topology here to make it clear how the spice connection works.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"32c3ef5a5b4a45e12b3a5a74fae5925deecccd6f","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        
}"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"c4949b35_e20241c8","line":211,"in_reply_to":"1acb886f_8f4ac36b","updated":"2024-07-02 12:26:17.000000000","message":"right but that is out of scope of nova.\n\nnova supports setting that via \n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#vnc.server_listen\n\nbut securing that is out of scope of nova but in scope of the operator/installer that deployed qemu/nova to restrict in any manner that makes sense.\n\nbe that network level or not.\n\nwe document/recommend that the vnc network should not be accessible from the internet or tenant networks and default to binding to 127.0.0.1 so that the console is only locally accessible. this requires the operator to either deploy one proxy server per host or intentionally choose what network to use to allow the console to be connected to the proxy.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        }"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1acb886f_8f4ac36b","line":211,"in_reply_to":"28d486c8_f1248821","updated":"2024-06-25 10:06:17.000000000","message":"Yes, I had assumed it would be locked down at the network layer. 
For example, its possible to configure qemu to bind to a different IP address, at which point you could have a separate \"VDI VLAN\" which only Kerbside and the hypervisors were on.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        }"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"9d7e60a7_a49d4942","line":211,"in_reply_to":"5eff40e9_d179bc6f","updated":"2024-06-23 05:54:02.000000000","message":"So with the current implementation in nova, a connection from client -\u003e qemu is entirely possible. Kerbside then rewrites this console information to provide client -\u003e kerbside -\u003e qemu. If you wanted to force connections to use kerbside, then we\u0027d have to tweak how the nova implementation works as discussed above -- basically have nova request a token in kerbside, and then return that token to the user here. 
I have been hesitant to land kerbside code in nova until now however.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        }"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"28d486c8_f1248821","line":211,"in_reply_to":"9d7e60a7_a49d4942","updated":"2024-06-24 12:17:53.000000000","message":"that or use firewalling or client cert auth to make it so that only the kerbside proxies can actually connect to qemu.\n\nthere are a few operational ways to enforce that the only way to connect is via kerbside without modifying kerbside.\n\nwith that said i could see a case where both the spice html console and kerbside might be deployed together.\n\ni.e. 
internal clients are given direct spice access via kerbside and external client are only allowed limited spice access via the html proxy.\n\nthe desicsion i think of how or if to lockdown direct acceess can effectivly be delegated to the installation tool and operator that is deploying the cloud.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":false,"context_lines":[{"line_number":208,"context_line":"            \u0027port\u0027: 6969,"},{"line_number":209,"context_line":"            \u0027tls_port\u0027: 6970"},{"line_number":210,"context_line":"        }"},{"line_number":211,"context_line":"    }"},{"line_number":212,"context_line":""},{"line_number":213,"context_line":"Security impact"},{"line_number":214,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"8e4cd721_38d91518","line":211,"in_reply_to":"c4949b35_e20241c8","updated":"2024-07-18 13:16:39.000000000","message":"Acknowledged","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"0833f5857c3a76c8ee11a54df0b56e5ce1ca8f7a","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. 
While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"577b7090_966607bf","line":221,"updated":"2024-04-07 04:33:01.000000000","message":"this is a fairly major security change.\n\nfirst of all the end user today is not intended to be able to discover the hypervisor hostname or its ip via any nova rest api.\n\nwe consider any leakage of that from nova to be a security bug and you are proposing adding an api that would enable this that anyone could use.\n\nto me that is a pretty big security hole and it\u0027s not at all comparable to how this works with the console proxy service today.\n\n\ntoday the end user never gets the ip or port of the hypervisor or the vm console port.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"d2e9bd8bf6bb2a625688d50fcc7743fa62cb0114","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. 
While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"60a2c15a_bb724d91","line":221,"in_reply_to":"21aff7d3_30dbddbb","updated":"2024-04-12 07:29:57.000000000","message":"Kerbside is that SPICE native proxy. I am not aware of a similar proxy for other protocols, but there\u0027s nothing stopping someone from writing one and then extending the -direct functionality to other protocols too.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. 
While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"d6894798_25eb35bd","line":221,"in_reply_to":"2694c1c1_cac3b0b2","updated":"2024-06-24 12:17:53.000000000","message":"ya lets resolve this for now and we can continue seperately.\n\nthis comment is on an old reveion and the spec has evloved enought that keeping it open is not really helping.\n\nyou have updated the security section enough that we can consider this resolved for now","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"b841dd8c39c3d067b7e94614ea007f1bdf149191","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"f056613b_e71fabf2","line":221,"in_reply_to":"577b7090_966607bf","updated":"2024-04-08 04:27:49.000000000","message":"This is true, I had missed that the HTML5 proxy has the following flow:\n\n* It creates an access token. 
That token maps to a hypervisor and TCP port.\n* The access token is then handed out via the Nova APIs.\n* nova.console.websocketproxy.NovaProxyRequestHandler._get_connect_info knows how to map that access token back to the hypervisor and port.\n\nThat\u0027s not a great fit for my use case because the SPICE native protocol isn\u0027t a websocket, which this code assumes.\n\nI need to think through an alternate mechanism more, but given my general read of your comments is your entirely opposed to SPICE native console functionality, I\u0027d like some clarity on if this idea is entirely dead before I spend that time.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"2694c1c1_cac3b0b2","line":221,"in_reply_to":"5f14e6ac_042c1425","updated":"2024-06-22 07:14:07.000000000","message":"I feel like we talked this through at the vPTG and we were ok with the alternative approach of proving a limited lookup API, but I don\u0027t want to just mash resolve here. 
You\u0027re ok with that?","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c7ff40eb638d1fbe3ce71335c3a080db2c0c18fd","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5f14e6ac_042c1425","line":221,"in_reply_to":"60a2c15a_bb724d91","updated":"2024-04-12 10:52:35.000000000","message":"i think if we were to proceed with this you will need to instead have nova talk to kerbside and establish a console forwarding for the instance and then return the forwarded uri that points at the kerbside proxy.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b9905a3c1ed773543c1762117e7a60ee71a3db28","unresolved":true,"context_lines":[{"line_number":218,"context_line":"for the purposes of the HTML5 transcoding proxy. 
While the proposed change"},{"line_number":219,"context_line":"makes this more directly accessible, it also adds support for TLS encryption"},{"line_number":220,"context_line":"of the consoles, and would require a misconfigured network to expose these"},{"line_number":221,"context_line":"ports to end users."},{"line_number":222,"context_line":""},{"line_number":223,"context_line":"Notifications impact"},{"line_number":224,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":2,"id":"21aff7d3_30dbddbb","line":221,"in_reply_to":"f056613b_e71fabf2","updated":"2024-04-08 13:13:06.000000000","message":"i\u0027m not against it entirely i actually would love to be able to use remmina or similar to connect to our vms over vnc spice whatever.\n\nso i would like to find a way to have a protocol native proxy that could be used to expose the vm console more directly so you can use a native client via the proxy to connect to the hypervisor.\n\ni just don\u0027t think we should support a direct connect from the client to qemu without an intermediary like a native spice proxy server.\n\nthat\u0027s just my perspective however. \nif others are ok with a direct connect provided it\u0027s not enabled by default (i.e. opt in by the administrator of the cloud)\ni can be convinced that we could support this\n\neither with a new console type or a new sub field which we could bike shed the name/semantics of later.\n\ni just want to make sure that any solution we proceed with would work equally well for a public cloud as it would for a private one.\n\ni don\u0027t think we should have any api that can only be safely used in a private cloud where you can trust your users to be able to connect to the hypervisor network directly.\n\nwe should ensure this would be safe to expose to a public wan. 
at least that is the design critia i am thinking about primarly when pushhing back currently.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"663a5a4cbc7a808922c0ae1e8e7282b137d5ec39","unresolved":true,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Testing graphical user interfaces in the gate is hard. However, test for the"},{"line_number":319,"context_line":"API microversion will be added, and manual testing of the console functionality"},{"line_number":320,"context_line":"has occurred on the prototype and will be redone as the patches land."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"Documentation Impact"},{"line_number":323,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"1b158abf_0d8f9bd9","line":320,"updated":"2024-04-12 11:38:43.000000000","message":"i would likely want to see one of our jobs reconfigured to run with spice-direct and kerbside.\nthat would invovle writhing a devstack plugin to support confiuring this\n\nnova recently gained a minimal plugin so if you didnt add this to the kerside repo which would be my prefernce we could add it to nova\u0027s plugin or to core devstack depending on how inovled it is.\n\nwe generally do not deploy horizon but we do deploy with novnc i belive and we have tempest test for that.\n\nim not sure if we should require tempest coverage here or not but im incliend to say we should.\n\na very basic test to just create a spice direct console and perhaps use nc to connect to it is proably approrate to add.\n\n\nwe do have exsiting tempest console tests that basically do that.\nbaiscally like this 
https://github.com/openstack/tempest/blob/c0da6e843a74c2392c8e87e8ff36d2fea12949c4/tempest/api/compute/servers/test_server_actions.py#L764-L778\nor this\nhttps://github.com/openstack/tempest/blob/c0da6e843a74c2392c8e87e8ff36d2fea12949c4/tempest/tests/lib/services/compute/test_servers_client.py#L1047-L1061\n\nso if we proceed with this i would hope we can extend tempest to \njust conenct to the url to ensure that its accessable as a client.\nwe dont need to connect as a spcie client jsut make sure the kerbside proxy is \n\nwe would likely need at least functional test coverage in the absence of tempest.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Testing graphical user interfaces in the gate is hard. However, test for the"},{"line_number":319,"context_line":"API microversion will be added, and manual testing of the console functionality"},{"line_number":320,"context_line":"has occurred on the prototype and will be redone as the patches land."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"Documentation Impact"},{"line_number":323,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"7cdaf315_a5194a3c","line":320,"in_reply_to":"02934cfe_eaf06c2f","updated":"2024-06-23 05:54:02.000000000","message":"I am happy to have a go at devstack testing, but I haven\u0027t had a chance to yet. 
I\u0027d also prefer not to block merging some amount of this feature if possible.\n\nThat said, I am also working on adding Kolla-Ansible based CI on the Shaken Fist side, but it has been a little fiddly for reasons unrelated to OpenStack.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Testing graphical user interfaces in the gate is hard. However, test for the"},{"line_number":319,"context_line":"API microversion will be added, and manual testing of the console functionality"},{"line_number":320,"context_line":"has occurred on the prototype and will be redone as the patches land."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"Documentation Impact"},{"line_number":323,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"02934cfe_eaf06c2f","line":320,"in_reply_to":"1b158abf_0d8f9bd9","updated":"2024-05-30 07:59:53.000000000","message":"so at the ptg dan was open to not reqiuring a devstack job to validate the end to end integration.\n\ni personally think that would still be nice to have but we agreed on unit and functional testing as the minimum, tempest testing can/should be provided when you have time to do so but are not required to merge the nova feature.","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":317,"context_line":""},{"line_number":318,"context_line":"Testing graphical user 
interfaces in the gate is hard. However, test for the"},{"line_number":319,"context_line":"API microversion will be added, and manual testing of the console functionality"},{"line_number":320,"context_line":"has occurred on the prototype and will be redone as the patches land."},{"line_number":321,"context_line":""},{"line_number":322,"context_line":"Documentation Impact"},{"line_number":323,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":2,"id":"5d7969c0_a5645464","line":320,"in_reply_to":"7cdaf315_a5194a3c","updated":"2024-06-24 12:17:53.000000000","message":"Acknowledged","commit_id":"46e3a675903174c7daebc430039214311910d318"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":26,"context_line":"the moment, Horizon\u0027s HTML5 transcoding proxy is the only way to access these"},{"line_number":27,"context_line":"SPICE consoles, and the HTML5 interface does not support many of the more novel"},{"line_number":28,"context_line":"features of the SPICE protocol, nor does it support high resolution desktops"},{"line_number":29,"context_line":"well."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"The proposed solution is relatively simple -- add an API microversion which"},{"line_number":32,"context_line":"makes it possible to create a \"spice-direct\" console, and to lookup connection"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ec255822_fb2d4b00","line":29,"updated":"2024-05-30 07:59:53.000000000","message":"so this paragraph is not really correct\n\nill ignore the subjective argument of did rdp provide a richer envionment or not\nbut there is no such thing as “horizon’s html5 tanscoding proxy”\n\nthe html5 proxy is part of 
nova and usable fully without horizon\n\nhorizon just embeds an iframe pointing at nova’s html5 proxy.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":26,"context_line":"the moment, Horizon\u0027s HTML5 transcoding proxy is the only way to access these"},{"line_number":27,"context_line":"SPICE consoles, and the HTML5 interface does not support many of the more novel"},{"line_number":28,"context_line":"features of the SPICE protocol, nor does it support high resolution desktops"},{"line_number":29,"context_line":"well."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"The proposed solution is relatively simple -- add an API microversion which"},{"line_number":32,"context_line":"makes it possible to create a \"spice-direct\" console, and to lookup connection"}],"source_content_type":"text/x-rst","patch_set":4,"id":"18b6a9cf_ad0e3907","line":29,"in_reply_to":"a366d47b_a5882de8","updated":"2024-06-24 12:17:53.000000000","message":"Done","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":26,"context_line":"the moment, Horizon\u0027s HTML5 transcoding proxy is the only way to access these"},{"line_number":27,"context_line":"SPICE consoles, and the HTML5 interface does not support many of the more novel"},{"line_number":28,"context_line":"features of the SPICE protocol, nor does it support high resolution desktops"},{"line_number":29,"context_line":"well."},{"line_number":30,"context_line":""},{"line_number":31,"context_line":"The proposed solution is relatively simple -- add an API microversion 
which"},{"line_number":32,"context_line":"makes it possible to create a \"spice-direct\" console, and to lookup connection"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a366d47b_a5882de8","line":29,"in_reply_to":"ec255822_fb2d4b00","updated":"2024-06-22 07:14:07.000000000","message":"I\u0027ve made a small tweak to make this paragraph more accurate. Let me know if you want a bigger re-write.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":34,"context_line":"required because we need to be able to lookup both the insecure and secure TCP"},{"line_number":35,"context_line":"ports for the console, as well as the hypervisor address. While this is"},{"line_number":36,"context_line":"similar to what the HTML5 proxy does, it is distinct enough to require an"},{"line_number":37,"context_line":"API change."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":40,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"a0540637_593ffe89","line":37,"updated":"2024-05-30 07:59:53.000000000","message":"so at the ptg we said we were open to allowing an admin or ideally a request form a user with the service role to look up those detail but not a normal user.\n\ni.e. 
we said kerbside could be given access to the hypervisor details but not a normal user.\n\nknowing the hypervisor ip or port is a security issue and not something someone with the member or reader role should be able to do","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"62935a1ed1deaa61b1a08ff3baa9d9fc685074c9","unresolved":false,"context_lines":[{"line_number":34,"context_line":"required because we need to be able to lookup both the insecure and secure TCP"},{"line_number":35,"context_line":"ports for the console, as well as the hypervisor address. While this is"},{"line_number":36,"context_line":"similar to what the HTML5 proxy does, it is distinct enough to require an"},{"line_number":37,"context_line":"API change."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":40,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"58750638_b4654b4b","line":37,"in_reply_to":"100d6734_cc3f7e93","updated":"2024-07-18 12:29:58.000000000","message":"Done","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":34,"context_line":"required because we need to be able to lookup both the insecure and secure TCP"},{"line_number":35,"context_line":"ports for the console, as well as the hypervisor address. 
While this is"},{"line_number":36,"context_line":"similar to what the HTML5 proxy does, it is distinct enough to require an"},{"line_number":37,"context_line":"API change."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":40,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":4,"id":"100d6734_cc3f7e93","line":37,"in_reply_to":"a0540637_593ffe89","updated":"2024-06-22 07:14:07.000000000","message":"I\u0027ve added a paragraph below this one to address this.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. 
Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"2ba5ce88_5e260fbf","line":85,"updated":"2024-05-30 07:59:53.000000000","message":"im not sure if that is true.\ntoday the console aceess has no dependcy on either horizon or skyline\n\nyou can do openstack console url show\n\nthis api is expecte to return the url to the proxy that a end user can use to connect to the console without horizon or any other web ui.\n\nits the api horion uses to know how to render the console in its ui the same is true for skyline.\n\nhttps://docs.openstack.org/python-openstackclient/latest/cli/command-objects/console-url.html#console-url-show\n\nwe did not resolve what that api should return since it should not contain the direct hypervior info but you have not desibed what info if any nova will have about kerbside.\n\n\nhow this works today is the compute agent reads\n\nhttps://docs.openstack.org/nova/latest/configuration/config.html#spice.html5proxy_base_url in responce to an rpc call to generate a console auth token and a url to allow the user to connect.\n\nwe would need to add a similar option for when it deployed with kerbside,\n\ni.e. the way this should work is the repsonce would be something like\n\nhttps://kerbside.my.cloud.domain/\u003cbearer token\u003e\n\nkerbside would take that token and then look up the hypervior details and create a proxied connection that tthe clinet could then use.\n\ni.e. 
it would retirn with spice://kerbside.mycloud.domain:9000 or what ever the spice uri would look like as the payload/reponce to https://kerbside.my.cloud.domain/\u003cbearer token\u003e\n\nthen a human or automation in horizon/skyline can connect to the prodxied conenction with a real spice client.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"32c3ef5a5b4a45e12b3a5a74fae5925deecccd6f","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"1b68f8b9_9548a98d","line":85,"in_reply_to":"057f33aa_e36263d3","updated":"2024-07-02 12:26:17.000000000","message":"we uses to support both xml and json apis now we only support json apis.\n\nhowever i belive we do have one api that returned a diffent mimetype and thats the console log show.\n\nthe flow i was suggesting would not require nova to call kerbside.\nit could but what i was suggesting is that nova returns a reposnce like this\n\n```\nconsole\": {\n\"type\": \"spice-direct\",\n\"url\":\"spice://${KERBSIDE_HOST}/?token\u003df9906a48-b71e-4f18-baca-c987da3ebdb3\"\n}\n}\n```\n\nkerbside would then use the token in the uri parmaters to call nova with a service token and lookup the hypervior port and ip then 
proxy the conenction transparently to that host after stripign token\u003d* from the connection parmaters.\n\nalternitvly i proposed that nova would retrun \n\n```\nconsole\": {\n\"type\": \"spice-direct\",\n\"url\":\"https://${KERBSIDE_HOST}/?token\u003df9906a48-b71e-4f18-baca-c987da3ebdb3\"\n}\n}\n```\n and kerbside would also use the token to call nova and get the proxy details then repond to the client with the .vv file.\n \n \n \n \nnova-compute could instead be modifed to call kerbside vai a rest api to prefcreate the keberside proxy and return \n\n```\nconsole\": {\n\"type\": \"spice-direct\",\n\"url\":\"spice://${KERBSIDE_HOST}:{port}/\n}\n}\n```\n\nbut i am not pusshing you to go in that direction.\n\ni think we can do this cleanly without needing nova to talk to kerbside\n\nwhat i was trying to convay is that the console token copled with the user/project  is unique identifier for the console that kerbside needs to pull the info form the new api microversion.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"62935a1ed1deaa61b1a08ff3baa9d9fc685074c9","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. 
Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"ca7834ab_ba434a35","line":85,"in_reply_to":"1b68f8b9_9548a98d","updated":"2024-07-18 12:29:58.000000000","message":"I think I got this working. More details in an update soon.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"aeb52c55_5127e065","line":85,"in_reply_to":"2ba5ce88_5e260fbf","updated":"2024-06-22 07:14:07.000000000","message":"This is interesting. I hadn\u0027t thought about this before reading this comment to be honest. 
At the moment kerbside has a user interface and API which allows you to list the \"VDI capable\" instances in a given OpenStack cloud and then initiate a console to them. The definition of \"VDI capable\" isn\u0027t great at the moment, it effectively filters on an allowlist of flavors but I am no longer convinced that\u0027s the right approach.\n\nWhen a user selects an instance to create a proxied console for, they request a URL of the form `https://${KERBSIDE_HOST}/console/proxy/${OPENSTACK_REGION}/${INSTANCE_UUID}/console.vv` which then returns a `.vv` file as consumed by remote-viewer. So, having Nova return a URL which provides a console is feasible, although I think we\u0027d have to think through the authentication story there -- a browser wouldn\u0027t know how to authenticate with keystone to prove it had permission to access that kerbside URL.\n\nNow, Nova could orchestrate kerbside so that it provided a URL like you describe above, but so far I have been avoiding adding code to Nova that knows how to talk to kerbside and we\u0027d have to cross that bridge if we went that route.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. 
Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"057f33aa_e36263d3","line":85,"in_reply_to":"5821744a_f2c0a44e","updated":"2024-06-25 10:06:17.000000000","message":"I think we should split this bit of the conversation into two phases to make this clearer. Specifically:\n\n* is Nova ok with calling Kerbside to enable access to a console?\n* if so, should that either be generating a bearer token and returning a URL, or by proxying a .vv file to the caller?\n\nAs I said, I\u0027d been avoiding adding any dependency inside Nova to Kerbside. We can do that thing if that\u0027s preferred though. Would that be a REST API? Kerbside growing support for Nova rabbitmq messaging? Or something else? Is there a precident here apart from perhaps vendordata?\n\nHow hard is it to change the MIME type of a Nova REST API response? If that\u0027s hard that might mean the URL to Kerbside to collect a .vv file is preferable?","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. 
Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5821744a_f2c0a44e","line":85,"in_reply_to":"aeb52c55_5127e065","updated":"2024-06-24 12:17:53.000000000","message":"the issue with \n\n```https://${KERBSIDE_HOST}/console/proxy/${OPENSTACK_REGION}/${INSTANCE_UUID}/console.vv``` is that without some form of auth that URL is guessable, so it\u0027s not safe to use in a public cloud context.\n\nif it was possible i woudl try to some degree to model this after the serial console\n\nhttps://docs.openstack.org/api-ref/compute/#id119\n\n```\n\"console\": {\n        \"type\": \"serial\",\n        \"url\":\"ws://127.0.0.1:6083/?token\u003df9906a48-b71e-4f18-baca-c987da3ebdb3\"\n    }\n}\n```\nthere we return a websocket url which the poxy will read the bearer token form and use to create a tcp conenction to the instnace which it will wrap and export as a websocket to provide \"direct\" acces to the client.\n\ni understand that we cant do this with kerbside but the ideal case in my mind would have been somethign like this\n\n\"console\": {\n        \"type\": \"spice-direct\",\n        \"url\":\"spice://${KERBSIDE_HOST}/?token\u003df9906a48-b71e-4f18-baca-c987da3ebdb3\"\n    }\n}\n\nthe spice uri does supprot  query string peramters \nhttps://man.archlinux.org/man/extra/spice-gtk/spice-client.1.en#URI_query_string\n\nso kerbside could take the console token and lookup the host info form that and establis a direct spice connefction to the instance.\n\n\n\nassuming that is not the direction this is going 
in the best we can do is have the url provide the .vv config file that when used woudl allow the spice client to conenct proeprly.\n\n\n\nassuming we went the .vv route nova woudl idelly generate a uri like this\n\n```https://${KERBSIDE_HOST}/console/proxy/${OPENSTACK_REGION}/?token\u003d\u003cconsole_token\u003e```\n\nthen the relevent kerbside proxy woudl use a service token to call \n```https://nova.mycloud//os-console-auth-tokens/\u003cconsole_token\u003e```\nhttps://docs.openstack.org/api-ref/compute/#show-console-connection-information\n\nwhich woudl return the info you need \n```\n {\n        \"remote_console\": {\n        \"protocol\": \"spice\",\n        \"type\": \"spice-direct\",\n        \"host\": \"hypervisor-1\",\n        \"port\": 5900,\n        \"tls_port\": 5901\n }\n```\n\nif we can avoid it we should avoid matiraly changing the behviaor of\n\nhttps://docs.openstack.org/api-ref/compute/#create-console\n\nim not oposed to embeded the addtion filed in that repocne when invoked with an a token with the admin/service token\n\nbut the response should contain the required url field that either use the spice protocal as i suggest above or https protocal and returns the .vv file.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":false,"context_lines":[{"line_number":82,"context_line":"functionality will take several releases to land before a fully seamless"},{"line_number":83,"context_line":"experience is available. 
Once fully implemented, Horizon and Skyline will be"},{"line_number":84,"context_line":"capable of delivering a `.vv` configuration file for a specific console to a"},{"line_number":85,"context_line":"client, who will then have seamless access to their virtual desktop."},{"line_number":86,"context_line":""},{"line_number":87,"context_line":"Proposed change"},{"line_number":88,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9289872c_fd2c8802","line":85,"in_reply_to":"ca7834ab_ba434a35","updated":"2024-07-18 13:16:39.000000000","message":"Acknowledged","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":94,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":95,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles. 
After discussion"},{"line_number":96,"context_line":"  at the vPTG, it is agreed that this API call will only return hypervisor"},{"line_number":97,"context_line":"  connection details to users who are a member of the Kerbside service group."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Alternatives"},{"line_number":100,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"fe7e675d_0e06855f","line":97,"updated":"2024-05-30 07:59:53.000000000","message":"that is not what we said at the ptg.\n\nwe said the connection info would only be returned in an api response if the request was made with the standard “service” role or “admin”.\n\nwe should not have a “kerbside service group” or any other kerbside specific role.\nhttps://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":94,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":95,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles. 
After discussion"},{"line_number":96,"context_line":"  at the vPTG, it is agreed that this API call will only return hypervisor"},{"line_number":97,"context_line":"  connection details to users who are a member of the Kerbside service group."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Alternatives"},{"line_number":100,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"67f16199_c7d5020f","line":97,"in_reply_to":"7176cf5e_ed0cbfdb","updated":"2024-06-24 12:17:53.000000000","message":"Acknowledged","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":94,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":95,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles. After discussion"},{"line_number":96,"context_line":"  at the vPTG, it is agreed that this API call will only return hypervisor"},{"line_number":97,"context_line":"  connection details to users who are a member of the Kerbside service group."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Alternatives"},{"line_number":100,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7176cf5e_ed0cbfdb","line":97,"in_reply_to":"935fc42c_18005a89","updated":"2024-06-23 05:54:02.000000000","message":"Ok, I think I understand what you\u0027re saying now and I\u0027m fine with that. 
I will update the spec accordingly.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"572e9fb061a950de82eb507bff6927441f44e00e","unresolved":true,"context_lines":[{"line_number":94,"context_line":"  configuration option in the SPICE configuration group."},{"line_number":95,"context_line":"* Add an API microversion to expose SPICE \"direct\" consoles. After discussion"},{"line_number":96,"context_line":"  at the vPTG, it is agreed that this API call will only return hypervisor"},{"line_number":97,"context_line":"  connection details to users who are a member of the Kerbside service group."},{"line_number":98,"context_line":""},{"line_number":99,"context_line":"Alternatives"},{"line_number":100,"context_line":"------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"935fc42c_18005a89","line":97,"in_reply_to":"fe7e675d_0e06855f","updated":"2024-06-22 07:14:07.000000000","message":"I am reading that link and then will respond.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":221,"context_line":"of the HTML5 transcoding proxy although is exposed via a websocket proxy"},{"line_number":222,"context_line":"managed by Nova. 
The risk of leaking hypervisor details to untrusted users is"},{"line_number":223,"context_line":"mitigated via only returning those results for users in the Kerbside service"},{"line_number":224,"context_line":"group."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Notifications impact"},{"line_number":227,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"66910faf_44e209cd","line":224,"updated":"2024-05-30 07:59:53.000000000","message":"again i think you miss understood the feedback at the ptg.\nper the consitent and secure rbac comunity goal creating new per project roles is stongly discuraged.\n\nat the ptg we said this info should be returned if the request is made with a tokeen form a user with the “service” role\n\nnova has no awareness of keystone groups and we should keep it that way.\n\ndirect connections to the hypervisor are considered a security risk, so while it\u0027s fine for kerbside or horizon to connect as an infrastructure-level service and to retrieve this privileged info, it\u0027s not ok to return that info to an end user of the cloud with only the member or reader roles.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":221,"context_line":"of the HTML5 transcoding proxy although is exposed via a websocket proxy"},{"line_number":222,"context_line":"managed by Nova. 
The risk of leaking hypervisor details to untrusted users is"},{"line_number":223,"context_line":"mitigated via only returning those results for users in the Kerbside service"},{"line_number":224,"context_line":"group."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Notifications impact"},{"line_number":227,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"9ed85b44_97bedc83","line":224,"in_reply_to":"66910faf_44e209cd","updated":"2024-06-23 05:54:02.000000000","message":"I have updated the paragraph.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":false,"context_lines":[{"line_number":221,"context_line":"of the HTML5 transcoding proxy although is exposed via a websocket proxy"},{"line_number":222,"context_line":"managed by Nova. 
The risk of leaking hypervisor details to untrusted users is"},{"line_number":223,"context_line":"mitigated via only returning those results for users in the Kerbside service"},{"line_number":224,"context_line":"group."},{"line_number":225,"context_line":""},{"line_number":226,"context_line":"Notifications impact"},{"line_number":227,"context_line":"--------------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"7bf55cab_0967eed0","line":224,"in_reply_to":"9ed85b44_97bedc83","updated":"2024-06-24 12:17:53.000000000","message":"Done","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. 
However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"82251fd7_b2e736ee","line":247,"updated":"2024-05-30 07:59:53.000000000","message":"it should still be posible for user of nova without horion or skyline to fully use this feature.\n\nmeaning they should be able to use the openstack console url show command to get a url that directs them to kerbside, which should be enough to get the kerbside proxy connection info to connect to their vm via the kerbside proxy.\n\nfailing to support that would be an interop issue in my view.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"32c3ef5a5b4a45e12b3a5a74fae5925deecccd6f","unresolved":true,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. 
However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"5294e925_237043c8","line":247,"in_reply_to":"0277445f_14727df4","updated":"2024-07-02 12:26:17.000000000","message":"to other openstack project yes to non opentack project not really.\n\nnova obviouysly talks to neutron, glance, barbican, cyborg ectra but\n\nthere are some driver integration like libvirt talks to ceph for storage\nand ovs for basic networking, libvirt iself is also a xml rest api integration at the driver level, it just happens to normally be over a unix socket but can be over tcp.\n\nthe ironic and vmware drivers also talks to the resective rest apis.\n\ni dont think we need to have a Kerbside client and have nova compute talk to Kerbside i was originally saying that kerbside can use the bearer token in from the console url to lookup the info it needs to make the proxy work.\n\nbut an argument could be made for an optional integration provided it was opt-in and did not require kerbside or a kerbside client to be installed when not used.\n\nreally all the clinet moduel would need to be is a few function in a module usign either keystone auth client or opentack client to get a generic rest clint with a keystone token. 
then we could use that to auth to kerbside and make raw rest request.\n\nbut as i noted above i think you miss read what i previosu wrote.\n\nim not saying we shoudl do it that way im saying ti could be done if the other flow i suggested is not workable.\n\nthis would be plan B or C","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"dd1bee6d_fb600474","line":247,"in_reply_to":"057267d0_d1a0d238","updated":"2024-06-24 12:17:53.000000000","message":"so long as its an optional depency that would be opt in as part of enabling the kerbside intergartion then it could be workable. \n\nim not sure if that depenciy is actully requred more on that in my previosu comment above but i coudl see use haveing a limited kebside clinet module for makeing rest calls form teh nova-compute to kerbside. 
\n\nwe can continue to discuss if we think its needed once you have had time to digest my other comments.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"56679fcb4ebd3c78ac0b32a334ea9920b23eda66","unresolved":false,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"5287ac39_a6a3bc02","line":247,"in_reply_to":"5294e925_237043c8","updated":"2024-07-18 13:19:56.000000000","message":"Acknowledged","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. 
However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"057267d0_d1a0d238","line":247,"in_reply_to":"82251fd7_b2e736ee","updated":"2024-06-23 05:54:02.000000000","message":"As implemented now, such a use case would require that the user be handed permissions to log into the Kerbside administrative interface.\n\nHowever, we have discussed above Nova being able to provide a Kerbside URL with a bearer token to a specific console, if we\u0027re happy for Nova to depend on Kerbside being present for that to work. So if nova-core is ok with that, I am happy to add it.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":true,"context_lines":[{"line_number":244,"context_line":"As discussed, a complete implementation requires deployment systems to"},{"line_number":245,"context_line":"integrate the Kerbside SPICE proxy, as well as modifications to front ends"},{"line_number":246,"context_line":"such as Horizon and Skyline to orchestrate consoles via Kerbside. However,"},{"line_number":247,"context_line":"those are outside the scope of a Nova specification."},{"line_number":248,"context_line":""},{"line_number":249,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":250,"context_line":""}],"source_content_type":"text/x-rst","patch_set":4,"id":"0277445f_14727df4","line":247,"in_reply_to":"dd1bee6d_fb600474","updated":"2024-06-25 10:06:17.000000000","message":"I feel like we\u0027re discussing this above... 
If there\u0027s precident for a REST API call from Nova to something external, then its relatively easy to add. It would just be a call to the existing Kerbside REST API, which already supports Keystone authentication.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":270,"context_line":"  consoles are enabled. Configuring this on a per flavor or per image basis"},{"line_number":271,"context_line":"  was considered, but the additional complexity doesn\u0027t seem justified"},{"line_number":272,"context_line":"  compared to a sound device which emits no sound if the client isn\u0027t"},{"line_number":273,"context_line":"  capable of using it. An `ich6` sound device is always used."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. These devices are harmless if not used by a client"}],"source_content_type":"text/x-rst","patch_set":4,"id":"631fe304_634682e7","line":273,"updated":"2024-05-30 07:59:53.000000000","message":"so per host config options that affect the instance xml are generally a bad thing.\n\nif we have these it can complicate live migration when the value is diffent on differnt hosts which is generallly a valid thing to do.\n\nthe end user behavior end up being a that they boot a vm on host a and it gets a sound device. an admin later live migrates it to host b and it keeps the sound device because the xml was generated on the souce node that has the config option set. 
at some later point in time the user does a hard reboot and the vm nologer has a sound device and they file a support ticket.\n\n\n\ni would prefer to add a hw_audio_model image property to allow requesting a sound device be added to the vm. we can also have the config option as a fallback\nand when a vm first boots we can populate image_hw_audio_model in the instance_system_metadata table with either the value form the image if set or the fallback valume from the config if defiend.\n\nwe do this for several other image properties today to ensure that once an instance is created it maintains the same device set/configuratin.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":false,"context_lines":[{"line_number":270,"context_line":"  consoles are enabled. Configuring this on a per flavor or per image basis"},{"line_number":271,"context_line":"  was considered, but the additional complexity doesn\u0027t seem justified"},{"line_number":272,"context_line":"  compared to a sound device which emits no sound if the client isn\u0027t"},{"line_number":273,"context_line":"  capable of using it. An `ich6` sound device is always used."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. 
These devices are harmless if not used by a client"}],"source_content_type":"text/x-rst","patch_set":4,"id":"26002715_21a8c701","line":273,"in_reply_to":"4dde162a_ae999446","updated":"2024-07-18 13:16:39.000000000","message":"Acknowledged","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":true,"context_lines":[{"line_number":270,"context_line":"  consoles are enabled. Configuring this on a per flavor or per image basis"},{"line_number":271,"context_line":"  was considered, but the additional complexity doesn\u0027t seem justified"},{"line_number":272,"context_line":"  compared to a sound device which emits no sound if the client isn\u0027t"},{"line_number":273,"context_line":"  capable of using it. An `ich6` sound device is always used."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. These devices are harmless if not used by a client"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b36f9bd1_6c7390e1","line":273,"in_reply_to":"631fe304_634682e7","updated":"2024-06-23 05:54:02.000000000","message":"If you want this to be an image property, then should I do the same for require_secure and allow_concurrent? Similarly, those are things which might differ between hypervisor configurations if an administrator has some hypervisors configured differently from others.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":270,"context_line":"  consoles are enabled. 
Configuring this on a per flavor or per image basis"},{"line_number":271,"context_line":"  was considered, but the additional complexity doesn\u0027t seem justified"},{"line_number":272,"context_line":"  compared to a sound device which emits no sound if the client isn\u0027t"},{"line_number":273,"context_line":"  capable of using it. An `ich6` sound device is always used."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. These devices are harmless if not used by a client"}],"source_content_type":"text/x-rst","patch_set":4,"id":"b38c0cd0_142b15ef","line":273,"in_reply_to":"b36f9bd1_6c7390e1","updated":"2024-06-24 12:17:53.000000000","message":"require_secure and allow_concurrent don\u0027t actually change the guest view of the hardware. so since this is not visible from a process inside the guest i\u0027m more ok with keeping that as a nova-level config option.\n\nwe could have them be user-specific but i think that is less suited to an image property and more a flavor thing, since it requires operators to configure auth\nbetween kerbside and qemu etc.\n\nby the way, if we add hw_audio_model as an image property i\u0027m also not against including a sound device by default going forward, as long as we support opting out with hw_audio_model\u003dnone\n\nlibvirt sometimes adds audio devices today i believe, depending on the code path we take via nova anyway, so just having it always be there, provided we can select a reasonable default, normalises the vm we are providing.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"07e6cbbfcfe54d9765e49253d56ff7c1ae6ca1d4","unresolved":true,"context_lines":[{"line_number":270,"context_line":"  consoles are enabled. 
Configuring this on a per flavor or per image basis"},{"line_number":271,"context_line":"  was considered, but the additional complexity doesn\u0027t seem justified"},{"line_number":272,"context_line":"  compared to a sound device which emits no sound if the client isn\u0027t"},{"line_number":273,"context_line":"  capable of using it. An `ich6` sound device is always used."},{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. These devices are harmless if not used by a client"}],"source_content_type":"text/x-rst","patch_set":4,"id":"4dde162a_ae999446","line":273,"in_reply_to":"b38c0cd0_142b15ef","updated":"2024-06-25 10:06:17.000000000","message":"I can change this to be an image property.","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"b2590b210d26d40718d9dd06587ac7655cee3a77","unresolved":true,"context_lines":[{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. 
These devices are harmless if not used by a client"},{"line_number":277,"context_line":"capable of using USB passthrough."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Developer impact"},{"line_number":280,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"191004b4_6eaca6e6","line":277,"updated":"2024-05-30 07:59:53.000000000","message":"these are added automatically when you add a spice console by libvirt i belive.\nat least they are in virt manager so ya adding the usb redirection devices is fine,","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"change_message_id":"0883f34588d98213ffab481d78671ae704d9ef20","unresolved":false,"context_lines":[{"line_number":274,"context_line":""},{"line_number":275,"context_line":"Additionally, if SPICE consoles are enabled, then USB passthrough devices are"},{"line_number":276,"context_line":"created in the guest. 
These devices are harmless if not used by a client"},{"line_number":277,"context_line":"capable of using USB passthrough."},{"line_number":278,"context_line":""},{"line_number":279,"context_line":"Developer impact"},{"line_number":280,"context_line":"----------------"}],"source_content_type":"text/x-rst","patch_set":4,"id":"5b91359c_1df391e4","line":277,"in_reply_to":"191004b4_6eaca6e6","updated":"2024-06-23 05:54:02.000000000","message":"Done","commit_id":"d52600ab768406fa54e9743a096d4fb677588d99"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"865fdedfb4d4e88778802d900555a5a8f11a38ff","unresolved":true,"context_lines":[{"line_number":41,"context_line":"console is running on, it is agreed that these API methods should check for"},{"line_number":42,"context_line":"the correct `service` role or `admin` permissions, and otherwise return an"},{"line_number":43,"context_line":"error. This protects sensitive network configuration information from being"},{"line_number":44,"context_line":"provided to less trusted users."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":47,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":7,"id":"760d1649_bc4cf8f0","line":44,"updated":"2024-06-24 12:17:53.000000000","message":"not quite. 
we could, but that would basically make the feature unusable by non-admins\n\nwhat should happen is we should return the response as normal, with the url pointing to the kerbside proxy, including a console token but not including any port info\n\nthen when the user follows that url to kerbside, kerbside can take the token from the url and do the get with a keystone token with the service role.\nthat will allow kerbside to look up the hypervisor-specific port/ip and establish the proxy connection for the user request without exposing the info to the user.\n\nso instead of an error if a member/reader token is used to call get_spice_console, it should just return the console uri, templated based on the compute node config, to point to kerbside with the console auth token.","commit_id":"a9f4730f911d1be39b9e69ce117ffc004fca12bd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":false,"context_lines":[{"line_number":41,"context_line":"console is running on, it is agreed that these API methods should check for"},{"line_number":42,"context_line":"the correct `service` role or `admin` permissions, and otherwise return an"},{"line_number":43,"context_line":"error. 
This protects sensitive network configuration information from being"},{"line_number":44,"context_line":"provided to less trusted users."},{"line_number":45,"context_line":""},{"line_number":46,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":47,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":7,"id":"a90a83d3_caa656ab","line":44,"in_reply_to":"760d1649_bc4cf8f0","updated":"2024-07-18 13:16:39.000000000","message":"Acknowledged","commit_id":"a9f4730f911d1be39b9e69ce117ffc004fca12bd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"49d9687d75b81ce162caa0b910cd55386cdd4502","unresolved":true,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"*As a developer, I don\u0027t want these changes to make the Nova codebase even more"},{"line_number":35,"context_line":"complicated.* The changes proposed are relatively contained -- a single new API"},{"line_number":36,"context_line":"microversion, some changes to the domain XML generation code which are optional,"},{"line_number":37,"context_line":"and associated tests."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"*As a deployer, I want to be able to use OpenStack to provide rich virtual"}],"source_content_type":"text/x-rst","patch_set":11,"id":"5bb0412b_fd4a5411","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":80},"updated":"2024-07-18 13:18:20.000000000","message":"the comma breaks the line limit of 79 \nthats why the pep8 job failed.","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a03624548db0fa03f23865ec88a2736820ac07f4","unresolved":false,"context_lines":[{"line_number":33,"context_line":""},{"line_number":34,"context_line":"*As a developer, I don\u0027t want these changes to make the Nova codebase even more"},{"line_number":35,"context_line":"complicated.* The changes proposed are relatively contained -- a single new API"},{"line_number":36,"context_line":"microversion, some changes to the domain XML generation code which are optional,"},{"line_number":37,"context_line":"and associated tests."},{"line_number":38,"context_line":""},{"line_number":39,"context_line":"*As a deployer, I want to be able to use OpenStack to provide rich virtual"}],"source_content_type":"text/x-rst","patch_set":11,"id":"6508a1e9_64ad5ef5","line":36,"range":{"start_line":36,"start_character":0,"end_line":36,"end_character":80},"in_reply_to":"5bb0412b_fd4a5411","updated":"2024-07-18 13:44:05.000000000","message":"Done","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":true,"context_lines":[{"line_number":59,"context_line":"client, who will then have seamless access to their virtual desktop. 
However,"},{"line_number":60,"context_line":"a user will be able to use the `openstack console url show` command immediately"},{"line_number":61,"context_line":"to create a console session outside of our web clients."},{"line_number":62,"context_line":""},{"line_number":63,"context_line":"Proposed change"},{"line_number":64,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":65,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"c24ec7b8_e01e583e","line":62,"updated":"2024-07-18 13:16:39.000000000","message":"+1 to all of the above","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":true,"context_lines":[{"line_number":81,"context_line":"on the hypervisor that the SPICE console is running on, it is agreed that these"},{"line_number":82,"context_line":"API methods should have restricted accessibility. However, this is a"},{"line_number":83,"context_line":"pre-existing API and this should already be true. 
This protects sensitive"},{"line_number":84,"context_line":"network configuration information from being provided to less trusted users."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"This specification also covers tweaks the to the libvirt domain XML to enrich"},{"line_number":87,"context_line":"the desktop experience provided by such a direct console, such as:"}],"source_content_type":"text/x-rst","patch_set":11,"id":"f454fe3d_d1c74a7a","line":84,"updated":"2024-07-18 13:16:39.000000000","message":"yes its currently admin only\n\nhttps://github.com/openstack/nova/blob/master/nova/policies/console_auth_tokens.py#L27\n\ni would suggest making this admin_or_service as kerbside would ideally not have admin rights\n\nbut the existing protection should be sufficient.\n\nI\u0027m oke with deferring the details to the implementation review and updating this via a follow-up patch to record them post spec-freeze so i won\u0027t block on this point.","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":true,"context_lines":[{"line_number":103,"context_line":"for it to Kolla-Ansible. This proxy is called Kerbside, and more details are"},{"line_number":104,"context_line":"available at https://github.com/shakenfist/kerbside. That is, with the proxy"},{"line_number":105,"context_line":"deployed there is effectively no change to the network exposure of Nova"},{"line_number":106,"context_line":"hypervisors."},{"line_number":107,"context_line":""},{"line_number":108,"context_line":"As part of prototyping this functionality, a series of patches to Nova were"},{"line_number":109,"context_line":"developed. 
These are available at"}],"source_content_type":"text/x-rst","patch_set":11,"id":"bd7e9035_85c83dd9","line":106,"updated":"2024-07-18 13:16:39.000000000","message":"the installer support is good to note but i would also say there is no depency on that being completed to be able to move forward with this in nova.\n\nthe one caveat to that is i would like to see an install gudie update in the nova docs describing how to enable this manulally even if that is just a short paragraph and a link to the relevant kerbside install docs.\n\nwe don\u0027t need to capture that here in the spec just highlighting i would like to see documentation for configuring this before we consider it complete.","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":true,"context_lines":[{"line_number":109,"context_line":"developed. These are available at"},{"line_number":110,"context_line":"https://github.com/shakenfist/kerbside-patches/tree/develop/nova as well as"},{"line_number":111,"context_line":"on gerrit at"},{"line_number":112,"context_line":"https://review.opendev.org/q/topic:%22kerbside-spice-direct-consoles%22."},{"line_number":113,"context_line":""},{"line_number":114,"context_line":"They are:"},{"line_number":115,"context_line":""}],"source_content_type":"text/x-rst","patch_set":11,"id":"8adee056_c253409d","line":112,"updated":"2024-07-18 13:16:39.000000000","message":"so meta comment we normally say dont start the implemation before the spec is appoved but we discssed this at the PTG and gave a nottional green light to start the poc ectra.\n\nso we dont actully have a policy on if you should or shoudl not include links to gerrit reviews in specs.\n\ni thin ktis is fine  in general but your confgtion is that the gerrit topic and spec and blueprint should all match i.e. 
libvirt-spice-direct-consoles","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"41111617140e70d9bd6d444ce28edb3dba63cd88","unresolved":true,"context_lines":[{"line_number":159,"context_line":"should not be difficult for deployers to support as this table should not be"},{"line_number":160,"context_line":"particularly large given authentication tokens already expire."},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"REST API impact"},{"line_number":163,"context_line":"---------------"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"This specification adds a new console type, \"spice-direct\", which provides"}],"source_content_type":"text/x-rst","patch_set":11,"id":"37b5c406_011d766c","line":162,"updated":"2024-07-18 13:16:39.000000000","message":"so we chated on irc about the neeed to make on eaddtion schema change to add the tls_port to /os-console-auth-tokens\n\ni think that is the only think missign to move forward with this spec","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a03624548db0fa03f23865ec88a2736820ac07f4","unresolved":false,"context_lines":[{"line_number":159,"context_line":"should not be difficult for deployers to support as this table should not be"},{"line_number":160,"context_line":"particularly large given authentication tokens already expire."},{"line_number":161,"context_line":""},{"line_number":162,"context_line":"REST API impact"},{"line_number":163,"context_line":"---------------"},{"line_number":164,"context_line":""},{"line_number":165,"context_line":"This specification adds a new console type, \"spice-direct\", which 
provides"}],"source_content_type":"text/x-rst","patch_set":11,"id":"499a25a0_e2dbf9e2","line":162,"in_reply_to":"37b5c406_011d766c","updated":"2024-07-18 13:44:05.000000000","message":"Done","commit_id":"c7fb18f1cb427ff0e02ba2327e8fbd8802fe36fd"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"a03624548db0fa03f23865ec88a2736820ac07f4","unresolved":false,"context_lines":[{"line_number":225,"context_line":""},{"line_number":226,"context_line":"The response from `/os-console-auth-tokens/` also needs to be tweaked to return"},{"line_number":227,"context_line":"a TLS port if one is configured for the console, which will require a response"},{"line_number":228,"context_line":"schema change."},{"line_number":229,"context_line":""},{"line_number":230,"context_line":"Security impact"},{"line_number":231,"context_line":"---------------"}],"source_content_type":"text/x-rst","patch_set":12,"id":"474a7b9c_4d0bcd53","line":228,"updated":"2024-07-18 13:44:05.000000000","message":"+1","commit_id":"0b8e1cdc39c22788cd6059f48b6221645afe7696"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"aab6a5d4a7d882969c6cae5047ec9ea83e662591","unresolved":true,"context_lines":[{"line_number":262,"context_line":""},{"line_number":263,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"* `spice.kerbside_base_url`: defaults to an example URL which wouldn\u0027t actually"},{"line_number":266,"context_line":"  work for a non-trivial installation (just as the HTML5 transcoding proxy"},{"line_number":267,"context_line":"  does). 
This is the base URL for the Kerbside URLs handed out by Nova."},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"21ba6df9_2aa8e82b","line":265,"range":{"start_line":265,"start_character":9,"end_line":265,"end_character":26},"updated":"2024-07-18 14:46:46.000000000","message":"I\u0027m not fan of holding specs on naming things, but I\u0027d prefer if we could leave mentions of Kerbside out of nova. Could you please change it to `spice.base_url` ?","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"5372ef9a67e2ded3961b4dee1250981c5d1a9013","unresolved":true,"context_lines":[{"line_number":262,"context_line":""},{"line_number":263,"context_line":"The following configuration options are added by the proposed changes:"},{"line_number":264,"context_line":""},{"line_number":265,"context_line":"* `spice.kerbside_base_url`: defaults to an example URL which wouldn\u0027t actually"},{"line_number":266,"context_line":"  work for a non-trivial installation (just as the HTML5 transcoding proxy"},{"line_number":267,"context_line":"  does). 
This is the base URL for the Kerbside URLs handed out by Nova."},{"line_number":268,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"8bd27c96_78a5fa01","line":265,"range":{"start_line":265,"start_character":9,"end_line":265,"end_character":26},"in_reply_to":"21ba6df9_2aa8e82b","updated":"2024-07-18 14:55:05.000000000","message":"this name is chosen because we areadly have a `spice.html5proxy_base_url` and we ant to be able to have both supproted at the same time.\n\nso `spice.base_url` is intentionally not proposed here to avoid confution\n\nif you dont want to have kerbside in the name then i woudl suggest\n\n`spice.direct_base_url","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"aab6a5d4a7d882969c6cae5047ec9ea83e662591","unresolved":true,"context_lines":[{"line_number":340,"context_line":"Testing graphical user interfaces in the gate is hard. However, a test for the"},{"line_number":341,"context_line":"API microversion will be added, and manual testing of the console functionality"},{"line_number":342,"context_line":"has occurred on the prototype and will be redone as the patches land."},{"line_number":343,"context_line":""},{"line_number":344,"context_line":"Documentation Impact"},{"line_number":345,"context_line":"\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d"},{"line_number":346,"context_line":""}],"source_content_type":"text/x-rst","patch_set":13,"id":"2c351108_f5b74a8a","line":343,"updated":"2024-07-18 14:46:46.000000000","message":"could you maybe create a FakeExternalSpiceRemote object in the functional tests that would just accept the call and return what\u0027s expected so we could add functional tests that wouldn\u0027t depend our CI on something external ?","commit_id":"19e99bfaaf85f0984ebddcf8ad39419cd6875910"}]}
