Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1063236 - [RFE] Allow installation of novnc on a different host than engine
Summary: [RFE] Allow installation of novnc on a different host than engine
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-installer
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
: 3.6.0
Assignee: Simone Tiraboschi
QA Contact:
Whiteboard: integration
Depends On:
Blocks: 1080992
TreeView+ depends on / blocked
Reported: 2014-02-10 10:44 UTC by Sven Kieske
Modified: 2014-08-08 11:44 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed: 2014-08-08 11:44:48 UTC
oVirt Team: ---

Attachments (Terms of Use)

Description Sven Kieske 2014-02-10 10:44:50 UTC
Description of problem:

Currently, oVirt has a hard dependency on novnc on the host it is installed on.

Version-Release number of selected component (if applicable):
3.3.2, should also apply to current master and 3.4 branches

How reproducible:

Steps to Reproduce:
1. install ovirt-engine
2. watch dependy installation of novnc

Actual results:
novnc gets installed, even if you do not use it at all, or if you want to
install it on a separate host

Expected results:
unbundle novnc from ovirt-engine setup

Additional info:

First: not everyone uses or needs novnc at all, so it's a package that is not
needed for core functionality.
Second: You might just want to run the novnc software from a different host
which communicates with the ovirt hosts for security reasons, because the client
needs to reach the server directly where novnc is installed, this may be forbidden for security reasons.

So you can setup novnc on a different machine and generate tickets via api
in order to get access to the vms but you still have novnc installed on the
engine host for no reason.

What I did not try: setup ovirt-engine and then remove novnc package.
would this break ovirt-engine, as it expects novnc to be present?

Comment 1 Michal Skrivanek 2014-02-26 11:22:01 UTC
not sure I understand what do you mean by run novnc on other host.
The client is integrated into ovirt, hence it's a dependency. It runs at client's browser so it doesn't really matter much from where you're getting it.
You can use another instance/client set up elsewhere in non-integrated way, pretty much the same way as any other custom client, getting the ticket via API and launching it yourself.
Or is this about websocket proxy deployment?

Comment 2 Sven Kieske 2014-02-26 12:26:42 UTC
Well, as you said, you can run novnc on another client and getting the ticket via
Then you don't need the novnc on the engine-host.
Thus it would be cool to change it's installation from "integrated"
to "optional" at engine-setup (let the installer maybe ask if you want to use the novnc integration, maybe default to yes?)

this would somewhat lower the attack surface of the engine host.

Comment 3 Michal Skrivanek 2014-02-26 12:46:10 UTC
there's a default installer option for websocket proxy which is independent. But novnc itself is part of the product, if you don't want to use it it's not going to be run or anything…pretty much like all those hundreds of megabytes of jboss code:)

I'm not sure the setup code handles additional dependencies and can pull in an extra rpm based on engine-setup answer. Alon?
I still think the current integration is better and would only consider a case of platforms where novnc package is not available…to have a "configure --with-*"-like  option….however since it's just a bunch of javascript files I don't think there's actually any need.

Comment 4 Alon Bar-Lev 2014-02-26 13:01:29 UTC
We have a some unneeded packages as dependency to ease user experience.

Examples for comfort dependencies:


Example of configuration that may be split into different server with effort:


Not sure that in the case of the websockify we have a an issue as it is small and in most configuration we would like it up and running on engine machine.

The websocket support was initially written as separate module, and dependency was added to ovirt-engine in order to ease users to set it up:

Requires:       %{name}-websocket-proxy >= %{version}-%{release}

It can be removed, so only when installed setup will prompt for questions.

Comment 5 Michal Skrivanek 2014-04-03 11:52:14 UTC
I don't think it's worth the effort. Indeed it's very small.

Comment 6 Alon Bar-Lev 2014-04-03 11:55:00 UTC

We want to have this. As soon as we split dwh/reports to different host, this will be possible as well.

Should be on queue... so won't be left out.


Comment 7 Michal Skrivanek 2014-05-07 06:50:29 UTC
@Alon, not that I mind, but what is it good for?
@Simone, what and where is POSTed?

Comment 8 Sandro Bonazzola 2014-05-07 06:52:22 UTC
@Michal added missing reference to the gerrit patch

Comment 9 Alon Bar-Lev 2014-05-07 07:05:52 UTC
(In reply to Michal Skrivanek from comment #7)
> @Alon, not that I mind, but what is it good for?

As I wrote in gerrit, this work should be done after the engine setup rework is done to make the engine optional properly, then we can allow installing th websocket proxy on its own. I think is premature at this point.

Comment 10 Michal Skrivanek 2014-05-07 08:37:22 UTC
(In reply to Sandro Bonazzola from comment #8)
IIUC the patch is about the websocket-proxy(which makes sense), whereas this bug is about the novnc client code (the actual .js stuff, which is IMHO useless)

Comment 11 Simone Tiraboschi 2014-05-07 09:27:42 UTC
Hi Michal,
probably the bug description it's a bit misleading.

> because the client
> needs to reach the server directly where novnc is installed, this may be
> forbidden for security reasons.

I try to read it this way:
noVNC is a browser based VNC client implemented using HTML5 WebSockets and as you said it's coded in JS.
So what Sven calls novnc client is the the real novnc and in my opinion you don't need additional RPM for that cause it's simply composed by some js already packed in the portal webapp.

What Sven calls novnc server it's instead what we call WebSocketProxy.

WebSocketProxy acts as proxy between the HTML5 WebSocket world and the VNC world cause the VNC server embedded in qemu on the managed hosts, as far I know, doesn't support websockets natively.

So we need to add a proxy that connects to the VNC server embedded on qemu on the managed host exposing them via HTML5 WebSocket for the novnc clients in the browser.

Until today the WebSocketProxy should be installed on the same machine that runs the ovirt engine.
Sven is saying that an user could prefer to avoid to expose the engine machine to outside world but the noVNC clients still needs to reach the WebSocketProxy and so he is proposing to let the user install the WebSocketProxy on a different host for security reason and is exactly what my patch addresses.

Comment 12 Sven Kieske 2014-05-07 13:10:42 UTC
1. novnc is required by webadmin if you use webadmin with novnc.
2. If you use webadmin with e.g. spice or traditional vnc client you do not need novnc.
3.If you don't use webadmin, you don't need novnc on ovirt-engine host.

it's just a (small) waste of bytes with possible security bugs

so for my use case: I'd like to use webadmin as little as possible
(I do just things there that can't be done via API atm).

The optimal case would be to not even need to install webadmin, just the REST api
to the DB :)

I hope I could make my point more clear now?

I hope I can achieve this goal in 3.5 or 3.6 when we got ovirt.js and full rest
support. maybe than you can even delete the hard dependency for webadmin? :)

Comment 13 Alon Bar-Lev 2014-05-07 13:18:42 UTC
(In reply to Sven Kieske from comment #12)
> Conclusion:
> it's just a (small) waste of bytes with possible security bugs

1. very small compare to our other infra.

2. security level of such product is determined by the server side components not the client side components, so novnc artifacts cannot effect the security level of ovirt-engine.

Comment 14 Michal Skrivanek 2014-05-12 12:32:52 UTC
(In reply to Simone Tiraboschi from comment #11)
Simone, yes, that's exactly my point, that's about WebSocket Proxy, not about the .js files which are executed in client's context. IIUC that's not what you're working on in 3.5, right? 

@Sven: "so for my use case: I'd like to use webadmin as little as possible"
compared to the megabytes of other stuff we have sitting on the disk it's not really relevant if there are some .js files there or not. No one is forcing you to run them. If you're asking for splitting webadmin, I'd suggest to use a dedicated bug for that

Comment 15 Simone Tiraboschi 2014-08-08 11:44:48 UTC
With oVirt 3.5 the websocket proxy could be installed on a separate host.

Note You need to log in before you can comment on or make changes to this bug.