CCI-MOC / esi

Elastic Secure Infrastructure project

Experiment with adapting nova serial console proxy code for use with Ironic #567

Closed tzumainn closed 2 months ago

tzumainn commented 3 months ago

Nova has a serial console proxy that works with its baremetal based instances. We should model our own after it. Users will use the proxy's API, which will instantiate the Ironic serial console and create a secured connection for the user.

tzumainn commented 2 months ago

@larsks you were right - an alternative client worked much better at displaying the websocket-proxied serial console. There are occasional errors, but by and large it seems to work.

I'm now thinking that instead of perfecting that, I should get started on formally implementing this, with the idea of getting it deployed in production in parallel with the current insecure serial console deployment. That way users can try both - something that I think will be important for the unikernel devs whose scripts depend on the serial console output. And any iteration needed on the client can be done then.

Thoughts?

larsks commented 2 months ago

with the idea of getting it deployed in production in parallel with the current insecure serial console deployment

It makes sense to hold off on disabling the existing serial console feature until we have a working replacement. Maybe to reduce the attack surface we should set up a cron job that disables the serial console on all systems every 24 hours, so that people don't inadvertently leave a port open forever?
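
One way to implement the nightly sweep suggested above, as an added example that is not esi's own code and not from either commenter. It assumes the python-ironicclient OpenStack CLI plugin is installed, that credentials come from the environment (e.g. OS_CLOUD pointing at a clouds.yaml entry), and that `openstack baremetal node list --fields uuid console_enabled -f value` prints one "<uuid> True|False" pair per line in that column order; the script name and crontab line are illustrative.

```shell
#!/bin/sh
# console-sweep.sh (added example, not esi code): turn the Ironic serial
# console back off on every node where it is still enabled, so a console
# nobody remembered to close does not stay reachable indefinitely.
# Assumed crontab entry (runs daily at 04:00):
#   0 4 * * * OS_CLOUD=esi /usr/local/bin/console-sweep.sh
set -eu

# Filter the node listing (output of
#   openstack baremetal node list --fields uuid console_enabled -f value)
# down to the UUIDs whose console is currently enabled.
nodes_with_console_enabled() {
    awk '$2 == "True" { print $1 }'
}

# Disable the console on each UUID read from stdin, one per line. A failure
# on one node is reported but does not abort the sweep of the others. The
# client command can be overridden through OPENSTACK (e.g. with an echoing
# stub for a dry run).
disable_consoles() {
    while read -r uuid; do
        "${OPENSTACK:-openstack}" baremetal node console disable "$uuid" \
            || echo "console disable failed for node $uuid" >&2
    done
}

# Fetch the live node list and sweep it. Skipped with a warning when the
# client is not on PATH, so the functions above can still be sourced and
# tested without an OpenStack deployment.
if command -v "${OPENSTACK:-openstack}" >/dev/null 2>&1; then
    "${OPENSTACK:-openstack}" baremetal node list \
        --fields uuid console_enabled -f value \
        | nodes_with_console_enabled \
        | disable_consoles
else
    echo "$0: ${OPENSTACK:-openstack} client not found; nothing swept" >&2
fi
```

Disabling the console in Ironic is asynchronous, so a node listed as enabled right after the sweep is not necessarily a failure; check the node's console state again after a short delay before treating it as one.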

tzumainn commented 2 months ago

I'm going to turn this into an investigation task, put some details here, and create two followup issues to develop the replacement more formally and to do as you suggest. Thanks!

tzumainn commented 2 months ago

I've played around with the nova serial console code. Much of it can be pared away since it either deals with nova instances or is code intended to deal with multiple console types (which is something we don't need to worry about).

The upshot is that it actually seems pretty simple to port the remaining code into esi-leap, and create a new command that starts up this proxy web server. Afterwards, the websocat tool seems to do a good job of providing serial console access close-ish to par with what we have now.

tzumainn commented 2 months ago

Followups:

https://github.com/CCI-MOC/esi/issues/584
https://github.com/CCI-MOC/esi/issues/585