shayne / vmproxy

A tsnet Tailscale proxy for VNC and libvirt virsh control over a VM
MIT License

Suggestion to proxy serial console from vm; basic HTML UI #2

Open gbraad opened 1 year ago

gbraad commented 1 year ago

I like the idea of this tool, as it makes it easy to expose a VM to anyone on a tailnet. However, while the idea of SSH to control the VM state is novel, it is probably a better idea to proxy the actual SSH of the host to the UI. Below is a quick mockup of a minimal interface that looks a lot like the one provided by Cockpit.

image

For example, the dropdown allows switching between VNC Console and an SSH terminal. Under the menu that popped out is an Expand [] button to allow the desktop/terminal to take over the whole area. The URL vmproxy/#terminal would automagically open an expanded terminal:

image

and similarly for #desktop.

Note: Migrate has no meaning here (copy/paste from the Cockpit UI), and Console is a placeholder for the vmname.

Also, this would mean the command line could be:

$ vmproxy <vmname> <IP address> <vnc session|:0> [--ssh]

With [--ssh] to allow SSH forwarding or not, and the VNC sessions defaulting to :0 for port 5900.

Note: --ssh should also register the node as it was run with setArgs.runSSH, and therefore allow the Dashboard to allow the javascript terminal.


Actually, in that case it becomes more of a generic machine-proxy tool, as VNC and SSH aren't only for a VM... so what about:

$ machineproxy <name> <IP address> <vnc session|:0> [--ssh] [--vm]

which only registers the Libvirt/virsh interaction when --vm is provided, and otherwise will just act as a proxy for a machine at a given IP address.

shayne commented 1 year ago

@gbraad, thanks for your interest in this project. It was a fun weekend hack. 😄

Regarding SSH: Were you thinking $ ssh <vmproxy>.my-tcd.ts.net would SSH into the guest? The VM guest will have its own IP address and may not be on the tailnet. If I understand your suggestion, you're saying we proxy SSH just like VNC?

I like your ideas; if given time, it'd be great to work on them. Feel free to send PRs. My only preference would be many smaller PRs vs. a few big ones! :)

gbraad commented 1 year ago

> If I understand your suggestion, you're saying we proxy SSH just like VNC?

Yes, as in that case the VM itself does not have to run the tailscaled daemon inside. It would also allow any machine to run as vmproxy myMac localhost --ssh and expose a shell outside of the sandbox issues.

I will look at what I can work on. Glad to know these ideas sound OK.

shayne commented 1 year ago

I was writing down a few thoughts I had.

For producing the SSH connection, I think there are a couple of gotchas.

The first is not knowing the IP address of the machine. If the VM has guest agent tools installed, we could get it from libvirt.

I've deployed this for a single VM, and other than the initial setup and potential recovery, its primary use is entering the LUKS password for encrypted disks at boot.

After setting up the VM, I installed Tailscale and accessed the system traditionally. There's a long tail of features that we'd chase trying to create a feature proxy when it's just as easy to reach for the VM once it's online.

gbraad commented 1 year ago

I am not sure how many people are actually going to use SSH to toggle the state of the VM either ;-). It would be friendlier to capture these by a simple http.HandleFunc("/vm/start", libvirtStart) and then use the SSH to proxy the VM's serial console, just like VNC can be exposed from libvirt directly.

This way you can handle the LUKS password from SSH.
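A state-changing endpoint such as the /vm/start handler suggested above should refuse non-POST requests and check who is calling before it touches libvirt. The following is an added example, not code from vmproxy or from this thread; guard, whoFunc, tryStart and the allowlist entry are hypothetical names and constructed values, and the libvirt call is a stub.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// whoFunc (hypothetical hook) resolves the caller's login, e.g. from the tailnet.
type whoFunc func(r *http.Request) (string, error)

// guard allows a state-changing VM action only for POST requests from
// callers on the allowlist; anything else is rejected before act runs.
func guard(who whoFunc, allowed map[string]bool, act func() error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost { // a GET must never change VM state
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "POST required", http.StatusMethodNotAllowed)
			return
		}
		login, err := who(r)
		if err != nil || !allowed[login] { // unknown or unlisted caller
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if err := act(); err != nil {
			http.Error(w, "action failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprintln(w, "started")
	}
}

// tryStart sends one constructed request through the guard and reports the
// HTTP status and whether the stubbed libvirtStart ran.
func tryStart(method, login string) (int, bool) {
	ran := false
	who := func(*http.Request) (string, error) { return login, nil } // constructed identity
	h := guard(who, map[string]bool{"admin@example.com": true}, func() error { ran = true; return nil })
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(method, "/vm/start", nil))
	return rec.Code, ran
}

func main() {
	fmt.Println(tryStart("GET", "admin@example.com"))  // 405 false
	fmt.Println(tryStart("POST", "guest@example.com")) // 403 false
	fmt.Println(tryStart("POST", "admin@example.com")) // 200 true
}
```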

shayne commented 1 year ago

I'd <3 if we could have an interactive console via SSH, that would be ideal. I did the SSH thing because it was a cool demo of attaching services to tsnet, and well, Charm is pretty crazy, right? I also punted on doing frontend work and/or modifying/embedding the VNC client.

gbraad commented 1 year ago

> Charm is pretty crazy, right?

LOL. So far only using Glow and already busy theming to get my theme served. (Necessary step to adopt Charm, right?)

I agree, it is a nice tech demo. SSH is very versatile. So, how to set the actual tag for the Tailscale dashboard to pick up using the tsconnect/JS terminal? Wasn't able to track this down easily.


I also thought about it, 'serial console' over SSH would make more sense as a recovery option and very specific, just like the exposed VNC to a VM use case.

shayne commented 1 year ago

Regarding the serial console, you're right. That's what I see this project as primarily helpful for. Set-up, recovery, and booting with encrypted disks.

As for the guest, I'd install Tailscale on it, and assuming it's up, I'd access it directly.

--

Regarding Tailscale SSH with tsnet, I'll have to look into it more.

gbraad commented 1 year ago

> Tailscale SSH with tsnet

Didn't have a lot of time, but guess it should be possible to use the Prefs on tsnet to toggle RunSSH. Although at the moment the tsnet interface does not allow you to set this directly: https://github.com/tailscale/tailscale/blob/bdc7a61c24fda0b1a788ac76e9f70f81a3f370b8/tsnet/tsnet.go#L546. It should have something like enableSSH or similarly for this to work.