啟用spice(Q版) · OpenStack生產環境實踐中的常見問題

### 背景 OpenStack默認無法通過spice客戶端直連，但實際上運行的qemu實例啟用了spice，用以支持spice-html5。通過查看運行的qemu實例進程信息，就能看到如下實例的虛擬機使用的spice端口為6001 ``` /usr/libexec/qemu\-kvm -name guest=instance-000007c3 -vnc 0.0.0.0:100 -k en-us -spice port=6001,addr=0.0.0.0,disable-ticketing,seamless-migration=on ``` 所以，通過客戶端連接虛擬機理論上是可行的。 ### 操作步驟： #### 修改計算節點防火墻通過防火墻規則允許spice的端口范圍，可從5900開始開放一個范圍，允許外界訪問。此時通過spice客戶端輸入地址 spice://ip:port 就可以連接spice客戶端了。 #### 連接安全 spice直連沒有密碼，權限過大。qemu是支持spice設置密碼的, 通過虛擬機實例的配置文件可以看到 ``` <graphics type='spice' autoport='yes' listen='0.0.0.0' keymap='en-us'> <listen type='address' address='0.0.0.0'/> </graphics> ``` 但遺憾的是OpenStack創建虛擬機時并沒有接口可以設置password選項。要增加password選項，需要修改OpenStack源碼。需要修改兩個文件。 1. `nova/virt/libvirt/driver.py` 通過在創建虛擬機時設置元數據`spice_passwd`項，并在創建虛擬機時使用該項完成。需要修改`_guest_add_video_device`方法，關鍵代碼 ``` def _guest_add_video_device(guest, instance): # NB some versions of libvirt support both SPICE and VNC # at the same time. We're not trying to second guess which # those versions are. We'll just let libvirt report the # errors appropriately if the user enables both. add_video_driver = False if CONF.vnc.enabled and guest.virt_type not in ('lxc', 'uml'): graphics = vconfig.LibvirtConfigGuestGraphics() graphics.type = "vnc" if CONF.vnc.keymap: # TODO(stephenfin): There are some issues here that may # necessitate deprecating this option entirely in the future. # Refer to bug #1682020 for more information. graphics.keymap = CONF.vnc.keymap graphics.listen = CONF.vnc.server_listen guest.add_device(graphics) add_video_driver = True if CONF.spice.enabled and guest.virt_type not in ('lxc', 'uml', 'xen'): graphics = vconfig.LibvirtConfigGuestGraphics() graphics.type = "spice" if CONF.spice.keymap: # TODO(stephenfin): There are some issues here that may # necessitate deprecating this option entirely in the future. # Refer to bug #1682020 for more information. graphics.keymap = CONF.spice.keymap graphics.listen = CONF.spice.server_listen spice_passwd = instance.metadata.get('spice_passwd') if spice_passwd: graphics.passwd = spice_passwd guest.add_device(graphics) add_video_driver = True return add_video_driver ``` 2. `nova/virt/libvirt/config.py` 需要修改`LibvirtConfigGuestGraphics`，關鍵代碼 ``` class LibvirtConfigGuestGraphics(LibvirtConfigGuestDevice): def __init__(self, **kwargs): super(LibvirtConfigGuestGraphics, self).__init__(root_name="graphics", **kwargs) self.type = "vnc" self.autoport = True self.keymap = None self.listen = None self.passwd = None def format_dom(self): dev = super(LibvirtConfigGuestGraphics, self).format_dom() dev.set("type", self.type) if self.autoport: dev.set("autoport", "yes") else: dev.set("autoport", "no") if self.keymap: dev.set("keymap", self.keymap) if self.listen: dev.set("listen", self.listen) if self.passwd: dev.set("passwd", self.passwd) return dev ``` #### 擴展API，通過API獲取連接信息 1. 新增API，增加`nova/api/openstack/compute/server_connectinfo.py` ``` from webob import exc from nova.api.openstack import common from nova.api.openstack.compute.schemas import server_metadata from nova.api.openstack import wsgi from nova.api import validation from nova import compute from nova import exception from nova.i18n import _ from nova.compute import rpcapi as compute_rpcapi #ALIAS = 'os-server-connectinfo' #authorize = extensions.os_compute_authorizer(ALIAS) class ServerConnectinfoController(wsgi.Controller): """The server connect info API controller for the OpenStack API.""" def __init__(self, *args, **kwargs): self.compute_api = compute.API() self.compute_rpcapi = compute_rpcapi.ComputeAPI() self.handlers = {'vnc': self.compute_rpcapi.get_vnc_console, 'spice': self.compute_rpcapi.get_spice_console, 'rdp': self.compute_rpcapi.get_rdp_console, 'serial': self.compute_rpcapi.get_serial_console, 'mks': self.compute_rpcapi.get_mks_console} #super(ServerConnectinfoController, self).__init__() super(ServerConnectinfoController, self).__init__(*args, **kwargs) def _get_connect_info(self, context, server_id, body): instance = common.get_instance(self.compute_api, context, server_id) try: protocol = body['os-getServerConnectinfo']['protocol'] console_type = body['os-getServerConnectinfo']['type'] handler = self.handlers.get(protocol) connect_info = handler(context, instance=instance, console_type=console_type) except exception.InstanceNotFound: msg = _('Server does not exist') raise exc.HTTPNotFound(explanation=msg) return connect_info @wsgi.Controller.api_version("2.1", "2.5") @wsgi.expected_errors((404)) @wsgi.action('os-getServerConnectinfo') def index(self, req, id): """Returns the list of connectinfo for a given instance.""" context = req.environ['nova.context'] #authorize(context, action='index') return {'connectinfo': self._get_connect_info(context, id)} @wsgi.Controller.api_version("2.1", "2.5") @wsgi.expected_errors((404)) @wsgi.action('os-getServerConnectinfo') def create(self, req, id, body): """Return a single connectinfo item.""" context = req.environ['nova.context'] #authorize(context, action='create') data = self._get_connect_info(context, id, body) try: return {'connectinfo': data} except KeyError: msg = _("Connectinfo item was not found") raise exc.HTTPNotFound(explanation=msg) ``` 2. 在entry_points.txt中`nova/api/openstack/compute/routers.py`注冊API ``` server_connectinfo.ServerConnectinfoController, server_server_connectinfo_controller = functools.partial(_create_controller, server_connectinfo.ServerConnectinfoController, [], []) ```