fix(dashboard): gh #651 Fixed turbovnc version and template for local environment #56
Conversation
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
from
52de044 to
f43184f
Compare
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
from
f43184f to
7b35a7a
Compare
dashboard/Makefile
Outdated
| remote-dev clean-remote-dev: LOGIN_HOST := login.rc.fas.harvard.edu | ||
| remote-dev clean-remote-dev: APP_FOLDER := ./fasrc/dev/dashboard | ||
| remote-dev: TEMPLATE_URL := https://vdi.rc.fas.harvard.edu/pun/sys/dashboard/files/fs/opt/ood/ondemand/root/usr/share/gems/2.7/ondemand/2.0.12/gems/ood_core-0.17.1/lib/ood_core/batch_connect/templates |
There was a problem hiding this comment.
The way in which TEMPLATE_URL is specified is extremely fragile. This will break whenever minor upgrades to OOD are performed.
You could probe for the location of this file. It would be easy over SSH, but it will be a little tricky using curl to interact with the file browser.
If that does not seem feasible, then please update the Sid2 Dependencies page, section on Open OnDemand to specify that these variables need to be updated whenever the version of Open OnDemand changes in Remote Dev Cannon / Remote Dev FASSE.
There was a problem hiding this comment.
I cannot think any other way. I have added a check to make sure there is a valid template file coming back from the server. But with this approach we will need to update the Makefile on every OOD update.
As the actual templates will change less often, not sure it will be less troublesome to change the approach and have a copy of the files in the code base and copy the right version with Make.
There was a problem hiding this comment.
I like that you added a validation check, but I'd like to think about this a little more. How can we avoid introducing this troublesome and potentially unnecessary effort of multiple password entries and updating URL paths?
The problem we are trying to solve is to keep the turbovnc.rb and kvm.rb files from the default dashboard app in sync with the same files in the Sid dashboard app. Is there another opportunity for us to do so, other than at deployment time?
What about at runtime? Would it be possible for the Sid dashboard app itself to check the local filesystem to determine if the files differ, and raise a warning if so? This implementation would also address #658.
There was a problem hiding this comment.
We decided that if we do #658 first (to change the puppet manifest so that it deploys a copy of the turbovnc.rb and kvm.rb files directly in to the Sid app installation dir), then we will be able to access these files at a fixed path from the Cannon Staging and FASSE Staging servers. This will make this implementation of deploying the files to remote dev at build time more resilient.
dashboard/Makefile
Outdated
| @echo "You need to be connected to the VPN" | ||
| @read -p "OOD password to copy templates:" ood_password; \ | ||
| echo "Downloading: $(TEMPLATE_URL)/$(TURBOVNC_TEMPLATE)"; \ | ||
| curl -kL $(TEMPLATE_URL)/$(TURBOVNC_TEMPLATE) --user $(REMOTE_USERNAME):$$ood_password -o $(TEMPLATE_LOCATION)/$(TURBOVNC_TEMPLATE) ; \ |
There was a problem hiding this comment.
- Do not use the
-koption to curl; it is a synonym for--insecure. We want to ensure that this connection is encrypted and verified since we will be sending a[n admin] password. - Do not pass the user password as a command-line parameter. The curl manpage itself advises against this, since it will be visible in plaintext in the process table. Instead, just omit the password and curl will prompt for it.
- You can add the
-sSoptions to curl to suppress status output and only output errors.
dashboard/Makefile
Outdated
| echo "Downloading: $(TEMPLATE_URL)/$(TURBOVNC_TEMPLATE)"; \ | ||
| curl -kL $(TEMPLATE_URL)/$(TURBOVNC_TEMPLATE) --user $(REMOTE_USERNAME):$$ood_password -o $(TEMPLATE_LOCATION)/$(TURBOVNC_TEMPLATE) ; \ | ||
| echo "Downloading: $(TEMPLATE_URL)/$(KVM_TEMPLATE)"; \ | ||
| curl -kL $(TEMPLATE_URL)/$(KVM_TEMPLATE) --user $(REMOTE_USERNAME):$$ood_password -o $(TEMPLATE_LOCATION)/$(KVM_TEMPLATE) ; \ |
There was a problem hiding this comment.
You can avoid having to prompt again for a password by storing the cookies from the first curl session and loading them in the second curl session. If you do so, be sure to store the file in a secure location with secure permissions, and end the session with a Logout and remove the cookie jar file. See e.g. https://stackoverflow.com/questions/12752555/sessions-with-curl
There was a problem hiding this comment.
OOD uses basic auth, this requires an specific Authorization header.
There are no auth cookies being set in the response.
I tested the examples in stackoverflow, just in case, but they do not work for OOD.
There was a problem hiding this comment.
Yes, you are right, we are not yet using OIDC in production. Even if there were session cookies, we would still need to send the Authorization header for HTTP Basic auth. I think for now you will just need to prompt for the password multiple times, since it is not secure to put in in plaintext into the process table, and it would be possibly even less secure to read it plaintext from a file.
dashboard/README.md
Outdated
| @@ -60,15 +60,21 @@ Docker images are used to create the local development environment. Information | |||
|
|
|||
| - Run `make down` | |||
|
|
|||
| ## Deploying to remote development (your FASRC account) | |||
| ## Deploying to remote development (your FASRC/FASSE account) | |||
| ### Cannon | |||
|
|
|||
| - Run `make remote-dev`. `make remote-dev` builds all required OOD/Ruby libs locally and exports built artifacts to FASRC. This task will prompt you for your FASRC SSH credentials (password and pin) twice as it creates/validates the pre-requisite directory structure as setup in your home directory. | |||
There was a problem hiding this comment.
| - Run `make remote-dev`. `make remote-dev` builds all required OOD/Ruby libs locally and exports built artifacts to FASRC. This task will prompt you for your FASRC SSH credentials (password and pin) twice as it creates/validates the pre-requisite directory structure as setup in your home directory. | |
| - Run `make remote-dev`. `make remote-dev` builds all required OOD/Ruby libs locally and exports built artifacts to FASRC. This task will prompt you for your FASRC credentials (password and pin) more than once as it retrieves files, creates/validates the pre-requisite directory structure, and deploys the app to your home directory. |
dashboard/README.md
Outdated
|
|
||
| - Run `make remote-dev`. `make remote-dev` builds all required OOD/Ruby libs locally and exports built artifacts to FASRC. This task will prompt you for your FASRC SSH credentials (password and pin) twice as it creates/validates the pre-requisite directory structure as setup in your home directory. | ||
|
|
||
| - Once completed, visit: | ||
|
|
||
| https://vdi.rc.fas.harvard.edu | ||
|
|
||
| and go through the same Validation process as for the development environment. | ||
| ### FASSE | ||
| - Run `make remote-fasse`. `make remote-fasse` builds as before and deploys to FASSE. This task will prompt you for your FASSE SSH credentials (password and pin) twice as it creates/validates the pre-requisite directory structure as setup in your home directory. |
There was a problem hiding this comment.
| - Run `make remote-fasse`. `make remote-fasse` builds as before and deploys to FASSE. This task will prompt you for your FASSE SSH credentials (password and pin) twice as it creates/validates the pre-requisite directory structure as setup in your home directory. | |
| - Run `make remote-fasse`. `make remote-fasse` builds as before and deploys to FASSE. This task will prompt you for your FASRC credentials (password and pin) more than once as it retrieves files, creates/validates the pre-requisite directory structure, and deploys the app to your home directory. |
There was a problem hiding this comment.
If you are accepting this suggestion, you can click the "Commit suggestion" button.
There was a problem hiding this comment.
Yes, I am.
sorry, I thought that I had add it to my new commit.
I have reset my commit and made the update into a new one, just to push all changes under a single commit.
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
from
7b35a7a to
9633e02
Compare
|
I have made all the changes. This is ready for review again |
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
from
9633e02 to
4472ca5
Compare
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
2 times, most recently
from
1da512d to
6d0be9c
Compare
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
2 times, most recently
from
ab1d9d4 to
44705ac
Compare
dashboard/download_and_check.sh
Outdated
|
|
||
| FILE_NAME=$(basename "$FILE_LOCATION") | ||
|
|
||
| NEW_VERSION_FILE_LOCATION=$(mktemp /tmp/dashboard_template.XXXXXX) |
There was a problem hiding this comment.
- Please use
${TMPDIR:-/tmp}instead oftmp - Please check the return value of
mktempto ensure it succeeded
These two checks will help to prevent symlink attacks on multi-user systems with a shared /tmp.
There was a problem hiding this comment.
Check added. PR ready for review.
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
2 times, most recently
from
2557dcf to
d25e457
Compare
abujeda
force-pushed
the
651-fix-turbovnc-local
branch
from
d25e457 to
593ae2c
Compare
New Docker image with turbovnc version already built and pushed