OpenNebula – Securing Sunstone’s NoVNC connections with Secure Websocket and your own Certificate Authority

When dealing with NoVNC connections, I’ve faced some problems as a newbie, so today I’m sharing with you this post that may help you.

If you’re already using SSL to secure Sunstone’s access you could get an error when opening a VNC window: “VNC Connection in progress”. It’s quite possible that your browser is silently blocking the VNC connection using websockets. Reason? You’re using an https connection with Sunstone, but you’re trying to open an unencrypted websocket connection.

This is easily solved: just edit the following lines in the # UI Settings section of your /etc/one/sunstone-server.conf configuration file:

:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/one/certs/one-tornasol.crt
:vnc_proxy_key: /etc/one/certs/one-tornasol.key

We’ve just activated the secure websockets (wss) option and told Sunstone where to find the SSL certificate and the key (if it’s not already included in the cert). Now, just restart your Sunstone server.

There’s another issue with VNC and SSL when using self-signed certificates. When running your own lab or using a development environment, maybe you don’t have an SSL certificate signed by a real CA and you opt to use self-signed certificates, which are quick and free to use… but this has some drawbacks.

Trying to protect you from security threats, your Internet browser could have problems with secure websockets and self-signed certificates, and messages like “VNC Disconnect timeout” and “VNC Server disconnected (code: 1006)” could show.

In my labs I just use the openssl command (available in CentOS/Redhat and Debian/Ubuntu in the openssl package) to generate my own Certificate Authority certificate and sign the SSL certificates.

First we’ll create the /etc/one/certs directory in my Frontend and set the right owner:

mkdir -p /etc/one/certs
chown -R oneadmin:oneadmin /etc/one/certs

We’ll generate an RSA key with 2048 bits for the CA:

openssl genrsa -out /etc/one/certs/oneCA.key 2048

Now, we’ll produce the CA certificate using the key we’ve just created, and we’ll have to answer some questions to identify our CA (e.g. my CA will be named ArtemIT Labs CA). Note that this CA certificate will be valid for 3650 days, 10 years!…

openssl req -x509 -new -nodes -key /etc/one/certs/oneCA.key -days 3650 -out /etc/one/certs/oneCA.pem

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Valladolid
Locality Name (eg, city) [Default City]:Valladolid
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ArtemIT Labs CA
Email Address []:

Now, we already have a CA certificate and a key to sign SSL certificates. Time to generate the SSL certificate for WSS connections.

First, we’ll create the key for the Frontend, then we’ll generate the certificate answering some questions. In this example my Frontend server is called tornasol.artemit.local and I’ve set no challenge password for the certificate.

openssl genrsa -out /etc/one/certs/one-tornasol.key 2048


openssl req -new -key /etc/one/certs/one-tornasol.key -days 3650 -out /etc/one/certs/one-tornasol.csr

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ES
State or Province Name (full name) []:Valladolid
Locality Name (eg, city) [Default City]:Valladolid
Organization Name (eg, company) [Default Company Ltd]:ArtemIT Labs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:tornasol.artemit.local
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

If everything is fine you’ll have the certs and keys under /etc/one/certs.
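
The steps above end with a CSR, while :vnc_proxy_cert: points at one-tornasol.crt, a file that only exists once the CA has signed that request. The following script is an added example (not from the original post): it repeats the CA, key and CSR steps non-interactively with -subj, signs the CSR with the CA, and adds a subjectAltName because current browsers match the hostname against it rather than the Common Name. Assumptions: the function names, the one-tornasol.ext file, the 365-day lifetime and the scratch CERT_DIR are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example: sign the frontend CSR with the lab CA, then check the result.
set -eu

FQDN="tornasol.artemit.local"   # frontend name used in the post

# make_lab_pki DIR: non-interactive form of the post's CA, key and CSR steps.
make_lab_pki() {
    dir=$1
    openssl genrsa -out "$dir/oneCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/oneCA.key" -days 3650 \
        -subj "/C=ES/O=ArtemIT Labs/CN=ArtemIT Labs CA" -out "$dir/oneCA.pem"
    openssl genrsa -out "$dir/one-tornasol.key" 2048 2>/dev/null
    openssl req -new -key "$dir/one-tornasol.key" \
        -subj "/C=ES/O=ArtemIT Labs/CN=$FQDN" -out "$dir/one-tornasol.csr"
}

# sign_frontend_cert DIR: the CA signs the CSR and adds the subjectAltName.
sign_frontend_cert() {
    dir=$1
    printf '%s\n' "subjectAltName=DNS:$FQDN" "basicConstraints=CA:FALSE" \
        "extendedKeyUsage=serverAuth" > "$dir/one-tornasol.ext"
    openssl x509 -req -in "$dir/one-tornasol.csr" -sha256 -days 365 \
        -CA "$dir/oneCA.pem" -CAkey "$dir/oneCA.key" -CAcreateserial \
        -extfile "$dir/one-tornasol.ext" -out "$dir/one-tornasol.crt"
    chmod 600 "$dir/oneCA.key" "$dir/one-tornasol.key"   # keys private to owner
}

# check_frontend_cert DIR: chain verifies against the CA and the SAN is present.
check_frontend_cert() {
    dir=$1
    openssl verify -CAfile "$dir/oneCA.pem" "$dir/one-tornasol.crt" >/dev/null &&
        openssl x509 -in "$dir/one-tornasol.crt" -noout -text |
            grep -qF "DNS:$FQDN"
}

# Assumption: CERT_DIR is a scratch directory here; the post uses /etc/one/certs.
CERT_DIR=${CERT_DIR:-$(mktemp -d)}
make_lab_pki "$CERT_DIR"
sign_frontend_cert "$CERT_DIR"
check_frontend_cert "$CERT_DIR" && echo "certificate OK in $CERT_DIR"
```

The CA key (oneCA.key) can sign a certificate for any hostname that machines trusting oneCA.pem will accept, so it does not need to stay on the frontend once the server certificate has been issued.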

Now we’ll copy the oneCA.pem file to the computers where I’ll use my browser to open the Sunstone GUI.

In Firefox we’ll import the oneCA.pem (the CA certificate file) using Preferences -> Advanced -> Certificates -> Authorities tab checking all the options as shown in this image. If using Chrome under Linux it’s the same process when importing your CA cert.

trust_ca_firefox

If using IE or Chrome under Windows, change the extension from pem to crt, double-click the certificate and add the Certificate to the Trusted Root Certification Authorities storage. Some warnings will show, just accept them.

Once we trust our CA certificate, you can open your encrypted NoVNC windows.

Free, quick and secure for your lab environment, but remember: don’t do this in a production environment!

Cheers!

Barcelona OpenNebula User Group

As you know, the OpenNebula community is an important pillar of the project. Through the distribution lists and forums, the community can ask questions, make requests, or contribute new ideas to the developers. This information is very useful and can help other users or lead to new features.

However, the OpenNebula project has thought about User Groups too. The OpenNebula User Groups are local communities where users can discuss or share information and experiences in a more direct way across ‘town’, spreading the word locally and bringing together people who want to collaborate with the project.

Also, remember that this year (2015) the OpenNebula annual conference travels from Berlin to Barcelona, the ‘smartcity’ that will be the meeting point where developers, users, administrators, researchers, … can share experiences, case studies, etc.

For these reasons, some cloudadmins of Barcelona area have decided to create the Barcelona OpenNebula User Group. This group aims to be a small-scale community where we can discuss and find common objectives that support the project. We have created a website and a Google group where we will inform about first steps and work together in common goals.

In addition, as part of the ONEBCN user group’s official presentation tour, we will be at sudoers on the 5th of May, a sysadmins group that meets regularly at the North Campus of the UPC.

It is a totally open group, so you are welcome!  First members of the Group:

Oriol Martí, Gabriel Verdejo, Angel Galindo Muñoz, Xavier Peralta Ramos, Jordi Guijarro, Juan José Fuentes, Miguel Ángel Flores, Alex Vaqué

Some interesting links:

Cloudadmins Community Blog – http://www.cloudadmins.org

OneBCN Google Group – https://groups.google.com/forum/embed/?place=forum%2Fopennebula-barcelona-usergroup

Sudoers Barcelona – http://sudoers-barcelona.wikia.com/wiki/Sudoers_Barcelona_Wiki

Videos from OpenNebulaConf 2014

Last week we celebrated the OpenNebulaConf 2014, an event where the community comes together to share their experiences and new ideas around OpenNebula. If you were there, go ahead and take a look at the photos in the conference page to check if we caught a flattering pic of you.

The OpenNebulaConf 2014 was a great event, and certainly our speakers deserve most of the credit for it. Thank you for sharing your expertise!

If you missed the conference, now you have a chance to listen to the talks in our YouTube channel, and download the slides from the slideshare account. Enjoy.

 

Technical Notes from OpenNebulaConf 2014

One of the best things about getting together for the conference is that our community always comes with plenty of new ideas and useful feedback to shape the project’s roadmap.

This year’s OpenNebulaConf was full of interesting talks with lots of thoughtful feedback, but we also had many productive discussions in the hacking session, the coffee breaks, and the evening get-togethers.

In this post we will try to summarize the main requests we gathered during the OpenNebulaConf. Feel free to join the discussion in the development portal or in the mailing lists.

And remember, you are always welcome to add new tickets, don’t be shy! We appreciate it when you open new requests, it’s always better to develop with real needs and use cases in mind.

Finally, I would like to take this opportunity to thank all of you for showing up in Berlin and making the conference awesome. See you next year!

 

Resource Management


New Integrations


Quotas & Accounting


Administration


Authentication & Authorization


Sunstone


First day of OpenNebula Conf

…or the day before the Conf – depending on how you count.

We started the day early to get from the NETWAYS headquarter in Nuremberg to the conference hotel Berlin. Our friends from OpenNebula were already there and we could make all preparations for the workshops very smoothly. There was even enough time to take a snack.
Exactly at 2:00 pm (just like expected when dealing with pettifogging Germans) the workshops started. The next thing we looked forward to is dinner. :)

The day after, the actual conference will be officially opened with Ignacio M. Llorente’s kick-off “State and Future of OpenNebula”. We also look forward to David Lutterkort talking about what an enchanting match Puppet and OpenNebula are.

Another great keynote will be delivered by Carlo Daffara, showing us why disaster recovery is really important and how can you take care of it using OpenNebula.

The early afternoon will then be filled with lightning talks curated by Daniel Molina until it is time for lunch. These talks include presentations about Docker and OpenNebula, a very interesting topic approached differently by OpenNebula users.

Late afternoon (or pre evening event time slot, as we call it) will start with another highlight: Armin Deliomini will tell us how Runtastic switched from commercial products to Open Source only. Now, about one year later, he will give us an insight to the Status Quo where the private infrastructure for more than 40 000 000 registered users for Runtastic is implemented.

Also, the talks of Jose Angel Diaz (CENATIC), Jordi Guijarro (CSUC), Tino Vazquez (OpenNebula) and many more will sweeten the time until the evening event finally starts. This year we will be at the restaurant “Alte Meierei”.

And then we just have to wake up once again until the next Conf day, with even more highlights, starts. :)

Last Few Places Available for OpenNebulaConf 2014!

OpenNebula Conference 2014

This year’s edition of the international OpenNebula Conference is packed with an amazing agenda. If you want to learn about Cloud Computing in general, and OpenNebula in particular, or if you are familiar with the software or even an active user or contributor to the project, willing to hear and learn how other members of the community bend OpenNebula for their infrastructure needs, this is the place to be!

Want to know what to expect? Last year’s conference was an absolute success, with fruitful presentations from long-time users of OpenNebula, and with various use cases that, we can confess, largely surprised the OpenNebula team for their artfulness. It is always a pleasure to see how people are using OpenNebula! But do not take our word for it; rather, take a look at the recorded video sessions of all talks of 2013, skim through the slides of the different keynotes and talks, and take a peek at the various pictures taken during the conference and the evening event.

OpenNebulaConf 2014 is shaping even better this year. Take a look at the highlights from the final agenda:

This edition of the conference is just around the corner, happening next 2-4 December in Berlin, Germany. If you are interested in attending the conference, we entreat you to register swiftly, since seats are limited and only a few are left.

See you in Berlin!

 

OpenNebula at CentOS Paris Dojo

We are happy to announce that OpenNebula will be at the upcoming CentOS Dojo Paris, France, which will take place on August 25th.

If you are interested in learning how to get a fully operational private cloud under CentOS you should definitely drop by this event. It’s going to be fun and exciting!

Here at OpenNebula we really enjoy CentOS Dojos; it’s a wonderful occasion to meet with the local group of sysadmins, talk about experiences and learn a lot about how to really get things done.

Registrations run through EventBrite. More info at the Dojo page.

CloudCatalyst Survey about Cloud Computing Trends

The EU CloudCatalyst initiative invites you to participate in a survey about cloud computing trends. You can influence the CloudCatalyst project by collaborating on the identification of existing challenges for Cloud expansion as well as on the definition of new market opportunities. The survey will produce detailed information about the main barriers to cloud adoption in order to help entrepreneurs, researchers, and software developers create value-added Cloud solutions and services.

To take the survey, click the link:

https://www.surveymonkey.com/s/3GHCM9K

The results of the survey will be shared (for free) with all the respondents.

Cloud Catalyst is an initiative funded by the European Commission that aims to provide useful tools to foster the adoption of Cloud Computing in Europe. CloudCatalyst will set up a cross-border advice and support service targeting two main groups:

  1. Software developers, researchers, start-ups, and other Cloud entrepreneurs interested in accelerating the development and deployment of Cloud Computing and internet services
  2. End-users from large industries, SMEs, and public entities interested in knowing how to benefit from the implementation of Cloud solutions.

On behalf of the CloudCatalyst Team,

Thank you in advance for your participation!

CloudCatalyst.eu

Aftermath of the TechDays in Florida and Bay Area

We have had a great time in OpenNebula Cloud TechDays of the past weeks:

We had the chance to share the new features in OpenNebula 4.6 and the upcoming releases with all the attendees and have them build a fully working private cloud in just a matter of hours. Cloud computing has never been this easy!

But that’s not everything: we had really interesting talks, ranging from PaaS solutions based on OpenNebula (Megam – Cloud orchestrator for OpenNebula), to open hardware initiatives which are a great match for OpenNebula (OCP Open Rack), to the renowned distributed object-store (Ceph for Cloud and Virtualization environments) and more use cases.

So a big thank you all, for coming and attending the event, for your great feedback and excitement.

And of course big thanks to the hosts: TransUnion|TLOxp and Hyve Solutions for their amazing hospitality, organization and making these events a success!
