KVM Support - blocked by Content Security Policy (Joseph Reynolds)

xiuzhi 1450335857 at qq.com
Sun Nov 4 13:10:50 AEDT 2018


Hi Joseph,
  Thanks for your suggestion. I can get the host screen now after modifying the  ngnix.conf .
Best,
Xiuzhi
Message: 1
Date: Fri, 2 Nov 2018 16:21:12 +0000
From: "Joseph Reynolds" <jrey at us.ibm.com>
To: openbmc at lists.ozlabs.org
Subject: Re: KVM Support - blocked by Content Security Policy
Message-ID:
	<OF544CEE71.9C43484A-ON00258339.0058B832-00258339.0059D50B at notes.na.collabserv.com>
	
Content-Type: text/plain; charset="us-ascii"

An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20181102/9a547a81/attachment-0001.html>
Message: 2
Date: Fri, 2 Nov 2018 11:14:51 +0800
From: "=?ISO-8859-1?B?eGl1emhp?=" <1450335857 at qq.com>
To: "=?ISO-8859-1?B?QXZpLkZpc2htYW4=?=" ,
"=?ISO-8859-1?B?S1dMSVU=?=" ,
"=?ISO-8859-1?B?RWRkaWUgSmFtZXM=?=" ,
"=?ISO-8859-1?B?VGFub3VzLCBFZA==?=" ,
"=?ISO-8859-1?B?b3BlbmJtYw==?=" 
Subject: Re:RE: Re:RE: KVM Support?
Message-ID: 
Content-Type: text/plain; charset="iso-8859-1"

Hi Avi ,Joseph,
I can't get the host screen after updating openbmc source to to latest version (Oct 31 commit 7baabe48d8a2a30857994f222925505750728e39).
The error of opening the webpage https//xxxx/#kvm is :
Refused to load the image 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAgAAAAHCAYAAAA1WQxeAAAAOklEQVQYV2P8////fwYoYGRkZAQxUcRAHJA4SB2yArgYTAdMAMRH1gA2ElkRlA03DW4nThMIuoGQLwCKQ0b4DNy9fwAAAABJRU5ErkJggg==' because it violates the following Content Security Policy directive: "default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback

Can you give me advice on how to modify the 0001-Implement-KVM-in-webui.patch ?
Best,
xiuzhi







Hi Avi ,Joseph,
I checked the patches for bmc side, the rest_dbus.py on bmc was not patched sucessfully.
The files on bmc are:
/run/initramfs/ro/usr/lib/python2.7 /site-packages/obmc/wsgi/apps/rest_dbus.py
/usr/lib/python2.7/site-packages/obmc/wsgi/apps/rest_dbus.py

I patched the file on phosphor-gevent .
Now I patched the rest_dbus.py on phosphor-rest again,the file of bmc side has updated.

Now it works.



Thanks,
Xiuzhi
------------------ Original ------------------
From: "Avi.Fishman";;
Date: Aug 29, 2018
To: "KWLIU"; "xiuzhi"<1450335857 at qq.com>; "eajames"; "ed.tanous"; "openbmc";

Subject: RE: Re:RE: KVM Support?




Hi Xiuzhi,



Can you take the patches and merge them to your environment?



Josef,

Maybe you need to give the commit or tag you are that above it you use your patches?



Thanks,

Avi




From: openbmc On Behalf Of CS20 KWLiu
Sent: Wednesday, August 29, 2018 5:44 AM
To: 1450335857 at qq.com; eajames at linux.vnet.ibm.com; ed.tanous at intel.com; openbmc at lists.ozlabs.org
Subject: RE: Re:RE: KVM Support?





Hi Xiuzhi:



I think we are using different bases of the openbmc, this patch is really working on my side

Sorry for I cannot find the exact error in your message.



Thanks,

Joseph

From: xiuzhi [mailto:1450335857 at qq.com]
Sent: Tuesday, August 28, 2018 6:57 PM
To: Eddie James; Tanous, Ed; CS20 KWLiu; openbmc
Subject: Re:RE: KVM Support?



Hi Joseph, Ed,
There was an error when I updated the patches https://github.com/Nuvoton-Israel/meta-openbmc-nuvoton-addon/commit/140771b7e898dd5ca8f0364290cce669609088ac
Would you like to give me some suggestions to debug it?
When I logged in https:///#/kvm, The errors read:
"
WebSocket on-close event app.89eaa0b6e5e9417cb602.js:38:675915
Failed when connecting: Connection closed (code: 1005) app.89eaa0b6e5e9417cb602.js:38:685584
RFB.prototype._fail https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:685584
RFB/< https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:676138
Websock.prototype.open/this._websocket.onclose< https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:778159
New state 'disconnecting', was 'connecting'. app.89eaa0b6e5e9417cb602.js:38:684301
>> RFB.disconnect app.89eaa0b6e5e9417cb602.js:38:680495
>> Keyboard.allKeysUp app.89eaa0b6e5e9417cb602.js:38:739659
<< Keyboard.allKeysUp app.89eaa0b6e5e9417cb602.js:38:739828
"
The line 38 of app.89eaa0b6e5e9417cb602.js is :
void 0!==module&&void 0!==exports&&module.exports===exports&&(module.exports="ui.router"),function(window,angular,undefined){"use strict";var $$UMFP,isDefined=angular.isDefined,isFunction=angular.isFunction,isString=angular.isString,isObject=angular.isObject,isArray=angular.isArray,forEach=angular.forEach,extend=angular.extend,copy=angular.copy,toJson=angular.toJson;function inherit(parent,extra){return extend(new(extend(function(){},{prototype:parent})),extra)}function merge(dst){return forEach(arguments,function(obj){obj!==dst&&forEach(obj,function(value,key){dst.hasOwnProperty(key)||(dst[key]=value)})}),dst}function objectKeys(object){if(Object.keys)return Object.keys(object);var result=[];return forEach(object,function(val,key){result.push(key)}),result}function indexOf(array,value){if(Array.prototype.indexOf)return array.indexOf(value,Number(arguments[2])||0);var len=array.length>>>0,from=Number(arguments[2])||0;for((from=from<0?Math.ceil(from):Math.floor(from))<0&&(from+=len);f
rom

Best,
Xiuzhi
>Hi Eddie & Ed: >Do you have any plan to support non-jpeg video stream in obmc-iKVM? >It is possible some platforms don't have hardware JPEG engine, instead have the RGB video stream. >If possible to support RGB video stream, I think it would be better if you can add the video frame differentiation in obmc-iKVM because we don't need to send the full screen >to VNC client on every request, it can reduce the buffer size at least. (libvncserver already has the video frame differentiation) >Also, I have implemented a KVM application for our platform(nuvoton evb-npcm750) which has hardware video frame differentiation and hardware hextile engine. https://github.com/Nuvoton-Israel/obmc-ikvm https://github.com/Nuvoton-Israel/linux/commit/7e90f572323e56e9425b85aafe86dfa5a35c4e7d >I also enabled ED's KVM webui and added kvmws proxy in python web server. https://github.com/Nuvoton-Israel/meta-openbmc-nuvoton-addon/commit/140771b7e898dd5ca8f0364290cce669609088ac >If you can spare a few m
inutes to review my implementation is my pleasure. >Currently, my video driver is not v4l2, so I am going to redesign it to fit v4l2 and your obmc-iKVM, then I will try to add the RGB format support in your obmc-ikvm. >Regarding the larger binary size, I think we need to review all configurations of libvncserver and check which functions should be disabled. >Thanks, >Joseph Liu.


===========================================================================================
The privileged confidential information contained in this email is intended for use only by the addressees as indicated by the original sender of this email. If you are not the addressee indicated in this email or are not responsible for delivery of the email to such a person, please kindly reply to the sender indicating this fact and delete all copies of it from your computer and network server immediately. Your cooperation is highly appreciated. It is advised that any unauthorized use of confidential information of Nuvoton is strictly prohibited; and any information in this email irrelevant to the official business of Nuvoton shall be deemed as neither given nor endorsed by Nuvoton.



===========================================================================================
The privileged confidential information contained in this email is intended for use only by the addressees as indicated by the original sender of this email. If you are not the addressee indicated in this email or are not responsible for delivery of the email to such a person, please kindly reply to the sender indicating this fact and delete all copies of it from your computer and network server immediately. Your cooperation is highly appreciated. It is advised that any unauthorized use of confidential information of Nuvoton is strictly prohibited; and any information in this email irrelevant to the official business of Nuvoton shall be deemed as neither given nor endorsed by Nuvoton.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20181102/a6129bdf/attachment.html>





Message: 2
Date: Fri, 2 Nov 2018 11:14:51 +0800
From: "=?ISO-8859-1?B?eGl1emhp?=" <1450335857 at qq.com>
To: "=?ISO-8859-1?B?QXZpLkZpc2htYW4=?=" ,
"=?ISO-8859-1?B?S1dMSVU=?=" ,
"=?ISO-8859-1?B?RWRkaWUgSmFtZXM=?=" ,
"=?ISO-8859-1?B?VGFub3VzLCBFZA==?=" ,
"=?ISO-8859-1?B?b3BlbmJtYw==?=" 
Subject: Re:RE: Re:RE: KVM Support?
Message-ID: 
Content-Type: text/plain; charset="iso-8859-1"

Hi Avi ,Joseph,
I can't get the host screen after updating openbmc source to to latest version (Oct 31 commit 7baabe48d8a2a30857994f222925505750728e39).
The error of opening the webpage https//xxxx/#kvm is :
Refused to load the image 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAgAAAAHCAYAAAA1WQxeAAAAOklEQVQYV2P8////fwYoYGRkZAQxUcRAHJA4SB2yArgYTAdMAMRH1gA2ElkRlA03DW4nThMIuoGQLwCKQ0b4DNy9fwAAAABJRU5ErkJggg==' because it violates the following Content Security Policy directive: "default-src 'self' wss: 'unsafe-eval' 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback

Can you give me advice on how to modify the 0001-Implement-KVM-in-webui.patch ?
Best,
xiuzhi


We are reviewing a proposed fix to change the Content-Security-Policy directive to: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
See: https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-ibm/+/14800/1/recipes-httpd/nginx/files/nginx.conf

For a quick workaround, remove the Content-Security-Policy directive from your nginx config file (on the BMC, typically /etc/nginx/nginx.conf) or change it to the setting mentioned above, restart the nginx service: systemctl restart nginx, and then you may need to clear your web browser's cache (for example, Firefox - Preferences - advanced - clear cache).

FYA: There are now two different people named "Joseph" on this email chain.



Hi Avi ,Joseph,
I checked the patches for bmc side, the rest_dbus.py on bmc was not patched sucessfully.
The files on bmc are:
/run/initramfs/ro/usr/lib/python2.7 /site-packages/obmc/wsgi/apps/rest_dbus.py
/usr/lib/python2.7/site-packages/obmc/wsgi/apps/rest_dbus.py

I patched the file on phosphor-gevent .
Now I patched the rest_dbus.py on phosphor-rest again,the file of bmc side has updated.

Now it works.



Thanks,
Xiuzhi
------------------ Original ------------------
From: "Avi.Fishman";;
Date: Aug 29, 2018
To: "KWLIU"; "xiuzhi"<1450335857 at qq.com>; "eajames"; "ed.tanous"; "openbmc";

Subject: RE: Re:RE: KVM Support?




Hi Xiuzhi,



Can you take the patches and merge them to your environment?



Josef,

Maybe you need to give the commit or tag you are that above it you use your patches?



Thanks,

Avi




From: openbmc On Behalf Of CS20 KWLiu
Sent: Wednesday, August 29, 2018 5:44 AM
To: 1450335857 at qq.com; eajames at linux.vnet.ibm.com; ed.tanous at intel.com; openbmc at lists.ozlabs.org
Subject: RE: Re:RE: KVM Support?





Hi Xiuzhi:



I think we are using different bases of the openbmc, this patch is really working on my side

Sorry for I cannot find the exact error in your message.



Thanks,

Joseph

From: xiuzhi [mailto:1450335857 at qq.com]
Sent: Tuesday, August 28, 2018 6:57 PM
To: Eddie James; Tanous, Ed; CS20 KWLiu; openbmc
Subject: Re:RE: KVM Support?



Hi Joseph, Ed,
There was an error when I updated the patches https://github.com/Nuvoton-Israel/meta-openbmc-nuvoton-addon/commit/140771b7e898dd5ca8f0364290cce669609088ac
Would you like to give me some suggestions to debug it?
When I logged in https:///#/kvm, The errors read:
"
WebSocket on-close event app.89eaa0b6e5e9417cb602.js:38:675915
Failed when connecting: Connection closed (code: 1005) app.89eaa0b6e5e9417cb602.js:38:685584
RFB.prototype._fail https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:685584
RFB/< https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:676138
Websock.prototype.open/this._websocket.onclose< https://192.168.120.132/app.89eaa0b6e5e9417cb602.js:38:778159
New state 'disconnecting', was 'connecting'. app.89eaa0b6e5e9417cb602.js:38:684301
>> RFB.disconnect app.89eaa0b6e5e9417cb602.js:38:680495
>> Keyboard.allKeysUp app.89eaa0b6e5e9417cb602.js:38:739659
<< Keyboard.allKeysUp app.89eaa0b6e5e9417cb602.js:38:739828
"
The line 38 of app.89eaa0b6e5e9417cb602.js is :
void 0!==module&&void 0!==exports&&module.exports===exports&&(module.exports="ui.router"),function(window,angular,undefined){"use strict";var $$UMFP,isDefined=angular.isDefined,isFunction=angular.isFunction,isString=angular.isString,isObject=angular.isObject,isArray=angular.isArray,forEach=angular.forEach,extend=angular.extend,copy=angular.copy,toJson=angular.toJson;function inherit(parent,extra){return extend(new(extend(function(){},{prototype:parent})),extra)}function merge(dst){return forEach(arguments,function(obj){obj!==dst&&forEach(obj,function(value,key){dst.hasOwnProperty(key)||(dst[key]=value)})}),dst}function objectKeys(object){if(Object.keys)return Object.keys(object);var result=[];return forEach(object,function(val,key){result.push(key)}),result}function indexOf(array,value){if(Array.prototype.indexOf)return array.indexOf(value,Number(arguments[2])||0);var len=array.length>>>0,from=Number(arguments[2])||0;for((from=from<0?Math.ceil(from):Math.floor(from))<0&&(from+=len);f
rom

Best,
Xiuzhi
>Hi Eddie & Ed: >Do you have any plan to support non-jpeg video stream in obmc-iKVM? >It is possible some platforms don't have hardware JPEG engine, instead have the RGB video stream. >If possible to support RGB video stream, I think it would be better if you can add the video frame differentiation in obmc-iKVM because we don't need to send the full screen >to VNC client on every request, it can reduce the buffer size at least. (libvncserver already has the video frame differentiation) >Also, I have implemented a KVM application for our platform(nuvoton evb-npcm750) which has hardware video frame differentiation and hardware hextile engine. https://github.com/Nuvoton-Israel/obmc-ikvm https://github.com/Nuvoton-Israel/linux/commit/7e90f572323e56e9425b85aafe86dfa5a35c4e7d >I also enabled ED's KVM webui and added kvmws proxy in python web server. https://github.com/Nuvoton-Israel/meta-openbmc-nuvoton-addon/commit/140771b7e898dd5ca8f0364290cce669609088ac >If you can spare a few m
inutes to review my implementation is my pleasure. >Currently, my video driver is not v4l2, so I am going to redesign it to fit v4l2 and your obmc-iKVM, then I will try to add the RGB format support in your obmc-ikvm. >Regarding the larger binary size, I think we need to review all configurations of libvncserver and check which functions should be disabled. >Thanks, >Joseph Liu.


===========================================================================================
The privileged confidential information contained in this email is intended for use only by the addressees as indicated by the original sender of this email. If you are not the addressee indicated in this email or are not responsible for delivery of the email to such a person, please kindly reply to the sender indicating this fact and delete all copies of it from your computer and network server immediately. Your cooperation is highly appreciated. It is advised that any unauthorized use of confidential information of Nuvoton is strictly prohibited; and any information in this email irrelevant to the official business of Nuvoton shall be deemed as neither given nor endorsed by Nuvoton.



===========================================================================================
The privileged confidential information contained in this email is intended for use only by the addressees as indicated by the original sender of this email. If you are not the addressee indicated in this email or are not responsible for delivery of the email to such a person, please kindly reply to the sender indicating this fact and delete all copies of it from your computer and network server immediately. Your cooperation is highly appreciated. It is advised that any unauthorized use of confidential information of Nuvoton is strictly prohibited; and any information in this email irrelevant to the official business of Nuvoton shall be deemed as neither given nor endorsed by Nuvoton.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20181102/a6129bdf/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20181104/d34d6752/attachment-0001.html>


More information about the openbmc mailing list