[PATCH] fix #6079: use vncticket endpoint for VM serial terminal

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

* [PATCH] fix #6079: use vncticket endpoint for VM serial terminal
@ 2026-04-16 17:40 Koji Nishimura
  2026-04-27  9:05 ` Fiona Ebner
  0 siblings, 1 reply; 3+ messages in thread
From: Koji Nishimura @ 2026-04-16 17:40 UTC (permalink / raw)
  To: pve-devel; +Cc: Koji Nishimura

Use the vncticket endpoint for the VM serial terminal termproxy path.

The node shell termproxy path already uses the vncticket endpoint,
but the VM serial terminal path still uses the older authentication
flow.

That older flow prevents VM /termproxy from working with API tokens,
because authentication fails before the websocket connection can use
the VNC ticket verification path.

Make the VM serial terminal path use the same vncticket-based
authentication flow as the node shell path.

This fixes the VM /termproxy side of bug 6079. In local testing,
this was required together with the already-posted access-control
change for token-owned VNC ticket verification.

Signed-off-by: Koji Nishimura <nsm.kkoji@gmail.com>
---
 src/PVE/API2/Qemu.pm | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
index 2a1e3854..0b8859fb 100644
--- a/src/PVE/API2/Qemu.pm
+++ b/src/PVE/API2/Qemu.pm
@@ -3152,7 +3152,16 @@ __PACKAGE__->register_method({
             syslog('info', "starting qemu termproxy $upid\n");

             my $cmd =
-                ['/usr/bin/termproxy', $port, '--path', $authpath, '--perm', 'VM.Console', '--'];
+                [
+                    '/usr/bin/termproxy',
+                    $port,
+                    '--path',
+                    $authpath,
+                    '--perm',
+                    'VM.Console',
+                    '--vncticket-endpoint',
+                    '--',
+                ];
             push @$cmd, @$remcmd, @$termcmd;

             run_command($cmd);
-- 
2.43.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] fix #6079: use vncticket endpoint for VM serial terminal
  2026-04-16 17:40 [PATCH] fix #6079: use vncticket endpoint for VM serial terminal Koji Nishimura
@ 2026-04-27  9:05 ` Fiona Ebner
  2026-04-27  9:36   ` 西村幸治
  0 siblings, 1 reply; 3+ messages in thread
From: Fiona Ebner @ 2026-04-27  9:05 UTC (permalink / raw)
  To: Koji Nishimura, pve-devel

Hi,

Am 20.04.26 um 4:17 PM schrieb Koji Nishimura:
> Use the vncticket endpoint for the VM serial terminal termproxy path.
> 
> The node shell termproxy path already uses the vncticket endpoint,
> but the VM serial terminal path still uses the older authentication
> flow.
> 
> That older flow prevents VM /termproxy from working with API tokens,
> because authentication fails before the websocket connection can use
> the VNC ticket verification path.
> 
> Make the VM serial terminal path use the same vncticket-based
> authentication flow as the node shell path.
> 
> This fixes the VM /termproxy side of bug 6079. In local testing,
> this was required together with the already-posted access-control
> change for token-owned VNC ticket verification.
> 
> Signed-off-by: Koji Nishimura <nsm.kkoji@gmail.com>
> ---
>  src/PVE/API2/Qemu.pm | 11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
> index 2a1e3854..0b8859fb 100644
> --- a/src/PVE/API2/Qemu.pm
> +++ b/src/PVE/API2/Qemu.pm
> @@ -3152,7 +3152,16 @@ __PACKAGE__->register_method({
>              syslog('info', "starting qemu termproxy $upid\n");
>  
>              my $cmd =
> -                ['/usr/bin/termproxy', $port, '--path', $authpath, '--perm', 'VM.Console', '--'];
> +                [
> +                    '/usr/bin/termproxy',
> +                    $port,
> +                    '--path',
> +                    $authpath,
> +                    '--perm',
> +                    'VM.Console',
> +                    '--vncticket-endpoint',
> +                    '--',
> +                ];
>              push @$cmd, @$remcmd, @$termcmd;
>  
>              run_command($cmd);

many thanks for your contribution! FYI, the issue was independently
fixed already with commit c9ee34b5 ("api: vnc/termproxy: encode and
verify port in ticket") [0] as part of some other changes, which also
switched to using the 'vncticket' endpoint.

Best Regards,
Fiona

[0]:
https://git.proxmox.com/?p=qemu-server.git;a=commitdiff;h=c9ee34b50280f46b793e93b9652fbbd5a742c6e4




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] fix #6079: use vncticket endpoint for VM serial terminal
  2026-04-27  9:05 ` Fiona Ebner
@ 2026-04-27  9:36   ` 西村幸治
  0 siblings, 0 replies; 3+ messages in thread
From: 西村幸治 @ 2026-04-27  9:36 UTC (permalink / raw)
  To: Fiona Ebner; +Cc: pve-devel

Hi Fiona,

Thank you for letting me know and for the pointer to the commit.
Understood.

Best regards,
Koji

2026年4月27日(月) 18:06 Fiona Ebner <f.ebner@proxmox.com>:

> Hi,
>
> Am 20.04.26 um 4:17 PM schrieb Koji Nishimura:
> > Use the vncticket endpoint for the VM serial terminal termproxy path.
> >
> > The node shell termproxy path already uses the vncticket endpoint,
> > but the VM serial terminal path still uses the older authentication
> > flow.
> >
> > That older flow prevents VM /termproxy from working with API tokens,
> > because authentication fails before the websocket connection can use
> > the VNC ticket verification path.
> >
> > Make the VM serial terminal path use the same vncticket-based
> > authentication flow as the node shell path.
> >
> > This fixes the VM /termproxy side of bug 6079. In local testing,
> > this was required together with the already-posted access-control
> > change for token-owned VNC ticket verification.
> >
> > Signed-off-by: Koji Nishimura <nsm.kkoji@gmail.com>
> > ---
> >  src/PVE/API2/Qemu.pm | 11 ++++++++++-
> >  1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm
> > index 2a1e3854..0b8859fb 100644
> > --- a/src/PVE/API2/Qemu.pm
> > +++ b/src/PVE/API2/Qemu.pm
> > @@ -3152,7 +3152,16 @@ __PACKAGE__->register_method({
> >              syslog('info', "starting qemu termproxy $upid\n");
> >
> >              my $cmd =
> > -                ['/usr/bin/termproxy', $port, '--path', $authpath,
> '--perm', 'VM.Console', '--'];
> > +                [
> > +                    '/usr/bin/termproxy',
> > +                    $port,
> > +                    '--path',
> > +                    $authpath,
> > +                    '--perm',
> > +                    'VM.Console',
> > +                    '--vncticket-endpoint',
> > +                    '--',
> > +                ];
> >              push @$cmd, @$remcmd, @$termcmd;
> >
> >              run_command($cmd);
>
> many thanks for your contribution! FYI, the issue was independently
> fixed already with commit c9ee34b5 ("api: vnc/termproxy: encode and
> verify port in ticket") [0] as part of some other changes, which also
> switched to using the 'vncticket' endpoint.
>
> Best Regards,
> Fiona
>
> [0]:
>
> https://git.proxmox.com/?p=qemu-server.git;a=commitdiff;h=c9ee34b50280f46b793e93b9652fbbd5a742c6e4
>
>

-- 
西村 幸治 ( nsm.kkoji@gmail.com )

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-04-27  9:44 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-16 17:40 [PATCH] fix #6079: use vncticket endpoint for VM serial terminal Koji Nishimura
2026-04-27  9:05 ` Fiona Ebner
2026-04-27  9:36   ` 西村幸治

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal