Source code for ironic.conf.vnc

#   Copyright 2025 Red Hat, Inc.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

import os

from oslo_config import cfg
from oslo_config import types


opts = [
    cfg.BoolOpt(
        'enabled',
        default=False,
        help='Enable VNC related features. '
             'Guests will get created with graphical devices to support '
             'this. Clients (for example Horizon) can then establish a '
             'VNC connection to the guest.'),
    cfg.HostAddressOpt(
        'host_ip',
        default='0.0.0.0',
        help='The IP address or hostname on which ironic-novncproxy '
             'listens.'),
    cfg.PortOpt(
        'port',
        default=6090,
        help='The TCP port on which ironic-novncproxy listens.'),
    cfg.StrOpt(
        'public_url',
        mutable=True,
        help='Public URL to use when building the links to the noVNC client '
             'browser page '
             '(for example, "http://127.0.0.1:6090/vnc_auto.html"). '
             'If the API is operating behind a proxy, you '
             'will want to change this to represent the proxy\'s URL. '
             'Defaults to None. '),
    cfg.BoolOpt(
        'enable_ssl',
        default=False,
        help='Enable the integrated stand-alone noVNC to service '
             'requests via HTTPS instead of HTTP. If there is a '
             'front-end service performing HTTPS offloading from '
             'the service, this option should be False; note, you '
             'will want to configure [vnc]public_endpoint option '
             'to set URLs in responses to the SSL terminated one.'),
    cfg.StrOpt(
        'novnc_web',
        default='/usr/share/novnc',
        help='Path to directory with content which will be served by a web '
             'server.'),
    cfg.StrOpt(
        'novnc_record',
        help='Filename that will be used for storing websocket frames '
             'received and sent by a VNC proxy service running on this host. '
             'If this is not set, no recording will be done.'),
    cfg.ListOpt(
        'novnc_auth_schemes',
        item_type=types.String(choices=(
            ('none', 'Allow connection without authentication'),
        )),
        default=['none'],
        help='The allowed authentication schemes to use with proxied '
             'VNC connections'),
    cfg.BoolOpt(
        'read_only',
        default=False,
        help='When True, keyboard and mouse events will not be passed '
             'to the console.'
    ),
    cfg.IntOpt(
        'token_timeout',
        default=600,
        min=10,
        help='The lifetime of a console auth token (in seconds).'),
    cfg.IntOpt(
        'expire_console_session_interval',
        default=120,
        min=1,
        help='Interval (in seconds) between periodic checks to determine '
             'whether active console sessions have expired and need to be '
             'closed.'),
    cfg.StrOpt(
        'container_provider',
        default='fake',
        help='Console container provider which manages the containers that '
             'expose a VNC service to ironic-novncproxy or nova-novncproxy. '
             'Each container runs an X11 session and a browser showing the '
             'actual BMC console. '
             '"systemd" manages containers as systemd units via podman '
             'Quadlet support. The default is "fake" which returns an '
             'unusable VNC host and port. This needs to be changed if enabled '
             'is True'),
    cfg.StrOpt(
        'console_image',
        mutable=True,
        help='Container image reference for the "systemd" console container '
             'provider, and any other out-of-tree provider which requires a '
             'configurable image reference.'),
    cfg.StrOpt(
        'systemd_container_template',
        default=os.path.join(
            '$pybasedir',
            'console/container/ironic-console.container.template'),
        mutable=True,
        help='For the systemd provider, path to the template for defining a '
             'console container. The default template requires that '
             '"console_image" be set.'),
    cfg.StrOpt(
        'systemd_container_publish_port',
        default='$my_ip::5900',
        help='Equivalent to the podman run --port argument for the '
             'mapping of VNC port 5900 to the host. An IP address is '
             'required to bind to, defaulting to $my_ip. The VNC port '
             'exposed on the host will be a randomly allocated high port. '
             'These containers expose VNC servers which must be accessible '
             'by ironic-novncproxy and/or nova-novncproxy. The VNC servers '
             'have no authentication or encryption so they also should not '
             'be exposed to public access. Additionally, the containers '
             'need to be able to access BMC management endpoints. '),
    cfg.StrOpt(
        'ssl_cert_file',
        help="Certificate file to use when starting the server securely."),
    cfg.StrOpt(
        'ssl_key_file',
        help="Private key file to use when starting the server securely."),
    cfg.StrOpt(
        'ssl_minimum_version',
        help="The minimum SSL version to use."),
    cfg.StrOpt(
        'ssl_ciphers',
        help="Sets the list of available ciphers. value should be a "
             "string in the OpenSSL cipher list format."),
]


[docs]def register_opts(conf): conf.register_opts(opts, group='vnc')