Upgrade notes ^^^^^^^^^^^^^ v1.5 ==== Version 1.5 replaced Unix domain control sockets with TCP control sockets. This change made it necessary to introduce an authentication file to replace the POSIX file permissions, which protected the domain sockets. You can configure vncauthproxy daemon by modifying the Debian default file (``/etc/default/vncauthproxy``) and more specifically the ``DAEMON_OPTS`` variable. This option (along with the modified ``CHUID`` option) has been added to the v1.5 default file (which you'll need to 'merge' if you're upgrading from an older version of snf-vncauthproxy). The ``DAEMON_OPTS`` variable accepts any valid option you can pass to the vncauthproxy daemon on the command line. For a detailed listing and information about the avaialble options plese check vncauthproxy help output: .. code-block:: console # vncauthproxy --help The default path for the auth file is ``/var/lib/vncauthproxy/users`` (configurable by the ``--auth-file`` option). Each line in the file represents one user which is allowed to use the control socket and should be in the following format: .. code-block:: console username:$6$salt$hash The password part of the line (after the colon) is the output of crypt(), using a random 16-char salt with SHA-512. To manage the authentication file, you can use the vncauthproxy-passwd tool, to easily add, update and delete users: To add a user: .. code-block:: console # vncauthproxy-passwd /var/lib/vncauthproxy/users user You will be prompted for a password. To delete a user: .. code-block:: console # vncauthproxy-passwd -D /var/lib/vncauthproxy/users user See the help output of the tool for more options: .. code-block:: console # vncauthproxy-passwd -h .. warning:: The vncauthproxy daemon requires a restart for the changes in the authentication file to take effect. .. warning:: After installing snf-vncauthproxy for the fist time, make sure that you create a valid authentication file and define any users needed. The vncauthproxy daemon will start but will not be usable if no users are defined or if no authentication file is present. Version 1.5 also introduced support for SSL for the control socket. If you enable SSL support (``--enable-ssl`` parameter, disabled by default) you will have to provide a certficate and key file (``--cert-file`` and ``--key-file`` parameters). The default values for certificate and key files are ``/var/lib/vncauthrpoxy/{cert,key}.pem`` respectively. If you're using snf-vncauthproxy with Synnefo, you should make sure to edit the ``CYCLADES_VNCAUTHPROXY_OPTS`` setting in ``/etc/synnefo/20-snf-cyclades-app-api.conf``. The ``CYCLADES_VNCAUTHPROXY_OPTS`` dict in ``/etc/synnefo/20-snf-cyclades-app-api.conf`` should be edited to match snf-vncauthproxy configuration (user, password, SSL support, certificate file). You should also make sure that the node running snf-cyclades-app can connect to the snf-vncauthproxy's control socket address / port (the suggested deployment to run snf-vncauthproxy on the same host as snf-cyclades-app should work with the defaults of snf-vncauthproxy, with the exception of the authentication file). Finally, snf-vncauthproxy now adds a user and group (``vncauthproxy``) to be used by the vncauthproxy daemon. As a result the ``CHUID`` option in the Debian default file (``/etc/default/vncauthproxy``) has changed accordingly. Although it is recommended to run vncauhtproxy with the predfined user and group, it's not mandatory.