Fix KasmVNC

selkies-project · Jun 25, 2024 · 1d2d710 · 1d2d710
1 parent a8dd53f
commit 1d2d710
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 35 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -265,7 +265,7 @@ ENV DISPLAY_REFRESH=60
 ENV DISPLAY_DPI=96
 ENV DISPLAY_CDEPTH=24
 ENV VIDEO_PORT=DFP
-ENV KASMVNC_VIEWONLY=false
+ENV KASMVNC_ENABLE=false
 ENV SELKIES_ENCODER=nvh264enc
 ENV SELKIES_ENABLE_RESIZE=false
 ENV SELKIES_ENABLE_BASIC_AUTH=true

diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ Wine, Winetricks, Lutris, and PlayOnLinux are bundled by default. Comment out th
 
 There are two web interfaces that can be chosen in this container, the first being the default [selkies-gstreamer](https://github.com/selkies-project/selkies-gstreamer) WebRTC HTML5 interface (requires a TURN server or host networking), and the second being the fallback [KasmVNC](https://github.com/kasmtech/KasmVNC) WebSocket HTML5 interface. While the KasmVNC interface does not support audio forwarding and remote cursors for gaming, it can be useful for troubleshooting the selkies-gstreamer WebRTC interface or using this container with low bandwidth environments.
 
-The KasmVNC interface is located in the `/vnc` path, where the environment variable `KASMVNC_VIEWONLY` can be set to `true` to disallow controlling the KasmVNC interface and only view the share screen.
+The KasmVNC interface can be enabled by setting `KASMVNC_ENABLE` to `true`. When using the KasmVNC interface, all environment variables related to the selkies-gstreamer WebRTC interface are ignored, with the exception of `SELKIES_BASIC_AUTH_PASSWORD`. As with the selkies-gstreamer WebRTC interface, the KasmVNC interface password will be set to `SELKIES_BASIC_AUTH_PASSWORD`, and uses `PASSWD` by default if not set.
 
 The container requires host NVIDIA GPU driver versions of at least **450.80.02** and preferably **470.42.01**, with the [NVIDIA Container Toolkit](https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/install-guide.html) to be also configured on the host for allocating GPUs. All Maxwell or later generation GPUs in the consumer, professional, or datacenter lineups will not have significant issues running this container, although the selkies-gstreamer high-performance NVENC backend may not be available (see the next paragraph). Kepler GPUs are untested and likely does not support the NVENC backend, but can be mostly functional using fallback software acceleration.
 

diff --git a/kasmvnc-entrypoint.sh b/kasmvnc-entrypoint.sh
@@ -6,9 +6,6 @@
 
 set -e
 
-# Set password for basic authentication
-if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" = "true" ] && [ -z "${SELKIES_BASIC_AUTH_PASSWORD}" ]; then export SELKIES_BASIC_AUTH_PASSWORD="${PASSWD}"; fi
-
 # Set default display
 export DISPLAY="${DISPLAY:-:0}"
 # PipeWire-Pulse server socket path
@@ -18,6 +15,39 @@ export PIPEWIRE_RUNTIME_DIR="${PIPEWIRE_RUNTIME_DIR:-${XDG_RUNTIME_DIR:-/tmp}}"
 export PULSE_RUNTIME_PATH="${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}"
 export PULSE_SERVER="${PULSE_SERVER:-unix:${PULSE_RUNTIME_PATH:-${XDG_RUNTIME_DIR:-/tmp}/pulse}/native}"
 
+# Configure NGINX
+if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" != "false" ]; then htpasswd -bcm "${XDG_RUNTIME_DIR}/.htpasswd" "${SELKIES_BASIC_AUTH_USER:-${USER}}" "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; fi
+echo "# Selkies KasmVNC NGINX Configuration
+server {
+    access_log /dev/stdout;
+    error_log /dev/stderr;
+    listen 8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+    listen [::]:8080 $(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "ssl"; fi);
+    ssl_certificate ${SELKIES_HTTPS_CERT-/etc/ssl/certs/ssl-cert-snakeoil.pem};
+    ssl_certificate_key ${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key};
+    $(if [ \"$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')\" != \"false\" ]; then echo "auth_basic \"Selkies\";"; echo -n "    auth_basic_user_file ${XDG_RUNTIME_DIR}/.htpasswd;"; fi)
+
+    location / {
+        proxy_set_header        Upgrade \$http_upgrade;
+        proxy_set_header        Connection \"upgrade\";
+
+        proxy_set_header        Host \$host;
+        proxy_set_header        X-Real-IP 127.0.0.1;
+        proxy_set_header        X-Forwarded-For 127.0.0.1;
+        proxy_set_header        X-Forwarded-Proto \$scheme;
+
+        proxy_http_version      1.1;
+        proxy_read_timeout      3600s;
+        proxy_send_timeout      3600s;
+        proxy_connect_timeout   3600s;
+        proxy_buffering         off;
+
+        client_max_body_size    10M;
+
+        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
+    }
+}" | tee /etc/nginx/sites-available/default > /dev/null
+
 # Configure KasmVNC
 export KASM_DISPLAY=":50"
 yq -i "
@@ -36,7 +66,6 @@ if [ -n "${SELKIES_HTTPS_CERT}" ]; then yq -i ".network.ssl.pem_certificate = \"
 if [ -n "${SELKIES_HTTPS_KEY}" ]; then yq -i ".network.ssl.pem_key = \"${SELKIES_HTTPS_KEY-/etc/ssl/private/ssl-cert-snakeoil.key}\"" /etc/kasmvnc/kasmvnc.yaml; fi
 
 if [ "$(echo ${SELKIES_ENABLE_RESIZE} | tr '[:upper:]' '[:lower:]')" = "true" ]; then export KASM_PROXY_FLAG="${KASM_PROXY_FLAG} -r"; fi
-if [ "$(echo ${KASMVNC_VIEWONLY} | tr '[:upper:]' '[:lower:]')" = "true" ]; then export KASM_FLAG="${KASM_FLAG} -AcceptPointerEvents=0 -AcceptKeyEvents=0 -AcceptSetDesktopSize=0"; fi
 
 mkdir -pm700 ~/.vnc
 (echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}"; echo "${SELKIES_BASIC_AUTH_PASSWORD:-${PASSWD}}";) | kasmvncpasswd -u "${SELKIES_BASIC_AUTH_USER:-${USER}}" -ow ~/.kasmpasswd

diff --git a/selkies-gstreamer-entrypoint.sh b/selkies-gstreamer-entrypoint.sh
@@ -6,9 +6,6 @@
 
 set -e
 
-# Set password for basic authentication
-if [ "$(echo ${SELKIES_ENABLE_BASIC_AUTH} | tr '[:upper:]' '[:lower:]')" = "true" ] && [ -z "${SELKIES_BASIC_AUTH_PASSWORD}" ]; then export SELKIES_BASIC_AUTH_PASSWORD="${PASSWD}"; fi
-
 # Set default display
 export DISPLAY="${DISPLAY:-:0}"
 # PipeWire-Pulse server socket path
@@ -111,28 +108,6 @@ server {
         proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:9081;
     }
 
-    location /vnc {
-        rewrite ^/vnc(.*)\$ \$1?\$args break;
-
-        proxy_set_header        Upgrade \$http_upgrade;
-        proxy_set_header        Connection \"upgrade\";
-
-        proxy_set_header        Host \$host;
-        proxy_set_header        X-Real-IP 127.0.0.1;
-        proxy_set_header        X-Forwarded-For 127.0.0.1;
-        proxy_set_header        X-Forwarded-Proto \$scheme;
-
-        proxy_http_version      1.1;
-        proxy_read_timeout      3600s;
-        proxy_send_timeout      3600s;
-        proxy_connect_timeout   3600s;
-        proxy_buffering         off;
-
-        client_max_body_size    10M;
-
-        proxy_pass http$(if [ \"$(echo ${SELKIES_ENABLE_HTTPS} | tr '[:upper:]' '[:lower:]')\" = \"true\" ]; then echo -n "s"; fi)://localhost:8082;
-    }
-
     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
         root /opt/gst-web/;

diff --git a/supervisord.conf b/supervisord.conf
@@ -38,7 +38,7 @@ autorestart=true
 priority=1
 
 [program:selkies-gstreamer]
-command=bash -c "/etc/selkies-gstreamer-entrypoint.sh"
+command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') != true ]; then /etc/selkies-gstreamer-entrypoint.sh; else sleep infinity; fi"
 stdout_logfile=/tmp/selkies-gstreamer-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0
@@ -50,7 +50,7 @@ autorestart=true
 priority=20
 
 [program:kasmvnc]
-command=bash -c "/etc/kasmvnc-entrypoint.sh"
+command=bash -c "if [ $(echo %(ENV_KASMVNC_ENABLE)s | tr '[:upper:]' '[:lower:]') = true ]; then /etc/kasmvnc-entrypoint.sh; else sleep infinity; fi"
 stdout_logfile=/tmp/kasmvnc-entrypoint.log
 stdout_logfile_maxbytes=5MB
 stdout_logfile_backups=0

diff --git a/xgl.yml b/xgl.yml
@@ -45,8 +45,8 @@ spec:
 #            secretKeyRef:
 #              name: my-pass
 #              key: my-pass
-        # Uncomment to make KasmVNC available only for screen viewing without desktop control
-#        - name: KASMVNC_VIEWONLY
+        # Uncomment to enable KasmVNC instead of Selkies-GStreamer, `SELKIES_BASIC_AUTH_PASSWORD` is used for authentication with KasmVNC, defaulting to `PASSWD` if not provided
+#        - name: KASMVNC_ENABLE
 #          value: "true"
         ###
         # Selkies-GStreamer parameters, for additional configurations see `selkies-gstreamer --help`