[lxc-users] websocket and authentication

Frans Meulenbroeks fransmeulenbroeks at gmail.com
Fri Feb 17 10:14:00 UTC 2017


Hi all,

I found the issue. I just had to use CERT_NONE.
Below is the working test code.
If someone else is struggling with this, I hope Google will lead them to
this.

I understand the documentation can't explain everything and that websocket
is considered to be known.
Then again it would have been nice to have a note somewhere stating that
the websocket did not need a certificate.

Enjoy, Frans.


#!/usr/bin/python2

# code is a minimally adapted version of the code of raharper as found on
# https://github.com/lxc/lxd/issues/231

import json
import requests
import sys
import websocket
import urllib
import ssl

URL = '127.0.0.1:8443'

# both a container name and a command are required
if len(sys.argv) < 3:
    print('usage: exec <container> cmd')
    sys.exit(1)

u = 'https://%s/1.0/containers/%s/exec' % (URL, sys.argv[1])
cert = ('client.crt', 'client.key')
command = {
    "command": sys.argv[2:],
    "wait-for-websocket": True,
}
params = json.dumps(command)
r = requests.post(u, data=params, verify=False, cert=cert)
content = json.loads(r.text)
op = content['operation']
fds = content['metadata']['metadata']['fds']
sockets = {}

stdout = '1'
stdin = '0'
stderr = '2'


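# the server certificate is not verified on the websocket connections
ssl_options = {
    "cert_reqs": ssl.CERT_NONE,
}

# open one websocket per file descriptor, each with its own secret
for fd in [stdin, stdout, stderr]:
    secret = urllib.urlencode({'secret': fds[fd]})
    wsurl = 'wss://%s%s/websocket?%s' % (URL, op, secret)
    ws = websocket.create_connection(wsurl, sslopt=ssl_options)
    sockets[fd] = ws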

# stdout = 1, stderr = 2
output = sockets[stdout].recv()
error = sockets[stderr].recv()

print(output)


2017-02-15 22:47 GMT+01:00 Frans Meulenbroeks <fransmeulenbroeks at gmail.com>:

> This is as far as I got, but I am not properly authenticated.
> The program is below.
>
> The error I get is:
>   File "/home/frans/lxd/websock.py", line 42, in <module>
>     ws.connect(wsurl)
>   File "/usr/local/lib/python2.7/dist-packages/websocket/_core.py", line
> 211, in connect
>     options.pop('socket', None))
>   File "/usr/local/lib/python2.7/dist-packages/websocket/_http.py", line
> 77, in connect
>     sock = _ssl_socket(sock, options.sslopt, hostname)
>   File "/usr/local/lib/python2.7/dist-packages/websocket/_http.py", line
> 179, in _ssl_socket
>     sock = _wrap_sni_socket(sock, sslopt, hostname, check_hostname)
>   File "/usr/local/lib/python2.7/dist-packages/websocket/_http.py", line
> 160, in _wrap_sni_socket
>     server_hostname=hostname,
>   File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
>     _context=self)
>   File "/usr/lib/python2.7/ssl.py", line 601, in __init__
>     self.do_handshake()
>   File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
>     self._sslobj.do_handshake()
> ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
> (_ssl.c:590)
>
> Obviously something wrong with certificates, but what?
> Anyone a clue?
>
> Thanks, Frans
>
> [ non working code deleted in order not to confuse people]

>
> 2017-02-15 16:28 GMT+01:00 Frans Meulenbroeks <fransmeulenbroeks at gmail.com
> >:
>
>> Hi,
>>
>> I was wondering if someone could help me a bit with exec over the REST
>> API (in python in my case).
>>
>> I found this example: https://github.com/lxc/lxd/issues/231 but
>> unfortunately this did not work for me (after changing 8080 to 8443).
>>
>> I suspect this is caused by missing authentication, but as I am a
>> websocket n00b, I was wondering if someone could help me out by providing
>> some more info, a link or a code snippet.
>>
>> Also: should I use ws:// or wss://?
>>
>> Thanks for any help!
>> Frans
>>
>
>
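
Added example, not part of the original post or of the LXD project's code: with CERT_NONE the script above accepts any server certificate, so this Python 3 sketch keeps that setting but checks the certificate the server presents against a pinned SHA-256 fingerprint before any request or secret is sent. The function names are hypothetical, and the fingerprint is assumed to have been obtained out of band from the LXD host.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' or plain hex; return 64 lowercase hex digits."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def pin_matches(der_cert, pinned_fingerprint):
    """True if SHA-256 over the DER certificate equals the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))


def connect_pinned(host, port, pinned_fingerprint,
                   certfile=None, keyfile=None, timeout=10):
    """Open a TLS connection and enforce the pin before returning the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # has to be off before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE   # as in the post; the pin replaces CA checks
    if certfile:
        # client certificate, e.g. client.crt / client.key from the post
        ctx.load_cert_chain(certfile, keyfile)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # binary_form=True returns the DER certificate even when it was not validated
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_fingerprint):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```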