extension/proxmox: add console access for instances

[shwstppr]

Description

This PR introduces console access support for instances deployed using Orchestrator Extensions, available via either VNC or a direct URL.

• CloudStack queries the extension using the getconsole action.
• For VNC-based access, the extension must return host/port/ticket details. CloudStack then forwards these to the Console Proxy VM (CPVM) in the instance’s zone. It is assumed that the CPVM can reach the specified host and port.
• For direct URL access, the extension returns a console URL with the protocol set to direct. The URL is then provided directly to the user.
• The built-in Proxmox Orchestrator Extension now supports console access via VNC. The extension calls the Proxmox API to fetch console details and returns them in the required format.

Also, adds changes to send caller details to the extension payload.

# cat /var/lib/cloudstack/management/extensions/Proxmox/02b650f6-bb98-49cb-8cac-82b7a78f43a2.json | jq
{
  "caller": {
    "roleid": "6b86674b-7e61-11f0-ba77-1e00c8000158",
    "rolename": "Root Admin",
    "name": "admin",
    "roletype": "Admin",
    "id": "93567ed9-7e61-11f0-ba77-1e00c8000158",
    "type": "ADMIN"
  },
  "virtualmachineid": "126f4562-1f0f-4313-875e-6150cabeb72f",
  ...

Documentation PR: apache/cloudstack-documentation#560

Types of changes

• Breaking change (fix or feature that would cause existing functionality to change)
• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Enhancement (improves an existing feature and functionality)
• Cleanup (Code refactoring and cleanup, that may add test cases)
• build/CI
• test (unit or integration test code)

Feature/Enhancement Scale or Bug Severity

Feature/Enhancement Scale

• Major
• Minor

Bug Severity

• BLOCKER
• Critical
• Major
• Minor
• Trivial

Screenshots (if appropriate):

proxmox-console.mp4

How Has This Been Tested?

How did you try to break this feature and the system with this change?

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[codecov]

Codecov Report

❌ Patch coverage is 66.98113% with 140 lines in your changes missing coverage. Please review.
✅ Project coverage is 17.50%. Comparing base (0526ec0) to head (1e911a9).
⚠️ Report is 23 commits behind head on main.

Files with missing lines	Patch %	Lines
...com/cloud/agent/api/GetExternalConsoleCommand.java	0.00%	21 Missing ⚠️
.../com/cloud/consoleproxy/vnc/network/NioSocket.java	0.00%	16 Missing ⚠️
.../com/cloud/agent/api/GetExternalConsoleAnswer.java	48.27%	15 Missing ⚠️
...udstack/consoleproxy/ConsoleAccessManagerImpl.java	92.81%	9 Missing and 4 partials ⚠️
...al/provisioner/ExternalPathPayloadProvisioner.java	83.56%	7 Missing and 5 partials ⚠️
...work/extensions/manager/ExtensionsManagerImpl.java	75.55%	2 Missing and 9 partials ⚠️
...om/cloud/consoleproxy/ConsoleProxyClientParam.java	0.00%	9 Missing ⚠️
...in/java/com/cloud/servlet/ConsoleProxyServlet.java	0.00%	8 Missing ⚠️
...om/cloud/consoleproxy/ConsoleProxyNoVncClient.java	0.00%	8 Missing ⚠️
...hypervisor/external/resource/ExternalResource.java	0.00%	7 Missing ⚠️
... and 7 more

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #11601      +/-   ##
============================================
+ Coverage     17.39%   17.50%   +0.10%     
- Complexity    15285    15425     +140     
============================================
  Files          5889     5894       +5     
  Lines        526183   526836     +653     
  Branches      64242    64331      +89     
============================================
+ Hits          91542    92228     +686     
+ Misses       424297   424231      -66     
- Partials      10344    10377      +33     

Flag	Coverage Δ
uitests	3.61% <ø> (-0.01%)	⬇️
unittests	18.56% <66.98%> (+0.11%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14921

[Copilot]

Pull Request Overview

Add console access support for instances deployed using the inbuilt Proxmox Orchestrator extension. CloudStack queries the Proxmox API for console credentials and passes them to the CPVM for the zone.

• Enables console access for External hypervisor instances by removing restriction
• Implements console command handling for External/Proxmox instances
• Adds proper authentication bypass for External hypervisors

Reviewed Changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
ui/src/components/view/ActionButton.vue	Removes External hypervisor restriction from console buttons
server/src/main/java/org/apache/cloudstack/consoleproxy/ConsoleAccessManagerImpl.java	Adds console connection details handling for External hypervisors with proper fallback logic
server/src/main/java/com/cloud/servlet/ConsoleProxyServlet.java	Adds authentication bypass for External hypervisor instances
server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java	Adds authentication bypass for External hypervisor instances
server/src/main/java/com/cloud/server/ManagementServerImpl.java	Implements getExternalVmConsole method
extensions/Proxmox/proxmox.sh	Adds getconsole action for Proxmox VNC proxy support
Multiple test files	Comprehensive test coverage for new console functionality
Multiple API/framework files	New command classes and framework integration

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 14936

[nvazquez]

Thanks @shwstppr LGTM - left only some minor comments.

It would worth documenting what CloudStack expects from external extensions in order to display the console correctly.

[kiranchavala]

@blueorangutan test

[blueorangutan]

@kiranchavala a [SL] Trillian-Jenkins test job (ol8 mgmt + kvm-ol8) has been kicked to run smoke tests

[kiranchavala]

LGTM

Test Case Execution	Result
Test the console access of a proxmox vm from the UI	Pass
Test the listConsoleSessions api call	Pass
Test the api createConsoleEndpoint	Pass
Test the Direct Url based console	Pass
Test from multiple management servers enabled environment	Pass
Test from a ssl enabled cloudstack-management server	Pass

[blueorangutan]

[SF] Trillian test result (tid-14431)
Environment: kvm-ol8 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 51538 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11601-t14431-kvm-ol8.zip
Smoke tests completed. 147 look OK, 0 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File

[rohityadavcloud]

Changes requested:

1. Improve spec & documentation on getconsole access types, vnc and url. This does not make sense to me: " the extension returns a console URL with the protocol set to direct, url, or link. The URL is then provided directly to the user." Please also update https://github.com/apache/cloudstack-documentation/pull/560/files

2. In the getconsole, can we pass some kind of account or role type information, which can be used by Extension authors to return different URLs for different types of roles. For example, return an internal URL if the caller is a root admin versus a normal/public URL if the caller is a public tenant.

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[shwstppr]

@rohityadavcloud @harikrishna-patnala addressed comments. Now all extension payloads will contain caller field in externaldetails which will give basic details of the caller. Please see if that works for you

# cat /var/lib/cloudstack/management/extensions/Proxmox/5811778e-bded-4576-96bb-3d529d8c0a33.json | jq
{
  "virtualmachineid": "126f4562-1f0f-4313-875e-6150cabeb72f",
  "cloudstack.vm.details": {
    "id": 45,
    "name": "i-2-45-VM",
    "state": "Running",
    "type": "User",
    "cpus": 1,
    "minSpeed": 500,
    "maxSpeed": 500,
    "minRam": 536870912,
    "maxRam": 536870912,
    "arch": "x86_64",
    "bootArgs": "",
    "enableHA": false,
    "limitCpuUse": false,
    "enableDynamicallyScaleVm": false,
    "vncPassword": "uHQHQ4niy8f4ogwCM1k-rw",
    "details": {
      "proxmox_vmid": "103",
      "cpuOvercommitRatio": "2.0",
      "External:template_type": "template",
      "External:template_id": "101",
      "Message.ReservedCapacityFreed.Flag": "false"
    },
    "uuid": "126f4562-1f0f-4313-875e-6150cabeb72f",
    "enterHardwareSetup": false,
    "disks": [],
    "nics": [],
    "configDriveLocation": "SECONDARY",
    "guestOsDetails": {},
    "extraConfig": {},
    "networkIdToNetworkNameMap": {}
  },
  "virtualmachinename": "i-2-45-VM",
  "externaldetails": {
    "caller": {
      "roleid": "6b86674b-7e61-11f0-ba77-1e00c8000158",
      "rolename": "Root Admin",
      "name": "admin",
      "roletype": "Admin",
      "id": "93567ed9-7e61-11f0-ba77-1e00c8000158",
      "type": "ADMIN"
    },
    "host": {
      "node": "ref-trl-9283-k-mr8-abhishek-kumar-proxmox1",
      "network_bridge": "cloudbr1",
      "secret": "c0541327-d325-4a0f-8e14-3baf9eeb2da0",
      "user": "root@pam",
      "verify_tls_certificate": "false",
      "url": "10.0.35.44",
      "token": "token1"
    },
    "virtualmachine": {
      "template_type": "template",
      "template_id": "101"
    }
  }
}

[blueorangutan]

Packaging result [SF]: ✖️ el8 ✖️ el9 ✔️ debian ✖️ suse15. SL-JID 15161

[rohityadavcloud]

LGTM, didn't test the changes but good to see my remarks have been addressed. Thanks Abhishek, great work.

[shwstppr]

On a second thought, I feel caller field shouldn't be a child of externaldetails. I would make changes to move it to the root element.

[shwstppr]

@blueorangutan package

[blueorangutan]

@shwstppr a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.

[blueorangutan]

Packaging result [SF]: ✔️ el8 ✔️ el9 ✔️ el10 ✔️ debian ✔️ suse15. SL-JID 15165

[shwstppr]

@blueorangutan test ol8 vmware-80u3

[blueorangutan]

@shwstppr a [SL] Trillian-Jenkins test job (ol8 mgmt + vmware-80u3) has been kicked to run smoke tests

[blueorangutan]

[SF] Trillian test result (tid-14439)
Environment: vmware-80u3 (x2), zone: Advanced Networking with Mgmt server ol8
Total time taken: 78614 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr11601-t14439-vmware-80u3.zip
Smoke tests completed. 144 look OK, 3 have errors, 0 did not run
Only failed and skipped tests results shown below:

Test	Result	Time (s)	Test File
test_08_upgrade_kubernetes_ha_cluster	Failure	3681.92	test_kubernetes_clusters.py
test_01_ssl_offloading_isolated_network	Failure	895.58	test_ssl_offloading.py
test_02_ssl_offloading_project_vpc	Failure	764.59	test_ssl_offloading.py
test_01_vpn_usage	Error	1.11	test_usage.py

[shwstppr]

Some VMware test failures unrelated. Similar results seen here in healthcheck, #11523 (comment)
Merging based on reviews and test results