[one-users] sunstone: any way to download an image?

Olivier Sallou olivier.sallou at irisa.fr
Mon Apr 23 01:43:02 PDT 2012



On 4/23/12 9:56 AM, Jhon Masschelein wrote:
> Hi,
>
> On our cloud, we made it work, but it's a bit of a hack. The end
> result is that the "source" line in the image template details in the
> sunstone image tab is a click-able link.
>
> here you can see a screenshot:
> https://www.cloud.sara.nl/projects/hpc-cloud-documentation/wiki/Downloading_Images
>
Thanks, this is the kind of feature I expect.
>
>
> A first attempt to use "send_file()" in ruby did not work since there
> is a problem with the "Thin" library that sinatra (sunstone) is using.
> Thin will always load the entire file into memory before sending it
> out. Not what you want.
> (Yes, you can set params on send_file, but apparently, the Thin layer
> keeps buffering the whole file.)
>
> So we went back to basics and made it a simple html file download link:
> (The following works on 3.2.1, haven't tried it with 3.4)
>
>
> 1. Add a "get path" to /usr/lib/one/sunstone/sunstone-server.rb
>
> I put this just above the "Monitoring" comment:
>
> get '/download/var/lib/one/images/:filename' do |filename|
>     redirect "http://ui.calligo.sara.nl/yourimagesdirectory/"+filename
> end
>
>
> 2. Serve the "images" directory
>
> You have to make sure that the /var/lib/one/images directory is served
> by a webserver (apache, lighttpd, whatever) on
> http://<hostname>/yourimagesdirectory/<filename>.
> (Of course you can change this location.)
>
> Again, we'd very much prefer to do this with the send_file in ruby,
> but the problem with the buffering makes this impossible.
>
> Since we are using the lighttpd proxy for sunstone, we just added a
> symbolic link to the opennebula image directory to the documentroot.
> (If you're using the proxy, you'll need to exempt that directory.)
>
>
> 3. Adapt the sunstone plugin
>
> Look for
>
> <td class="value_td">'+(typeof img_info.SOURCE === "string" ?
> img_info.SOURCE : "--")+'</td>\
>
> And change it to
>
> <td class="value_td">\
>   <a href="/download' + img_info.SOURCE + '">'
>   +(typeof img_info.SOURCE === "string" ? img_info.SOURCE : "--")
>   +'</a></td>\
>
>
> Now just go to the image tab in sunstone, select an image, look for
> the source line in the image template and click on it to download it.
>
>
> 4. Security
>
> Do note that this means you have a publicly browse-able directory with
> all your images!
>
> However there is some security due to the naming of the image files: a
> brute force attack would be required to find a UID that matches with
> an existing image name.
>
> Make sure the directory shows no directory listing, of course, or
> someone could just wget the entire directory!
>
> Again, definitely not a 100% safe solution and the moment the Thin
> problem with send_file gets resolved, or sunstone moves to another
> library, we'll change this. But for the moment, it actually works
> rather nicely.
>
> Hope this can inspire you to create a better solution. :)
I do not have an urgent requirement on this, so I will wait for the
moment.... but if I need to implement this before being in official
distrib, I will use your tricks, thanks for it.

Apache redirection is a secure enough solution I think due to the UID
that indeed prevents brute force attack.


Thanks

Olivier

>
> Wkr,
>
> Jhon

-- 
Olivier Sallou
IRISA / University of Rennes 1
Campus de Beaulieu, 35000 RENNES - FRANCE
Tel: 02.99.84.71.95

gpg key id: 4096R/326D8438  (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438
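
Added example, not part of the original thread or of OpenNebula's code: a stricter helper for the redirect route in step 1 of the quoted procedure, which only yields a download URL for a name that looks like an image file name and exists as a regular file in the images directory. The 32-hex-character name pattern, the helper name `download_url_for` and the host `cloud.example.org` are assumptions.

```ruby
require 'tmpdir'

# Assumption: image files are named with 32 lowercase hex characters.
# \A and \z anchor the whole string; ^ and $ would only anchor one line.
IMAGE_NAME = /\A[0-9a-f]{32}\z/

# Returns the public URL for an image, or nil when the route should answer 404.
def download_url_for(filename, images_dir, base_url)
  return nil unless filename.is_a?(String) && filename.match?(IMAGE_NAME)
  begin
    # lstat does not follow symlinks, so a link placed in the directory is refused.
    stat = File.lstat(File.join(images_dir, filename))
  rescue SystemCallError
    return nil
  end
  return nil unless stat.file?
  "#{base_url.chomp('/')}/#{filename}"
end

# Hypothetical use in the Sinatra route from step 1:
#   get '/download/var/lib/one/images/:filename' do |filename|
#     url = download_url_for(filename, '/var/lib/one/images',
#                            'http://<hostname>/yourimagesdirectory')
#     url ? redirect(url) : halt(404)
#   end

# Runs the helper over constructed sample names in a temporary directory.
def demo_results
  Dir.mktmpdir do |dir|
    name = '0123456789abcdef0123456789abcdef' # constructed sample name
    File.write(File.join(dir, name), 'disk image bytes')
    link = 'f' * 32
    File.symlink('/etc/hostname', File.join(dir, link))
    base = 'http://cloud.example.org/yourimagesdirectory/'
    {
      existing:  download_url_for(name, dir, base),
      missing:   download_url_for('0' * 32, dir, base),
      traversal: download_url_for('../../etc/passwd', dir, base),
      multiline: download_url_for("#{name}\n../x", dir, base),
      symlink:   download_url_for(link, dir, base)
    }
  end
end

p demo_results if __FILE__ == $PROGRAM_NAME
```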
