Functionality #14269

make it easier to login directly to the media players

Added by Antoine Beaupré almost 6 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version: Media players - 2015-July
Start date: 2014-05-01
Due date:
% Done: 100%
Estimated time: 4.00 h
RT ticket:
Points: 1

Description

the current auto-ssh package is nice, but it could be improved. right now, we need to first login to the central server, then to the media player.

but what if the SSH tunnel would listen on a public port of the central server? we could reserve a port for each media player (say based on the uid right now) and make it publicly accessible on the media player.

the advantage is that we could login directly to the media players without going through an intermediate step. it would facilitate batch updates and communication between the MPs themselves. this would be a minor modification to the autossh package.

optionally, we could use IPv6 to have real IP addresses for each Media Player, but unfortunately, Amazon doesn't support it so we'd need to roll out some tunneling, which seems a little over the top.

History

#1 Updated by Antoine Beaupré almost 6 years ago

  • Project changed from Media players to isuma-autossh

#2 Updated by Antoine Beaupré almost 6 years ago

  • Description updated (diff)

#3 Updated by Antoine Beaupré almost 6 years ago

  • Status changed from New to Needs client approval

#4 Updated by John Hodgins almost 6 years ago

I like this a lot. It would make future management much easier, and I like the inter-media player communication possibilities! I think this should be started after the other immediate tasks are completed. How much work would it entail?

#5 Updated by Antoine Beaupré almost 6 years ago

  • Status changed from Needs client approval to In progress

it wouldn't be very difficult. the MPs would need to be secured first (changing the password, #14270) and we would need to choose a configuration management tool (#14271). then we would simply change the autossh configuration to allow remote connections and we'd be mostly done.

the only thing that would remain in the above scenario is to have static ports allocated to each MP, but maybe that is not necessary - since we'd need to look at the central server web interface to find the MP uid anyways...

#6 Updated by Antoine Beaupré almost 6 years ago

  • Target version changed from 2014-May to 2014-June

#7 Updated by Antoine Beaupré almost 6 years ago

  • Assignee set to Antoine Beaupré

#8 Updated by Antoine Beaupré over 5 years ago

  • Target version changed from 2014-June to 2014-July

#9 Updated by Antoine Beaupré over 5 years ago

  • Target version changed from 2014-July to 2014-September

#10 Updated by Antoine Beaupré over 5 years ago

  • Target version changed from 2014-September to 2014-October

#11 Updated by Antoine Beaupré over 5 years ago

  • Target version changed from 2014-October to 2014-November

#12 Updated by Antoine Beaupré over 5 years ago

  • Target version changed from 2014-November to 2015-January

#13 Updated by Antoine Beaupré about 5 years ago

  • Target version changed from 2015-January to 2015-February

#14 Updated by Antoine Beaupré about 5 years ago

  • Target version changed from 2015-February to 2015-March

#15 Updated by Antoine Beaupré about 5 years ago

  • Estimated time set to 4.00 h

#17 Updated by Antoine Beaupré almost 5 years ago

  • Target version changed from 2015-March to 2015-April

#18 Updated by Antoine Beaupré almost 5 years ago

  • Target version changed from 2015-April to 2015-May

#19 Updated by Cleve Higgins almost 5 years ago

  • Target version changed from 2015-May to 2015-July

#20 Updated by Antoine Beaupré over 4 years ago

  • Status changed from In progress to Resolved
  • % Done changed from 0 to 100

ports have been allocated, dynamically, by puppet. a list isn't available anywhere right now, but there are instructions in the troubleshooting manual: http://isuma-media-players.readthedocs.org/en/latest/troubleshooting.html#remote-login-to-media-players

i had to change the ssh config on the central server to allow "GatewayPorts", otherwise this went fairly smoothly.
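A defender-side check for the GatewayPorts change mentioned in this comment, added here as an example and not part of the ticket or the isuma-autossh package: it reads an sshd_config on stdin and reports whether GatewayPorts is enabled for every account or only inside a Match block. The account name `tunnel` and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): audit where sshd allows remote
# forwards to bind on public interfaces. Reads sshd_config text on stdin.

# Print "global <value>" or "match <criteria> <value>" for each scope that
# sets GatewayPorts. sshd uses the first value it sees in a scope.
gatewayports_scope() {
    awk '
        BEGIN { scope = "global" }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept Keyword=value
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") {
                sub(/^[^ \t]+[ \t]+/, "", line)  # keep only the criteria
                scope = "match " line
                next
            }
            if (key == "gatewayports" && !(scope in seen)) {
                seen[scope] = 1
                print scope, tolower(f[2])
            }
        }'
}

# Return 0 when the global section leaves GatewayPorts off (the default),
# 1 when every account allowed to forward can open a public listener.
gatewayports_is_scoped() {
    global=$(gatewayports_scope | awk '$1 == "global" { print $2 }')
    case "$global" in
        yes|clientspecified) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample configurations; the account name "tunnel" is hypothetical.
BROAD_CONFIG='GatewayPorts yes'
SCOPED_CONFIG='GatewayPorts no
Match User tunnel
    GatewayPorts clientspecified
    AllowTcpForwarding remote'

for name in BROAD_CONFIG SCOPED_CONFIG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | gatewayports_is_scoped; then verdict=scoped
    else verdict=global; fi
    echo "$name: $verdict"
done
```

Settings inside a Match block override the global section only for the accounts or addresses the block names, so the scoped form keeps public listeners limited to the tunnel account.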

#21 Updated by Antoine Beaupré over 4 years ago

hi

as per #14269, a long standing blocking issue, i have made it impossible
to login to media players (and also the central server) using the
"secret" root password we were using everywhere. this was also discussed
in #14270.

individual user accounts are now required to login to media players and
the central server. access can be granted by Koumbit staff or other
people with access to the puppet server (the central server) using the
directions here:

http://isuma-media-players.readthedocs.org/en/latest/maintenance.html#creating-user-accounts

documentation is a little light right now: it assumes operators know how
to clone puppet repos...

i hope this doesn't create any problems, but this was a blocker for
having access to VLC remotely (#14854). you can see the result here:

http://cs.isuma.tv:28529/

user: "" (nothing)
pass: "CENSORED"

(yes, we reuse our crappy password, but bear with me :)

this gives you access to the koumbit office VLC instance, if it is
running.

cheers,

a.

#22 Updated by Antoine Beaupré over 4 years ago

  • Status changed from Resolved to Needs deployment

my key doesn't get deployed unless a UTF8 locale is available.

also, the homes don't seem to get created even though i did managehome=true in puppet.

#23 Updated by Cara Di Staulo over 4 years ago

Hi,

Thank you Antoine.

Some local operators do regularly visit the central server page to
determine how many files are currently downloading and where their
uploads are in the queue list, so this will be a feature loss for them.
But then again, we will need to give them all this password so they can
operate VLC remotely, right? Which means all operators will have access
to all other MPs including their broadcasts?

Cara Di Staulo
Tel : 514.486.0707 Fax : 514.486.9851

www.isuma.tv

On 28/07/2015 6:13 PM, Antoine Beaupré wrote:

hi

as per #14269, a long standing blocking issue, i have made it impossible
to login to media players (and also the central server) using the
"secret" root password we were using everywhere. this was also discussed
in #14270.

individual user accounts are now required to login to media players and
the central server. access can be granted by Koumbit staff or other
people with access to the puppet server (the central server) using the
directions here:

http://isuma-media-players.readthedocs.org/en/latest/maintenance.html#creating-user-accounts

documentation is a little light right now: it assumes operators know how
to clone puppet repos...

i hope this doesn't create any problems, but this was a blocker for
having access to VLC remotely (#14854). you can see the result here:

http://cs.isuma.tv:28529/

user: "" (nothing)
pass: "isumatv"

(yes, we reuse our crappy password, but bear with me :)

this gives you access to the koumbit office VLC instance, if it is
running.

cheers,

a.

#24 Updated by Antoine Beaupré over 4 years ago

On 2015-08-03 11:51:38, Cara Di Staulo wrote:

Hi,

Thank you Antoine.

Hi!

(trimming Ccs)

Some local operators do regularly visit the central server page to
determine how many files are currently downloading and where their
uploads are in the queue list, so this will be a feature loss for them.

Hmm... well, the central server is a different thing! That is now the
Puppet Dashboard, and we still need to determine how authentication
works there. We could grant people access there.

But then again, we will need to give them all this password so they can
operate VLC remotely, right? Which means all operators will have access
to all other MPs including their broadcasts?

Yes, basically, unless we do per host usernames and passwords.

Ultimately, we need to start thinking about who has access to what and
how. It's kind of unclear to me how this works right now - if we want to
grant people access to the central server (the puppet dashboard and the
remote VLC interface), we'll need to clarify how those credentials work.

Right now, i don't believe there's such functionality, so I am not clear
on what the functionality loss is, but i'd be glad to understand this
better.

Thanks!

A.

#25 Updated by Cara Di Staulo over 4 years ago

On 04/08/2015 11:35 AM, Antoine Beaupré wrote:

On 2015-08-03 11:51:38, Cara Di Staulo wrote:

Hi,

Thank you Antoine.

Hi!

(trimming Ccs)

Some local operators do regularly visit the central server page to
determine how many files are currently downloading and where their
uploads are in the queue list, so this will be a feature loss for them.

Hmm... well, the central server is a different thing! That is now the
Puppet Dashboard, and we still need to determine how authentication
works there. We could grant people access there.

Ideally we would have multiple permission levels and be able to create
user accounts to access all MPs or only some of the MPs so local
operators could check on their MP status without having access to other
MPs. Can this be done? Can this be done under the current Koumbit quote?
Or will it need to be postponed to future development? Currently, when
connected to an MP, any IsumaTV viewer has access to a direct link (on
the right hand side menu, below the Mediaplayer notification, across
IsumaTV) to the Central Server page for the MP.

But then again, we will need to give them all this password so they can
operate VLC remotely, right? Which means all operators will have access
to all other MPs including their broadcasts?

Yes, basically, unless we do per host usernames and passwords.

Ultimately, we need to start thinking about who has access to what and
how. It's kind of unclear to me how this works right now - if we want to
grant people access to the central server (the puppet dashboard and the
remote VLC interface), we'll need to clarify how those credentials work.

Again, ideally, we would have multiple permissions levels to give users
access to one, some or all remote VLC control panels. A community may
have multiple operators that each need access to the panel, however,
they could share one username. Then there are users that may have
multiple MPs with live broadcasts and will need access to all their VLC
control panels. Finally, Koumbit and Isuma operators should have access
to all control panels.

Right now, i don't believe there's such functionality, so I am not clear
on what the functionality loss is, but i'd be glad to understand this
better.

Current functionality is described above for the current central server.
As for VLC, currently users only have access by logging on directly on
the machines. Cleve has been working on the remote VLC as a solution to
allow local operators to launch and control playlists remotely, so
without having to be physically with the MP. Though, it is still
unclear to me how this will work.

Thanks!

A.

#26 Updated by Antoine Beaupré over 4 years ago

  • Assignee changed from Antoine Beaupré to Cleve Higgins

i believe this is mostly complete, but will let cleve confirm this.

#27 Updated by Cleve Higgins over 4 years ago

  • Status changed from Needs deployment to Closed

It works! Like this...

ssh -p MP-PORT -l USER cs.isuma.tv

Finding the MP-PORT isn't exactly "easy" per se, but that is a different issue (#18346) so I will close this ticket.
