# od.config # Configuration File # # This file is a cherrypy config file # Global config is stored in the cherrypy.config dict # Syntax must be Python builtin ConfigParser # # To create your own config file : # update this file, then # ## in docker mode # update your docker-compose.yml file to add the mapping to the od.config file # services: # pyos: # depends_on: # - memcached # - mongodb # image: 'abcdesktop/oio:oc.pyos' # networks: # - netback # volumes: # - /var/run/docker.sock:/var/run/docker.sock # - /tmp/abcdesktop:/mnt/abcdesktop # - /home/demo/abcdesktop/od.config:/var/pyos/od.config # # the last line - /home/demo/abcdesktop/od.config:/var/pyos/od.config add the new mapping # ## in kubernetes mode # run the kubectl create configmap command : # kubectl create configmap abcdesktop-config --from-file=od.config # ####### # data [global] # DEFAULT HOST URL # public host url of the service # change this with your URL or # set the external URL service if you use a reverse proxy default_host_url : 'http://localhost' # END OF DEFAULT HOST URL # WEBSOCKETROUTING # describe which url is returned by od.py to reach the WebSocket server # the more secured value is default_host_url # websocketrouting: permit value are ['bridge', 'default_host_url', 'host','http_origin'] # websocketrouting describe how the web browser can establish web socket to the user container # # the default websocketrouting value is http_origin # default_host_url : the default_host_url value is used as the wss or ws connect # host : use the hostname in the requested url # http_origin : use the hostname set in the recievied http Header request # this is less secure than default_host_url # but it always works # bridge : use if the user's container need to bridge the host's ethernet interface # bridge is only used if user container can bind a local network (level 2) # this value is experimental and is not yet avalaible websocketrouting: 'http_origin' # END OF WEBSOCKETROUTING # BIND_SECTION # # od.py need an ip address and tcp port to listen # ip addr to listen is set by default to 0.0.0.0 # this option is only used if you run od.py without a docker container # this option is only used for developers # if you run this services in a container, the common usage, keep the default value to 0.0.0.0 server.socket_host: '0.0.0.0' # TCP PORT # the default tcp port to listen is 8000 # this tcp port is used by nginx to forward HTTP request to od.py # if you change the default TCP port value, you have to change it to the nginx config file server.socket_port: 8000 # # END OF BIND_SECTION # # EXTERNAL IP ADDRESS SECTION # THIS IS NOT THE BINDING IP ADDR # server.default.ipaddr is only used to locate the external ip of the service # the server.default.ipaddr is used by geoip and Active Directory site subnet queries # the default value is a dummy value '127.0.0.1' # change this value to help geoip to locate your service or for Active Directory site and subnet query server.default.ipaddr: '127.0.0.1' # END OF EXTERNAL IP ADDRESS SECTION # # STACK MODE SECTION # stackmode: 'standalone' or 'kubernetes' # standalone for the mode to use for docker mode, docker mode is recommaned for personnal usuage # kubernetes for the mode to use kubernetes stack.mode: 'standalone' # stack.mode: 'kubernetes' # END OF STACK MODE SECTION # # NETWORK SECTION # OVERLAY NETWORK FOR STACK MODE standalone # overlaynetwork internal network use by oc.user # this option is only used if stack.mode is 'standalone' # kubernetes does not use this value # define the network name to bind user's container # if not set the default value is abcdesktop_netuser stack.network: 'abcdesktop_netuser' # END OF NETWORK SECTION # # CONNECT TO DOCKERD DAEMON SECTION # section describes how od.py can establish a dockerd daemon # # in docker mode, # the docker-compose add by default : # volumes: # - /var/run/docker.sock:/var/run/docker.sock # and the od.py connect to the unix socket /var/run/docker.sock to start container # in docker mode, if the following connections are not set then od.py use the unix socket /var/run/docker.sock # This works fine if we use only one server # # in kubernetes mode # od.py need to reach the dockerd on each compute nodes # this section describes how to secure your dockerd and how od.py can connect to them # read the doc 'Protect the Docker daemon socket' https://docs.docker.com/engine/security/https # to create a CA, server and client keys with OpenSSL # echo 'Build CA Root certificates' # openssl genrsa -aes256 -out ca-key.pem 4096 # openssl req -new -x509 -days 9365 -key ca-key.pem -sha256 -out ca.pem # and change on all nodes the dockerd startup parameters # for example set the HOST var to the FQDN of your compute node # set HOST=mycomputenode.domain.local # set HOST_IP=192.168.9.5 # echo 'Build $HOST certificat' # openssl genrsa -out $HOST.pem 4096 # openssl req -subj "/CN=$HOST" -sha256 -new -key $HOST.pem -out $HOST.csr # echo subjectAltName = DNS:$HOST,IP:$HOST_IP > extfile.cnf # openssl x509 -req -days 9365 -sha256 -in $HOST.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out $HOST.cert.pem -extfile extfile.cnf # then copy $HOST.cert.pem $HOST.pem ca.pem to your compute node # and update the dockerd params # dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376 # # od.py need the CA certificat, X509 client certificat and the associated private key # echo 'Build client-key certificat' # openssl genrsa -out client-key.pem 4096 # openssl req -subj '/CN=client' -new -key client-key.pem -out client.csr # echo extendedKeyUsage = clientAuth > extfile.cnf # openssl x509 -req -days 9365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -extfile extfile.cnf # # First define the tcp port to connect to # the default value is 2376 # daemondockertcpport: 2376 # # daemondockertlscacert CA certificat for the daemondockertlscert # daemondockertlscacert default value is None # to connect to the secured dockerd # set the value to ca.pem computed few lines before # daemondockertlscacert : 'ca.pem' daemondockertlscacert: None # # daemondockertlskey the default value is None # to connect to the secured dockerd # set the value to client-key.pem computed few lines before # daemondockertlskey : 'client-key.pem' daemondockertlskey: None # # daemondockertlscert certificat for the daemondockertlscert # to connect to the secured dockerd # set the value to client-cert.pem computed few lines before # daemondockertlscert : 'client-cert.pem' daemondockertlscert : None # # daemondockerdomainname # daemondockerdomainname the default value is None daemondockerdomainname: None # daemondockerdomainname : 'domain.local' # END OF CONNECT TO DOCKERD DAEMON SECTION # JWT SECTION # # # JWT Token for /API URL # exp : time in seconds, None for unlimited jwt_token_user : { 'exp': 360, 'jwtuserprivatekeyfile': '/config.signing/abcdesktop_jwt_user_signing_private_key.pem', 'jwtuserpublickeyfile' : '/config.signing/abcdesktop_jwt_user_signing_public_key.pem' } # # JWT RSA SIGNING ANS PAYLOAD KEYS # od.py use two RSA keys to sign jwt and encrypt payload's jwt # Use OpenSSL to generate the RSA Keys # # command to build rsa kay pairs for jwt payload # 1024 bits is a smallest value, change here if need # >openssl genrsa -out abcdesktop_jwt_desktop_payload_private_key.pem 1024 # >openssl rsa -in abcdesktop_jwt_desktop_payload_private_key.pem -outform PEM -pubout -out _abcdesktop_jwt_desktop_payload_public_key.pem # >openssl rsa -pubin -in _abcdesktop_jwt_desktop_payload_public_key.pem -RSAPublicKey_out -out abcdesktop_jwt_desktop_payload_public_key.pem # # command build rsa kay pairs for jwt signing # >openssl genrsa -out abcdesktop_jwt_desktop_signing_private_key.pem 1024 # >openssl rsa -in abcdesktop_jwt_desktop_signing_private_key.pem -outform PEM -pubout -out abcdesktop_jwt_desktop_signing_public_key.pem # # ! IMPORTANT # ! the same key files are used by nginx # ! you have to copy the key file to nginx container image # jwt_token_desktop : { 'exp': 240, 'jwtdesktopprivatekeyfile': '/config.signing/abcdesktop_jwt_desktop_signing_private_key.pem', 'jwtdesktoppublickeyfile' : '/config.signing/abcdesktop_jwt_desktop_signing_public_key.pem', 'payloaddesktoppublickeyfile' : '/config.payload/abcdesktop_jwt_desktop_payload_public_key.pem' } # END OF JWT SECTION # ### AUTH SECTION ### # Complete AUTH Sample dictionnary # The authmanagers is defined as a dictionnary object : # # # authmanagers: { # 'external': { }, # 'explicit': { }, # 'implicit': { } # } # The od.config defines 3 kinds of entries in the authmanagers object : # external: use for OAuth 2.0 Authentification # explicit: use for LDAP, LDAPS and ActiveDirectory Authentification # implicit: use for Anonymous Authentification # # external: use for OAuth 2.0 Authentification # 'external': { # 'providers': { # 'google': { # 'displayname': 'Google', # 'enabled': True, # 'client_id': 'YYYYYY', # 'client_secret': 'XXXXXX', # 'scope': 'https://www.googleapis.com/auth/userinfo.email', # 'dialog_url': 'https://accounts.google.com/o/oauth2/v2/auth?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope={scope}', # 'auth_url': 'https://oauth2.googleapis.com/token?code={code}&grant_type=authorization_code&redirect_uri={callback_url}&scope={scope}&client_id={client_id}&client_secret={client_secret}', # 'userinfo_url': 'https://openidconnect.googleapis.com/v1/userinfo?access_token={access_token}', # 'callback_url': 'https://FQDN/API/auth/oauth?manager={manager.name}&provider={name}' # } # } # # explicit: use for LDAP, LDAPS and ActiveDirectory Authentification # # 'explicit': { # 'show_domains': True, # 'providers': { # 'LDAP': { # 'config_ref': 'ldapconfig', # 'enabled': True # } # }} # ldapconfig : { 'planet': { # 'default' : True, # 'ldap_timeout' : 15, # 'ldap_protocol' : 'ldap', # 'ldap_basedn' : 'ou=people,dc=planetexpress,dc=com', # 'servers' : [ '192.168.8.195' ], # 'secure' : False # }} # # explicit with ActiveDirectory Authentification # 'explicit': { # 'show_domains': True, # 'providers': { # 'AD': { # 'config_ref': 'adconfig', # 'enabled': True # } # } # adconfig : { 'AD': { 'default' : True, # 'ldap_timeout' : 15, # 'ldap_protocol' : 'ldap', # 'ldap_basedn' : 'DC=ad,DC=domain,DC=local', # 'ldap_fqdn' : '_ldap._tcp.ad.domain.local', # 'domain' : 'AD', # 'domain_fqdn': 'AD.DOMAIN.LOCAL', # 'servers' : [ '192.168.7.12' ], # 'kerberos_realm': 'AD.DOMAIN.LOCAL', # 'query_dcs' : True, # 'wins_servers' : [ '192.168.1.12' ], # } # } # implicit: use for Anonymous Authentification # 'implicit': { # 'providers': { # 'anonymous': { # 'displayname': 'Anonymous', # 'caption': 'Have a look !', # 'userid': 'anonymous', # 'username': 'Anonymous' # } # } # Default auth managers with implicits defined 'anonymous' authmanagers: { 'external': { }, 'explicit': { }, 'implicit': { 'providers': { 'anonymous': { 'displayname': 'Anonymous', 'caption': 'Have a look !', 'userid': 'anonymous', 'username': 'Anonymous' } } } } # Note serviceaccount is optional ldapconfig : { 'planet': { 'default' : True, 'ldap_timeout' : 15, 'ldap_protocol' : 'ldap', 'ldap_basedn' : 'ou=people,dc=planetexpress,dc=com', 'servers' : [ '192.168.8.195' ], 'secure' : False, 'serviceaccount': { 'login': 'cn=admin,dc=planetexpress,dc=com', 'password': 'GoodNewsEveryone' }}} # Note serviceaccount and wins_servers are optional adconfig : { 'AD': { 'default' : True, 'ldap_timeout' : 15, 'ldap_protocol' : 'ldap', 'ldap_basedn' : 'DC=ad,DC=domain,DC=local', 'ldap_fqdn' : '_ldap._tcp.ad.domain.local', 'domain' : 'AD', 'domain_fqdn': 'AD.DOMAIN.LOCAL', 'servers' : [ '192.168.7.12' ], 'kerberos_realm': 'AD.DOMAIN.LOCAL', 'query_dcs' : True, 'wins_servers' : [ '192.168.1.12' ], 'serviceaccount': { 'login': 'SVCACCOUNT', 'password': 'SVCACCOUNTPASSWORD' } } } # END OF AUTH SECTION # MEMCACHE SECTION # memcache server # describe how od.py can reach the memcached server # memcacheserver is the name (FQDN) of the memcached server # memcacheserver default value is None # memcacheserver SHOULD BE SET TO None # od.py build the default : # in standalone mode the build value is 'memcached' # in kubernetes mode the build value is 'memcached.abcdesktop.svc.cluster.local' # change it if you need or if you have to run od.py in developer env memcacheserver: None # memcacheserver: 'memcached' # memcacheserver: 'memcached.abcdesktop.svc.cluster.local' # # # memcachedport is the tcp port of the memcached server # the default value is 11211 memcachedport: 11211 # END OF MEMCACHE SECTION # MONGO SECTION # mongodb url # describe how od.py can reach the mongodb server # mongodburi is the URI name of the mongodb server # the same var name mongodbserver support connection string URI format # read https://docs.mongodb.com/manual/reference/connection-string/#mongodb-uri # the format is: # mongodb://[username:password@]host1[:port1][,...hostN[:portN]][/[defaultauthdb][?options]] # mongodburl SHOULD BE SET TO None # od.py build the default : # in standalone mode the build value is 'mongodb://mongodb:27017' # in kubernetes mode the build value is 'mongodb://mongodb.abcdesktop.svc.cluster.local:27017' # change it if you need or if you have to run od.py in developer env mongodburl: None # mongodburl: 'mongodb://mongodb:27017' # mongodburl: 'mongodb://mongodb.abcdesktop.svc.cluster.local:27017' # END OF MONGO SECTION # LANGUAGE SECTION # list of default supported language # user container must have the supported language installed # else the default fallback language is en_US language : [ 'af_ZA', 'am_ET', 'an_ES', 'ar_AE', 'ar_BH', 'ar_DZ', 'ar_EG', 'ar_IN', 'ar_IQ', 'ar_JO', 'ar_KW','ar_LB', 'ar_LY', 'ar_MA', 'ar_OM', 'ar_QA', 'ar_SA', 'ar_SD', 'ar_SY', 'ar_TN', 'ar_YE', 'as_IN', 'ast_ES', 'az_AZ', 'be_BY', 'bg_BG', 'bn_BD', 'bn_IN', 'bo_CN', 'bo_IN', 'br_FR', 'bs_BA', 'ca_AD', 'ca_ES', 'ca_FR', 'ca_IT', 'crh_UA', 'cs_CZ', 'cy_GB', 'da_DK', 'de_AT', 'de_BE', 'de_CH', 'de_DE', 'de_LI', 'de_LU', 'dz_BT', 'el_CY', 'el_GR', 'en_AG', 'en_AU', 'en_BW', 'en_CA', 'en_DK', 'en_GB', 'en_HK', 'en_IE', 'en_IN', 'en_NG', 'en_NZ', 'en_PH', 'en_SG', 'en_US', 'en_ZA', 'en_ZM', 'en_ZW', 'eo', 'eo_US', 'es_AR', 'es_BO', 'es_CL', 'es_CO', 'es_CR', 'es_CU', 'es_DO', 'es_EC', 'es_ES', 'es_GT', 'es_HN', 'es_MX', 'es_NI', 'es_PA', 'es_PE', 'es_PR', 'es_PY', 'es_SV', 'es_US', 'es_UY', 'es_VE', 'et_EE', 'eu_ES', 'eu_FR', 'fa_IR', 'fi_FI', 'fr_BE', 'fr_CA', 'fr_CH', 'fr_FR', 'fr_LU', 'ga_IE', 'gd_GB', 'gl_ES', 'gu_IN', 'he_IL', 'hi_IN', 'hr_HR', 'hu_HU', 'id_ID', 'is_IS', 'it_CH', 'it_IT', 'ja_JP', 'ka_GE', 'kk_KZ', 'km_KH', 'kn_IN', 'ko_KR', 'ku_TR', 'lt_LT', 'lv_LV', 'mai_IN', 'mk_MK', 'ml_IN', 'mn_MN', 'mr_IN', 'ms_MY', 'my_MM', 'nb_NO', 'nds_DE', 'nds_NL', 'ne_NP', 'nl_AW', 'nl_BE', 'nl_NL', 'nn_NO', 'oc_FR', 'or_IN', 'pa_IN', 'pa_PK', 'pl_PL', 'pt_BR', 'pt_PT', 'ro_RO', 'ru_RU', 'ru_UA', 'si_LK', 'sk_SK', 'sl_SI', 'sq_AL', 'sq_MK', 'sr_ME', 'sr_RS', 'sv_FI', 'sv_SE', 'ta_IN', 'ta_LK', 'te_IN', 'tg_TJ', 'th_TH', 'tr_CY', 'tr_TR', 'ug_CN', 'uk_UA', 'uz_UZ', 'vi_VN', 'xh_ZA', 'zh_CN', 'zh_HK', 'zh_SG', 'zh_TW' ] # END OF LANGUAGE SECTION # DESKTOP OPTIONS # describe how the user container is created # desktop options # docker images to start # desktop.image is the docker image name to start the desktop user container # this image MUST exists on each abcdesktop node # Please download this image BEFORE starting od.py # desktop.image is used in both standalone and kubernetes mode desktop.image: 'abcdesktopio/oc.user.18.04' # desktop.printerimage is only used in Kubernetes mode # desktop.printerimage is the docker image name to start the printer servive container # Please download this image BEFORE starting od.py if you have to run cupds service in a dedicated container in your user pod desktop.printerimage: 'abcdesktopio/oc.cupsd.18.04' # desktop.useprintercontainer is a BOOLEAN # add or not the desktop.printerimage into the user pod desktop.useprintercontainer: False # desktop.useprintercontainer: True # desktop.soundimage is only used in Kubernetes mode # desktop.soundimage is the docker image name to start the sound servive container # Please download this image BEFORE starting od.py if you have to run pulseaudio service in a dedicated container un your user pod desktop.soundimage: 'abcdesktopio/oc.pulseaudio.18.04' # desktop.usesoundcontainer is a BOOLEAN # add or not the desktop.soundimage into the user pod desktop.usesoundcontainer: False # desktop.usesoundcontainer: True # # desktop.applicationconfig # desktop.hostconfig # use host_config dictionary # read host_config page on abcdesktop website # desktop.applicationconfig : { 'auto_remove' : True, 'ipc_mode' : 'shareable', 'pid_mode' : True, 'network_mode' : 'container', 'shm_size' : '256M' } desktop.hostconfig : { 'auto_remove' : True, 'ipc_mode' : 'shareable', 'pid_mode' : True, 'network_mode' : 'container', 'shm_size' : '256M' } # desktop.usex11unixsocket describes # desktop.usex11unixsocket MUST ALWAYS SET TO True # Only shared tmp volume is supported in this release # tmp volume share X11, /tmp/.pulse.sock, and /tmp/.cupsd.sock # set env # DISPLAY=:0.0 # PULSE_SERVER=/tmp/.pulse.sock # CUPS_SERVER=/tmp/.cupsd.sock # the default value is True # keep this line comment and unchange # desktop.usex11unixsocket : True # desktop.shareipcnamespace # the value is a string # the default value is 'shareable' # This option permit user contain to share the ipc namespace with application # This is only for application # this option is used by pulseaudio by default # Values : # '' : Use daemon default. # 'none' : Own private IPC namespace, with /dev/shm not mounted. # 'private' : Own private IPC namespace. # 'shareable' : Own private IPC namespace, with a possibility to share it with other containers. # 'host' : Use the host system IPC namespace. # If not specified, daemon default is used, which can either be "private" or "shareable", depending on the daemon version and configuration. # IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. # Shared memory segments are used to accelerate inter-process communication at memory speed, rather than through pipes or through the network stack. # Shared memory is commonly used by databases and custom-built. # If these types of applications are broken into multiple containers, you might need to share the IPC mechanisms of the containers, i # using shareable mode for the main (i.e. donor) container, and container: for other containers. desktop.shareipcnamespace : 'shareable' # desktop.shareipcnamespace: 'private' # Option: desktop.desktopuseinternalfqdn # desktop.desktopuseinternalfqdn: BOOLEAN # the default value is False # Nginx front end act as a reverse proxy. This reverse proxy use the FQDN of the user pod to route http request. # To enable the zone update with pod name add the option endpoint_pod_names # to the ConfigMap coredns # desktop.desktopuseinternalfqdn: True # # desktop.homedirectorytype: # values: None or 'volume' or 'persistentVolumeClaim' # This option describes how the default home directory for user user ballon should be created : # # desktop.homedirectorytype: None # if desktop.homedirectorytype is None, then no dedicated volume is created. The oc.user container use a directory inside the container. # All user data will be removed at logout. # # desktop.homedirectorytype: 'volume' # if desktop.homedirectorytype is 'volume'', then a dedicated volume for homedirectory is created, # the oc.user container and applications may share this volume. # This value is only recommanded in docker mode. # # desktop.homedirectorytype: 'persistentVolumeClaim' # User home data are persistent. # if desktop.homedirectorytype is 'persistentVolumeClaim', then homedirectory use a kubernetes Persistent Volume Claim # This value is only avalaible in kubernetes. # This value is recommanded in kubernetes mode. # PersistentVolumeClaim option use a persistentVolumeClaim to create the user home directory. # The persistentVolumeClaim can be mapped to differents storage data (like NFS, iSCSI, RBD...). # Read more about persistentVolumeClaim on the kubernetes.io website. # If you set desktop.homedirectorytype to 'persistentVolumeClaim' # Then you have to set the value of desktop.persistentvolumeclaim desktop.homedirectorytype: 'volume' # desktop.persistentvolumeclaim # value name of the persistentvolumeclaim # example persistentvolumeclaim-home-directory # This value is only avalaible in kubernetes mode. # desktop.persistentvolumeclaim is the name of the Persistent Volume Claim if the desktop.homedirectory is set to 'persistentVolumeClaim'. # The PVC (Persistent Volume Claim) must exist. # kubectl get pvc -n abcdesktop # NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE # persistentvolumeclaim-home-directory Bound pv-volume-home-directory 10Gi RWX storage-local-abcdesktop 3h44m # desktop.persistentvolumeclaim: 'persistentvolumeclaim-home-directory' desktop.persistentvolumeclaim: None # desktop.allowPrivilegeEscalation # value True or False # This value is only avalaible in kubernetes mode, # The desktop.allowPrivilegeEscalation allow a user to run a sudo command. # This option set the runtime privilege and Linux capabilities # The execve system call can grant a newly-started program privileges that its parent did not have, # such as the setuid or setgid Linux flags. # The default value is False # You should only set desktop.allowPrivilegeEscalation to run sudo command. # In production this value MUST be set to False desktop.allowPrivilegeEscalation: False # # desktop.defaultbackgroundcolors # list of string color # example [ '#6EC6F0', '#333333' ] # The desktop.defaultbackgroundcolors allow you to change the desktop default background color. # The default value is a list of string # [ '#6EC6F0', '#333333', '#666666', '#CD3C14', '#4BB4E6', '#50BE87', '#A885D8', '#FFB4E6' ] # The desktop.defaultbackgroundcolors length can contain up to 8 entries. desktop.defaultbackgroundcolors : [ '#6EC6F0', '#333333', '#666666', '#CD3C14', '#4BB4E6', '#50BE87', '#A885D8', '#FFB4E6' ] # desktop.nodeselector # Value None or dict # This option permits to assign user pods to nodes # It specifies a map of key-value pairs. # For the pod to be eligible to run on a node, # the node must have each of the indicated key-value pairs as labels (it can have additional labels as well). # The most common usage is one key-value pair. # { 'disktype': 'ssd' } # desktop.nodeselector: None # desktop.imagePullSecret # The desktop.imagePullSecret is the name of the secret used by Kubernetes to access to the private registry. # The type of desktop.imagePullSecret is a string. # This option is only available in Kubernetes mode, and # only used if you need to store the abcdesktop docker image on a private registry. # Example to build a registry Kubernetes secret named abcdesktopregistrysecret with the docker hub. # kubectl create secret docker-registry abcdesktopregistrysecret --docker-server=https://index.docker.io/v1/ --docker-username=XXXXXXX --docker-password=YYYYYYYU # Example to build a registry Kubernetes secret named abcdesktopregistrysecret with your own privateregistry # kubectl create secret docker-registry abcdesktopregistrysecret --docker-server=registry.mydomain.local:443 --docker-username=XXXXXXX --docker-password=YYYYYYYU desktop.imagePullSecret: None # Add default environment vars # desktop.envlocal is a dictionary. # desktop.envlocal contains a (key,value) added by default as environment variables to oc.user. # Only static variables are defined here. # Dynamics values like language, TZ are set by python code desktop.envlocal : { 'DISPLAY' : ':0.0', 'USER' : 'balloon', 'LOGNAME' : 'balloon', 'LIBOVERLAY_SCROLLBAR' : '0', 'UBUNTU_MENUPROXY' : '0', 'HOME' : '/home/balloon', 'PULSE_SERVER' : '/tmp/.pulse.sock', 'CUPS_SERVER' : '/tmp/.cups.sock' } # # desktop default generic user # balloon is the default generic user name. # The user is created inside the oc.user container # this user MUST exist in the oc.user image # If you change this value, you have to rebuild your own oc.user file # The script oc.user in Dockerfile oc.user : # oc.user Dockerfile commands extract # ENV BUSER balloon # RUN groupadd --gid 4096 $BUSER # RUN useradd --create-home --shell /bin/bash --uid 4096 -g $BUSER --groups lpadmin,sudo $BUSER # desktop.username : 'balloon' # default user id of desktop.username desktop.userid : 4096 # default group id of desktop.username desktop.groupid : 4096 # default home directory of desktop.username desktop.userhomedirectory : '/home/balloon' # END OF DESKTOP OPTIONS # # default dock config # dock option describes which default application are show by default # dock option is a dictionary # 'filemanager' : FileManager application # 'terminal' : Terminal application # 'webshell' : HTML 5, terminal application based on xterm.js # The values are parsed by javascript front # dock : { 'filemanager': { 'args': None, 'acl': { 'permit': [ 'all' ] }, 'showinview': u'dock', 'name': u'FileManager', 'keyword': u'files,file manager', 'launch': u'nautilus.Nautilus', 'displayname': u'FileManager', 'execmode': u'builtin', 'cat': u'utilities,office', 'id': u'filemanager.d', 'icon': u'pantheon-files-icons.svg'}, 'terminal': { 'args': '', 'acl': { 'permit': [ 'all' ] }, 'name': u'TerminalBuiltin', 'keyword': u'terminal,shell,bash,builtin,pantheon', 'launch': u'qterminal.qterminal', 'displayname': u'Terminal Builtin', 'execmode': u'builtin', 'cat': u'utilities,development', 'id': u'terminalbuiltin.d', 'hideindock': True, 'icon': u'pantheon-terminal-builtin-icons.svg'}, 'webshell': { 'name': u'WebShell', 'acl': { 'permit': [ 'all' ] }, 'keyword': u'terminal,shell,webshell,bash,cmd', 'launch': u'frontendjs.webshell', 'displayname': u'Web Shell', 'execmode': u'frontendjs', 'cat': u'utilities,development', 'id': u'webshell.d', 'icon': u'webshell.svg'} } # FRONT END OPTIONS # front.menuconfig is a dictionary to show or hide menu entries # at the to rignt corner # in front js front.menuconfig : { 'settings': True, 'appstore': True, 'screenshot':True, 'download': True, 'logout': True, 'disconnect': True } # PRINTER SECTION # printer.cupsdriverLanguageMap # printer.cupsdriverLanguageMap describe # WARNING 'HPGL2': shoud be 'drv:///sample.drv/generic.ppd', but this fail with xeros workcenter # force xeros workcenter to use PCL driver, this works printer.cupsdriverLanguageMap : { 'PCL': 'drv:///sample.drv/generpcl.ppd', 'PCLXL': 'drv:///sample.drv/generpcl.ppd', 'PostScript': 'drv:///sample.drv/generic.ppd', 'HPGL2': 'drv:///sample.drv/generpcl.ppd', 'default': 'drv:///sample.drv/generic.ppd' } # printer.cupsPrinterEmbeddedList # printer.cupsPrinterEmbeddedList is the list of default printer already prenset in the oc.user container # The values must match with printer.cupsPrinterEmbeddedList : [ 'abcdesktop_PDF_Printer' ] # END OF PRINTER SECTION # # LOGGING SECTION # The logging configuration is a dictionnary object. # The logging configuration describes where and how log message information have to been send. # The syslog and graylog protocol messaging are supported too. # The default features for each handlers are : # handler Features # console log message using a logging.StreamHandler to the stream: ext://sys.stdout formated as standard # cherrypy_console log message using a logging.StreamHandler to the stream: ext://sys.stdout formatted as access # cherrypy_access log message using a logging.StreamHandler to the file stream logs/access.log formatted as access # cherrypy_trace log message using a logging.StreamHandler to the stream: logs/trace.log formatted as standard # # Sub modules used by od.py can log information too. # # Sub module Default Values # docker.utils.config { 'level': 'INFO' }, # urllib3.connectionpool { 'level': 'ERROR'}, # # # logging configuration # come from https://docs.python.org/3.8/library/logging.config.html # need double %% to escape % # # graylog https://github.com/severb/graypy # use handler class name as # graypy.GELFUDPHandler - UDP log forwarding # graypy.GELFTCPHandler - TCP log forwarding # graypy.GELFTLSHandler - TCP log forwarding with TLS support # graypy.GELFHTTPHandler - HTTP log forwarding # graypy.GELFRabbitHandler - RabbitMQ log forwarding logging: { 'version': 1, 'disable_existing_loggers': False, 'formatters': { 'access': { 'format': '%%(message)s - user: %%(userid)s', 'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' }, 'standard': { 'format': '%%(asctime)s %%(module)s [%%(levelname)-7s] %%(name)s.%%(funcName)s:%%(userid)s %%(message)s', 'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' }, 'syslog': { 'format': '%%(asctime)s %%(levelname)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s', 'datefmt': '%%Y-%%m-%%d %%H:%%M:%%S' }, 'graylog': { 'format': '%%(levelname)s %%(module)s %%(process)d %%(name)s.%%(funcName)s:%%(userid)s %%(message)s' } }, 'filters': { 'odcontext': { '()': 'oc.logging.OdContextFilter' } }, 'handlers': { 'console': { 'class': 'logging.StreamHandler', 'filters': [ 'odcontext' ], 'formatter': 'standard', 'stream': 'ext://sys.stdout' }, 'cherrypy_console': { 'class': 'logging.StreamHandler', 'filters': [ 'odcontext' ], 'formatter': 'access', 'stream': 'ext://sys.stdout' }, 'cherrypy_access': { 'class': 'logging.handlers.RotatingFileHandler', 'filters': [ 'odcontext' ], 'formatter': 'access', 'filename': 'logs/access.log', 'maxBytes': 10485760, 'backupCount': 20, 'encoding': 'utf8' }, 'cherrypy_trace': { 'class': 'logging.handlers.RotatingFileHandler', 'filters': [ 'odcontext' ], 'formatter': 'standard', 'filename': 'logs/trace.log', 'maxBytes': 10485760, 'backupCount': 20, 'encoding': 'utf8', 'mode': 'w' } }, 'loggers': { '': { 'handlers': [ 'console', 'cherrypy_trace' ], 'level': 'DEBUG' }, 'docker.utils.config': { 'level': 'INFO' }, 'urllib3.connectionpool': { 'level': 'ERROR' }, 'cherrypy.access': { 'handlers': [ 'cherrypy_access' ], 'level': 'INFO', 'propagate': False }, 'cherrypy.error': { 'handlers': [ 'console', 'cherrypy_trace' ], 'level': 'ERROR', 'propagate': False } } } # END OF LOGGING SECTION [/] [/img]