Provisioning the VM console secret
The in-browser VM console needs a one-time setup on each server appliance: a shared secret that lets Turtini issue console tickets the host trusts. This is an operator task run on the machine.
Why it's needed:
When you open a VM console, Turtini signs a short-lived ticket and the host-agent verifies it before bridging you to the VM's screen. Both sides must share the same secret for that to work. Until it's provisioned, the console panel falls back to showing the raw endpoint for a standalone VNC client.
The one command:
On the TurtiniOS server node, run as root:
sudo /usr/libexec/turtini/provision-console.sh
It generates one random secret, writes the same value to both the fabric service and the host-agent configuration, and opens the console port so the web front door can reach the host bridge. It's idempotent — running it again keeps the existing secret. To rotate to a fresh secret, add --rotate.
Apply it:
systemctl restart turtini-fabric turtini-node-agent
After that, the Console button on a running VM opens noVNC in the browser over a secure same-origin connection.
Notes:
• The secret is never printed and is stored with restricted permissions.
• The host must be reachable from the web front door on the console port; the script opens it in the firewall when one is active.