Re: [libvirt] [PATCH v2 11/12] spice: introduce spice_auto_unix_socket config option

2016-05-12 Thread Christophe Fergeau
On Wed, May 11, 2016 at 05:08:30PM +0200, Pavel Hrdina wrote:
> Signed-off-by: Pavel Hrdina 
> ---
>  src/qemu/qemu.conf | 11 +++
>  src/qemu/qemu_conf.c   |  1 +
>  src/qemu/qemu_conf.h   |  1 +
>  src/qemu/qemu_process.c|  4 +++
>  ...emuxml2argv-graphics-spice-auto-socket-cfg.args | 20 +
>  ...qemuxml2argv-graphics-spice-auto-socket-cfg.xml | 30 +++
>  tests/qemuxml2argvtest.c   |  5 
>  ...muxml2xmlout-graphics-spice-auto-socket-cfg.xml | 35 
> ++
>  tests/qemuxml2xmltest.c|  4 +++
>  9 files changed, 111 insertions(+)
>  create mode 100644 
> tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
>  create mode 100644 
> tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
>  create mode 100644 
> tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml
> 
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 4fa5e8a..baf0b00 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -130,6 +130,17 @@
>  #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
>  
>  
> +# Enable this option to have SPICE served over an automatically created
> +# unix socket. This prevents unprivileged access from users on the
> +# host machine, though most SPICE clients do not support it.
> +#
> +# This will only be enabled for SPICE configurations that do not have
> +# a hardcoded 'listen' or 'socket' value. This setting takes preference

I think the "hardcoded 'listen' or 'socket' value" should be rephrased
to refer to  nodes instead.

Christophe


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2 11/12] spice: introduce spice_auto_unix_socket config option

2016-05-12 Thread Pavel Hrdina
On Wed, May 11, 2016 at 08:14:36PM +0200, Marc-André Lureau wrote:
> Hi
> 
> On Wed, May 11, 2016 at 5:08 PM, Pavel Hrdina  wrote:
> > Signed-off-by: Pavel Hrdina 
> > ---
> 
> make check fails:
> test_libvirtd_qemu.aug:68.3-145.28:exception thrown in test
> test_libvirtd_qemu.aug:68.8-.34:exception: Iterated lens matched less
> than it should
> Lens: ./qemu/libvirtd_qemu.aug:113.13-.43:
>   Last match: ./qemu/libvirtd_qemu.aug:109.17-.31:
> Error encountered at 13:0 (324 characters into string)
> < = "/etc/pki/libvirt-spice"\n|=|spice_auto_unix_socket = 1\ns>

I guess that I should install augeas :) thanks.

> Tbh, I don't understand the need for unix socket listening when using
> libvirt. If you use libvirt to manage your VM, you may as well just
> use it to connect to the display (virt-viewer --attach). This avoids
> having extra listening sockets. Other than that, looks good to me.

This will allow us to add another way to restrict access to the graphics
console. I'll add a  for the  and the administrator
can set a uid/gid to restrict access to this socket.

Pavel

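As an added example (not libvirt code, and not from anyone in this thread), the check below evaluates the claim in the qemu.conf comment that the auto-created unix socket keeps unprivileged host users out: it walks the directory chain and the socket inode with classic mode bits for a given uid/gid, which is the mechanism a uid/gid restriction on the socket would rely on. The sample chain and the uid/gid 107 are constructed; ACLs and sVirt/SELinux labels, which libvirt also applies, are out of scope.

```python
import os
import stat

# Constructed sample: (mode, uid, gid) of each path component, root first, for
# a socket such as .../domain-1-QEMUGuest1/spice.sock; 107 stands in for qemu.
SAMPLE_CHAIN = [
    (stat.S_IFDIR | 0o755, 0, 0),       # /
    (stat.S_IFDIR | 0o755, 0, 0),       # /var
    (stat.S_IFDIR | 0o755, 0, 0),       # /var/lib
    (stat.S_IFDIR | 0o755, 0, 0),       # /var/lib/libvirt
    (stat.S_IFDIR | 0o750, 107, 107),   # /var/lib/libvirt/qemu
    (stat.S_IFDIR | 0o750, 107, 107),   # .../domain-1-QEMUGuest1
    (stat.S_IFSOCK | 0o777, 107, 107),  # .../spice.sock, world-writable inode
]

def _allowed(mode, st_uid, st_gid, uid, gid, u_bit, g_bit, o_bit):
    """Classic DAC check on one inode: owner, else group, else other."""
    if uid == 0:                  # root bypasses mode bits (CAP_DAC_OVERRIDE)
        return True
    if uid == st_uid:
        return bool(mode & u_bit)
    if gid == st_gid:
        return bool(mode & g_bit)
    return bool(mode & o_bit)

def reachable(chain, uid, gid):
    """Return (ok, reason): can (uid, gid) connect() to the socket in chain?
    Each directory needs search (x) and the socket inode needs write, which
    is what AF_UNIX connect() demands. ACLs and sVirt labels are ignored."""
    *dirs, (smode, suid, sgid) = chain
    for depth, (mode, duid, dgid) in enumerate(dirs):
        if not _allowed(mode, duid, dgid, uid, gid,
                        stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, "no search permission on component %d" % depth
    if not stat.S_ISSOCK(smode):
        return False, "final component is not a unix socket"
    if not _allowed(smode, suid, sgid, uid, gid,
                    stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        return False, "no write permission on the socket"
    return True, "reachable"

def socket_reachable(path, uid, gid):
    """Stat every component of a real path and evaluate reachable() on it."""
    chain, cur = [], os.sep
    for part in [""] + os.path.abspath(path).split(os.sep)[1:]:
        cur = os.path.join(cur, part)       # first iteration stats "/" itself
        st = os.stat(cur)
        chain.append((st.st_mode, st.st_uid, st.st_gid))
    return reachable(chain, uid, gid)
```

Run socket_reachable() against the real per-domain socket path with the uid/gid of a non-libvirt user to confirm that the directory chain, not the socket type, is what keeps that user out.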

Re: [libvirt] [PATCH v2 11/12] spice: introduce spice_auto_unix_socket config option

2016-05-11 Thread Marc-André Lureau
Hi

On Wed, May 11, 2016 at 5:08 PM, Pavel Hrdina  wrote:
> Signed-off-by: Pavel Hrdina 
> ---

make check fails:
test_libvirtd_qemu.aug:68.3-145.28:exception thrown in test
test_libvirtd_qemu.aug:68.8-.34:exception: Iterated lens matched less
than it should
Lens: ./qemu/libvirtd_qemu.aug:113.13-.43:
  Last match: ./qemu/libvirtd_qemu.aug:109.17-.31:
Error encountered at 13:0 (324 characters into string)
< = "/etc/pki/libvirt-spice"\n|=|spice_auto_unix_socket = 1\ns>


Tbh, I don't understand the need for unix socket listening when using
libvirt. If you use libvirt to manage your VM, you may as well just
use it to connect to the display (virt-viewer --attach). This avoids
having extra listening sockets. Other than that, looks good to me.



>  src/qemu/qemu.conf | 11 +++
>  src/qemu/qemu_conf.c   |  1 +
>  src/qemu/qemu_conf.h   |  1 +
>  src/qemu/qemu_process.c|  4 +++
>  ...emuxml2argv-graphics-spice-auto-socket-cfg.args | 20 +
>  ...qemuxml2argv-graphics-spice-auto-socket-cfg.xml | 30 +++
>  tests/qemuxml2argvtest.c   |  5 
>  ...muxml2xmlout-graphics-spice-auto-socket-cfg.xml | 35 
> ++
>  tests/qemuxml2xmltest.c|  4 +++
>  9 files changed, 111 insertions(+)
>  create mode 100644 
> tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
>  create mode 100644 
> tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
>  create mode 100644 
> tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 4fa5e8a..baf0b00 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -130,6 +130,17 @@
>  #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
>
>
> +# Enable this option to have SPICE served over an automatically created
> +# unix socket. This prevents unprivileged access from users on the
> +# host machine, though most SPICE clients do not support it.
> +#
> +# This will only be enabled for SPICE configurations that do not have
> +# a hardcoded 'listen' or 'socket' value. This setting takes preference
> +# over spice_listen.
> +#
> +#spice_auto_unix_socket = 1
> +
> +
>  # The default SPICE password. This parameter is only used if the
>  # per-domain XML config does not already provide a password. To
>  # allow access without passwords, leave this commented out. An
> diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
> index e00ddca..d4c34c9 100644
> --- a/src/qemu/qemu_conf.c
> +++ b/src/qemu/qemu_conf.c
> @@ -588,6 +588,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr 
> cfg,
>  GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
>  GET_VALUE_STR("spice_listen", cfg->spiceListen);
>  GET_VALUE_STR("spice_password", cfg->spicePassword);
> +GET_VALUE_BOOL("spice_auto_unix_socket", cfg->spiceAutoUnixSocket);
>
>
>  GET_VALUE_ULONG("remote_websocket_port_min", cfg->webSocketPortMin);
> diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
> index a714b84..c94bf13 100644
> --- a/src/qemu/qemu_conf.h
> +++ b/src/qemu/qemu_conf.h
> @@ -123,6 +123,7 @@ struct _virQEMUDriverConfig {
>  char *spiceSASLdir;
>  char *spiceListen;
>  char *spicePassword;
> +bool spiceAutoUnixSocket;
>
>  int remotePortMin;
>  int remotePortMax;
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 21c2db2..05ddb32 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -4438,7 +4438,11 @@ qemuProcessGraphicsListenGenerate(virDomainObjPtr vm,
>  break;
>
>  case VIR_DOMAIN_GRAPHICS_TYPE_SPICE:
> +if (cfg->spiceAutoUnixSocket) {
> +autoSocket = true;
> +} else {
>  listenAddr = cfg->spiceListen;
> +}
>  break;
>
>  case VIR_DOMAIN_GRAPHICS_TYPE_SDL:
> diff --git 
> a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args 
> b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
> new file mode 100644
> index 000..61335b0
> --- /dev/null
> +++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
> @@ -0,0 +1,20 @@
> +LC_ALL=C \
> +PATH=/bin \
> +HOME=/home/test \
> +USER=test \
> +LOGNAME=test \
> +QEMU_AUDIO_DRV=spice \
> +/usr/bin/qemu \
> +-name QEMUGuest1 \
> +-S \
> +-M pc \
> +-m 214 \
> +-smp 1 \
> +-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
> +-nodefaults \
> +-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
> +-no-acpi \
> +-boot c \
> +-usb \
> +-spice unix,addr=/tmp/lib/domain--1-QEMUGuest1/spice.sock \
> +-vga cirrus
> diff --git 
> a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml 
> 

[libvirt] [PATCH v2 11/12] spice: introduce spice_auto_unix_socket config option

2016-05-11 Thread Pavel Hrdina
Signed-off-by: Pavel Hrdina 
---
 src/qemu/qemu.conf | 11 +++
 src/qemu/qemu_conf.c   |  1 +
 src/qemu/qemu_conf.h   |  1 +
 src/qemu/qemu_process.c|  4 +++
 ...emuxml2argv-graphics-spice-auto-socket-cfg.args | 20 +
 ...qemuxml2argv-graphics-spice-auto-socket-cfg.xml | 30 +++
 tests/qemuxml2argvtest.c   |  5 
 ...muxml2xmlout-graphics-spice-auto-socket-cfg.xml | 35 ++
 tests/qemuxml2xmltest.c|  4 +++
 9 files changed, 111 insertions(+)
 create mode 100644 
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
 create mode 100644 
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
 create mode 100644 
tests/qemuxml2xmloutdata/qemuxml2xmlout-graphics-spice-auto-socket-cfg.xml
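Review bot: the commit carries no message body beyond the Signed-off-by line. A qemu.conf option that changes the listener libvirt hands to QEMU should say in the commit message what it does, that it overrides spice_listen, that it is skipped for domains whose XML names its own listen address or socket, and what the access-control intent is; the question raised in this thread about why a unix socket is wanted at all is exactly what that paragraph would answer.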

diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 4fa5e8a..baf0b00 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -130,6 +130,17 @@
 #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
 
 
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most SPICE clients do not support it.
+#
+# This will only be enabled for SPICE configurations that do not have
+# a hardcoded 'listen' or 'socket' value. This setting takes preference
+# over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
 # The default SPICE password. This parameter is only used if the
 # per-domain XML config does not already provide a password. To
 # allow access without passwords, leave this commented out. An
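Review bot: the new key is added to qemu.conf but the diffstat shows no change to the augeas lens (qemu/libvirtd_qemu.aug) or its test, and the `make check` failure reported in this thread ("Iterated lens matched less than it should" at `spice_auto_unix_socket = 1`) is the result; the lens entry and the test_libvirtd_qemu.aug case for the new key belong in this same patch. Separately, "a hardcoded 'listen' or 'socket' value" is loose wording for the domain XML: say that the option only applies to a `<graphics type='spice'>` element without an explicit `<listen>` child, so an administrator knows which XML takes precedence over qemu.conf.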
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index e00ddca..d4c34c9 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -588,6 +588,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
 GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
 GET_VALUE_STR("spice_listen", cfg->spiceListen);
 GET_VALUE_STR("spice_password", cfg->spicePassword);
+GET_VALUE_BOOL("spice_auto_unix_socket", cfg->spiceAutoUnixSocket);
 
 
 GET_VALUE_ULONG("remote_websocket_port_min", cfg->webSocketPortMin);
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index a714b84..c94bf13 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -123,6 +123,7 @@ struct _virQEMUDriverConfig {
 char *spiceSASLdir;
 char *spiceListen;
 char *spicePassword;
+bool spiceAutoUnixSocket;
 
 int remotePortMin;
 int remotePortMax;
diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 21c2db2..05ddb32 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -4438,7 +4438,11 @@ qemuProcessGraphicsListenGenerate(virDomainObjPtr vm,
 break;
 
 case VIR_DOMAIN_GRAPHICS_TYPE_SPICE:
+if (cfg->spiceAutoUnixSocket) {
+autoSocket = true;
+} else {
 listenAddr = cfg->spiceListen;
+}
 break;
 
 case VIR_DOMAIN_GRAPHICS_TYPE_SDL:
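Review bot: `if (cfg->spiceAutoUnixSocket)` sets autoSocket for every SPICE domain, while the qemu.conf text promises the option is ignored when the domain XML already specifies a listen address or socket; that restriction is not visible in this hunk, so it has to be enforced by the code after the switch in qemuProcessGraphicsListenGenerate(), and a one-line comment here pointing at where would save the next reader the same check. The else branch also means cfg->spiceListen is silently dropped whenever both keys are set, which matches "takes preference over spice_listen" in qemu.conf but deserves a VIR_DEBUG so the ignored setting shows up in the logs.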
diff --git 
a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args 
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
new file mode 100644
index 000..61335b0
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.args
@@ -0,0 +1,20 @@
+LC_ALL=C \
+PATH=/bin \
+HOME=/home/test \
+USER=test \
+LOGNAME=test \
+QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu \
+-name QEMUGuest1 \
+-S \
+-M pc \
+-m 214 \
+-smp 1 \
+-uuid c7a5fdbd-edaf-9455-926a-d65c16db1809 \
+-nodefaults \
+-monitor unix:/tmp/lib/domain--1-QEMUGuest1/monitor.sock,server,nowait \
+-no-acpi \
+-boot c \
+-usb \
+-spice unix,addr=/tmp/lib/domain--1-QEMUGuest1/spice.sock \
+-vga cirrus
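Review bot: the expected command line puts spice.sock in the same per-domain directory as monitor.sock (/tmp/lib/domain--1-QEMUGuest1/ in the test tree). The qemu.conf comment says this "prevents unprivileged access from users on the host machine", but that property comes from the ownership and mode of that directory rather than from the socket type, so the documentation should state that the socket inherits the per-domain directory's protection and which uid/gid can therefore connect; the uid/gid restriction promised later in this thread is the place to make that explicit.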
diff --git 
a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml 
b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
new file mode 100644
index 000..ff155c3
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-auto-socket-cfg.xml
@@ -0,0 +1,30 @@
+
+  QEMUGuest1
+  c7a5fdbd-edaf-9455-926a-d65c16db1809
+  219100
+  219100
+  1
+  
+hvm
+
+  
+  
+  destroy
+  restart
+  destroy
+  
+/usr/bin/qemu
+
+
+
+
+
+
+  
+
+
+  
+
+
+  
+
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index a3651c9..f046060 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -950,6 +950,11 @@ mymain(void)
 DO_TEST("graphics-spice-auto-socket",
 QEMU_CAPS_SPICE,
 QEMU_CAPS_SPICE_UNIX);
+driver.config->spiceAutoUnixSocket = true;
+DO_TEST("graphics-spice-auto-socket-cfg",
+QEMU_CAPS_SPICE,
+QEMU_CAPS_SPICE_UNIX);
+driver.config->spiceAutoUnixSocket = false;
 
 DO_TEST("input-usbmouse", NONE);
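Review bot: flipping driver.config->spiceAutoUnixSocket around one DO_TEST and resetting it afterwards is fine, but the case only covers a domain with no explicit listen, so it does not exercise the "takes preference over spice_listen" claim unless driver.config->spiceListen is also set for this run; consider a second DO_TEST with spiceListen set and a domain XML carrying an explicit `<listen>` address, to show that the explicit address still wins and the socket is generated only for domains without one.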