>>So upon migration, libvirt/ovirt will set the dest VM with the same old >>password? That sounds sane to me in general, but looks kinda against an >>expiry-based ticket.
Yes, that's why I think is strange too. When a ticked is expired, it shouldn't be reused and stored. I don't known too much the spice procotol, but I see 3 workaround: 1) extend client_info_migrate to send a new ticket/password. 2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this) 3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ? (Note, I'm working on this for Proxmox integration, I don't known if I can easily implement something like this, without changing spice client ? I can hack qemu or spice server). ----- Mail original ----- De: "Marc-André Lureau" <mlur...@redhat.com> À: "Yonit Halperin" <yhalp...@redhat.com> Cc: "Alexandre DERUMIER" <aderum...@odiso.com>, "spice-devel" <spice-devel@lists.freedesktop.org> Envoyé: Lundi 22 Juillet 2013 18:50:43 Objet: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm Hi ----- Mensaje original ----- > Hi, > On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote: > > Hi, > > > > I'm trying to do migration, and I have a question about password on target > > vm. > > > > > > If I understand, client try to connect to target vm with same password > > (temporary ticket) used to connect to source vm. > > > > > > But, we need to configure this password to target vm, as I think that qemu > > migration process don't copy the password between both spice server right > > ? > > So we need to store this password somewhere on the host, which seem to be > > bad for security. (Seem that libvirt store it in guest config xml) > ovirt's vdsm sets to the destination host the same ticket that was set > upon the original connection. > > > > Is it possible to generate a new ticket for target vm, and send it to the > > client ? (I don't see any option in qmp client_migrate_info ) > > > I don't think there is a way to do it without changing > client_migrate_info and the protocol. Even if we would have a password > option in client_migrate_info, I don't know if libvirt can retrieve this > information. > So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks. _______________________________________________ Spice-devel mailing list Spice-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/spice-devel
