+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# spice_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-spice. This directory
+# must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out. An
+# empty string will still enable passwords, but be rejected by
+# QEMU effectively preventing any use of SPICE. Obviously change
+# this example here before you set this
+#
+# spice_password = "XYZ12345"
+
# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
return -1;
}
+ if (!(driver->spiceListen = strdup("127.0.0.1"))) {
+ virReportOOMError();
+ return -1;
+ }
+ if (!(driver->spiceTLSx509certdir = strdup(SYSCONF_DIR "/pki/libvirt-spice"))) {
+ virReportOOMError();
+ return -1;
+ }
+
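Review bot: The built-in default for spiceTLSx509certdir is derived from SYSCONF_DIR at the strdup on the fifth line of the hunk, whereas the sample qemu.conf text in this same commit spells the path out as /etc/pki/libvirt-spice; a one-line comment would keep a future reader from "fixing" one to match the other, e.g. `/* Matches the documented /etc/pki/libvirt-spice when sysconfdir is /etc; built from SYSCONF_DIR so a relocated install still finds its certificates */`. spiceListen defaults to the loopback address before the config file is consulted, which is the safe choice, and it is worth stating that intent on the line: `/* loopback by default; only qemu.conf or per-domain XML widen this */`. The enclosing function begins and ends outside this hunk.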
#if defined HAVE_MNTENT_H && defined HAVE_GETMNTENT_R
/* For privileged driver, try and find hugepage mount automatically.
* Non-privileged driver requires admin to create a dir for the
}
}
+ p = virConfGetValue (conf, "spice_tls");
+ CHECK_TYPE ("spice_tls", VIR_CONF_LONG);
+ if (p) driver->spiceTLS = p->l;
+
+ p = virConfGetValue (conf, "spice_tls_x509_cert_dir");
+ CHECK_TYPE ("spice_tls_x509_cert_dir", VIR_CONF_STRING);
+ if (p && p->str) {
+ VIR_FREE(driver->spiceTLSx509certdir);
+ if (!(driver->spiceTLSx509certdir = strdup(p->str))) {
+ virReportOOMError();
+ virConfFree(conf);
+ return -1;
+ }
+ }
+
+ p = virConfGetValue (conf, "spice_listen");
+ CHECK_TYPE ("spice_listen", VIR_CONF_STRING);
+ if (p && p->str) {
+ VIR_FREE(driver->spiceListen);
+ if (!(driver->spiceListen = strdup(p->str))) {
+ virReportOOMError();
+ virConfFree(conf);
+ return -1;
+ }
+ }
+
+ p = virConfGetValue (conf, "spice_password");
+ CHECK_TYPE ("spice_password", VIR_CONF_STRING);
+ if (p && p->str) {
+ VIR_FREE(driver->spicePassword);
+ if (!(driver->spicePassword = strdup(p->str))) {
+ virReportOOMError();
+ virConfFree(conf);
+ return -1;
+ }
+ }
+
p = virConfGetValue (conf, "user");
CHECK_TYPE ("user", VIR_CONF_STRING);
if (!(user = strdup(p && p->str ? p->str : QEMU_USER))) {
virBufferVSprintf(&opt, "port=%u", def->graphics[0]->data.spice.port);
- if (def->graphics[0]->data.spice.tlsPort)
+ if (driver->spiceTLS && def->graphics[0]->data.spice.tlsPort != -1)
virBufferVSprintf(&opt, ",tls-port=%u", def->graphics[0]->data.spice.tlsPort);
if (def->graphics[0]->data.spice.listenAddr)
virBufferVSprintf(&opt, ",addr=%s", def->graphics[0]->data.spice.listenAddr);
+ else if (driver->spiceListen)
+ virBufferVSprintf(&opt, ",addr=%s", driver->spiceListen);
+
+ /* In the password case we set it via monitor command, to avoid
+ * making it visible on CLI, so there's no use of password=XXX
+ * in this bit of the code */
+ if (!def->graphics[0]->data.spice.passwd &&
+ !driver->spicePassword)
+ virBufferAddLit(&opt, ",disable-ticketing");
+
+ if (driver->spiceTLS)
+ virBufferVSprintf(&opt, ",x509-dir=%s",
+ driver->spiceTLSx509certdir);
+
if (virBufferError(&opt))
goto no_memory;
char *vncListen;
char *vncPassword;
char *vncSASLdir;
+ unsigned int spiceTLS : 1;
+ char *spiceTLSx509certdir;
+ char *spiceListen;
+ char *spicePassword;
char *hugetlbfs_mount;
char *hugepage_path;
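Review bot: The four new driver fields carry no comment describing their origin or sensitivity, and spicePassword in particular is a secret that the command-line builder in this commit deliberately keeps off the qemu argv. A short comment above the group, `/* SPICE defaults loaded from qemu.conf; spicePassword is a secret, must never be logged or passed on the qemu command line, and is owned and freed by the driver */`, would carry that contract to future readers of the struct. The struct definition starts and ends outside this hunk.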
} else if (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
vm->def->graphics[0]->data.spice.autoport) {
int port = qemudNextFreePort(driver, 5900);
- int tlsPort = port == -1 ? -1 : qemudNextFreePort(driver, port + 1);
- if (port < 0 || tlsPort < 0) {
+ int tlsPort = -1;
+ if (port < 0) {
qemuReportError(VIR_ERR_INTERNAL_ERROR,
- "%s", _("Unable to find unused SPICE ports"));
+ "%s", _("Unable to find an unused SPICE port"));
goto cleanup;
}
+ if (driver->spiceTLS) {
+ tlsPort = qemudNextFreePort(driver, port + 1);
+ if (tlsPort < 0) {
+ qemuReportError(VIR_ERR_INTERNAL_ERROR,
+ "%s", _("Unable to find an unused SPICE TLS port"));
+ goto cleanup;
+ }
+ }
+
vm->def->graphics[0]->data.spice.port = port;
vm->def->graphics[0]->data.spice.tlsPort = tlsPort;
}
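Review bot: On the TLS-port failure path (`if (tlsPort < 0)` inside the new `if (driver->spiceTLS)` block) the already-obtained `port` is abandoned before `goto cleanup`; if qemudNextFreePort marks the port it returns as reserved, which is not visible here, that reservation is leaked on this path, and a comment or an explicit release before the goto would close that gap. The same shape existed in the removed two-line version, so this is a pre-existing concern rather than a regression, but the commit now makes the two allocations separate steps and so is the natural place to document it, e.g. `/* NOTE: port stays reserved if the TLS lookup fails; released on cleanup? — confirm */`. The enclosing function starts and ends outside the hunk.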
-LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -usb -spice port=5903,tls-port=5904,addr=127.0.0.1 -vga qxl -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda /dev/HostVG/QEMUGuest1 -usb -spice port=5903,tls-port=5904,addr=127.0.0.1,x509-dir=/etc/pki/libvirt-spice -vga qxl -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
return EXIT_FAILURE;
if ((driver.hugepage_path = strdup("/dev/hugepages/libvirt/qemu")) == NULL)
return EXIT_FAILURE;
+ driver.spiceTLS = 1;
+ if (!(driver.spiceTLSx509certdir = strdup("/etc/pki/libvirt-spice")))
+ return EXIT_FAILURE;
+ if (!(driver.spicePassword = strdup("123456")))
+ return EXIT_FAILURE;
# define DO_TEST_FULL(name, extraFlags, migrateFrom, expectError) \
do { \