domain_conf: add "default" to list of valid spice channels
authorAlon Levy <alevy@redhat.com>
Tue, 8 May 2012 17:42:44 +0000 (20:42 +0300)
committerEric Blake <eblake@redhat.com>
Tue, 8 May 2012 18:14:45 +0000 (12:14 -0600)
qemu's behavior in this case is to change the spice server behavior to
require secure connection to any channel not otherwise specified as
being in plaintext mode. libvirt doesn't currently allow requesting this
(via plaintext-channel=<channel name>).

RHBZ: 819499

Signed-off-by: Alon Levy <alevy@redhat.com>
docs/formatdomain.html.in
docs/schemas/domaincommon.rng
src/conf/domain_conf.c
src/conf/domain_conf.h
src/qemu/qemu_command.c
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.args
tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml

index 1ccf7a3bd71e3251b8c9a321bd11be100839ff41..1478832433381ff6f2852b4711566203931b64cc 100644 (file)
@@ -2929,6 +2929,13 @@ qemu-kvm -net nic,model=? /dev/null
               <span class="since">Since 0.9.3</span>
               NB, this may not be supported by all hypervisors.
               <span class="since">"spice" since 0.8.6</span>.
+              The <code>defaultMode</code> attribute sets the default channel
+              security policy, valid values are <code>secure</code>,
+              <code>insecure</code> and the default <code>any</code>
+              (which is secure if possible, but falls back to insecure
+              rather than erroring out if no secure path is
+              available). <span class="since">"defaultMode" since
+              0.9.12</span>.
             </p>
             <p>
               When SPICE has both a normal and TLS secured TCP port
index 77f2f6a80aabe99da2266280dc8609587d9164cb..84369c7db41ee5f665109b026ebfb69f933e3f01 100644 (file)
               </choice>
             </attribute>
           </optional>
+          <optional>
+            <attribute name="defaultMode">
+              <choice>
+                <value>any</value>
+                <value>secure</value>
+                <value>insecure</value>
+              </choice>
+            </attribute>
+          </optional>
           <interleave>
             <ref name="listenElements"/>
             <zeroOrMore>
index 10b023eb7a12d2ca1c322b78f5efdd57e3f54163..a60ef5a63e17d4f260598cc0508f100e954fbc3b 100644 (file)
@@ -6071,6 +6071,8 @@ virDomainGraphicsDefParseXML(xmlNodePtr node,
         char *port = virXMLPropString(node, "port");
         char *tlsPort;
         char *autoport;
+        char *defaultMode;
+        int defaultModeVal;
 
         if (port) {
             if (virStrToLong_i(port, NULL, 10, &def->data.spice.port) < 0) {
@@ -6103,6 +6105,20 @@ virDomainGraphicsDefParseXML(xmlNodePtr node,
             VIR_FREE(autoport);
         }
 
+        def->data.spice.defaultMode = VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY;
+
+        if ((defaultMode = virXMLPropString(node, "defaultMode")) != NULL) {
+            if ((defaultModeVal = virDomainGraphicsSpiceChannelModeTypeFromString(defaultMode)) < 0) {
+                virDomainReportError(VIR_ERR_INTERNAL_ERROR,
+                                     _("unknown default spice channel mode %s"),
+                                     defaultMode);
+                VIR_FREE(defaultMode);
+                goto error;
+            }
+            def->data.spice.defaultMode = defaultModeVal;
+            VIR_FREE(defaultMode);
+        }
+
         if (def->data.spice.port == -1 && def->data.spice.tlsPort == -1) {
             /* Legacy compat syntax, used -1 for auto-port */
             def->data.spice.autoport = 1;
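Review bot: An unrecognised `defaultMode` value is reported with `VIR_ERR_INTERNAL_ERROR`, although the cause is a mistake in user-supplied domain XML rather than a fault inside libvirt. Callers and log triage then cannot tell a rejected configuration from a real internal failure. A configuration-level code such as `VIR_ERR_CONFIG_UNSUPPORTED` would describe it better: `virDomainReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("unknown default spice channel mode %s"), defaultMode);`. The body of virDomainGraphicsDefParseXML starts and ends outside this hunk, so whether neighbouring attributes follow the same convention is not visible here.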
@@ -12124,6 +12140,10 @@ virDomainGraphicsDefFormat(virBufferPtr buf,
             virBufferEscapeString(buf, " keymap='%s'",
                                   def->data.spice.keymap);
 
+        if (def->data.spice.defaultMode != VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY)
+            virBufferAsprintf(buf, " defaultMode='%s'",
+              virDomainGraphicsSpiceChannelModeTypeToString(def->data.spice.defaultMode));
+
         virDomainGraphicsAuthDefFormatAttr(buf, &def->data.spice.auth, flags);
         break;
 
index 6581feaa43a7fcf9f9634a439e1702bcd27013f9..00178e1ffa4df0389e3e5a75bec19b361e7b1043 100644 (file)
@@ -1233,6 +1233,7 @@ struct _virDomainGraphicsDef {
             virDomainGraphicsAuthDef auth;
             unsigned int autoport :1;
             int channels[VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST];
+            int defaultMode; /* enum virDomainGraphicsSpiceChannelMode */
             int image;
             int jpeg;
             int zlib;
index 070d13ecec41dfa1f0ec85fd8daa4fd122f9f0e3..117542f47ebe19ac65e5dcf47e32d1daef5a7efc 100644 (file)
@@ -5463,6 +5463,7 @@ qemuBuildCommandLine(virConnectPtr conn,
         const char *listenAddr = NULL;
         char *netAddr = NULL;
         int ret;
+        int defaultMode = def->graphics[0]->data.spice.defaultMode;
 
         if (!qemuCapsGet(qemuCaps, QEMU_CAPS_SPICE)) {
             qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
@@ -5546,6 +5547,18 @@ qemuBuildCommandLine(virConnectPtr conn,
             virBufferAsprintf(&opt, ",x509-dir=%s",
                               driver->spiceTLSx509certdir);
 
+        switch (defaultMode) {
+        case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_SECURE:
+            virBufferAsprintf(&opt, ",tls-channel=default");
+            break;
+        case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_INSECURE:
+            virBufferAsprintf(&opt, ",plaintext-channel=default");
+            break;
+        case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_ANY:
+            /* nothing */
+            break;
+        }
+
         for (i = 0 ; i < VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_LAST ; i++) {
             int mode = def->graphics[0]->data.spice.channels[i];
             switch (mode) {
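Review bot: The new `switch (defaultMode)` appends `,tls-channel=default` whenever the domain asks for `secure`, and nothing in the hunk checks that a TLS port is being passed to qemu. Judging by the indentation, the switch sits outside the block that emits `x509-dir`, so a domain with `defaultMode='secure'` and no usable `tlsPort` (or with SPICE TLS turned off in the driver configuration) still gets the option. What qemu does then is not visible here. Since the attribute is a security policy, the `MODE_SECURE` case should fail instead of relying on qemu: check `def->graphics[0]->data.spice.tlsPort` and raise `qemuReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", _("spice defaultMode secure requested but TLS port is not configured"))`. The body of qemuBuildCommandLine continues outside this hunk.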
index c9fdb99276bded38eb4ea43b3052ee9e1a96aeaf..698e39c4cef4e21e3095e015c3a61ffa1f83eef0 100644 (file)
@@ -2,7 +2,7 @@ LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice \
 /usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor \
 unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -hda \
 /dev/HostVG/QEMUGuest1 -usb -spice port=5903,tls-port=5904,addr=127.0.0.1,\
-x509-dir=/etc/pki/libvirt-spice,tls-channel=main,plaintext-channel=inputs,\
+x509-dir=/etc/pki/libvirt-spice,tls-channel=default,tls-channel=main,plaintext-channel=inputs,\
 image-compression=auto_glz,jpeg-wan-compression=auto,zlib-glz-wan-compression=auto,\
 playback-compression=on,streaming-video=filter,disable-copy-paste -vga \
 qxl -global qxl.vram_size=18874368 -device qxl,id=video1,vram_size=33554432,bus=pci.0,addr=0x4 \
index 8930b6088153aa0fc58a99b843d2cd135619f920..a3789f25634691ae0680e00a18ff820df593b78f 100644 (file)
@@ -22,7 +22,7 @@
     <controller type='usb' index='0'/>
     <controller type='ide' index='0'/>
     <input type='mouse' bus='ps2'/>
-    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1'>
+    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1' defaultMode='secure'>
       <listen type='address' address='127.0.0.1'/>
       <channel name='main' mode='secure'/>
       <channel name='inputs' mode='insecure'/>
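Review bot: This fixture covers only `defaultMode='secure'` on a domain that also sets `tlsPort`, so the other branches of the new policy attribute are untested. I would add a case for `defaultMode='insecure'` that pins `plaintext-channel=default` in the expected arguments, and a negative case for an unknown value. A case for `defaultMode='secure'` with no TLS port would also be useful, so that what happens to a domain requesting encryption that cannot be provided is fixed by a test instead of left implicit.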