[libvirt] [PATCHv2] Error out when using SPICE TLS with spice_tls=0

Daniel P. Berrange berrange at redhat.com
Fri Feb 24 10:41:16 UTC 2012


On Fri, Feb 24, 2012 at 11:34:45AM +0100, Christophe Fergeau wrote:
> It's possible to disable SPICE TLS in qemu.conf. When this happens,
> libvirt ignores any SPICE TLS port or x509 directory that may have
> been set when it builds the qemu command line to use. However, it's
> not ignoring the secure channels that may have been set and adds
> tls-channel arguments to qemu command line.
> Current qemu versions don't report an error when this happens, and try to use
> TLS for the specified channels.
> 
> Before this patch
> 
> <domain type='kvm'>
>   <name>auto-tls-port</name>
>   <memory>65536</memory>
>   <os>
>     <type arch='x86_64' machine='pc'>hvm</type>
>   </os>
>   <devices>
>     <graphics type='spice' port='5900' tlsPort='-1' autoport='yes' listen='0' ke
>       <listen type='address' address='0'/>
>       <channel name='main' mode='secure'/>
>       <channel name='inputs' mode='secure'/>
>     </graphics>
>   </devices>
> </domain>
> 
> generates
> 
> -spice port=5900,addr=0,disable-ticketing,tls-channel=main,tls-channel=inputs
> 
> and starts QEMU.
> 
> After this patch, an error is reported if a TLS port is set in the XML
> or if secure channels are specified but TLS is disabled in qemu.conf.
> This is the behaviour the oVirt people (where I spotted this issue) said
> they would expect.
> 
> This fixes bug #790436
> ---
>  src/qemu/qemu_command.c |   12 +++++++++++-
>  1 files changed, 11 insertions(+), 1 deletions(-)
> 
> diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
> index 5a34504..4f3e61e 100644
> --- a/src/qemu/qemu_command.c
> +++ b/src/qemu/qemu_command.c
> @@ -5231,7 +5231,12 @@ qemuBuildCommandLine(virConnectPtr conn,
>  
>          virBufferAsprintf(&opt, "port=%u", def->graphics[0]->data.spice.port);
>  
> -        if (driver->spiceTLS && def->graphics[0]->data.spice.tlsPort != -1)
> +        if (def->graphics[0]->data.spice.tlsPort != -1)
> +            if (!driver->spiceTLS) {
> +                qemuReportError(VIR_ERR_XML_ERROR,
> +                                _("spice TLS port set in XML configuration, but TLS is disabled in qemu.conf"));
> +                goto error;
> +            }
>              virBufferAsprintf(&opt, ",tls-port=%u", def->graphics[0]->data.spice.tlsPort);
>  
>          switch (virDomainGraphicsListenGetType(def->graphics[0], 0)) {
> @@ -5287,6 +5292,11 @@ qemuBuildCommandLine(virConnectPtr conn,
>              int mode = def->graphics[0]->data.spice.channels[i];
>              switch (mode) {
>              case VIR_DOMAIN_GRAPHICS_SPICE_CHANNEL_MODE_SECURE:
> +                if (!driver->spiceTLS) {
> +                    qemuReportError(VIR_ERR_XML_ERROR,
> +                                    _("spice secure channels set in XML configuration, but TLS is disabled in qemu.conf"));
> +                    goto error;
> +                }
>                  virBufferAsprintf(&opt, ",tls-channel=%s",
>                                    virDomainGraphicsSpiceChannelNameTypeToString(i));
>                  break;

ACK, if we  s/XML_ERROR/CONFIG_UNSUPPORTED/  in the those two error
messages

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list