[libvirt] [PATCH] Add support for SPICE SASL

Christophe Fergeau cfergeau at redhat.com
Thu Oct 17 13:38:04 UTC 2013


This adds a spice_sasl boolean option to qemu.conf to mimic what is
done for VNC SASL support.

I did not add a spice_sasl_dir option as the corresponding
vnc_sasl_dir option sets a SASL_CONF_DIR environment variable, but
I could not find any reference to that variable in either QEMU or
cyrus-sasl, and Google was not helpful either.
---
 src/qemu/libvirtd_qemu.aug                         |  1 +
 src/qemu/qemu.conf                                 | 11 ++++++
 src/qemu/qemu_command.c                            |  2 +
 src/qemu/qemu_conf.c                               |  1 +
 src/qemu/qemu_conf.h                               |  1 +
 src/qemu/test_libvirtd_qemu.aug.in                 |  1 +
 .../qemuxml2argv-graphics-spice-sasl.args          | 12 ++++++
 .../qemuxml2argv-graphics-spice-sasl.xml           | 45 ++++++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  6 +++
 9 files changed, 80 insertions(+)
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
 create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml

diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 32db983..3dc1b43 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -38,6 +38,7 @@ module Libvirtd_qemu =
                  | bool_entry "spice_tls"
                  | str_entry  "spice_tls_x509_cert_dir"
                  | str_entry "spice_password"
+                 | bool_entry "spice_sasl"
 
    let nogfx_entry = bool_entry "nographics_allow_host_audio"
 
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index bf57b9c..7b128aa 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -140,6 +140,17 @@
 #spice_password = "XYZ12345"
 
 
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+
 # By default, if no graphical front end is configured, libvirt will disable
 # QEMU audio output since directly talking to alsa/pulseaudio may not work
 # with various security settings. If you know what you're doing, enable
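Review bot: The new comment block describes `spice_sasl` as enabling "SASL encryption", but SASL is first an authentication layer, and whether the session is also protected depends on the mechanism selected in /etc/sasl2/qemu.conf. An operator could read this as a guarantee of an encrypted channel and enable it without `spice_tls`. I would word the first line as `# Enable use of SASL authentication on the SPICE server.` and add `# Unless the chosen SASL mechanism provides its own security layer, also enable spice_tls.` The example mechanism name `GSSPI` is presumably meant to be `GSSAPI`.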
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index abb62e9..ea5cfcb 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7340,6 +7340,8 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg,
          * migration algorithm silently. */
         virBufferAddLit(&opt, ",seamless-migration=on");
     }
+    if (cfg->spiceSASL)
+        virBufferAddLit(&opt, ",sasl");
 
     virCommandAddArg(cmd, "-spice");
     virCommandAddArgBuffer(cmd, &opt);
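Review bot: `,sasl` is appended whenever `cfg->spiceSASL` is set, and no QEMU capability check is visible in this hunk. A QEMU binary whose `-spice` option does not accept `sasl` would presumably fail at guest start with a QEMU option error rather than a libvirt diagnostic. If a capability bit for this exists or can be added, the guard should test it and report a configuration error. Otherwise say so next to the check, e.g. `/* no capability bit for SPICE SASL: passed through unchecked, QEMU rejects it if unsupported */`. The body of qemuBuildGraphicsSPICECommandLine starts and ends outside the hunk.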
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 44a2296..532b0ff 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -399,6 +399,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
     GET_VALUE_STR("spice_tls_x509_cert_dir", cfg->spiceTLSx509certdir);
     GET_VALUE_STR("spice_listen", cfg->spiceListen);
     GET_VALUE_STR("spice_password", cfg->spicePassword);
+    GET_VALUE_BOOL("spice_sasl", cfg->spiceSASL);
 
 
     GET_VALUE_LONG("remote_websocket_port_min", cfg->webSocketPortMin);
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index ea3c691..35a2515 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -110,6 +110,7 @@ struct _virQEMUDriverConfig {
     char *vncSASLdir;
 
     bool spiceTLS;
+    bool spiceSASL;
     char *spiceTLSx509certdir;
     char *spiceListen;
     char *spicePassword;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 7af3f64..f759db5 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -15,6 +15,7 @@ module Test_libvirtd_qemu =
 { "spice_tls" = "1" }
 { "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
 { "spice_password" = "XYZ12345" }
+{ "spice_sasl" = "1" }
 { "nographics_allow_host_audio" = "1" }
 { "remote_display_port_min" = "5900" }
 { "remote_display_port_max" = "65535" }
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
new file mode 100644
index 0000000..4fe78a5
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.args
@@ -0,0 +1,12 @@
+LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test QEMU_AUDIO_DRV=spice \
+/usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults -monitor \
+unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
+/dev/HostVG/QEMUGuest1 -spice port=5903,tls-port=5904,addr=127.0.0.1,\
+x509-dir=/etc/pki/libvirt-spice,tls-channel=default,tls-channel=main,\
+plaintext-channel=inputs,\
+image-compression=auto_glz,jpeg-wan-compression=auto,\
+zlib-glz-wan-compression=auto,\
+playback-compression=on,streaming-video=filter,disable-copy-paste,sasl -vga \
+qxl -global qxl.ram_size=67108864 -global qxl.vram_size=18874368 \
+-device qxl,id=video1,ram_size=67108864,vram_size=33554432,bus=pci.0,addr=0x4 \
+-device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
diff --git a/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
new file mode 100644
index 0000000..b22fbcc
--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
@@ -0,0 +1,45 @@
+<domain type='qemu'>
+  <name>QEMUGuest1</name>
+  <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+  <memory unit='KiB'>219136</memory>
+  <currentMemory unit='KiB'>219136</currentMemory>
+  <vcpu placement='static'>1</vcpu>
+  <os>
+    <type arch='i686' machine='pc'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='hda' bus='ide'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0'/>
+    <controller type='ide' index='0'/>
+    <controller type='pci' index='0' model='pci-root'/>
+    <input type='mouse' bus='ps2'/>
+    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1' defaultMode='secure'>
+      <listen type='address' address='127.0.0.1'/>
+      <channel name='main' mode='secure'/>
+      <channel name='inputs' mode='insecure'/>
+      <image compression='auto_glz'/>
+      <jpeg compression='auto'/>
+      <zlib compression='auto'/>
+      <playback compression='on'/>
+      <streaming mode='filter'/>
+      <clipboard copypaste='no'/>
+    </graphics>
+    <video>
+      <model type='qxl' ram='65536' vram='18432' heads='1'/>
+    </video>
+    <video>
+      <model type='qxl' ram='65536' vram='32768' heads='1'/>
+    </video>
+    <memballoon model='virtio'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c
index 060acf2..1cdb964 100644
--- a/tests/qemuxml2argvtest.c
+++ b/tests/qemuxml2argvtest.c
@@ -685,6 +685,12 @@ mymain(void)
             QEMU_CAPS_PCI_MULTIFUNCTION, QEMU_CAPS_USB_HUB,
             QEMU_CAPS_ICH9_USB_EHCI1, QEMU_CAPS_USB_REDIR,
             QEMU_CAPS_CHARDEV_SPICEVMC);
+    driver.config->spiceSASL = 1;
+    DO_TEST("graphics-spice-sasl",
+            QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
+            QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
+            QEMU_CAPS_DEVICE_QXL);
+    driver.config->spiceSASL = 0;
 
     DO_TEST("input-usbmouse", NONE);
     DO_TEST("input-usbtablet", NONE);
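Review bot: `spiceSASL` is declared `bool` in the qemu_conf.h hunk of this patch, so the toggles around the new DO_TEST would read better as `driver.config->spiceSASL = true;` and `driver.config->spiceSASL = false;`. A one-line comment such as `/* spice_sasl is a driver-wide qemu.conf setting, so reset it before the next test */` would explain why the flag is flipped on the shared driver config rather than expressed in the domain XML. mymain() extends outside the hunk.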
-- 
1.8.3.1



