[PATCH v2 4/4] bhyve: add VNC password support

Daniel P. Berrangé berrange at redhat.com
Tue Sep 22 12:47:51 UTC 2020


On Tue, Sep 22, 2020 at 04:28:51PM +0400, Roman Bogorodskiy wrote:
> From: Fabian Freyer <fabian.freyer at physik.tu-berlin.de>
> 
> Support setting a password for the VNC framebuffer using the passwd
> attribute on the <graphics/> element, if the driver has the
> BHYVE_CAP_VNC_PASSWORD capability.
> 
> Note that virsh domxml-from-native does not output the password in the
> generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when
> formatting the domain definition.
> 
> Signed-off-by: Fabian Freyer <fabian.freyer at physik.tu-berlin.de>
> Signed-off-by: Roman Bogorodskiy <bogorodskiy at gmail.com>
> ---
>  NEWS.rst                                      |  7 +++
>  src/bhyve/bhyve_command.c                     | 33 +++++++++-----
>  src/bhyve/bhyve_parse_command.c               |  5 +++
>  .../bhyveargv2xml-vnc-password.args           | 10 +++++
>  .../bhyveargv2xml-vnc-password.xml            | 22 ++++++++++
>  tests/bhyveargv2xmltest.c                     |  3 +-
>  .../bhyvexml2argv-vnc-password-comma.xml      | 26 +++++++++++
>  .../bhyvexml2argv-vnc-password.args           | 12 +++++
>  .../bhyvexml2argv-vnc-password.ldargs         |  1 +
>  .../bhyvexml2argv-vnc-password.xml            | 26 +++++++++++
>  tests/bhyvexml2argvtest.c                     |  8 +++-
>  .../bhyvexml2xmlout-vnc-password.xml          | 44 +++++++++++++++++++
>  tests/bhyvexml2xmltest.c                      |  1 +
>  13 files changed, 185 insertions(+), 13 deletions(-)
>  create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
>  create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
>  create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
>  create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
>  create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
>  create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
>  create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
> 
> diff --git a/NEWS.rst b/NEWS.rst
> index bb48f5bd43..c949cb941b 100644
> --- a/NEWS.rst
> +++ b/NEWS.rst
> @@ -25,6 +25,13 @@ v6.8.0 (unreleased)
>      Libvirt can now set the framebuffer's "w" and "h" parameters
>      using the ``resolution`` element.
>  
> +  * bhyve: Support VNC password authentication
> +
> +    Libvirt can now probe whether the bhyve binary supports
> +    VNC password authentication. In case it does, a VNC password
> +    can now be passed using the ``passwd`` attribute on
> +    the ``<graphics>`` element.
> +
>  * **Improvements**
>  
>    * qemu: Allow migration over UNIX sockets
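
Review bot: The new NEWS entry says a VNC password "can now be passed using the ``passwd`` attribute" but leaves out the restriction the same patch enforces in src/bhyve/bhyve_command.c, where a password containing ',' is rejected with "Password may not contain ',' character". Suggest adding one sentence about that limit here, so users meet it in the release notes rather than in the error message.
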
> diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
> index 176a339d5a..1b48438168 100644
> --- a/src/bhyve/bhyve_command.c
> +++ b/src/bhyve/bhyve_command.c
> @@ -424,17 +424,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
>              return -1;
>          }
>  
> -        if (graphics->data.vnc.auth.passwd) {
> -            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> -                           _("vnc password auth not supported"));
> -            return -1;
> -        } else {
> -             /* Bhyve doesn't support VNC Auth yet, so print a warning about
> -              * unauthenticated VNC sessions */
> -             VIR_WARN("%s", _("Security warning: currently VNC auth is not"
> -                              " supported."));
> -        }
> -
>          if (glisten->address) {
>              escapeAddr = strchr(glisten->address, ':') != NULL;
>              if (escapeAddr)
> @@ -468,6 +457,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
>          return -1;
>      }
>  
> +    if (graphics->data.vnc.auth.passwd) {
> +        if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                           _("VNC Passwort authentication not supported "

s/Passwort/Password/

> +                             "by bhyve"));
> +            return -1;
> +        }
> +
> +        if (strchr(graphics->data.vnc.auth.passwd, ',')) {
> +            virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
> +                           _("Password may not contain ',' character"));
> +            return -1;
> +        }
> +
> +        virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd);
> +    } else {
> +        if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD))
> +            VIR_WARN("%s", _("Security warning: VNC auth is not supported."));
> +        else
> +            VIR_WARN("%s", _("Security warning: VNC is used without authentication."));
> +    }
> +
>      if (video->res)
>          virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y);
>
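
Review bot: The password is written into the bhyve option string by the virBufferAsprintf(&opt, ",password=%s", ...) line, so it becomes part of the bhyve command line, where other local users can read it from the process listing and where it ends up in anything that records the generated command. The commit message only addresses domxml-from-native output, so this exposure should be stated in the documentation for the passwd attribute. It is also worth checking whether an empty passwd can reach this point: the outer "if (graphics->data.vnc.auth.passwd)" only tests the pointer, and an empty string would emit a bare ",password=" without either of the two warnings in the else branch.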

With typo fixed:

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|