[Ovirt-devel] virt-viewer plugin integration issues
Daniel P. Berrange
berrange at redhat.com
Fri Aug 22 08:25:05 UTC 2008

On Fri, Aug 22, 2008 at 09:12:39AM +0200, Chris Lalancette wrote:
> Perry N. Myers wrote:
> > Dan you mentioned just falling back and using straight vnc plugin since we
> > don't need the vnc port lookup since oVirt Server has that info. That
> > doesn't work for when Node is in standalone mode with no server... And
> > besides in standalone mode libvirt has to do digest-md5 since we have no
> > kerberos infrastructure in that mode.
>
> One thought. You *can* set up libvirt to do completely unencrypted tcp
> communication; you just need to set up libvirtd.conf properly. So maybe we can
> just do that in standalone mode, and bypass the digest-md5 thing altogether?
> Since we aren't ever leaving the local node with the traffic, we really
> shouldn't have a security concern. Then (I think) we would be able to use the
> VNC plugin.

If you're doing it local only, then don't use TCP at all. Connect to the
UNIX socket. Using TCP in unencrypted mode is just a recipe for disaster
because sooner or later someone will switch it from localhost to public
forgetting you disabled encryption. Either set the user/group ownership
of the UNIX socket to what you need, or let it do PolicyKit auth locally
(if running a desktop app for local node).

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
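
An added example, not part of the original message or of libvirt itself: a small Python check over a libvirtd.conf body that flags the unencrypted-TCP setup the reply warns against, even when bound to loopback, and accepts the UNIX-socket setup it recommends. The two sample configs are constructed, and the fallback values used when a key is absent are assumptions of this example, not confirmed libvirtd defaults.

```python
import re

# Constructed sample configs (not from the original post).
RISKY_CONF = '''
listen_tls = 0
listen_tcp = 1
listen_addr = "127.0.0.1"   # one edit away from a public address
auth_tcp = "none"
'''
LOCAL_CONF = '''
listen_tls = 0
listen_tcp = 0
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
'''

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def parse_conf(text):
    """Parse 'key = value' lines; skips comment lines, strips quotes."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]+)\s*=\s*("([^"]*)"|[^#\s]+)', line)
        if m:
            quoted = m.group(3)
            conf[m.group(1)] = quoted if quoted is not None else m.group(2)
    return conf

def audit(text):
    """Return a list of finding names for one libvirtd.conf body."""
    c = parse_conf(text)
    findings = []
    # Fallbacks below are assumptions of this example; check your build.
    tcp_on = c.get("listen_tcp", "0") == "1"
    # Flagged even on loopback: the bind address is easy to change later.
    if tcp_on and c.get("auth_tcp", "sasl") == "none":
        findings.append("tcp-unauthenticated")
    if tcp_on and c.get("listen_addr", "") not in LOOPBACK:
        findings.append("tcp-not-loopback")
    # A world-writable read-write socket with no auth lets any local
    # user manage guests; group ownership or polkit should gate it.
    perms = int(c.get("unix_sock_rw_perms", "0700"), 8)
    if perms & 0o002 and c.get("auth_unix_rw", "none") == "none":
        findings.append("unix-socket-open-to-all")
    return findings
```
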