mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 13:45:38 +00:00
Add support for enabling SASL for SPICE guests
QEMU has support for SASL auth for SPICE guests, but libvirt has no way to enable it. Follow the example from VNC, where it is globally enabled via qemu.conf.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
parent
ac5f3f292b
commit
291a6ef3e4
@ -38,6 +38,8 @@ module Libvirtd_qemu =
|
||||
| bool_entry "spice_tls"
|
||||
| str_entry "spice_tls_x509_cert_dir"
|
||||
| str_entry "spice_password"
|
||||
| bool_entry "spice_sasl"
|
||||
| str_entry "spice_sasl_dir"
|
||||
|
||||
let nogfx_entry = bool_entry "nographics_allow_host_audio"
|
||||
|
||||
|
@ -140,6 +140,22 @@
|
||||
#spice_password = "XYZ12345"
|
||||
|
||||
|
||||
# Enable use of SASL encryption on the SPICE server. This requires
|
||||
# a SPICE client which supports the SASL protocol extension.
|
||||
#
|
||||
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
||||
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
||||
#
|
||||
#spice_sasl = 1
|
||||
|
||||
# The default SASL configuration file is located in /etc/sasl2/
|
||||
# When running libvirtd unprivileged, it may be desirable to
|
||||
# override the configs in this location. Set this parameter to
|
||||
# point to the directory, and create a qemu.conf in that location
|
||||
#
|
||||
#spice_sasl_dir = "/some/directory/sasl2"
|
||||
|
||||
|
||||
# By default, if no graphical front end is configured, libvirt will disable
|
||||
# QEMU audio output since directly talking to alsa/pulseaudio may not work
|
||||
# with various security settings. If you know what you're doing, enable
|
||||
|
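Review bot: The new comment describes `spice_sasl` as enabling "SASL encryption", but the option turns on SASL authentication; whether the session is also protected on the wire depends on the mechanism chosen in /etc/sasl2/qemu.conf, so the text should say that and point readers at `spice_tls` for transport protection. `GSSPI` looks like a typo for `GSSAPI`. Because the command-line hunk in this commit leaves ACLs as a TODO, it appears that every identity that authenticates successfully is admitted; a line such as `# Note: no per-user ACL is applied yet; any user who authenticates is granted access` would make that visible to administrators.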
@ -7191,6 +7191,16 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg,
|
||||
virBufferAsprintf(&opt, "tls-port=%u", tlsPort);
|
||||
}
|
||||
|
||||
if (cfg->spiceSASL) {
|
||||
virBufferAddLit(&opt, ",sasl");
|
||||
|
||||
if (cfg->spiceSASLdir)
|
||||
virCommandAddEnvPair(cmd, "SASL_CONF_PATH",
|
||||
cfg->spiceSASLdir);
|
||||
|
||||
/* TODO: Support ACLs later */
|
||||
}
|
||||
|
||||
switch (virDomainGraphicsListenGetType(graphics, 0)) {
|
||||
case VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS:
|
||||
listenAddr = virDomainGraphicsListenGetAddress(graphics, 0);
|
||||
|
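Review bot: The `,sasl` flag is appended inside `if (cfg->spiceSASL)` without regard to whether the guest's SPICE listener uses TLS, so on a plaintext `port=` listener the SASL exchange is only as confidential as the configured mechanism makes it. A comment at this branch should state that expectation, for example `/* SASL is for authentication; pair with spice_tls unless the mechanism negotiates its own security layer */`. `SASL_CONF_PATH` is set for the whole QEMU process, so if the VNC code path exports the same variable from its own directory setting (not visible in this hunk) the two values would compete for a guest with both display types; that is worth confirming. The `/* TODO: Support ACLs later */` comment should also say that, until then, any successfully authenticated identity is accepted. The function body starts and ends outside the hunk.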
@ -284,6 +284,7 @@ static void virQEMUDriverConfigDispose(void *obj)
|
||||
VIR_FREE(cfg->spiceTLSx509certdir);
|
||||
VIR_FREE(cfg->spiceListen);
|
||||
VIR_FREE(cfg->spicePassword);
|
||||
VIR_FREE(cfg->spiceSASLdir);
|
||||
|
||||
VIR_FREE(cfg->hugetlbfsMount);
|
||||
VIR_FREE(cfg->hugepagePath);
|
||||
@ -397,6 +398,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
|
||||
|
||||
GET_VALUE_BOOL("spice_tls", cfg->spiceTLS);
|
||||
GET_VALUE_STR("spice_tls_x509_cert_dir", cfg->spiceTLSx509certdir);
|
||||
GET_VALUE_BOOL("spice_sasl", cfg->spiceSASL);
|
||||
GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
|
||||
GET_VALUE_STR("spice_listen", cfg->spiceListen);
|
||||
GET_VALUE_STR("spice_password", cfg->spicePassword);
|
||||
|
||||
|
@ -111,6 +111,8 @@ struct _virQEMUDriverConfig {
|
||||
|
||||
bool spiceTLS;
|
||||
char *spiceTLSx509certdir;
|
||||
bool spiceSASL;
|
||||
char *spiceSASLdir;
|
||||
char *spiceListen;
|
||||
char *spicePassword;
|
||||
|
||||
|
@ -15,6 +15,8 @@ module Test_libvirtd_qemu =
|
||||
{ "spice_tls" = "1" }
|
||||
{ "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
|
||||
{ "spice_password" = "XYZ12345" }
|
||||
{ "spice_sasl" = "1" }
|
||||
{ "spice_sasl_dir" = "/some/directory/sasl2" }
|
||||
{ "nographics_allow_host_audio" = "1" }
|
||||
{ "remote_display_port_min" = "5900" }
|
||||
{ "remote_display_port_max" = "65535" }
|
||||
|
@ -0,0 +1,9 @@
|
||||
LC_ALL=C PATH=/bin HOME=/home/test USER=test LOGNAME=test \
|
||||
SASL_CONF_PATH=/root/.sasl2 QEMU_AUDIO_DRV=spice \
|
||||
/usr/bin/qemu -S -M pc -m 214 -smp 1 -nodefaults \
|
||||
-monitor unix:/tmp/test-monitor,server,nowait -no-acpi -boot c -usb -hda \
|
||||
/dev/HostVG/QEMUGuest1 \
|
||||
-spice port=5903,tls-port=5904,sasl,addr=127.0.0.1,\
|
||||
x509-dir=/etc/pki/libvirt-spice,tls-channel=default \
|
||||
-vga qxl -global qxl.ram_size=67108864 -global \
|
||||
qxl.vram_size=18874368 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3
|
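--- /dev/null
+++ b/tests/qemuxml2argvdata/qemuxml2argv-graphics-spice-sasl.xml
@@ -0,0 +1,35 @@
+<domain type='qemu'>
+<name>QEMUGuest1</name>
+<uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+<memory unit='KiB'>219100</memory>
+<currentMemory unit='KiB'>219100</currentMemory>
+<vcpu placement='static'>1</vcpu>
+<os>
+<type arch='i686' machine='pc'>hvm</type>
+<boot dev='hd'/>
+</os>
+<clock offset='utc'/>
+<on_poweroff>destroy</on_poweroff>
+<on_reboot>restart</on_reboot>
+<on_crash>destroy</on_crash>
+<devices>
+<emulator>/usr/bin/qemu</emulator>
+<disk type='block' device='disk'>
+<driver name='qemu' type='raw'/>
+<source dev='/dev/HostVG/QEMUGuest1'/>
+<target dev='hda' bus='ide'/>
+<address type='drive' controller='0' bus='0' target='0' unit='0'/>
+</disk>
+<controller type='usb' index='0'/>
+<controller type='ide' index='0'/>
+<controller type='pci' index='0' model='pci-root'/>
+<input type='mouse' bus='ps2'/>
+<graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1' defaultMode='secure'>
+<listen type='address' address='127.0.0.1'/>
+</graphics>
+<video>
+<model type='qxl' ram='65536' vram='18432' heads='1'/>
+</video>
+<memballoon model='virtio'/>
+</devices>
+</domain>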
@ -660,6 +660,14 @@ mymain(void)
|
||||
QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
|
||||
QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
|
||||
QEMU_CAPS_DEVICE_QXL);
|
||||
driver.config->spiceSASL = 1;
|
||||
ignore_value(VIR_STRDUP(driver.config->spiceSASLdir, "/root/.sasl2"));
|
||||
DO_TEST("graphics-spice-sasl",
|
||||
QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
|
||||
QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
|
||||
QEMU_CAPS_DEVICE_QXL);
|
||||
VIR_FREE(driver.config->spiceSASLdir);
|
||||
driver.config->spiceSASL = 0;
|
||||
DO_TEST("graphics-spice-agentmouse",
|
||||
QEMU_CAPS_VGA, QEMU_CAPS_VGA_QXL,
|
||||
QEMU_CAPS_DEVICE, QEMU_CAPS_SPICE,
|
||||
|