Red Hat Bugzilla – Attachment 291435 Details for
Bug 428231
Switch Xen PVFB over to use QEMU instead of libvncserver & merge TLS patches
[patch]
Add XenD config opts for TLS
xen-qemu-vnc-x509-certs.patch (text/plain), 5.67 KB, created by
Daniel Berrangé
on 2008-01-11 22:53:49 UTC
(
hide
)
Description:
Add XenD config opts for TLS
Filename:
MIME Type:
Creator:
Daniel Berrangé
Created:
2008-01-11 22:53:49 UTC
Size:
5.67 KB
patch
obsolete
>diff -rupN xen-3.1.0-src.orig/tools/examples/xend-config.sxp xen-3.1.0-src.new/tools/examples/xend-config.sxp
>--- xen-3.1.0-src.orig/tools/examples/xend-config.sxp 2008-01-11 12:30:46.000000000 -0500
>+++ xen-3.1.0-src.new/tools/examples/xend-config.sxp 2008-01-11 16:01:47.000000000 -0500
>@@ -141,3 +141,33 @@
> # The default password for VNC console on HVM domain.
> # Empty string is no authentication.
> (vncpasswd '')
>+ 
>+# The VNC server can be told to negotiate a TLS session
>+# to encryption all traffic, and provide x509 cert to
>+# clients enalbing them to verify server identity. The
>+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
>+# all support the VNC extension for TLS used in QEMU. The
>+# TightVNC/RealVNC/UltraVNC clients do not.
>+#
>+# To enable this create x509 certificates / keys in the
>+# directory /etc/xen/vnc
>+#
>+# ca-cert.pem - The CA certificate
>+# server-cert.pem - The Server certificate signed by the CA
>+# server-key.pem - The server private key
>+#
>+# and then uncomment this next line
>+# (vnc-tls 1)
>+#
>+# The certificate dir can be pointed elsewhere..
>+#
>+# (vnc-x509-cert-dir /etc/xen/vnc)
>+#
>+# The server can be told to request & validate an x509
>+# certificate from the client. Only clients with a cert
>+# signed by the trusted CA will be able to connect. This
>+# is more secure the password auth alone. Passwd auth can
>+# used at the same time if desired. To enable client cert
>+# checking uncomment this:
>+#
>+# (vnc-x509-verify 1)
>diff -rupN xen-3.1.0-src.orig/tools/python/xen/xend/image.py xen-3.1.0-src.new/tools/python/xen/xend/image.py
>--- xen-3.1.0-src.orig/tools/python/xen/xend/image.py 2008-01-11 15:56:09.000000000 -0500
>+++ xen-3.1.0-src.new/tools/python/xen/xend/image.py 2008-01-11 16:01:09.000000000 -0500
>@@ -17,7 +17,7 @@
> #============================================================================
> 
> 
>-import os, string
>+import os, os.path, string
> import re
> import math
> import signal 
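Review bot: The new comment block carries several typos that will ship in the example config administrators copy from: `to encryption all traffic` should read `to encrypt all traffic`, `enalbing` should be `enabling`, and `is more secure the password auth alone. Passwd auth can used` should be `is more secure than password auth alone. Passwd auth can be used`. It would also help to state explicitly that with vnc-tls enabled and vnc-x509-verify left off, TLS only lets the client verify the server, so the vncpasswd setting above remains the sole client-side authentication; the text currently leaves that to be inferred from the vnc-x509-verify paragraph.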
>@@ -373,6 +373,19 @@ class HVMImageHandler(ImageHandler):
> else:
> log.debug("No VNC passwd configured for vfb access")
> 
>+ if XendRoot.instance().get_vnc_tls():
>+ vncx509certdir = XendRoot.instance().get_vnc_x509_cert_dir()
>+ vncx509verify = XendRoot.instance().get_vnc_x509_verify()
>+ 
>+ if not os.path.exists(vncx509certdir):
>+ raise "VNC x509 certificate dir does not exist"
>+ 
>+ if vncx509verify:
>+ vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
>+ else:
>+ vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
>+ 
>+ 
> vnclisten = sxp.child_value(config, 'vnclisten',
> XendRoot.instance().get_vnclisten_address())
> vncdisplay = sxp.child_value(config, 'vncdisplay', self.vm.getDomid())
>diff -rupN xen-3.1.0-src.orig/tools/python/xen/xend/server/vfbif.py xen-3.1.0-src.new/tools/python/xen/xend/server/vfbif.py
>--- xen-3.1.0-src.orig/tools/python/xen/xend/server/vfbif.py 2008-01-11 15:56:09.000000000 -0500
>+++ xen-3.1.0-src.new/tools/python/xen/xend/server/vfbif.py 2008-01-11 16:04:35.000000000 -0500
>@@ -1,10 +1,11 @@
> from xen.xend.server.DevController import DevController
> from xen.xend.XendLogging import log
>+from xen.xend import XendRoot
> 
> from xen.xend.XendError import VmError
> from xen.xend import sxp
> import xen.xend
>-import os
>+import os, os.path
> 
> def spawn_detached(path, args, env):
> log.debug("Spawn: " + str(args)) 
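Review bot: `raise "VNC x509 certificate dir does not exist"` raises a bare string, which Python 2.5 only deprecation-warns about and later versions reject with a TypeError, so any caller that catches VmError will never see this failure; the identical line appears in the vfbif.py hunk below. Raise the project's exception instead, e.g. `raise VmError("VNC x509 certificate dir does not exist: %s" % vncx509certdir)` — vfbif.py already imports VmError, while image.py's import hunk does not show it, so confirm it is in scope there. The guard also only tests that the path exists, not that it is a directory containing the ca-cert.pem / server-cert.pem / server-key.pem files the xend-config.sxp comment requires, so a half-populated directory is only reported by QEMU at domain start; `os.path.isdir` plus a check for the three files would fail earlier with a clearer message. The enclosing method starts and ends outside the hunk.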
>@@ -68,6 +69,18 @@ class VfbifController(DevController):
> else:
> log.debug("No VNC passwd configured for vfb access")
> 
>+ if XendRoot.instance().get_vnc_tls():
>+ vncx509certdir = XendRoot.instance().get_vnc_x509_cert_dir()
>+ vncx509verify = XendRoot.instance().get_vnc_x509_verify()
>+ 
>+ if not os.path.exists(vncx509certdir):
>+ raise "VNC x509 certificate dir does not exist"
>+ 
>+ if vncx509verify:
>+ vncopts = vncopts + ",tls,x509verify=%s" % vncx509certdir
>+ else:
>+ vncopts = vncopts + ",tls,x509=%s" % vncx509certdir
>+ 
> vnclisten = sxp.child_value(config, 'vnclisten',
> xen.xend.XendRoot.instance().get_vnclisten_address())
> vncdisplay = sxp.child_value(config, 'vncdisplay', 0)
>diff -rupN xen-3.1.0-src.orig/tools/python/xen/xend/XendRoot.py xen-3.1.0-src.new/tools/python/xen/xend/XendRoot.py
>--- xen-3.1.0-src.orig/tools/python/xen/xend/XendRoot.py 2008-01-11 12:30:46.000000000 -0500
>+++ xen-3.1.0-src.new/tools/python/xen/xend/XendRoot.py 2008-01-11 15:57:47.000000000 -0500
>@@ -101,6 +101,15 @@ class XendRoot:
> """Default interface to listen for VNC connections on"""
> xend_vnc_listen_default = '127.0.0.1'
> 
>+ """Use of TLS mode in QEMU VNC server"""
>+ xend_vnc_tls = 0
>+ 
>+ """x509 certificate directory for QEMU VNC server"""
>+ xend_vnc_x509_cert_dir = "/etc/xen/vnc"
>+ 
>+ """Verify incoming client x509 certs"""
>+ xend_vnc_x509_verify = 0
>+ 
> components = {}
> 
> def __init__(self):
>@@ -284,6 +293,16 @@ class XendRoot:
> return self.get_config_value('vncpasswd',
> self.vncpasswd_default)
> 
>+ def get_vnc_tls(self):
>+ return self.get_config_value('vnc-tls', self.xend_vnc_tls)
>+ 
>+ def get_vnc_x509_cert_dir(self):
>+ return self.get_config_value('vnc-x509-cert-dir', self.xend_vnc_x509_cert_dir)
>+ 
>+ def get_vnc_x509_verify(self):
>+ return self.get_config_value('vnc-x509-verify', self.xend_vnc_x509_verify)
>+ 
>+ 
> def instance():
> """Get an instance of XendRoot.
> Use this instead of the constructor.
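Review bot: The twelve added lines are a verbatim copy of the block added to image.py in the earlier hunk, so the directory check and the option-string formatting now have to be kept in sync in two places; one helper that both call sites use would avoid that drift. Within this method the new lines reach the config through `XendRoot.instance()` while the context line two below still uses `xen.xend.XendRoot.instance()`, the same object reached two ways, which should be made consistent. The sketch below folds the block into a module-level helper in vfbif.py (it could equally live on XendRoot so image.py can share it); the enclosing method starts and ends outside the hunk.
```python
def _append_vnc_tls_opts(vncopts):
    """Append QEMU's tls/x509 VNC options to vncopts when vnc-tls is configured."""
    root = XendRoot.instance()
    if not root.get_vnc_tls():
        return vncopts
    certdir = root.get_vnc_x509_cert_dir()
    if not os.path.isdir(certdir):
        raise VmError("VNC x509 certificate dir does not exist: %s" % certdir)
    if root.get_vnc_x509_verify():
        return vncopts + ",tls,x509verify=%s" % certdir
    return vncopts + ",tls,x509=%s" % certdir

# … unchanged: vncpasswd handling above …
        vncopts = _append_vnc_tls_opts(vncopts)
```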
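Review bot: `get_vnc_tls` and `get_vnc_x509_verify` hand back whatever `get_config_value` returns, and the callers in image.py and vfbif.py test that value for truthiness. If the SXP parser yields an option's value as a string — the neighbouring `vncpasswd` accessor suggests `get_config_value` does not coerce types — then `(vnc-tls 0)` or `(vnc-x509-verify no)` in the config is a non-empty string and enables the feature, so a value written to turn client-cert checking off would instead turn it on. If XendRoot already has a boolean-typed accessor for config options, use it for these two; otherwise normalise here, e.g. `return self.get_config_value('vnc-tls', self.xend_vnc_tls) in (1, '1', 'yes', 'true')` (the accepted spellings are a suggestion to confirm against the parser), and apply the same to `get_vnc_x509_verify`. Both accessors are complete within the hunk.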