Bug 1335832

Summary: add support to use unix sockets for SPICE graphics console
Product: Red Hat Enterprise Linux 7
Reporter: Pavel Hrdina <phrdina>
Component: libvirt
Assignee: Pavel Hrdina <phrdina>
Status: CLOSED ERRATA
QA Contact: Fangge Jin <fjin>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.3
CC: crobinso, dyuan, fjin, fweimer, gscrivan, marcandre.lureau, mrezanin, mzhan, pgrunt, phrdina, rbalakri, riehecky, sherold, tzheng, virt-bugs, xiaodwan, xuzhang, zhguo
Target Milestone: rc
Keywords: FutureFeature, TestOnly
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: libvirt-2.0.0-1.el7
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: 1044570
Environment:
Last Closed: 2017-08-01 17:09:12 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1043919, 1377551
Bug Blocks: 1044570

Description Pavel Hrdina 2016-05-13 10:34:33 UTC
virt-manager does not prevent other local users from using the VNC and SPICE protocols to access the console of virtual machines created using virt-manager.

Using UNIX domain socket connections by default would be the best solution for this.  Automatically generated random passwords do not authenticate the server and allow it to be impersonated by other users because it is usually running on an untrusted port.

--- Additional comment from Cole Robinson on 2015-11-05 02:13:41 CET ---

In fact I don't think there _is_ any virt-manager component to this request. If libvirt provided a qemu.conf option to default graphics devices to listen on a local unix socket, that should really be all that's required, since virt-manager should work with unix sockets already. Maybe we would want to switch to DomainOpenGraphics like #1044021 but that isn't blocked by the libvirt request

--- Additional comment from Florian Weimer on 2015-11-05 10:17:53 CET ---

(In reply to Cole Robinson from comment #8)
> In fact I don't think there _is_ any virt-manager component to this request.
> If libvirt provided a qemu.conf option to default graphics devices to listen
> on a local unix socket, that should really be all that's required, since
> virt-manager should work with unix sockets already.

Okay, I'm therefore reassigning this bug to libvirt.

--- Additional comment from Cole Robinson on 2015-11-05 18:40:25 CET ---

(In reply to Florian Weimer from comment #9)
> (In reply to Cole Robinson from comment #8)
> > In fact I don't think there _is_ any virt-manager component to this request.
> > If libvirt provided a qemu.conf option to default graphics devices to listen
> > on a local unix socket, that should really be all that's required, since
> > virt-manager should work with unix sockets already.
> 
> Okay, I'm therefore reassigning this bug to libvirt.

sorry, I thought there was already a RHEL libvirt bug for this

As mentioned in bug #1043919, the missing dev piece is wiring up unix socket support for spice. I think it's supported in qemu.git nowadays, but we would want an auto-socket option in qemu.conf like we have for VNC

Comment 2 Pavel Hrdina 2016-06-09 13:13:41 UTC
Upstream commit:

commit e0c309b2dc0655d212fb65e1e7bbc444794759a5
Author: Pavel Hrdina <phrdina>
Date:   Wed Jun 8 15:18:59 2016 +0200

    spice: add support for listen type socket

Comment 4 Fangge Jin 2016-09-06 06:16:36 UTC
Tested with the following builds; unix socket for spice is not supported by qemu for now:
libvirt-2.0.0-6.el7.x86_64
qemu-kvm-rhev-2.6.0-22.el7.x86_64

Steps:
1. Prepare a guest with spice graphic and listen type='socket':
# virsh edit rhel7.3-0817
...
    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>

2. Try to start guest:
# virsh start rhel7.3-0817
error: Failed to start domain rhel7.3-0817
error: unsupported configuration: unix socket for spice graphics are not supported with this QEMU

Comment 5 Fangge Jin 2016-09-12 09:32:55 UTC
Hi Marc,

According to comment 4, libvirt already supports spice unix sockets in RHEL7.3, but qemu-kvm-rhev doesn't support it for now. So I can't verify this libvirt bug.

Does qemu have a plan to support this feature in RHEL7.4?

As I don't find a qemu BZ for this feature, could I open a qemu bug to track this, and make this libvirt bug depend on the qemu bug?

Thank you very much!
Fangge Jin

Comment 6 Marc-Andre Lureau 2016-09-12 11:27:21 UTC
qemu 2.6 is fine, but it requires building against spice >= 0.12.6, but rhel7 is still spice-server-devel-0.12.4-18.el7.x86_64.

I think we need two new bugs, one for spice to backport the feature, and one for qemu to pick up the feature.

Comment 7 Fangge Jin 2016-09-14 07:53:21 UTC
Tested with libvirt-2.0.0-8.el7.x86_64, upstream qemu (v2.7.0-217-g7263da7), and upstream spice server (0.12.8).

Steps:

1. Prepare a guest with spice listen type='socket'

# virsh dumpxml rhel7.3-0817

    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>
2. Start guest:

# virsh start rhel7.3-0817

3. Dumpxml:

# virsh dumpxml rhel7.3-0817

   <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-4-rhel7.3-0817/spice.sock'/>
    </graphics>

4. Check qemu command line:

...-chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/domain-4-rhel7.3-0817/org.qemu.guest_agent.0,server,nowait...

5. Use virt-viewer to connect to guest: it connects successfully and I can operate in guest

# virt-viewer rhel7.3-0817 --attach

Comment 8 Fangge Jin 2016-09-14 08:40:06 UTC
Hi Pavel,

I have two questions about the testing results in comment 7:

1) In step 3, should there be a graphics/@socket attribute in the active domain xml just like what it is for vnc?

    <graphics type='vnc' **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
    </graphics>


2) In step 5, when I use virt-viewer to connect to guest without --attach, virt-viewer always said "Failed to connect: Display can only be attached through libvirt with --attach":

# virt-viewer rhel7.3-0817

While if I change the graphics type to vnc, virt-viewer can connect to guest graphic console successfully without --attach.

Comment 9 Pavel Grunt 2016-09-14 09:44:35 UTC
(In reply to JinFangge from comment #8)
> Hi Pavel,
> 
> I have two questions about the testing results in comment 7:
> 
> 1) In step 3, should there be a graphics/@socket attribute in the active
> domain xml just like what it is for vnc?
> 
>     <graphics type='vnc'
> **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
>       <listen type='socket'
> socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
>     </graphics>

Per http://libvirt.org/formatdomain.html you don't need to add it
> 
> 
> 2) In step5,  when I use virt-viewer to connect to guest without --attach,
> virt-viewer always said "Failed to connect: Display can only be attached
> through libvirt with --attach":

For the unix socket connection using SPICE --attach is needed and the user is informed about that 

> 
> # virt-viewer rhel7.3-0817
> 
> While if I change the graphics type to vnc, virt-viewer can connect to guest
> graphic console successfully without --attach.

Comment 10 Pavel Hrdina 2016-09-15 13:20:43 UTC
(In reply to JinFangge from comment #8)
> Hi Pavel,
> 
> I have two questions about the testing results in comment 7:
> 
> 1) In step 3, should there be a graphics/@socket attribute in the active
> domain xml just like what it is for vnc?
> 
>     <graphics type='vnc'
> **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
>       <listen type='socket'
> socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
>     </graphics>

The graphics/@socket attribute is an old attribute and is there only for backward compatibility.  Spice supports sockets only with the new listen elements and doesn't need to maintain backward compatibility using the graphics/@socket attribute.

Comment 11 Xuesong Zhang 2016-09-20 06:53:53 UTC
Move this bug to RHEL7.4 with Testonly keyword, since spice and qemu component do not implement this feature in current RHEL7.3.

Comment 13 Guo, Zhiyi 2017-03-08 07:25:07 UTC
Checking qemu-options.hx from downstream qemu-kvm-rhev 2.8, spice really does support -spice addr=/path/to/socket,unix. The block is caused by the version of the spice-server package.

When using the prebuilt qemu-kvm-rhev-2.8.0-5.el7.x86_64.rpm downloaded from brew, the spice-server version is still the old version 0.12.4, as seen in the build log:
spice support     yes (0.12.11/0.12.4)

Same behavior as rhev 2.6 from rhel7.3:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,unix,disable-ticketing -monitor stdio
qemu-kvm: -spice addr=/tmp/spice.sock,unix,disable-ticketing: Invalid parameter 'unix'
And you can see that qemu is using the old spice-server by:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,disable-ticketing -monitor stdio
QEMU 2.8.0 monitor - type 'help' for more information
(qemu) info spice
Server:
    migrated: false
        auth: none
    compiled: 0.12.4
  mouse-mode: server
Channels: none

Problem solved by rebuilding the qemu-kvm-rhev src package under a rhel7.4 host environment.

spice-server has been rebased to spice-server-0.12.8-1.el7.x86_64 and the build log shows an updated spice-server:
spice support     yes (0.12.12/0.12.8)

Launching qemu with the same cli, remote-viewer can connect and operate well:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,unix,disable-ticketing -monitor stdio
QEMU 2.8.0 monitor - type 'help' for more information
(qemu)

remote-viewer spice+unix:///tmp/spice.sock

(qemu) main_channel_link: add main channel client
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer:

Comment 15 Xiaodai Wang 2017-03-09 09:10:02 UTC
> > 
> > 2) In step5,  when I use virt-viewer to connect to guest without --attach,
> > virt-viewer always said "Failed to connect: Display can only be attached
> > through libvirt with --attach":
> 
> For the unix socket connection using SPICE --attach is needed and the user
> is informed about that 
> 

Hi Pavel,

The different result between VNC and SPICE is because VNC and SPICE have different XML (as below). virt-viewer doesn't get the correct socket url for spice, so when connecting to a spice guest, virt-viewer doesn't have a chance to run 'virt_viewer_app_open_unix_sock'. And finally virt-viewer fails directly with the error above.

I think this is the same as bug 1410671; virt-viewer should be reworked to parse the xml correctly.

    <graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'/>
    </graphics>


    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-1-fedora25-workstation/spice.sock'/>
      <image compression='off'/>
    </graphics>

Thanks
xiaodwan
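As an added example (not code from this bug, libvirt or virt-viewer), a small Python check that extracts the graphics endpoint from domain XML in both forms quoted above, treating the legacy graphics/@socket attribute only as a fallback (comment 10), and flags consoles that still listen on a TCP port. The sample XML is constructed; element and attribute names follow libvirt's formatdomain schema.

```python
import xml.etree.ElementTree as ET


def _domain(graphics_xml):
    """Wrap a <graphics> fragment in a minimal domain document (constructed test data)."""
    return f"<domain type='kvm'><devices>{graphics_xml}</devices></domain>"


# Constructed samples modelled on the dumpxml fragments quoted in comment 15.
VNC_XML = _domain("""<graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'>
  <listen type='socket' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'/>
</graphics>""")
SPICE_XML = _domain("""<graphics type='spice'>
  <listen type='socket' socket='/var/lib/libvirt/qemu/domain-1-fedora25-workstation/spice.sock'/>
  <image compression='off'/>
</graphics>""")
# A SPICE console on a TCP port: the exposure the unix-socket default is meant to remove.
TCP_XML = _domain("""<graphics type='spice' port='5900' autoport='yes' listen='0.0.0.0'>
  <listen type='address' address='0.0.0.0'/>
</graphics>""")


def graphics_endpoints(domain_xml):
    """Return (graphics type, transport, target) for every <graphics> device.

    The socket path is read from <listen type='socket' socket=.../>; the legacy
    graphics/@socket attribute is only a fallback, because SPICE never emits it.
    """
    endpoints = []
    for g in ET.fromstring(domain_xml).findall("./devices/graphics"):
        listen = g.find("listen")
        ltype = listen.get("type") if listen is not None else None
        legacy_socket = g.get("socket")
        if ltype == "socket" or (ltype is None and legacy_socket):
            path = (listen.get("socket") if listen is not None else None) or legacy_socket
            endpoints.append((g.get("type"), "unix", path))
        elif ltype == "none":
            endpoints.append((g.get("type"), "none", None))
        else:
            # Address listen (or no listen element at all): a TCP port is opened.
            addr = (listen.get("address") if listen is not None else None) or g.get("listen") or "127.0.0.1"
            endpoints.append((g.get("type"), "tcp", f"{addr}:{g.get('port', 'autoport')}"))
    return endpoints


def network_exposed(domain_xml):
    """Graphics devices reachable over TCP, i.e. candidates for <listen type='socket'/>."""
    return [e for e in graphics_endpoints(domain_xml) if e[1] == "tcp"]
```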

Comment 16 Pavel Grunt 2017-04-03 11:24:21 UTC
sorry, what is the question? Comment 15 mentions a virt-viewer bug - unrelated to this bug (support in libvirt)

Comment 17 Fangge Jin 2017-04-05 00:30:33 UTC
(In reply to Pavel Grunt from comment #16)
> sorry, what is the question? Comment 15 mentions a virt-viewer bug -
> unrelated to this bug (support in libvirt)

I can't connect to spice unix socket by virt-viewer due to bug 1410671, I will not verify this bug until virt-viewer bug is fixed. No other question.

Comment 18 Pavel Grunt 2017-04-05 06:44:55 UTC
(In reply to JinFangge from comment #17)
> (In reply to Pavel Grunt from comment #16)
> > sorry, what is the question? Comment 15 mentions a virt-viewer bug -
> > unrelated to this bug (support in libvirt)
> 
> I can't connect to spice unix socket by virt-viewer due to bug 1410671, I
> will not verify this bug until virt-viewer bug is fixed. No other question.

If this is the case then there should be a dependency on the bug 1411765.

But if I read your comment 7 correctly then it is possible to verify the bug - sorry this bug is not clear - in the comment 4 it was verified, comment 13 mentions another option for verifying...

Out of curiosity - isn't it possible to verify using another app than virt-viewer?  virt-manager or gnome-boxes?  Both use libvirt to connect.

Comment 19 Fangge Jin 2017-04-10 06:37:10 UTC
virt-manager also doesn't work for spice unix socket:

[Mon, 10 Apr 2017 14:31:45 virt-manager 2851] DEBUG (console:718) Starting connect process for proto=spice trans= connhost=127.0.0.1 connuser= connport= gaddr=127.0.0.1 gport=None gtlsport=None gsocket=None

Comment 22 Fangge Jin 2017-05-22 03:08:20 UTC
Verify pass on builds:
libvirt-3.2.0-5.virtcov.el7.x86_64
qemu-kvm-rhev-2.9.0-5.el7.x86_64
virt-viewer-5.0-4.el7.x86_64
spice-server-0.12.8-2.el7.x86_64

Steps:
1. Set spice listen to socket in guest xml:
# virsh dumpxml rhel7.4
...
    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>

2. # virsh start rhel7.4

3. # virsh dumpxml rhel7.4
...
    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-6-rhel7.4/spice.sock'/>
    </graphics>

4. Connect to guest by virt-viewer, do some random operations in guest
# virt-viewer rhel7.4

Comment 23 errata-xmlrpc 2017-08-01 17:09:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846

Comment 24 errata-xmlrpc 2017-08-01 23:51:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846