Bug 602199
| Summary: | [vdsm] [libvirt intg] spice command line security tune-ups | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Haim <hateya> |
| Component: | vdsm | Assignee: | Dan Kenigsberg <danken> |
| Status: | CLOSED NOTABUG | QA Contact: | Haim <hateya> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.1 | CC: | bazulay, berrange, danken, hateya, iheim, mgoldboi, Rhev-m-bugs, yeylon, ykaul |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | vdsm & libvirt integration | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-06-10 13:43:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 581275 | ||
|
Description
Haim
2010-06-09 11:50:36 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion. There is no support for encrypted passwords in the XML. Assuming there are appropriately configured access controls on the libvirt UNIX sockets this isn't a serious problem, because only root, or a user with privileges to connect to libvirt can see this. A port of '-1' should only be seen on an inactive guest. It indicates that the port is allocated dynamically when the guest is booted. When the guest is running libvirt should tell you what the actual port number is when querying the XML config. Not sure why your seeing such a password validity date. I would need to see the full original XML that the guest was booted with, and details of whether VDSM had issued the API call to update the passwd after booting This is how the XML looks like.
<domain type="kvm">
<name>libvirt-nfs2-desk-10</name>
<uuid>f3abace3-c078-4d9c-81b7-2b4b8052b56c</uuid>
<memory>524288</memory>
<currentMemory>524288</currentMemory>
<vcpu>1</vcpu>
<devices>
<disk device="disk" type="file">
<source file="/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91"/>
<target bus="ide" dev="hda"/>
<serial>59-9ebb-9c1ace60629a</serial>
<driver cache="none" name="qemu" type="qcow2"/>
</disk>
<controller index="0" ports="16" type="virtio-serial"/>
<channel type="unix">
<target name="org.linux-kvm.port.0" type="virtio"/>
<source mode="bind" path="/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0"/>
</channel>
<interface type="bridge">
<mac address="00:1a:4a:23:71:2e"/>
<model type="virtio"/>
<source bridge="rhevm"/>
</interface>
<input bus="usb" type="tablet"/>
<video>
<model heads="1" type="qxl" vram="65536"/>
</video>
<graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice">
<channel mode="secure" name="main"/>
<channel mode="secure" name="inputs"/>
<channel mode="secure" name="cursor"/>
<channel mode="secure" name="playback"/>
<channel mode="secure" name="record"/>
<channel mode="secure" name="display"/>
</graphics>
</devices>
<os>
<type arch="x86_64" machine="pc">hvm</type>
<boot dev="hd"/>
</os>
<clock adjustment="10800" offset="variable"/>
<features>
<acpi/>
</features>
<cpu match="exact">
<model>qemu64</model>
<topology cores="1" sockets="1" threads="1"/>
<feature name="nx" policy="disable"/>
<feature name="sse2" policy="require"/>
<feature name="svm" policy="disable"/>
</cpu>
</domain>
and the qemu command from libvrt/qemu/ log:
LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -cpu qemu64,-svm,-nx -enable-kvm -m 51
2 -smp 1,sockets=1,cores=1,threads=1 -name libvirt-nfs2-desk-10 -uuid f3abace3-c078-4d9c-81b7-2b4b8052b56c -nodefaults -chardev socket,id=mon
itor,path=/var/lib/libvirt/qemu/libvirt-nfs2-desk-10.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=2010-5-10T16:4:59 -boo
t c -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive file=/rhev/data-center/fb89b279-1019-456b-be42-fb4d355
87970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91,if=none,id=drive-
ide0-0-0,boot=on,format=qcow2,serial=59-9ebb-9c1ace60629a,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -net
dev tap,fd=21,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:23:71:2e,bus=pci.0,addr=0x4 -chardev socket,id=channel0
,path=/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0,server,nowait -device virtserialport,chardev=channel0,name=org
.linux-kvm.port.0 -usb -device usb-tablet,id=input0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tl
s-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record -k en-us -vga qxl -device virtio-balloon-pci,
id=balloon0,bus=pci.0,addr=0x3
|