Bug 1044570 - virt-manager: add support to use unix sockets for VNC and SPICE graphics console
Summary: virt-manager: add support to use unix sockets for VNC and SPICE graphics console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: virt-manager
Version: 7.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Pavel Hrdina
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On: 1043919 1335832
Blocks:
 
Reported: 2013-12-18 15:17 UTC by Florian Weimer
Modified: 2016-11-04 01:57 UTC (History)

Fixed In Version: virt-manager-1.4.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1043953
: 1335832 (view as bug list)
Environment:
Last Closed: 2016-11-04 01:57:12 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2269 0 normal SHIPPED_LIVE virt-manager bug fix and enhancement update 2016-11-03 13:34:19 UTC

Description Florian Weimer 2013-12-18 15:17:25 UTC
This bug appears to be present in RHEL 7.0 as well.

+++ This bug was initially created as a clone of Bug #1043919 +++

virt-manager does not prevent other local users from using the VNC and SPICE protocols to access the console of virtual machines created using virt-manager.

Using UNIX domain socket connections by default would be the best solution for this.  Automatically generated random passwords do not authenticate the server and allow it to be impersonated by other users because it is usually running on an untrusted port.

Comment 5 Pavel Hrdina 2015-06-19 08:43:46 UTC
-e

Comment 6 Pavel Hrdina 2015-06-19 08:45:18 UTC
Oops, wrong comment.  Moving to RHEL-7.3 as this is not yet implemented in libvirt.

Comment 8 Cole Robinson 2015-11-05 01:13:41 UTC
In fact I don't think there _is_ any virt-manager component to this request. If libvirt provided a qemu.conf option to default graphics devices to listen on a local unix socket, that should really be all that's required, since virt-manager should work with unix sockets already. Maybe we would want to switch to DomainOpenGraphics like #1044021 but that isn't blocked by the libvirt request

Comment 9 Florian Weimer 2015-11-05 09:17:53 UTC
(In reply to Cole Robinson from comment #8)
> In fact I don't think there _is_ any virt-manager component to this request.
> If libvirt provided a qemu.conf option to default graphics devices to listen
> on a local unix socket, that should really be all that's required, since
> virt-manager should work with unix sockets already.

Okay, I'm therefore reassigning this bug to libvirt.

Comment 10 Cole Robinson 2015-11-05 17:40:25 UTC
(In reply to Florian Weimer from comment #9)
> (In reply to Cole Robinson from comment #8)
> > In fact I don't think there _is_ any virt-manager component to this request.
> > If libvirt provided a qemu.conf option to default graphics devices to listen
> > on a local unix socket, that should really be all that's required, since
> > virt-manager should work with unix sockets already.
> 
> Okay, I'm therefore reassigning this bug to libvirt.

Sorry, I thought there was already a RHEL libvirt bug for this.

As mentioned in bug #1043919, the missing dev piece is wiring up unix socket support for spice. I think it's supported in qemu.git nowadays, but we would want an auto-socket option in qemu.conf like we have for VNC

Comment 11 Pavel Hrdina 2016-06-17 10:35:01 UTC
Upstream commit:

commit 14fd99255b6960ca54a84696ac25731d7357337c
Author: Cole Robinson <crobinso>
Date:   Sat Jun 11 16:51:33 2016 -0400

    cli: add --graphics listen=socket support

Comment 13 zhoujunqin 2016-07-22 08:50:49 UTC
Try to verify this bug with build:
virt-manager-1.4.0-1.el7.noarch
libvirt-2.0.0-2.el7.x86_64
libvirt-python-2.0.0-1.el7.x86_64
virt-install-1.4.0-1.el7.noarch
qemu-kvm-rhev-2.6.0-14.el7.x86_64

Steps:
I. Check virt-install manual page:
# man virt-install
...

           listen
               Address to listen on for VNC/Spice connections. Default is typically 127.0.0.1 (localhost only), but some hypervisors
               allow changing this globally (for example, the qemu driver default can be changed in /etc/libvirt/qemu.conf).  Use
               0.0.0.0 to allow access from other machines.

               Use 'none' to specify that the display server should not listen on any port. The display server can be accessed only
               locally through libvirt unix socket (virt-viewer with --attach for instance).
[Newly added part for bug]
               Use 'socket' to have the VM listen on a libvirt generated unix socket path on the host filesystem.
[Newly added part for bug]
               This is used by 'vnc' and 'spice'

Result-step-1: Refer to [Newly added part for bug], tells a graphics server to listen on unix socket.

II: Try to check unix sockets for vnc and spice graphics.

Environment setup:
# vi /etc/libvirt/qemu.conf
enable vnc_auto_unix_socket = 1
enable spice_auto_unix_socket = 1

# service libvirtd restart
Stopping libvirtd daemon: [ OK ]
Starting libvirtd daemon: [ OK ]

1. Create a new vm with vnc graphics and listen on socket.

# virt-install --name=test3 --ram=1024 --vcpus=2  --location=http://download.eng.pek2.redhat.com/pub/rhel/nightly/latest-RHEL-6.*/6.8/Server/x86_64/os/ --disk=/var/lib/libvirt/images/test3.img,size=5 --graphics vnc,listen=socket --video model=qxl

2. Create a new vm with spice graphics and listen on socket.

# virt-install --name=test2 --ram=1024 --vcpus=2  --location=http://download.eng.pek2.redhat.com/pub/rhel/nightly/latest-RHEL-6.*/6.8/Server/x86_64/os/ --disk=/var/lib/libvirt/images/test2.img,size=5 --graphics spice,listen=socket --video model=qxl

Result:
Step-1: Installation finished with no error; connecting with virt-manager displays the guest console correctly.
# virsh dumpxml test3
...
    <graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-24-test3/vnc.sock'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-24-test3/vnc.sock'/>
    </graphics>

Step-2: Installation failed with following error.
...
ERROR    unsupported configuration: unix socket for spice graphics are not supported with this QEMU
...

According to the above result, virt-manager's support for using unix sockets for the VNC graphics console works well, but for spice graphics it is not supported by QEMU yet.

Hi Pavel,
I think moving this bug to VERIFIED now carries some risk, since spice graphics was not tested. What's your opinion? Thanks.

Comment 14 zhoujunqin 2016-07-22 09:49:59 UTC
Adding more detail for Step-2 ("Installation failed with the following error") in Comment 13.

Though the installation failed, I can get some information from the debug output:

# virt-install --name=test2 --ram=1024 --vcpus=2  --location=http://download.eng.pek2.redhat.com/pub/rhel/nightly/latest-RHEL-6.*/6.8/Server/x86_64/os/ --disk=/var/lib/libvirt/images/test2.img,size=5 --graphics spice,listen=socket --video model=qxl --debug
...
    <graphics type="spice" port="-1" tlsPort="-1" autoport="yes">
      <image compression="off"/>
      <listen type="socket"/>         <-------------added
    </graphics>
...

So Pavel,
do you think it is OK to test while some parameters are not supported yet? I'm not sure.

Comment 15 Pavel Hrdina 2016-07-22 10:31:08 UTC
Hi Junqin,

The spice unix sockets are not supported by the qemu-kvm shipped in RHEL, but they should be supported by qemu-kvm-rhev, so in this case this should be tested as one of the features that are supported only by qemu-kvm-rhev.

Comment 16 Pavel Hrdina 2016-07-22 10:58:16 UTC
So I was apparently wrong. This feature is available upstream since qemu-2.3.0, but it also depends on spice-server.  In RHEL there is the old spice-server-0.12.4; qemu requires spice-server-1.12.6 to enable unix sockets for spice.

So to answer your question, right now there is no way to test this feature for spice, so it's safe to ignore the fact that it's unsupported for the time being, and once the spice-server is updated in RHEL you can start testing this feature.

Pavel

Comment 17 zhoujunqin 2016-07-25 06:55:37 UTC
(In reply to Pavel Hrdina from comment #16)
> So I was apparently wrong. This feature is available in upstream since
> qemu-2.3.0 but it also depends on spice-server.  In rhel there is old
> spice-server-0.12.4, qemu requires spice-server-1.12.6 to enable unix
> sockets for spice.
> 
> So to answer your question, right now there is no way how to test this
> feature for spice so it's safe to ignore the fact that it's unsupported for
> the time being and once the spice-server is updated in RHEL you can start
> testing this feature.
> 
> Pavel

Thanks for your reply, Pavel.

So according to Comment 13, Comment 14 and Comment 16, move this bug from ON_QA to VERIFIED.

Comment 18 Christophe Fergeau 2016-09-20 10:16:06 UTC
(In reply to Florian Weimer from comment #0)
> This bug appears to be present in RHEL 7.0 as well.
> 
> +++ This bug was initially created as a clone of Bug #1043919 +++
> 
> virt-manager does not prevent other local users from using the VNC and SPICE
> protocols to access the console of virtual machines created using
> virt-manager.
> 
> Using UNIX domain socket connections by default would be the best solution
> for this.  Automatically generated random passwords do not authenticate the
> server and allow it to be impersonated by other users because it is usually
> running on an untrusted port.


GNOME Boxes achieved this by using virDomainOpenGraphicsFd rather than needing some Unix socket to be created and used, see bug #1043950.
Couldn't we do the same for virt-manager, as this is already working in 7.3 on the SPICE side?

Comment 19 Pavel Hrdina 2016-09-20 10:31:23 UTC
Yes, you can connect to SPICE via virDomainOpenGraphicsFd, but that still does not prevent other users from connecting via TCP if the SPICE server listens on a TCP port.  That's why we've introduced new listen types in libvirt to listen on a socket or to not listen at all.  Now it's possible to set listen type 'socket' or listen type 'none', and that's what fixes this bug by preventing other users from connecting to the SPICE server.

Comment 20 Christophe Fergeau 2016-09-20 11:56:24 UTC
(In reply to Pavel Hrdina from comment #19)
> Yes, you can connect to the SPICE via virDomainOpenGraphicsFd, but still it
> does not prevent other users connect via TCP if the SPICE server listens on
> TCP port.  That's why we've introduced new listen types in libvirt to set to
> listen on socket or to not listen at all.  Now it's possible to set listen
> type 'socket' or listen type 'none' and that's what fixes this bug to
> prevent other users to connect to the SPICE server.

Yup, and <listen type="none"/> is enough to fix this virt-manager issue; backporting SPICE unix socket support is not strictly required in the context of this bug.

Comment 21 Pavel Hrdina 2016-09-21 08:09:22 UTC
I still don't understand why you started this conversation.  virt-manager is able to connect to a domain with SPICE graphics configured with <listen type="none"/>.  We did not expose this feature in the GUI, but it's possible to use virt-xml to configure it.  virt-manager uses virDomainOpenGraphicsFd if it's available and it's possible to do so.

Comment 22 Christophe Fergeau 2016-09-22 09:14:49 UTC
Ah, sorry about the lack of context :-/ I'm coming from https://bugzilla.redhat.com/show_bug.cgi?id=1377551 which, as I understand it, is basically saying "please backport unix socket support to spice-server in el7, as this is required by virt-manager in order to make VMs private to the user running them". I brought that issue up here as <listen type="none"/> should be enough to solve that virt-manager issue, so I was double-checking if spice unix socket support was a strong requirement to have in el7 or not.

Comment 23 tingting zheng 2016-09-22 09:37:34 UTC
(In reply to Christophe Fergeau from comment #22)
> Ah, sorry about the lack of context :-/ I'm coming from
> https://bugzilla.redhat.com/show_bug.cgi?id=1377551 which, as I understand
> it, is basically saying "please backport unix socket support to spice-server
> in el7, as this is required by virt-manager in order to make VMs private to
> the user running them". I brought that issue up here as <listen
> type="none"/> should be enough to solve that virt-manager issue, so I was
> double-checking if spice unix socket support was a strong requirement to
> have in el7 or not.

This is for libvirt, see bug 1335832: if spice unix socket is not supported on downstream, the bug can not be verified by QE.

Comment 24 Christophe Fergeau 2016-09-22 09:58:52 UTC
(In reply to tingting zheng from comment #23)

> This is for libvirt,see bug 1335832,if spice unix socket is not supported on
> downstream,the bug can not be verified by QE.

And the rationale for this libvirt bug is saying that it's needed to solve this virt-manager bug. If this bug (#1044570) is solved with <listen type='none'>, then I'm going to ask again for some rationale/use case to understand why we are adding it to the spice-server package too.

If the rationale is just "<listen type='unix'> was added to libvirt as a side-effect of adding <listen type='none'> to libvirt, and it would be nice for spice not to error out when someone tries to use <listen type='unix'>", then sure we can add this to spice, it's just a less compelling reason than "it's needed to achieve feature X" :)

Comment 25 tingting zheng 2016-09-22 10:28:21 UTC
(In reply to Christophe Fergeau from comment #24)
> (In reply to tingting zheng from comment #23)
> 
> > This is for libvirt,see bug 1335832,if spice unix socket is not supported on
> > downstream,the bug can not be verified by QE.
> 
> And the rationale for this libvirt bug is saying that it's needed to solve 
> this virt-manager bug. If this bug (#1044570) is solved with <listen
> type='none'>, then I'm going to ask again for some rationale/use case to
> understand why we are adding it to the spice-server package too.
> 
> If the rationale is just "<listen type='unix'> was added to libvirt as a
> side-effect of adding <listen type='none'> to libvirt, and it would be nice
> for spice not to error out when someone tries to use <listen type='unix'>",
> then sure we can add this to spice, it's just a less compelling reason than
> "it's needed to achieve feature X" :)

For listen type='unix', it is supported on rhel7.3; right now listen type='socket' is not supported by spice in downstream.
# virsh dumpxml rhel7.3-0817

   <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-4-rhel7.3-0817/spice.sock'/>
    </graphics>

I saw comments from https://bugzilla.redhat.com/show_bug.cgi?id=1335832#c10,
The graphics/@socket attribute is an old attribute and is there only for backward compatibility with.  Spice supports sockets only with the new listen elements and doesn't need to maintain backward compatibility using the graphics/@socket attribute.

So can I understand that the above xml with listen type='socket' is the old attribute? Is there some xml example for the new attribute?
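The thread above turns on one question a defender can check mechanically: does a domain's <graphics> device listen on a TCP port (reachable by any local user, as the original report describes), or on a libvirt-managed unix socket / not at all (the listen type='socket' and listen type='none' forms discussed in comments 13, 19 and 20)? The following is an added example, not code from this bug report, virt-manager or libvirt: it audits domain XML of the shape shown in the dumpxml output above and rewrites exposed devices to <listen type='none'/>, which comment 20 calls sufficient for this bug. The three sample domains are constructed for the example; the rewrite is done directly on the XML here and is assumed to match what the virt-xml edit mentioned in comment 21 would produce. Against a live host you would feed it the output of `virsh dumpxml <name>` for each domain.

```python
"""Audit libvirt domain XML for guest consoles reachable over TCP.

Added example (not code from the bug report, virt-manager or libvirt).
Classifies each <graphics> device by how it listens and offers a
<listen type='none'/> rewrite for the exposed ones.
"""
import xml.etree.ElementTree as ET

# Constructed sample domains, one per listen style discussed in the bug.
# Socket paths follow the shape of the dumpxml output in the report.
SAMPLE_DOMAINS = {
    "tcp-vm": """<domain type='kvm'>
  <name>tcp-vm</name>
  <devices>
    <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>""",
    "socket-vm": """<domain type='kvm'>
  <name>socket-vm</name>
  <devices>
    <graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-24-socket-vm/vnc.sock'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-24-socket-vm/vnc.sock'/>
    </graphics>
  </devices>
</domain>""",
    "none-vm": """<domain type='kvm'>
  <name>none-vm</name>
  <devices>
    <graphics type='spice' autoport='no'>
      <listen type='none'/>
    </graphics>
  </devices>
</domain>""",
}

PRIVATE_KINDS = ("socket", "none")  # no TCP port is opened for these


def listen_kind(graphics):
    """Return how one <graphics> element listens: 'address', 'network', 'socket' or 'none'.

    Prefers the <listen> sub-element (the newer form that comment 25 quotes
    as the one spice honours) and falls back to the legacy socket=/listen=
    attributes on <graphics> itself.
    """
    listen = graphics.find("listen")
    if listen is not None and listen.get("type"):
        return listen.get("type")
    if graphics.get("socket"):
        return "socket"
    # No <listen> child and no socket= attribute: libvirt opens a TCP port on
    # the listen= address (127.0.0.1 by default), which is the exposed case.
    return "address"


def audit_domain(xml_text):
    """Return [(graphics_type, listen_kind, exposed)] for one domain's XML."""
    root = ET.fromstring(xml_text)
    return [(g.get("type"), listen_kind(g), listen_kind(g) not in PRIVATE_KINDS)
            for g in root.iter("graphics")]


def exposed_domains(domains):
    """Names of domains with at least one console reachable over TCP."""
    return sorted(name for name, xml in domains.items()
                  if any(exposed for _, _, exposed in audit_domain(xml)))


def harden_to_none(xml_text):
    """Rewrite every <graphics> device to <listen type='none'/>.

    Legacy port/listen/socket attributes are dropped and autoport is set to
    'no' so libvirt does not allocate a TCP port; the console then remains
    reachable only through virDomainOpenGraphicsFd (comment 21).
    """
    root = ET.fromstring(xml_text)
    for g in root.iter("graphics"):
        for attr in ("port", "tlsPort", "listen", "socket"):
            g.attrib.pop(attr, None)
        g.set("autoport", "no")
        for child in g.findall("listen"):
            g.remove(child)
        ET.SubElement(g, "listen", {"type": "none"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, xml in SAMPLE_DOMAINS.items():
        for gtype, kind, exposed in audit_domain(xml):
            print(f"{name}: {gtype} listen={kind} -> {'EXPOSED' if exposed else 'private'}")
    print(harden_to_none(SAMPLE_DOMAINS["tcp-vm"]))
```

Only `tcp-vm` is flagged; the rewritten XML for it carries `<listen type="none"/>` and audits clean afterwards. The audit treats 'address' and 'network' listeners alike because, for this bug, the concern is other local users on the same host, and a loopback port is as reachable to them as any other.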

Comment 27 errata-xmlrpc 2016-11-04 01:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2269.html

