Bug 1335832 - add support to use unix sockets for SPICE graphics console
Summary: add support to use unix sockets for SPICE graphics console
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: libvirt
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Pavel Hrdina
QA Contact: Fangge Jin
URL:
Whiteboard:
Depends On: 1043919 1377551
Blocks: 1044570
Reported: 2016-05-13 10:34 UTC by Pavel Hrdina
Modified: 2017-08-01 23:51 UTC (History)

Fixed In Version: libvirt-2.0.0-1.el7
Doc Type: Enhancement
Doc Text:
Clone Of: 1044570
Environment:
Last Closed: 2017-08-01 17:09:12 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHEA-2017:1846 (normal, SHIPPED_LIVE): libvirt bug fix and enhancement update, last updated 2017-08-01 18:02:50 UTC

Description Pavel Hrdina 2016-05-13 10:34:33 UTC
virt-manager does not prevent other local users from using the VNC and SPICE protocols to access the console of virtual machines created using virt-manager.

Using UNIX domain socket connections by default would be the best solution for this.  Automatically generated random passwords do not authenticate the server and allow it to be impersonated by other users because it is usually running on an untrusted port.

--- Additional comment from Cole Robinson on 2015-11-05 02:13:41 CET ---

In fact I don't think there _is_ any virt-manager component to this request. If libvirt provided a qemu.conf option to default graphics devices to listen on a local unix socket, that should really be all that's required, since virt-manager should work with unix sockets already. Maybe we would want to switch to DomainOpenGraphics like #1044021 but that isn't blocked by the libvirt request

--- Additional comment from Florian Weimer on 2015-11-05 10:17:53 CET ---

(In reply to Cole Robinson from comment #8)
> In fact I don't think there _is_ any virt-manager component to this request.
> If libvirt provided a qemu.conf option to default graphics devices to listen
> on a local unix socket, that should really be all that's required, since
> virt-manager should work with unix sockets already.

Okay, I'm therefore reassigning this bug to libvirt.

--- Additional comment from Cole Robinson on 2015-11-05 18:40:25 CET ---

(In reply to Florian Weimer from comment #9)
> (In reply to Cole Robinson from comment #8)
> > In fact I don't think there _is_ any virt-manager component to this request.
> > If libvirt provided a qemu.conf option to default graphics devices to listen
> > on a local unix socket, that should really be all that's required, since
> > virt-manager should work with unix sockets already.
> 
> Okay, I'm therefore reassigning this bug to libvirt.

sorry, I thought there was already a RHEL libvirt bug for this

As mentioned in bug #1043919, the missing dev piece is wiring up unix socket support for spice. I think it's supported in qemu.git nowadays, but we would want an auto-socket option in qemu.conf like we have for VNC

Comment 2 Pavel Hrdina 2016-06-09 13:13:41 UTC
Upstream commit:

commit e0c309b2dc0655d212fb65e1e7bbc444794759a5
Author: Pavel Hrdina <phrdina@redhat.com>
Date:   Wed Jun 8 15:18:59 2016 +0200

    spice: add support for listen type socket

Comment 4 Fangge Jin 2016-09-06 06:16:36 UTC
Tested with the following builds; unix socket for spice is not supported by qemu for now:
libvirt-2.0.0-6.el7.x86_64
qemu-kvm-rhev-2.6.0-22.el7.x86_64

Steps:
1. Prepare a guest with spice graphic and listen type='socket':
# virsh edit rhel7.3-0817
...
    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>

2. Try to start guest:
# virsh start rhel7.3-0817
error: Failed to start domain rhel7.3-0817
error: unsupported configuration: unix socket for spice graphics are not supported with this QEMU

Comment 5 Fangge Jin 2016-09-12 09:32:55 UTC
Hi Marc,

According to comment 4, libvirt already supports spice unix sockets in RHEL7.3, but qemu-kvm-rhev doesn't support it for now. So I can't verify this libvirt bug.

Does qemu have a plan to support this feature in RHEL7.4?

As I don't find a qemu BZ for this feature, could I open a qemu bug to track this, and make this libvirt bug depend on the qemu bug?

Thank you very much!
Fangge Jin

Comment 6 Marc-Andre Lureau 2016-09-12 11:27:21 UTC
qemu 2.6 is fine, but it requires building against spice >= 0.12.6, but rhel7 is still spice-server-devel-0.12.4-18.el7.x86_64.

I think we need two new bugs, one for spice to backport the feature, and one for qemu to pick up the feature.

Comment 7 Fangge Jin 2016-09-14 07:53:21 UTC
Tested with libvirt-2.0.0-8.el7.x86_64, upstream qemu (v2.7.0-217-g7263da7), and upstream spice server (0.12.8).

Steps:

1. Prepare a guest with spice listen type='socket'

# virsh dumpxml rhel7.3-0817

    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>
2. Start guest:

# virsh start rhel7.3-0817

3. Dumpxml:

# virsh dumpxml rhel7.3-0817

   <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-4-rhel7.3-0817/spice.sock'/>
    </graphics>

4. Check qemu command line:

...-chardev socket,id=charchannel0,path=/var/lib/libvirt/qemu/channel/target/domain-4-rhel7.3-0817/org.qemu.guest_agent.0,server,nowait...

5. Use virt-viewer to connect to the guest: it connects successfully and I can operate in the guest

# virt-viewer rhel7.3-0817 --attach

Comment 8 Fangge Jin 2016-09-14 08:40:06 UTC
Hi Pavel,

I have two questions about the testing results in comment 7:

1) In step 3, should there be a graphics/@socket attribute in the active domain xml just like what it is for vnc?

    <graphics type='vnc' **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
    </graphics>


2) In step 5, when I use virt-viewer to connect to guest without --attach, virt-viewer always said "Failed to connect: Display can only be attached through libvirt with --attach":

# virt-viewer rhel7.3-0817

While if I change the graphics type to vnc, virt-viewer can connect to guest graphic console successfully without --attach.

Comment 9 Pavel Grunt 2016-09-14 09:44:35 UTC
(In reply to JinFangge from comment #8)
> Hi Pavel,
> 
> I have two questions about the testing results in comment 7:
> 
> 1) In step 3, should there be a graphics/@socket attribute in the active
> domain xml just like what it is for vnc?
> 
>     <graphics type='vnc'
> **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
>       <listen type='socket'
> socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
>     </graphics>

Per http://libvirt.org/formatdomain.html you don't need to add it
> 
> 
> 2) In step5,  when I use virt-viewer to connect to guest without --attach,
> virt-viewer always said "Failed to connect: Display can only be attached
> through libvirt with --attach":

For the unix socket connection using SPICE --attach is needed and the user is informed about that.

> 
> # virt-viewer rhel7.3-0817
> 
> While if I change the graphics type to vnc, virt-viewer can connect to guest
> graphic console successfully without --attach.

Comment 10 Pavel Hrdina 2016-09-15 13:20:43 UTC
(In reply to JinFangge from comment #8)
> Hi Pavel,
> 
> I have two questions about the testing results in comment 7:
> 
> 1) In step 3, should there be a graphics/@socket attribute in the active
> domain xml just like what it is for vnc?
> 
>     <graphics type='vnc'
> **socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'**>
>       <listen type='socket'
> socket='/var/lib/libvirt/qemu/domain-9-rhel7.3-0817/vnc.sock'/>
>     </graphics>

The graphics/@socket attribute is an old attribute and is there only for backward compatibility.  Spice supports sockets only with the new listen elements and doesn't need to maintain backward compatibility using the graphics/@socket attribute.

Comment 11 Xuesong Zhang 2016-09-20 06:53:53 UTC
Move this bug to RHEL7.4 with Testonly keyword, since spice and qemu component do not implement this feature in current RHEL7.3.

Comment 13 Guo, Zhiyi 2017-03-08 07:25:07 UTC
Checking qemu-options.hx from downstream qemu-kvm-rhev 2.8, spice really does support -spice addr=/path/to/socket,unix. The blocker is caused by the version of the spice-server package.

When using the prebuilt qemu-kvm-rhev-2.8.0-5.el7.x86_64.rpm downloaded from brew, the spice-server version is still the old version 0.12.4, as seen by checking the build log:
spice support     yes (0.12.11/0.12.4)

Same behavior as rhev 2.6 from rhel7.3:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,unix,disable-ticketing -monitor stdio
qemu-kvm: -spice addr=/tmp/spice.sock,unix,disable-ticketing: Invalid parameter 'unix'
And you can see qemu is using old spice-server by:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,disable-ticketing -monitor stdio
QEMU 2.8.0 monitor - type 'help' for more information
(qemu) info spice
Server:
    migrated: false
        auth: none
    compiled: 0.12.4
  mouse-mode: server
Channels: none

Problem solved by rebuilding the qemu-kvm-rhev src package in a rhel7.4 host environment.

spice-server has been rebased to spice-server-0.12.8-1.el7.x86_64 and the build log shows an update of spice-server:
spice support     yes (0.12.12/0.12.8)

Launching qemu with the same cli, remote-viewer can connect and operates well:
# /usr/libexec/qemu-kvm -spice addr=/tmp/spice.sock,unix,disable-ticketing -monitor stdio
QEMU 2.8.0 monitor - type 'help' for more information
(qemu)

remote-viewer spice+unix:///tmp/spice.sock

(qemu) main_channel_link: add main channel client
inputs_connect: inputs channel client create
red_dispatcher_set_cursor_peer:

Comment 15 Xiaodai Wang 2017-03-09 09:10:02 UTC
> > 
> > 2) In step5,  when I use virt-viewer to connect to guest without --attach,
> > virt-viewer always said "Failed to connect: Display can only be attached
> > through libvirt with --attach":
> 
> For the unix socket connection using SPICE --attach is needed and the user
> is informed about that 
> 

Hi Pavel,

The different result between VNC and SPICE is because VNC and SPICE have different XML (as below). virt-viewer doesn't get the correct socket url for spice, so when connecting to a spice guest, virt-viewer doesn't have a chance to run 'virt_viewer_app_open_unix_sock', and finally virt-viewer fails with the error above directly.

I think this is the same as bug 1410671; virt-viewer should be reworked to parse the xml correctly.

    <graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'/>
    </graphics>


    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-1-fedora25-workstation/spice.sock'/>
      <image compression='off'/>
    </graphics>

Thanks
xiaodwan
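The XML difference discussed in comments 8, 10 and 15 (VNC carries the socket path both on the legacy graphics/@socket attribute and on the listen element, SPICE only on the listen element) is easy to get wrong in a client, and the original report's concern is that any TCP listener, even on 127.0.0.1, is reachable by every local user. The following audit script is an added example, not code from this bug, libvirt or virt-viewer; it parses a constructed domain XML made of fragments like the ones pasted in this thread, resolves the socket path the way comment 10 describes, and reports graphics devices whose listener other local users can reach. The domain name, addresses and the `passwd` value are constructed for the example.

```python
"""Audit libvirt domain XML for graphics consoles reachable by other local users.

Added example for this bug thread; not libvirt or virt-viewer code.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: active-domain fragments in the shape pasted in comments 7, 8 and 15,
# plus two TCP listeners (constructed) to show what the audit flags.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>audit-sample</name>
  <devices>
    <graphics type='vnc' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-5-rhel7.2/vnc.sock'/>
    </graphics>
    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-1-fedora25-workstation/spice.sock'/>
      <image compression='off'/>
    </graphics>
    <graphics type='vnc' port='5900' autoport='yes' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
    <graphics type='spice' port='5901' autoport='yes' listen='0.0.0.0' passwd='constructed'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
</domain>
"""


@dataclass
class GraphicsListener:
    gtype: str             # 'vnc' or 'spice'
    listen_type: str       # 'socket', 'address', 'network' or 'none'
    target: Optional[str]  # socket path, or address/network name; None when not yet assigned
    has_passwd: bool       # whether a console password is configured

    @property
    def local_user_exposed(self) -> bool:
        # Only a UNIX socket can be restricted by file permissions; a TCP listener,
        # loopback included, is reachable by every local user (the concern in the report).
        return self.listen_type not in ("socket", "none")


def socket_path(graphics: ET.Element) -> Optional[str]:
    """Resolve the UNIX socket path of one <graphics> element.

    The <listen type='socket'> element is authoritative for both VNC and SPICE;
    graphics/@socket is the legacy VNC-only attribute (comment 10). Reading only the
    legacy attribute is exactly what misses SPICE (the failure in comment 15).
    """
    for listen in graphics.findall("listen"):
        if listen.get("type") == "socket" and listen.get("socket"):
            return listen.get("socket")
    return graphics.get("socket")  # legacy attribute; None for SPICE and for inactive XML


def parse_graphics(domain_xml: str) -> List[GraphicsListener]:
    root = ET.fromstring(domain_xml)
    result = []
    for g in root.findall("./devices/graphics"):
        listens = g.findall("listen")
        if not listens:
            # No <listen> child: fall back to the legacy graphics/@socket or @listen attribute.
            if g.get("socket"):
                ltype, target = "socket", g.get("socket")
            elif g.get("listen"):
                ltype, target = "address", g.get("listen")
            else:
                ltype, target = "none", None
        else:
            first = listens[0]
            ltype = first.get("type", "none")
            if ltype == "socket":
                target = socket_path(g)
            else:
                target = first.get("address") or first.get("network")
        result.append(GraphicsListener(g.get("type", "?"), ltype, target, g.get("passwd") is not None))
    return result


def findings(domain_xml: str) -> List[str]:
    """One line per graphics device that other local users could connect to."""
    out = []
    for gl in parse_graphics(domain_xml):
        if gl.local_user_exposed:
            note = "password set" if gl.has_passwd else "NO password"
            out.append(f"{gl.gtype} listens on {gl.listen_type} {gl.target}: "
                       f"reachable by other local users ({note})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_DOMAIN_XML):
        print(line)
```

On a live host the same functions can be fed the output of `virsh dumpxml`; for the socket listeners the script reports nothing, so the remaining check is to `stat` the socket and its parent directory and confirm they are not accessible to other local users. A password on a TCP listener is reported but still counted as exposed, matching the report's point that a randomly generated password does not authenticate the server to the client.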

Comment 16 Pavel Grunt 2017-04-03 11:24:21 UTC
sorry, what is the question? Comment 15 mentions a virt-viewer bug - unrelated to this bug (support in libvirt)

Comment 17 Fangge Jin 2017-04-05 00:30:33 UTC
(In reply to Pavel Grunt from comment #16)
> sorry, what is the question? Comment 15 mentions a virt-viewer bug -
> unrelated to this bug (support in libvirt)

I can't connect to the spice unix socket with virt-viewer due to bug 1410671; I will not verify this bug until the virt-viewer bug is fixed. No other question.

Comment 18 Pavel Grunt 2017-04-05 06:44:55 UTC
(In reply to JinFangge from comment #17)
> (In reply to Pavel Grunt from comment #16)
> > sorry, what is the question? Comment 15 mentions a virt-viewer bug -
> > unrelated to this bug (support in libvirt)
> 
> I can't connect to spice unix socket by virt-viewer due to bug 1410671, I
> will not verify this bug until virt-viewer bug is fixed. No other question.

If this is the case then there should be a dependency on bug 1411765.

But if I read your comment 7 correctly then it is possible to verify the bug - sorry, this bug is not clear - in comment 4 it was verified, comment 13 mentions another option for verifying...

Out of curiosity - isn't it possible to verify using another app than virt-viewer? virt-manager or gnome-boxes? Both use libvirt to connect.

Comment 19 Fangge Jin 2017-04-10 06:37:10 UTC
virt-manager also doesn't work for spice unix socket:

[Mon, 10 Apr 2017 14:31:45 virt-manager 2851] DEBUG (console:718) Starting connect process for proto=spice trans= connhost=127.0.0.1 connuser= connport= gaddr=127.0.0.1 gport=None gtlsport=None gsocket=None

Comment 22 Fangge Jin 2017-05-22 03:08:20 UTC
Verification passed on builds:
libvirt-3.2.0-5.virtcov.el7.x86_64
qemu-kvm-rhev-2.9.0-5.el7.x86_64
virt-viewer-5.0-4.el7.x86_64
spice-server-0.12.8-2.el7.x86_64

Steps:
1. Set spice listen to socket in guest xml:
# virsh dumpxml rhel7.4
...
    <graphics type='spice'>
      <listen type='socket'/>
    </graphics>

2. # virsh start rhel7.4

3. # virsh dumpxml rhel7.4
...
    <graphics type='spice'>
      <listen type='socket' socket='/var/lib/libvirt/qemu/domain-6-rhel7.4/spice.sock'/>
    </graphics>

4. Connect to guest by virt-viewer, do some random operations in guest
# virt-viewer rhel7.4

Comment 23 errata-xmlrpc 2017-08-01 17:09:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846

Comment 24 errata-xmlrpc 2017-08-01 23:51:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:1846

