Hide Forgot
Description of problem: several security tune ups are required for spice command line from vdsm perspective: 1) password - password appears in clear text in xml - needs to be encrypted: <graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" 2) password expiration date is set to the past: passwdValidTo="1970-01-01T00:00:01" 3) ports are set to -1 port="-1" tlsPort="-1" type="spice"> Version-Release number of selected component (if applicable): vdsm 4.9-8 How reproducible: start vm and set console to spice, and monitor logs.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion.
There is no support for encrypted passwords in the XML. Assuming there are appropriately configured access controls on the libvirt UNIX sockets this isn't a serious problem, because only root, or a user with privileges to connect to libvirt can see this. A port of '-1' should only be seen on an inactive guest. It indicates that the port is allocated dynamically when the guest is booted. When the guest is running libvirt should tell you what the actual port number is when querying the XML config. Not sure why your seeing such a password validity date. I would need to see the full original XML that the guest was booted with, and details of whether VDSM had issued the API call to update the passwd after booting
This is how the XML looks like. <domain type="kvm"> <name>libvirt-nfs2-desk-10</name> <uuid>f3abace3-c078-4d9c-81b7-2b4b8052b56c</uuid> <memory>524288</memory> <currentMemory>524288</currentMemory> <vcpu>1</vcpu> <devices> <disk device="disk" type="file"> <source file="/rhev/data-center/fb89b279-1019-456b-be42-fb4d35587970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91"/> <target bus="ide" dev="hda"/> <serial>59-9ebb-9c1ace60629a</serial> <driver cache="none" name="qemu" type="qcow2"/> </disk> <controller index="0" ports="16" type="virtio-serial"/> <channel type="unix"> <target name="org.linux-kvm.port.0" type="virtio"/> <source mode="bind" path="/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0"/> </channel> <interface type="bridge"> <mac address="00:1a:4a:23:71:2e"/> <model type="virtio"/> <source bridge="rhevm"/> </interface> <input bus="usb" type="tablet"/> <video> <model heads="1" type="qxl" vram="65536"/> </video> <graphics autoport="yes" keymap="en-us" listen="0" passwd="12345" passwdValidTo="1970-01-01T00:00:01" port="-1" tlsPort="-1" type="spice"> <channel mode="secure" name="main"/> <channel mode="secure" name="inputs"/> <channel mode="secure" name="cursor"/> <channel mode="secure" name="playback"/> <channel mode="secure" name="record"/> <channel mode="secure" name="display"/> </graphics> </devices> <os> <type arch="x86_64" machine="pc">hvm</type> <boot dev="hd"/> </os> <clock adjustment="10800" offset="variable"/> <features> <acpi/> </features> <cpu match="exact"> <model>qemu64</model> <topology cores="1" sockets="1" threads="1"/> <feature name="nx" policy="disable"/> <feature name="sse2" policy="require"/> <feature name="svm" policy="disable"/> </cpu> </domain> and the qemu command from libvrt/qemu/ log: LC_ALL=C PATH=/sbin:/usr/sbin:/bin:/usr/bin QEMU_AUDIO_DRV=spice /usr/libexec/qemu-kvm -S -M rhel6.0.0 -cpu qemu64,-svm,-nx -enable-kvm -m 51 2 -smp 1,sockets=1,cores=1,threads=1 -name libvirt-nfs2-desk-10 -uuid f3abace3-c078-4d9c-81b7-2b4b8052b56c -nodefaults -chardev socket,id=mon itor,path=/var/lib/libvirt/qemu/libvirt-nfs2-desk-10.monitor,server,nowait -mon chardev=monitor,mode=control -rtc base=2010-5-10T16:4:59 -boo t c -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x5 -drive file=/rhev/data-center/fb89b279-1019-456b-be42-fb4d355 87970/cfc7045f-89b5-4f67-96e6-15e3bc3b0f31/images/f7da02af-f191-4359-9ebb-9c1ace60629a/0369972a-993c-4716-9c66-4db66f757d91,if=none,id=drive- ide0-0-0,boot=on,format=qcow2,serial=59-9ebb-9c1ace60629a,cache=none -device ide-drive,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0 -net dev tap,fd=21,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:23:71:2e,bus=pci.0,addr=0x4 -chardev socket,id=channel0 ,path=/var/lib/libvirt/qemu/channels/libvirt-nfs2-desk-10.org.linux-kvm.port.0,server,nowait -device virtserialport,chardev=channel0,name=org .linux-kvm.port.0 -usb -device usb-tablet,id=input0 -spice port=5900,tls-port=5901,addr=0,x509-dir=/etc/pki/libvirt-spice,tls-channel=main,tl s-channel=display,tls-channel=inputs,tls-channel=cursor,tls-channel=playback,tls-channel=record -k en-us -vga qxl -device virtio-balloon-pci, id=balloon0,bus=pci.0,addr=0x3