On 15.04.2014 09:01, Kekane, Abhishek wrote:
Hi All,
Greetings!!!
We are using the KVM hypervisor driver for running OpenStack IaaS. A couple of
months back we reported a security issue [1] in OS.
Basically we want to limit the number of VNC client connections that
can be opened by users for a given VM.
From libvirt 1.0.6 version onwards share policy feature is supported
to control the way consoles are accessed by the user.
Presently it is possible to configure share policy for vnc in 3
different ways:-
1. allow-exclusive, allows clients to ask for exclusive access by
dropping other connections
2. force-share, this is the default value; it allows multiple clients to
connect to the console in parallel, sharing the same session
3. ignore, welcomes every connection unconditionally
In OpenStack Nova, for the libvirt driver, I am able to configure the
sharePolicy value on the graphics element of the domain's XML.

<graphics type="vnc" autoport="yes" keymap="en-us"
          listen="127.0.0.1"
          sharePolicy="force-shared">
  <listen type='address' address='127.0.0.1'/>
</graphics>

<graphics type="vnc" autoport="yes" keymap="en-us"
          listen="127.0.0.1"
          sharePolicy="allow-exclusive">
  <listen type='address' address='127.0.0.1'/>
</graphics>

<graphics type="vnc" autoport="yes" keymap="en-us"
          listen="127.0.0.1"
          sharePolicy="ignore">
  <listen type='address' address='127.0.0.1'/>
</graphics>

But while testing I am not able to get expected results for
allow-exclusive and ignore sharePolicy.
For allow-exclusive sharePolicy previous connections are not getting
dropped and console contents are getting shared among all open consoles.
For ignore sharePolicy also contents are getting shared among all open
consoles.
I am using libvirt version 1.1.1 and qemu version is 1.5.0.
If libvirt is constructing the qemu command line properly (look for -vnc
...,share=force-shared) then I'd say it's a qemu bug.
Michal
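
Added example (not part of the original thread, and not libvirt or Nova code): one way to carry out the check suggested in the reply above, comparing the sharePolicy in the domain XML with the share= option on the running qemu's -vnc argument. The domain XML and the NUL-separated command line (the format of /proc/<pid>/cmdline) are constructed samples, and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

def xml_share_policy(domain_xml):
    """Return sharePolicy of the first VNC <graphics> element, or None."""
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") == "vnc":
            return g.get("sharePolicy")
    return None

def argv_from_proc_cmdline(raw):
    """Split the NUL-separated bytes of /proc/<pid>/cmdline into arguments."""
    return [a.decode() for a in raw.split(b"\0") if a]

def qemu_vnc_share(argv):
    """Return the share= value from the argument following -vnc, or None."""
    for i, arg in enumerate(argv[:-1]):
        if arg == "-vnc":
            # First comma-separated field is the display; the rest are options.
            for opt in argv[i + 1].split(",")[1:]:
                key, _, value = opt.partition("=")
                if key == "share":
                    return value
    return None

def check(domain_xml, raw_cmdline):
    """Compare the configured policy with what reached qemu's command line."""
    want = xml_share_policy(domain_xml)
    got = qemu_vnc_share(argv_from_proc_cmdline(raw_cmdline))
    return ("match" if want == got else "mismatch"), want, got

# Constructed sample domain XML (same <graphics> shape as in the thread).
SAMPLE_XML = """<domain type='kvm'><name>instance-00000001</name><devices>
<graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
          sharePolicy="allow-exclusive">
  <listen type='address' address='127.0.0.1'/>
</graphics></devices></domain>"""

# Constructed sample command lines, as read from /proc/<pid>/cmdline.
CMDLINE_WITH_SHARE = (b"qemu-system-x86_64\0-name\0instance-00000001\0"
                      b"-vnc\x00127.0.0.1:0,share=allow-exclusive\0")
CMDLINE_WITHOUT_SHARE = (b"qemu-system-x86_64\0-name\0instance-00000001\0"
                         b"-vnc\x00127.0.0.1:0\0")

if __name__ == "__main__":
    print(check(SAMPLE_XML, CMDLINE_WITH_SHARE))
    print(check(SAMPLE_XML, CMDLINE_WITHOUT_SHARE))
```

A "match" result means the policy from the XML reached qemu's command line, which is the condition under which the reply attributes the remaining behaviour to qemu; a "mismatch" means the configured value never reached the -vnc argument.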