
16 Apr 2014, 10:47 a.m.
On 15.04.2014 09:01, Kekane, Abhishek wrote:
> Hi All,
> Greetings!!!
>
> We are using KVM hypervisor driver for running OpenStack IaaS. Couple of
> months back we have reported one security issue [1] in OS.
> Basically we want to limit on the number of vnc client connections that
> can be opened by users for a given VM.
>
> From libvirt 1.0.6 version onwards share policy feature is supported
> to control the way consoles are accessed by the user.
> Presently it is possible to configure share policy for vnc in 3
> different ways:-
> 1. allow-exclusive, allows clients to ask for exclusive access by
>    dropping other connections
> 2. force-share, This is the default value, It allows multiple clients to
>    connect to the console in parallel sharing the same session
> 3. ignore, welcomes every connection unconditionally
>
> In openstack nova for libvirt driver I am able to configure the
> sharePolicy value to graphics element of domain's xml.
>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>           sharePolicy="force-shared">
>   <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>           sharePolicy="allow-exclusive">
>   <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>           sharePolicy="ignore">
>   <listen type='address' address='127.0.0.1'/>
> </graphics>
>
> But while testing I am not able to get expected results for
> allow-exclusive and ignore sharePolicy.
> For allow-exclusive sharePolicy previous connections are not getting
> dropped and console contents are getting shared among all open consoles.
> For ignore sharePolicy also contents are getting shared among all open
> consoles.
>
> I am using libvirt version 1.1.1 and qemu version is 1.5.0.

If libvirt is constructing the qemu command line properly (look for
-vnc ...,share=force-shared) then I'd say it's a qemu bug.

Michal
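The check suggested in the reply above, written out as an added example (not part of the original thread, and not libvirt or QEMU code): it compares the sharePolicy in the domain XML with the share= option on the qemu -vnc argument to show whether the policy is lost before qemu starts or inside it. The sample XML and command lines are constructed, and the function names are hypothetical.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the XML quoted in the thread.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <graphics type='vnc' autoport='yes' keymap='en-us' listen='127.0.0.1'
              sharePolicy='allow-exclusive'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>"""
QEMU_CMDLINE_OK = ("/usr/bin/qemu-system-x86_64 -name vm1 "
                   "-vnc 127.0.0.1:0,share=allow-exclusive -k en-us")
QEMU_CMDLINE_MISSING = ("/usr/bin/qemu-system-x86_64 -name vm1 "
                        "-vnc 127.0.0.1:0 -k en-us")


def xml_share_policies(domain_xml):
    """Return the sharePolicy of each VNC <graphics> element (None if unset)."""
    root = ET.fromstring(domain_xml)
    return [g.get("sharePolicy") for g in root.iter("graphics")
            if g.get("type") == "vnc"]


def cmdline_share_options(cmdline):
    """Return the share= value of each -vnc argument (None if absent)."""
    argv = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(argv[:-1]):
        if arg != "-vnc":
            continue
        opts = argv[i + 1].split(",")[1:]  # first field is the display address
        kv = dict(o.split("=", 1) for o in opts if "=" in o)
        found.append(kv.get("share"))
    return found


def check(domain_xml, cmdline):
    """Classify where the configured share policy stops being honoured."""
    wanted = xml_share_policies(domain_xml)
    if not wanted:
        return "no-vnc-graphics"
    if wanted == cmdline_share_options(cmdline):
        return "cmdline-matches-xml"   # libvirt passed it on; suspect qemu
    return "cmdline-differs-from-xml"  # policy lost before qemu was started


if __name__ == "__main__":
    print(check(DOMAIN_XML, QEMU_CMDLINE_OK))
    print(check(DOMAIN_XML, QEMU_CMDLINE_MISSING))
```

On a real host the two inputs would be the output of `virsh dumpxml <domain>` and the command line of the running qemu process.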