Support setting a password for the VNC framebuffer using the passwd
attribute on the <graphics/> element, if the driver has the
BHYVE_CAP_VNC_PASSWORD capability.
Note that virsh domxml-from-native does not output the password in the
generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when
formatting the domain definition.
Signed-off-by: Fabian Freyer <fabian.freyer(a)physik.tu-berlin.de>
---
docs/news.xml | 11 +++++
src/bhyve/bhyve_command.c | 33 ++++++++++-----
src/bhyve/bhyve_parse_command.c | 5 +++
.../bhyveargv2xml-vnc-password.args | 10 +++++
.../bhyveargv2xml-vnc-password.xml | 22 ++++++++++
tests/bhyveargv2xmltest.c | 3 +-
.../bhyvexml2argv-vnc-password-comma.xml | 26 ++++++++++++
.../bhyvexml2argv-vnc-password.args | 12 ++++++
.../bhyvexml2argv-vnc-password.ldargs | 1 +
.../bhyvexml2argv-vnc-password.xml | 26 ++++++++++++
tests/bhyvexml2argvtest.c | 7 +++-
.../bhyvexml2xmlout-vnc-password.xml | 41 +++++++++++++++++++
tests/bhyvexml2xmltest.c | 1 +
13 files changed, 185 insertions(+), 13 deletions(-)
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/docs/news.xml b/docs/news.xml
index d728dfa93c..bd951c2e04 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -44,6 +44,17 @@
<libvirt>
<release version="v6.4.0" date="unreleased">
<section title="New features">
+ <change>
+ <summary>
+ bhyve: support VNC password authentication
+ </summary>
+ <description>
+ libvirt can now probe whether the bhyve binary supports
+ VNC password authentication. In case it does, a VNC password
+ can now be passed using the <code>passwd</code> attribute on
+ the <code>graphics</code> element.
+ </description>
+ </change>
<change>
<summary>
bhyve: support setting the framebuffer resolution
diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
index db35cb9bd8..369278214c 100644
--- a/src/bhyve/bhyve_command.c
+++ b/src/bhyve/bhyve_command.c
@@ -425,17 +425,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
goto error;
}
- if (graphics->data.vnc.auth.passwd) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("vnc password auth not supported"));
- goto error;
- } else {
- /* Bhyve doesn't support VNC Auth yet, so print a warning about
- * unauthenticated VNC sessions */
- VIR_WARN("%s", _("Security warning: currently VNC auth is
not"
- " supported."));
- }
-
if (glisten->address) {
escapeAddr = strchr(glisten->address, ':') != NULL;
if (escapeAddr)
@@ -469,6 +458,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
goto error;
}
+ if (graphics->data.vnc.auth.passwd) {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("VNC Passwort authentication not supported "
+ "by bhyve"));
+ goto error;
+ }
+
+ if (strchr(graphics->data.vnc.auth.passwd, ',')) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Password may not contain ','
character"));
+ goto error;
+ }
+
+ virBufferAsprintf(&opt, ",password=%s",
graphics->data.vnc.auth.passwd);
+ } else {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD))
+ VIR_WARN("%s", _("Security warning: VNC auth is not
supported."));
+ else
+ VIR_WARN("%s", _("Security warning: VNC is used without
authentication."));
+ }
+
if (video->res)
virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x,
video->res->y);
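Review bot: The error string on the `_("VNC Passwort authentication not supported "` line has a typo ("Passwort"); it should read `_("VNC password authentication not supported "` so the message users see is English and matches the lower-case style of the other messages in this function. Separately, `virBufferAsprintf(&opt, ",password=%s", ...)` puts the plaintext password into the bhyve argv (the new .args fixtures show `password=s3cr3t` verbatim), where it is readable by other local users through process listings; if that is unavoidable with bhyve's fbuf option, say so in a comment above the call, e.g. `/* bhyve takes the VNC password as an fbuf option, so it is visible in the host's process argument list */`, so the trade-off is documented rather than implied. `bhyveDriverGetBhyveCaps(driver)` is also evaluated in both branches; hoisting it into a local before the `if` removes the duplicate call and makes it obvious that the error and the warning test the same capability. bhyveBuildGraphicsArgStr continues outside the hunk.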
diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c
index 0414cb1ef1..af990f8e51 100644
--- a/src/bhyve/bhyve_parse_command.c
+++ b/src/bhyve/bhyve_parse_command.c
@@ -640,6 +640,11 @@ bhyveParsePCIFbuf(virDomainDefPtr def,
if (virStrToLong_uip(param, NULL, 10, &video->res->y))
goto error;
}
+
+ if (STRPREFIX(param, "password=")) {
+ param += strlen("password=");
+ graphics->data.vnc.auth.passwd = g_strdup(param);
+ }
}
cleanup:
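Review bot: The `graphics->data.vnc.auth.passwd = g_strdup(param);` assignment does not release a previous value, so if `password=` occurs more than once in the fbuf option string the earlier copy is leaked; if the enclosing braces belong to the per-option loop, as they appear to, a `g_free(graphics->data.vnc.auth.passwd);` immediately before the assignment lets the last occurrence win without leaking. bhyveParsePCIFbuf starts before the hunk and its cleanup path is only partly visible, so whether the copied password is freed when the function later fails cannot be confirmed here. The new block is also separated from the preceding `res` handling only by a blank line, while the earlier options appear to be parsed in an if-chain; a one-line comment such as `/* VNC password, passed through unchanged into the domain definition */` would make the intent clear to the next reader.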
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
new file mode 100644
index 0000000000..c16e970795
--- /dev/null
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
@@ -0,0 +1,10 @@
+/usr/sbin/bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-l bootrom,/path/to/test.fd \
+-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \
+-s 1,lpc bhyve
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
new file mode 100644
index 0000000000..456a1ee9e3
--- /dev/null
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
@@ -0,0 +1,22 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type>hvm</type>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>destroy</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <graphics type='vnc' port='5904' autoport='no'
listen='127.0.0.1' passwd='s3cr3t'>
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ <video>
+ <model type='default' heads='1'/>
+ </video>
+ </devices>
+</domain>
diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c
index 09d14e3fd0..5ec8c7f22a 100644
--- a/tests/bhyveargv2xmltest.c
+++ b/tests/bhyveargv2xmltest.c
@@ -77,7 +77,7 @@ testCompareXMLToArgvFiles(const char *xmlfile,
goto fail;
}
- if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, 0)))
+ if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt,
VIR_DOMAIN_DEF_FORMAT_SECURE)))
goto fail;
if (vmdef && virTestCompareToFile(actualxml, xmlfile) < 0)
@@ -200,6 +200,7 @@ mymain(void)
DO_TEST("vnc-vga-off");
DO_TEST("vnc-vga-io");
DO_TEST("vnc-resolution");
+ DO_TEST("vnc-password");
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
new file mode 100644
index 0000000000..76dd36f72a
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
@@ -0,0 +1,26 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ <loader readonly="yes"
type="pflash">/path/to/test.fd</loader>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0'
target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' passwd="in,valid">
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
new file mode 100644
index 0000000000..41b679b51f
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
@@ -0,0 +1,12 @@
+/usr/sbin/bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-l bootrom,/path/to/test.fd \
+-s 2:0,ahci,hd:/tmp/freebsd.img \
+-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
+-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \
+-s 1,lpc bhyve
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
new file mode 100644
index 0000000000..421376db9e
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
@@ -0,0 +1 @@
+dummy
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
new file mode 100644
index 0000000000..97925a74fc
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
@@ -0,0 +1,26 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ <loader readonly="yes"
type="pflash">/path/to/test.fd</loader>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0'
target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' passwd="s3cr3t">
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c
index b948f740bd..914aa0e54f 100644
--- a/tests/bhyvexml2argvtest.c
+++ b/tests/bhyvexml2argvtest.c
@@ -175,7 +175,7 @@ mymain(void)
driver.bhyvecaps = BHYVE_CAP_RTC_UTC | BHYVE_CAP_AHCI32SLOT | \
BHYVE_CAP_NET_E1000 | BHYVE_CAP_LPC_BOOTROM | \
BHYVE_CAP_FBUF | BHYVE_CAP_XHCI | \
- BHYVE_CAP_CPUTOPOLOGY;
+ BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_VNC_PASSWORD;
DO_TEST("base");
DO_TEST("wired");
@@ -207,6 +207,8 @@ mymain(void)
DO_TEST("vnc-vgaconf-io");
DO_TEST("vnc-autoport");
DO_TEST("vnc-resolution");
+ DO_TEST("vnc-password");
+ DO_TEST_FAILURE("vnc-password-comma");
DO_TEST("cputopology");
DO_TEST_FAILURE("cputopology-nvcpu-mismatch");
DO_TEST("commandline");
@@ -250,6 +252,9 @@ mymain(void)
driver.bhyvecaps &= ~BHYVE_CAP_CPUTOPOLOGY;
DO_TEST_FAILURE("cputopology");
+ driver.bhyvecaps &= ~BHYVE_CAP_VNC_PASSWORD;
+ DO_TEST_FAILURE("vnc-password");
+
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
virPortAllocatorRangeFree(driver.remotePorts);
diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
new file mode 100644
index 0000000000..4bacc94e94
--- /dev/null
+++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
@@ -0,0 +1,41 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64'>hvm</type>
+ <loader readonly='yes'
type='pflash'>/path/to/test.fd</loader>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <disk type='file' device='disk'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0'
target='2' unit='0'/>
+ </disk>
+ <controller type='pci' index='0' model='pci-root'/>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x02' function='0x0'/>
+ </controller>
+ <interface type='bridge'>
+ <mac address='52:54:00:00:00:00'/>
+ <source bridge='virbr0'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' autoport='no'
listen='127.0.0.1' passwd='s3cr3t'>
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ <video>
+ <model type='gop' heads='1' primary='yes'/>
+ <address type='pci' domain='0x0000' bus='0x00'
slot='0x04' function='0x0'/>
+ </video>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2xmltest.c b/tests/bhyvexml2xmltest.c
index f6e4d44b8a..4514fccf20 100644
--- a/tests/bhyvexml2xmltest.c
+++ b/tests/bhyvexml2xmltest.c
@@ -109,6 +109,7 @@ mymain(void)
DO_TEST_DIFFERENT("vnc-vgaconf-io");
DO_TEST_DIFFERENT("vnc-autoport");
DO_TEST_DIFFERENT("vnc-resolution");
+ DO_TEST_DIFFERENT("vnc-password");
DO_TEST_DIFFERENT("commandline");
DO_TEST_DIFFERENT("msrs");
--
2.19.2