
On Tue, Sep 22, 2020 at 04:28:51PM +0400, Roman Bogorodskiy wrote:
From: Fabian Freyer <fabian.freyer@physik.tu-berlin.de>
Support setting a password for the VNC framebuffer using the passwd attribute on the <graphics/> element, if the driver has the BHYVE_CAP_VNC_PASSWORD capability.
Note that virsh domxml-from-native does not output the password in the generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when formatting the domain definition.
Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@gmail.com>
---
 NEWS.rst | 7 +++
 src/bhyve/bhyve_command.c | 33 +++++++++-----
 src/bhyve/bhyve_parse_command.c | 5 +++
 .../bhyveargv2xml-vnc-password.args | 10 +++++
 .../bhyveargv2xml-vnc-password.xml | 22 ++++++++++
 tests/bhyveargv2xmltest.c | 3 +-
 .../bhyvexml2argv-vnc-password-comma.xml | 26 +++++++++++
 .../bhyvexml2argv-vnc-password.args | 12 +++++
 .../bhyvexml2argv-vnc-password.ldargs | 1 +
 .../bhyvexml2argv-vnc-password.xml | 26 +++++++++++
 tests/bhyvexml2argvtest.c | 8 +++-
 .../bhyvexml2xmlout-vnc-password.xml | 44 +++++++++++++++++++
 tests/bhyvexml2xmltest.c | 1 +
 13 files changed, 185 insertions(+), 13 deletions(-)
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
 create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/NEWS.rst b/NEWS.rst index bb48f5bd43..c949cb941b 100644 --- a/NEWS.rst +++ b/NEWS.rst @@ -25,6 +25,13 @@ v6.8.0 (unreleased) Libvirt can now set the framebuffer's "w" and "h" parameters using the ``resolution`` element.
+ * bhyve: Support VNC password authentication + + Libvirt can now probe whether the bhyve binary supports + VNC password authentication. In case it does, a VNC password + can now be passed using the ``passwd`` attribute on + the ``<graphics>`` element. + * **Improvements**
* qemu: Allow migration over UNIX sockets diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c index 176a339d5a..1b48438168 100644 --- a/src/bhyve/bhyve_command.c +++ b/src/bhyve/bhyve_command.c @@ -424,17 +424,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, return -1; }
- if (graphics->data.vnc.auth.passwd) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("vnc password auth not supported")); - return -1; - } else { - /* Bhyve doesn't support VNC Auth yet, so print a warning about - * unauthenticated VNC sessions */ - VIR_WARN("%s", _("Security warning: currently VNC auth is not" - " supported.")); - } - if (glisten->address) { escapeAddr = strchr(glisten->address, ':') != NULL; if (escapeAddr) @@ -468,6 +457,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, return -1; }
+ if (graphics->data.vnc.auth.passwd) { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VNC Passwort authentication not supported "
s/Passwort/Password/
+ "by bhyve")); + return -1; + } + + if (strchr(graphics->data.vnc.auth.passwd, ',')) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Password may not contain ',' character")); + return -1; + } + + virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd); + } else { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) + VIR_WARN("%s", _("Security warning: VNC auth is not supported.")); + else + VIR_WARN("%s", _("Security warning: VNC is used without authentication.")); + } + if (video->res) virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y);
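Review bot: The NEWS.rst entry says a VNC password can be passed using the ``passwd`` attribute but leaves out the restriction enforced in the bhyve_command.c hunk, where a password containing ',' is rejected with VIR_ERR_CONFIG_UNSUPPORTED ("Password may not contain ',' character"). Add one sentence to the entry stating that commas are not accepted, so a user whose domain definition is refused can find the reason in the release notes.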
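Review bot: In the second bhyve_command.c hunk, `virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd)` writes the cleartext password into the option string that bhyveBuildGraphicsArgStr assembles for the bhyve command line, so the secret becomes part of the process arguments, where it can be visible in the process listing and in anything that records the built command. Please say so in the NEWS.rst entry or the driver documentation, and check that no debug output of the assembled arguments prints it unmasked. Separately, `if (graphics->data.vnc.auth.passwd)` tests only for non-NULL, so an empty passwd value would emit a bare `,password=`; either reject the empty string explicitly alongside the ',' check or add a test case that pins the intended behaviour.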
With typo fixed:

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|