On Tue, Sep 22, 2020 at 04:28:51PM +0400, Roman Bogorodskiy wrote:
From: Fabian Freyer <fabian.freyer(a)physik.tu-berlin.de>

Support setting a password for the VNC framebuffer using the passwd
attribute on the <graphics/> element, if the driver has the
BHYVE_CAP_VNC_PASSWORD capability.

Note that virsh domxml-from-native does not output the password in the
generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when
formatting the domain definition.

Signed-off-by: Fabian Freyer <fabian.freyer(a)physik.tu-berlin.de>
Signed-off-by: Roman Bogorodskiy <bogorodskiy(a)gmail.com>
---
NEWS.rst | 7 +++
src/bhyve/bhyve_command.c | 33 +++++++++-----
src/bhyve/bhyve_parse_command.c | 5 +++
.../bhyveargv2xml-vnc-password.args | 10 +++++
.../bhyveargv2xml-vnc-password.xml | 22 ++++++++++
tests/bhyveargv2xmltest.c | 3 +-
.../bhyvexml2argv-vnc-password-comma.xml | 26 +++++++++++
.../bhyvexml2argv-vnc-password.args | 12 +++++
.../bhyvexml2argv-vnc-password.ldargs | 1 +
.../bhyvexml2argv-vnc-password.xml | 26 +++++++++++
tests/bhyvexml2argvtest.c | 8 +++-
.../bhyvexml2xmlout-vnc-password.xml | 44 +++++++++++++++++++
tests/bhyvexml2xmltest.c | 1 +
13 files changed, 185 insertions(+), 13 deletions(-)
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/NEWS.rst b/NEWS.rst
index bb48f5bd43..c949cb941b 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -25,6 +25,13 @@ v6.8.0 (unreleased)
Libvirt can now set the framebuffer's "w" and "h"
parameters
using the ``resolution`` element.
+ * bhyve: Support VNC password authentication
+
+ Libvirt can now probe whether the bhyve binary supports
+ VNC password authentication. In case it does, a VNC password
+ can now be passed using the ``passwd`` attribute on
+ the ``<graphics>`` element.
+
* **Improvements**
* qemu: Allow migration over UNIX sockets
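Review bot: the NEWS entry for "bhyve: Support VNC password authentication" does not mention that a password containing ',' is rejected, which is a user-visible restriction introduced by the check in bhyve_command.c. Consider adding one sentence about it here, and "In case it does" would read more naturally as "If it does".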
diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
index 176a339d5a..1b48438168 100644
--- a/src/bhyve/bhyve_command.c
+++ b/src/bhyve/bhyve_command.c
@@ -424,17 +424,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
return -1;
}
- if (graphics->data.vnc.auth.passwd) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("vnc password auth not supported"));
- return -1;
- } else {
- /* Bhyve doesn't support VNC Auth yet, so print a warning about
- * unauthenticated VNC sessions */
- VIR_WARN("%s", _("Security warning: currently VNC auth is
not"
- " supported."));
- }
-
if (glisten->address) {
escapeAddr = strchr(glisten->address, ':') != NULL;
if (escapeAddr)
@@ -468,6 +457,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
return -1;
}
+ if (graphics->data.vnc.auth.passwd) {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("VNC Passwort authentication not supported "
s/Passwort/Password/
+ "by bhyve"));
+ return -1;
+ }
+
+ if (strchr(graphics->data.vnc.auth.passwd, ',')) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Password may not contain ','
character"));
+ return -1;
+ }
+
+ virBufferAsprintf(&opt, ",password=%s",
graphics->data.vnc.auth.passwd);
+ } else {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD))
+ VIR_WARN("%s", _("Security warning: VNC auth is not
supported."));
+ else
+ VIR_WARN("%s", _("Security warning: VNC is used without
authentication."));
+ }
+
if (video->res)
virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x,
video->res->y);
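Review bot: in the new passwd branch of bhyveBuildGraphicsArgStr, `virBufferAsprintf(&opt, ",password=%s", ...)` puts the VNC password into the bhyve argument string, so it is readable by anyone on the host who can list process arguments and it appears wherever the built command line is logged or displayed. If bhyve has no way to take the password from a file or descriptor, that exposure is worth documenting next to the `passwd` attribute. As a smaller style point, `bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD` is evaluated in both branches; computing it once into a local would make the error path and the two warnings easier to follow.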
With typo fixed:
Reviewed-by: Daniel P. Berrangé <berrange(a)redhat.com>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|