[PATCH 0/4] bhyve: framebuffer resolution and VNC password

Add support for setting the bhyve framebuffer resolution and probe whether bhyve supports VNC password authentication. If it does, allow setting the password. While we're here, also add support for parsing bhyve's framebuffer argument string.

Fabian Freyer (4):
  bhyve: support parsing fbuf PCI device
  bhyve: add support for setting fbuf resolution
  bhyve: probe for VNC password capability
  bhyve: add VNC password support

 docs/formatdomain.html.in | 2 +-
 docs/news.xml | 20 +++
 src/bhyve/bhyve_capabilities.c | 16 ++-
 src/bhyve/bhyve_capabilities.h | 1 +
 src/bhyve/bhyve_command.c | 36 ++++--
 src/bhyve/bhyve_parse_command.c | 116 +++++++++++++++++-
 src/libvirt_private.syms | 1 +
 .../bhyveargv2xml-vnc-listen.args | 10 ++
 .../bhyveargv2xml-vnc-listen.xml | 22 ++++
 .../bhyveargv2xml-vnc-password.args | 10 ++
 .../bhyveargv2xml-vnc-password.xml | 22 ++++
 .../bhyveargv2xml-vnc-resolution.args | 10 ++
 .../bhyveargv2xml-vnc-resolution.xml | 24 ++++
 .../bhyveargv2xml-vnc-vga-io.args | 10 ++
 .../bhyveargv2xml-vnc-vga-io.xml | 22 ++++
 .../bhyveargv2xml-vnc-vga-off.args | 10 ++
 .../bhyveargv2xml-vnc-vga-off.xml | 23 ++++
 .../bhyveargv2xml-vnc-vga-on.args | 10 ++
 .../bhyveargv2xml-vnc-vga-on.xml | 23 ++++
 .../bhyveargv2xmldata/bhyveargv2xml-vnc.args | 10 ++
 tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml | 22 ++++
 tests/bhyveargv2xmltest.c | 9 +-
 .../bhyvexml2argv-vnc-password-comma.xml | 26 ++++
 .../bhyvexml2argv-vnc-password.args | 12 ++
 .../bhyvexml2argv-vnc-password.ldargs | 1 +
 .../bhyvexml2argv-vnc-password.xml | 26 ++++
 .../bhyvexml2argv-vnc-resolution.args | 10 ++
 .../bhyvexml2argv-vnc-resolution.ldargs | 1 +
 .../bhyvexml2argv-vnc-resolution.xml | 20 +++
 tests/bhyvexml2argvtest.c | 8 +-
 .../bhyvexml2xmlout-vnc-password.xml | 41 +++++++
 .../bhyvexml2xmlout-vnc-resolution.xml | 28 +++++
 tests/bhyvexml2xmltest.c | 2 +
 33 files changed, 588 insertions(+), 16 deletions(-)
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.xml
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.args
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.ldargs
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.xml
 create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
 create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-resolution.xml
--
2.19.2

Add a new helper function, bhyveParsePCIFbuf, to parse the bhyve-argv parameters for a frame-buffer device to <graphics/> and <video/> definitions. For now, only the listen address, port, and vga mode are detected. Unsupported parameters are silently skipped. This involves upgrading the private API to expose the virDomainGraphicsDefNew helper function, which is used by bhyveParsePCIFbuf. Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de> --- src/bhyve/bhyve_parse_command.c | 91 ++++++++++++++++++- src/libvirt_private.syms | 1 + .../bhyveargv2xml-vnc-listen.args | 10 ++ .../bhyveargv2xml-vnc-listen.xml | 22 +++++ .../bhyveargv2xml-vnc-vga-io.args | 10 ++ .../bhyveargv2xml-vnc-vga-io.xml | 22 +++++ .../bhyveargv2xml-vnc-vga-off.args | 10 ++ .../bhyveargv2xml-vnc-vga-off.xml | 23 +++++ .../bhyveargv2xml-vnc-vga-on.args | 10 ++ .../bhyveargv2xml-vnc-vga-on.xml | 23 +++++ .../bhyveargv2xmldata/bhyveargv2xml-vnc.args | 10 ++ tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml | 22 +++++ tests/bhyveargv2xmltest.c | 5 + 13 files changed, 258 insertions(+), 1 deletion(-) create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.xml create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.xml create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.xml create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.xml create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c index 76423730d9..39cce67ea9 100644 --- a/src/bhyve/bhyve_parse_command.c +++ b/src/bhyve/bhyve_parse_command.c 
@@ -4,7 +4,7 @@ * Copyright (C) 2006-2016 Red Hat, Inc. * Copyright (C) 2006 Daniel P. Berrange * Copyright (c) 2011 NetApp, Inc. - * Copyright (C) 2016 Fabian Freyer + * Copyright (C) 2020 Fabian Freyer * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public 
@@ -552,6 +552,93 @@ bhyveParsePCINet(virDomainDefPtr def, return -1; } +static int +bhyveParsePCIFbuf(virDomainDefPtr def, + virDomainXMLOptionPtr xmlopt, + unsigned caps G_GNUC_UNUSED, + unsigned bus, + unsigned slot, + unsigned function, + const char *config) +{ + /* -s slot,fbuf,wait,vga=on|io|off,rfb=<ip>:port,w=width,h=height */ + + virDomainVideoDefPtr video = NULL; + virDomainGraphicsDefPtr graphics = NULL; + char **params = NULL; + char *param = NULL, *separator = NULL; + size_t nparams = 0; + unsigned int i = 0; + + if (!(video = virDomainVideoDefNew(xmlopt))) + goto cleanup; + + if (!(graphics = virDomainGraphicsDefNew(xmlopt))) + goto cleanup; + + graphics->type = VIR_DOMAIN_GRAPHICS_TYPE_VNC; + video->info.addr.pci.bus = bus; + video->info.addr.pci.slot = slot; + video->info.addr.pci.function = function; + + if (!config) + goto error; + + if (!(params = virStringSplitCount(config, ",", 0, &nparams))) + goto error; + + for (i = 0; i < nparams; i++) { + param = params[i]; + if (!video->driver && VIR_ALLOC(video->driver) < 0) + goto error; + + if (STREQ(param, "vga=on")) + video->driver->vgaconf = VIR_DOMAIN_VIDEO_VGACONF_ON; + + if (STREQ(param, "vga=io")) + video->driver->vgaconf = VIR_DOMAIN_VIDEO_VGACONF_IO; + + if (STREQ(param, "vga=off")) + video->driver->vgaconf = VIR_DOMAIN_VIDEO_VGACONF_OFF; + + if (STRPREFIX(param, "rfb=") || STRPREFIX(param, "tcp=")) { + /* fortunately, this is the same length as "tcp=" */ + param += strlen("rfb="); + + if (!(separator = strchr(param, ':'))) + goto error; + + *separator = '\0'; + + if (separator != param) + virDomainGraphicsListenAppendAddress(graphics, param); + else + /* Default to 127.0.0.1, just like bhyve does */ + virDomainGraphicsListenAppendAddress(graphics, "127.0.0.1"); + + param = ++separator; + if (virStrToLong_i(param, NULL, 10, &graphics->data.vnc.port)) + goto error; + } + } + + cleanup: + if (VIR_APPEND_ELEMENT(def->videos, def->nvideos, video) < 0) + goto error; + + if 
(VIR_APPEND_ELEMENT(def->graphics, def->ngraphics, graphics) < 0) + goto error; + + virStringListFree(params); + return 0; + + error: + virDomainVideoDefFree(video); + virDomainGraphicsDefFree(graphics); + virStringListFree(params); + return -1; +} + static int bhyveParseBhyvePCIArg(virDomainDefPtr def, virDomainXMLOptionPtr xmlopt, @@ -614,6 +701,8 @@ bhyveParseBhyvePCIArg(virDomainDefPtr def, else if (STREQ(emulation, "e1000")) bhyveParsePCINet(def, xmlopt, caps, bus, slot, function, VIR_DOMAIN_NET_MODEL_E1000, conf); + else if (STREQ(emulation, "fbuf")) + bhyveParsePCIFbuf(def, xmlopt, caps, bus, slot, function, conf); VIR_FREE(emulation); VIR_FREE(slotdef); diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 935ef7303b..6fed32bfb9 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -414,6 +414,7 @@ virDomainGraphicsAuthConnectedTypeFromString; virDomainGraphicsAuthConnectedTypeToString; virDomainGraphicsDefFree; virDomainGraphicsDefHasOpenGL; +virDomainGraphicsDefNew; virDomainGraphicsGetListen; virDomainGraphicsGetRenderNode; virDomainGraphicsListenAppendAddress; diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.args new file mode 100644 index 0000000000..b97b64a0dc --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=1.2.3.4:5900 \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.xml new file mode 100644 index 0000000000..4ab17aef81 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-listen.xml 
@@ -0,0 +1,22 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5900' autoport='no' listen='1.2.3.4'> + <listen type='address' address='1.2.3.4'/> + </graphics> + <video> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.args new file mode 100644 index 0000000000..f4c0067b79 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=:5900,vga=io \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.xml new file mode 100644 index 0000000000..1e2f3d6938 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-io.xml @@ -0,0 +1,22 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5900' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='default' heads='1'/> + </video> + </devices> +</domain> 
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.args new file mode 100644 index 0000000000..4bd5ed1027 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=:5900,vga=off \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.xml new file mode 100644 index 0000000000..3c9c76e5aa --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-off.xml @@ -0,0 +1,23 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5900' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <driver vgaconf='off'/> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.args new file mode 100644 index 0000000000..d17f347a39 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=:5900,vga=on \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.xml new file mode 100644 index 0000000000..b83772c47a --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-vga-on.xml 
@@ -0,0 +1,23 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5900' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <driver vgaconf='on'/> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.args new file mode 100644 index 0000000000..fd4178f0a8 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=:5900 \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml new file mode 100644 index 0000000000..1e2f3d6938 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc.xml @@ -0,0 +1,22 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5900' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c index 735cc4b338..88690ba304 100644 
--- a/tests/bhyveargv2xmltest.c +++ b/tests/bhyveargv2xmltest.c @@ -194,6 +194,11 @@ mymain(void) DO_TEST_FAIL("bhyveload-memsize-fail"); DO_TEST("bhyveload-bootorder"); DO_TEST_FAIL("extraargs"); + DO_TEST("vnc"); + DO_TEST("vnc-listen"); + DO_TEST("vnc-vga-on"); + DO_TEST("vnc-vga-off"); + DO_TEST("vnc-vga-io"); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); -- 2.19.2
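
Review bot: In bhyveParsePCIFbuf the two allocation checks at the top jump to "cleanup" rather than "error", so when virDomainVideoDefNew() or virDomainGraphicsDefNew() fails the function goes on to VIR_APPEND_ELEMENT a NULL video or graphics pointer onto def and returns 0. Both checks should "goto error". Since "cleanup:" is really the success path, it would also read better to place the two appends directly after the loop and drop the label.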
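
Review bot: The rfb=/tcp= branch of bhyveParsePCIFbuf splits host and port with strchr(param, ':'), which finds the first colon, so a listen address that itself contains ':' (IPv6) is cut inside the address and the port parse then fails; splitting on the last colon would avoid that. In the same branch the return value of virDomainGraphicsListenAppendAddress() is not checked, and the value parsed by virStrToLong_i is stored in graphics->data.vnc.port without a range check, so a negative number or one above 65535 is accepted. Because bhyveParseBhyvePCIArg ignores the return value of bhyveParsePCIFbuf, a parse failure drops the device without any report; argv2xml tests for an IPv6 listen address and a malformed port would pin the intended behaviour down.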

The resolution of the VNC framebuffer can now be set via the resolution definition introduced in 5.9.0. Also, add "gop" to the list of model types the <resolution/> sub-element is valid for. Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de> --- docs/formatdomain.html.in | 2 +- docs/news.xml | 9 ++++++ src/bhyve/bhyve_command.c | 3 ++ src/bhyve/bhyve_parse_command.c | 20 +++++++++++++ .../bhyveargv2xml-vnc-resolution.args | 10 +++++++ .../bhyveargv2xml-vnc-resolution.xml | 24 ++++++++++++++++ tests/bhyveargv2xmltest.c | 1 + .../bhyvexml2argv-vnc-resolution.args | 10 +++++++ .../bhyvexml2argv-vnc-resolution.ldargs | 1 + .../bhyvexml2argv-vnc-resolution.xml | 20 +++++++++++++ tests/bhyvexml2argvtest.c | 1 + .../bhyvexml2xmlout-vnc-resolution.xml | 28 +++++++++++++++++++ tests/bhyvexml2xmltest.c | 1 + 13 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-resolution.xml diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in index 23eb029234..06bbbf7fea 100644 --- a/docs/formatdomain.html.in +++ b/docs/formatdomain.html.in @@ -7543,7 +7543,7 @@ qemu-kvm -net nic,model=? /dev/null element may also have an optional <code>resolution</code> sub-element. The <code>resolution</code> element has attributes <code>x</code> and <code>y</code> to set the minimum resolution for the video device. This - sub-element is valid for model types "vga", "qxl", "bochs", and + sub-element is valid for model types "vga", "qxl", "bochs", "gop", and "virtio". </p> </dd> 
diff --git a/docs/news.xml b/docs/news.xml index 4cef804aac..d728dfa93c 100644 --- a/docs/news.xml +++ b/docs/news.xml @@ -44,6 +44,15 @@ <libvirt> <release version="v6.4.0" date="unreleased"> <section title="New features"> + <change> + <summary> + bhyve: support setting the framebuffer resolution + </summary> + <description> + libvirt can now set the framebuffer's "w" and "h" parameters + using the <code>resolution</code> element. + </description> + </change> </section> <section title="Improvements"> </section> diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c index 5b1d80083a..db35cb9bd8 100644 --- a/src/bhyve/bhyve_command.c +++ b/src/bhyve/bhyve_command.c @@ -469,6 +469,9 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, goto error; } + if (video->res) + virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y); + if (video->driver) virBufferAsprintf(&opt, ",vga=%s", virDomainVideoVGAConfTypeToString(video->driver->vgaconf)); diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c index 39cce67ea9..0414cb1ef1 100644 --- a/src/bhyve/bhyve_parse_command.c +++ b/src/bhyve/bhyve_parse_command.c @@ -620,6 +620,26 @@ bhyveParsePCIFbuf(virDomainDefPtr def, if (virStrToLong_i(param, NULL, 10, &graphics->data.vnc.port)) goto error; } + + if (STRPREFIX(param, "w=")) { + param += strlen("w="); + + if (video->res == NULL) + video->res = g_new0(virDomainVideoResolutionDef, 1); + + if (virStrToLong_uip(param, NULL, 10, &video->res->x)) + goto error; + } + + if (STRPREFIX(param, "h=")) { + param += strlen("h="); + + if (video->res == NULL) + video->res = g_new0(virDomainVideoResolutionDef, 1); + + if (virStrToLong_uip(param, NULL, 10, &video->res->y)) + goto error; + } } cleanup: diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.args new file mode 100644 index 0000000000..e5e2c0f2e8 --- /dev/null 
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=127.0.0.1:5904,w=1920,h=1080 \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.xml new file mode 100644 index 0000000000..f8fa0ed1ce --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-resolution.xml @@ -0,0 +1,24 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='default' heads='1'> + <resolution x='1920' y='1080'/> + </model> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c index 88690ba304..09d14e3fd0 100644 --- a/tests/bhyveargv2xmltest.c +++ b/tests/bhyveargv2xmltest.c @@ -199,6 +199,7 @@ mymain(void) DO_TEST("vnc-vga-on"); DO_TEST("vnc-vga-off"); DO_TEST("vnc-vga-io"); + DO_TEST("vnc-resolution"); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.args b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.args new file mode 100644 index 0000000000..e5e2c0f2e8 --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,fbuf,tcp=127.0.0.1:5904,w=1920,h=1080 \ +-s 1,lpc bhyve 
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.ldargs b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.ldargs new file mode 100644 index 0000000000..421376db9e --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.ldargs @@ -0,0 +1 @@ +dummy diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.xml new file mode 100644 index 0000000000..637a121fb7 --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-resolution.xml @@ -0,0 +1,20 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory>219136</memory> + <vcpu>1</vcpu> + <os> + <type>hvm</type> + <loader readonly="yes" type="pflash">/path/to/test.fd</loader> + </os> + <devices> + <video> + <model type='gop' heads='1' primary='yes'> + <resolution x="1920" y="1080"/> + </model> + </video> + <graphics type='vnc' port='5904'> + <listen type='address' address='127.0.0.1'/> + </graphics> + </devices> +</domain> diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c index 9e7eb218b8..b948f740bd 100644 --- a/tests/bhyvexml2argvtest.c +++ b/tests/bhyvexml2argvtest.c @@ -206,6 +206,7 @@ mymain(void) DO_TEST("vnc-vgaconf-off"); DO_TEST("vnc-vgaconf-io"); DO_TEST("vnc-autoport"); + DO_TEST("vnc-resolution"); DO_TEST("cputopology"); DO_TEST_FAILURE("cputopology-nvcpu-mismatch"); DO_TEST("commandline"); diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-resolution.xml b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-resolution.xml new file mode 100644 index 0000000000..958da4f82c --- /dev/null +++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-resolution.xml 
@@ -0,0 +1,28 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64'>hvm</type> + <loader readonly='yes' type='pflash'>/path/to/test.fd</loader> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <controller type='pci' index='0' model='pci-root'/> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='gop' heads='1' primary='yes'> + <resolution x='1920' y='1080'/> + </model> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </video> + </devices> +</domain> diff --git a/tests/bhyvexml2xmltest.c b/tests/bhyvexml2xmltest.c index a0c20a14c1..f6e4d44b8a 100644 --- a/tests/bhyvexml2xmltest.c +++ b/tests/bhyvexml2xmltest.c @@ -108,6 +108,7 @@ mymain(void) DO_TEST_DIFFERENT("vnc-vgaconf-off"); DO_TEST_DIFFERENT("vnc-vgaconf-io"); DO_TEST_DIFFERENT("vnc-autoport"); + DO_TEST_DIFFERENT("vnc-resolution"); DO_TEST_DIFFERENT("commandline"); DO_TEST_DIFFERENT("msrs"); -- 2.19.2
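
Review bot: In the bhyve_command.c hunk, ",w=%d,h=%d" formats video->res->x and video->res->y with %d, while the parser side of this same patch fills those fields through virStrToLong_uip, so they are unsigned int. Use %u so that large values are not printed as negative numbers.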
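
Review bot: In the bhyve_parse_command.c hunk, the w= and h= branches each allocate video->res on their own, so a device string that carries only one of the two leaves the other dimension at 0 in the resulting definition. Either require both or discard the resolution when one is missing, and add an argv2xml test for the single-parameter case. The two branches differ only in the field they write, so a small helper would remove the duplicated allocation and conversion.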

Introduces the BHYVE_CAP_VNC_PASSWORD capability, which is probed by parsing the error message from the bhyve command. When it is not supported, bhyve -s 0,fbuf,password= will return an error message. Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de> --- src/bhyve/bhyve_capabilities.c | 16 +++++++++++++++- src/bhyve/bhyve_capabilities.h | 1 + 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/bhyve/bhyve_capabilities.c b/src/bhyve/bhyve_capabilities.c index fb8829d571..59783f8576 100644 --- a/src/bhyve/bhyve_capabilities.c +++ b/src/bhyve/bhyve_capabilities.c @@ -3,7 +3,7 @@ * * Copyright (C) 2014 Roman Bogorodskiy * Copyright (C) 2014 Semihalf - * Copyright (C) 2016 Fabian Freyer + * Copyright (C) 2020 Fabian Freyer * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -323,6 +323,17 @@ bhyveProbeCapsXHCIController(unsigned int *caps, char *binary) } +static int +bhyveProbeCapsVNCPassword(unsigned int *caps, char *binary) +{ + return bhyveProbeCapsDeviceHelper(caps, binary, + "-s", + "0,fbuf,password=", + "Invalid fbuf emulation \"password\"", + BHYVE_CAP_VNC_PASSWORD); +} + + int virBhyveProbeCaps(unsigned int *caps) { @@ -351,6 +362,9 @@ virBhyveProbeCaps(unsigned int *caps) if ((ret = bhyveProbeCapsXHCIController(caps, binary))) goto out; + if ((ret = bhyveProbeCapsVNCPassword(caps, binary))) + goto out; + out: VIR_FREE(binary); return ret; diff --git a/src/bhyve/bhyve_capabilities.h b/src/bhyve/bhyve_capabilities.h index 12926cf423..89f4b0308e 100644 --- a/src/bhyve/bhyve_capabilities.h +++ b/src/bhyve/bhyve_capabilities.h @@ -49,6 +49,7 @@ typedef enum { BHYVE_CAP_FBUF = 1 << 4, BHYVE_CAP_XHCI = 1 << 5, BHYVE_CAP_CPUTOPOLOGY = 1 << 6, + BHYVE_CAP_VNC_PASSWORD = 1 << 7, } virBhyveCapsFlags; int virBhyveProbeGrubCaps(virBhyveGrubCapsFlags *caps); -- 2.19.2
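
Review bot: bhyveProbeCapsVNCPassword decides the capability by matching the literal string "Invalid fbuf emulation \"password\"" in bhyve's output, and nothing in the hunk documents that dependency. Add a comment above the function stating that, as the commit message describes, the capability is inferred from whether bhyve prints this exact message for "-s 0,fbuf,password=", so that a later change to bhyve's error wording is recognised as affecting the probe. The new BHYVE_CAP_VNC_PASSWORD enum value would also benefit from a one-line comment saying what it gates.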

Support setting a password for the VNC framebuffer using the passwd attribute on the <graphics/> element, if the driver has the BHYVE_CAP_VNC_PASSWORD capability. Note that virsh domxml-from-native does not output the password in the generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when formatting the domain definition. Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de> --- docs/news.xml | 11 +++++ src/bhyve/bhyve_command.c | 33 ++++++++++----- src/bhyve/bhyve_parse_command.c | 5 +++ .../bhyveargv2xml-vnc-password.args | 10 +++++ .../bhyveargv2xml-vnc-password.xml | 22 ++++++++++ tests/bhyveargv2xmltest.c | 3 +- .../bhyvexml2argv-vnc-password-comma.xml | 26 ++++++++++++ .../bhyvexml2argv-vnc-password.args | 12 ++++++ .../bhyvexml2argv-vnc-password.ldargs | 1 + .../bhyvexml2argv-vnc-password.xml | 26 ++++++++++++ tests/bhyvexml2argvtest.c | 7 +++- .../bhyvexml2xmlout-vnc-password.xml | 41 +++++++++++++++++++ tests/bhyvexml2xmltest.c | 1 + 13 files changed, 185 insertions(+), 13 deletions(-) create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml diff --git a/docs/news.xml b/docs/news.xml index d728dfa93c..bd951c2e04 100644 --- a/docs/news.xml +++ b/docs/news.xml 
@@ -44,6 +44,17 @@ <libvirt> <release version="v6.4.0" date="unreleased"> <section title="New features"> + <change> + <summary> + bhyve: support VNC password authentication + </summary> + <description> + libvirt can now probe whether the bhyve binary supports + VNC password authentication. In case it does, a VNC password + can now be passed using the <code>passwd</code> attribute on + the <code>graphics</code> element. + </description> + </change> <change> <summary> bhyve: support setting the framebuffer resolution diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c index db35cb9bd8..369278214c 100644 --- a/src/bhyve/bhyve_command.c +++ b/src/bhyve/bhyve_command.c @@ -425,17 +425,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, goto error; } - if (graphics->data.vnc.auth.passwd) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("vnc password auth not supported")); - goto error; - } else { - /* Bhyve doesn't support VNC Auth yet, so print a warning about - * unauthenticated VNC sessions */ - VIR_WARN("%s", _("Security warning: currently VNC auth is not" - " supported.")); - } - if (glisten->address) { escapeAddr = strchr(glisten->address, ':') != NULL; if (escapeAddr) 
@@ -469,6 +458,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, goto error; } + if (graphics->data.vnc.auth.passwd) { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VNC Passwort authentication not supported " + "by bhyve")); + goto error; + } + + if (strchr(graphics->data.vnc.auth.passwd, ',')) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Password may not contain ',' character")); + goto error; + } + + virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd); + } else { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) + VIR_WARN("%s", _("Security warning: VNC auth is not supported.")); + else + VIR_WARN("%s", _("Security warning: VNC is used without authentication.")); + } + if (video->res) virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y); diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c index 0414cb1ef1..af990f8e51 100644 --- a/src/bhyve/bhyve_parse_command.c +++ b/src/bhyve/bhyve_parse_command.c @@ -640,6 +640,11 @@ bhyveParsePCIFbuf(virDomainDefPtr def, if (virStrToLong_uip(param, NULL, 10, &video->res->y)) goto error; } + + if (STRPREFIX(param, "password=")) { + param += strlen("password="); + graphics->data.vnc.auth.passwd = g_strdup(param); + } } cleanup: diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args new file mode 100644 index 0000000000..c16e970795 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml new file mode 100644 index 0000000000..456a1ee9e3 --- /dev/null 
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml @@ -0,0 +1,22 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c index 09d14e3fd0..5ec8c7f22a 100644 --- a/tests/bhyveargv2xmltest.c +++ b/tests/bhyveargv2xmltest.c @@ -77,7 +77,7 @@ testCompareXMLToArgvFiles(const char *xmlfile, goto fail; } - if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, 0))) + if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, VIR_DOMAIN_DEF_FORMAT_SECURE))) goto fail; if (vmdef && virTestCompareToFile(actualxml, xmlfile) < 0) @@ -200,6 +200,7 @@ mymain(void) DO_TEST("vnc-vga-off"); DO_TEST("vnc-vga-io"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml new file mode 100644 index 0000000000..76dd36f72a --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml 
@@ -0,0 +1,26 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory>219136</memory> + <vcpu>1</vcpu> + <os> + <type>hvm</type> + <loader readonly="yes" type="pflash">/path/to/test.fd</loader> + </os> + <devices> + <disk type='file'> + <driver name='file' type='raw'/> + <source file='/tmp/freebsd.img'/> + <target dev='hda' bus='sata'/> + <address type='drive' controller='0' bus='0' target='2' unit='0'/> + </disk> + <interface type='bridge'> + <model type='virtio'/> + <source bridge="virbr0"/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <graphics type='vnc' port='5904' passwd="in,valid"> + <listen type='address' address='127.0.0.1'/> + </graphics> + </devices> +</domain> diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args new file mode 100644 index 0000000000..41b679b51f --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args @@ -0,0 +1,12 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 2:0,ahci,hd:/tmp/freebsd.img \ +-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \ +-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \ +-s 1,lpc bhyve diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs new file mode 100644 index 0000000000..421376db9e --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs @@ -0,0 +1 @@ +dummy diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml new file mode 100644 index 0000000000..97925a74fc --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml 
@@ -0,0 +1,26 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory>219136</memory> + <vcpu>1</vcpu> + <os> + <type>hvm</type> + <loader readonly="yes" type="pflash">/path/to/test.fd</loader> + </os> + <devices> + <disk type='file'> + <driver name='file' type='raw'/> + <source file='/tmp/freebsd.img'/> + <target dev='hda' bus='sata'/> + <address type='drive' controller='0' bus='0' target='2' unit='0'/> + </disk> + <interface type='bridge'> + <model type='virtio'/> + <source bridge="virbr0"/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <graphics type='vnc' port='5904' passwd="s3cr3t"> + <listen type='address' address='127.0.0.1'/> + </graphics> + </devices> +</domain> diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c index b948f740bd..914aa0e54f 100644 --- a/tests/bhyvexml2argvtest.c +++ b/tests/bhyvexml2argvtest.c @@ -175,7 +175,7 @@ mymain(void) driver.bhyvecaps = BHYVE_CAP_RTC_UTC | BHYVE_CAP_AHCI32SLOT | \ BHYVE_CAP_NET_E1000 | BHYVE_CAP_LPC_BOOTROM | \ BHYVE_CAP_FBUF | BHYVE_CAP_XHCI | \ - BHYVE_CAP_CPUTOPOLOGY; + BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_VNC_PASSWORD; DO_TEST("base"); DO_TEST("wired"); @@ -207,6 +207,8 @@ mymain(void) DO_TEST("vnc-vgaconf-io"); DO_TEST("vnc-autoport"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); + DO_TEST_FAILURE("vnc-password-comma"); DO_TEST("cputopology"); DO_TEST_FAILURE("cputopology-nvcpu-mismatch"); DO_TEST("commandline"); @@ -250,6 +252,9 @@ mymain(void) driver.bhyvecaps &= ~BHYVE_CAP_CPUTOPOLOGY; DO_TEST_FAILURE("cputopology"); + driver.bhyvecaps &= ~BHYVE_CAP_VNC_PASSWORD; + DO_TEST_FAILURE("vnc-password"); + virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); virPortAllocatorRangeFree(driver.remotePorts); diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml new file mode 100644 index 0000000000..4bacc94e94 
--- /dev/null +++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml @@ -0,0 +1,41 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64'>hvm</type> + <loader readonly='yes' type='pflash'>/path/to/test.fd</loader> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <disk type='file' device='disk'> + <driver name='file' type='raw'/> + <source file='/tmp/freebsd.img'/> + <target dev='hda' bus='sata'/> + <address type='drive' controller='0' bus='0' target='2' unit='0'/> + </disk> + <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </controller> + <interface type='bridge'> + <mac address='52:54:00:00:00:00'/> + <source bridge='virbr0'/> + <model type='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='gop' heads='1' primary='yes'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </video> + </devices> +</domain> diff --git a/tests/bhyvexml2xmltest.c b/tests/bhyvexml2xmltest.c index f6e4d44b8a..4514fccf20 100644 --- a/tests/bhyvexml2xmltest.c +++ b/tests/bhyvexml2xmltest.c @@ -109,6 +109,7 @@ mymain(void) DO_TEST_DIFFERENT("vnc-vgaconf-io"); DO_TEST_DIFFERENT("vnc-autoport"); DO_TEST_DIFFERENT("vnc-resolution"); + DO_TEST_DIFFERENT("vnc-password"); DO_TEST_DIFFERENT("commandline"); DO_TEST_DIFFERENT("msrs"); -- 2.19.2
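Review bot: In the src/bhyve/bhyve_command.c hunk, the new VIR_ERR_CONFIG_UNSUPPORTED message reads "VNC Passwort authentication not supported by bhyve"; "Passwort" should be "Password", since the string is wrapped in _() and shown to the user. The same hunk also evaluates bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD in both the if and the else branch; computing it once into a local before the if would make the two warning cases easier to follow.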
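Review bot: In the src/bhyve/bhyve_parse_command.c hunk, graphics->data.vnc.auth.passwd is assigned from g_strdup(param) without releasing any earlier value, so if this branch runs twice for one fbuf argument (password= given more than once) the first copy is leaked. Free the old pointer before assigning, or treat a repeated password= as an error and goto error. Note also that "password=" with nothing after it stores an empty string, and the command-building side only tests passwd for non-NULL, so it would emit ",password=" again; it is worth deciding whether an empty value should mean no password.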
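Review bot: In the tests/bhyveargv2xmltest.c hunk, replacing 0 with VIR_DOMAIN_DEF_FORMAT_SECURE in the virDomainDefFormat() call changes the formatting flags for every argv2xml case, and nothing at the call site says why. A short comment stating that the flag is only there so the vnc-password case can compare the passwd attribute would help, and would keep readers from assuming that virsh domxml-from-native prints the password, which the commit message says it does not.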

On Wed, May 06, 2020 at 01:35:55PM +0000, Fabian Freyer wrote:
Support setting a password for the VNC framebuffer using the passwd attribute on the <graphics/> element, if the driver has the BHYVE_CAP_VNC_PASSWORD capability.
Note that virsh domxml-from-native does not output the password in the generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when formatting the domain definition.
Signed-off-by: Fabian Freyer <fabian.freyer@physik.tu-berlin.de> --- docs/news.xml | 11 +++++ src/bhyve/bhyve_command.c | 33 ++++++++++----- src/bhyve/bhyve_parse_command.c | 5 +++ .../bhyveargv2xml-vnc-password.args | 10 +++++ .../bhyveargv2xml-vnc-password.xml | 22 ++++++++++ tests/bhyveargv2xmltest.c | 3 +- .../bhyvexml2argv-vnc-password-comma.xml | 26 ++++++++++++ .../bhyvexml2argv-vnc-password.args | 12 ++++++ .../bhyvexml2argv-vnc-password.ldargs | 1 + .../bhyvexml2argv-vnc-password.xml | 26 ++++++++++++ tests/bhyvexml2argvtest.c | 7 +++- .../bhyvexml2xmlout-vnc-password.xml | 41 +++++++++++++++++++ tests/bhyvexml2xmltest.c | 1 + 13 files changed, 185 insertions(+), 13 deletions(-) create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args new file mode 100644 index 0000000000..c16e970795 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \
On Linux at least, providing passwords on the command line is considered a security flaw, because any user can see the command line args of any other process on the host. If CLI args of processes are similarly visible to other users on FreeBSD, then this VNC password would be a security flaw.

Of course VNC password auth scheme itself is a security flaw since it is using Single-DES :-)

Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 6 May 2020, at 15:41, Daniel P. Berrangé wrote:
On Linux at least, providing passwords on the command line is considered a security flaw, because any user can see the command line args of any other process on the host.
Agreed. The only reason bhyve supports this is to support VNC clients that don’t support password-less authentication. Since it doesn’t have any configuration file, and stdin may be used by the client, I’m unsure what the alternative would be.
If CLI args of processes are similarly visible to other users on FreeBSD, then this VNC password would be a security flaw.
They are by default, however FreeBSD does have a sysctl that disallows seeing other users’ processes. Since a few versions, users can easily configure this sysctl in the FreeBSD installer.
Of course VNC password auth scheme itself is a security flaw since it is using Single-DES :-)
The bhyve(8) man page states that too:
This type of authentication is known to be cryptographically weak and is not intended for use on untrusted networks. Many implementations will want to use stronger security, such as running the session over an encrypted channel provided by IPsec or SSH.
(On a side note, it seems that Single-DES got even more broken recently: https://eprint.iacr.org/2020/523) I guess this is something that should probably also be added to that man page. Should we add a comment about this as well as the password being visible to the docs on libvirt’s side?
participants (2)
- Daniel P. Berrangé
- Fabian Freyer