2:01 a.m.
Hi All,
Greetings!!!
We are using KVM hypervisor driver for running OpenStack IaaS. Couple of months back we
have reported one security issue [1] in OS.
Basically we want to limit on the number of vnc client connections that can be opened by
users for a given VM.
From libvirt 1.0.6 version onwards share policy feature is supported
to control the way consoles are accessed by the user.
Presently it is possible to
configure share policy for vnc in 3 different ways:-
1. allow-exclusive, allows clients to ask for exclusive access by dropping other
connections
2. force-share, This is the default value, It allows multiple clients to connect to the
console in parallel sharing the same session
3. ignore, welcomes every connection unconditionally
In openstack nova for libvirt driver I am able to configure the sharePolicy value to
graphics element of domain's xml.
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1" sharePolicy="force-shared">
<listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1" sharePolicy="allow-exclusive">
<listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1" sharePolicy="ignore">
<listen type='address' address='127.0.0.1'/>
</graphics>
But while testing I am not able to get expected results for allow-exclusive and ignore
sharePolicy.
For allow-exclusive sharePolicy previous connections are not getting dropped and console
contents are getting shared among all open consoles.
For ignore sharePolicy also contents are getting shared among all open consoles.
I am using libvirt version 1.1.1 and qemu version is 1.5.0.
We want to restrict only single authorized user to connect to the console dropping
previously connected users automatically by using allow-exclusive sharePolicy.
Please let me know what else is required to get this worked successfully.
[1] : https://bugs.launchpad.net/nova/+bug/1227575
Thanks,
Abhishek
______________________________________________________________________
Disclaimer:This email and any attachments are sent in strictest confidence for the sole
use of the addressee and may contain legally privileged, confidential, and proprietary
data. If you are not the intended recipient, please advise the sender by replying
promptly to this email and then delete and destroy this email and any attachments without
any further use, copying or forwarding
3:47 a.m.
New subject: [libvirt] VNC sharePolicy not working as expected
On 15.04.2014 09:01, Kekane, Abhishek wrote:
Hi All,
Greetings!!!
We are using KVM hypervisor driver for running OpenStack IaaS. Couple of
months back we have reported one security issue [1] in OS.
Basically we want to limit on the number of vnc client connections that
can be opened by users for a given VM.
>From libvirt 1.0.6 version onwards share policy feature is supported
to control the way consoles are accessed by the user.
Presently it is possible to configure share policy for vnc in 3
different ways:-
1. allow-exclusive, allows clients to ask for exclusive access by
dropping other connections
2. force-share, This is the default value, It allows multiple clients to
connect to the console in parallel sharing the same session
3. ignore, welcomes every connection unconditionally
In openstack nova for libvirt driver I am able to configure the
sharePolicy value to graphics element of domain's xml.
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
sharePolicy="force-shared">
<listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
sharePolicy="allow-exclusive">
<listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
sharePolicy="ignore">
<listen type='address' address='127.0.0.1'/>
</graphics>
But while testing I am not able to get expected results for
allow-exclusive and ignore sharePolicy.
For allow-exclusive sharePolicy previous connections are not getting
dropped and console contents are getting shared among all open consoles.
For ignore sharePolicy also contents are getting shared among all open
consoles.
I am using libvirt version 1.1.1 and qemu version is 1.5.0.
If libvirt is constructing the qemu command line properly (look for -vnc
...,share=force-shared) then I'd say it's a qemu bug.
Michal
4:08 a.m.
New subject: [libvirt] VNC sharePolicy not working as expected
On 04/16/2014 10:47 AM, Michal Privoznik wrote:
On 15.04.2014 09:01, Kekane, Abhishek wrote:
> Hi All,
> Greetings!!!
>
> We are using KVM hypervisor driver for running OpenStack IaaS. Couple of
> months back we have reported one security issue [1] in OS.
> Basically we want to limit on the number of vnc client connections that
> can be opened by users for a given VM.
>
> >From libvirt 1.0.6 version onwards share policy feature is supported
> to control the way consoles are accessed by the user.
> Presently it is possible to configure share policy for vnc in 3
> different ways:-
> 1. allow-exclusive, allows clients to ask for exclusive access by
> dropping other connections
> 2. force-share, This is the default value, It allows multiple clients to
> connect to the console in parallel sharing the same session
IIRC the default should be 'ignore' for both libvirt and qemu.
> 3. ignore, welcomes every connection unconditionally
>
> In openstack nova for libvirt driver I am able to configure the
> sharePolicy value to graphics element of domain's xml.
>
> <graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
> sharePolicy="force-shared">
> <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
> sharePolicy="allow-exclusive">
> <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us"
listen="127.0.0.1"
> sharePolicy="ignore">
> <listen type='address' address='127.0.0.1'/>
> </graphics>
>
> But while testing I am not able to get expected results for
> allow-exclusive and ignore sharePolicy.
> For allow-exclusive sharePolicy previous connections are not getting
> dropped and console contents are getting shared among all open consoles.
With allow-exclusive, the client needs to ask for exclusive access to drop all
other connections. If all clients ask for shared access, multiple connections
are allowed.
> For ignore sharePolicy also contents are getting shared among all
open
> consoles.
This is expected, the client's request for exclusive access is ignored and the
console is shared.
>
> I am using libvirt version 1.1.1 and qemu version is 1.5.0.
If libvirt is constructing the qemu command line properly (look for -vnc
...,share=force-shared) then I'd say it's a qemu bug.
See also the reply to this mail by Gerd Hoffman on qemu-devel:
https://lists.gnu.org/archive/html/qemu-devel/2014-04/msg02293.html
Jan
4078
days inactive
4079
days old
2 comments
3 participants
participants (3)
-
Ján Tomko -
Kekane, Abhishek -
Michal Privoznik