Support setting a password for the VNC framebuffer using the passwd attribute on the <graphics/> element, if the driver has the BHYVE_CAP_VNC_PASSWORD capability. Note that virsh domxml-from-native does not output the password in the generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when formatting the domain definition.
Signed-off-by: Fabian Freyer <fabian.freyer@xxxxxxxxxxxxxxxxxxx>
---
 docs/news.xml | 11 +++++
 src/bhyve/bhyve_command.c | 33 ++++++++++-----
 src/bhyve/bhyve_parse_command.c | 5 +++
 .../bhyveargv2xml-vnc-password.args | 10 +++++
 .../bhyveargv2xml-vnc-password.xml | 22 ++++++++++
 tests/bhyveargv2xmltest.c | 3 +-
 .../bhyvexml2argv-vnc-password-comma.xml | 26 ++++++++++++
 .../bhyvexml2argv-vnc-password.args | 12 ++++++
 .../bhyvexml2argv-vnc-password.ldargs | 1 +
 .../bhyvexml2argv-vnc-password.xml | 26 ++++++++++++
 tests/bhyvexml2argvtest.c | 7 +++-
 .../bhyvexml2xmlout-vnc-password.xml | 41 +++++++++++++++++++
 tests/bhyvexml2xmltest.c | 1 +
 13 files changed, 185 insertions(+), 13 deletions(-)
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
 create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
 create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
 create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/docs/news.xml b/docs/news.xml
index d728dfa93c..bd951c2e04 100644
--- a/docs/news.xml
+++ b/docs/news.xml
@@ -44,6 +44,17 @@ <libvirt> <release version="v6.4.0" date="unreleased"> <section title="New features"> + <change> + <summary> + bhyve: support VNC password authentication + </summary> + <description> + libvirt can now probe whether the bhyve binary supports + VNC password authentication. In case it does, a VNC password + can now be passed using the <code>passwd</code> attribute on + the <code>graphics</code> element. + </description> + </change> <change> <summary> bhyve: support setting the framebuffer resolution diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c index db35cb9bd8..369278214c 100644 --- a/src/bhyve/bhyve_command.c +++ b/src/bhyve/bhyve_command.c @@ -425,17 +425,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, goto error; } - if (graphics->data.vnc.auth.passwd) { - virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", - _("vnc password auth not supported")); - goto error; - } else { - /* Bhyve doesn't support VNC Auth yet, so print a warning about - * unauthenticated VNC sessions */ - VIR_WARN("%s", _("Security warning: currently VNC auth is not" - " supported.")); - } - if (glisten->address) { escapeAddr = strchr(glisten->address, ':') != NULL; if (escapeAddr) 
@@ -469,6 +458,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def, goto error; } + if (graphics->data.vnc.auth.passwd) { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("VNC Passwort authentication not supported " + "by bhyve")); + goto error; + } + + if (strchr(graphics->data.vnc.auth.passwd, ',')) { + virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s", + _("Password may not contain ',' character")); + goto error; + } + + virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd); + } else { + if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) + VIR_WARN("%s", _("Security warning: VNC auth is not supported.")); + else + VIR_WARN("%s", _("Security warning: VNC is used without authentication.")); + } + if (video->res) virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y); diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c index 0414cb1ef1..af990f8e51 100644 --- a/src/bhyve/bhyve_parse_command.c +++ b/src/bhyve/bhyve_parse_command.c @@ -640,6 +640,11 @@ bhyveParsePCIFbuf(virDomainDefPtr def, if (virStrToLong_uip(param, NULL, 10, &video->res->y)) goto error; } + + if (STRPREFIX(param, "password=")) { + param += strlen("password="); + graphics->data.vnc.auth.passwd = g_strdup(param); + } } cleanup: diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args new file mode 100644 index 0000000000..c16e970795 --- /dev/null +++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args @@ -0,0 +1,10 @@ +/usr/sbin/bhyve \ +-c 1 \ +-m 214 \ +-u \ +-H \ +-P \ +-s 0:0,hostbridge \ +-l bootrom,/path/to/test.fd \ +-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \ +-s 1,lpc bhyve diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml new file mode 100644 index 0000000000..456a1ee9e3 --- /dev/null 
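Review bot: The password is appended verbatim to the bhyve argv at `virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd);`, so for the lifetime of the guest it is readable by any local user through ps(1)/procstat(1), and presumably also ends up wherever libvirt logs the spawned command line; neither the new VIR_WARN branches nor the commit message mention this exposure, which is a different one from the domxml-from-native point the message does cover. Since bhyve's fbuf option offers no other channel for the secret here, the limitation should at least be recorded at the call site, e.g. `/* bhyve only takes the VNC password on its command line, so it is visible to local users via ps(1) and in command logging */`, and in the bhyve driver's documentation of the `passwd` attribute. The new capability check's error string also has a typo: `_("VNC Passwort authentication not supported by bhyve")` should read "Password". bhyveBuildGraphicsArgStr begins before this hunk.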
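Review bot: A repeated `password=` parameter in the fbuf option string would overwrite `graphics->data.vnc.auth.passwd` without releasing the previous copy, because the new branch assigns `g_strdup(param)` unconditionally; releasing first, `g_free(graphics->data.vnc.auth.passwd); graphics->data.vnc.auth.passwd = g_strdup(param);`, closes the leak. As the commit message notes, the parsed secret is only formatted back into XML under VIR_DOMAIN_DEF_FORMAT_SECURE, so the parse side needs nothing further on that front. bhyveParsePCIFbuf begins before this hunk.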
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml @@ -0,0 +1,22 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type>hvm</type> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>destroy</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='default' heads='1'/> + </video> + </devices> +</domain> diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c index 09d14e3fd0..5ec8c7f22a 100644 --- a/tests/bhyveargv2xmltest.c +++ b/tests/bhyveargv2xmltest.c @@ -77,7 +77,7 @@ testCompareXMLToArgvFiles(const char *xmlfile, goto fail; } - if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, 0))) + if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, VIR_DOMAIN_DEF_FORMAT_SECURE))) goto fail; if (vmdef && virTestCompareToFile(actualxml, xmlfile) < 0) @@ -200,6 +200,7 @@ mymain(void) DO_TEST("vnc-vga-off"); DO_TEST("vnc-vga-io"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml new file mode 100644 index 0000000000..76dd36f72a --- /dev/null +++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml 
@@ -0,0 +1,26 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ <loader readonly="yes" type="pflash">/path/to/test.fd</loader>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0' target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' passwd="in,valid">
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
new file mode 100644
index 0000000000..41b679b51f
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
@@ -0,0 +1,12 @@
+/usr/sbin/bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-l bootrom,/path/to/test.fd \
+-s 2:0,ahci,hd:/tmp/freebsd.img \
+-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
+-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \
+-s 1,lpc bhyve
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
new file mode 100644
index 0000000000..421376db9e
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
@@ -0,0 +1 @@
+dummy
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
new file mode 100644
index 0000000000..97925a74fc
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
@@ -0,0 +1,26 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory>219136</memory> + <vcpu>1</vcpu> + <os> + <type>hvm</type> + <loader readonly="yes" type="pflash">/path/to/test.fd</loader> + </os> + <devices> + <disk type='file'> + <driver name='file' type='raw'/> + <source file='/tmp/freebsd.img'/> + <target dev='hda' bus='sata'/> + <address type='drive' controller='0' bus='0' target='2' unit='0'/> + </disk> + <interface type='bridge'> + <model type='virtio'/> + <source bridge="virbr0"/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <graphics type='vnc' port='5904' passwd="s3cr3t"> + <listen type='address' address='127.0.0.1'/> + </graphics> + </devices> +</domain> diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c index b948f740bd..914aa0e54f 100644 --- a/tests/bhyvexml2argvtest.c +++ b/tests/bhyvexml2argvtest.c @@ -175,7 +175,7 @@ mymain(void) driver.bhyvecaps = BHYVE_CAP_RTC_UTC | BHYVE_CAP_AHCI32SLOT | \ BHYVE_CAP_NET_E1000 | BHYVE_CAP_LPC_BOOTROM | \ BHYVE_CAP_FBUF | BHYVE_CAP_XHCI | \ - BHYVE_CAP_CPUTOPOLOGY; + BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_VNC_PASSWORD; DO_TEST("base"); DO_TEST("wired"); @@ -207,6 +207,8 @@ mymain(void) DO_TEST("vnc-vgaconf-io"); DO_TEST("vnc-autoport"); DO_TEST("vnc-resolution"); + DO_TEST("vnc-password"); + DO_TEST_FAILURE("vnc-password-comma"); DO_TEST("cputopology"); DO_TEST_FAILURE("cputopology-nvcpu-mismatch"); DO_TEST("commandline"); @@ -250,6 +252,9 @@ mymain(void) driver.bhyvecaps &= ~BHYVE_CAP_CPUTOPOLOGY; DO_TEST_FAILURE("cputopology"); + driver.bhyvecaps &= ~BHYVE_CAP_VNC_PASSWORD; + DO_TEST_FAILURE("vnc-password"); + virObjectUnref(driver.caps); virObjectUnref(driver.xmlopt); virPortAllocatorRangeFree(driver.remotePorts); diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml new file mode 100644 index 0000000000..4bacc94e94 
--- /dev/null +++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml @@ -0,0 +1,41 @@ +<domain type='bhyve'> + <name>bhyve</name> + <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid> + <memory unit='KiB'>219136</memory> + <currentMemory unit='KiB'>219136</currentMemory> + <vcpu placement='static'>1</vcpu> + <os> + <type arch='x86_64'>hvm</type> + <loader readonly='yes' type='pflash'>/path/to/test.fd</loader> + <boot dev='hd'/> + </os> + <clock offset='utc'/> + <on_poweroff>destroy</on_poweroff> + <on_reboot>restart</on_reboot> + <on_crash>destroy</on_crash> + <devices> + <disk type='file' device='disk'> + <driver name='file' type='raw'/> + <source file='/tmp/freebsd.img'/> + <target dev='hda' bus='sata'/> + <address type='drive' controller='0' bus='0' target='2' unit='0'/> + </disk> + <controller type='pci' index='0' model='pci-root'/> + <controller type='sata' index='0'> + <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/> + </controller> + <interface type='bridge'> + <mac address='52:54:00:00:00:00'/> + <source bridge='virbr0'/> + <model type='virtio'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/> + </interface> + <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'> + <listen type='address' address='127.0.0.1'/> + </graphics> + <video> + <model type='gop' heads='1' primary='yes'/> + <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/> + </video> + </devices> +</domain> diff --git a/tests/bhyvexml2xmltest.c b/tests/bhyvexml2xmltest.c index f6e4d44b8a..4514fccf20 100644 --- a/tests/bhyvexml2xmltest.c +++ b/tests/bhyvexml2xmltest.c @@ -109,6 +109,7 @@ mymain(void) DO_TEST_DIFFERENT("vnc-vgaconf-io"); DO_TEST_DIFFERENT("vnc-autoport"); DO_TEST_DIFFERENT("vnc-resolution"); + DO_TEST_DIFFERENT("vnc-password"); DO_TEST_DIFFERENT("commandline"); DO_TEST_DIFFERENT("msrs"); -- 2.19.2