From: Fabian Freyer <fabian.freyer@xxxxxxxxxxxxxxxxxxx>
Support setting a password for the VNC framebuffer using the passwd
attribute on the <graphics/> element, if the driver has the
BHYVE_CAP_VNC_PASSWORD capability.
Note that virsh domxml-from-native does not output the password in the
generated XML, as VIR_DOMAIN_DEF_FORMAT_SECURE is not set when
formatting the domain definition.
Signed-off-by: Fabian Freyer <fabian.freyer@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Roman Bogorodskiy <bogorodskiy@xxxxxxxxx>
---
NEWS.rst | 7 +++
src/bhyve/bhyve_command.c | 33 +++++++++-----
src/bhyve/bhyve_parse_command.c | 5 +++
.../bhyveargv2xml-vnc-password.args | 10 +++++
.../bhyveargv2xml-vnc-password.xml | 22 ++++++++++
tests/bhyveargv2xmltest.c | 3 +-
.../bhyvexml2argv-vnc-password-comma.xml | 26 +++++++++++
.../bhyvexml2argv-vnc-password.args | 12 +++++
.../bhyvexml2argv-vnc-password.ldargs | 1 +
.../bhyvexml2argv-vnc-password.xml | 26 +++++++++++
tests/bhyvexml2argvtest.c | 8 +++-
.../bhyvexml2xmlout-vnc-password.xml | 44 +++++++++++++++++++
tests/bhyvexml2xmltest.c | 1 +
13 files changed, 185 insertions(+), 13 deletions(-)
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
create mode 100644 tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
create mode 100644 tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
create mode 100644 tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
diff --git a/NEWS.rst b/NEWS.rst
index bb48f5bd43..c949cb941b 100644
--- a/NEWS.rst
+++ b/NEWS.rst
@@ -25,6 +25,13 @@ v6.8.0 (unreleased)
Libvirt can now set the framebuffer's "w" and "h" parameters
using the ``resolution`` element.
+ * bhyve: Support VNC password authentication
+
+ Libvirt can now probe whether the bhyve binary supports
+ VNC password authentication. In case it does, a VNC password
+ can now be passed using the ``passwd`` attribute on
+ the ``<graphics>`` element.
+
* **Improvements**
* qemu: Allow migration over UNIX sockets
diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
index 176a339d5a..1b48438168 100644
--- a/src/bhyve/bhyve_command.c
+++ b/src/bhyve/bhyve_command.c
@@ -424,17 +424,6 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
return -1;
}
- if (graphics->data.vnc.auth.passwd) {
- virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
- _("vnc password auth not supported"));
- return -1;
- } else {
- /* Bhyve doesn't support VNC Auth yet, so print a warning about
- * unauthenticated VNC sessions */
- VIR_WARN("%s", _("Security warning: currently VNC auth is not"
- " supported."));
- }
-
if (glisten->address) {
escapeAddr = strchr(glisten->address, ':') != NULL;
if (escapeAddr)
@@ -468,6 +457,28 @@ bhyveBuildGraphicsArgStr(const virDomainDef *def,
return -1;
}
+ if (graphics->data.vnc.auth.passwd) {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("VNC Passwort authentication not supported "
+ "by bhyve"));
+ return -1;
+ }
+
+ if (strchr(graphics->data.vnc.auth.passwd, ',')) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("Password may not contain ',' character"));
+ return -1;
+ }
+
+ virBufferAsprintf(&opt, ",password=%s", graphics->data.vnc.auth.passwd);
+ } else {
+ if (!(bhyveDriverGetBhyveCaps(driver) & BHYVE_CAP_VNC_PASSWORD))
+ VIR_WARN("%s", _("Security warning: VNC auth is not supported."));
+ else
+ VIR_WARN("%s", _("Security warning: VNC is used without authentication."));
+ }
+
if (video->res)
virBufferAsprintf(&opt, ",w=%d,h=%d", video->res->x, video->res->y);
diff --git a/src/bhyve/bhyve_parse_command.c b/src/bhyve/bhyve_parse_command.c
index c6abdfacf3..05cb8eb7d6 100644
--- a/src/bhyve/bhyve_parse_command.c
+++ b/src/bhyve/bhyve_parse_command.c
@@ -641,6 +641,11 @@ bhyveParsePCIFbuf(virDomainDefPtr def,
if (virStrToLong_uip(param, NULL, 10, &video->res->y))
goto error;
}
+
+ if (STRPREFIX(param, "password=")) {
+ param += strlen("password=");
+ graphics->data.vnc.auth.passwd = g_strdup(param);
+ }
}
cleanup:
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
new file mode 100644
index 0000000000..c16e970795
--- /dev/null
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.args
@@ -0,0 +1,10 @@
+/usr/sbin/bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-l bootrom,/path/to/test.fd \
+-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t \
+-s 1,lpc bhyve
diff --git a/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
new file mode 100644
index 0000000000..456a1ee9e3
--- /dev/null
+++ b/tests/bhyveargv2xmldata/bhyveargv2xml-vnc-password.xml
@@ -0,0 +1,22 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type>hvm</type>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>destroy</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'>
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ <video>
+ <model type='default' heads='1'/>
+ </video>
+ </devices>
+</domain>
diff --git a/tests/bhyveargv2xmltest.c b/tests/bhyveargv2xmltest.c
index 4bf39d50dc..2c1ffc75f3 100644
--- a/tests/bhyveargv2xmltest.c
+++ b/tests/bhyveargv2xmltest.c
@@ -76,7 +76,7 @@ testCompareXMLToArgvFiles(const char *xmlfile,
return -1;
}
- if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, 0)))
+ if (vmdef && !(actualxml = virDomainDefFormat(vmdef, driver.xmlopt, VIR_DOMAIN_DEF_FORMAT_SECURE)))
return -1;
if (vmdef && virTestCompareToFile(actualxml, xmlfile) < 0)
@@ -187,6 +187,7 @@ mymain(void)
DO_TEST("vnc-vga-off");
DO_TEST("vnc-vga-io");
DO_TEST("vnc-resolution");
+ DO_TEST("vnc-password");
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
new file mode 100644
index 0000000000..76dd36f72a
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password-comma.xml
@@ -0,0 +1,26 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ <loader readonly="yes" type="pflash">/path/to/test.fd</loader>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0' target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' passwd="in,valid">
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
new file mode 100644
index 0000000000..b3b1c244be
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.args
@@ -0,0 +1,12 @@
+/usr/sbin/bhyve \
+-c 1 \
+-m 214 \
+-u \
+-H \
+-P \
+-s 0:0,hostbridge \
+-l bootrom,/path/to/test.fd \
+-s 1:0,lpc \
+-s 2:0,ahci,hd:/tmp/freebsd.img \
+-s 3:0,virtio-net,faketapdev,mac=52:54:00:00:00:00 \
+-s 4:0,fbuf,tcp=127.0.0.1:5904,password=s3cr3t bhyve
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
new file mode 100644
index 0000000000..421376db9e
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.ldargs
@@ -0,0 +1 @@
+dummy
diff --git a/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
new file mode 100644
index 0000000000..97925a74fc
--- /dev/null
+++ b/tests/bhyvexml2argvdata/bhyvexml2argv-vnc-password.xml
@@ -0,0 +1,26 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory>219136</memory>
+ <vcpu>1</vcpu>
+ <os>
+ <type>hvm</type>
+ <loader readonly="yes" type="pflash">/path/to/test.fd</loader>
+ </os>
+ <devices>
+ <disk type='file'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0' target='2' unit='0'/>
+ </disk>
+ <interface type='bridge'>
+ <model type='virtio'/>
+ <source bridge="virbr0"/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' passwd="s3cr3t">
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2argvtest.c b/tests/bhyvexml2argvtest.c
index d4c4275702..def2acc15c 100644
--- a/tests/bhyvexml2argvtest.c
+++ b/tests/bhyvexml2argvtest.c
@@ -166,7 +166,8 @@ mymain(void)
driver.bhyvecaps = BHYVE_CAP_RTC_UTC | BHYVE_CAP_AHCI32SLOT | \
BHYVE_CAP_NET_E1000 | BHYVE_CAP_LPC_BOOTROM | \
BHYVE_CAP_FBUF | BHYVE_CAP_XHCI | \
- BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_SOUND_HDA;
+ BHYVE_CAP_CPUTOPOLOGY | BHYVE_CAP_SOUND_HDA | \
+ BHYVE_CAP_VNC_PASSWORD;
DO_TEST("base");
DO_TEST("wired");
@@ -198,6 +199,8 @@ mymain(void)
DO_TEST("vnc-vgaconf-io");
DO_TEST("vnc-autoport");
DO_TEST("vnc-resolution");
+ DO_TEST("vnc-password");
+ DO_TEST_FAILURE("vnc-password-comma");
DO_TEST("cputopology");
DO_TEST_FAILURE("cputopology-nvcpu-mismatch");
DO_TEST("commandline");
@@ -250,6 +253,9 @@ mymain(void)
driver.bhyvecaps &= ~BHYVE_CAP_SOUND_HDA;
DO_TEST_FAILURE("sound");
+ driver.bhyvecaps &= ~BHYVE_CAP_VNC_PASSWORD;
+ DO_TEST_FAILURE("vnc-password");
+
virObjectUnref(driver.caps);
virObjectUnref(driver.xmlopt);
virPortAllocatorRangeFree(driver.remotePorts);
diff --git a/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
new file mode 100644
index 0000000000..6786e10ab9
--- /dev/null
+++ b/tests/bhyvexml2xmloutdata/bhyvexml2xmlout-vnc-password.xml
@@ -0,0 +1,44 @@
+<domain type='bhyve'>
+ <name>bhyve</name>
+ <uuid>df3be7e7-a104-11e3-aeb0-50e5492bd3dc</uuid>
+ <memory unit='KiB'>219136</memory>
+ <currentMemory unit='KiB'>219136</currentMemory>
+ <vcpu placement='static'>1</vcpu>
+ <os>
+ <type arch='x86_64'>hvm</type>
+ <loader readonly='yes' type='pflash'>/path/to/test.fd</loader>
+ <boot dev='hd'/>
+ </os>
+ <clock offset='utc'/>
+ <on_poweroff>destroy</on_poweroff>
+ <on_reboot>restart</on_reboot>
+ <on_crash>destroy</on_crash>
+ <devices>
+ <disk type='file' device='disk'>
+ <driver name='file' type='raw'/>
+ <source file='/tmp/freebsd.img'/>
+ <target dev='hda' bus='sata'/>
+ <address type='drive' controller='0' bus='0' target='2' unit='0'/>
+ </disk>
+ <controller type='pci' index='0' model='pci-root'/>
+ <controller type='isa' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+ </controller>
+ <controller type='sata' index='0'>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
+ </controller>
+ <interface type='bridge'>
+ <mac address='52:54:00:00:00:00'/>
+ <source bridge='virbr0'/>
+ <model type='virtio'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
+ </interface>
+ <graphics type='vnc' port='5904' autoport='no' listen='127.0.0.1' passwd='s3cr3t'>
+ <listen type='address' address='127.0.0.1'/>
+ </graphics>
+ <video>
+ <model type='gop' heads='1' primary='yes'/>
+ <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
+ </video>
+ </devices>
+</domain>
diff --git a/tests/bhyvexml2xmltest.c b/tests/bhyvexml2xmltest.c
index b266e8b934..8808d5a8fa 100644
--- a/tests/bhyvexml2xmltest.c
+++ b/tests/bhyvexml2xmltest.c
@@ -107,6 +107,7 @@ mymain(void)
DO_TEST_DIFFERENT("vnc-vgaconf-io");
DO_TEST_DIFFERENT("vnc-autoport");
DO_TEST_DIFFERENT("vnc-resolution");
+ DO_TEST_DIFFERENT("vnc-password");
DO_TEST_DIFFERENT("commandline");
DO_TEST_DIFFERENT("msrs");
DO_TEST_DIFFERENT("sound");
--
2.27.0
