Re: [PATCH] qemu: Allow serving VNC over a unix domain socket

On Mon, Jan 10, 2011 at 12:15:59PM -0500, Cole Robinson wrote:
> QEMU supports serving VNC over a unix domain socket rather than traditional
> TCP host/port. This is specified with:
> 
> <graphics type='vnc' socket='/foo/bar/baz'/>
> 
> Currently not hooked up with the security driver, I'll wait for Dan's
> big reorg. I also have a virtinst/virt-manager patch queued locally to
> handle this change.

Actually there's nothing you can do with UNIX sockets that QEMU
itself is responsible for creating. You just have to make sure
you place them in a directory that is labelled virt_image_t
and then rely on the policy doing correct labelling. cf the UNIX
socket used for the monitor.

> To be useful, we probably want a qemu.conf option to use sockets as the
> default VNC method, so VMs without hardcoded listen addresses will
> magically start up serving over a socket in /var/lib/libvirt/qemu. This
> provides better security access control than VNC listening on 127.0.0.1, but
> will cause issues with tools that rely on the lax security (virt-manager
> in fedora runs as regular user by default, and wouldn't be able to access
> a socket owned by 'qemu' or 'root').

Yes, we'd want a qemu.conf option for this, though not enabled by
default due to the problem you mention. The only current approach
is to make your desktop user be a member of the 'qemu' group which
isn't entirely satisfactory for qemu://system. Works nicely for
qemu://session though.


Daniel

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
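
The access problem discussed in this thread (a desktop user who cannot reach a VNC socket owned by 'qemu' unless added to the 'qemu' group) can be checked with the following added example, which is not part of the original messages or of libvirt. The uid/gid numbers, directory and socket modes, and the socket name `guest.vnc` are constructed assumptions; only Unix mode bits are evaluated, not SELinux labels or ACLs.

```python
import os
import stat

def class_bits(mode, owner, group, uid, gids):
    """rwx bits (0-7) that classic Unix DAC applies to this uid/gids."""
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def connect_denied_by(chain, uid, gids):
    """Return the first path that blocks connect(), or None if allowed.

    chain: [(path, st_mode, st_uid, st_gid), ...] from / down to the socket.
    Directories need search (x); the socket needs write (w) on Linux.
    Mode bits only: POSIX ACLs and SELinux labels are not evaluated.
    """
    if uid == 0:
        return None  # root bypasses mode-bit checks (CAP_DAC_OVERRIDE)
    for path, mode, owner, group in chain:
        need = 0o2 if stat.S_ISSOCK(mode) else 0o1
        if not class_bits(mode, owner, group, uid, gids) & need:
            return path
    return None

def stat_chain(sock_path):
    """Build the chain for a real path on this host with os.stat()."""
    paths, p = [], os.path.abspath(sock_path)
    while p not in paths:
        paths.append(p)
        p = os.path.dirname(p)
    return [(q, s.st_mode, s.st_uid, s.st_gid)
            for q in reversed(paths) for s in [os.stat(q)]]

# Constructed sample: ids, modes and the socket name are assumptions.
QEMU, USER = 107, 1000
D, S = stat.S_IFDIR, stat.S_IFSOCK
SAMPLE = [
    ("/", D | 0o555, 0, 0),
    ("/var", D | 0o755, 0, 0),
    ("/var/lib", D | 0o755, 0, 0),
    ("/var/lib/libvirt", D | 0o755, 0, 0),
    ("/var/lib/libvirt/qemu", D | 0o750, QEMU, QEMU),
    ("/var/lib/libvirt/qemu/guest.vnc", S | 0o660, QEMU, QEMU),
]

if __name__ == "__main__":
    print(connect_denied_by(SAMPLE, USER, {USER}))        # user outside the 'qemu' group
    print(connect_denied_by(SAMPLE, USER, {USER, QEMU}))  # user inside the 'qemu' group
```

On a real host, pass `stat_chain(path)` for the configured socket path together with the desktop user's uid and group ids to see which path component blocks the connection.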