On 05/07/2012 09:53 AM, Eric Blake wrote:
> On 05/07/2012 06:33 AM, Alon Levy wrote:
>> qemu's behavior in this case is to change the spice server behavior to
>> require secure connection to any channel not otherwise specified as
>> being in plaintext mode. libvirt doesn't currently allow requesting this
>> (via plaintext-channel=<channel name>).
>>
>> RHBZ: 819499
>>
>> Signed-off-by: Alon Levy <alevy@xxxxxxxxxx>
>> ---
>>  src/conf/domain_conf.c | 3 ++-
>>  src/conf/domain_conf.h | 1 +
>>  2 files changed, 3 insertions(+), 1 deletion(-)
>
> Same complaints as for 1/2 (docs, RNG schema, tests). Also, is it ever
> valid to mark the default channel for plaintext (meaning all channels
> not marked secure are plaintext), or must it only be permitted for
> secure channels?

Here's one of the existing tests:

tests/qemuxml2argvdata/qemuxml2argv-graphics-spice.xml

    <graphics type='spice' port='5903' tlsPort='5904' autoport='no' listen='127.0.0.1'>
      <listen type='address' address='127.0.0.1'/>
      <channel name='main' mode='secure'/>
      <channel name='inputs' mode='insecure'/>

I'm wondering if rather than adding a new <channel name='default'
mode='.../'>, it might make more sense to hoist the default channel
security mode up one element. Something like:

    <graphics type='spice' default_mode='secure' ...>
      <channel name='main' mode='secure'/> <!-- redundant -->
      <channel name='inputs' mode='insecure'/> <!-- override default -->
      <channel name='usbredir'/> <!-- defaults to secure due to <graphics> -->

While it is obvious that usbredir must be a valid channel name, it's not
as obvious about 'default' being a channel name (since it is really more
of the catchall for all other channels not explicitly listed).

-- 
Eric Blake eblake@xxxxxxxxxx +1-919-301-3266
Libvirt virtualization library http://libvirt.org
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
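
The precedence proposed in the message above (an explicit per-channel mode overrides a default set on <graphics>), as an added example that is not code from the thread or from libvirt. It resolves the effective mode of every channel and lists those not forced to TLS; `default_mode` is the attribute name proposed in the email, while the channel list and the `unspecified` fallback are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# Assumed channel names for this example; adjust to what your libvirt accepts.
SPICE_CHANNELS = ("main", "display", "inputs", "cursor",
                  "playback", "record", "smartcard", "usbredir")

def effective_modes(graphics_xml, channels=SPICE_CHANNELS):
    """Return {channel: mode} for one <graphics type='spice'> element.

    Precedence: explicit <channel mode=...>, then the proposed default_mode
    attribute on <graphics>, then 'unspecified' (no policy in the XML).
    """
    g = ET.fromstring(graphics_xml)
    if g.tag != "graphics" or g.get("type") != "spice":
        raise ValueError("expected a <graphics type='spice'> element")
    default = g.get("default_mode", "unspecified")
    explicit = {c.get("name"): c.get("mode") for c in g.findall("channel")}
    unknown = sorted(set(explicit) - set(channels))
    if unknown:
        # Catches e.g. name='default' being used as if it were a real channel.
        raise ValueError("unknown channel name(s): " + ", ".join(unknown))
    # A <channel> listed without a mode (usbredir below) inherits the default.
    return {name: explicit.get(name) or default for name in channels}

def not_secure(modes):
    """Channels whose effective mode does not force a TLS connection."""
    return sorted(n for n, m in modes.items() if m != "secure")

# Constructed sample, based on the XML quoted in the message.
SAMPLE = """
<graphics type='spice' port='5903' tlsPort='5904' autoport='no'
          listen='127.0.0.1' default_mode='secure'>
  <listen type='address' address='127.0.0.1'/>
  <channel name='main' mode='secure'/>
  <channel name='inputs' mode='insecure'/>
  <channel name='usbredir'/>
</graphics>
"""

if __name__ == "__main__":
    modes = effective_modes(SAMPLE)
    for name in SPICE_CHANNELS:
        print(f"{name:10s} {modes[name]}")
    print("not forced to TLS:", not_secure(modes))
```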