On 04/16/2014 10:47 AM, Michal Privoznik wrote:
> On 15.04.2014 09:01, Kekane, Abhishek wrote:
>> Hi All,
>> Greetings!!!
>>
>> We are using KVM hypervisor driver for running OpenStack IaaS. Couple of
>> months back we have reported one security issue [1] in OS.
>> Basically we want to limit on the number of vnc client connections that
>> can be opened by users for a given VM.
>>
>>
>> From libvirt 1.0.6 version onwards share policy feature is supported
>> to control the way consoles are accessed by the user.
>> Presently it is possible to configure share policy for vnc in 3
>> different ways:-
>> 1. allow-exclusive, allows clients to ask for exclusive access by
>> dropping other connections
>> 2. force-share, This is the default value, It allows multiple clients to
>> connect to the console in parallel sharing the same session

IIRC the default should be 'ignore' for both libvirt and qemu.

>> 3. ignore, welcomes every connection unconditionally
>>
>> In openstack nova for libvirt driver I am able to configure the
>> sharePolicy value to graphics element of domain's xml.
>>
>> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>> sharePolicy="force-shared">
>> <listen type='address' address='127.0.0.1'/>
>> </graphics>
>> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>> sharePolicy="allow-exclusive">
>> <listen type='address' address='127.0.0.1'/>
>> </graphics>
>> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
>> sharePolicy="ignore">
>> <listen type='address' address='127.0.0.1'/>
>> </graphics>
>>
>> But while testing I am not able to get expected results for
>> allow-exclusive and ignore sharePolicy.
>> For allow-exclusive sharePolicy previous connections are not getting
>> dropped and console contents are getting shared among all open consoles.

With allow-exclusive, the client needs to ask for exclusive access to
drop all other connections.
If all clients ask for shared access, multiple connections are allowed.

>> For ignore sharePolicy also contents are getting shared among all open
>> consoles.

This is expected, the client's request for exclusive access is ignored
and the console is shared.

>>
>> I am using libvirt version 1.1.1 and qemu version is 1.5.0.
>
> If libvirt is constructing the qemu command line properly (look for -vnc
> ...,share=force-shared) then I'd say it's a qemu bug.
>

See also the reply to this mail by Gerd Hoffmann on qemu-devel:
https://lists.gnu.org/archive/html/qemu-devel/2014-04/msg02293.html

Jan
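
Added example, not part of the original mail and not QEMU or libvirt code: a small Python model of how the three sharePolicy values treat the "shared" flag a VNC client sends, showing that none of them caps the number of viewers. The class and function names are hypothetical; the two refusal cases marked as assumptions are taken from QEMU's documented share= behaviour rather than from this thread.

```python
from dataclasses import dataclass, field

POLICIES = ("allow-exclusive", "force-shared", "ignore")


@dataclass
class VncDisplay:
    """Simplified model of one VNC console and its connected clients."""
    policy: str
    clients: dict = field(default_factory=dict)  # name -> "shared" | "exclusive"

    def connect(self, name: str, shared_flag: bool) -> bool:
        """Apply the share policy to a new client; True if it stays connected."""
        if self.policy not in POLICIES:
            raise ValueError(f"unknown sharePolicy: {self.policy}")
        mode = "shared" if shared_flag else "exclusive"
        if self.policy == "ignore":
            # The client's flag is not looked at; every connection is welcome.
            self.clients[name] = "shared"
            return True
        if self.policy == "force-shared":
            # Assumption (QEMU docs): exclusive access is disabled, modelled
            # here as refusing the client that asks for it.
            if mode == "exclusive":
                return False
        else:  # allow-exclusive
            if mode == "exclusive":
                # An exclusive request drops all other connections.
                self.clients.clear()
            elif "exclusive" in self.clients.values():
                # Assumption: shared requests are refused while an
                # exclusive client holds the console.
                return False
        self.clients[name] = mode
        return True


def survivors(policy: str, requests: list) -> list:
    """Replay (name, shared_flag) requests in order; return who is still connected."""
    display = VncDisplay(policy)
    for name, shared_flag in requests:
        display.connect(name, shared_flag)
    return sorted(display.clients)


if __name__ == "__main__":
    # Constructed sample: three viewers that all ask for a shared session.
    all_shared = [("a", True), ("b", True), ("c", True)]
    for p in POLICIES:
        print(p, survivors(p, all_shared))
```
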