Alexandre DERUMIER píše v Út 23. 07. 2013 v 06:55 +0200: > >>So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. > > Yes, that's why I think is strange too. When a ticked is expired, it shouldn't be reused and stored. > > I don't known too much the spice procotol, but I see 3 workaround: > > 1) extend client_info_migrate to send a new ticket/password. That IMO makes most sense. David > > 2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this) > > 3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ? > > > > (Note, I'm working on this for Proxmox integration, I don't known if I can easily implement something like this, without changing spice client ? I can hack qemu or spice server). > > > > ----- Mail original ----- > > De: "Marc-André Lureau" <mlureau@xxxxxxxxxx> > À: "Yonit Halperin" <yhalperi@xxxxxxxxxx> > Cc: "Alexandre DERUMIER" <aderumier@xxxxxxxxx>, "spice-devel" <spice-devel@xxxxxxxxxxxxxxxxxxxxx> > Envoyé: Lundi 22 Juillet 2013 18:50:43 > Objet: Re: seamless spice migration : question about password/ticket for target vm > > Hi > > ----- Mensaje original ----- > > Hi, > > On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote: > > > Hi, > > > > > > I'm trying to do migration, and I have a question about password on target > > > vm. > > > > > > > > > If I understand, client try to connect to target vm with same password > > > (temporary ticket) used to connect to source vm. > > > > > > > > > But, we need to configure this password to target vm, as I think that qemu > > > migration process don't copy the password between both spice server right > > > ? > > > So we need to store this password somewhere on the host, which seem to be > > > bad for security. (Seem that libvirt store it in guest config xml) > > ovirt's vdsm sets to the destination host the same ticket that was set > > upon the original connection. > > > > > > Is it possible to generate a new ticket for target vm, and send it to the > > > client ? (I don't see any option in qmp client_migrate_info ) > > > > > I don't think there is a way to do it without changing > > client_migrate_info and the protocol. Even if we would have a password > > option in client_migrate_info, I don't know if libvirt can retrieve this > > information. > > > > So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks. > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > http://lists.freedesktop.org/mailman/listinfo/spice-devel -- David Jaša, RHCE SPICE QE based in Brno GPG Key: 22C33E24 Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel