mirror of
https://git.proxmox.com/git/qemu-server
synced 2026-01-27 12:25:51 +00:00
spice: use TLS
we now use a local tcp port instead of a unix socket, because that is implemented and works with current spice libraries.
This commit is contained in:
Dietmar Maurer
parent
82a87eb43a
commit
943340a628
@ -1346,7 +1346,7 @@ __PACKAGE__->register_method({
|
||||
password => { type => 'string' },
|
||||
proxy => { type => 'string' },
|
||||
host => { type => 'string' },
|
||||
port => { type => 'integer' },
|
||||
'tls-port' => { type => 'integer' },
|
||||
},
|
||||
},
|
||||
code => sub {
|
||||
@ -1371,25 +1371,27 @@ __PACKAGE__->register_method({
|
||||
my $timeout = 10;
|
||||
|
||||
# Note: this only works if VM is on local node
|
||||
my $port = PVE::QemuServer::spice_port($vmid);
|
||||
PVE::QemuServer::vm_mon_cmd($vmid, "set_password", protocol => 'spice', password => $ticket);
|
||||
PVE::QemuServer::vm_mon_cmd($vmid, "expire_password", protocol => 'spice', time => "+30");
|
||||
|
||||
# allow access for group www-data to the spice socket,
|
||||
# so that spiceproxy can access it
|
||||
my $socket = PVE::QemuServer::spice_socket($vmid);
|
||||
my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
|
||||
chown 0, $gid, $socket;
|
||||
chmod 0770, $socket;
|
||||
|
||||
# fimxe: ??
|
||||
my $host = `hostname -f` || PVE::INotify::nodename();
|
||||
chomp $host;
|
||||
|
||||
my $subject = "OU=PVE Cluster Node, O=Proxmox Virtual Environment, CN=$host";
|
||||
|
||||
my $cacert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
|
||||
$cacert =~ s/\n/\\n/g;
|
||||
|
||||
return {
|
||||
type => 'spice',
|
||||
host => $proxyticket,
|
||||
title => "VM $vmid",
|
||||
host => $proxyticket, # this break tls hostname verification, so we need to use 'host-subject'
|
||||
proxy => "http://$host:3128",
|
||||
port => 1, # not used for now
|
||||
'tls-port' => $port,
|
||||
'host-subject' => $subject,
|
||||
ca => $cacert,
|
||||
password => $ticket,
|
||||
'delete-this-file' => 1,
|
||||
};
|
||||
|
||||
@ -2440,13 +2440,15 @@ sub config_to_command {
|
||||
if ($vga eq 'qxl') {
|
||||
my $pciaddr = print_pci_addr("spice", $bridges);
|
||||
|
||||
# todo: enable tls
|
||||
#my $x509 = "x509-key-file=/etc/pve/local/pve-ssl.key";
|
||||
#$x509 .= ",x509-cert-file=/etc/pve/local/pve-ssl.pem";
|
||||
#$x509 .= ",x509-cacert-file=/etc/pve/pve-root-ca.pem";
|
||||
my $x509 = "x509-key-file=/etc/pve/local/pve-ssl.key" .
|
||||
",x509-cert-file=/etc/pve/local/pve-ssl.pem" .
|
||||
",x509-cacert-file=/etc/pve/pve-root-ca.pem";
|
||||
|
||||
my $port = PVE::Tools::next_unused_port(61000, 61099);
|
||||
|
||||
push @$cmd, '-spice', "tls-port=$port,addr=127.0.0.1,$x509,tls-ciphers=DES-CBC3-SHA";
|
||||
|
||||
|
||||
my $socket = spice_socket($vmid);
|
||||
push @$cmd, '-spice', "unix=$socket";
|
||||
push @$cmd, '-device', "virtio-serial,id=spice$pciaddr";
|
||||
push @$cmd, '-chardev', "spicevmc,id=vdagent,name=vdagent";
|
||||
push @$cmd, '-device', "virtserialport,chardev=vdagent,name=com.redhat.spice.0";
|
||||
@ -2575,9 +2577,12 @@ sub vnc_socket {
|
||||
return "${var_run_tmpdir}/$vmid.vnc";
|
||||
}
|
||||
|
||||
sub spice_socket {
|
||||
sub spice_port {
|
||||
my ($vmid) = @_;
|
||||
return "${var_run_tmpdir}/$vmid.spice";
|
||||
|
||||
my $res = vm_mon_cmd($vmid, 'query-spice');
|
||||
|
||||
return $res->{'tls-port'} || $res->{'port'} || die "no spice port\n";
|
||||
}
|
||||
|
||||
sub qmp_socket {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user