[Spice-devel] seamless spice migration : question about password/ticket for target vm

[Yonit Halperin]

On 07/22/2013 12:50 PM, Marc-André Lureau wrote:
> Hi
>
> ----- Mensaje original -----
>> Hi,
>> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
>>> Hi,
>>>
>>> I'm trying to do migration, and I have a question about password on target
>>> vm.
>>>
>>>
>>> If I understand, client try to connect to target vm with same password
>>> (temporary ticket) used to connect to source vm.
>>>
>>>
>>> But, we need to configure this password to target vm, as I think that qemu
>>> migration process don't copy the password between both spice server right
>>> ?
>>> So we need to store this password somewhere on the host, which seem to be
>>> bad for security. (Seem that libvirt store it in guest config xml)
>> ovirt's vdsm sets to the destination host the same ticket that was set
>> upon the original connection.
>>>
>>> Is it possible to generate a new ticket for target vm, and send it to the
>>> client ? (I don't see any option in qmp client_migrate_info )
>>>
>> I don't think there is a way to do it without changing
>> client_migrate_info and the protocol. Even if we would have a password
>> option in client_migrate_info, I don't know if libvirt can retrieve this
>> information.
>>
>
> So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks.
>
Yes, they reset the same password, with the same expiration time, at the 
moment the destination is up (the expiration time is one of the reasons 
why we need to connect to the destination before migration really begins).