[Spice-devel] seamless spice migration : question about password/ticket for target vm

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 23 03:50:21 PDT 2013 

For information:

As workaround, we have made a patch to qmp query-spice, to retrieve the current spice ticket from spice server.

https://git.proxmox.com/?p=pve-qemu-kvm.git;a=blob;f=debian/patches/modify-query-spice.patch;h=38efb043714a43e0fc695d8d6a8fc1ce08d7c2d4;hb=e2236adef4f70c8e63d0211876483deb9cd5f640


----- Mail original ----- 

De: "Alexandre DERUMIER" <aderumier at odiso.com> 
À: "Marc-André Lureau" <mlureau at redhat.com> 
Cc: "spice-devel" <spice-devel at lists.freedesktop.org> 
Envoyé: Mardi 23 Juillet 2013 06:55:33 
Objet: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm 

>>So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. 

Yes, that's why I think is strange too. When a ticked is expired, it shouldn't be reused and stored. 

I don't known too much the spice procotol, but I see 3 workaround: 

1) extend client_info_migrate to send a new ticket/password. 

2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this) 

3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ? 



(Note, I'm working on this for Proxmox integration, I don't known if I can easily implement something like this, without changing spice client ? I can hack qemu or spice server). 



----- Mail original ----- 

De: "Marc-André Lureau" <mlureau at redhat.com> 
À: "Yonit Halperin" <yhalperi at redhat.com> 
Cc: "Alexandre DERUMIER" <aderumier at odiso.com>, "spice-devel" <spice-devel at lists.freedesktop.org> 
Envoyé: Lundi 22 Juillet 2013 18:50:43 
Objet: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm 

Hi 

----- Mensaje original ----- 
> Hi, 
> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote: 
> > Hi, 
> > 
> > I'm trying to do migration, and I have a question about password on target 
> > vm. 
> > 
> > 
> > If I understand, client try to connect to target vm with same password 
> > (temporary ticket) used to connect to source vm. 
> > 
> > 
> > But, we need to configure this password to target vm, as I think that qemu 
> > migration process don't copy the password between both spice server right 
> > ? 
> > So we need to store this password somewhere on the host, which seem to be 
> > bad for security. (Seem that libvirt store it in guest config xml) 
> ovirt's vdsm sets to the destination host the same ticket that was set 
> upon the original connection. 
> > 
> > Is it possible to generate a new ticket for target vm, and send it to the 
> > client ? (I don't see any option in qmp client_migrate_info ) 
> > 
> I don't think there is a way to do it without changing 
> client_migrate_info and the protocol. Even if we would have a password 
> option in client_migrate_info, I don't know if libvirt can retrieve this 
> information. 
> 

So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks. 
_______________________________________________ 
Spice-devel mailing list 
Spice-devel at lists.freedesktop.org 
http://lists.freedesktop.org/mailman/listinfo/spice-devel

More information about the Spice-devel mailing list