[Spice-devel] seamless spice migration : question about password/ticket for target vm

David Jaša djasa at redhat.com
Tue Jul 23 03:55:02 PDT 2013


Alexandre DERUMIER wrote on Tue 23. 07. 2013 at 06:55 +0200:
> >>So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. 
> 
> Yes, that's why I think it is strange too. When a ticket is expired, it shouldn't be reused and stored.
> 
> I don't know too much about the spice protocol, but I see 3 workarounds:
> 
> 1) extend client_info_migrate to send a new ticket/password.

That IMO makes most sense.

David

> 
> 2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this)
> 
> 3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored ? Maybe use some kind of session cookie ?
> 
> 
> 
> (Note, I'm working on this for Proxmox integration, I don't know if I can easily implement something like this without changing the spice client? I can hack qemu or spice server).
> 
> 
> 
> ----- Original Message -----
> 
> From: "Marc-André Lureau" <mlureau at redhat.com>
> To: "Yonit Halperin" <yhalperi at redhat.com>
> Cc: "Alexandre DERUMIER" <aderumier at odiso.com>, "spice-devel" <spice-devel at lists.freedesktop.org>
> Sent: Monday 22 July 2013 18:50:43
> Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm
> 
> Hi 
> 
> ----- Original Message -----
> > Hi, 
> > On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote: 
> > > Hi, 
> > > 
> > > I'm trying to do migration, and I have a question about password on target 
> > > vm. 
> > > 
> > > 
> > > If I understand, the client tries to connect to the target vm with the same password
> > > (temporary ticket) used to connect to the source vm.
> > > 
> > > 
> > > But we need to configure this password on the target vm, as I think that the qemu
> > > migration process doesn't copy the password between both spice servers, right?
> > > So we need to store this password somewhere on the host, which seems to be
> > > bad for security. (It seems that libvirt stores it in the guest config xml)
> > ovirt's vdsm sets to the destination host the same ticket that was set 
> > upon the original connection. 
> > > 
> > > Is it possible to generate a new ticket for target vm, and send it to the 
> > > client ? (I don't see any option in qmp client_migrate_info ) 
> > > 
> > I don't think there is a way to do it without changing 
> > client_migrate_info and the protocol. Even if we would have a password 
> > option in client_migrate_info, I don't know if libvirt can retrieve this 
> > information. 
> > 
> 
> So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks. 

-- 

David Jaša, RHCE

SPICE QE based in Brno
GPG Key:     22C33E24 
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

