Alexandre DERUMIER aderumier at odiso.com
Mon Apr 8 10:00:48 CEST 2013


I worked on a spice demo implementation for proxmox last week;
I'll try to send patches this week.

How it works:

- Compilation of pve-qemu-kvm with spice support.
- I used the spice packages from debian sid: libspice-protocol-dev, libspice-server-dev, libspice-server1.
   (But I think we can compile our own packages, as there are already some more recent packages.)
- I have installed squid on each proxmox, used as a CONNECT proxy for spice.

- Each qemu spice server listens on a tcp socket, so we need to filter with iptables to avoid exposing the port outside.
  Qemu only supports tcp, but the spice protocol seems to have supported unix sockets for some months. I haven't found a patch for qemu.
  But I don't know if unix sockets can work with spice seamless migration.

- For now, I can't get tls to work, I don't know why, maybe  but implementation is easy. (http://spice-space.org/page/SSLConnection)

- When the user clicks on the "spice console" button:

  1) A temporary spice password/token is generated; I have reused assemble_vnc_ticket.
  2) This password is configured with qmp in the vm, with a timeout of 20sec.

     I know you want user authentication; maybe we can hack qemu to handle this (as assemble_vnc_ticket puts the user login in the pass).
     But I think it's secure enough like this, as you need to be authenticated to proxmox to generate the ticket, and the ticket is transmitted with ssl.

  3) A spice configuration file is generated with the application/x-spice-configuration mime type, and downloaded by the client.
  A file format example is:


  The file format spec is available here: http://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c

  Then the user should associate application/x-spice-configuration with the remote-viewer application.

  (remote-viewer is available in the virt-viewer package on debian; a windows package is available at http://spice-space.org/download/gtk/windows/virt-viewer-0.5.3_x64.exe )

  - Note that 3) can be replaced with spice-xpi, to avoid downloading a conf file.
   But spice-xpi is not yet available on windows (support is added in git, but I don't know how to build it).
   And spice-xpi is not yet packaged for debian, or maybe other linux distributions.

- The user connects through the squid proxy on port 3128, and is then tunneled to the right kvm server. (So we only need port 3128 open to the outside.)

 4) When a live migration occurs, the new host/port value is automatically sent to the client (spice seamless-migration).
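
The ticket flow in steps 1) to 3) above, as an added example that is not part of the original post or of Proxmox's code. It assumes a random token in place of assemble_vnc_ticket, QEMU's `set_password` and `expire_password` QMP commands for the 20-second timeout, and constructed host, port and proxy values; the `[virt-viewer]` key names follow the virt-viewer connection-file format as an assumption, not the example missing from the post.

```python
import configparser
import io
import json
import secrets

TICKET_TTL = 20  # seconds; the timeout given in the post


def new_ticket():
    # Assumption: a random one-time token stands in for assemble_vnc_ticket.
    return secrets.token_urlsafe(24)


def qmp_commands(ticket, ttl=TICKET_TTL):
    """QMP messages that set the SPICE password and expire it ttl seconds later."""
    return [
        {"execute": "set_password",
         "arguments": {"protocol": "spice", "password": ticket}},
        {"execute": "expire_password",
         "arguments": {"protocol": "spice", "time": f"+{ttl}"}},
    ]


def viewer_file(host, port, ticket, proxy):
    """Render the application/x-spice-configuration body for remote-viewer."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg["virt-viewer"] = {
        "type": "spice",
        "host": host,
        "port": str(port),
        "password": ticket,       # rejected for new connections after the TTL
        "proxy": proxy,           # the squid CONNECT proxy on port 3128
        "delete-this-file": "1",  # viewer removes the file after reading it
    }
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    ticket = new_ticket()
    for cmd in qmp_commands(ticket):
        print(json.dumps(cmd))  # would be sent on the VM's QMP socket
    # Constructed sample values, not taken from the post.
    print(viewer_file("node1.example", 61000, ticket, "http://pve.example:3128"))
```

Because the file carries the password in clear text, it should only be served over the authenticated ssl session the post describes, and with a response that is not cached.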

