[pve-devel] some spice news

Alexandre DERUMIER aderumier at odiso.com
Mon Apr 8 10:00:48 CEST 2013 

Hi, 

I have worked on a spice demo implementation for proxmox last week,
I 'll try to send patches this week.


How it's works:

- compilation of pve-qemu-kvm with spice support.
- I had used spice packages from debian sid, libspice-protocol-dev,libspice-server-dev,libspice-server1.
   (But I think we can compile our own package, as they are already some more recent package)
- I have installed squid on each proxmox, used as CONNECT proxy for spice

- each qemu spice server listen on a tcp socket. So we need to filter with iptables, to avoid expose the port outside.
  Qemu only support tcp, but spice protocol seem to support unix socket since some month. I don't have found a patch for qemu.
  But I don't known is unix socket can work with spice seamless migration.


- for now, I can't get tls work, I don't known why,maybe  but implementation is easy. (http://spice-space.org/page/SSLConnection)

- When user click on "spice console" button:

  1) -a temporary spice password/tolen is generated, I have reused assemble_vnc_ticket.
  2) - this password is configured with qmp in vm, with a timeout of 20sec.

     I known you want user authentification, maybe can we hack qemu to handle this. (As assemble_vnc_ticket put user login in pass).
     But I think it's enough secure like this, as you need to be authenticated to proxmox, to generate the ticket, and the ticket is transmit with ssl


  3) -a spice configuration file is generated with application/x-spice-configuration mime type, and downloaded by the client.
  file format example is:

  [virt-viewer]
  type=spice
  host=kvmnode2
  pass=BASE64TICKET
  port=xxxx
  proxy=http://kvmnode1:3128

  file format spec is available here : http://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c

  Then user should associate application/x-spice-configuration, with remote-viewer application.

  (remote-viewer is available in virt-viewer package on debian, windows package is available http://spice-space.org/download/gtk/windows/virt-viewer-0.5.3_x64.exe )

  -Note that 3), can be replaced with spice-xpi, to avoid download of a conf file. 
   But spice-xpi is not yet available on windows (support is added in git, but I don't known how to build it).
   And spice-xpi is not yet packaged for debian, or maybe other linux distrib.


- User connected through squid proxy on port 3128, then tunneled to right kvm server. (So we need only port 3128 open to outside).


 4) when a live migration occur, the new host/port value is automaticly send to client. (spice seamless-migration)

More information about the pve-devel mailing list