[pve-devel] some spice news

Alexandre DERUMIER aderumier at odiso.com
Mon Apr 8 13:59:20 CEST 2013


I have found a working spice socket qemu patch!
It was for qemu on illumos smartos, and a bit old, but I have made some modifications and it works fine.

so, we can have this:

client ---> squid proxy ---> socat tunnel ---> kvm unix socket

and only need to export squid proxy port to outside world :)

----- Original Message -----

From: "Alexandre DERUMIER" <aderumier at odiso.com>
To: pve-devel at pve.proxmox.com
Sent: Monday, April 8, 2013 10:00:48
Subject: [pve-devel] some spice news


I worked on a spice demo implementation for proxmox last week,
I'll try to send patches this week.

How it works:

- compilation of pve-qemu-kvm with spice support.
- I used spice packages from debian sid: libspice-protocol-dev, libspice-server-dev, libspice-server1.
(But I think we can compile our own package, as there are already some more recent packages)
- I have installed squid on each proxmox, used as a CONNECT proxy for spice

- each qemu spice server listens on a tcp socket. So we need to filter with iptables, to avoid exposing the port outside.
Qemu only supports tcp, but the spice protocol seems to have supported unix sockets for some months. I have not found a patch for qemu.
But I don't know if unix sockets can work with spice seamless migration.

- for now, I can't get tls to work, I don't know why, maybe but implementation is easy. (http://spice-space.org/page/SSLConnection)

- When the user clicks on the "spice console" button:

1) a temporary spice password/token is generated, I have reused assemble_vnc_ticket.
2) this password is configured with qmp in the vm, with a timeout of 20sec.

I know you want user authentication, maybe we can hack qemu to handle this. (As assemble_vnc_ticket puts the user login in the pass).
But I think it's secure enough like this, as you need to be authenticated to proxmox to generate the ticket, and the ticket is transmitted with ssl

3) a spice configuration file is generated with the application/x-spice-configuration mime type, and downloaded by the client.
file format example is: 


file format spec is available here : http://git.fedorahosted.org/cgit/virt-viewer.git/tree/src/virt-viewer-file.c 

Then the user should associate application/x-spice-configuration with the remote-viewer application.

(remote-viewer is available in the virt-viewer package on debian, a windows package is available at http://spice-space.org/download/gtk/windows/virt-viewer-0.5.3_x64.exe )

- Note that 3) can be replaced with spice-xpi, to avoid the download of a conf file.
But spice-xpi is not yet available on windows (support is added in git, but I don't know how to build it).
And spice-xpi is not yet packaged for debian, or maybe other linux distributions.

- The user connects through the squid proxy on port 3128, and is then tunneled to the right kvm server. (So we only need port 3128 open to the outside).

4) when a live migration occurs, the new host/port value is automatically sent to the client. (spice seamless-migration)
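
Steps 1) and 2) of the mail above, as an added example that is not part of the original mail or of the Proxmox code: a short-lived SPICE ticket armed over QMP with `set_password` and `expire_password`. A random token stands in for assemble_vnc_ticket, and the function names and the socket handed to them are assumptions.

```python
import json
import secrets

TICKET_TTL = 20  # seconds, the timeout given in the mail


def ticket_commands(ticket, ttl=TICKET_TTL):
    """QMP commands that set a SPICE password and schedule its expiry."""
    return [
        {"execute": "set_password",
         "arguments": {"protocol": "spice", "password": ticket}},
        {"execute": "expire_password",
         "arguments": {"protocol": "spice", "time": f"+{ttl}"}},
    ]


def qmp_run(sock, commands):
    """Do the QMP handshake on a connected socket, then run each command."""
    rfile = sock.makefile("r")
    greeting = json.loads(rfile.readline())
    if "QMP" not in greeting:
        raise RuntimeError("peer is not a QMP monitor")
    # Command mode must be entered with qmp_capabilities first.
    for cmd in [{"execute": "qmp_capabilities"}] + commands:
        sock.sendall(json.dumps(cmd).encode() + b"\r\n")
        while True:
            reply = json.loads(rfile.readline())
            if "event" in reply:   # asynchronous events can interleave
                continue
            if "error" in reply:
                # Fail closed: never hand out a ticket qemu did not accept.
                raise RuntimeError(reply["error"].get("desc", "QMP error"))
            break


def issue_ticket(sock, ttl=TICKET_TTL):
    """Generate a random ticket, arm it in the VM, and return it.

    `sock` is a socket already connected to the VM's QMP monitor
    (hypothetical here; the mail does not say how the monitor is reached).
    """
    ticket = secrets.token_urlsafe(24)  # 32 characters of URL-safe text
    qmp_run(sock, ticket_commands(ticket, ttl))
    return ticket
```

The ticket is returned only after both commands succeed, so a client never receives a password that lacks an expiry.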
