[pve-devel] [PATCH] spice-tls: test with spice listening on tcp localhost instead unix socket

Alexandre Derumier aderumier at odiso.com
Wed Jul 17 05:35:45 CEST 2013


dirty fast implementation:

- tcp port is "61$vmid";

spice config file:

tls-port = vmid
host = localhost

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 PVE/API2/Qemu.pm  |   23 ++++++++++++++---------
 PVE/QemuServer.pm |   13 ++++++++-----
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/PVE/API2/Qemu.pm b/PVE/API2/Qemu.pm
index 5996720..f36ff5f 100644
--- a/PVE/API2/Qemu.pm
+++ b/PVE/API2/Qemu.pm
@@ -1345,8 +1345,9 @@ __PACKAGE__->register_method({
 	    type => { type => 'string' },
 	    password => { type => 'string' },
 	    proxy => { type => 'string' },
-	    host => { type => 'string' },
-	    port => { type => 'integer' },
+	    "tls-ciphers" => { type => 'string' },
+	    ca => { type => 'string' },
+	    "tls-port" => { type => 'integer' },
 	},
     },
     code => sub {
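Review bot: The returns schema drops `host`, but the return hash later in this file still emits `host => 'localhost'`, so the declared return properties no longer match what the method returns; keep `host => { type => 'string' },` alongside the new `ca` and `tls-port` entries. Since `ca` now carries an entire PEM certificate as a string value, a short description on that property (PEM, newlines escaped) would tell API consumers what to expect.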
@@ -1376,21 +1377,25 @@ __PACKAGE__->register_method({
 
 	# allow access for group www-data to the spice socket,
 	# so that spiceproxy can access it
-	my $socket =  PVE::QemuServer::spice_socket($vmid);
-	my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
-	chown 0, $gid, $socket;
-	chmod 0770, $socket;
+	#my $socket =  PVE::QemuServer::spice_socket($vmid);
+	#my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
+	#chown 0, $gid, $socket;
+	#chmod 0770, $socket;
 
 	# fimxe: ??
 	my $host = `hostname -f` || PVE::INotify::nodename();
 	chomp $host;
-
+	my $sslcert = PVE::Tools::file_get_contents("/etc/pve/pve-root-ca.pem", 8192);
+	$sslcert =~ s/\n/\\n/g;
 	return {
 	    type => 'spice',
-	    host => $proxyticket,
+#	    host => $proxyticket,  #disable for now, break tls hostname verification
+	    host => 'localhost',
 	    proxy => "http://$host:3128",
-	    port => 1, # not used for now
+	    "tls-port" => $vmid, 
+	    "tls-ciphers" => "DES-CBC3-SHA",
 	    password => $ticket,
+	    ca => $sslcert,
 	    'delete-this-file' => 1,
 	};
     }});
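Review bot: `"tls-port" => $vmid` does not match the port the VM is started on — spice_socket() in PVE/QemuServer.pm now returns `"61$vmid"` and config_to_command passes that as `tls-port=`, so a client following this response connects to the wrong port unless spiceproxy remaps it (not visible here); derive both from the same helper, e.g. `"tls-port" => PVE::QemuServer::spice_socket($vmid),`. `DES-CBC3-SHA` (3DES) is a weak choice for a new TLS endpoint and is hard-coded here and again in config_to_command, so prefer an AES-based suite held in one shared constant so the two sides cannot drift. The commented-out chown/chmod block and the commented `host => $proxyticket` line should be deleted rather than left in place, with the reason (TLS hostname verification) kept in the commit message. The 8192-byte cap on file_get_contents for the CA file will silently truncate a longer chain, so check that the read is complete or raise the limit.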
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 321f6a9..5f2a32f 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -2441,12 +2441,14 @@ sub config_to_command {
 	my $pciaddr = print_pci_addr("spice", $bridges);
 
 	# todo: enable tls
-	#my $x509 = "x509-key-file=/etc/pve/local/pve-ssl.key";
-	#$x509 .= ",x509-cert-file=/etc/pve/local/pve-ssl.pem";
-	#$x509 .= ",x509-cacert-file=/etc/pve/pve-root-ca.pem";
+	my $x509 = "x509-key-file=/etc/pve/local/pve-ssl.key";
+	$x509 .= ",x509-cert-file=/etc/pve/local/pve-ssl.pem";
+	$x509 .= ",x509-cacert-file=/etc/pve/pve-root-ca.pem";
 
 	my $socket = spice_socket($vmid);
-	push @$cmd, '-spice', "unix=$socket";
+#	push @$cmd, '-spice', "unix=$socket,$x509,tls-ciphers=DES-CBC3-SHA";
+	push @$cmd, '-spice',"tls-port=$socket,addr=127.0.0.1,$x509,tls-ciphers=DES-CBC3-SHA";
+
 	push @$cmd, '-device', "virtio-serial,id=spice$pciaddr";
 	push @$cmd, '-chardev', "spicevmc,id=vdagent,name=vdagent";
 	push @$cmd, '-device', "virtserialport,chardev=vdagent,name=com.redhat.spice.0";
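Review bot: `$socket` now holds a TCP port, not a socket path, so the name misleads the reader of the `tls-port=$socket` option; rename it, e.g. `my $tls_port = spice_socket($vmid);`, and drop the commented-out `unix=` line and the now-stale `# todo: enable tls` comment since this hunk enables it. Binding with `addr=127.0.0.1` is the right restriction for a proxy-fronted listener and deserves a one-line comment saying the port is only reachable through spiceproxy. config_to_command starts and ends outside the hunk.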
@@ -2577,7 +2579,8 @@ sub vnc_socket {
 
 sub spice_socket {
     my ($vmid) = @_;
-    return "${var_run_tmpdir}/$vmid.spice";
+    #return "${var_run_tmpdir}/$vmid.spice";
+    return "61$vmid";
 }
 
 sub qmp_socket {
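Review bot: `return "61$vmid";` is not a valid TCP port for any vmid of four or more digits (vmid 1000 yields 611000, above 65535), so starting such a VM fails at the `-spice tls-port=` option; the port needs a bounded derivation, e.g. a range check that dies with a clear message or an explicit port allocation, rather than string concatenation. The sub is also still named spice_socket while returning a port, so rename it or at least replace the commented-out path with `# returns the local TLS port the VM's spice server listens on (TODO: bounded allocation)`. qmp_socket on the last line begins outside the hunk.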
-- 
1.7.10.4



