On 12/12/2009 07:40 PM, Anthony Liguori wrote:
If Spice can crash a guest, that indicates to me that Spice is
maintaining guest visible state. That is difficult architecturally
because if we want to do something like introduce a secure sandbox for
running guest visible emulation, libspice would have to be part of that
sandbox which would seem to be difficult.
The VNC server cannot crash a guest by comparison.
That's not accurate:
https://bugzilla.redhat.com/show_bug.cgi?id=505641 - (CVE-2009-3616)
CVE-2009-3616 Remote VNC client can cause any QEMU VNC server to crash
with a double-free
and again: https://bugzilla.redhat.com/show_bug.cgi?id=495646 - Get
segfault when changing vnc password
Why vnc server code should be protected and spice server not?
In addition, like Izik said, the qxl device/driver pair is a must. QXL
is a great addition even in 'old' vnc mode since it supports lots of
goodies. In addition for caching it also allows s3 state (qxl d3) for
the OS, unlike Cirrus.
More VNC bugs that we run into:
https://bugzilla.redhat.com/show_bug.cgi?id=507880 - qemu hangs during
VNC connection from RHEVM
https://bugzilla.redhat.com/show_bug.cgi?id=490344 - QEMU: Cannot VNC
to a VM if a VNC is already opened to it
https://bugzilla.redhat.com/show_bug.cgi?id=497524 - QEMU: Early BIOS
error message cannot be seen after reboot in VNC
https://bugzilla.redhat.com/show_bug.cgi?id=501263 - KVM: VNC screen is
sometimes corrupted (at boot?)
If we'll break spice to components we have the following (and I'm not a
spice expert):
1. QXL device/driver pair
Is anyone debate we should have it in qemu?
We should attach it SDL and vnc backend too anyway.
2. VDI (Virtual Desktop Interface)
http://www.spice-space.org/vdi.html
It's an abstraction layer for graphics/keyboard/mouse/sound
/usb/serial.
We need it anyway regardless of spice. What is our user like to
switch from vnc to SDL on runtime? It's good for usb-over-ip for
remoting, for various mouse modes, etc.
3. Spice server
Shared library, in the same address space of qemu (like vnc server).
Very sophisticated peace of code.
4. Spice client - independent.
So #1 shouldn't run into any opposition.
We can discuss why #2 is good, the layering separation between
guest/host seems good idea to me.
As for #3, this is a library. If we have #2, one can even use a separate
address space for sanity reasons. From my experience with spice (through
all Red Hat QA), 99.9% of failures originated in qemu..
HTH,
Dor
FWIW, I don't see any reason why Spice couldn't be made to be separate
from guest emulation. I think it would just require the right
interfacing in qemu. I think that's purely an implementation detail.
Regards,
Anthony Liguori