Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

> So upon migration, libvirt/ovirt will set the dest VM with the same old
> password? That sounds sane to me in general, but looks kinda against an
> expiry-based ticket.

Yes, that's why I think it is strange too. When a ticket is expired, it shouldn't be reused and stored.

I don't know too much about the spice protocol, but I see 3 workarounds:

1) extend client_info_migrate to send a new ticket/password.
2) when we use qmp set_password, change the spice server password and send this password to clients currently connected. (So we can renew the ticket like this)
3) In the case of seamless migration, why does the client need to resend the password, if the session state is restored? Maybe use some kind of session cookie?

(Note, I'm working on this for Proxmox integration, I don't know if I can easily implement something like this, without changing spice client? I can hack qemu or spice server).

----- Original Message -----
From: Marc-André Lureau mlur...@redhat.com
To: Yonit Halperin yhalp...@redhat.com
Cc: Alexandre DERUMIER aderum...@odiso.com, spice-devel spice-devel@lists.freedesktop.org
Sent: Monday 22 July 2013 18:50:43
Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Hi

----- Original Message -----
> Hi,
>
> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > Hi,
> > I'm trying to do migration, and I have a question about password on target vm.
> > If I understand, client tries to connect to target vm with same password
> > (temporary ticket) used to connect to source vm.
> > But, we need to configure this password to target vm, as I think that qemu
> > migration process doesn't copy the password between both spice servers, right?
> > So we need to store this password somewhere on the host, which seems to be
> > bad for security.
> > (Seems that libvirt stores it in guest config xml)
>
> ovirt's vdsm sets to the destination host the same ticket that was set
> upon the original connection.
>
> > Is it possible to generate a new ticket for target vm, and send it to the client?
> > (I don't see any option in qmp client_migrate_info)
>
> I don't think there is a way to do it without changing
> client_migrate_info and the protocol. Even if we would have a password
> option in client_migrate_info, I don't know if libvirt can retrieve this
> information.

So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks.

_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel

Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Alexandre DERUMIER wrote on Tue 23. 07. 2013 at 06:55 +0200:
> > So upon migration, libvirt/ovirt will set the dest VM with the same old
> > password? That sounds sane to me in general, but looks kinda against an
> > expiry-based ticket.
>
> Yes, that's why I think it is strange too. When a ticket is expired, it
> shouldn't be reused and stored.
>
> I don't know too much about the spice protocol, but I see 3 workarounds:
>
> 1) extend client_info_migrate to send a new ticket/password.

That IMO makes most sense.

David

> 2) when we use qmp set_password, change the spice server password and send
> this password to clients currently connected. (So we can renew the ticket
> like this)
> 3) In the case of seamless migration, why does the client need to resend the
> password, if the session state is restored? Maybe use some kind of session
> cookie?
>
> (Note, I'm working on this for Proxmox integration, I don't know if I can
> easily implement something like this, without changing spice client? I can
> hack qemu or spice server).
>
> ----- Original Message -----
> From: Marc-André Lureau mlur...@redhat.com
> To: Yonit Halperin yhalp...@redhat.com
> Cc: Alexandre DERUMIER aderum...@odiso.com, spice-devel spice-devel@lists.freedesktop.org
> Sent: Monday 22 July 2013 18:50:43
> Subject: Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm
>
> Hi
>
> ----- Original Message -----
> > Hi,
> >
> > On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > > Hi,
> > > I'm trying to do migration, and I have a question about password on target vm.
> > > If I understand, client tries to connect to target vm with same password
> > > (temporary ticket) used to connect to source vm.
> > > But, we need to configure this password to target vm, as I think that qemu
> > > migration process doesn't copy the password between both spice servers, right?
> > > So we need to store this password somewhere on the host, which seems to be
> > > bad for security.
> > > (Seems that libvirt stores it in guest config xml)
> >
> > ovirt's vdsm sets to the destination host the same ticket that was set
> > upon the original connection.
> >
> > > Is it possible to generate a new ticket for target vm, and send it to the client?
> > > (I don't see any option in qmp client_migrate_info)
> >
> > I don't think there is a way to do it without changing
> > client_migrate_info and the protocol. Even if we would have a password
> > option in client_migrate_info, I don't know if libvirt can retrieve this
> > information.
>
> So upon migration, libvirt/ovirt will set the dest VM with the same old
> password? That sounds sane to me in general, but looks kinda against an
> expiry-based ticket. It would be worth asking the ovirt folks.

--
David Jaša, RHCE
SPICE QE based in Brno
GPG Key: 22C33E24
Fingerprint: 513A 060B D1B4 2A72 7F0D 0278 B125 CD00 22C3 3E24

Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Hi,

On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> Hi,
> I'm trying to do migration, and I have a question about password on target vm.
> If I understand, client tries to connect to target vm with same password
> (temporary ticket) used to connect to source vm.
> But, we need to configure this password to target vm, as I think that qemu
> migration process doesn't copy the password between both spice servers, right?
> So we need to store this password somewhere on the host, which seems to be
> bad for security.
> (Seems that libvirt stores it in guest config xml)

ovirt's vdsm sets to the destination host the same ticket that was set upon the original connection.

> Is it possible to generate a new ticket for target vm, and send it to the client?
> (I don't see any option in qmp client_migrate_info)

I don't think there is a way to do it without changing client_migrate_info and the protocol. Even if we would have a password option in client_migrate_info, I don't know if libvirt can retrieve this information.

Regards,
Yonit.

> Best Regards,
> Alexandre

Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

Hi

----- Original Message -----
> Hi,
>
> On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > Hi,
> > I'm trying to do migration, and I have a question about password on target vm.
> > If I understand, client tries to connect to target vm with same password
> > (temporary ticket) used to connect to source vm.
> > But, we need to configure this password to target vm, as I think that qemu
> > migration process doesn't copy the password between both spice servers, right?
> > So we need to store this password somewhere on the host, which seems to be
> > bad for security.
> > (Seems that libvirt stores it in guest config xml)
>
> ovirt's vdsm sets to the destination host the same ticket that was set
> upon the original connection.
>
> > Is it possible to generate a new ticket for target vm, and send it to the client?
> > (I don't see any option in qmp client_migrate_info)
>
> I don't think there is a way to do it without changing
> client_migrate_info and the protocol. Even if we would have a password
> option in client_migrate_info, I don't know if libvirt can retrieve this
> information.

So upon migration, libvirt/ovirt will set the dest VM with the same old password? That sounds sane to me in general, but looks kinda against an expiry-based ticket. It would be worth asking the ovirt folks.

Re: [Spice-devel] seamless spice migration : question about password/ticket for target vm

On 07/22/2013 12:50 PM, Marc-André Lureau wrote:
> Hi
>
> ----- Original Message -----
> > Hi,
> >
> > On 07/22/2013 08:04 AM, Alexandre DERUMIER wrote:
> > > Hi,
> > > I'm trying to do migration, and I have a question about password on target vm.
> > > If I understand, client tries to connect to target vm with same password
> > > (temporary ticket) used to connect to source vm.
> > > But, we need to configure this password to target vm, as I think that qemu
> > > migration process doesn't copy the password between both spice servers, right?
> > > So we need to store this password somewhere on the host, which seems to be
> > > bad for security.
> > > (Seems that libvirt stores it in guest config xml)
> >
> > ovirt's vdsm sets to the destination host the same ticket that was set
> > upon the original connection.
> >
> > > Is it possible to generate a new ticket for target vm, and send it to the client?
> > > (I don't see any option in qmp client_migrate_info)
> >
> > I don't think there is a way to do it without changing
> > client_migrate_info and the protocol. Even if we would have a password
> > option in client_migrate_info, I don't know if libvirt can retrieve this
> > information.
>
> So upon migration, libvirt/ovirt will set the dest VM with the same old
> password? That sounds sane to me in general, but looks kinda against an
> expiry-based ticket. It would be worth asking the ovirt folks.

Yes, they reset the same password, with the same expiration time, at the moment the destination is up (the expiration time is one of the reasons why we need to connect to the destination before migration really begins).
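
Added example (not part of the thread, and not vdsm, libvirt or QEMU code): a sketch of the QMP commands a management layer could send to re-apply an existing ticket on the destination with its original absolute expiry, as the last reply describes, while refusing to re-arm a ticket that has already expired. The ticket, host name, port and timestamps are constructed values and the Python function names are hypothetical; `set_password`, `expire_password` and `client_migrate_info` are QEMU QMP commands.

```python
import json
import time

def destination_ticket_commands(ticket, expires_at, now=None):
    """QMP commands for the destination QEMU: same ticket, same absolute
    expiry (Unix time) as on the source."""
    now = int(time.time()) if now is None else int(now)
    if int(expires_at) <= now:
        # Setting an expired ticket again would give it a second life.
        raise ValueError("ticket already expired; not setting it on the destination")
    return [
        {"execute": "set_password",
         "arguments": {"protocol": "spice", "password": ticket}},
        # A bare integer is an absolute time; "+N" would restart the clock
        # on the destination and silently extend the ticket.
        {"execute": "expire_password",
         "arguments": {"protocol": "spice", "time": str(int(expires_at))}},
    ]

def client_migrate_info(hostname, tls_port, cert_subject):
    """QMP command for the source QEMU. It carries no password argument,
    so the client reconnects with the ticket it already holds."""
    return {"execute": "client_migrate_info",
            "arguments": {"protocol": "spice", "hostname": hostname,
                          "tls-port": tls_port, "cert-subject": cert_subject}}

def redact(cmd):
    """Copy of a QMP command that is safe to write to logs (ticket masked)."""
    args = dict(cmd.get("arguments", {}))
    if "password" in args:
        args["password"] = "<redacted>"
    return {"execute": cmd["execute"], "arguments": args}

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    issued, lifetime = 1374500000, 120
    dest = destination_ticket_commands("constructed-ticket", issued + lifetime,
                                       now=issued + 45)
    src = client_migrate_info("dest.example", 5901, "CN=dest.example")
    for target, cmd in [("dest", c) for c in dest] + [("source", src)]:
        print(target, json.dumps(redact(cmd)))
```

The ticket still has to live in the management layer's memory between the two hosts; passing it straight to the destination QMP socket and logging only the redacted form avoids writing it to disk along the way.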