qemu-devel

Re: [Qemu-devel] [PATCH 12/15] qapi: add change-vnc-listen (v2)


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] [PATCH 12/15] qapi: add change-vnc-listen (v2)
Date: Mon, 12 Sep 2011 10:17:21 +0100
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Sep 02, 2011 at 05:50:05PM -0300, Luiz Capitulino wrote:
> On Fri,  2 Sep 2011 12:34:55 -0500
> Anthony Liguori <address@hidden> wrote:
> 
> > New QMP only command to change the VNC server's listening address.
> > 
> > Signed-off-by: Anthony Liguori <address@hidden>
> > ---
> > v1 -> v2
> >  - Enhanced docs (Luiz)
> > ---
> >  qapi-schema.json |   15 +++++++++++++++
> >  qmp-commands.hx  |    8 ++++++++
> >  qmp.c            |    7 +++++++
> >  3 files changed, 30 insertions(+), 0 deletions(-)
> > 
> > diff --git a/qapi-schema.json b/qapi-schema.json
> > index 350cf1c..0c6c9b8 100644
> > --- a/qapi-schema.json
> > +++ b/qapi-schema.json
> > @@ -109,3 +109,18 @@
> >  #         string.  Existing clients are unaffected by executing this 
> > command.
> >  ##
> >  { 'command': 'change-vnc-password', 'data': {'password': 'str'} }
> > +
> > +##
> > +# @change-vnc-listen:
> > +#
> > +# Change the host that the VNC server listens on.
> > +#
> > +# @target:  the new server specification to listen on
> > +#
> > +# Since: 1.0
> > +#
> > +# Notes:  At this moment in time, the behavior of existing client 
> > connections
> > +#         when this command is executed is undefined.  The authentication
> > +#         settings may change after executing this command.
> 
> It seems to completely disable authentication. At least when using
> password auth. I'd be very clear about that.

That is really bad, since even if we have another command to set the
authentication mode, this creates a designed-in race condition. To be
securely race-free, we need to be able to set the desired auth mode
first, and then change the listen address without it affecting auth.

    change-vnc-auth   tls
    change-vnc-listen 123.2.3.5:5901

If we really want vnc-listen to have possible side-effects on auth,
then we need to be able to put the VNC server in an offline mode
while making a sequence of configuration changes, e.g. something like

    change-vnc-status offline
    change-vnc-listen 123.2.3.5:5901
    change-vnc-auth   tls
    change-vnc-status online

No incoming client connections would be allowed while it is offline.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
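
The ordering argument in the message above, as an added toy model that is not QEMU code and not part of the original thread. It assumes a listen change resets auth to "none" (the behaviour reported in the review); `change-vnc-auth` and `change-vnc-status` are the hypothetical commands proposed in the message, and the starting state is constructed.

```python
# Toy model of the command sequences discussed in the thread; not QEMU code.
# Only change-vnc-listen exists in the patch. change-vnc-auth and
# change-vnc-status are the hypothetical commands proposed in the message.
from dataclasses import dataclass


@dataclass
class VncServer:
    listen: str = "127.0.0.1:5900"    # constructed starting state
    auth: str = "password"            # constructed starting state
    online: bool = True
    listen_resets_auth: bool = True   # assumption: side effect reported in review

    def execute(self, command, arg):
        if command == "change-vnc-listen":
            self.listen = arg
            if self.listen_resets_auth:
                self.auth = "none"
        elif command == "change-vnc-auth":
            self.auth = arg
        elif command == "change-vnc-status":
            self.online = (arg == "online")
        else:
            raise ValueError(f"unknown command: {command}")

    def accepts_unauthenticated(self):
        return self.online and self.auth == "none"


def exposure_windows(sequence, listen_resets_auth):
    """Return the 1-based steps after which a client could connect with no auth."""
    server = VncServer(listen_resets_auth=listen_resets_auth)
    exposed = []
    for step, (command, arg) in enumerate(sequence, start=1):
        server.execute(command, arg)
        if server.accepts_unauthenticated():
            exposed.append(step)
    return exposed


NEW_ADDR = "123.2.3.5:5901"  # address used in the message
LISTEN_THEN_AUTH = [("change-vnc-listen", NEW_ADDR), ("change-vnc-auth", "tls")]
AUTH_THEN_LISTEN = [("change-vnc-auth", "tls"), ("change-vnc-listen", NEW_ADDR)]
OFFLINE_BRACKET = [("change-vnc-status", "offline"),
                   ("change-vnc-listen", NEW_ADDR),
                   ("change-vnc-auth", "tls"),
                   ("change-vnc-status", "online")]

if __name__ == "__main__":
    print("listen then auth, side effect:", exposure_windows(LISTEN_THEN_AUTH, True))
    print("auth then listen, side effect:", exposure_windows(AUTH_THEN_LISTEN, True))
    print("auth then listen, no side effect:", exposure_windows(AUTH_THEN_LISTEN, False))
    print("offline bracket, side effect:", exposure_windows(OFFLINE_BRACKET, True))
```

An empty list means no step leaves the server online without authentication; in this model only the side-effect-free listen change and the offline bracket achieve that.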


