[libvirt] VNC sharePolicy not working as expected

Michal Privoznik mprivozn at redhat.com
Wed Apr 16 08:47:42 UTC 2014


On 15.04.2014 09:01, Kekane, Abhishek wrote:
> Hi All,
> Greetings!!!
>
> We are using the KVM hypervisor driver for running OpenStack IaaS. A couple
> of months back we reported one security issue [1] in OS.
> Basically we want to limit the number of VNC client connections that
> can be opened by users for a given VM.
>
> From libvirt 1.0.6 version onwards share policy feature is supported
> to control the way consoles are accessed by the user.
> Presently it is possible to configure share policy for vnc in 3
> different ways:-
> 1. allow-exclusive, allows clients to ask for exclusive access by
> dropping other connections
> 2. force-share, this is the default value; it allows multiple clients to
> connect to the console in parallel sharing the same session
> 3. ignore, welcomes every connection unconditionally
>
> In openstack nova for libvirt driver I am able to configure the
> sharePolicy value to graphics element of domain's xml.
>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
> sharePolicy="force-shared">
>      <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
> sharePolicy="allow-exclusive">
>      <listen type='address' address='127.0.0.1'/>
> </graphics>
> <graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1"
> sharePolicy="ignore">
>      <listen type='address' address='127.0.0.1'/>
> </graphics>
>
> But while testing I am not able to get expected results for
> allow-exclusive and ignore sharePolicy.
> For allow-exclusive sharePolicy previous connections are not getting
> dropped and console contents are getting shared among all open consoles.
> For ignore sharePolicy also contents are getting shared among all open
> consoles.
>
> I am using libvirt version 1.1.1 and qemu version is 1.5.0.

If libvirt is constructing the qemu command line properly (look for -vnc 
...,share=force-shared) then I'd say it's a qemu bug.

Michal
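
Added example, not part of the original message or of libvirt's own code: a Python check that compares the sharePolicy in a domain's XML with the share= sub-option on the QEMU command line, which is the comparison the reply suggests. The sample XML and command lines are constructed, and the check assumes a VNC graphics element without sharePolicy carries no expectation.

```python
import shlex
import xml.etree.ElementTree as ET

# The three sharePolicy values named in the thread.
VALID = {"allow-exclusive", "force-shared", "ignore"}

# Constructed sample inputs (not taken from a real host).
SAMPLE_XML = """<domain type='kvm'><devices>
  <graphics type='vnc' autoport='yes' listen='127.0.0.1' sharePolicy='allow-exclusive'/>
</devices></domain>"""
SAMPLE_OK = "qemu-system-x86_64 -name demo -vnc 127.0.0.1:0,share=allow-exclusive"
SAMPLE_BAD = "qemu-system-x86_64 -name demo -vnc 127.0.0.1:0"

def xml_policies(domain_xml):
    """sharePolicy of each <graphics type='vnc'> element (None if unset)."""
    root = ET.fromstring(domain_xml)
    return [g.get("sharePolicy") for g in root.iter("graphics")
            if g.get("type") == "vnc"]

def argv_policies(argv):
    """share= sub-option of each -vnc argument (None if absent)."""
    found = []
    for i, arg in enumerate(argv[:-1]):
        if arg == "-vnc":
            opts = argv[i + 1].split(",")[1:]  # first field is the display
            kv = dict(o.partition("=")[::2] for o in opts)
            found.append(kv.get("share"))
    return found

def check(domain_xml, cmdline):
    """Return a list of problems; empty means XML and command line agree."""
    want = xml_policies(domain_xml)
    got = argv_policies(shlex.split(cmdline))
    problems = []
    if len(want) != len(got):
        problems.append(f"{len(want)} VNC graphics in XML, {len(got)} -vnc args")
    for n, (w, g) in enumerate(zip(want, got)):
        if w is None:
            continue  # assumption: unset policy means nothing to verify
        if w not in VALID:
            problems.append(f"vnc[{n}]: unknown sharePolicy {w!r}")
        elif w != g:
            problems.append(f"vnc[{n}]: XML sharePolicy={w!r}, qemu share={g!r}")
    return problems

if __name__ == "__main__":
    print(check(SAMPLE_XML, SAMPLE_OK), check(SAMPLE_XML, SAMPLE_BAD))
```

An empty result means libvirt passed the configured policy through, so any remaining misbehaviour lies on the QEMU side.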



