Hi All,
Greetings!!!

We are using the KVM hypervisor driver for running OpenStack IaaS. A couple of months 
back we reported one security issue [1] in OS.
Basically we want to limit on the number of vnc client connections that can be 
opened by users for a given VM.

From libvirt 1.0.6 version onwards share policy feature is supported to 
control the way consoles are accessed by the user.
Presently it is possible to configure share policy for vnc in 3 different ways:-
1. allow-exclusive, allows clients to ask for exclusive access by dropping 
other connections
2. force-share, This is the default value, It allows multiple clients to 
connect to the console in parallel sharing the same session
3. ignore, welcomes every connection unconditionally

In openstack nova for libvirt driver I am able to configure the sharePolicy 
value to graphics element of domain's xml.

<graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1" sharePolicy="force-shared">
    <listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1" sharePolicy="allow-exclusive">
    <listen type='address' address='127.0.0.1'/>
</graphics>
<graphics type="vnc" autoport="yes" keymap="en-us" listen="127.0.0.1" sharePolicy="ignore">
    <listen type='address' address='127.0.0.1'/>
</graphics>

But while testing I am not able to get expected results for allow-exclusive and 
ignore sharePolicy.
For allow-exclusive sharePolicy previous connections are not getting dropped 
and console contents are getting shared among all open consoles.
For ignore sharePolicy also contents are getting shared among all open consoles.

I am using libvirt version 1.1.1 and qemu version is 1.5.0.

We want to restrict only single authorized user to connect to the console 
dropping previously connected users automatically by using allow-exclusive 
sharePolicy.

Please let me know what else is required to get this working successfully.


[1] : https://bugs.launchpad.net/nova/+bug/1227575


Thanks,

Abhishek
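The following is an added example, not code from the post above, from Nova or from libvirt. It audits a libvirt domain XML document for VNC <graphics> elements whose sharePolicy attribute is missing, invalid, or not the policy an operator requires, and it can rewrite the XML to set the desired policy on every VNC console. The domain XML strings are constructed here for illustration; the element and attribute names (graphics, type, sharePolicy, listen) and the three policy values are the ones libvirt documents. One caveat for anyone relying on allow-exclusive: it only lets a VNC client ask for exclusive access (QEMU drops other connections when a client connects in non-shared mode), so clients that request a shared session will still share the console; this script checks the configured policy in the XML, not the behaviour seen at runtime.

```python
import xml.etree.ElementTree as ET

# Values libvirt accepts for <graphics type="vnc" sharePolicy="...">
VALID_POLICIES = {"allow-exclusive", "force-shared", "ignore"}

# Constructed sample: a minimal domain with one VNC console that shares
# the session among all connected clients.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>constructed-guest</name>
  <devices>
    <graphics type='vnc' autoport='yes' listen='127.0.0.1' sharePolicy='force-shared'>
      <listen type='address' address='127.0.0.1'/>
    </graphics>
  </devices>
</domain>
"""

# Constructed sample: a VNC console with no sharePolicy at all, plus a
# SPICE console that the audit must leave alone.
SAMPLE_DOMAIN_XML_NO_POLICY = """
<domain type='kvm'>
  <name>constructed-guest-2</name>
  <devices>
    <graphics type='spice' autoport='yes'/>
    <graphics type='vnc' autoport='yes' listen='127.0.0.1'/>
  </devices>
</domain>
"""


def audit_vnc_share_policy(domain_xml, required="allow-exclusive"):
    """Return (index, message) findings for every VNC <graphics> element whose
    sharePolicy is absent, not a valid libvirt value, or different from
    `required`. The index counts all <graphics> elements in document order.
    """
    root = ET.fromstring(domain_xml)
    findings = []
    for idx, graphics in enumerate(root.iter("graphics")):
        if graphics.get("type") != "vnc":
            continue  # only VNC consoles carry sharePolicy
        policy = graphics.get("sharePolicy")
        if policy is None:
            findings.append((idx, "sharePolicy not set on VNC graphics element"))
        elif policy not in VALID_POLICIES:
            findings.append((idx, f"invalid sharePolicy {policy!r}"))
        elif policy != required:
            findings.append((idx, f"sharePolicy is {policy!r}, expected {required!r}"))
    return findings


def enforce_vnc_share_policy(domain_xml, policy="allow-exclusive"):
    """Return the domain XML with `policy` set on every VNC <graphics> element.
    Non-VNC graphics devices are left untouched."""
    if policy not in VALID_POLICIES:
        raise ValueError(f"unknown sharePolicy {policy!r}")
    root = ET.fromstring(domain_xml)
    for graphics in root.iter("graphics"):
        if graphics.get("type") == "vnc":
            graphics.set("sharePolicy", policy)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, xml in (("shared", SAMPLE_DOMAIN_XML),
                       ("no-policy", SAMPLE_DOMAIN_XML_NO_POLICY)):
        print(label, audit_vnc_share_policy(xml))
        fixed = enforce_vnc_share_policy(xml)
        print(label, "after enforce:", audit_vnc_share_policy(fixed))
```

In a Nova deployment the same two functions could be run over the XML the libvirt driver generates before the domain is defined, or over `virsh dumpxml` output of running guests, so that any console not carrying the required policy is reported rather than silently left shared.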

