Add tls_ciphers and use_vdagent options

Signed-off-by: Andrea Spadaccini <spadaccio@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>

diff --git a/lib/constants.py b/lib/constants.py
index c9e1c5c..dfb541a 100644 (file)
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -687,6 +687,8 @@ HV_KVM_SPICE_ZLIB_GLZ_IMG_COMPR = "spice_zlib_glz_wan_compression"
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION = "spice_streaming_video"
 HV_KVM_SPICE_AUDIO_COMPR = "spice_playback_compression"
 HV_KVM_SPICE_USE_TLS = "spice_use_tls"
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION = "spice_streaming_video"
 HV_KVM_SPICE_AUDIO_COMPR = "spice_playback_compression"
 HV_KVM_SPICE_USE_TLS = "spice_use_tls"

+HV_KVM_SPICE_TLS_CIPHERS = "spice_tls_ciphers"
+HV_KVM_SPICE_USE_VDAGENT = "spice_use_vdagent"

 HV_ACPI = "acpi"
 HV_PAE = "pae"
 HV_USE_BOOTLOADER = "use_bootloader"
 HV_ACPI = "acpi"
 HV_PAE = "pae"
 HV_USE_BOOTLOADER = "use_bootloader"

@@ -739,6 +741,8 @@ HVS_PARAMETER_TYPES = {
   HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: VTYPE_STRING,
   HV_KVM_SPICE_AUDIO_COMPR: VTYPE_BOOL,
   HV_KVM_SPICE_USE_TLS: VTYPE_BOOL,
   HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: VTYPE_STRING,
   HV_KVM_SPICE_AUDIO_COMPR: VTYPE_BOOL,
   HV_KVM_SPICE_USE_TLS: VTYPE_BOOL,

+  HV_KVM_SPICE_TLS_CIPHERS: VTYPE_STRING,
+  HV_KVM_SPICE_USE_VDAGENT: VTYPE_BOOL,

   HV_ACPI: VTYPE_BOOL,
   HV_PAE: VTYPE_BOOL,
   HV_USE_BOOTLOADER: VTYPE_BOOL,
   HV_ACPI: VTYPE_BOOL,
   HV_PAE: VTYPE_BOOL,
   HV_USE_BOOTLOADER: VTYPE_BOOL,

@@ -1365,6 +1369,8 @@ HVC_DEFAULTS = {
     HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: "",
     HV_KVM_SPICE_AUDIO_COMPR: True,
     HV_KVM_SPICE_USE_TLS: False,
     HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: "",
     HV_KVM_SPICE_AUDIO_COMPR: True,
     HV_KVM_SPICE_USE_TLS: False,

+    HV_KVM_SPICE_TLS_CIPHERS: OPENSSL_CIPHERS,
+    HV_KVM_SPICE_USE_VDAGENT: True,

     HV_KVM_FLOPPY_IMAGE_PATH: "",
     HV_CDROM_IMAGE_PATH: "",
     HV_KVM_CDROM2_IMAGE_PATH: "",
     HV_KVM_FLOPPY_IMAGE_PATH: "",
     HV_CDROM_IMAGE_PATH: "",
     HV_KVM_CDROM2_IMAGE_PATH: "",

diff --git a/lib/hypervisor/hv_kvm.py b/lib/hypervisor/hv_kvm.py
index ad7cc2d..2f1b67d 100644 (file)
--- a/lib/hypervisor/hv_kvm.py
+++ b/lib/hypervisor/hv_kvm.py
@@ -433,6 +433,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
         constants.HT_KVM_SPICE_VALID_VIDEO_STREAM_DETECTION_OPTIONS),
     constants.HV_KVM_SPICE_AUDIO_COMPR: hv_base.NO_CHECK,
     constants.HV_KVM_SPICE_USE_TLS: hv_base.NO_CHECK,
         constants.HT_KVM_SPICE_VALID_VIDEO_STREAM_DETECTION_OPTIONS),
     constants.HV_KVM_SPICE_AUDIO_COMPR: hv_base.NO_CHECK,
     constants.HV_KVM_SPICE_USE_TLS: hv_base.NO_CHECK,

+    constants.HV_KVM_SPICE_TLS_CIPHERS: hv_base.NO_CHECK,
+    constants.HV_KVM_SPICE_USE_VDAGENT: hv_base.NO_CHECK,

     constants.HV_KVM_FLOPPY_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_CDROM_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_KVM_CDROM2_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_KVM_FLOPPY_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_CDROM_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_KVM_CDROM2_IMAGE_PATH: hv_base.OPT_FILE_CHECK,

@@ -1037,6 +1039,9 @@ class KVMHypervisor(hv_base.BaseHypervisor):
             instance.network_port, constants.SPICE_CACERT_FILE)
         spice_arg = "%s,x509-key-file=%s,x509-cert-file=%s" % (spice_arg,
             constants.SPICE_CERT_FILE, constants.SPICE_CERT_FILE)
             instance.network_port, constants.SPICE_CACERT_FILE)
         spice_arg = "%s,x509-key-file=%s,x509-cert-file=%s" % (spice_arg,
             constants.SPICE_CERT_FILE, constants.SPICE_CERT_FILE)

+        tls_ciphers = hvp[constants.HV_KVM_SPICE_TLS_CIPHERS]
+        if tls_ciphers:
+          spice_arg = "%s,tls-ciphers=%s" % (spice_arg, tls_ciphers)

       else:
         spice_arg = "%s,port=%s" % (spice_arg, instance.network_port)
 
       else:
         spice_arg = "%s,port=%s" % (spice_arg, instance.network_port)
 

@@ -1065,6 +1070,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
       # Audio compression, by default in qemu-kvm it is on
       if not hvp[constants.HV_KVM_SPICE_AUDIO_COMPR]:
         spice_arg = "%s,playback-compression=off" % spice_arg
       # Audio compression, by default in qemu-kvm it is on
       if not hvp[constants.HV_KVM_SPICE_AUDIO_COMPR]:
         spice_arg = "%s,playback-compression=off" % spice_arg

+      if not hvp[constants.HV_KVM_SPICE_USE_VDAGENT]:
+        spice_arg = "%s,agent-mouse=off" % spice_arg

 
       logging.info("KVM: SPICE will listen on port %s", instance.network_port)
       kvm_cmd.extend(["-spice", spice_arg])
 
       logging.info("KVM: SPICE will listen on port %s", instance.network_port)
       kvm_cmd.extend(["-spice", spice_arg])

diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst
index 16bf89b..9d88938 100644 (file)
--- a/man/gnt-instance.rst
+++ b/man/gnt-instance.rst
@@ -359,6 +359,17 @@ spice\_use\_tls
     Specifies that the SPICE server must use TLS to encrypt all the
     traffic with the client.
 
     Specifies that the SPICE server must use TLS to encrypt all the
     traffic with the client.
 

+spice\_tls\_ciphers
+    Valid for the KVM hypervisor.
+
+    Specifies a list of comma-separated ciphers that SPICE should use
+    for TLS connections. For the format, see man cipher(1).
+
+spice\_use\_vdagent
+    Valid for the KVM hypervisor.
+
+    Enables or disables passing mouse events via SPICE vdagent.
+

 acpi
     Valid for the Xen HVM and KVM hypervisors.
 
 acpi
     Valid for the Xen HVM and KVM hypervisors.