Add tls_ciphers and use_vdagent options

Signed-off-by: Andrea Spadaccini <spadaccio@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>

diff --git a/lib/constants.py b/lib/constants.py
index c9e1c5c..dfb541a 100644 (file)
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -687,6 +687,8 @@ HV_KVM_SPICE_ZLIB_GLZ_IMG_COMPR = "spice_zlib_glz_wan_compression"
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION = "spice_streaming_video"
 HV_KVM_SPICE_AUDIO_COMPR = "spice_playback_compression"
 HV_KVM_SPICE_USE_TLS = "spice_use_tls"
+HV_KVM_SPICE_TLS_CIPHERS = "spice_tls_ciphers"
+HV_KVM_SPICE_USE_VDAGENT = "spice_use_vdagent"
 HV_ACPI = "acpi"
 HV_PAE = "pae"
 HV_USE_BOOTLOADER = "use_bootloader"
@@ -739,6 +741,8 @@ HVS_PARAMETER_TYPES = {
   HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: VTYPE_STRING,
   HV_KVM_SPICE_AUDIO_COMPR: VTYPE_BOOL,
   HV_KVM_SPICE_USE_TLS: VTYPE_BOOL,
+  HV_KVM_SPICE_TLS_CIPHERS: VTYPE_STRING,
+  HV_KVM_SPICE_USE_VDAGENT: VTYPE_BOOL,
   HV_ACPI: VTYPE_BOOL,
   HV_PAE: VTYPE_BOOL,
   HV_USE_BOOTLOADER: VTYPE_BOOL,
@@ -1365,6 +1369,8 @@ HVC_DEFAULTS = {
     HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: "",
     HV_KVM_SPICE_AUDIO_COMPR: True,
     HV_KVM_SPICE_USE_TLS: False,
+    HV_KVM_SPICE_TLS_CIPHERS: OPENSSL_CIPHERS,
+    HV_KVM_SPICE_USE_VDAGENT: True,
     HV_KVM_FLOPPY_IMAGE_PATH: "",
     HV_CDROM_IMAGE_PATH: "",
     HV_KVM_CDROM2_IMAGE_PATH: "",

diff --git a/lib/hypervisor/hv_kvm.py b/lib/hypervisor/hv_kvm.py
index ad7cc2d..2f1b67d 100644 (file)
--- a/lib/hypervisor/hv_kvm.py
+++ b/lib/hypervisor/hv_kvm.py
@@ -433,6 +433,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
         constants.HT_KVM_SPICE_VALID_VIDEO_STREAM_DETECTION_OPTIONS),
     constants.HV_KVM_SPICE_AUDIO_COMPR: hv_base.NO_CHECK,
     constants.HV_KVM_SPICE_USE_TLS: hv_base.NO_CHECK,
+    constants.HV_KVM_SPICE_TLS_CIPHERS: hv_base.NO_CHECK,
+    constants.HV_KVM_SPICE_USE_VDAGENT: hv_base.NO_CHECK,
     constants.HV_KVM_FLOPPY_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_CDROM_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
     constants.HV_KVM_CDROM2_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
@@ -1037,6 +1039,9 @@ class KVMHypervisor(hv_base.BaseHypervisor):
             instance.network_port, constants.SPICE_CACERT_FILE)
         spice_arg = "%s,x509-key-file=%s,x509-cert-file=%s" % (spice_arg,
             constants.SPICE_CERT_FILE, constants.SPICE_CERT_FILE)
+        tls_ciphers = hvp[constants.HV_KVM_SPICE_TLS_CIPHERS]
+        if tls_ciphers:
+          spice_arg = "%s,tls-ciphers=%s" % (spice_arg, tls_ciphers)
       else:
         spice_arg = "%s,port=%s" % (spice_arg, instance.network_port)
 
@@ -1065,6 +1070,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
       # Audio compression, by default in qemu-kvm it is on
       if not hvp[constants.HV_KVM_SPICE_AUDIO_COMPR]:
         spice_arg = "%s,playback-compression=off" % spice_arg
+      if not hvp[constants.HV_KVM_SPICE_USE_VDAGENT]:
+        spice_arg = "%s,agent-mouse=off" % spice_arg
 
       logging.info("KVM: SPICE will listen on port %s", instance.network_port)
       kvm_cmd.extend(["-spice", spice_arg])

diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst
index 16bf89b..9d88938 100644 (file)
--- a/man/gnt-instance.rst
+++ b/man/gnt-instance.rst
@@ -359,6 +359,17 @@ spice\_use\_tls
     Specifies that the SPICE server must use TLS to encrypt all the
     traffic with the client.
 
+spice\_tls\_ciphers
+    Valid for the KVM hypervisor.
+
+    Specifies a list of comma-separated ciphers that SPICE should use
+    for TLS connections. For the format, see man cipher(1).
+
+spice\_use\_vdagent
+    Valid for the KVM hypervisor.
+
+    Enables or disables passing mouse events via SPICE vdagent.
+
 acpi
     Valid for the Xen HVM and KVM hypervisors.