[Qemu-devel] VNC Password

[Qemu-devel] VNC Password

[Volkan YAZICI]

Hi,

I use "-monitor stdio -vnc localhost:1" arguments to start qemu from
command line and connect to the related qemu instance using a vnc
viewer. Despite I know it's possible to use something like "-vnc
localhost:1,password=foo", I don't want to type password in the command
line. (Neither using "change vnc password" in the qemu command line is
very practical when you're starting related qemu instance as a daemon.)
How can I make vnc read password from a file?

BTW, is vnc option poorly documented or I'm missing something? I checked
this[1] and this[2] but none supplied a useful information.
Documentation pointers are welcome too.


Regards.

[1] http://bellard.org/qemu/qemu-doc.html
[2] http://calamari.reverse-dns.net:980/cgi-bin/moin.cgi/VNCusage

Re: [Qemu-devel] VNC Password

[Daniel P. Berrange]

On Thu, Oct 23, 2008 at 01:24:38PM +0300, Volkan YAZICI wrote:
> Hi,
> 
> I use "-monitor stdio -vnc localhost:1" arguments to start qemu from
> command line and connect to the related qemu instance using a vnc
> viewer. Despite I know it's possible to use something like "-vnc
> localhost:1,password=foo", I don't want to type password in the command
> line. (Neither using "change vnc password" in the qemu command line is
> very practical when you're starting related qemu instance as a daemon.)
> How can I make vnc read password from a file?

If you want daemonized instances, and wish to use the monitor, then
rather than using '-monitor stdio', it'd be better to have it connect
to something like a UNIX socket, eg

   -monitor unix:/var/run/qemu/mysock,server -vnc localhost:1,password

Then, you can have a simple command line tool to send & receive
individual monitor commands via that socket. 

> BTW, is vnc option poorly documented or I'm missing something? I checked
> this[1] and this[2] but none supplied a useful information.
> Documentation pointers are welcome too.
> 
> 
> Regards.
> 
> [1] http://bellard.org/qemu/qemu-doc.html

Take a look at

  "3.10 VNC security"

  http://bellard.org/qemu/qemu-doc.html#SEC36

There's also some docs under

  "3.3 Invocation"

  http://bellard.org/qemu/qemu-doc.html#SEC10

Regards,
Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

[Qemu-devel] Re: VNC Password

[Volkan YAZICI]

On Thu, 23 Oct 2008, "Daniel P. Berrange" <berrange@redhat.com> writes:
> If you want daemonized instances, and wish to use the monitor, then
> rather than using '-monitor stdio', it'd be better to have it connect
> to something like a UNIX socket, eg
>
>    -monitor unix:/var/run/qemu/mysock,server

Excuse my ignorance, but when I use above command, qemu types "QEMU
waiting for connection on: /var/run/qemu/monitor.preprod" on the command
line and hangs at that state. Is this something expected? If so how can
I connect to it or make it drop into qemu command line?

(BTW, while doing above things, I'm in the console and X and any other X
relevant parts are totally closed.)

> -vnc localhost:1,password

I used "-vnc localhost:1". While I can see qemu-system-x86 listens on
port 5901

  $ nc 192.168.1.10 5901
  (UNKNOWN) [192.168.1.10] 5901 (?) : Connection refused


Regards.

Re: [Qemu-devel] Re: VNC Password

[Gerd Hoffmann]

Volkan YAZICI wrote:
> On Thu, 23 Oct 2008, "Daniel P. Berrange" <berrange@redhat.com> writes:
>> If you want daemonized instances, and wish to use the monitor, then
>> rather than using '-monitor stdio', it'd be better to have it connect
>> to something like a UNIX socket, eg
>>
>>    -monitor unix:/var/run/qemu/mysock,server
> 
> Excuse my ignorance, but when I use above command, qemu types "QEMU
> waiting for connection on: /var/run/qemu/monitor.preprod" on the command
> line and hangs at that state. Is this something expected?

Yes.  If you don't want that, add ",nowait".

>> -vnc localhost:1,password
> 
> I used "-vnc localhost:1". While I can see qemu-system-x86 listens on
> port 5901
> 
>   $ nc 192.168.1.10 5901
>   (UNKNOWN) [192.168.1.10] 5901 (?) : Connection refused

Try "nc localhost:5001" instead.  Qemu listens on the loopback interface
only if you specify display "localhost:1".  netstat should show that.

cheers,
  Gerd

[Qemu-devel] Re: VNC Password

[Volkan YAZICI]

On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
> Volkan YAZICI wrote:
>> On Thu, 23 Oct 2008, "Daniel P. Berrange" <berrange@redhat.com> writes:
>>> If you want daemonized instances, and wish to use the monitor, then
>>> rather than using '-monitor stdio', it'd be better to have it connect
>>> to something like a UNIX socket, eg
>>>
>>>    -monitor unix:/var/run/qemu/mysock,server
>> 
>> Excuse my ignorance, but when I use above command, qemu types "QEMU
>> waiting for connection on: /var/run/qemu/monitor.preprod" on the command
>> line and hangs at that state. Is this something expected?
>
> Yes.  If you don't want that, add ",nowait".

This time it complains with an interesting error message:

  # rlwrap /usr/local/sbin/qemu-preprod
  qemu: could not open monitor device 'unix:/var/run/qemu/preprod.monitor,nowait'

  # ls -l /var/run/qemu/preprod.monitor
  -rw-r--r-- 1 root root 0 2008-10-23 14:56 /var/run/qemu/preprod.monitor

BTW, how can I connect to the monitor session -- if I can get it right
at last -- that will be pointed by /var/run/qemu/preprod.monitor?
  
> Try "nc localhost:5001" instead.  Qemu listens on the loopback interface
> only if you specify display "localhost:1".  netstat should show that.

Umm... Actually, no. I can see it listens on 5901.


Regards.

Re: [Qemu-devel] Re: VNC Password

[Gerd Hoffmann]

Volkan YAZICI wrote:
> This time it complains with an interesting error message:
> 
>   # rlwrap /usr/local/sbin/qemu-preprod
>   qemu: could not open monitor device 'unix:/var/run/qemu/preprod.monitor,nowait'

You need both server and nowait.

> BTW, how can I connect to the monitor session -- if I can get it right
> at last -- that will be pointed by /var/run/qemu/preprod.monitor?

netcat can connect to unix sockets.

>> Try "nc localhost:5001" instead.  Qemu listens on the loopback interface
>> only if you specify display "localhost:1".  netstat should show that.
> 
> Umm... Actually, no. I can see it listens on 5901.

like this?

[root@zweiblum ~]# netstat -tna | grep 5900
tcp        0      0 127.0.0.1:5900   0.0.0.0:*     LISTEN
                    ^^^^^^^^^
                    this is the address of the loopback interface
                    aka 'localhost'

cheers,
  Gerd

Re: [Qemu-devel] Re: VNC Password

[Anthony Liguori]

[-- Attachment #1: Type: text/plain, Size: 1673 bytes --]

Volkan YAZICI wrote:
> On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
>   
>> Volkan YAZICI wrote:
>>     
>>> On Thu, 23 Oct 2008, "Daniel P. Berrange" <berrange@redhat.com> writes:
>>>       
>>>> If you want daemonized instances, and wish to use the monitor, then
>>>> rather than using '-monitor stdio', it'd be better to have it connect
>>>> to something like a UNIX socket, eg
>>>>
>>>>    -monitor unix:/var/run/qemu/mysock,server
>>>>         
>>> Excuse my ignorance, but when I use above command, qemu types "QEMU
>>> waiting for connection on: /var/run/qemu/monitor.preprod" on the command
>>> line and hangs at that state. Is this something expected?
>>>       
>> Yes.  If you don't want that, add ",nowait".
>>     
>
> This time it complains with an interesting error message:
>
>   # rlwrap /usr/local/sbin/qemu-preprod
>   qemu: could not open monitor device 'unix:/var/run/qemu/preprod.monitor,nowait'
>   

You need unix:/var/run/qemu/preprod.monitor,server,nowait

I use the following program to send commands to the monitor.  You would 
use it like:

$ qemu-remote /var/run/qemu/preprod.monitor help

Regards,

Anthony Liguori

>   # ls -l /var/run/qemu/preprod.monitor
>   -rw-r--r-- 1 root root 0 2008-10-23 14:56 /var/run/qemu/preprod.monitor
>
> BTW, how can I connect to the monitor session -- if I can get it right
> at last -- that will be pointed by /var/run/qemu/preprod.monitor?
>   
>   
>> Try "nc localhost:5001" instead.  Qemu listens on the loopback interface
>> only if you specify display "localhost:1".  netstat should show that.
>>     
>
> Umm... Actually, no. I can see it listens on 5901.
>
>
> Regards.
>
>
>   


[-- Attachment #2: qemu-remote --]
[-- Type: text/plain, Size: 576 bytes --]

#!/usr/bin/env python

import socket, sys

if len(sys.argv) < 2:
    print 'Usage: %s SOCKET' % sys.argv[1]
    sys.exit(1)

s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
s.connect(sys.argv[1])
s.sendall('%s\n' % ' '.join(sys.argv[2:]))

buf = ''
while not buf.endswith('\n(qemu) '):
    buf += s.recv(1)

noend = False
buf = ''
while not buf.endswith('\n(qemu) '):
    t = s.recv(1)
    if len(t) == 0:
        noend = True
        break
    buf += t

if not noend:
    buf = buf[:-7]

_, buf = buf.split('\n', 1)

sys.stdout.write(buf)
sys.stdout.flush()

s.close()

Re: [Qemu-devel] VNC Password

[Gerd Hoffmann]

> I use "-monitor stdio -vnc localhost:1" arguments to start qemu from
> command line and connect to the related qemu instance using a vnc
> viewer. Despite I know it's possible to use something like "-vnc
> localhost:1,password=foo", I don't want to type password in the command
> line. (Neither using "change vnc password" in the qemu command line is
> very practical when you're starting related qemu instance as a daemon.)

<shameless plug>
You might want to check out http://dl.bytesex.org/releases/qemu-gtk/
then.  It can deal with "-vnc $host:$display,password" just fine.  Sets
a random password via monitor, then connects to the vnc server using the
password just set.  Password is never stored anywhere, it sets a new
random one each time you start the ui to see the screen of your VM.
</shameless plug>

cheers,
  Gerd

[Qemu-devel] Re: VNC Password

[Volkan YAZICI]

On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
> <shameless plug>
> You might want to check out http://dl.bytesex.org/releases/qemu-gtk/
> then.  It can deal with "-vnc $host:$display,password" just fine.  Sets
> a random password via monitor, then connects to the vnc server using the
> password just set.  Password is never stored anywhere, it sets a new
> random one each time you start the ui to see the screen of your VM.
> </shameless plug>

That's not something I'd want to use while I'm trying to get rid of any
kind of X dependencies.


Regards.

Re: [Qemu-devel] Re: VNC Password

[Gerd Hoffmann]

Volkan YAZICI wrote:
> On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
>> <shameless plug>
>> You might want to check out http://dl.bytesex.org/releases/qemu-gtk/
>> then.  It can deal with "-vnc $host:$display,password" just fine.  Sets
>> a random password via monitor, then connects to the vnc server using the
>> password just set.  Password is never stored anywhere, it sets a new
>> random one each time you start the ui to see the screen of your VM.
>> </shameless plug>
> 
> That's not something I'd want to use while I'm trying to get rid of any
> kind of X dependencies.

qemu-gtk can handle that remotely too.  monitor must listen on tcp then
though, which you might not want to do for security reasons ...

Back to the original question: read password from file isn't implemented
as far I know.

cheers,
  Gerd

Re: [Qemu-devel] Re: VNC Password

[François Revol]

> Volkan YAZICI wrote:
> > On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
> >> <shameless plug>
> >> You might want to check out http://dl.bytesex.org/releases/qemu-gtk/
> > > > >> then.  It can deal with "-vnc $host:$display,password" just fine.
> > > Sets
> >> a random password via monitor, then connects to the vnc server
> > > using the
> >> password just set.  Password is never stored anywhere, it sets a
> > > new
> >> random one each time you start the ui to see the screen of your
> > > VM.
> >> </shameless plug>
> >
> > That's not something I'd want to use while I'm trying to get rid of
> > any
> > kind of X dependencies.
>
> qemu-gtk can handle that remotely too.  monitor must listen on tcp
> then
> though, which you might not want to do for security reasons ...
>
> Back to the original question: read password from file isn't
> implemented
> as far I know.

When I want to specify passwords on command line I usually do something
like:

read p
qemu ...,$p

That makes sure it's not stored in the history.

You can as well use read p < afile

If you really don't want to have the string as part of the environment
you can try command substitution...

qemu ...,$(cat afile)

Alike, the real password won't be stored inthe history.

man bash should help :)

François.

Re: [Qemu-devel] Re: VNC Password

[Laurent Vivier]

Le jeudi 23 octobre 2008 à 17:10 +0200, François Revol a écrit :
> > Volkan YAZICI wrote:
> > > On Thu, 23 Oct 2008, Gerd Hoffmann <kraxel@redhat.com> writes:
> > >> <shameless plug>
> > >> You might want to check out http://dl.bytesex.org/releases/qemu-gtk/
> > > > > >> then.  It can deal with "-vnc $host:$display,password" just fine.  
> > > > Sets
> > >> a random password via monitor, then connects to the vnc server 
> > > > using the
> > >> password just set.  Password is never stored anywhere, it sets a 
> > > > new
> > >> random one each time you start the ui to see the screen of your 
> > > > VM.
> > >> </shameless plug>
> > > 
> > > That's not something I'd want to use while I'm trying to get rid of 
> > > any
> > > kind of X dependencies.
> > 
> > qemu-gtk can handle that remotely too.  monitor must listen on tcp 
> > then
> > though, which you might not want to do for security reasons ...
> > 
> > Back to the original question: read password from file isn't 
> > implemented
> > as far I know.
> 
> When I want to specify passwords on command line I usually do something 
> like:
> 
> read p
> qemu ...,$p
> 
> That makes sure it's not stored in the history.

but everyone can see it with a "ps -ef".

> You can as well use read p < afile
> 
> If you really don't want to have the string as part of the environment 
> you can try command substitution...
> 
> qemu ...,$(cat afile)

ditto

> Alike, the real password won't be stored inthe history.
> 
> man bash should help :)
> 
> François.
> 
> 
> 
-- 
------------------ Laurent.Vivier@bull.net  ------------------
"Tout ce qui est impossible reste à accomplir"    Jules Verne
"Things are only impossible until they're not" Jean-Luc Picard

Re: [Qemu-devel] Re: VNC Password

[François Revol]

> > When I want to specify passwords on command line I usually do
> > something
> > like:
> >
> > read p
> > qemu ...,$p
> >
> > That makes sure it's not stored in the history.
>
> but everyone can see it with a "ps -ef".

Wait, you mean you're not alone on your own box ?
Indeed, won't work that way...

I suppose you won't work around adding some code then.

François.

Re: [Qemu-devel] Re: VNC Password

[Jamie Lokier]

François Revol wrote:
> > > read p
> > > qemu ...,$p
> > >
> > > That makes sure it's not stored in the history.
> >
> > but everyone can see it with a "ps -ef".
> 
> Wait, you mean you're not alone on your own box ?
> Indeed, won't work that way...

If you were alone, you wouldn't need a VNC password...

-- Jamie

Re: [Qemu-devel] Re: VNC Password

[François Revol]

> François Revol wrote:
> > > > read p
> > > > qemu ...,$p
> > > >
> > > > That makes sure it's not stored in the history.
> > >
> > > but everyone can see it with a "ps -ef".
> >
> > Wait, you mean you're not alone on your own box ?
> > Indeed, won't work that way...
>
> If you were alone, you wouldn't need a VNC password...

You can be alone on your box in a dangerous network...

Anyway.

François.

Re: [Qemu-devel] Re: VNC Password

[Gerd Hoffmann]

François Revol wrote:
>> François Revol wrote:
>>>>> read p
>>>>> qemu ...,$p
>>>>>
>>>>> That makes sure it's not stored in the history.
>>>> but everyone can see it with a "ps -ef".
>>> Wait, you mean you're not alone on your own box ?
>>> Indeed, won't work that way...
>> If you were alone, you wouldn't need a VNC password...
> 
> You can be alone on your box in a dangerous network...

You can bind to localhost then.

cheers,
  Gerd