diff --git a/lib/constants.py b/lib/constants.py
index c9e1c5c7f3566b506e21c487cbb58752d4ef8030..dfb541a75b3563c64a93531d75963d45d0648f04 100644
--- a/lib/constants.py
+++ b/lib/constants.py
@@ -687,6 +687,8 @@ HV_KVM_SPICE_ZLIB_GLZ_IMG_COMPR = "spice_zlib_glz_wan_compression"
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION = "spice_streaming_video"
 HV_KVM_SPICE_AUDIO_COMPR = "spice_playback_compression"
 HV_KVM_SPICE_USE_TLS = "spice_use_tls"
+HV_KVM_SPICE_TLS_CIPHERS = "spice_tls_ciphers"
+HV_KVM_SPICE_USE_VDAGENT = "spice_use_vdagent"
 HV_ACPI = "acpi"
 HV_PAE = "pae"
 HV_USE_BOOTLOADER = "use_bootloader"
@@ -739,6 +741,8 @@ HVS_PARAMETER_TYPES = {
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: VTYPE_STRING,
 HV_KVM_SPICE_AUDIO_COMPR: VTYPE_BOOL,
 HV_KVM_SPICE_USE_TLS: VTYPE_BOOL,
+ HV_KVM_SPICE_TLS_CIPHERS: VTYPE_STRING,
+ HV_KVM_SPICE_USE_VDAGENT: VTYPE_BOOL,
 HV_ACPI: VTYPE_BOOL,
 HV_PAE: VTYPE_BOOL,
 HV_USE_BOOTLOADER: VTYPE_BOOL,
@@ -1365,6 +1369,8 @@ HVC_DEFAULTS = {
 HV_KVM_SPICE_STREAMING_VIDEO_DETECTION: "",
 HV_KVM_SPICE_AUDIO_COMPR: True,
 HV_KVM_SPICE_USE_TLS: False,
+ HV_KVM_SPICE_TLS_CIPHERS: OPENSSL_CIPHERS,
+ HV_KVM_SPICE_USE_VDAGENT: True,
 HV_KVM_FLOPPY_IMAGE_PATH: "",
 HV_CDROM_IMAGE_PATH: "",
 HV_KVM_CDROM2_IMAGE_PATH: "",
diff --git a/lib/hypervisor/hv_kvm.py b/lib/hypervisor/hv_kvm.py
index ad7cc2d33f8d49ccdf83b04eb029823d54cd130e..2f1b67dbffa06745ae34fcf62725a2e6d9946b9f 100644
--- a/lib/hypervisor/hv_kvm.py
+++ b/lib/hypervisor/hv_kvm.py
@@ -433,6 +433,8 @@ class KVMHypervisor(hv_base.BaseHypervisor):
 constants.HT_KVM_SPICE_VALID_VIDEO_STREAM_DETECTION_OPTIONS),
 constants.HV_KVM_SPICE_AUDIO_COMPR: hv_base.NO_CHECK,
 constants.HV_KVM_SPICE_USE_TLS: hv_base.NO_CHECK,
+ constants.HV_KVM_SPICE_TLS_CIPHERS: hv_base.NO_CHECK,
+ constants.HV_KVM_SPICE_USE_VDAGENT: hv_base.NO_CHECK,
 constants.HV_KVM_FLOPPY_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
 constants.HV_CDROM_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
 constants.HV_KVM_CDROM2_IMAGE_PATH: hv_base.OPT_FILE_CHECK,
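Review bot: `constants.HV_KVM_SPICE_TLS_CIPHERS: hv_base.NO_CHECK` accepts any string, and the later hunk in this file appends that value verbatim with `"%s,tls-ciphers=%s" % (spice_arg, tls_ciphers)` into the comma-delimited `-spice` option string. A value containing a comma would therefore be parsed by qemu as further `-spice` options instead of as part of the cipher list, and the man page hunk in this commit describes the format as comma-separated, which invites exactly that input. I would replace `NO_CHECK` with a syntax check that accepts only the characters of a colon-separated OpenSSL cipher string and rejects commas and whitespace, and reword the man page entry to colon-separated (the OpenSSL page is ciphers(1)). The parameter dict this entry belongs to starts and ends outside the hunk.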
@@ -1037,6 +1039,9 @@ class KVMHypervisor(hv_base.BaseHypervisor): instance.network_port, constants.SPICE_CACERT_FILE) spice_arg = "%s,x509-key-file=%s,x509-cert-file=%s" % (spice_arg, constants.SPICE_CERT_FILE, constants.SPICE_CERT_FILE) + tls_ciphers = hvp[constants.HV_KVM_SPICE_TLS_CIPHERS] + if tls_ciphers: + spice_arg = "%s,tls-ciphers=%s" % (spice_arg, tls_ciphers) else: spice_arg = "%s,port=%s" % (spice_arg, instance.network_port) @@ -1065,6 +1070,8 @@ class KVMHypervisor(hv_base.BaseHypervisor): # Audio compression, by default in qemu-kvm it is on if not hvp[constants.HV_KVM_SPICE_AUDIO_COMPR]: spice_arg = "%s,playback-compression=off" % spice_arg + if not hvp[constants.HV_KVM_SPICE_USE_VDAGENT]: + spice_arg = "%s,agent-mouse=off" % spice_arg logging.info("KVM: SPICE will listen on port %s", instance.network_port) kvm_cmd.extend(["-spice", spice_arg]) diff --git a/man/gnt-instance.rst b/man/gnt-instance.rst index 16bf89baf7522e4b0da5feb4b25c401f3b275596..9d88938d025346389c45a5543a2647a129cab3fe 100644 --- a/man/gnt-instance.rst +++ b/man/gnt-instance.rst @@ -359,6 +359,17 @@ spice\_use\_tls Specifies that the SPICE server must use TLS to encrypt all the traffic with the client. +spice\_tls\_ciphers + Valid for the KVM hypervisor. + + Specifies a list of comma-separated ciphers that SPICE should use + for TLS connections. For the format, see man cipher(1). + +spice\_use\_vdagent + Valid for the KVM hypervisor. + + Enables or disables passing mouse events via SPICE vdagent. + acpi Valid for the Xen HVM and KVM hypervisors.
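Review bot: The added `agent-mouse=off` branch carries no comment, unlike the audio-compression branch directly above it, and the parameter name `spice_use_vdagent` reads broader than what the code does. As far as this hunk shows, setting it to false only switches off mouse events through the agent and nothing here adds or removes a vdagent channel, so an operator who disables it to cut guest-agent features should not assume more than that. I would add `# Mouse events via vdagent; on by default in qemu-kvm, this only switches agent-mouse off` above the `if`. The enclosing method starts and ends outside the hunk.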