VM raw.qemu spice doesn't take password

LXD Support
1

Ubuntu focal
lxd git-7d7624d 25936 latest/edge

config:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20231010_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20231010_07:42"
  image.type: disk-kvm.img
  image.variant: desktop
  raw.qemu: -device virtio-vga -spice port=51010,addr=192.168.1.80,ipv4=on,disable-ticketing=off,password=XYZ
  volatile.base_image: c95913eb01576a7dc7fcfa11661e6d1794413aca2a88495b09db9e02e9862554
  volatile.cloud-init.instance-id: afefeade-b578-4f76-9223-210d7ad8d742
  volatile.eth0.hwaddr: 00:16:3e:1c:ee:80
  volatile.uuid: f75b268a-04f9-4498-89ed-0994edfff303
  volatile.uuid.generation: f75b268a-04f9-4498-89ed-0994edfff303
  volatile.vsock_id: "3344965123"
devices: {}
ephemeral: false
profiles:
- desk2
stateful: false
description: ""

Error: Failed to run: forklimits limit=memlock:unlimited:unlimited fd=3 fd=4 – /snap/lxd/25936/bin/qemu-system-x86_64 -S -name jam-desk -uuid f75b268a-04f9-4498-89ed-0994edfff303 -daemonize -cpu host -nographic -serial chardev:console -nodefaults -no-user-config -sandbox on,obsolete=deny,elevateprivileges=allow,spawn=allow,resourcecontrol=deny -readconfig /var/snap/lxd/common/lxd/logs/101_jam-desk/qemu.conf -spice unix=on,disable-ticketing=on,addr=/var/snap/lxd/common/lxd/logs/101_jam-desk/qemu.spice -pidfile /var/snap/lxd/common/lxd/logs/101_jam-desk/qemu.pid -D /var/snap/lxd/common/lxd/logs/101_jam-desk/qemu.log -smbios type=2,manufacturer=Canonical Ltd.,product=LXD -runas lxd -device virtio-vga -spice port=51010,addr=192.168.1.80,ipv4=on,disable-ticketing=off,password=XYZ: qemu-system-x86_64: -spice port=51010,addr=192.168.1.80,ipv4=on,disable-ticketing=off,password=XYZ: Invalid parameter 'password
: exit status 1

It previousely had worked with those parameters. I also have tried passwd=XYZ instead of password, same error occured.
By removing password from raw.qemu, instance can start without issues.

2

Qemu replacing plain password

Currently when using SPICE the “password” option provides the password
in plain text on the command line. This is insecure as it is visible
to all processes on the host. As an alternative, the password can be
provided separately via the monitor.
This introduces a “password-secret” option which lets the password be
provided up front.

Now there are 2 ways providing a password:

  1. Qemu monitor cli
  2. Inline on the command line

As for option 2, an object secret is created with an id.

Actual password is either provided directly on the command line as data
-object secret,id=secvnc0,data=ODc1MzkzMTk=,format=base64

or referred to a file (plain or AES-256)
-object secret,id=secvnc0,file=vnc-password.txt
-object secret,id=secmaster,file=masterkey.data,format=base64

or linux keyring
-object secret_keyring,id=secvnc0,serial=1729

In case of providing a password file, where can that file be placed to be visible/readable by qemu?