On 9/10/23 13:00, Kamil Jońca wrote:
> (Posted a few days ago on qemu group but no reactions)
>
> Do I understand correctly that ssl should be configured independently
> for libvirt and each hypervisor?
> I asked because I configured libvirt connection as
>
> qemu+tls://bambus.kjonca/system?pkipath=...

This is a libvirt connection. It specifies how libvirt APIs are passed between client and server.

>
> (and on bambus in /etc/libvirt/libvirtd.conf) I set
> key_file = ...
> cert_file = ...
> ca_file = ...
>
> But after connect and launching (on bambus) vm I tried to sniff traffic to
> bambus:5900 on client) and wireshark was able to detect "VNC"\

This is the graphical console connection. It's independent of the libvirt connection (libvirt does not wrap this inside a libvirt connection). There were some discussions about this IIRC, but the problem is: while libvirt's RPC has support for streaming data between host and client, it does not allow multiplexing (i.e. packing multiple streams into a single channel). That's why it's not used for the graphical console, which typically requires more connections. BUT it can be used for "simpler" - serial consoles (virsh console).

> protocol (BTW not spice?), so I am confused.

Maybe you configured VNC for your guest?

> should I configure in /etc/libvirt/qemu.conf
>
> spice_tls option and certificates ?

Correct. This is the route you want to go. But since you configured your guest to use VNC then you want to set vnc_tls* in qemu.conf.

Michal
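
A check for the situation discussed above, added here as an example and not part of the original thread or of libvirt itself: it reads a domain's XML and the text of qemu.conf and lists graphics consoles that listen on a non-loopback address without TLS, independently of how the libvirt connection is secured. The sample configuration, the sample domain and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from the thread.
QEMU_CONF = '#vnc_tls = 1\nspice_tls = 1\nvnc_listen = "0.0.0.0"\n'
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <graphics type='vnc' port='5900'/>
    <graphics type='spice' tlsPort='5902' defaultMode='secure' listen='0.0.0.0'/>
  </devices>
</domain>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_qemu_conf(text):
    """Return the uncommented key = value settings of a qemu.conf file."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+?)\s*$', line)  # '#' lines never match
        if m:
            settings[m.group(1)] = m.group(2).strip('"')
    return settings

def listen_address(graphics, conf):
    """Address from <listen type='address'>, the listen attribute, or qemu.conf."""
    child = graphics.find("listen[@type='address']")
    if child is not None and child.get("address"):
        return child.get("address")
    default = conf.get(graphics.get("type") + "_listen", "127.0.0.1")
    return graphics.get("listen") or default

def plaintext_consoles(domain_xml, conf_text):
    """List (type, address, port) of network-reachable consoles without TLS."""
    conf = parse_qemu_conf(conf_text)
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        gtype = g.get("type")
        if gtype not in ("vnc", "spice"):
            continue
        addr = listen_address(g, conf)
        if addr in LOOPBACK:
            continue  # not reachable from the network
        tls_on = conf.get(gtype + "_tls") == "1"
        # SPICE still accepts plaintext channels unless defaultMode='secure'.
        if gtype == "spice" and g.get("defaultMode") != "secure":
            tls_on = False
        if not tls_on:
            findings.append((gtype, addr, g.get("port")))
    return findings

if __name__ == "__main__":
    print(plaintext_consoles(DOMAIN_XML, QEMU_CONF))
```
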