Re: Question about encryption and tls

On 9/10/23 13:00, Kamil Jońca wrote:
> (Posted a few days ago on the qemu group but no reactions)
> Do I understand correctly that ssl should be configured independently
> for libvirt and each hypervisor?
> I asked because I configured libvirt connection as
> qemu+tls://bambus.kjonca/system?pkipath=...

This is a libvirt connection. It specifies how libvirt APIs are passed
between client and server.

> (and on bambus in /etc/libvirt/libvirtd.conf) I set
> key_file = ...
> cert_file = ...
> ca_file = ...
> But after connecting and launching (on bambus) a VM I tried to sniff traffic to
>  bambus:5900 (on client) and wireshark was able to detect "VNC"

This is a graphical console connection. It's independent of the libvirt
connection (libvirt does not wrap this inside a libvirt connection).
There were some discussions about this IIRC, but the problem is: while
libvirt's RPC has support for streaming data between host and client, it
does not allow multiplexing (i.e. packing multiple streams into a single
channel). That's why it's not used for the graphical console, which
typically requires more connections. BUT it can be used for "simpler"
serial consoles (virsh console).

>  protocol (BTW not spice?), so I am confused.

Maybe you configured VNC for your guest?

> should I configure in /etc/libvirt/qemu.conf
> spice_tls option and certificates ?

Correct. This is the route you want to go. But since you configured your
guest to use VNC, you want to set vnc_tls* in qemu.conf.
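What the reply recommends, as an added shell example that is not part of this thread and not libvirt's own code: it reads a guest's `virsh dumpxml` output to see whether the console is VNC or SPICE, then checks whether the matching `*_tls` switch in qemu.conf is on and whether the x509 directory holds the files QEMU expects. It assumes the option names documented in the stock /etc/libvirt/qemu.conf (vnc_tls, vnc_tls_x509_cert_dir, vnc_tls_x509_verify, spice_tls, spice_tls_x509_cert_dir), their documented default directories /etc/pki/libvirt-vnc and /etc/pki/libvirt-spice, and the file names ca-cert.pem, server-cert.pem and server-key.pem; the sample domain XML and the two qemu.conf fragments (a weak one and a fixed one) are constructed for the example.

```shell
#!/bin/sh
# check-console-tls.sh: added example, not code from the thread or from libvirt.
# Assumes the option names documented in the stock /etc/libvirt/qemu.conf
# (vnc_tls, vnc_tls_x509_cert_dir, vnc_tls_x509_verify, spice_tls,
# spice_tls_x509_cert_dir) and the three file names QEMU reads from the
# x509 directory; the files built by make_samples are constructed input.

# Graphics types (vnc, spice) declared in a domain XML file, i.e. what
# `virsh dumpxml <domain>` prints.
graphics_types() {
    sed -n "s/.*<graphics[^>]*type='\([a-z]*\)'.*/\1/p" "$1" | sort -u
}

# True when a boolean qemu.conf option is uncommented and set to 1.
conf_enabled() {   # $1 = conf file, $2 = option name
    grep -Eq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*1[[:space:]]*\$" "$1"
}

# Value of a quoted string option, e.g. vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc".
conf_value() {     # $1 = conf file, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# True when the x509 directory holds what QEMU needs on the server side.
cert_dir_complete() {
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -f "$1/$f" ] || return 1
    done
}

# For every console type the guest uses, report whether it will be TLS-protected.
# Returns 1 if any console would still go out in the clear or is misconfigured.
check_console_tls() {   # $1 = qemu.conf, $2 = domain XML
    rc=0
    for t in $(graphics_types "$2"); do
        if conf_enabled "$1" "${t}_tls"; then
            dir=$(conf_value "$1" "${t}_tls_x509_cert_dir")
            [ -n "$dir" ] || dir="/etc/pki/libvirt-$t"   # documented default
            if cert_dir_complete "$dir"; then
                echo "$t: TLS on, certificates in $dir"
            else
                echo "$t: TLS on but $dir lacks ca-cert.pem/server-cert.pem/server-key.pem"
                rc=1
            fi
        else
            echo "$t: plaintext (${t}_tls not enabled in $1)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: one VNC guest, a weak qemu.conf and a fixed one.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/pki"
    for f in ca-cert.pem server-cert.pem server-key.pem; do : > "$d/pki/$f"; done
    cat > "$d/domain.xml" <<EOF
<domain type='kvm'>
  <name>guest</name>
  <devices>
    <graphics type='vnc' port='5900' autoport='no' listen='0.0.0.0'/>
  </devices>
</domain>
EOF
    # Weak: the switch is left at its commented-out default, so VNC is in the clear.
    cat > "$d/qemu-weak.conf" <<EOF
#vnc_tls = 1
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
EOF
    # Fixed: TLS on, certificate directory set, client certificates verified.
    cat > "$d/qemu-fixed.conf" <<EOF
vnc_tls = 1
vnc_tls_x509_cert_dir = "$d/pki"
vnc_tls_x509_verify = 1
EOF
    echo "$d"
}

demo() {
    d=$(make_samples)
    echo "guest graphics: $(graphics_types "$d/domain.xml")"
    echo "--- weak qemu.conf";  check_console_tls "$d/qemu-weak.conf" "$d/domain.xml"
    echo "--- fixed qemu.conf"; check_console_tls "$d/qemu-fixed.conf" "$d/domain.xml"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

`sh check-console-tls.sh demo` runs it against the constructed files; on a real host, `virsh dumpxml <domain> > /tmp/dom.xml` and then `check_console_tls /etc/libvirt/qemu.conf /tmp/dom.xml` (after sourcing the script) does the same for a live guest. qemu.conf is read when the daemon starts and the graphics options are passed to QEMU when the guest starts, so both the daemon and the guest have to be restarted for the change to take effect. Even with vnc_tls on, a capture of port 5900 will still show an RFB handshake, because the VNC version string and security-type list go out in the clear before the VeNCrypt sub-type switches the connection to TLS; what should no longer be visible is any framebuffer or keyboard data after that point.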


