Re: Question about encryption and tls

On Sun, Sep 10, 2023 at 01:00:21PM +0200, Kamil Jońca wrote:
> (Posted a few days ago on qemu group but no reactions)
>
> Do I understand correctly that ssl should be configured independently
> for libvirt and each hypervisor?

It depends what you are asking about.  There are various connections,
each of which you can configure separately.

> I asked because I configured libvirt connection as
>
> qemu+tls://bambus.kjonca/system?pkipath=...

This ^^ uses TLS to communicate between the libvirt client and server,
e.g. virsh.

> (and on bambus in /etc/libvirt/libvirtd.conf) I set
> key_file = ...
> cert_file = ...
> ca_file = ...
>
> But after connect and launching (on bambus) vm I tried to sniff traffic to
> bambus:5900 (on client) and wireshark was able to detect "VNC"

For VNC that is another connection which you need to configure
separately.  And that is because there might be various requirements for
various use cases.

> protocol (BTW not spice?), so I am confused.
> should I configure in /etc/libvirt/qemu.conf

There is default_tls which should be enough to start, then you need to
turn on tls usage for what you want.  There's vnc_tls, spice_tls, vxhs_tls,
nbd_tls, migrate_tls, backup_tls, and you can even configure different
certificates for each of them.

> spice_tls option and certificates ?

That, and also don't forget to configure the domain XML so that it uses
what you want, probably something like:

<graphics type='spice' tlsPort='-1'/>

and then some, check the following for more details:

https://libvirt.org/formatdomain.html#graphical-framebuffers

> KJ
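
Added example, not part of the original message and not libvirt's own code: a small audit that reads a qemu.conf excerpt and a domain XML and reports, per graphics device, whether the display channel would be encrypted. The sample inputs are constructed, the key default_tls_x509_cert_dir, the attributes port, autoport and defaultMode, and the verdict names are assumptions not taken from the thread, and the rules are a simplified reading of the libvirt documentation that ignores per-channel SPICE settings.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the thread).
QEMU_CONF = '''
default_tls_x509_cert_dir = "/etc/pki/qemu"
#vnc_tls = 1
spice_tls = 1
'''
DOMAIN_XML = '''<domain type='kvm'><devices>
  <graphics type='vnc' port='5900'/>
  <graphics type='spice' tlsPort='-1' defaultMode='secure'/>
  <graphics type='spice' port='5901' tlsPort='5902'/>
</devices></domain>'''

def parse_conf(text):
    """Return the uncommented key = value settings of qemu.conf-style text."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z0-9_]+)\s*=\s*(.+?)\s*$', line)
        if m:  # lines starting with '#' never match, so stay ignored
            conf[m.group(1)] = m.group(2).strip('"')
    return conf

def audit(conf_text, domain_xml):
    """Return one (type, verdict) pair per <graphics> element."""
    conf = parse_conf(conf_text)
    results = []
    for g in ET.fromstring(domain_xml).iter('graphics'):
        kind = g.get('type')
        if kind == 'vnc':
            # Assumption: VNC encryption is decided by qemu.conf alone.
            verdict = 'tls' if conf.get('vnc_tls') == '1' else 'plaintext'
        elif kind == 'spice':
            # Assumption: a plaintext listener exists if port/autoport is set.
            plain = g.get('port') not in (None, '0') or g.get('autoport') == 'yes'
            if g.get('tlsPort') is None:
                verdict = 'plaintext'
            elif conf.get('spice_tls') != '1':
                verdict = 'misconfigured'  # tlsPort requested, TLS off in qemu.conf
            elif g.get('defaultMode') == 'secure' or not plain:
                verdict = 'tls'
            else:
                verdict = 'tls-optional'   # clients may still pick the plain port
        else:
            verdict = 'not-checked'
        results.append((kind, verdict))
    return results

if __name__ == '__main__':
    print(audit(QEMU_CONF, DOMAIN_XML))
```
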
