Re: Question about encryption and tls
On 9/10/23 13:00, Kamil Jońca wrote:
(Posted few days ago on qemu group but no reactions)
Do I understand correctly that ssl shoudl be configured independently
for libvirt and each hypervisor?
I asked because I configured libvirt connection as
qemu+tls://bambus.kjonca/system?pkipath=...
This is a libvirt connection. It specifies how libvirt APIs are passed
between client and server.
(and on bambus in /etc/libvirt/libvirtd.conf) I set
key_file = ...
cert_file = ...
ca_file = ...
But after connect and lauching (on bambus) vm I tried to snif traffic to
bambus:5900 on client) and wireshark was able to detect "VNC"\
This is graphical console connection. It's independent of libvirt
connection (libvirt does not wrap this inside a libvirt connection).
There were some discussions about this IIRC, but the problem is: while
libvirt's RPC has support for streaming data between host and client, it
does not allow multiplexing (i.e. packing multiple streams into a single
channel). That's why it's not used for graphical console, which
typically require more connections. BUT it can be used for "simpler" -
serial consoles (virsh console).
protocol (BTW not spice?), so I am confused.
Maybe you configured VNC for your guest?
should I configure in /etc/libvirt/qemu.conf
spice_tls option and certificates ?
Correct. This is the route you want to go. But since you configured your
guest to use VNC then you want to set vnc_tls* in qemu.conf.
Michal