
On 9/10/23 13:00, Kamil Jońca wrote:
> (Posted a few days ago on the qemu group but no reactions)
> Do I understand correctly that ssl should be configured independently for libvirt and each hypervisor? I asked because I configured the libvirt connection as
> qemu+tls://bambus.kjonca/system?pkipath=...

This is a libvirt connection. It specifies how libvirt APIs are passed between client and server.

> (and on bambus in /etc/libvirt/libvirtd.conf) I set key_file = ... cert_file = ... ca_file = ...
> But after connecting and launching (on bambus) a vm I tried to sniff traffic to bambus:5900 (on client) and wireshark was able to detect "VNC"

This is a graphical console connection. It's independent of the libvirt connection (libvirt does not wrap this inside a libvirt connection). There were some discussions about this IIRC, but the problem is: while libvirt's RPC has support for streaming data between host and client, it does not allow multiplexing (i.e. packing multiple streams into a single channel). That's why it's not used for the graphical console, which typically requires more connections. BUT it can be used for "simpler" serial consoles (virsh console).

> protocol (BTW not spice?), so I am confused.

Maybe you configured VNC for your guest?

> should I configure in /etc/libvirt/qemu.conf
> spice_tls option and certificates ?

Correct. This is the route you want to go. But since you configured your guest to use VNC then you want to set vnc_tls* in qemu.conf.

Michal
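As an added example (not part of this thread), a small Python check of the point Michal makes: it performs only the RFB version exchange against a console port such as bambus:5900 and reports whether the server advertises a TLS-based security type (VeNCrypt, which QEMU uses once vnc_tls is set in qemu.conf) or only plain-text ones, which is what the wireshark capture indicated. The host name, port and sample handshake bytes are constructed for illustration.

```python
"""RFB (VNC) security-type check: qemu+tls:// only protects the libvirt RPC
channel; the guest's VNC console (e.g. bambus:5900) negotiates its own security
in the RFB handshake. Only type 1 (None) or 2 (VNC auth) on offer means plain
text; with vnc_tls set in qemu.conf, QEMU advertises VeNCrypt (19) instead."""
import socket
import struct

# Security-type numbers from the RFB protocol specification.
SECURITY_TYPES = {1: "None", 2: "VNC auth", 18: "TLS", 19: "VeNCrypt", 20: "SASL"}
TLS_TYPES = {18, 19}  # types that wrap the session in TLS


def parse_security_types(data: bytes) -> list[int]:
    """Parse the list the server sends after the version exchange (RFB 3.7+):
    U8 count, then `count` U8 types. Count 0 = refusal, U32 length + reason."""
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        (reason_len,) = struct.unpack(">I", data[1:5])
        reason = data[5:5 + reason_len].decode("utf-8", "replace")
        raise ConnectionError(f"server refused connection: {reason}")
    if len(data) < 1 + count:
        raise ValueError("truncated security-type list")
    return list(data[1:1 + count])


def console_offers_tls(types: list[int]) -> bool:
    """True if at least one advertised type is TLS-based (TLS or VeNCrypt)."""
    return any(t in TLS_TYPES for t in types)


def probe_vnc(host: str, port: int = 5900, timeout: float = 5.0) -> list[int]:
    """Run the version exchange against your own console port and return the
    advertised types; no type is selected, so the handshake simply ends."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = sock.recv(12)
        if version not in (b"RFB 003.007\n", b"RFB 003.008\n"):
            raise ValueError(f"unsupported or non-RFB server banner: {version!r}")
        sock.sendall(b"RFB 003.008\n")
        return parse_security_types(sock.recv(256))


if __name__ == "__main__":
    # Constructed sample messages: a plain-text server (vnc_tls = 0) and a
    # TLS-enabled one; use probe_vnc("bambus.kjonca") for a live check.
    for label, msg in (("plain", bytes([1, 1])), ("tls", bytes([2, 19, 2]))):
        types = parse_security_types(msg)
        print(label, [SECURITY_TYPES.get(t, t) for t in types], console_offers_tls(types))
```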