Re: Question about encryption and tls
On Sun, Sep 10, 2023 at 01:00:21PM +0200, Kamil Jońca wrote:
(Posted few days ago on qemu group but no reactions)
Do I understand correctly that ssl shoudl be configured independently
for libvirt and each hypervisor?
It depends what you are asking about. There are various connections,
each of you can configure separately.
I asked because I configured libvirt connection as
qemu+tls://bambus.kjonca/system?pkipath=...
This ^^ uses TLS to communicate between the libvirt client and server,
e.g. virsh.
(and on bambus in /etc/libvirt/libvirtd.conf) I set
key_file = ...
cert_file = ...
ca_file = ...
But after connect and lauching (on bambus) vm I tried to snif traffic to
bambus:5900 on client) and wireshark was able to detect "VNC"
For VNC that is another connection which you need to configure
separately. And that is because there might be various requirements for
various use cases.
protocol (BTW not spice?), so I am confused.
should I configure in /etc/libvirt/qemu.conf
There is default_tls which should be enough to start, then you need to
turn on tls usage for want. There's vnc_tls, spice_tls, vxhs_tls,
nbd_tls, migrate_tls, backup_tls, and you can even configure different
certificates for each of them.
spice_tls option and certificates ?
That, and also don't forget to configure the domain XML so that it uses
what you want, probably something like:
<graphics type='spice' tlsPort='-1'/>
and then some, check the following for more details:
https://libvirt.org/formatdomain.html#graphical-framebuffers
KJ
Attachments:
- signature.asc (application/pgp-signature — 833 bytes)