
(Posted few days ago on qemu group but no reactions)

Do I understand correctly that ssl should be configured independently for libvirt and each hypervisor? I asked because I configured the libvirt connection as

    qemu+tls://bambus.kjonca/system?pkipath=...

(and on bambus in /etc/libvirt/libvirtd.conf) I set key_file = ... cert_file = ... ca_file = ...

But after connecting and launching (on bambus) a vm I tried to sniff traffic to bambus:5900 (on client) and wireshark was able to detect "VNC" protocol (BTW not spice?), so I am confused.
Should I configure in /etc/libvirt/qemu.conf the spice_tls option and certificates?

KJ

On 9/10/23 13:00, Kamil Jońca wrote:
> (Posted few days ago on qemu group but no reactions)
> Do I understand correctly that ssl should be configured independently for libvirt and each hypervisor? I asked because I configured libvirt connection as
> qemu+tls://bambus.kjonca/system?pkipath=...

This is a libvirt connection. It specifies how libvirt APIs are passed between client and server.

> (and on bambus in /etc/libvirt/libvirtd.conf) I set key_file = ... cert_file = ... ca_file = ...
> But after connect and launching (on bambus) vm I tried to sniff traffic to bambus:5900 (on client) and wireshark was able to detect "VNC"

This is the graphical console connection. It's independent of the libvirt connection (libvirt does not wrap this inside a libvirt connection). There were some discussions about this IIRC, but the problem is: while libvirt's RPC has support for streaming data between host and client, it does not allow multiplexing (i.e. packing multiple streams into a single channel). That's why it's not used for the graphical console, which typically requires more connections. BUT it can be used for "simpler" serial consoles (virsh console).

> protocol (BTW not spice?), so I am confused.

Maybe you configured VNC for your guest?

> should I configure in /etc/libvirt/qemu.conf
> spice_tls option and certificates ?

Correct. This is the route you want to go. But since you configured your guest to use VNC then you want to set vnc_tls* in qemu.conf.

Michal

On Sun, Sep 10, 2023 at 01:00:21PM +0200, Kamil Jońca wrote:
> (Posted few days ago on qemu group but no reactions)
> Do I understand correctly that ssl should be configured independently for libvirt and each hypervisor?

It depends what you are asking about. There are various connections, each of which you can configure separately.

> I asked because I configured libvirt connection as
> qemu+tls://bambus.kjonca/system?pkipath=...

This ^^ uses TLS to communicate between the libvirt client and server, e.g. virsh.

> (and on bambus in /etc/libvirt/libvirtd.conf) I set key_file = ... cert_file = ... ca_file = ...
> But after connect and launching (on bambus) vm I tried to sniff traffic to bambus:5900 (on client) and wireshark was able to detect "VNC"

For VNC that is another connection which you need to configure separately. And that is because there might be various requirements for various use cases.

> protocol (BTW not spice?), so I am confused. should I configure in /etc/libvirt/qemu.conf

There is default_tls which should be enough to start, then you need to turn on tls usage for what you want. There's vnc_tls, spice_tls, vxhs_tls, nbd_tls, migrate_tls, backup_tls, and you can even configure different certificates for each of them.

> spice_tls option and certificates ?

That, and also don't forget to configure the domain XML so that it uses what you want, probably something like:

    <graphics type='spice' tlsPort='-1'/>

and then some, check the following for more details:
https://libvirt.org/formatdomain.html#graphical-framebuffers

> KJ

Martin Kletzander <mkletzan@redhat.com> writes:

> <graphics type='spice' tlsPort='-1'/>
> and then some, check the following for more details:
> https://libvirt.org/formatdomain.html#graphical-framebuffers
> KJ

Well, I think I configured it, but there is another problem: I am able to connect with remote-viewer (when the vm is running):

    remote-viewer --spice-ca-file=/home/kjonca/.config/libvirt/ssl/cacert.pem 'spice://bambus.kjonca?tls-port=5900'

but I am not able to connect with virt-manager. Got message:

    Viewer was disconnected. Encountered SPICE error-tls

KJ

Kamil Jońca <kjonca@poczta.onet.pl> writes:

[...]
> but I am not able to connect with virt-manager. Got message:
> Viewer was disconnected. Encountered SPICE error-tls

After some stracing I found that the CA used by qemu should be in /etc/ssl/certs/ca-certificates.crt (on the client machine). Is there any way to specify this CA? "?pkipath=/home/kjonca/.config/libvirt/ssl" seems not to be passed during connection to the vm console.

KJ
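Two checks covering both halves of the setup this thread walks through (the qemu.conf certificate directory Martin describes, and the client-side system CA bundle the last message traces virt-manager to), added here as an example and not code from the thread, libvirt or QEMU. It assumes openssl on PATH and GNU coreutils stat; the file names ca-cert.pem, server-cert.pem and server-key.pem are the ones QEMU expects in its x509 certificate directory, and the helper names are made up for this example.

```shell
#!/bin/sh
# Hypothetical helpers (not libvirt/QEMU code) for the two TLS pieces in this
# thread. Assumes openssl on PATH and GNU coreutils stat.

# Server side: the directory named by default_tls_x509_cert_dir (or the
# per-service vnc_tls_x509_cert_dir / spice_tls_x509_cert_dir) in qemu.conf.
# QEMU looks for ca-cert.pem, server-cert.pem and server-key.pem there.
check_tls_dir() {
    dir="$1"
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    # The private key must not be readable by "other".
    case "$(stat -c '%a' "$dir/server-key.pem")" in
        *[1-7]) echo "$dir/server-key.pem is world-readable" >&2; return 1 ;;
    esac
    # The server certificate must chain to the CA in the same directory.
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 ||
        { echo "$dir/server-cert.pem does not chain to ca-cert.pem" >&2; return 1; }
}

# Client side: virt-manager's viewer trusted the system bundle rather than the
# pkipath= CA, so check whether a CA certificate is present in that bundle by
# comparing its SHA-256 fingerprint with every certificate the bundle contains.
ca_in_bundle() {
    ca="$1"; bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    want=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one PEM file per certificate.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/" n ".pem") }
        /-----END CERTIFICATE-----/ { close(dir "/" n ".pem") }' "$bundle"
    found=1
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || break
        if [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256)" = "$want" ]; then
            found=0; break
        fi
    done
    rm -rf "$tmp"
    return $found
}
```

Run `check_tls_dir /etc/pki/qemu` on the host and `ca_in_bundle ~/.config/libvirt/ssl/cacert.pem` on the client; a non-zero exit from the second is the situation described in the last message.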
Participants (3): Kamil Jońca, Martin Kletzander, Michal Prívozník