Question about encryption and tls
Michal Prívozník
mprivozn at redhat.com
Mon Sep 11 06:55:34 UTC 2023
On 9/10/23 13:00, Kamil Jońca wrote:
> (Posted few days ago on qemu group but no reactions)
>
> Do I understand correctly that ssl should be configured independently
> for libvirt and each hypervisor?
> I asked because I configured libvirt connection as
>
> qemu+tls://bambus.kjonca/system?pkipath=...
This is a libvirt connection. It specifies how libvirt APIs are passed
between client and server.
>
> (and on bambus in /etc/libvirt/libvirtd.conf) I set
> key_file = ...
> cert_file = ...
> ca_file = ...
>
> But after connect and launching (on bambus) vm I tried to sniff traffic to
> bambus:5900 (on client) and Wireshark was able to detect "VNC"
This is the graphical console connection. It's independent of libvirt
connection (libvirt does not wrap this inside a libvirt connection).
There were some discussions about this IIRC, but the problem is: while
libvirt's RPC has support for streaming data between host and client, it
does not allow multiplexing (i.e. packing multiple streams into a single
channel). That's why it's not used for the graphical console, which
typically requires more connections. BUT it can be used for "simpler" -
serial consoles (virsh console).
> protocol (BTW not spice?), so I am confused.
Maybe you configured VNC for your guest?
> should I configure in /etc/libvirt/qemu.conf
>
> spice_tls option and certificates ?
Correct. This is the route you want to go. But since you configured your
guest to use VNC, you want to set vnc_tls* in qemu.conf.
Michal
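A check for the mismatch described in this thread (TLS on the libvirt RPC, plain VNC on port 5900), added here as an example and not part of the original mail: after setting `vnc_tls = 1` in qemu.conf and restarting the guest, it opens the RFB handshake far enough to read the security-type offer and reports whether the server only offers VeNCrypt (type 19, the TLS-wrapped type). The host name, port and sample byte strings are assumptions/constructed.

```python
import socket
import sys

# RFB security types seen in the server's offer (RFC 6143 section 7.1.2;
# 19 is VeNCrypt, the type QEMU advertises once vnc_tls = 1 is set in
# /etc/libvirt/qemu.conf). Anything other than 19 means the console is
# reachable without a TLS handshake, which is what the packet capture showed.
SEC_TYPES = {0: "invalid", 1: "None", 2: "VNC Authentication", 19: "VeNCrypt"}
TLS_CAPABLE = {19}


def parse_security_types(data: bytes) -> list:
    """Parse the RFB 3.7+ security-type message: one count byte followed by
    that many type bytes. A count of 0 is a refusal carrying a reason string
    (4-byte big-endian length, then text)."""
    if not data:
        raise ValueError("empty security-type message")
    count = data[0]
    if count == 0:
        reason_len = int.from_bytes(data[1:5], "big")
        reason = data[5:5 + reason_len].decode(errors="replace")
        raise ValueError("server refused: " + reason)
    types = list(data[1:1 + count])
    if len(types) != count:
        raise ValueError("truncated security-type message")
    return types


def verdict(types) -> str:
    """'tls-only' if every offered type needs a TLS handshake, else 'plaintext'."""
    names = ", ".join(SEC_TYPES.get(t, f"type {t}") for t in types)
    ok = bool(types) and all(t in TLS_CAPABLE for t in types)
    return ("tls-only" if ok else "plaintext") + f" (offered: {names})"


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> list:
    """Open the RFB handshake just far enough to read the security-type offer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)                    # e.g. b"RFB 003.008\n"
        if not banner.startswith(b"RFB "):
            raise ValueError(f"not an RFB server: {banner!r}")
        sock.sendall(b"RFB 003.008\n")            # select protocol 3.8
        return parse_security_types(sock.recv(256))


# Constructed sample offers, not captured from a real host.
SAMPLE_PLAIN = bytes([1, 1])        # only "None": console is in the clear
SAMPLE_TLS = bytes([1, 19])         # only VeNCrypt: TLS is negotiated next

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None   # e.g. bambus.kjonca
    types = probe(host) if host else parse_security_types(SAMPLE_PLAIN)
    print(verdict(types))
```

Run it with the hypervisor host as the only argument; with no argument it evaluates the constructed plaintext sample.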