libvirt users - Sep 2023 - Question about encryption and tls

On Sun, Sep 10, 2023 at 01:00:21PM +0200, Kamil Jo?ca
wrote:
>(Posted few days ago on qemu group but no reactions)
>
>Do I understand correctly that ssl shoudl be configured independently
>for libvirt and each hypervisor?
It depends what you are asking about.  There are various connections,
each of you can configure separately.
>I asked because I configured libvirt connection as
>
>qemu+tls://bambus.kjonca/system?pkipath=...
>
This ^^ uses TLS to communicate between the libvirt client and server,
e.g. virsh.
>(and on bambus in /etc/libvirt/libvirtd.conf) I set
>key_file = ...
>cert_file = ...
>ca_file = ...
>
>But after connect and lauching (on bambus) vm I tried to snif traffic to
> bambus:5900 on client) and wireshark was able to detect "VNC"
For VNC that is another connection which you need to configure
separately.  And that is because there might be various requirements for
various use cases.
> protocol (BTW not spice?), so I am confused.
> should I configure in  /etc/libvirt/qemu.conf
>
There is default_tls which should be enough to start, then you need to
turn on tls usage for want.  There's vnc_tls, spice_tls, vxhs_tls,
nbd_tls, migrate_tls, backup_tls, and you can even configure different
certificates for each of them.
>spice_tls option and certificates ?
>
That, and also don't forget to configure the domain XML so that it uses
what you want, probably something like:

<graphics type='spice' tlsPort='-1'/>

and then some, check the following for more details:

https://libvirt.org/formatdomain.html#graphical-framebuffers
>KJ
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL:
<http://listman.redhat.com/archives/libvirt-users/attachments/20230911/110cab96/attachment.sig>

Martin Kletzander <mkletzan at redhat.com>
writes:
>
> <graphics type='spice' tlsPort='-1'/>
>
> and then some, check the following for more details:
>
> https://libvirt.org/formatdomain.html#graphical-framebuffers
>
>>KJ
>>
Well, I think I configured it, but there is another problem:
I am able to connect with remote viewer (when vm is running):
--8<---------------cut here---------------start------------->8---
remote-viewer --spice-ca-file=/home/kjonca/.config/libvirt/ssl/cacert.pem
'spice://bambus.kjonca?tls-port=5900'
--8<---------------cut here---------------end--------------->8---
but I am not able to connect with virt-manager. Got message:

--8<---------------cut here---------------start------------->8---
Viewer was disconnected.
Encountered SPICE error-tls
--8<---------------cut here---------------end--------------->8---

KJ

Kamil Jo?ca <kjonca at poczta.onet.pl> writes:

[...]
>
> but I am not able to connect with virt-manager. Got message:
>
> Viewer was disconnected.
> Encountered SPICE error-tls
After some stracing I found that CA used by qemu should be in
/etc/ssl/certs/ca-certificates.crt (on client machine)
is any way to specify this CA?
"?pkipath=/home/kjonca/.config/libvirt/ssl"
seems not to be passed during connection to vm console.

KJ