Bug 882945

Summary: RFE: qemu: allow configuring VNC TLS per-VM
Product: [Community] Virtualization Tools
Component: libvirt
Reporter: david.pravec
Assignee: Libvirt Maintainers <libvirt-maint>
CC: berrange, crobinso
Severity: medium
Priority: unspecified
Version: unspecified
Hardware: All
OS: All
Whiteboard: LibvirtFirstBug
Doc Type: Bug Fix
Type: Bug
Last Closed: 2020-04-17 16:40:08 UTC

Description david.pravec 2012-12-03 12:46:27 UTC
Description of problem:

I need to use vnc_tls only on some guests, leaving some guests with insecure VNC.

It should really be possible to turn TLS off (or on) in the XML config, so it could be used only on selected domains.

Version-Release number of selected component (if applicable):
app-emulation/libvirt-1.0.0:0 on gentoo

How reproducible:

Enabling vnc_tls in /etc/libvirt/qemu.conf
and placing certificates in the right places makes all VNC servers use TLS.

Expected results:
I need some way to disable TLS on some clients; it's not configurable using XML => I need to make the whole machine TLS/x509 or insecure.

Comment 1 Cole Robinson 2016-03-21 22:48:12 UTC
Yeah, certainly this seems useful, at least if only for testing.

The bit in qemu_command.c is:

    /* VNC TLS options are taken only from the global qemu.conf, never per-VM */
    if (cfg->vncTLS) {
        virBufferAddLit(&opt, ",tls");
        if (cfg->vncTLSx509verify)
            virBufferAsprintf(&opt, ",x509verify=%s", cfg->vncTLSx509certdir);
        else
            virBufferAsprintf(&opt, ",x509=%s", cfg->vncTLSx509certdir);
    }

cfg->vncTLS is /etc/libvirt/qemu.conf vnc_tls
cfg->vncTLSx509verify is /etc/libvirt/qemu.conf vnc_tls_x509_verify
cfg->vncTLSx509certdir is /etc/libvirt/qemu.conf vnc_tls_x509_cert_dir

Maybe this could be new XML:

<graphics type='vnc'>
  <tls enable='yes' verify='yes' certdir='/path/to/certdir'/>
</graphics>

That could also be used to disable TLS for a one-off VM if qemu.conf has vnc_tls=1. Something similar could be done for spice graphics too.

If anyone wants to take a stab, I suggest discussing on libvir-list to finalize the XML first.
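
As an added illustration (not libvirt's code), a Python model of how the proposed per-VM `<tls/>` element would override the three qemu.conf keys when the `-vnc` option is built; the `QemuConf` class, the function names, the `listen:display` prefix and the default cert dir are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class QemuConf:
    """Global /etc/libvirt/qemu.conf keys relevant to VNC TLS (assumed defaults)."""
    vnc_tls: bool = False
    vnc_tls_x509_verify: bool = False
    vnc_tls_x509_cert_dir: str = "/etc/pki/libvirt-vnc"


def _yes_no(value: str, attr: str) -> bool:
    # Reject anything other than the libvirt-style 'yes'/'no' so a typo
    # cannot silently fall back to an unencrypted console.
    if value not in ("yes", "no"):
        raise ValueError(f"<tls {attr}='{value}'>: expected 'yes' or 'no'")
    return value == "yes"


def resolve_vnc_tls(cfg: QemuConf, graphics_xml: str):
    """Return (enable, verify, certdir); a per-VM <tls/> overrides qemu.conf."""
    node = ET.fromstring(graphics_xml)
    if node.tag != "graphics" or node.get("type") != "vnc":
        raise ValueError("expected <graphics type='vnc'>")
    enable, verify = cfg.vnc_tls, cfg.vnc_tls_x509_verify
    certdir = cfg.vnc_tls_x509_cert_dir
    tls = node.find("tls")
    if tls is not None:  # no <tls/> element: keep today's global behaviour
        if "enable" in tls.attrib:
            enable = _yes_no(tls.attrib["enable"], "enable")
        if "verify" in tls.attrib:
            verify = _yes_no(tls.attrib["verify"], "verify")
        if tls.get("certdir"):
            certdir = tls.attrib["certdir"]
    return enable, verify, certdir


def build_vnc_opt(cfg: QemuConf, graphics_xml: str, listen="127.0.0.1", display=0) -> str:
    """Mirror the qemu_command.c branch quoted above, with the override applied."""
    enable, verify, certdir = resolve_vnc_tls(cfg, graphics_xml)
    opt = f"{listen}:{display}"
    if enable:
        opt += ",tls"
        opt += f",x509verify={certdir}" if verify else f",x509={certdir}"
    return opt


# Constructed samples: global vnc_tls=1, one VM opting out, one opting in.
GLOBAL_TLS = QemuConf(vnc_tls=True)
VM_DEFAULT = "<graphics type='vnc'/>"
VM_OPT_OUT = "<graphics type='vnc'><tls enable='no'/></graphics>"
VM_OPT_IN = "<graphics type='vnc'><tls enable='yes' verify='yes' certdir='/path/to/certdir'/></graphics>"
```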

Comment 2 Cole Robinson 2016-04-15 14:57:32 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=825939#c3 for an example commit extending the XML format and qemu handling.

Comment 3 Daniel Berrangé 2020-04-17 16:40:08 UTC
This issue is now tracked at https://gitlab.com/libvirt/libvirt/-/issues/15