Bug 882945 - RFE: qemu: allow configuring VNC TLS per-VM
Summary: RFE: qemu: allow configuring VNC TLS per-VM
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt
Version: unspecified
Hardware: All
OS: All
unspecified
medium
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
URL:
Whiteboard: LibvirtFirstBug
Depends On:
Blocks:
 
Reported: 2012-12-03 12:46 UTC by david.pravec
Modified: 2020-04-17 16:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-17 16:40:08 UTC



Description david.pravec 2012-12-03 12:46:27 UTC
Description of problem:

I need to use vnc_tls only on some guests, leaving some guests with unsecure vnc.

It should really be possible to turn off (or on) tls in XML config, so it could be used only on selected domains.

Version-Release number of selected component (if applicable):
app-emulation/libvirt-1.0.0:0 on gentoo

How reproducible:

Enabling vnc_tls in /etc/libvirt/qemu.conf
and placing certificates in the right places makes all vnc servers use tls.

Expected results:
I need some way to disable tls on some clients; it's not configurable using XML => I need to make the whole machine tls/x509 or unsecure.

Comment 1 Cole Robinson 2016-03-21 22:48:12 UTC
Yeah certainly this seems useful, at least if only for testing.

The bit in qemu_command.c is:

    if (cfg->vncTLS) {
        virBufferAddLit(&opt, ",tls");
        if (cfg->vncTLSx509verify)
            virBufferAsprintf(&opt, ",x509verify=%s", cfg->vncTLSx509certdir);
        else
            virBufferAsprintf(&opt, ",x509=%s", cfg->vncTLSx509certdir);
    }


cfg->vncTLS is /etc/libvirt/qemu.conf vnc_tls
cfg->vncTLSx509verify is /etc/libvirt/qemu.conf vnc_tls_x509_verify
cfg->vncTLSx509certdir is /etc/libvirt/qemu.conf vnc_tls_x509_cert_dir

Maybe this could be new XML:

<graphics type='vnc'>
  <tls enable='yes' verify='yes' certdir='/path/to/certdir'/>
</graphics>

That could also be used to disable tls for a one-off VM if qemu.conf vnc_tls=1. Something similar could be done for spice graphics too.

If anyone wants to take a stab, I suggest discussing on libvir-list to finalize the XML first.
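
A sketch of how the per-VM `<tls/>` attributes proposed above could be resolved against the qemu.conf defaults when building the TLS part of the -vnc option, added here as an example and not libvirt's code or part of the comment. The `tristate`, `host_cfg`, `dom_tls` and `vnc_tls_opts` names, the fallback rules and the sample paths are assumptions; the function also reports when a domain turns TLS off on a host that enables it, and rejects a certdir containing a comma because commas separate options inside the -vnc argument.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical tristate for the proposed <tls enable=... verify=...> attributes. */
typedef enum { TRI_ABSENT = 0, TRI_YES, TRI_NO } tristate;

/* Stand-in for the three qemu.conf settings (not libvirt's real struct). */
struct host_cfg { int vnc_tls; int vnc_tls_x509_verify; const char *cert_dir; };

/* Hypothetical per-domain values from the proposed <tls/> element;
 * certdir is NULL when the attribute is absent. */
struct dom_tls { tristate enable; tristate verify; const char *certdir; };

/* An absent attribute falls back to the host-wide default. */
static int resolve(tristate t, int host_default)
{
    return t == TRI_ABSENT ? host_default : t == TRI_YES;
}

/* Write the TLS suffix of the -vnc option into buf. Returns 0 on success, -1 if
 * TLS is on without a usable certdir or buf is too small. *downgraded is set
 * when the domain disables TLS that the host enables. */
int vnc_tls_opts(const struct host_cfg *cfg, const struct dom_tls *dom,
                 char *buf, size_t len, int *downgraded)
{
    int tls = resolve(dom->enable, cfg->vnc_tls);
    int verify = resolve(dom->verify, cfg->vnc_tls_x509_verify);
    const char *dir = dom->certdir ? dom->certdir : cfg->cert_dir;
    int n;

    if (len == 0)
        return -1;
    buf[0] = '\0';
    *downgraded = cfg->vnc_tls && !tls;
    if (!tls)
        return 0;
    /* A comma would start a new option inside the -vnc argument. */
    if (!dir || !*dir || strchr(dir, ','))
        return -1;
    n = snprintf(buf, len, ",tls,%s=%s", verify ? "x509verify" : "x509", dir);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    struct host_cfg host = { 1, 1, "/constructed/host-certs" }; /* constructed values */
    struct dom_tls dom = { TRI_NO, TRI_ABSENT, NULL };
    char opt[128]; int downgraded;
    int rc = vnc_tls_opts(&host, &dom, opt, sizeof(opt), &downgraded);
    printf("rc=%d opt='%s' downgraded=%d\n", rc, opt, downgraded);
    return 0;
}
```

A caller could log or refuse the `downgraded` case so that a single domain definition cannot silently weaken a host-wide vnc_tls=1 policy.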

Comment 2 Cole Robinson 2016-04-15 14:57:32 UTC
See https://bugzilla.redhat.com/show_bug.cgi?id=825939#c3 for an example commit extending the XML format and qemu handling

Comment 3 Daniel Berrangé 2020-04-17 16:40:08 UTC
This issue is now tracked at https://gitlab.com/libvirt/libvirt/-/issues/15

