I’m running Minione for evaluation purposes and trying to configure a secure SPICE connection over TLS. So far, I’ve done the following:
- in /etc/libvirt/qemu.conf, I’ve set the following:
    spice_tls = 1
    spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
- created required certificates
- restarted libvirtd service (systemctl restart libvirtd)
But I can still connect over an insecure connection. When I look at the generated domain XML for my VM, I see the following:
<graphics type='spice' listen='0.0.0.0' port='5905'/>
Looking at libvirt documentation here, I would need something like this:
<graphics type='spice' port='5905' tlsPort='5906' defaultMode="secure">
But, I have no idea how to generate that. I can tweak XML by hand, but I doubt it will be picked up when I restart the machine?
I thought I could add this in /etc/one/vmm_exec/vmm_exec_kvm.conf under SPICE_OPTIONS, but from what I can see here, it will just append this section after the tag.
So, my question is, is there a way to customize tag configuration? I suppose I could patch the source code and recompile, but then I would have to do it on every update. Looking to avoid this.
I thought maybe using a hook to modify XML before the machine is launched. Is that possible? And if so, what state should trigger the hook?
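
A check for the symptom described in the post, as an added example that is not part of the original post: it parses a libvirt domain XML and reports why a SPICE graphics element would still accept a plaintext connection. The helper name and the sample XML strings are constructed for illustration; the attribute semantics (tlsPort, autoport, defaultMode, per-channel mode) follow the libvirt domain format.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the first is the element quoted in the post, the second
# is the documented form from the post (self-closed here), the third adds a
# hypothetical per-channel override.
PLAINTEXT = ("<domain type='kvm'><devices>"
             "<graphics type='spice' listen='0.0.0.0' port='5905'/>"
             "</devices></domain>")
SECURE = ("<domain type='kvm'><devices>"
          "<graphics type='spice' port='5905' tlsPort='5906' defaultMode='secure'/>"
          "</devices></domain>")
OVERRIDE = ("<domain type='kvm'><devices>"
            "<graphics type='spice' port='5905' tlsPort='5906' defaultMode='secure'>"
            "<channel name='playback' mode='insecure'/>"
            "</graphics></devices></domain>")


def spice_plaintext_findings(domain_xml):
    """Return reasons a SPICE client could still connect without TLS (hypothetical helper)."""
    findings = []
    for gfx in ET.fromstring(domain_xml).iter("graphics"):
        if gfx.get("type") != "spice":
            continue
        # tlsPort may be omitted only when libvirt auto-allocates ports (autoport='yes').
        if gfx.get("tlsPort") is None and gfx.get("autoport") != "yes":
            findings.append("no tlsPort: only the plaintext port is offered")
        # libvirt's default is 'any': TLS if possible, plaintext fallback otherwise.
        mode = gfx.get("defaultMode", "any")
        if mode != "secure":
            findings.append(f"defaultMode='{mode}': channels may use the plaintext port")
        # A <channel mode='insecure'/> child overrides defaultMode for that channel.
        for ch in gfx.findall("channel"):
            if ch.get("mode") == "insecure":
                findings.append(f"channel '{ch.get('name')}' is forced to plaintext")
    return findings


if __name__ == "__main__":
    for label, xml in (("plaintext", PLAINTEXT), ("secure", SECURE), ("override", OVERRIDE)):
        print(label, spice_plaintext_findings(xml) or "TLS only")
```

Run it against the output of virsh dumpxml for the deployed domain to confirm whether a change to the generated XML actually took effect.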