Configure SPICE over TLS

I’m running Minione for evaluation purposes and trying to configure a secure SPICE connection over TLS. So far, I’ve done the following:

  1. in /etc/libvirt/qemu.conf, I’ve set the following:

    spice_tls = 1
    spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

  2. created required certificates

  3. restarted libvirtd service (systemctl restart libvirtd)

But I can still connect over an insecure connection. When I look at the generated domain XML for my VM, I see the following:

<graphics type='spice' listen='' port='5905'/>

Looking at libvirt documentation here, I would need something like this:

<graphics type='spice' port='5905' tlsPort='5906' defaultMode="secure"/>

But I have no idea how to generate that. I can tweak the XML by hand, but I doubt it will be picked up when I restart the machine?
I thought I could add this in /etc/one/vmm_exec/vmm_exec_kvm.conf under SPICE_OPTIONS, but from what I can see here, it will just append this section after the tag.

So, my question is, is there a way to customize tag configuration? I suppose I could patch the source code and recompile, but then I would have to do it on every update. Looking to avoid this.
I thought maybe using a hook to modify XML before the machine is launched. Is that possible? And if so, what state should trigger the hook?


I am also looking for a solution to this problem. Any instructions on how to use SPICE TLS in OpenNebula? In version 6.2, it was also not possible to detect any changes in this regard. Perhaps we can use the RAW section for this in the Virtual Machine Template or in another config?

Hi @Dganic,

I think this thread could help?

Hmm. Please note that OpenNebula manages the VNC ports, so most probably you’ll need to offset the tlsPort with something like port+30000.

Hope this helps.

Best Regards,
Anton Todorov
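To make the two points above concrete, here is an added example that is not part of this thread and not OpenNebula or libvirt code. It reads a libvirt domain XML string, reports why the `<graphics type='spice'>` element would still accept plaintext (the original poster's element, reproduced as a constructed sample), and produces the secured form, deriving tlsPort from the port+30000 offset suggested above (the offset value is an assumption; pick one that fits your port range). It is a check on the deployment XML after OpenNebula has generated it; it does not by itself change what OpenNebula writes.

```python
"""Audit and harden the SPICE graphics element of a libvirt domain XML.

Added example, not from the thread or from OpenNebula/libvirt. Assumes the
domain XML is available as a string (e.g. read from the deployment file that
was handed to libvirt) and that tlsPort = port + TLS_PORT_OFFSET is acceptable.
"""
import xml.etree.ElementTree as ET

# Offset suggested in the thread; adjust to your own port allocation.
TLS_PORT_OFFSET = 30000

# Constructed sample: the insecure element the original poster saw.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>one-12</name>
  <devices>
    <graphics type='spice' listen='' port='5905'/>
  </devices>
</domain>"""


def find_spice(root):
    """Return the first <graphics type='spice'> element, or None."""
    for g in root.iter("graphics"):
        if g.get("type") == "spice":
            return g
    return None


def spice_attrs(domain_xml):
    """Attributes of the SPICE graphics element as a plain dict ({} if absent)."""
    g = find_spice(ET.fromstring(domain_xml))
    return dict(g.attrib) if g is not None else {}


def audit_spice(domain_xml):
    """List the reasons this SPICE config would still allow a plaintext session."""
    g = find_spice(ET.fromstring(domain_xml))
    if g is None:
        return ["no spice graphics element"]
    issues = []
    if g.get("tlsPort") is None:
        issues.append("no tlsPort: TLS listener not configured")
    if g.get("defaultMode") != "secure":
        issues.append("defaultMode is not 'secure': channels may fall back to plaintext")
    return issues


def secure_spice(domain_xml, offset=TLS_PORT_OFFSET):
    """Return the domain XML with tlsPort=port+offset and defaultMode='secure'.

    Raises ValueError when there is no SPICE element or when the plain port is
    unset/autoport (-1), because then no deterministic tlsPort can be derived.
    """
    root = ET.fromstring(domain_xml)
    g = find_spice(root)
    if g is None:
        raise ValueError("domain has no spice graphics element")
    port = int(g.get("port", "-1"))
    if port <= 0:
        raise ValueError("port is unset or autoport; choose tlsPort explicitly")
    g.set("tlsPort", str(port + offset))
    g.set("defaultMode", "secure")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("issues before:", audit_spice(SAMPLE_DOMAIN_XML))
    hardened = secure_spice(SAMPLE_DOMAIN_XML)
    print("issues after: ", audit_spice(hardened))
    print(hardened)
```

Run it against a real deployment file by replacing SAMPLE_DOMAIN_XML with the file contents; an empty list from audit_spice means both the TLS listener and the secure default channel policy are present in the XML libvirt will use.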

I couldn’t get this to work. So, what I did was have SPICE listen on localhost only, and then use an SSH tunnel to connect the client.

This setup worked perfectly.