From Fedora Project Wiki
Description
Verify that a guest's SPICE display can be configured in virt-manager with a fixed TLS port, that libvirt/qemu serve it with the certificates from spice_tls_x509_cert_dir, and that a SPICE client can connect over the TLS port.
Setup
Make sure you have a guest that starts successfully.
How to test
- force off the running guest
- go to the guest details panel and remove the Display VNC device
- click the Add Hardware button at the bottom left
- add Graphics -> Type: Spice server
- untick Automatically allocated for the ports
- set the Port to 5901 and the TLS port to 5902
- click Finish, go back to the guest details overview panel and click Apply
- modify the following in /etc/libvirt/qemu.conf (uncomment both lines):
- -# spice_tls = 1
- + spice_tls = 1
- -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
- + spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
- run the following script as root to generate the CA and server certificate for TLS; it copies the .pem files libvirt needs into the /etc/pki/libvirt-spice directory
```bash
#!/bin/bash
SERVER_KEY=server-key.pem
# creating a key for our ca (2048-bit: 1024-bit RSA is below what current crypto policies accept)
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 2048
fi
# creating a ca
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi
# create server key
if [ ! -e $SERVER_KEY ]; then
    openssl genrsa -out $SERVER_KEY 2048
fi
# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
    openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi
# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi
# now create a key that doesn't require a passphrase (qemu cannot prompt for one)
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
mv $SERVER_KEY $SERVER_KEY.secure
mv $SERVER_KEY.insecure $SERVER_KEY
# show the results (no other effect)
openssl rsa -noout -text -in $SERVER_KEY
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem
# copy only the files libvirt reads to /etc/pki/libvirt-spice; the CA private key stays here
mkdir -p /etc/pki/libvirt-spice
cp ca-cert.pem server-cert.pem $SERVER_KEY /etc/pki/libvirt-spice
# the qemu process (user/group qemu on Fedora) must be able to read the server key
chgrp qemu /etc/pki/libvirt-spice/$SERVER_KEY
chmod 640 /etc/pki/libvirt-spice/$SERVER_KEY
# echo --host-subject: the server certificate's subject in the comma-separated form spicec expects
echo "your --host-subject is" \"$(openssl x509 -noout -subject -nameopt sep_comma_plus -in server-cert.pem | sed 's/^subject= *//')\"
```
- restart libvirtd so it reloads qemu.conf
- # service libvirtd restart
- start the guest
- # virsh start guest
- connect to the guest with the SPICE client; --host-subject must be the subject of server-cert.pem (not the CA's subject), and the client must trust ca-cert.pem (pass it with --ca-file, or copy it to the default truststore ~/.spicec/spice_truststore.pem)
- # spicec -h 127.0.0.1 -p 5901 -s 5902 --ca-file /etc/pki/libvirt-spice/ca-cert.pem --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server"
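The certificate steps above are where this test usually goes wrong (a 1024-bit key rejected by the crypto policy, a server key qemu cannot read, a key that does not match the certificate, or a --host-subject copied from the wrong certificate). The script below is an added example, not the wiki page's script and not part of libvirt or SPICE: it builds the same throwaway CA and server certificate with 2048-bit keys, installs only the three files libvirt reads from spice_tls_x509_cert_dir, and then checks the installed directory the way you would by hand after a failed connection. The output directory layout, the SPICE_PKI_DIR variable and the optional group argument (Fedora's qemu group) are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the wiki page): build a throwaway SPICE TLS PKI and
# run the checks a practitioner does before blaming spicec or libvirt.
set -eu

# Generate ca-cert.pem, server-cert.pem and server-key.pem into $1.
# Same subjects as the wiki script, 2048-bit keys, no passphrase on the server key.
make_spice_pki() {
    local dir="$1"
    mkdir -p "$dir"
    (
        cd "$dir"
        openssl genrsa -out ca-key.pem 2048 2>/dev/null
        openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem \
            -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
        openssl genrsa -out server-key.pem 2048 2>/dev/null
        openssl req -new -key server-key.pem -out server-key.csr \
            -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
        openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem \
            -CAkey ca-key.pem -set_serial 01 -out server-cert.pem 2>/dev/null
        chmod 600 ca-key.pem server-key.pem
    )
}

# Copy only what the server needs from $1 into the libvirt cert dir $2; the CA
# private key stays behind. $3 is the group qemu runs as ("" skips chgrp).
install_spice_pki() {
    local src="$1" dst="$2" grp="${3:-}"
    mkdir -p "$dst"
    cp "$src/ca-cert.pem" "$src/server-cert.pem" "$src/server-key.pem" "$dst/"
    chmod 644 "$dst/ca-cert.pem" "$dst/server-cert.pem"
    chmod 640 "$dst/server-key.pem"
    if [ -n "$grp" ]; then
        chgrp "$grp" "$dst/server-key.pem"
    fi
}

# Validate a cert dir the way qemu will consume it: all three files readable,
# CA key not deployed, server-cert chains to ca-cert, key matches cert.
check_spice_pki() {
    local dir="$1" f
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        [ -r "$dir/$f" ] || { echo "missing or unreadable $dir/$f" >&2; return 1; }
    done
    [ ! -e "$dir/ca-key.pem" ] \
        || { echo "CA private key must not live in $dir" >&2; return 1; }
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/server-cert.pem" >/dev/null 2>&1 \
        || { echo "server-cert.pem does not chain to ca-cert.pem" >&2; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$dir/server-cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server-key.pem" 2>/dev/null)" ] \
        || { echo "server-key.pem does not match server-cert.pem" >&2; return 1; }
    return 0
}

# Print the server certificate's subject in the comma-separated form that
# spicec --host-subject expects (in certificate order, no spaces after commas).
host_subject() {
    openssl x509 -noout -subject -nameopt sep_comma_plus -in "$1/server-cert.pem" \
        | sed 's/^subject= *//'
}

# Stand-alone run (assumed convention): SPICE_PKI_DIR=/tmp/spice-pki ./spice-pki.sh
if [ -n "${SPICE_PKI_DIR:-}" ]; then
    make_spice_pki "$SPICE_PKI_DIR/gen"
    install_spice_pki "$SPICE_PKI_DIR/gen" "$SPICE_PKI_DIR/libvirt-spice" ""
    check_spice_pki "$SPICE_PKI_DIR/libvirt-spice"
    echo "your --host-subject is \"$(host_subject "$SPICE_PKI_DIR/libvirt-spice")\""
fi
```

To use it against the real location, run install_spice_pki with /etc/pki/libvirt-spice as the destination and qemu as the group (as root), then check_spice_pki on that directory before restarting libvirtd. Once the guest is running, `openssl s_client -connect 127.0.0.1:5902 -CAfile /etc/pki/libvirt-spice/ca-cert.pem` shows whether the TLS port presents the server certificate and verifies against the CA, independently of the SPICE client.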
Expected Results
- Make sure you CAN access the guest's SPICE display via 127.0.0.1 with the TLS port set, and that the session is served on the TLS port (5902)
- A connection with the wrong --host-subject (for example the CA's subject instead of the server certificate's) or without the CA certificate in the client's truststore must be refused by the client