From Fedora Project Wiki
Description
Setup
Make sure you have a guest that can be started successfully
How to test
- force off the running guest
- go to the guest detail panel and remove the "Display VNC" device
- click the "Add Hardware" button at the left bottom
- Add "Graphics" -> Type "SPICE server"
- Uncheck "Automatically allocation"
- Set Port to 5901 and TLS port to 5902
- Click Finish, go back to the guest detail overview panel and click the Apply button
- modify the following in /etc/libvirt/qemu.conf (uncomment both settings):
    -# spice_tls = 1
    +spice_tls = 1
    -# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
    +spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
- run the following script to generate the certificate files for TLS; it also copies the *.pem files into the /etc/pki/libvirt-spice directory
#!/bin/bash
SERVER_KEY=server-key.pem

# creating a key for our ca
if [ ! -e ca-key.pem ]; then
    openssl genrsa -des3 -out ca-key.pem 1024
fi

# creating a ca
if [ ! -e ca-cert.pem ]; then
    openssl req -new -x509 -days 1095 -key ca-key.pem -out ca-cert.pem -subj "/C=IL/L=Raanana/O=Red Hat/CN=my CA"
fi

# create server key
if [ ! -e $SERVER_KEY ]; then
    openssl genrsa -out $SERVER_KEY 1024
fi

# create a certificate signing request (csr)
if [ ! -e server-key.csr ]; then
    openssl req -new -key $SERVER_KEY -out server-key.csr -subj "/C=IL/L=Raanana/O=Red Hat/CN=my server"
fi

# signing our server certificate with this ca
if [ ! -e server-cert.pem ]; then
    openssl x509 -req -days 1095 -in server-key.csr -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem
fi

# now create a key that doesn't require a passphrase (qemu cannot prompt for one)
openssl rsa -in $SERVER_KEY -out $SERVER_KEY.insecure
mv $SERVER_KEY $SERVER_KEY.secure
mv $SERVER_KEY.insecure $SERVER_KEY

# show the results (no other effect)
openssl rsa -noout -text -in $SERVER_KEY
openssl rsa -noout -text -in ca-key.pem
openssl req -noout -text -in server-key.csr
openssl x509 -noout -text -in server-cert.pem
openssl x509 -noout -text -in ca-cert.pem

# copy *.pem file to /etc/pki/libvirt-spice
if [[ -d "/etc/pki/libvirt-spice" ]]
then
    cp ./*.pem /etc/pki/libvirt-spice
else
    mkdir /etc/pki/libvirt-spice
    cp ./*.pem /etc/pki/libvirt-spice
fi

# echo --host-subject (the subject of the server certificate)
echo "your --host-subject is" \" `openssl x509 -noout -text -in server-cert.pem | grep Subject: | cut -f 10- -d " "` \"
- restart libvirtd to rescan the configuration:
service libvirtd restart
- Start the guest:
virsh start <guest>
- Access the guest with the following command line; --host-subject must be the subject of server-cert.pem, which is what the script above prints as "your --host-subject is":
spicec -h 127.0.0.1 -p 5901 -s 5902 --host-subject "C=IL,L=Raanana,O=Red Hat,CN=my server"
Expected Results
- Make sure you CAN access the SPICE interface via the private address 127.0.0.1 with the TLS port set