How to create KVM guest with SPICE graphics but TLS disabled using virt-install?

Okay, I worked around it on my own. In the option:

--graphics spice,port=20001,listen=127.0.0.1

remove the port parameter such that it becomes:

--graphics spice,listen=127.0.0.1

You need to configure the <graphics /> element in the libvirt XML configuration file then. My invocation of virt-install gave me this:

<graphics type='spice' autoport='yes' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics>

There is one caveat. I finished the installation while SPICE was still connected to the default auto-connected port (5900 in my case). If you shut down the guest prior to finishing the installation, the whole process initiated by virt-install will be interrupted.

In order to change it one should shut down the guest and then edit the XML to something like the following, using virsh edit vmname (where vmname should be replaced with your name):

<graphics type='spice' autoport='no' port='20001' listen='127.0.0.1'>
  <listen type='address' address='127.0.0.1'/>
</graphics>

Possible workaround for "port in use" conflicts: use any of the local net addresses other than 127.0.0.1 from 127.0.0.0/24, e.g. 127.0.0.2 etc., to listen on.

NOTE: If someone can come up with a better (i.e. actual) solution, I'll accept that other answer. This writeup is mostly for others that may run into the same issue.


The solution is to tell kvm/virt to use an insecure connection as default.

<graphics type='spice' autoport='yes' listen='0.0.0.0' defaultMode='insecure'>
  <listen type='address' address='0.0.0.0'/>
</graphics>

Set the defaultMode to insecure and you can use even autoport='yes' and everything is fine.

One hint, when you search the port, you have to use domdisplay:

[root@kvm repo]# virsh domdisplay --domain openshift1
spice://localhost:5900

I don't know if this is a bug or correct behavior, but the output of virsh domdisplay --domain openshift1 shows localhost instead of 0.0.0.0. But you can connect from outside to your guest VMs using the server IP/DNS name. Be sure the firewall lets you connect to these ports and that kvm/virt does listen on 0.0.0.0 as shown above.


If this helps...

listen=0.0.0.0,  <-- listen on any interface
port=5962, <-- specify non-secure port
tlsport=,  <-- do not request TLS
defaultMode='insecure'  <-- allow insecure

virt-install \
...
    --graphics spice,listen=0.0.0.0,port=5962,tlsport=,defaultMode='insecure' \
...

Resulting XML:

    <graphics type='spice' port='5962' autoport='no' listen='0.0.0.0' defaultMode='insecure'>
      <listen type='address' address='0.0.0.0'/>
      <image compression='off'/>
    </graphics>
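
An added example, not part of any of the answers above: a check that reads a domain's XML (as printed by virsh dumpxml) and reports, for each SPICE graphics element, where it listens and whether plaintext connections are accepted from non-loopback addresses. The function names and the sample XML are constructed for illustration, and per-channel <channel mode=.../> overrides are not examined.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the XML in the last answer above.
SAMPLE_XML = """
<domain type='kvm'>
  <name>example-guest</name>
  <devices>
    <graphics type='spice' port='5962' autoport='no' listen='0.0.0.0' defaultMode='insecure'>
      <listen type='address' address='0.0.0.0'/>
    </graphics>
  </devices>
</domain>
"""

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or unexpected value: do not assume local

def audit_spice(domain_xml):
    """Return one finding dict per SPICE <graphics> element."""
    findings = []
    for g in ET.fromstring(domain_xml).iter("graphics"):
        if g.get("type") != "spice":
            continue
        # Prefer nested <listen type='address'>; fall back to the attribute.
        addrs = [l.get("address") for l in g.findall("listen")
                 if l.get("type") == "address" and l.get("address")]
        if not addrs and g.get("listen"):
            addrs = [g.get("listen")]
        # libvirt's defaultMode is 'any' when omitted: TLS if available,
        # otherwise plaintext. Only 'secure' refuses plaintext channels.
        mode = g.get("defaultMode", "any")
        # No address in the XML is reported as non-local (conservative).
        local_only = bool(addrs) and all(is_loopback(a) for a in addrs)
        findings.append({
            "listen": addrs,
            "port": "auto" if g.get("autoport") == "yes" else g.get("port"),
            "tls_port": g.get("tlsPort"),
            "default_mode": mode,
            "remote_plaintext": (not local_only) and mode != "secure",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_spice(SAMPLE_XML):
        print(finding)
```

For a running guest, feed it the output of virsh dumpxml for that domain; 127.0.0.2 and other 127.0.0.0/8 addresses count as loopback.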
