On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote:
Hi!
This is my first post to either of these lists, I have been lurking,
(sorry to cross post but I don't know if this is a virt-manager or
libvirt question). So first off thank you to everyone for all your
efforts. I think libvirt and virt-manager are excellent! I've built
a pair of servers in the lab with a Xen stack and have been attempting
to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and
then libvirt 0.4.4 using TLS across the network in a "client / server"
configuration unsuccessfully. All the machines are on the same subnet
(192.168.4.x/24). I can make Virt-Manager communicate with Libvirt
over TCP without authentication so now that I know the installation
works I want to further secure it using TLS.
/usr/local/etc/libvirt/libvirtd.conf
listen_tcp = 1
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "none"
That's all fine.
I followed the configuration notes at:
http://libvirt.org/remote.html with a couple of exceptions:
1. I already have a linux based CA that I use with OpenVPN so I used that CA root
certificate and just generated client and server cert / key pairs for my client and server
(I tested with just one server)
That's fine - any CA will do the job.
2. I reverted back to the default libvirtd.conf to set up for TLS and
noticed that the default paths for the certificate locations were not in
line with the documentation on the web page but there were commented sections
as follows that matched the documentation, so I uncommented them:
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
No need to uncomment any of these - it's fine to use the default
settings built in to libvirt
#crl_file = "/etc/pki/CA/crl.pem"
Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time
Ok, no problem there.
3. On the server I execute "libvirtd --listen --verbose" (libvirtd output attached)
4. virt-manager 0.5.4 (as root), File, Open Connection
Hypervisor: Xen
Connection: Remote SSL/TLS with x509 certificate
Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)
The virt-manager console reports "unable to open a connection to the libvirt
management daemon. Verify that the libvirtd daemon has been started."
Then, in details there is a lot of info (see virt-manager output)
I'd recommend getting it working using virsh as a client first - this gives clearer
diagnostics. Once virsh is working, then virt-manager should just work too, although
it has an extra step required for VNC access.
That about sums it up. I have not read any instructions that ask me to copy
the CA root certificate to the client, is that required? And if so, where would
I put it?
Yes, the CA certificate needs to be on all machines - in the same location as
for the server - /etc/pki/CA/cacert.pem. The client cert needs to be in the
location /etc/pki/libvirt/clientcert.pem
There are some additional docs on the virt-manager wiki about the VNC
setup steps too:
http://virt-manager.org/page/RemoteTLS
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
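A pre-flight script, added here as an example and not part of this thread, that verifies the certificate material Daniel's reply calls for (shared CA cert present, host cert chained to it, private key matching the cert, server CN matching the hostname clients type in) before trying virsh. It needs only openssl; the hostname vxen-01.example.test, the throwaway PKI builder and the script name are constructed for offline use.

```shell
# Pre-flight check for libvirt TLS material (added example, not from the thread).
# Checks: the shared CA cert is present, the host cert chains to it, the private key
# belongs to that cert, and the server cert CN matches the hostname clients use.

# check_libvirt_tls_certs CA_FILE CERT_FILE KEY_FILE -> 0 if all checks pass, else 1
check_libvirt_tls_certs() {
    ca="$1"; cert="$2"; key="$3"; rc=0
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # The cert must be signed by the CA that every machine carries.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not chain to $ca" >&2; rc=1; }
    # The key must belong to the cert: compare the public keys they carry.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } \
        || { echo "$key does not match $cert" >&2; rc=1; }
    # A world-readable private key is a finding, but not a connection failure.
    [ -z "$(find "$key" -perm -004)" ] || echo "warning: $key is world-readable" >&2
    return "$rc"
}

# check_server_cn CERT_FILE HOSTNAME -> 0 if the cert's subject CN equals HOSTNAME
# (libvirt clients verify the server cert against the name they connected to).
check_server_cn() {
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/.*CN=//; s/,.*//')
    [ "$cn" = "$2" ]
}

# make_test_pki DIR: constructed throwaway CA plus a server cert/key signed by it,
# so the checks above can be exercised offline; never use this PKI for real hosts.
make_test_pki() {
    d="$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vxen-01.example.test" \
        -keyout "$d/serverkey.pem" -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -CAcreateserial -out "$d/servercert.pem" 2>/dev/null
}

# Usage: sh check-libvirt-tls.sh CA_FILE CERT_FILE KEY_FILE [HOSTNAME]
if [ "$#" -ge 3 ]; then
    check_libvirt_tls_certs "$1" "$2" "$3" && echo "cert/key/CA checks passed"
    [ "$#" -ge 4 ] && { check_server_cn "$2" "$4" || echo "CN does not match $4" >&2; }
fi
```

On a real host, run it with the libvirt default paths (/etc/pki/CA/cacert.pem, /etc/pki/libvirt/servercert.pem, /etc/pki/libvirt/private/serverkey.pem, or the clientcert/clientkey equivalents on the client) and the hostname you will pass to virsh.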