
On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote:
> Hi!
> This is my first post to either of these lists, I have been lurking (sorry to cross post, but I don't know if this is a virt-manager or libvirt question). So first off, thank you to everyone for all your efforts. I think libvirt and virt-manager are excellent! I've built a pair of servers in the lab with a Xen stack and have been attempting to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and then libvirt 0.4.4, using TLS across the network in a "client / server" configuration, unsuccessfully. All the machines are on the same subnet (192.168.4.x/24). I can make virt-manager communicate with libvirt over TCP without authentication, so now that I know the installation works I want to further secure it using TLS.
>
> /usr/local/etc/libvirt/libvirtd.conf
> listen_tcp = 1
> auth_unix_ro = "none"
> auth_unix_rw = "none"
> auth_tcp = "none"

That's all fine.

> I followed the configuration notes at http://libvirt.org/remote.html with a couple of exceptions:
>
> 1. I already have a Linux-based CA that I use with OpenVPN, so I used that CA root certificate and just generated client and server cert / key pairs for my client and server (I tested with just one server).

That's fine - any CA will do the job.

> 2. I reverted back to the default libvirtd.conf to set up for TLS and noticed that the default paths for the certificate locations were not in line with the documentation on the web page, but there were commented sections as follows that matched the documentation, so I uncommented them:
>
> key_file = "/etc/pki/libvirt/private/serverkey.pem"
> cert_file = "/etc/pki/libvirt/servercert.pem"
> ca_file = "/etc/pki/CA/cacert.pem"

No need to uncomment any of these - it's fine to use the default settings built in to libvirt.

> #crl_file = "/etc/pki/CA/crl.pem"
> Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time.

Ok, no problem there.

> 3. On the server I execute "libvirtd -listen -verbose" (libvirtd output attached).
>
> 4. virt-manager 0.5.4 (as root), File, Open Connection
> Hypervisor: Xen
> Connection: Remote SSL/TLS with x509 certificate
> Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)
>
> The virt-manager console reports "Unable to open a connection to the libvirt management daemon. Verify that the "libvirtd" daemon has been started." Then, in details, there is a lot of info (see virt-manager output).

I'd recommend getting it working using virsh as a client first - this gives clearer diagnostics. Once virsh is working, then virt-manager should just work too, although it has an extra step required for VNC access.

> That about sums it up. I have not read any instructions that ask me to copy the CA root certificate to the client. Is that required? And if so, where would I put it?

Yes, the CA certificate needs to be on all machines - in the same location as for the server - /etc/pki/CA/cacert.pem. The client cert needs to be in the location /etc/pki/libvirt/clientcert.pem

There are some additional docs on the virt-manager wiki about the VNC setup steps too

http://virt-manager.org/page/RemoteTLS

Daniel
-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
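The reply above spells out where the CA certificate, the server cert/key and the client cert/key have to live. The script below is an added example, not part of this thread and not libvirt's own tooling: it checks that layout on one machine before you point virsh or virt-manager at it, using the default libvirt paths named in the reply and openssl (assumed to be installed) to confirm that the private key is not readable by other users, that the certificate actually chains to the CA file the other side will trust, and that the key belongs to the certificate. The `PKI_ROOT` prefix is an assumption of this example so the check can be run against a staging directory; leave it empty to check the real filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the libvirt TLS file
# layout for a server or a client. PKI_ROOT is an assumed prefix for
# testing against a staging tree; empty means the real filesystem.

# Print the three files a role needs, one per line: CA cert, cert, key.
pki_paths() {
    root="${PKI_ROOT:-}"
    case "$1" in
        server)
            printf '%s\n%s\n%s\n' "$root/etc/pki/CA/cacert.pem" \
                "$root/etc/pki/libvirt/servercert.pem" \
                "$root/etc/pki/libvirt/private/serverkey.pem" ;;
        client)
            printf '%s\n%s\n%s\n' "$root/etc/pki/CA/cacert.pem" \
                "$root/etc/pki/libvirt/clientcert.pem" \
                "$root/etc/pki/libvirt/private/clientkey.pem" ;;
        *)
            echo "usage: pki_paths server|client" >&2; return 2 ;;
    esac
}

# Return 0 only if, for the given role, all three files are readable, the
# private key is mode 0600 or 0400, the certificate verifies against the
# CA file, and the key's public half matches the certificate's.
check_pki_layout() {
    paths=$(pki_paths "$1") || return 2
    set -- $paths
    ca=$1; cert=$2; key=$3
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # A world-readable key lets any local user impersonate this host.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "$key is mode $mode, expected 600" >&2; return 1 ;;
    esac
    # The cert must chain to the same CA the peer has in cacert.pem.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 1; }
    # Key and certificate must carry the same public key.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
        || { echo "$key does not match $cert" >&2; return 1; }
    return 0
}

# Stand-alone use:  sh check-libvirt-pki.sh server   (or client)
if [ "${1:-}" = server ] || [ "${1:-}" = client ]; then
    check_pki_layout "$1" && echo "$1 PKI layout OK"
fi
```

Run it as root on the libvirtd host with `server` and on the virt-manager machine with `client`; a non-zero exit with one of the messages above usually explains an "unable to open a connection" failure faster than the virt-manager details pane does, and once both sides pass, `virsh -c xen://HOST/` is the next thing to try, as the reply suggests.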