[Libvir] trouble using ssh tunnel for remote hypervisor

Hello.

I'm trying to use ssh tunnel for remote hypervisor access. However, I can't make it work...

[guillaume@oberkampf ~]$ LC_ALL=C virsh --connect xen+ssh://root@acacia.futurs.inria.fr list --all
libvir: error : could not connect to xen://
error: failed to connect to the hypervisor
error: no valid connection

On the remote host:

[root@acacia ~]# libvirtd --verbose
libvir: error : could not connect to xen://

It seems the error lies between libvirtd and the local hypervisor. And indeed, local usage of virsh with xen:// URLs fails:

[root@acacia ~]# LC_ALL=C virsh -c xen:// list
libvir: error : could not connect to xen://
error: failed to connect to the hypervisor
error: no valid connection

Using xen:///, instead of xen://, as explained at http://libvirt.org/uri.html, is OK, despite a few error messages:

[root@acacia ~]# LC_ALL=C virsh -c xen:/// list
libvir: Remote error : No such file or directory
libvir: warning : Failed to find the network: Is the daemon running ?
 Id Name                 State
----------------------------------
  0 Domain-0             running
  1 barman               blocked
  2 cocktail             blocked
  3 mojito               blocked

From the documentation, it seems xen:// transport implies TLS, and requires a host name, so it is quite normal it fails here (I didn't generate any certificate). But how can I force libvirtd to use xen:/// transport then? I don't see anything related in libvirt configuration documentation at http://libvirt.org/remote.html. Neither about how to configure it for listening on unix transport, as explained in svn+ssh transport requirements on the same page (but I presume it is the default)?

Also, where do those error and warning come from?

[root@acacia ~]# LC_ALL=C virsh -c xen:/// list
libvir: Remote error : No such file or directory
libvir: warning : Failed to find the network: Is the daemon running ?
[..]

I'm using libvirt 0.3.2 on mandriva 2007.1, with xen 3.1.0.

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

On Wed, Sep 26, 2007 at 11:47:40PM +0200, Guillaume Rousse wrote:
> Hello.
> I'm trying to use ssh tunnel for remote hypervisor access. However, I can't make it work...
> [guillaume@oberkampf ~]$ LC_ALL=C virsh --connect xen+ssh://root@acacia.futurs.inria.fr list --all

You are missing a trailing '/' on the URI - when we strip the hostname to make the remote URI, we end up with xen:// which is rejected by libxml's URI parser. Simply add a '/' after the hostname and you should be fine. It is rather annoying that libxml's parser rejects URIs only ending in two /, but not three. We should probably automatically add an extra trailing / if we find we only have two, because it's a common mistake.

> libvir: error : could not connect to xen://
> error: failed to connect to the hypervisor
> error: no valid connection
> On the remote host:
> [root@acacia ~]# libvirtd --verbose
> libvir: error : could not connect to xen://
> It seems the error lies between libvirtd and the local hypervisor. And indeed, local usage of virsh with xen:// URLs fails:
> [root@acacia ~]# LC_ALL=C virsh -c xen:// list

Yep, xen:// is not a valid URI for libxml parser.

> libvir: error : could not connect to xen://
> error: failed to connect to the hypervisor
> error: no valid connection
> Using xen:///, instead of xen://, as explained at http://libvirt.org/uri.html, is OK, despite a few error messages:
> [root@acacia ~]# LC_ALL=C virsh -c xen:/// list
> libvir: Remote error : No such file or directory
> libvir: warning : Failed to find the network: Is the daemon running ?

That is harmless unless you want to use the networking APIs.

> From the documentation, it seems xen:// transport implies TLS, and requires a host name, so it is quite normal it fails here (I didn't generate any certificate). But how can I force libvirtd to use xen:/// transport then? I don't see anything related in libvirt configuration documentation at http://libvirt.org/remote.html. Neither about how to configure it for listening on unix transport, as explained in svn+ssh transport requirements on the same page (but I presume it is the default)?

The daemon libvirtd will always listen for UNIX socket connections. You have to explicitly turn on TCP support, after having set up certificates. If using SSH, then we simply tunnel to the UNIX socket over SSH so all you need do is start the libvirtd daemon on the remote host.

> Also, where do those error and warning come from?
> [root@acacia ~]# LC_ALL=C virsh -c xen:/// list
> libvir: Remote error : No such file or directory
> libvir: warning : Failed to find the network: Is the daemon running ?

That is a sign that the libvirtd daemon is not running on the host in question.

Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
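
The URI handling described in the reply above, as an added example that is not part of the original thread and is not libvirt's code. The function name `derive_remote_uri` and the `add_missing_slash` option are hypothetical, and the rejection of a path-less URI is modelled as an error rather than produced by libxml's parser.

```python
from urllib.parse import urlsplit


def derive_remote_uri(client_uri, add_missing_slash=False):
    """Split driver+transport://[user@]host[/path] into
    (transport, ssh_target, uri_opened_on_the_remote_host)."""
    parts = urlsplit(client_uri)
    driver, _, transport = parts.scheme.partition("+")
    if not driver or not parts.hostname:
        raise ValueError("expected driver[+transport]://[user@]host/path")

    path = parts.path
    if not path:
        # Dropping the transport and host leaves "xen://", the form the
        # thread reports as rejected. Modelled here as an error unless the
        # caller opts in to the automatic fix proposed in the reply.
        if not add_missing_slash:
            raise ValueError(
                f"remote URI would be {driver}:// ; add '/' after the hostname")
        path = "/"

    target = parts.hostname
    if parts.username:
        target = f"{parts.username}@{target}"
    # With the host removed, the remote side opens a local URI.
    return transport, target, f"{driver}://{path}"


if __name__ == "__main__":
    for uri in ("xen+ssh://root@acacia.futurs.inria.fr",    # as typed in the thread
                "xen+ssh://root@acacia.futurs.inria.fr/"):  # corrected form
        try:
            print(uri, "->", derive_remote_uri(uri))
        except ValueError as exc:
            print(uri, "-> rejected:", exc)
```
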

Daniel P. Berrange wrote:
> On Wed, Sep 26, 2007 at 11:47:40PM +0200, Guillaume Rousse wrote:
> > Hello.
> > I'm trying to use ssh tunnel for remote hypervisor access. However, I can't make it work...
> > [guillaume@oberkampf ~]$ LC_ALL=C virsh --connect xen+ssh://root@acacia.futurs.inria.fr list --all

> You are missing a trailing '/' on the URI - when we strip the hostname to make the remote URI, we end up with xen:// which is rejected by libxml's URI parser. Simply add a '/' after the hostname and you should be fine.

Ahhhhhhh.... Thanks a lot.

> It is rather annoying that libxml's parser rejects URIs only ending in two /, but not three. We should probably automatically add an extra trailing / if we find we only have two, because it's a common mistake.

It would be more idiot-proof :)

[..]

> > From the documentation, it seems xen:// transport implies TLS, and requires a host name, so it is quite normal it fails here (I didn't generate any certificate). But how can I force libvirtd to use xen:/// transport then? I don't see anything related in libvirt configuration documentation at http://libvirt.org/remote.html. Neither about how to configure it for listening on unix transport, as explained in svn+ssh transport requirements on the same page (but I presume it is the default)?

> The daemon libvirtd will always listen for UNIX socket connections. You have to explicitly turn on TCP support, after having set up certificates. If using SSH, then we simply tunnel to the UNIX socket over SSH so all you need do is start the libvirtd daemon on the remote host.

Can you rephrase the documentation a little bit then? It seems to imply you have to do some additional libvirtd configuration for ssh transport usage.

> > Also, where do those error and warning come from?
> > [root@acacia ~]# LC_ALL=C virsh -c xen:/// list
> > libvir: Remote error : No such file or directory
> > libvir: warning : Failed to find the network: Is the daemon running ?

> That is a sign that the libvirtd daemon is not running on the host in question.

However it is running:

[root@acacia ~]# service libvirtd start
Lancement du service libvirtd : [ OK ]
[root@acacia ~]# LC_ALL=C virsh -c xen:/// list
libvir: Remote error : No such file or directory
libvir: warning : Failed to find the network: Is the daemon running ?
 Id Name                 State
----------------------------------
  0 Domain-0             running
  1 barman               blocked
  2 cocktail             blocked
  3 mojito               blocked
[root@acacia ~]# service libvirtd status
libvirtd (pid 19102) est en cours d'exécution...

--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62

Guillaume Rousse wrote:
> Daniel P. Berrange wrote:
> > The daemon libvirtd will always listen for UNIX socket connections. You have to explicitly turn on TCP support, after having set up certificates. If using SSH, then we simply tunnel to the UNIX socket over SSH so all you need do is start the libvirtd daemon on the remote host.

> Can you rephrase the documentation a little bit then? It seems to imply you have to do some additional libvirtd configuration for ssh transport usage.

Suggested change to the documentation attached.

> > > Also, where do those error and warning come from?
> > > [root@acacia ~]# LC_ALL=C virsh -c xen:/// list
> > > libvir: Remote error : No such file or directory
> > > libvir: warning : Failed to find the network: Is the daemon running ?

> > That is a sign that the libvirtd daemon is not running on the host in question.

Well sometimes, but also it can be a sign that virsh is trying to use the wrong Unix socket, or that the Unix socket has the wrong permissions or is otherwise inaccessible. Try:

/usr/sbin/libvirtd --help

(which should print out all the paths expected by libvirtd) and:

strace virsh -c xen:/// list

which should tell you what socket virsh is trying to connect on.

In any case this warning can be ignored unless you want to manipulate networks.

Rich.
--
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SL4 1TE, United Kingdom.
Registered in England and Wales under Company Registration No. 03798903
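
A way to tell apart the causes listed in the message above (daemon not running, wrong socket path, wrong permissions), as an added example that is not part of the original thread. The function name and result labels are hypothetical; the socket paths are not given on the page, so the script takes them as arguments, for instance the ones printed by `/usr/sbin/libvirtd --help`.

```python
import errno
import os
import socket
import stat
import sys


def diagnose_unix_socket(path):
    """Classify why a client can or cannot reach the UNIX socket at `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"            # ENOENT, "No such file or directory"
    except PermissionError:
        return "unreachable"        # a parent directory denies search access
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"

    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.connect(path)
    except PermissionError:
        return "permission-denied"  # socket mode or ownership excludes this user
    except ConnectionRefusedError:
        return "stale"              # file left behind, no daemon listening
    except OSError as exc:
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        client.close()
    return "ok"


if __name__ == "__main__":
    # Usage: python3 this_script.py <socket-path> [<socket-path> ...]
    for candidate in sys.argv[1:]:
        print(f"{candidate}: {diagnose_unix_socket(candidate)}")
```

Run it as the same user that runs virsh, since a permission result depends on who is connecting.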

On Thu, Sep 27, 2007 at 10:37:47AM +0100, Richard W.M. Jones wrote:
> Guillaume Rousse wrote:
> > Daniel P. Berrange wrote:
> > > The daemon libvirtd will always listen for UNIX socket connections. You have to explicitly turn on TCP support, after having set up certificates. If using SSH, then we simply tunnel to the UNIX socket over SSH so all you need do is start the libvirtd daemon on the remote host.

> > Can you rephrase the documentation a little bit then? It seems to imply you have to do some additional libvirtd configuration for ssh transport usage.

> Suggested change to the documentation attached.

> > > > Also, where do those error and warning come from?
> > > > [root@acacia ~]# LC_ALL=C virsh -c xen:/// list
> > > > libvir: Remote error : No such file or directory
> > > > libvir: warning : Failed to find the network: Is the daemon running ?

> > > That is a sign that the libvirtd daemon is not running on the host in question.

> Well sometimes, but also it can be a sign that virsh is trying to use the wrong Unix socket, or that the Unix socket has the wrong permissions or is otherwise inaccessible. Try:

Actually on my F8 test machine I saw this yesterday, but I rebooted the machine to another OS in the meantime.

> /usr/sbin/libvirtd --help
> (which should print out all the paths expected by libvirtd) and:
> strace virsh -c xen:/// list
> which should tell you what socket virsh is trying to connect on.
> In any case this warning can be ignored unless you want to manipulate networks.

Still if this occurs on a default installation, it would be great to avoid it, sorry I didn't take the time to chase it yesterday :-\

Daniel
--
Red Hat Virtualization group http://redhat.com/virtualization/
Daniel Veillard | virtualization library http://libvirt.org/
veillard@redhat.com | libxml GNOME XML XSLT toolkit http://xmlsoft.org/
http://veillard.com/ | Rpmfind RPM search engine http://rpmfind.net/