[libvirt-users] How to migrate over TCP without certs

Hey guys,

I have a private network and I trust it! /me hides behind trees...

So, in order to exercise my trust, I wanna migrate guests over TCP; with and without shared storage.

This is:
- I want to migrate from host1 to host2; which have shared storage; over TCP without certs
- I want to migrate from host1 to host99, which don't have shared storage, over TCP without certs

I am asking because, every time I try anything, it complains:

error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory

If I need to setup this cacert, no problem; point me to it!

Anyway, thank you for taking the time to read this email.

Fedora 17 x86_64
libvirt-0.9.11.5-3.fc17.x86_64
qemu-kvm-1.0.1-1.fc17.x86_64
private network on vlan2, Dual 10 Gbps bonded (20, perhaps?)

--
It's hard to be free... but I love to struggle. Love isn't asked for; it's just given. Respect isn't asked for; it's earned!
Renich Bon Ciric
http://www.woralelandia.com/
http://www.introbella.com/

On Wed, Sep 12, 2012 at 07:20:15PM -0500, Renich Bon Ciric wrote:
> Hey guys,
> I have a private network and I trust it! /me hides behind trees...
> So, in order to exercise my trust, I wanna migrate guests over TCP; with and without shared storage.
> This is:
> - I want to migrate from host1 to host2; which have shared storage; over TCP without certs
> - I want to migrate from host1 to host99, which don't have shared storage, over TCP without certs
> I am asking because, every time I try anything, it complains:
> error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
> If I need to setup this cacert, no problem; point me to it!

The libvirtd config defaults to TLS, so you need to explicitly turn that off by editing /etc/libvirt/libvirtd.conf and set listen_tls=0 and listen_tcp=1

Even though you "trust" your network, I'd still advise doing some level of auth. If you configure SASL with TCP, and use the Digest-MD5 protocol for SASL you'll get reasonably strong password auth + channel encryption.

http://libvirt.org/auth.html#ACL_server_username

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
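
An added example, not part of the thread or of libvirt: a shell check that reads a libvirtd.conf and reports whether the plain TCP listener described in the reply above is left without authentication. The function names and sample files are constructed here, and the values used for unset keys (listen_tcp=0, listen_tls=1, auth_tcp="sasl") are assumptions about libvirt's stock defaults.

```shell
#!/bin/sh
# Added example (not from the thread): flag a libvirtd.conf that exposes the
# plain TCP listener without authentication.
# Assumed defaults when a key is unset: listen_tcp=0, listen_tls=1, auth_tcp="sasl".

# conf_get FILE KEY DEFAULT: last uncommented value of KEY, quotes stripped.
conf_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# audit_libvirtd_conf FILE: print a one-line verdict for the TCP listener.
audit_libvirtd_conf() {
    tcp=$(conf_get "$1" listen_tcp 0)
    tls=$(conf_get "$1" listen_tls 1)
    auth=$(conf_get "$1" auth_tcp sasl)
    if [ "$tcp" != 1 ]; then
        echo "OK tcp-disabled listen_tls=$tls"
    elif [ "$auth" = none ]; then
        # Plain TCP with no SASL: no authentication and cleartext traffic.
        echo "RISK tcp-unauthenticated listen_tls=$tls"
    else
        echo "OK tcp-auth=$auth listen_tls=$tls"
    fi
}

# Constructed sample configs: the thread's TCP settings with and without SASL.
samples=$(mktemp -d)
cat > "$samples/open.conf" <<'EOF'
listen_tls = 0
listen_tcp = 1
auth_tcp = "none"
EOF
cat > "$samples/sasl.conf" <<'EOF'
listen_tls = 0
listen_tcp = 1
#auth_tcp = "none"
auth_tcp = "sasl"
EOF

for f in "$samples"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_libvirtd_conf "$f")"
done
```

RFC 6331 moved DIGEST-MD5 to Historic status in 2011, so when enabling SASL on a current libvirt, take the mechanism from the libvirt authentication documentation for that release.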

On 09/13/2012 02:20 AM, Renich Bon Ciric wrote:
> Hey guys,
> I have a private network and I trust it! /me hides behind trees...
> So, in order to exercise my trust, I wanna migrate guests over TCP; with and without shared storage.
> This is:
> - I want to migrate from host1 to host2; which have shared storage; over TCP without certs
> - I want to migrate from host1 to host99, which don't have shared storage, over TCP without certs
> I am asking because, every time I try anything, it complains:
> error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
> If I need to setup this cacert, no problem; point me to it!

I'd be glad to help with setting up the certs if you want. I've always found it long, hard and stressing, but there is a _great_ how-to [1] that makes it super fast and easy. Plus it's fun and it's free ;-)

Feel free to ask if you have any more questions.

Have a nice day,
Martin

[1] http://libvirt.org/remote.html#Remote_certificates

On Thu, Sep 13, 2012 at 11:33:16AM +0200, Martin Kletzander wrote:
> On 09/13/2012 02:20 AM, Renich Bon Ciric wrote:
>> Hey guys,
>> I have a private network and I trust it! /me hides behind trees...
>> So, in order to exercise my trust, I wanna migrate guests over TCP; with and without shared storage.
>> This is:
>> - I want to migrate from host1 to host2; which have shared storage; over TCP without certs
>> - I want to migrate from host1 to host99, which don't have shared storage, over TCP without certs
>> I am asking because, every time I try anything, it complains:
>> error: Cannot read CA certificate '/etc/pki/CA/cacert.pem': No such file or directory
>> If I need to setup this cacert, no problem; point me to it!
> I'd be glad to help with setting up the certs if you want. I've always found it long, hard and stressing, but there is a _great_ how-to [1] that makes it super fast and easy. Plus it's fun and it's free ;-) Feel free to ask if you have any more questions.

I wrote a slightly stupid script to try to automate some of that

https://www.redhat.com/archives/libvir-list/2012-February/msg00774.html

Happy to see people improve that and turn it into something we can ship as supported by libvirt

Daniel

Hey guys,

thanks a lot for the replies and all. Honestly, I ended up setting up the certs.

Here's a little script I made (yeah, another one...) to ease the pain. Feel free to modify as you please.

--
Renich Bon Ciric

On 09/20/2012 09:04 AM, Renich Bon Ciric wrote:
> This would be the updated version.

Can you convince your mailer to send scripts as type text/plain instead of application/octet-stream? It would make inline review a lot easier.

--
Eric Blake eblake@redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Thu, Sep 20, 2012 at 10:16 AM, Eric Blake <eblake@redhat.com> wrote:
> Can you convince your mailer to send scripts as type text/plain instead of application/octet-stream? It would make inline review a lot easier.

Ah, sorry. Gmail online interface... I'll see if there is something... I doubt it, though.

I will use Evolution for any future attachments, ok?

--
Renich Bon Ciric

participants (4)
- Daniel P. Berrange
- Eric Blake
- Martin Kletzander
- Renich Bon Ciric