[et-mgmt-tools] Virt-Manager, libvirt & TLS
Daniel P. Berrange
berrange at redhat.com
Thu Jul 24 11:18:35 UTC 2008
On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote:
> Hi!
>
> This is my first post to either of these lists, I have been lurking,
> (sorry to cross post but I don't know if this is a virt-manager or
> libvirt question). So first off thank you to everyone for all your
> efforts. I think libvirt and virt-manager are excellent! I've built
> a pair of servers in the lab with a Xen stack and have been attempting
> to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and
> then libvirt 0.4.4 using TLS across the network in a "client / server"
> configuration unsuccessfully. All the machines are on the same subnet
> (192.168.4.x/24). I can make Virt-Manager communicate with Libvirt
> over TCP without authentication so now that I know the installation
> works I want to further secure it using TLS.
>
> /usr/local/etc/libvirt/libvirtd.conf
>
> listen_tcp = 1
> auth_unix_ro = "none"
> auth_unix_rw = "none"
> auth_tcp = "none"
That's all fine.
> I followed the configuration notes at: http://libvirt.org/remote.html with a couple of exceptions:
>
> 1. I already have a linux based CA that I use with OpenVPN so I used that CA root certificate and just generated client and server cert / key pairs for my client and server (I tested with just one server)
That's fine - any CA will do the job.
> 2. I reverted back to the default libvirtd.conf to setup for TLS and
> noticed that the default paths for the certificate locations were not in
> line with the documentation on the web page but there were commented sections
> as follows that matched the documentation, so I uncommented them:
>
> key_file = "/etc/pki/libvirt/private/serverkey.pem"
> cert_file = "/etc/pki/libvirt/servercert.pem"
> ca_file = "/etc/pki/CA/cacert.pem"
No need to uncomment any of these - it's fine to use the default
settings built in to libvirt.
>
> #crl_file = "/etc/pki/CA/crl.pem"
> Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time
Ok, no problem there.
> 3. On the server I execute "libvirtd -listen -verbose" (libvirtd output) attached
>
> 4. virt-manager 0.5.4 (as root) , File, Open Connection
> Hypervisor: Xen
>
> Connection: Remote SSL/TLS with x509 certificate
>
> Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)
>
> The virt-manager console reports "unable to open a connection to the libvirt
> management daemon". Verify that the "libvirtd" daemon has been started. Then,
> in details there is a lot of info (see virt-manager output)
I'd recommend getting it working using virsh as a client first - this gives clearer
diagnostics. Once virsh is working, then virt-manager should just work too, although
it has an extra step required for VNC access.
> That about sums it up. I have not read any instructions that ask me to copy
> the CA root certificate to the client, is that required? And if so where would
> I put it.
Yes, the CA certificate needs to be on all machines - in the same location as
for the server - /etc/pki/CA/cacert.pem. The client cert needs to be in the
location /etc/pki/libvirt/clientcert.pem
There are some additional docs on the virt-manager wiki about the VNC
setup steps too
http://virt-manager.org/page/RemoteTLS
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
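An added example (not part of the thread, and not libvirt's own tooling) of the check Daniel's advice implies: before reaching for virsh or virt-manager, confirm that the client side has the three files libvirt looks for, that the client certificate actually chains to the CA the server trusts, and that the private key matches the certificate. The script mirrors the paths named in the reply under a PREFIX so it can be exercised against a throwaway CA; `make_tls_layout` generates that constructed CA and client cert with openssl as a stand-in for the poster's OpenVPN CA, and `check_tls_client ""` (empty prefix) checks the real /etc/pki paths on a client. It assumes openssl is installed.

```shell
#!/bin/sh
# Added example: verify the libvirt TLS client certificate layout before
# trying "virsh -c xen+tls://host/". Not from the original thread.

# Build a toy CA and a client cert signed by it under $1 (constructed test
# data, stand-in for the poster's OpenVPN CA). Paths mirror the reply:
#   $1/etc/pki/CA/cacert.pem
#   $1/etc/pki/libvirt/clientcert.pem
#   $1/etc/pki/libvirt/private/clientkey.pem
make_tls_layout() {
    prefix=$1
    mkdir -p "$prefix/etc/pki/CA" "$prefix/etc/pki/libvirt/private"
    # CA key and self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Lab CA" \
        -keyout "$prefix/etc/pki/CA/cakey.pem" \
        -out "$prefix/etc/pki/CA/cacert.pem" >/dev/null 2>&1
    # client key and CSR, then sign the CSR with the CA
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=client.example.test" \
        -keyout "$prefix/etc/pki/libvirt/private/clientkey.pem" \
        -out "$prefix/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$prefix/client.csr" \
        -CA "$prefix/etc/pki/CA/cacert.pem" \
        -CAkey "$prefix/etc/pki/CA/cakey.pem" -CAcreateserial \
        -out "$prefix/etc/pki/libvirt/clientcert.pem" >/dev/null 2>&1
}

# Check a client's TLS material. $1 is a prefix ("" for the live /etc paths).
# Returns 0 if all files exist, the cert verifies against the CA, and the key
# belongs to the cert; otherwise prints the reason to stderr and returns 1-3.
check_tls_client() {
    prefix=${1:-}
    ca="$prefix/etc/pki/CA/cacert.pem"
    cert="$prefix/etc/pki/libvirt/clientcert.pem"
    key="$prefix/etc/pki/libvirt/private/clientkey.pem"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The server only accepts clients whose cert chains to its ca_file.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not verify against $ca" >&2; return 2; }
    # A cert/key mismatch fails the handshake with an equally vague error,
    # so compare the public key embedded in each.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key does not match $cert" >&2; return 3; }
    return 0
}
```

Once `check_tls_client ""` passes on the client, `virsh -c xen+tls://vxen-01.aenigmacorp.com/ list` exercises the same files and gives a clearer error than virt-manager if the server side (servercert.pem, serverkey.pem, and the hostname in the server cert's CN) is still wrong.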