[et-mgmt-tools] Virt-Manager, libvirt & TLS

Daniel P. Berrange berrange at redhat.com
Thu Jul 24 11:18:35 UTC 2008


On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote:
> Hi!
> 
>  
> 
> This is my first post to either of these list, I have been lurking,
> (sorry to cross post but I don't know if this is a virt-manager or 
> libvirt question).  So first off thank you to everyone for all your
> efforts. I think libvirt and virt-manager are excellent!  I've built
> a pair of server s in the lab with a Xen stack and have been attempting
> to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and
> then libvirt 0.4.4 using TLS across the network in a "client / server"
> configuration unsuccessfully.  All the machines are on the same subnet
>  (192.168.4.x/24).  I can make Virt-Manager communicate with Libvirt 
> over TCP without authentication so now that I know the installation 
> works I want to further secure it using TLS.
> 

> /usr/local/etc/libvirt/libvirtd.conf
> 
>  
> 
> Listen_tcp = 1
> 
> auth_unix_ro = "none"
> 
> auth_unix_rw="none"
> 
> auth_tcp="none"

That's all fine.

> I followed the configuration notes at:   http://libvirt.org/remote.html with a couple of exceptions:
> 
> 1.       I already have a linux based CA that I use with OpenVPN so I used that CA root certificate and just generated client and server cert / key pairs for my client and server (I tested with just one server)

That's fine - any CA will do the job.

> 2.       I reverted back to the default libvirtd.conf to setup for TLS and 
> noticed that the default paths for the certificate locations were not in 
> line with the documentation on the web page but there were commented sections
> as follows that matched the documentation, so I uncommented them:
>
> key_file = "/etc/pki/libvirt/private/serverkey.pem"
> cert_file = "/etc/pki/libvirt/servercert.pem"
> ca_file = "/etc/pki/CA/cacert.pem"

No need to uncomment any of these - its fine to use the the default
settings built-in to libvirt

> 
> #crl_file = "/etc/pki/CA/crl.pem"
> Note:  I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time

Ok, no problem there.

> 3.       On the server I execute "libvirtd -listen -verbose" (libvirtd output) attached
> 
> 4.       virt-manager 0.5.4 (as root) , File, Open Connection
> Hypervisor: Xen
> 
> Connection: Remote SSL/TLS with x509 certificate
> 
> Hostname:  vxen-01.aenigmacorp.com (I have a host entry for this machine)
> 
>  
> 
> The virt-manager console reports "unable to open a connection to the libvirt 
> management daemon".  Verify that the "libvirtd" daemon has been started.  Then,
> in details there is a lot of info (see virt-manager output)

I'd recommend getting it working using  virsh as a client first - this gives clearer
diagnostics. Once virsh is working, then virt-manager should just work too, although
it has an extra step required for VNC access.


> That about sums it up.  I have not read any instructions that ask me to copy 
> the CA root certificate to the client, is that required?  And if so where would
> I put it.

Yes, the CA certificate needs to be on all machines - in the same location as
for the server - /etc/pki/CA/cacert.pem. The client server needs to be in the
loication /etc/pki/libvirt/clientcert.pem

There are some additional docs on the virt-manager wiki about the VNC
setup steps too

http://virt-manager.org/page/RemoteTLS


Daniel
-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|




More information about the et-mgmt-tools mailing list