<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Mincho";}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:286816393;
mso-list-type:hybrid;
mso-list-template-ids:1552436226 134807567 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:703866064;
mso-list-type:hybrid;
mso-list-template-ids:-57478598 134807567 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l1:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2
{mso-list-id:727459560;
mso-list-type:hybrid;
mso-list-template-ids:-1732988564 134807567 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l2:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l3
{mso-list-id:877200969;
mso-list-type:hybrid;
mso-list-template-ids:-2068021014 134807567 134807577 134807579 134807567 134807577 134807579 134807567 134807577 134807579;}
@list l3:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:18.0pt;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-GB link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hi!<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>This is my first post to either of these list, I have been
lurking, (sorry to cross post but I don’t know if this is a virt-manager
or libvirt question). So first off thank you to everyone for all your efforts.
I think libvirt and virt-manager are excellent! I’ve built a pair of
server s in the lab with a Xen stack and have been attempting to get
virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and then libvirt
0.4.4 using TLS across the network in a “client / server”
configuration unsuccessfully. All the machines are on the same subnet
(192.168.4.x/24). I can make Virt-Manager communicate with Libvirt over TCP
without authentication so now that I know the installation works I want to
further secure it using TLS.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’ve read everything I can get my hands on, subscribe
to the lists and feel that I must be making a simple error ;I could really use
a fresh perspective. I would really appreciate any feedback you can offer.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here’s my configuration and testing method.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><u>Workstation<o:p></o:p></u></p>
<p class=MsoNormal>Ubuntu Hardy Heron 64 bit<o:p></o:p></p>
<p class=MsoNormal>Virt-manager 0.5.4<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><u>Server<o:p></o:p></u></p>
<p class=MsoNormal><span lang=FR-CH>Distribution = CentOS 5.1 (64 bit)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=FR-CH>Kernel = 2.6.18.8-xen (compiled from
source)<o:p></o:p></span></p>
<p class=MsoNormal><span lang=FR-CH>Xen = 3.2.1.gz<o:p></o:p></span></p>
<p class=MsoNormal><span lang=FR-CH><o:p> </o:p></span></p>
<p class=MsoNormal>virsh # version<o:p></o:p></p>
<p class=MsoNormal>Compiled against library: libvir 0.4.4<o:p></o:p></p>
<p class=MsoNormal>Using library: libvir 0.4.4<o:p></o:p></p>
<p class=MsoNormal>Using API: Xen 3.0.1<o:p></o:p></p>
<p class=MsoNormal>Running hypervisor: Xen 3.2.0<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>/usr/local/etc/libvirt/libvirtd.conf<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Listen_tcp = 1<o:p></o:p></p>
<p class=MsoNormal>auth_unix_ro = “none”<o:p></o:p></p>
<p class=MsoNormal>auth_unix_rw=”none”<o:p></o:p></p>
<p class=MsoNormal>auth_tcp=”none”<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>In this configuration I can use “Remove Password or
Kerberos” to connect. I just enter the hostname of the Xen machine and Virt-Manager
lets me see all the Domains that are running (or shutdown if I virsh define
them) as well as look at their consoles (if the vfb is configured correctly).<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I followed the configuration notes at: <a
href="http://libvirt.org/remote.html">http://libvirt.org/remote.html</a> with a
couple of exceptions:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]><span dir=LTR></span>I already have a linux based CA
that I use with OpenVPN so I used that CA root certificate and just generated
client and server cert / key pairs for my client and server (I tested with just
one server)<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]><span dir=LTR></span>I reverted back to the default
libvirtd.conf to setup for TLS and noticed that the default paths for the
certificate locations were not in line with the documentation on the web page but
there were commented sections as follows that matched the documentation, so I
uncommented them:<br>
key_file = “/etc/pki/libvirt/private/serverkey.pem”<br>
cert_file = “/etc/pki/libvirt/servercert.pem”<br>
ca_file = “/etc/pki/CA/cacert.pem”<o:p></o:p></p>
<p class=MsoListParagraph>#crl_file = “/etc/pki/CA/crl.pem”<br>
Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at
this time<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]><span dir=LTR></span>On the server I execute “libvirtd
–listen –verbose” (libvirtd output) attached<o:p></o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]><span dir=LTR></span>virt-manager 0.5.4 (as root) ,
File, Open Connection<br>
Hypervisor: Xen<o:p></o:p></p>
<p class=MsoListParagraph>Connection: Remote SSL/TLS with x509 certificate<o:p></o:p></p>
<p class=MsoListParagraph>Hostname: vxen-01.aenigmacorp.com (I have a host
entry for this machine)<o:p></o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph>The virt-manager console reports “unable to open
a connection to the libvirt management daemon”. Verify that the “libvirtd”
daemon has been started. Then, in details there is a lot of info (see
virt-manager output)<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo1'><![if !supportLists]><span
style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'>
</span></span><![endif]><span dir=LTR></span>If I tail /root/.virt-manager/virt-manager.log
I get the following output (see virt-manager.log) <o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>That about sums it up. I have not read any instructions
that ask me to copy the CA root certificate to the client, is that required?
And if so where would I put it. Also, whenever I attempt to connect there are
no errors appearing in the libvirtd output, which is a bit surprising. I would
have expected that by using –verbose on the libvirtd command line that i
would see more info. Lin 94 in the libvirt.py script is definitely trying to
do some kind of authentication but I don’t really know what to do to
troubleshot this next? I still don’t know if my issue is related to the
client or the server?<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Any advice would be greatly appreciated.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Many thanks<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Geoff Wiener<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoListParagraph><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>