[libvirt] Virt-Manager, libvirt & TLS

Geoff Wiener gwiener at aenigmacorp.com
Thu Jul 24 10:13:28 UTC 2008


Hi!

This is my first post to either of these lists; I have been lurking (sorry to cross-post, but I don't know if this is a virt-manager or libvirt question). So first off, thank you to everyone for all your efforts. I think libvirt and virt-manager are excellent! I've built a pair of servers in the lab with a Xen stack and have been attempting, unsuccessfully, to get virt-manager 0.5.4 to communicate with first libvirt 0.4.2 and then libvirt 0.4.4 using TLS across the network in a "client / server" configuration. All the machines are on the same subnet (192.168.4.x/24). I can make Virt-Manager communicate with Libvirt over TCP without authentication, so now that I know the installation works I want to further secure it using TLS.

I've read everything I can get my hands on, subscribed to the lists and feel that I must be making a simple error; I could really use a fresh perspective. I would really appreciate any feedback you can offer.

Here's my configuration and testing method.

Workstation
Ubuntu Hardy Heron 64 bit
Virt-manager 0.5.4

Server
Distribution = CentOS 5.1 (64 bit)
Kernel = 2.6.18.8-xen (compiled from source)
Xen = 3.2.1.gz

virsh # version
Compiled against library: libvir 0.4.4
Using library: libvir 0.4.4
Using API: Xen 3.0.1
Running hypervisor: Xen 3.2.0

/usr/local/etc/libvirt/libvirtd.conf

listen_tcp = 1
auth_unix_ro = "none"
auth_unix_rw = "none"
auth_tcp = "none"

In this configuration I can use "Remote Password or Kerberos" to connect. I just enter the hostname of the Xen machine and Virt-Manager lets me see all the Domains that are running (or shut down, if I virsh define them) as well as look at their consoles (if the vfb is configured correctly).

I followed the configuration notes at http://libvirt.org/remote.html with a couple of exceptions:

1. I already have a Linux-based CA that I use with OpenVPN, so I used that CA root certificate and just generated client and server cert/key pairs for my client and server (I tested with just one server).

2. I reverted back to the default libvirtd.conf to set up for TLS and noticed that the default paths for the certificate locations were not in line with the documentation on the web page, but there were commented sections as follows that matched the documentation, so I uncommented them:

key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"

#crl_file = "/etc/pki/CA/crl.pem"

Note: I did not uncomment the crl_file path as I do not want to use a CRL at this time.

3. On the server I execute "libvirtd -listen -verbose" (libvirtd output attached).

4. virt-manager 0.5.4 (as root), File, Open Connection
Hypervisor: Xen
Connection: Remote SSL/TLS with x509 certificate
Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)

The virt-manager console reports "unable to open a connection to the libvirt management daemon. Verify that the 'libvirtd' daemon has been started." Then, in details, there is a lot of info (see virt-manager output).

5. If I tail /root/.virt-manager/virt-manager.log I get the following output (see virt-manager.log).

That about sums it up. I have not read any instructions that ask me to copy the CA root certificate to the client; is that required? And if so, where would I put it? Also, whenever I attempt to connect there are no errors appearing in the libvirtd output, which is a bit surprising. I would have expected that by using -verbose on the libvirtd command line I would see more info. Line 94 in the libvirt.py script is definitely trying to do some kind of authentication, but I don't really know what to do to troubleshoot this next. I still don't know if my issue is related to the client or the server.

Any advice would be greatly appreciated.

Many thanks,

Geoff Wiener
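
A quick way to rule the certificate side in or out, as an added example that is not part of the original post or of libvirt itself: a POSIX shell function that checks, with openssl, that a cert chains to the CA file the peer trusts, that the key on disk belongs to that cert, and that the cert's CN is the hostname the client dials. The server paths are the ones from the libvirtd.conf above; the client-side paths named in the comments are the defaults from the remote.html page linked in the post, and the test certificates are generated throwaway values.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check the x509
# files before pointing virt-manager at a libvirtd listening with TLS.
# Server paths are the ones in the post's libvirtd.conf; the client-side
# defaults (from http://libvirt.org/remote.html, assumed here) are
# /etc/pki/CA/cacert.pem, /etc/pki/libvirt/clientcert.pem and
# /etc/pki/libvirt/private/clientkey.pem on the virt-manager machine.
set -u

# check_libvirt_tls CA CERT KEY HOST
# Returns 0 when CERT chains to CA, KEY is CERT's private key and CERT's
# CN equals HOST (the name the client dials); prints the first failure.
check_libvirt_tls() {
    ca="$1"; cert="$2"; key="$3"; host="$4"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 1; }
    done
    # 1. trust: each side only accepts certs issued by the CA file it holds,
    #    so the client needs the same cacert.pem as the server
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert is not signed by $ca"; return 1; }
    # 2. key pair: public key embedded in CERT must equal KEY's public half
    cpub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null || true)
    kpub=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
        || { echo "$key is not the private key for $cert"; return 1; }
    # 3. identity: the client compares the server cert's CN with the
    #    hostname it connected to, so a mismatch fails the handshake
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$host" ] \
        || { echo "CN '$cn' does not match host '$host'"; return 1; }
    # 4. hygiene: a world-readable private key defeats client-cert auth
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] \
        || echo "warning: $key is world-readable"
    return 0
}

# Usage on the server from the post (only runs if the files are in place).
if [ -r /etc/pki/libvirt/servercert.pem ]; then
    check_libvirt_tls /etc/pki/CA/cacert.pem /etc/pki/libvirt/servercert.pem \
        /etc/pki/libvirt/private/serverkey.pem "$(hostname -f)"
fi
```

Run the same function on the workstation against cacert.pem, clientcert.pem and clientkey.pem (with the client's own hostname as the fourth argument) to confirm the client half is in place too.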

-------------- next part --------------
A non-text attachment was scrubbed...
Name: libvirtd output
Type: application/octet-stream
Size: 5047 bytes
Desc: libvirtd output
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20080724/2636ee36/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: virt-manager output
Type: application/octet-stream
Size: 523 bytes
Desc: virt-manager output
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20080724/2636ee36/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: virt-manager.log
Type: application/octet-stream
Size: 1697 bytes
Desc: virt-manager.log
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20080724/2636ee36/attachment-0005.obj>