[libvirt] A script for setting up x509 certs for libvirt/spice/vnc

Alex Jia ajia at redhat.com
Fri Feb 17 15:10:10 UTC 2012


Daniel, Great! I want it.

Thanks,
Alex


----- Original Message -----
From: "Daniel P. Berrange" <berrange at redhat.com>
To: libvir-list at redhat.com
Sent: Friday, February 17, 2012 10:22:25 PM
Subject: [libvirt] A script for setting up x509 certs for libvirt/spice/vnc

After 4 years of swearing at the pain of setting up x509 certs, I finally
decided to try to write a script to automate it.

I'm attaching a very raw proof of concept called "virt-pki-admin.pl".

It does the following

 * Create CA key+cert
 * Create server + client keys+cert & sign with the CA
 * Copy server/client certs to remote hosts into correct directories

which is sufficient to get up & running with libvirtd/virt-manager/virsh
etc. using x509,

eg,

  // Create a self-signed CA
  $ virt-pki-admin.pl init "Evil CA"

  // Add some servers
  virt-pki-admin add_server "Evil Moonbase" alpha.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" beta.moonbase.evil.com
  virt-pki-admin add_server "Evil Moonbase" gamma.moonbase.evil.com

  // And some clients
  virt-pki-admin add_client "Evil Henchmen" up.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" down.moonbase.evil.com
  virt-pki-admin add_client "Evil Henchmen" strange.moonbase.evil.com

  // Copy the server certs/keys via the SSH root account
  virt-pki-admin deploy_server alpha.moonbase.evil.com
  virt-pki-admin deploy_server beta.moonbase.evil.com
  virt-pki-admin deploy_server gamma.moonbase.evil.com

  // Copy the client certs/keys via the SSH root account
  virt-pki-admin deploy_client up.moonbase.evil.com
  virt-pki-admin deploy_client down.moonbase.evil.com
  virt-pki-admin deploy_client strange.moonbase.evil.com

  // Copy the client certs/keys via the SSH $USER account
  virt-pki-admin deploy_user_client up.moonbase.evil.com
  virt-pki-admin deploy_user_client down.moonbase.evil.com
  virt-pki-admin deploy_user_client strange.moonbase.evil.com


With that, if you are logged into 'root' on any of 'up', 'down', or 'strange'
you can connect to any server using qemu+tls://hostname/system. Likewise
for non-root accounts, which also have set up GTK-VNC and SPICE-GTK certs
to allow graphical access to QEMU using x509 certs.

With some more work I plan to submit this to libvirt, but for now here
is the script in case it is useful.

BTW it stores all certs & keys in $HOME/.libvirt/pki/ on the machine
used to run the command. You can safely experiment with any of the
commands *except* the 'deploy_' ones, without messing up your current
x509 config.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list at redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
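As an added illustration, not part of the thread or of virt-pki-admin.pl, the trust relationships the script's init/add_server/add_client steps establish, built with Go's standard crypto/x509: one CA, a server certificate whose SAN is the hostname a client dials in qemu+tls://hostname/system, and a client certificate restricted to client authentication. VerifyServer is the check the connecting side performs; the CA name, hostnames and one-year validity are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl returns a minimal certificate template (assumed one-year validity).
func tmpl(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
}

// issue generates a P-256 key for t and has parentKey sign it (self-signed when parent is nil).
func issue(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI mirrors init/add_server/add_client: a CA, a server cert bound to host, a client cert.
func BuildPKI(host, clientName string) (ca, server, client *x509.Certificate) {
	caT := tmpl("Example CA", 1)
	caT.IsCA, caT.BasicConstraintsValid, caT.KeyUsage = true, true, x509.KeyUsageCertSign
	ca, caKey := issue(caT, nil, nil)
	sT := tmpl(host, 2)
	sT.DNSNames = []string{host} // must equal the name dialled in qemu+tls://host/system
	sT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	server, _ = issue(sT, ca, caKey)
	cT := tmpl(clientName, 3)
	cT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} // cannot pose as a server
	client, _ = issue(cT, ca, caKey)
	return ca, server, client
}

// VerifyServer is the client-side check: chains to the CA, names host, and is a server cert.
func VerifyServer(ca, cert *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}
```

A client-side name mismatch or a client cert presented as a server cert both fail VerifyServer, which is why the add_server hostname has to be the one actually used in the qemu+tls URI.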