[libvirt-users] Virt-v2v

Matthias Bolte matthias.bolte at googlemail.com
Thu Oct 21 18:17:03 UTC 2010


2010/10/21 Mike Hall <MHall at astc.nt.gov.au>:
> Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions purchased.
>
> Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi host to KVM host.
>
> Have enabled SSH on ESXi host, and can connect using esx+ssh://esxhost, but procedure fails because nc isn't found on ESXi. Fair enough. BTW, ESXi looks like a radically cut down RH system (/etc/sysconfig being the give-away)?

libvirt doesn't use ssh or any other transports described at [1] for
ESX. libvirt connects directly to the ESX server using HTTPS without
the need for a libvirtd on the ESX server or any libvirt provided
transport.

> So, using esx:// connection method which presumably uses TLS ...

Well, it uses HTTPS, but it doesn't use the TLS transport as described at [1].

>
> Connection commands I'm trying to use:
>
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs 'HPTRIM Sandbox'

This one is probably the correct one, at least the libvirt connection
URI in it is correct.

> virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM Sandbox'

This one requires that your client computer can verify the HTTPS SSL
certificates installed on the ESX server, but this is unlikely unless
you manually replaced them by certificates that are signed by a known
CA. The no_verify=1 parameter in the first command tells libvirt to
ignore verification errors with these certificates so that it works
with the certificates that come with the ESX server by default.

Note that these HTTPS SSL certificates have nothing to do with the
certificates mentioned in [1].

> I have eliminated libvirt error messages (all #38) relating to /etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by creating those files on KVM host according to info on this page:
>
> http://libvirt.org/remote.html#Remote_libvirtd_configuration

Configuring the KVM host with proper certificates is a good idea.

> Now I am down to a simple connection refused error message:
>
> virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38, message: unable to connect to 'esxhost': Connection refused
>
> I have also tried suggestion on webpage above regarding these libvirtd.conf settings and restarted libvirtd:
>
> tls_no_verify_certificate = 1
> key_file = ""
> cert_file = ""
> ca_file = ""
> crl_file = ""
>
> ... But no change.

libvirt doesn't require a libvirtd on the ESX server.

> The problem may well be the TLS certificates, PKI isn't one of my strong points. I believe the hostnames in the certificates are correct. Which certificates (if any) should be copied to the ESXi host (client or server)?
> Should I copy any certificates from /etc/vmware/ssl to the KVM host, if so which certificate (rui.crt or rui.key) and where to?
>
> There doesn't appear to be anything resembling an iptables firewall in place on the ESXi host.
>
> Anyway, any suggestions on what the problem could be greatly appreciated.

The first line of your mail gives me the relevant hint. You use CentOS
5.5 and this one comes with libvirt 0.6.5 IIRC, but ESX support was
added to libvirt in 0.7.0. The error messages you get from libvirt are
misleading and have been improved in libvirt 0.8.3.

limohua and Osier already gave the right hints, so I'm basically just
summarizing it here. :)

As Osier points out, even if your libvirt is recent enough in general
it might have been compiled without ESX support. In that case you'll
get the same misleading error messages about refused connections or
missing certificates (from libvirt 0.7.0 until 0.8.3).

In order to fix this problem you probably need to update your libvirt
version and make sure that it is compiled with ESX support.

As this seems to be a common problem I'm improving the documentation
about this right now.

[1] http://libvirt.org/remote.html

Matthias
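
Added example, not part of the original mail and not libvirt project code: a shell check for the diagnosis above, so a "Connection refused" or certificate error on esx:// can be attributed to the client build before anyone starts changing certificates or TLS settings. It assumes the installed virsh prints its compiled-in hypervisor list with `virsh -V` in the layout shown; the function names and sample outputs are constructed for illustration.

```shell
# Added example (not from the original mail). Thresholds are the ones Matthias
# gives: ESX driver added in 0.7.0, clearer error messages from 0.8.3.

# ver_ge A B: succeed if dotted version A >= B (first three components).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# esx_diagnose TEXT: TEXT is `virsh -V` output (assumed layout) or a bare version.
esx_diagnose() {
    _ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p' | head -n 1)
    _hyp=$(printf '%s\n' "$1" | sed -n 's/^ *Hypervisors: *//p' | head -n 1)
    [ -n "$_ver" ] || { echo "unknown: no libvirt version found"; return 2; }
    if ! ver_ge "$_ver" 0.7.0; then
        echo "no-esx: libvirt $_ver predates the ESX driver (added in 0.7.0)"; return 1
    fi
    [ -n "$_hyp" ] || { echo "unknown: libvirt $_ver, no Hypervisors line to check"; return 2; }
    case " $_hyp " in
        *" ESX "*) echo "ok: libvirt $_ver is built with ESX support"; return 0 ;;
    esac
    if ver_ge "$_ver" 0.8.3; then
        echo "no-esx: libvirt $_ver is built without ESX support"
    else
        echo "no-esx: libvirt $_ver is built without ESX support; errors will mislead"
    fi
    return 1
}

# Constructed samples, not captured from a real host.
SAMPLE_OLD='Virsh command line tool of libvirt 0.6.5'
SAMPLE_NO_ESX='Virsh command line tool of libvirt 0.8.1
Compiled with support for:
 Hypervisors: Xen QEMU/KVM Test'
SAMPLE_OK='Virsh command line tool of libvirt 0.8.3
Compiled with support for:
 Hypervisors: Xen QEMU/KVM ESX Test'

for _s in "$SAMPLE_OLD" "$SAMPLE_NO_ESX" "$SAMPLE_OK"; do
    esx_diagnose "$_s" || true
done
# On a real client: esx_diagnose "$(virsh -V 2>&1)"
```

A "no-esx" result means the fix is the libvirt upgrade or rebuild described in the mail, not the certificate or libvirtd.conf changes.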



