Old 07-24-2008, 10:13 AM
"Geoff Wiener"
 
Default Virt-Manager, libvirt & TLS

Hi!

This is my first post to either of these lists, I have been
lurking (sorry to cross post but I don't know if this is a virt-manager
or libvirt question). So first off thank you to everyone for all your efforts.
I think libvirt and virt-manager are excellent! I've built a pair of
servers in the lab with a Xen stack and have been attempting to get
virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and then libvirt
0.4.4 using TLS across the network in a "client / server"
configuration unsuccessfully. All the machines are on the same subnet
(192.168.4.x/24). I can make Virt-Manager communicate with Libvirt over TCP
without authentication so now that I know the installation works I want to
further secure it using TLS.

I've read everything I can get my hands on, subscribe
to the lists and feel that I must be making a simple error; I could really use
a fresh perspective. I would really appreciate any feedback you can offer.

Here's my configuration and testing method.

Workstation

Ubuntu Hardy Heron 64 bit
Virt-manager 0.5.4

Server

Distribution = CentOS 5.1 (64 bit)
Kernel = 2.6.18.8-xen (compiled from source)
Xen = 3.2.1.gz

virsh # version
Compiled against library: libvir 0.4.4
Using library: libvir 0.4.4
Using API: Xen 3.0.1
Running hypervisor: Xen 3.2.0

/usr/local/etc/libvirt/libvirtd.conf

Listen_tcp = 1
auth_unix_ro = "none"
auth_unix_rw="none"
auth_tcp="none"

In this configuration I can use "Remote Password or
Kerberos" to connect. I just enter the hostname of the Xen machine and Virt-Manager
lets me see all the Domains that are running (or shut down if I virsh define
them) as well as look at their consoles (if the vfb is configured correctly).

I followed the configuration notes at: http://libvirt.org/remote.html with a
couple of exceptions:

1. I already have a linux based CA
that I use with OpenVPN so I used that CA root certificate and just generated
client and server cert / key pairs for my client and server (I tested with just
one server)

2. I reverted back to the default
libvirtd.conf to setup for TLS and noticed that the default paths for the
certificate locations were not in line with the documentation on the web page but
there were commented sections as follows that matched the documentation, so I
uncommented them:

key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
#crl_file = "/etc/pki/CA/crl.pem"

Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at
this time

3. On the server I execute "libvirtd --listen --verbose" (libvirtd output attached)

4. virt-manager 0.5.4 (as root), File, Open Connection
Hypervisor: Xen
Connection: Remote SSL/TLS with x509 certificate
Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)

The virt-manager console reports "unable to open
a connection to the libvirt management daemon. Verify that the libvirtd
daemon has been started." Then, in details there is a lot of info (see
virt-manager output)

5. If I tail /root/.virt-manager/virt-manager.log
I get the following output (see virt-manager.log)

That about sums it up. I have not read any instructions
that ask me to copy the CA root certificate to the client, is that required?
And if so where would I put it? Also, whenever I attempt to connect there are
no errors appearing in the libvirtd output, which is a bit surprising. I would
have expected that by using --verbose on the libvirtd command line that I
would see more info. Line 94 in the libvirt.py script is definitely trying to
do some kind of authentication but I don't really know what to do to
troubleshoot this next. I still don't know if my issue is related to the
client or the server.

Any advice would be greatly appreciated.

Many thanks

Geoff Wiener

_______________________________________________
et-mgmt-tools mailing list
et-mgmt-tools@redhat.com
https://www.redhat.com/mailman/listinfo/et-mgmt-tools
 
Old 07-24-2008, 11:18 AM
"Daniel P. Berrange"
 
Default Virt-Manager, libvirt & TLS

On Thu, Jul 24, 2008 at 11:13:28AM +0100, Geoff Wiener wrote:
> Hi!
>
>
>
> This is my first post to either of these list, I have been lurking,
> (sorry to cross post but I don't know if this is a virt-manager or
> libvirt question). So first off thank you to everyone for all your
> efforts. I think libvirt and virt-manager are excellent! I've built
> a pair of server s in the lab with a Xen stack and have been attempting
> to get virt-manager 0.5.4 to communicate with, first libvirt 0.4.2 and
> then libvirt 0.4.4 using TLS across the network in a "client / server"
> configuration unsuccessfully. All the machines are on the same subnet
> (192.168.4.x/24). I can make Virt-Manager communicate with Libvirt
> over TCP without authentication so now that I know the installation
> works I want to further secure it using TLS.
>

> /usr/local/etc/libvirt/libvirtd.conf
>
>
>
> Listen_tcp = 1
>
> auth_unix_ro = "none"
>
> auth_unix_rw="none"
>
> auth_tcp="none"

That's all fine.

> I followed the configuration notes at: http://libvirt.org/remote.html with a couple of exceptions:
>
> 1. I already have a linux based CA that I use with OpenVPN so I used that CA root certificate and just generated client and server cert / key pairs for my client and server (I tested with just one server)

That's fine - any CA will do the job.

> 2. I reverted back to the default libvirtd.conf to setup for TLS and
> noticed that the default paths for the certificate locations were not in
> line with the documentation on the web page but there were commented sections
> as follows that matched the documentation, so I uncommented them:
>
> key_file = "/etc/pki/libvirt/private/serverkey.pem"
> cert_file = "/etc/pki/libvirt/servercert.pem"
> ca_file = "/etc/pki/CA/cacert.pem"

No need to uncomment any of these - it's fine to use the default
settings built-in to libvirt

>
> #crl_file = "/etc/pki/CA/crl.pem"
> Note: I did not uncomment the CRL_FILE path as I do not want to use a CRL at this time

Ok, no problem there.

> 3. On the server I execute "libvirtd -listen -verbose" (libvirtd output) attached
>
> 4. virt-manager 0.5.4 (as root) , File, Open Connection
> Hypervisor: Xen
>
> Connection: Remote SSL/TLS with x509 certificate
>
> Hostname: vxen-01.aenigmacorp.com (I have a host entry for this machine)
>
>
>
> The virt-manager console reports "unable to open a connection to the libvirt
> management daemon". Verify that the "libvirtd" daemon has been started. Then,
> in details there is a lot of info (see virt-manager output)

I'd recommend getting it working using virsh as a client first - this gives clearer
diagnostics. Once virsh is working, then virt-manager should just work too, although
it has an extra step required for VNC access.


> That about sums it up. I have not read any instructions that ask me to copy
> the CA root certificate to the client, is that required? And if so where would
> I put it.

Yes, the CA certificate needs to be on all machines - in the same location as
for the server - /etc/pki/CA/cacert.pem. The client cert needs to be in the
location /etc/pki/libvirt/clientcert.pem

There are some additional docs on the virt-manager wiki about the VNC
setup steps too

http://virt-manager.org/page/RemoteTLS


Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

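Daniel's checklist above (CA cert on every machine, client cert under /etc/pki/libvirt, no reliance on the unauthenticated TCP listener) as a preflight script; this is an added example, not libvirt's or virt-manager's own tooling. It assumes the default paths quoted in the thread, takes the client key path from libvirt's documented defaults, and reads libvirtd.conf with a minimal parser of its own.

```python
import os
import re

# File layout from the thread: server paths as quoted from libvirtd.conf, client CA
# and cert paths from Daniel's reply; the client key path is libvirt's documented default.
EXPECTED_FILES = {
    "server": {"ca_file": "etc/pki/CA/cacert.pem",
               "cert_file": "etc/pki/libvirt/servercert.pem",
               "key_file": "etc/pki/libvirt/private/serverkey.pem"},
    "client": {"ca_file": "etc/pki/CA/cacert.pem",
               "cert_file": "etc/pki/libvirt/clientcert.pem",
               "key_file": "etc/pki/libvirt/private/clientkey.pem"},
}
# Constructed samples: the settings Geoff posted, and a TLS-only variant.
THREAD_CONF = 'Listen_tcp = 1\nauth_unix_ro = "none"\nauth_unix_rw="none"\nauth_tcp="none"\n'
TLS_ONLY_CONF = 'listen_tls = 1\n# listen_tcp = 1\ncrl_file = "/etc/pki/CA/crl.pem"\n'

_KV = re.compile(r'^([A-Za-z_]+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_libvirtd_conf(text):
    """Minimal key = value reader; commented-out keys stay unset, as in libvirtd.conf.
    Keys are lower-cased only so the thread's transcription (Listen_tcp) parses."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings


def audit_conf(settings):
    """Findings about remote access; the fallbacks (listen_tls=1, auth_tcp=sasl)
    are libvirt's built-in defaults for an unset key."""
    findings = []
    if settings.get("listen_tcp") == "1" and settings.get("auth_tcp", "sasl") == "none":
        findings.append("listen_tcp=1 with auth_tcp=none: remote access is neither authenticated nor encrypted")
    if settings.get("listen_tls", "1") == "0":
        findings.append("listen_tls=0: the TLS listener is disabled")
    if not settings.get("crl_file"):
        findings.append("crl_file unset: revoked client certificates are still accepted")
    return findings


def missing_files(role, root="/"):
    """Expected TLS files absent under root for role "server" or "client";
    root lets the check run against a staging tree instead of the live /etc."""
    return [rel for rel in EXPECTED_FILES[role].values()
            if not os.path.isfile(os.path.join(root, rel))]
```

Run `missing_files("client")` on the workstation to reproduce the gap Daniel points out (the CA cert missing on the client side).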
 
Old 07-24-2008, 07:34 PM
"Geoff Wiener"
 
Default Virt-Manager, libvirt & TLS

Hi Daniel;

Thanks for the quick response and for your help, this is working now. If you are interested in the gory details they are below; at least I'll document them here for the sake of others on the list. See "Gory Details - start".

While I have your attention I have another question if you don't mind.

I have done all this because I wanted to see if I could use virsh to live migrate a VM between physical hosts. Actually I wanted to use libvirt but virsh is my easiest way to talk to libvirt. My two physical xen servers are connecting to the same iSCSI SAN LUN formatted and mounted with ocfs2. I have a PV vm residing on the LUN (centos 5.1 - 2.6.8.18-xen). If I use standard xen config files and don't "define" my guest using virsh (xml) I can use the XM commands to migrate without any trouble. If I try to "define" the guest and then use XM to migrate it everything gets confused. So I thought I would "define" the guest and then try to use virsh to migrate. The same confusion takes place.

I just did this and got some weird behaviour. I started the VM "centpv" up on host2 and then asked it to migrate to host1 using virsh from the (now working) client. The migration worked as expected. I was able to disconnect my VNC connection to the VM on host2 and connect it to the machine on host1. This is where it gets weird.

Host2 (Source)

virsh # list --all
Id Name State
----------------------------------
0 Domain-0 running
- centpv shut off
- xi-ad-01 shut off
- xi3mps01h shut off


Host 1 (destination)

virsh # list --all
Id Name State
----------------------------------
0 Domain-0 running
1 centpv blocked

As you can see centpv is now listed on both machines. The state on host2 is shut off, which is technically correct. The VM is actually running on host 1. Host 1 has it as running. If you look at virt-manager you get an even more confusing story. Host1 says that centpv is "shutoff" until you highlight the machine, then it says it's running, and it quickly switches back to saying it's shut off. Host 2 claims the machine is still running.

Killing virt-manager and respawning it helps somewhat in that now host1 knows the machine is running. Host 2 thinks it's shut down (reflecting what is listed by virsh).

The next thing I did was to "virsh undefine centpv" from host2. That also worked. Now all is right with the world.

How can I find out more about how the "define" command works? (read the source code?) If the machine is "defined" doesn't this place a hard entry in the local xenstore on the Xen machine on which it was defined? I have to go read up on xenstore as I'm not that familiar with it yet. Do we need to migrate and then undefine the machine once the machine lands at the destination?

Finally, could these issues be related to the way virsh handles the libvirt "migrate" or is this a problem with libvirt? My next plan is to work up a python script that will talk directly to libvirt and execute a migration. This will take me some time as I don't know python... but let's see what happens. In the interest of time (and my sanity) does anyone have any basic python scripts that talk directly to libvirt that they would be willing to share?

Thanks in advance.


Gory Details - start.

Your suggestion to use Virsh in the first instance was key.

From the Ubuntu workstation when I tried to connect to vxen-01 using virsh I immediately got an error relating to the missing CA.crt (which we both suspected was an issue). After copying the root cert to the correct location I was given a different error message:

libvir: QEMU error : internal error cannot create bridge 'virbr0' : File exists

From which I googled my way to the following post: http://bbs.archlinux.org/viewtopic.php?id=5147

So I checked iptables and despite the fact that I don't remember configuring it, there were rules present. I think libvirtd does some stuff to iptables. After shutting down iptables and kicking libvirtd I stopped getting that error. Now both virsh and virt-manager are working using TLS.

Strangely, the URIs I had to use for virt-manager and virsh were different.

Virt-manager URI = xen://vxen-01.domain.com
Virsh URI = xen://vxen-01.domain.com/

Virsh needed the trailing "/". Without it I get console messages (on the server) that say "libvir: error : invalid argument in could not parse connection URI". I have typed it exactly, that grammar problem is not a typo, that's what it says.

Best Regards
