2009/12/30 Richard W.M. Jones <rjones@xxxxxxxxxx>: > I'm playing with VMWare ESX 4.0 and I decided to try driving it from > libvirt [git version]. Here are some random questions and issues I > encountered, in no particular order. > > Listing domains works fine, but: > > (a) I have to specify ?no_verify=1 to get it to ignore the lack of > valid https certificate. Is there some documentation on how to set up > certificates correctly? [vSphere gives exactly the same error] The default ESX certificates are autogenerated and self-signed ones. The 'ESX Configuration Guide' [1] suggest to replace them by CA-signed ones. The 'ESX Configuration Guide' [1] contains a section about 'Replace a Default Certificate with a CA-Signed Certificate'. I created new self-signed certificates as described on the libvirt website [2] and copied them to the ESX server servercert.pem -> /etc/vmware/ssl/rui.crt serverkey.pem -> /etc/vmware/ssl/rui.key Then restart the hostd process either with service mgmt-vmware restart or if that doesn't work (like with my ESXi 3.5 on USB flash drive) use /etc/init.d/hostd restart On my Ubuntu box I copied the cacert.pem to /usr/share/ca-certificates/esx-certs/cacert.pem, appended esx-certs/cacert.pem to /etc/ca-certificates.conf and executed update-ca-certificates. After this libcurl can verify the ESX server certificate. libvirt uses explicit paths for its certificates for a remote TLS connection using gnutls. This is possible with libcurl too, using the CURLOPT_CAINFO option. For example the ESX driver could use LIBVIRT_CACERT as the remote driver does, but this would require the ESX server certificates to be signed by the same CA as the libvirtd certificates, because libcurl doesn't fall back to the system CA certificates if verification with the explicitly specified CA fails. > (b) I have to type the root password (of the ESX server) each time. > Can I avoid that? > > $ sudo ./tools/virsh -c 'esx://192.168.2.121/?no_verify=1' list --all > Enter username for 192.168.2.121 [root]: > Enter root password for 192.168.2.121: > Id Name State > ---------------------------------- > - TestLinux shut off > - TestWin shut off The ESX driver needs to login to the ESX server. virsh uses the default auth callback that asks you to type in the credentials (see virConnectAuthCallbackDefault in libvirt.c). Currently the only option for automatic handling is policykit, but that doesn't work for the ESX driver because policykit is not meant to provide credentials. A possible way to "automatically" provide the credentials is to pass them in the connection URI like this: esx://<user>:<pass>@hostname. But this is currently not implemented in the ESX driver. Another option would be to add new automatic authentication methods to virConnectAuthCallbackDefault based on VIR_CRED_EXTERNAL and to change the ESX driver to use them. > (c) Starting domains doesn't seem to work, and the error message is > obscure: > > $ sudo ./tools/virsh -c 'esx://192.168.2.121/?no_verify=1' start TestLinux > Enter username for 192.168.2.121 [root]: > Enter root password for 192.168.2.121: > error: Failed to start domain TestLinux > error: internal error HTTP response code 500 for call to 'PowerOnVM_Task'. Fault: ServerFaultCode - The operation is not allowed in the current state. > > Is this to do with the "ask questions" API that was discussed on this > list before? Specifying auto_answer=0 or auto_answer=1 didn't make > any difference. No, the error message would say that there is a question blocking the task. This message comes directly from the ESX server, as part of the 500er response. I've never seen this error message from the ESX server before. Many errors reported by the ESX server contain a details section, but the deserialization of this details requires many new SOAP types and I haven't implemented this yet. Can you start the domain using the VI client? Maybe the domain really is in a state where it cannot be started. Can you reproduce this error with other domains? > (d) dumpxml XML output looks very good, and consistent with the other > drivers. However it produces an odd <source file> attribute: > > <disk type='file' device='disk'> > <driver name='lsilogic'/> > <source file='[Storage1] TestLinux/TestLinux.vmdk'/> > <target dev='sda' bus='scsi'/> > </disk> > <disk type='file' device='cdrom'> > <source file='[Storage1] Fedora-12-x86_64-Live.iso'/> > <target dev='hdc' bus='ide'/> > </disk> What's wrong with it in your opinion? The <source file> attribute is correct. See the ESX driver website section [3] about this. > (e) pool-list, net-list are not supported by the driver. > > That's a particular problem for me because I was really hoping to use > the storage APIs from libvirt to access the VMDK files that contain > domains (eg. [Storage1] TestLinux/TestLinux.vmdk in the example > above). Is support for storage (particularly) and/or networks on the > horizon for this driver? > > Rich. > I plan to implement the ESX driver as complete as possible, this includes network and storage handling. I've took a look at this some time ago and saw some problems. For examples datastores don't have a UUID, so I may need to make them up and store them somewhere like the IBM Power driver does it for the domain UUIDs, the libvirt network model cannot represent a vSwitch ... I think these drivers are much harder to implemented than the main ESX driver, so don't expect any news on this in the next weeks, but stay tuned :) What do you mean by "to access the VMDK files that contain domains", just list them? What part of the storage driver would that involve? [1] http://www.vmware.com/pdf/vsphere4/r40/vsp_40_esx_server_config.pdf [2] http://www.libvirt.org/remote.html#Remote_certificates [3] http://www.libvirt.org/drvesx.html#xmlspecial Matthias -- Libvir-list mailing list Libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list