virt-v2v connect to the ESX through libvirt ESX driver, here is the link, http://www.libvirt.org/drvesx.html why not just try the simple way to see what's going on, you could set virsh -c esx://esxhost/?no_verify=1 btw, hope the below mail can help something, 2010/7/3 adrian wyssen<wyssenadrian gmail com>: Hello everyoneI am really new to libvirt and I have to use it with ESXi. I was writingcode for listing the virtual machines in a ESXi server. If I connect me withthe virsh to the ESXi server, it works. But since I can not create anycertificates on the server (ESXi does not have any console...) I have to usethe no_verify option (esx://host/?no_verify=1)I want to do the same with the API, but when I use this string in the uriparameter of the following codeconn = virConnectOpenAuth(uri, virConnectAuthPtrDefault, 0);the system returns "libvir: Remote error : Cannot access CA certificate'/etc/pki/CA/cacert.pem': No such file or directoryNo connection to hypervisor"What method can I use to be able to connect to the server by ignoring themissing certificate? Another question is: Are there any example codes forusing ESX(i), because as I said I am really new with libvirt and I did notfind any examples.Thanks a lot for your help.Adrian The certificates libvirt is complaining about have nothing to do with the certificates for ESX(i). By default libvirt uses a TLS connection to a remote libvirtd (a daemon). This daemon is used to allow remote management of hypervisors that don't have remote capabilities on their own, like QEMU. For ESX(i) this daemon is not necessary, because libvirt directly uses the remote SOAP API provided by the ESX(i) server. By default libvirt uses a HTTPS connection to the ESX(i) server. Proper HTTPS requires correctly configured SSL certificates, this certificates are different from the certificates for libvirt's TLS connection to libvirtd. In case of a default ESX(i) installation the ESX(i) server has auto-generated self-signed certificates. And in general those cannot be verified by your client because your client doesn't have the cacert.pem that corresponds to the private key that the ESX(i) server used to sign the auto-generated self-signed certificates. That's the reason why libvirt allows you to disable those certificate check by appending ?no_verify=1 to the URI. libvirt complains here about the for the TLS connection to a remote libvirtd. This is a bit cryptic error that appears because libvirt don't know what to do with the URI you gave to it and as last option it tries to connect to a libvirtd on the remote server hoping that the libvirtd there knows what to do with the URI. The typical reason why this happens is that your libvirt is build without ESX support. But you said 'virsh -c esx://host/?no_verify=1'. Therefore, I assume that's not the case here. Could it be that you have multiple version of libvirt installed? One that has ESX support enabled and is used by virsh and one that has ESX support disabled and that your program links against? Regarding example code: There is no special ESX libvirt example code, because libvirt is designed to provide hypervisor independent API. You can take a look at the examples directory. For example the hellolibvirt example: ./examples/hellolibvirt/hellolibvirt esx://host/?no_verify=1 If that still gives you that certificate error, try: LIBVIRT_DEBUG=1 LIBVIRT_LOG_OUTPUTS=1:stderr ./examples/hellolibvirt/hellolibvirt esx://host/?no_verify=1 It should list lines like 13:13:23.189: debug : virRegisterDriver:927 : registering ESX as driver 5 ... 13:13:23.189: debug : do_open:1242 : trying driver 5 (ESX) ... If there is no virRegisterDriver or do_open line regarding ESX then your libvirt is build without ESX support. But i wonder why virsh works then. Recent (unreleased) libvirt has better error reporting for this situation and tells you when you try to use an URI scheme that was disabled, instead of reporting unexpected certificate errors. Matthias On 10/21/2010 03:25 PM, Mike Hall wrote: Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions purchased. Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi host to KVM host. Have enabled SSH on ESXi host, and can connect using esx+ssh://esxhost, but procedure fails because nc isn't found on ESXi. Fair enough. BTW, ESXi looks like a radically cut down RH system (/etc/sysconfig being the give-away)? So, using esx:// connection method which presumably uses TLS ... Connection commands I'm trying to use: virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs 'HPTRIM Sandbox' virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM Sandbox' I have eliminated libvirt error messages (all #38) relating to /etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by creating those files on KVM host according to info on this page: http://libvirt.org/remote.html#Remote_libvirtd_configuration Now I am down to a simple connection refused error message: virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38, message: unable to connect to 'esxhost': Connection refused I have also tried suggestion on webpage above regarding these libvirtd.conf settings and restarted libvirtd: tls_no_verify_certificate = 1 key_file = "" cert_file = "" ca_file = "" crl_file = "" ... But no change. The problem may well be the TLS certificates, PKI isn't one of my strong points. I believe the hostnames in the certificates are correct. Which certificates (if any) should be copied to the ESXi host (client or server)? Should I copy any certificates from /etc/vmware/ssl to the KVM host, if so which certificate (rui.crt or rui.key) and where to? There doesn't appear to be anything resembling an iptables firewall in place on the ESXi host. Anyway, any suggestions on what the problem could be greatly appreciated. Michael Hall IT Communications Officer Alice Springs Town Council _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users -- Old soldiers never die, they just fade away Mohua Li +86 10 6260 8263 (Direct),IRC,moli 9/F, North Tower C, Raycom Infotech Park ,NO.2 KeXueYuanNanLu, HaiDian District Beijing, 100190 |
