On 08/20/2010 12:59 AM, Cole Robinson wrote:
On 08/12/2010 10:29 AM, Lars Kellogg-Stedman wrote:
Hello all,
I'm trying to get virsh (and virt-manager) to talk to a remote libvirt
instance. I cannot for the life of me figure out how to tell either
tool where to find client or CA certificates. Do they *really* need
to access the ones in /etc/pki? In particular, the client seems to
want to read the *server's* private key, which for obvious reasons is
only readable by root.
I feel like I must be missing something obvious...if someone can point
me towards a solution I would really appreciate it. Thanks!
Hi Lars,
There wasn't a mention a which type of certificates you're trying to
use, so I'll assume TLS, as that's what /etc/pki is for.
virsh
*****
With virsh, it is hard coded to use a server wide path for its client
certificate. (found this out yesterday) It's been mentioned
there's an RFE for having that configurable, but it's not something I've
looked into.
$ ls -la /etc/pki/libvirt/clientcert.pem
/etc/pki/libvirt/private/clientkey.pem
-rw-r--r-- 1 root root 1220 Aug 19 02:34 /etc/pki/libvirt/clientcert.pem
-rw-r--r-- 1 root root 1675 Aug 19 02:32
/etc/pki/libvirt/private/clientkey.pem
$
It also needs the CA Certificate (not the key) here:
/etc/pki/CA/cacert.pem
$ sudo ls -la /etc/pki/CA/cacert.pem
-rw-r--r-- 1 root root 1070 Aug 19 01:06 /etc/pki/CA/cacert.pem
$
Real life example of it working
*******************************
$ virsh -c qemu://host1/system
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh #
(the qemu:// bit works there without saying qemu+tls://, because TLS
is the default)
virt-manager
************
virt-manager though, uses the client certificate in a different spot.
It has them per user, and they're stored in:
~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem
It needs the CA Certificate in:
~/.pki/CA/ca-cert.pem
$ ls -la ~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
$ ls -la ~/.pki/libvirt-vnc/clientcert.pem
~/.pki/libvirt-vnc/private/clientkey.pem ~/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1070 Aug 19 20:48
/export/backend/home/jc/.pki/CA/ca-cert.pem
-rw-r--r-- 1 jc jc 1220 Aug 19 20:48
/export/backend/home/jc/.pki/libvirt-vnc/clientcert.pem
lrwxrwxrwx 1 jc jc 16 Aug 19 21:14
/export/backend/home/jc/.pki/libvirt-vnc/private/clientkey.pem ->
../clientkey.pem
$
You'll be able to see that pointing to the keys in my home dir.
Something you'll notice is that in this instance, my clientkey.pem is
itself NOT in the "private" sub-dir. It's in a folder below that, with
a link in the private sub-dir, which is good enough.
I have it this way only because I created it in a different spot
initially when trying to get it to work, and it turns out that
virt-viewer (another VNC viewing thing) needs it there instead. i.e. in
the directory below "private".
Anyway, the above works. :)
If you have troubles with the TLS key generation, the docs on the
libvirt.org site work:
http://libvirt.org/remote.html
And the paths for virt-manager are given on the last part of this page:
http://virt-manager.org/page/RemoteTLS#virt-manager.2Fvirsh.2Fvirt-viewer_client_setup
If it's relevant, I'm running everything under Fedora 13 right now, so
that means libvirt-0.8.2-1.fc13.x86_64 and
qemu-kvm-0.12.3-8.fc13.x86_64.
Similar. All of the above is on an F13 workstation as well.
All good now? :)
Regards and best wishes,
Justin Clift
--
Salasaga - Open Source eLearning IDE
http://www.salasaga.org
