How to access libvirtd from remote server

admin — Mon, 01 Mar 2010 23:42:22 +0000

Libvirt is a toolkit to interact with several virtualization platform from a single interface. Considering you can stop and start virtual machines through this API, security is quite important. Libvirt offers several options to give authenticated access from remote machines. By default most distributions disable remote network access for libvirtd. However, I would like to access libvirtd on some of my KVM servers from a single management host to gather some information. The documentation on how to set this up is not too good, so I decided to write up a short how-to.

Step 1: Enable network access for libvirtd
First enable network access for libvirtd on the KVM server(s). On CentOS/RHEL this is done by uncommenting or adding the following line in /etc/sysconfig/libvirtd:
LIBVIRTD_ARGS="--listen"

Step 2: Install a CA on the management server
Install the Perl certificate tools:
yum install openssl-perl
Create Certificate authority:
cd /etc/pki/tls/misc/ ./CA.pl -newca
Example output:
./CA.pl -newca CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

..........++++++

.............++++++

writing new private key to '../../CA/private/cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:XX

State or Province Name (full name) [Berkshire]:XX

Locality Name (eg, city) [Newbury]:XXXXX

Organization Name (eg, company) [My Company Ltd]:XXXXX

Organizational Unit Name (eg, section) []:XXXX

Common Name (eg, your name or your server's hostname) []:CA XXX XXX

Email Address []:XXX
Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ../../CA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number:

            d8:95:24:xx:xx:xx:13:9b

        Validity

            Not Before: Feb 25 23:14:08 2010 GMT

            Not After : Feb 24 23:14:08 2013 GMT

        Subject:

            countryName               = XX

            stateOrProvinceName       = XX

            organizationName          = XXXX

            organizationalUnitName    = XXXX

            commonName                = CA XXX XXX

            emailAddress              = XXXXX

        X509v3 extensions:

            X509v3 Subject Key Identifier:

                XXX

            X509v3 Authority Key Identifier:

                keyid:XXXX

                DirName:/C=XX/ST=XX/O=XXX/OU=XXXX/CN=CA XXX XXX/emailAddress=XXX

                serial:XXX
            X509v3 Basic Constraints:

                CA:TRUE

Certificate is to be certified until Feb 24 23:14:08 2013 GMT (1095 days)

Write out database with 1 new entries Data Base Updated

Step 3: Create CSR’s
openssl genrsa -des3 -out kvm-server1.tmp openssl rsa -in kvm-server1.tmp -out kvm-server1.key openssl genrsa -des3 -out mgmt-host.tmp openssl rsa -in mgmt-host.tmp -out mgmt-host.key openssl req -new -key kvm-server1.key -out kvm-server1.csr openssl req -new -key mgmt-host.key -out mgmt-host.csr

Step 4: Sign the certificates
openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out /root/mgmt-host.crt -infiles /root/mgmt-host.csr openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out /root/kvm-server1.crt -infiles /root/kvm-server1.csr
Example output:
Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: d8:95:24:4b:4e:b1:13:9c Validity Not Before: Feb 25 23:31:40 2010 GMT Not After : Feb 25 23:31:40 2011 GMT Subject: countryName = XX stateOrProvinceName = XX localityName = XX organizationName = XX organizationalUnitName = XX commonName = mgmt-host.xxx.nl emailAddress = xxxxx X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 6C:EA:8B:C1:D6:XX:B6:6B:5B:18:02 X509v3 Authority Key Identifier: keyid:C9:36:4A:XXXX:6F:FD:2E:86


Certificate is to be certified until Feb 25 23:31:40 2011 GMT (365 days)

Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

Step 5: Copy over the certificates to the correct location
On the management host (mgmt-host):
mkdir /etc/pki/libvirt mkdir /etc/pki/libvirt/private mkdir /etc/pki/libvirt-vnc

cp /root/mgmt-host.key /etc/pki/libvirt/private/clientkey.pem cp /root/mgmt-host.key /etc/pki/libvirt-vnc/clientkey.pem cp /root/mgmt-host.crt /etc/pki/libvirt/clientcert.pem cp /root/mgmt-host.crt /etc/pki/libvirt-vnc/clientcert.pem

Transfer the key and certificate files to the KVM server (kvm-server1). Ideally, you create the key and CSR on the host itself, so you only have to transfer the certificate. Then, copy the certificates and CA to the correct location on the KVM (libvirtd) server:

mkdir /etc/pki/libvirt mkdir /etc/pki/libvirt/private mkdir /etc/pki/libvirt-vnc


cp kvm-server1.key /etc/pki/libvirt/private/serverkey.pem

cp kvm-server1.key /etc/pki/libvirt-vnc/server-key.pem

cp kvm-server1.crt /etc/pki//libvirt/servercert.pem cp kvm-server1.crt /etc/pki/libvirt-vnc/server-cert.pem

Make sure the CA generated on the management server is available on the KVM server in the following file:
/etc/pki/CA/cacert.pem

Step 6: Reload libvirtd
/etc/init.d/libvirtd reload

Step 7: Test
With these certificates setup, you should be able to access libvirtd on kvm-server1 from mgmt-host. Use the following command to test:
virsh -c qemu://kvm-server1.xxxx.nl/system Welcome to virsh, the virtualization interactive terminal.


Type:  'help' for help with commands

       'quit' to quit

virsh #
Use the list command to see a list of running guests on the server. This only works if these guests have also been created via libvirtd. Manually started KVM guests will not show up in this list.

Rogierm's Blog » openssl

How to access libvirtd from remote server