Wednesday, February 9, 2011

Libvirt utilities over TLS

If you are running libvirt on a different host and you don't trust the devices in your network path, you should use TLS. You can of course use ssh :). To use TLS/SSL with libvirt, you need:
  • Access to a CA, henceforth known as 'the CA'.
  • A server key and a server cert signed by the CA.
  • A client key and a client cert signed by the CA.
If you don't have a CA, it's easy to generate one using OpenSSL or, better, certtool (man 1 certtool) from the GnuTLS binaries.

Once you have a CA, have a look at the libvirtd help on your server.
xen02:~/pki# libvirtd -h
libvirtd: invalid option -- 'h'
Usage:
libvirtd [options]
Options:
-v | --verbose Verbose messages.
-d | --daemon Run as a daemon & write PID file.
-l | --listen Listen for TCP/IP connections.
-t | --timeout Exit after timeout period.
-f | --config Configuration file.
| --version Display version information.
-p | --pid-file Change name of PID file.
.......
TLS:
CA certificate: /etc/pki/CA/cacert.pem
Server certificate: /etc/pki/libvirt/servercert.pem
Server private key: /etc/pki/libvirt/private/serverkey.pem
.......
From the output above, it's evident that you need to copy the CA's certificate to /etc/pki/CA/cacert.pem, generate a server key and a server CSR, and then get the CSR to the CA. The CA will provision you with a server cert, which you place at the path shown.

You will need to enable TLS in /etc/libvirt/libvirtd.conf:
listen_tls = 1
You will probably want to enable TLS authentication for VNC as well as listening on interfaces other than localhost:
vnc_listen = "0.0.0.0"
vnc_tls = 1
#Read the documentation for this
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
vnc_tls_x509_verify = 1
Here's my PKI directory listing:
$ find /etc/pki/
/etc/pki/
/etc/pki/libvirt-vnc
/etc/pki/libvirt-vnc/ca-cert.pem
/etc/pki/libvirt-vnc/server-key.pem
/etc/pki/libvirt-vnc/server-cert.pem
/etc/pki/libvirt
/etc/pki/libvirt/servercert.pem
/etc/pki/libvirt/private
/etc/pki/libvirt/private/serverkey.pem
/etc/pki/CA
/etc/pki/CA/cacert.pem
To make life easier, you can have VNC and libvirt share the same keys and certs (note from the listing that the two directories expect different file names).
Restart the libvirt service:
/etc/init.d/libvirt-bin restart
The client requires a similar PKI setup, and the same CA should sign both the server and the client certs:
$ find /etc/pki/
/etc/pki/
/etc/pki/CA
/etc/pki/CA/cacert.pem
/etc/pki/libvirt
/etc/pki/libvirt/private
/etc/pki/libvirt/private/clientkey.pem
/etc/pki/libvirt/clientcert.pem
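As an added example (not part of the original post), here is a POSIX shell script that performs the CA, server and client steps above with certtool and installs the results in the two layouts just listed. The host name xen02.example.net, the organization name, the client CN and the target root directory are assumptions; point the root at /etc/pki only on the machine you mean to configure.

```shell
#!/bin/sh
# Added example, not from the original post: build the CA, server and client
# material with certtool and install it in the paths libvirtd -h printed above.
# Constructed values: host name xen02.example.net, org name, client CN; the
# target root is a parameter so nothing touches the real /etc/pki by accident.
set -eu
# certtool templates: the server cert names the host clients will connect to,
# the client cert is restricted to TLS client use.
write_templates() {
    dir="$1"; host="$2"
    printf 'cn = "libvirt CA"\nca\ncert_signing_key\nexpiration_days = 3650\n' > "$dir/ca.info"
    printf 'organization = "Example Org"\ncn = "%s"\ndns_name = "%s"\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 1095\n' "$host" "$host" > "$dir/server.info"
    printf 'organization = "Example Org"\ncn = "client1"\ntls_www_client\nencryption_key\nsigning_key\nexpiration_days = 1095\n' > "$dir/client.info"
}
# Self-signed CA, then server and client certs signed by it (one CA for both).
generate_pki() {
    dir="$1"
    certtool --generate-privkey > "$dir/cakey.pem"
    certtool --generate-self-signed --load-privkey "$dir/cakey.pem" \
        --template "$dir/ca.info" --outfile "$dir/cacert.pem"
    for role in server client; do
        certtool --generate-privkey > "$dir/${role}key.pem"
        certtool --generate-certificate --load-privkey "$dir/${role}key.pem" \
            --load-ca-certificate "$dir/cacert.pem" --load-ca-privkey "$dir/cakey.pem" \
            --template "$dir/$role.info" --outfile "$dir/${role}cert.pem"
    done
}
# Server layout from the post. The VNC directory wants different file names, so
# it gets symlinks; keep the key readable by the user QEMU runs as for VNC TLS.
install_server_layout() {
    src="$1"; root="$2"
    mkdir -p "$root/CA" "$root/libvirt/private" "$root/libvirt-vnc"
    cp "$src/cacert.pem" "$root/CA/cacert.pem"
    cp "$src/servercert.pem" "$root/libvirt/servercert.pem"
    cp "$src/serverkey.pem" "$root/libvirt/private/serverkey.pem"
    ln -sf ../CA/cacert.pem "$root/libvirt-vnc/ca-cert.pem"
    ln -sf ../libvirt/servercert.pem "$root/libvirt-vnc/server-cert.pem"
    ln -sf ../libvirt/private/serverkey.pem "$root/libvirt-vnc/server-key.pem"
}
# Client layout from the post: the CA cert plus the client key and cert only.
install_client_layout() {
    src="$1"; root="$2"
    mkdir -p "$root/CA" "$root/libvirt/private"
    cp "$src/cacert.pem" "$root/CA/cacert.pem"
    cp "$src/clientcert.pem" "$root/libvirt/clientcert.pem"
    cp "$src/clientkey.pem" "$root/libvirt/private/clientkey.pem"
}
# Confirm a cert chains to the CA before restarting libvirtd; non-zero on failure.
verify_against_ca() { certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null 2>&1; }
```

Run it as `write_templates DIR HOST; generate_pki DIR; install_server_layout DIR ROOT` on the server and `install_client_layout DIR ROOT` on the client, then check each cert with verify_against_ca before restarting libvirtd.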
Add a connection from virt-manager that uses TLS, or use the command-line tools:
virt-viewer -c qemu+tls://xen02.example.net/system box2
virsh -c qemu+tls://xen02.example.net/system list
Id Name State
----------------------------------
7 box1 running
10 box2 running
11 box3 running
13 box4 running
14 box5 running
15 box6 running
16 box7 running