Libvirt utilities over TLS

If you are running libvirt on a different host and you don't trust the devices in your network path, you should use TLS. You can of course use ssh :). To use TLS/SSL with libvirt, you should have:

• Access to CA henceforth known as 'the CA'.
• Server key, server cert signed by the CA.
• Client key, client cert signed by the CA.

If you don't have a CA, it's easy to generate one using openSSL or better use certtool (man 1 certtool) from gnutls binaries.

Once you have a CA, have a look at the libvirtd help on your server.

xen02:~/pki# libvirtd -h

libvirtd: invalid option -- 'h'

Usage:

libvirtd [options]

Options:

-v | --verbose Verbose messages.

-d | --daemon Run as a daemon & write PID file.

-l | --listen Listen for TCP/IP connections.

-t | --timeout Exit after timeout period.

-f | --config Configuration file.

| --version Display version information.

-p | --pid-file Change name of PID file.

.......

TLS:

CA certificate: /etc/pki/CA/cacert.pem

Server certificate: /etc/pki/libvirt/servercert.pem

Server private key: /etc/pki/libvirt/private/serverkey.pem

.......

From the output above, it's evident that you will need to copy the CA's certificate to /etc/pki/CA/cacert.pem, generate a server key, a server CSR then get the CSR to the CA. The CA will then provision you with a server cert which you can place in the appropriate path.

You will need to enable TLS in /etc/libvirt/libvirtd.conf

listen_tls = 1

You will probably want to enable TLS authentication for VNC as well as listening on interfaces other than localhost:

vnc_listen = "0.0.0.0"

vnc_tls = 1

#Read the documentation for this

vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"

vnc_tls_x509_verify = 1

Here's my PKI directory

PKI directory listing

$ find /etc/pki/

/etc/pki/

/etc/pki/libvirt-vnc

/etc/pki/libvirt-vnc/ca-cert.pem

/etc/pki/libvirt-vnc/server-key.pem

/etc/pki/libvirt-vnc/server-cert.pem

/etc/pki/libvirt

/etc/pki/libvirt/servercert.pem

/etc/pki/libvirt/private

/etc/pki/libvirt/private/serverkey.pem

/etc/pki/CA

/etc/pki/CA/cacert.pem

To make life easier, You can make VNC and libvirt to share the same keys and certs.

Restart the libvirt service

/etc/init.d/libvirt-bin restart

The client requires a similar PKI setup. The same CA should sign the server and client certs.

$ find /etc/pki/

/etc/pki/

/etc/pki/CA

/etc/pki/CA/cacert.pem

/etc/pki/libvirt

/etc/pki/libvirt/private

/etc/pki/libvirt/private/clientkey.pem

/etc/pki/libvirt/clientcert.pem

Add a connection from your virt-manager that utilizes TLS or use the virsh tools:

virt-viewer -c qemu+tls://xen02.example.net/system box2

virsh -c qemu+tls://xen02.example.net/system list

Id Name State

----------------------------------

7 box1 running

10 box2 running

11 box3 running

13 box4 running

14 box5 running

15 box6 running

16 box7 running