最後更新: 2021-07-19
介紹
virsh connect to remote host
URL
system & session mode daemon
- qemu:///system # connects to a system mode daemon
- qemu:///session # connects to a session mode daemon
transports
transports: tls, unix, ssh, tcp ...
e.g. qemu+ssh（透過 SSH 加密並沿用 SSH 的帳號認證，是最省事的遠端方式）:
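# Replace root@hypervisor.example.org with the SSH user@host of the hypervisor
# (the original page lost the host part to e-mail obfuscation).
virsh -c qemu+ssh://root@hypervisor.example.org/system list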
e.g. qemu+tcp（未加密；libvirtd 預設 listen_tcp = 0 不會開這個 port）:
# qemu+tcp carries everything in clear text and libvirtd does not open it
# unless listen_tcp = 1; only sensible on loopback (as here) or with SASL
# providing authentication (auth_tcp defaults to "sasl").
virsh -c qemu+tcp://127.0.0.1/system list
URI aliases
/etc/libvirt/libvirt.conf
uri_aliases = [
  "hail=qemu+ssh://root@hail.example.org/system",
  "sleet=qemu+ssh://root@sleet.example.org/system",
]
tls transports
# On hypervisor
安裝建立 crt 的 tools
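# Package that ships certtool (GnuTLS command-line tool).
yum install gnutls-utils       # CentOS 7
apt-get install gnutls-bin     # Ubuntu 18.04
# Keys and certs are generated in this directory; mode 0700 so only root can
# read the private keys while they exist here. Abort if cd fails, otherwise
# every key below would land in whatever the current directory happens to be.
mkdir -p /etc/libvirt/tls
chmod 700 /etc/libvirt/tls
cd /etc/libvirt/tls || exit 1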
建立 CA
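# 1. CA private key. Anyone holding ca.key can mint client certificates that
#    libvirtd will trust, so it should leave the hypervisor once the server
#    and client certs have been issued.
certtool --generate-privkey > ca.key
# 2. Template (the original note had these three lines collapsed into one):
#    'ca' marks the certificate as a CA, 'cert_signing_key' lets it sign.
cat > ca.info <<'EOF'
cn = libvirt
ca
cert_signing_key
EOF
# 3. Self-signed CA certificate. certtool's default validity applies unless
#    expiration_days is set in the template.
certtool --generate-self-signed \
  --load-privkey ca.key \
  --template ca.info \
  --outfile ca.crt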
Create a crt for the server
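certtool --generate-privkey > server.key
# Template (lines were collapsed in the original note). cn MUST be the
# hostname clients put in the URI (qemu+tls://<cn>/system) — libvirt checks
# it against the server certificate and refuses the connection otherwise.
cat > server.info <<'EOF'
organization = IT
cn = server
tls_www_server
encryption_key
signing_key
EOF
# Sign the server certificate with the CA created above.
certtool --generate-certificate \
  --load-privkey server.key \
  --load-ca-certificate ca.crt \
  --load-ca-privkey ca.key \
  --template server.info \
  --outfile server.crt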
Issuing a client certificate
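certtool --generate-privkey > client1.key
# Template (lines were collapsed in the original note). The DN built from
# these fields is the string tls_allowed_dn_list is matched against, so keep
# them stable across client certificates.
cat > client.info <<'EOF'
country = CN
state = HONG KONG
locality = MK
organization = IT
cn = client1
tls_www_client
encryption_key
signing_key
EOF
# Sign the client certificate with the CA.
certtool --generate-certificate \
  --load-privkey client1.key \
  --load-ca-certificate ca.crt \
  --load-ca-privkey ca.key \
  --template client.info \
  --outfile client1.crt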
把 ca.crt 與 server.* 放到安全位置。hypervisor 上只需要 ca.crt、server.key、server.crt；ca.key 簽完 client 憑證後應移到離線保存（持有 ca.key 就能簽出 libvirtd 會信任的 client 憑證），client1.key 也應交給 client 後從 hypervisor 刪除。
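# libvirtd runs as root and reads these files itself, so root ownership is
# enough. Do not hand them to the unprivileged QEMU user (libvirt-qemu): a
# guest that escapes QEMU could then read server.key — and ca.key/client1.key
# if they are still in this directory.
chown -R root:root /etc/libvirt/tls
chmod 600 /etc/libvirt/tls/*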
libvirtd 設定
/etc/default/libvirtd
# --listen makes libvirtd open its own TLS/TCP listener (listen_tls = 1 by
# default, listen_tcp = 0). This is the right switch for CentOS 7's 4.5.0;
# NOTE(review): newer releases use systemd socket activation instead
# (libvirtd-tls.socket) and reject --listen — confirm against your version.
libvirtd_opts="--listen"
/etc/libvirt/libvirtd.conf
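# Server-side TLS credentials (root-only readable). Restart libvirtd after
# editing. libvirtd.conf entries are "key = value"; the original note dropped
# the "=" on the two tls_no_verify_* lines, which libvirtd would reject.
ca_file   = "/etc/libvirt/tls/ca.crt"
key_file  = "/etc/libvirt/tls/server.key"
cert_file = "/etc/libvirt/tls/server.crt"

# Client certificate check. 0 (the default) = the client MUST present a
# certificate signed by ca_file. Setting 1 leaves only server authentication:
# anyone who can reach the port gets a connection.
tls_no_verify_certificate = 0
# Client IP address check, kept from the original note.
# NOTE(review): confirm this key exists in your libvirtd.conf before relying on it.
tls_no_verify_address = 0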
On Client (virsh)
/etc/libvirt/libvirt.conf
uri_aliases = [ "server=qemu+tls://server/system" ]
uri_default = "server"
crt 及 key 要放到以下位置（clientkey.pem 設為 0600，只讓執行 virsh 的使用者讀取；非 root 使用者可改放在 $HOME/.pki/libvirt/ 下的 cacert.pem、clientcert.pem、clientkey.pem）
# Ver 4.5.0 (2018-07-02) # Centos 7 跟機
- /etc/pki/CA/cacert.pem
- /etc/pki/libvirt/private/clientkey.pem
- /etc/pki/libvirt/clientcert.pem
/etc/hosts
# hypervisor — 這個主機名稱必須與 server.crt 的 cn 一致，否則 TLS 連線會被拒絕
192.168.88.150 server
Restricting access（預設 tls_allowed_dn_list 為空，代表任何由這個 CA 簽出的 client 憑證都能連線；要只允許特定 client，必須在 libvirtd.conf 設定此清單並 restart libvirtd）
/etc/libvirt/libvirtd.conf
tls_allowed_dn_list = ["Client1_DN", "Client2_DN", "..."]
DN = Distinguished Name
- Country(C)
- State(ST)
- Locality/City(L)
- Organization(O)
- Common Name(CN)
DN = "C=AU,O=libvirt.org,L=Brisbane,ST=Queensland,CN=host1"
查看 DN
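# Print the DN in the form libvirtd compares tls_allowed_dn_list against: the
# GnuTLS string (C first, comma-separated, no spaces), which is what certtool
# prints. openssl's reversed, spaced "CN = client1, O = IT, ..." output
# (what the original note used) will NOT match an entry in the list.
certtool -i --infile client1.crt | grep Subject
# Subject: C=CN,ST=HONG KONG,L=MK,O=IT,CN=client1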
SASL
# This is the Cyrus SASL API implementation
# adding authentication support to connection-based protocols.
# ANONYMOUS, CRAM-MD5, DIGEST-MD5, NTLM, OTP, PLAIN, or LOGIN（PLAIN/LOGIN 以明文送密碼，只能在 TLS 之上使用；CRAM-MD5/DIGEST-MD5 已被視為過時，新版建議 GSSAPI 或 SCRAM-SHA-256）
# RFC 2222（已被 RFC 4422 取代）
# Cyrus SASL runtime plus mechanism plugins. Which mechanisms libvirtd actually
# offers is decided by its SASL config (/etc/sasl2/libvirt.conf, mech_list),
# not by what is installed; only enable clear-text ones (PLAIN/LOGIN) over TLS.
apt-get install libsasl2-2 libsasl2-modules
出現錯誤「Client's username is not on the list of allowed clients」時，代表該使用者不在 libvirtd.conf 的 sasl_allowed_username_list 內：
# By default, no Username's are checked
sasl_allowed_username_list