mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 05:35:25 +00:00
* docs/libvir.html docs/remote.html: update the remote page,
add an index * docs/pki_check.sh: shell script to check the PKI and client/server environment. Daniel
This commit is contained in:
parent
f36c70775a
commit
62442d578d
@ -1,3 +1,10 @@
|
||||
Thu Jul 12 17:48:40 CEST 2007 Daniel Veillard <veillard@redhat.com>
|
||||
|
||||
* docs/libvir.html docs/remote.html: update the remote page,
|
||||
add an index
|
||||
* docs/pki_check.sh: shell script to check the PKI and client/server
|
||||
environment.
|
||||
|
||||
Thu Jul 12 11:15:17 EST 2007 Daniel P. Berrange <berrange@redhat.com>
|
||||
|
||||
* src/remote_internal.c: Explicitly check certificate/key files
|
||||
|
@ -1432,6 +1432,27 @@ use the mailing-list if you don't get an answer there.</p>
|
||||
Libvirt allows you to access hypervisors running on remote
|
||||
machines through authenticated and encrypted connections.
|
||||
</p>
|
||||
<ul>
|
||||
<li><a href="#Remote_basic_usage">Basic usage</a></li>
|
||||
<li><a href="#Remote_transports">Transports</a></li>
|
||||
<li><a href="#Remote_URI_reference">Remote URIs</a>
|
||||
<ul>
|
||||
<li><a href="#Remote_URI_parameters">Extra parameters</a></li>
|
||||
</ul></li>
|
||||
<li><a href="#Remote_certificates">Generating TLS certificates</a>
|
||||
<ul>
|
||||
<li><a href="#Remote_PKI">Public Key Infrastructure set up</a></li>
|
||||
<li><a href="#Remote_TLS_background">Background to TLS certificates</a></li>
|
||||
<li><a href="#Remote_TLS_CA">Setting up a Certificate Authority (CA)</a></li>
|
||||
<li><a href="#Remote_TLS_server_certificates">Issuing server certificates</a></li>
|
||||
<li><a href="#Remote_TLS_client_certificates">Issuing client certificates</a></li>
|
||||
<li><a href="#Remote_TLS_troubleshooting">Troubleshooting TLS certificate problems</a></li>
|
||||
</ul></li>
|
||||
<li><a href="#Remote_libvirtd_configuration">libvirtd configuration file</a></li>
|
||||
<li><a href="#Remote_IPv6">IPv6 support</a></li>
|
||||
<li><a href="#Remote_limitations">Limitations</a></li>
|
||||
<li><a href="#Remote_implementation_notes">Implementation notes</a></li>
|
||||
</ul>
|
||||
|
||||
<h3><a name="Remote_basic_usage">Basic usage</a></h3>
|
||||
|
||||
@ -1680,7 +1701,7 @@ Note that parameter values must be
|
||||
|
||||
<h3><a name="Remote_certificates">Generating TLS certificates</a></h3>
|
||||
|
||||
<h4>Public Key Infrastructure set up</h4>
|
||||
<h4><a name="Remote_PKI">Public Key Infrastructure set up</a></h4>
|
||||
|
||||
<p>
|
||||
If you are unsure how to create TLS certificates, skip to the
|
||||
@ -2038,15 +2059,19 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem
|
||||
<dd>
|
||||
<p>
|
||||
On the server side, run the libvirtd server with
|
||||
the '--remote' and '--verbose' options while the
|
||||
the '--listen' and '--verbose' options while the
|
||||
client is connecting. The verbose log messages should
|
||||
tell you enough to diagnose the problem.
|
||||
</p>
|
||||
</dd>
|
||||
</dl>
|
||||
<p> You can use the <a href="pki_check.sh">pki_check.sh</a> shell script
|
||||
to analyze the setup on the client or server machines, preferably as root.
|
||||
It will try to point out the possible problems and provide solutions to
|
||||
fix the set up up to a point where you have secure remote access.</p>
|
||||
|
||||
|
||||
<h3><a name="Remote_libvirtd_configuration">libvirtd configuration</a></h3>
|
||||
<h3><a name="Remote_libvirtd_configuration">libvirtd configuration file</a></h3>
|
||||
|
||||
<p>
|
||||
Libvirtd (the remote daemon) is configured from a file called
|
||||
@ -2059,6 +2084,8 @@ the command line using <code>-f filename</code> or
|
||||
This file should contain lines of the form below.
|
||||
Blank lines and comments beginning with <code>#</code> are ignored.
|
||||
</p>
|
||||
<pre>setting = value</pre>
|
||||
<p>The following settings, values and default are:</p>
|
||||
|
||||
<table class="top_table">
|
||||
<tr>
|
||||
|
260
docs/pki_check.sh
Executable file
260
docs/pki_check.sh
Executable file
@ -0,0 +1,260 @@
|
||||
#!/bin/sh
|
||||
#
|
||||
# This shell script checks the TLS certificates and options needed
|
||||
# for the secure client/server support of libvirt as documented at
|
||||
# http://libvirt.org/remote.html#Remote_certificates
|
||||
#
|
||||
# Daniel Veillard <veillard@redhat.com>
|
||||
#
|
||||
USER=`who am i | awk '{ print $1 }'`
|
||||
SERVER=1
|
||||
CLIENT=1
|
||||
PORT=16514
|
||||
#
|
||||
# First get certtool
|
||||
#
|
||||
CERTOOL=`which certtool 2>/dev/null`
|
||||
if [ ! -x $CERTOOL ]
|
||||
then
|
||||
echo Could not locate the certtool program
|
||||
echo make sure the gnutls-utils package is installed
|
||||
exit 1
|
||||
fi
|
||||
echo Found $CERTOOL
|
||||
|
||||
#
|
||||
# Check the directory structure
|
||||
#
|
||||
PKI="/etc/pki"
|
||||
if [ ! -d $PKI ]
|
||||
then
|
||||
echo the $PKI directory is missing, it is usually
|
||||
echo installed as part of the filesystem or openssl packages
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -r $PKI ]
|
||||
then
|
||||
echo the $PKI directory is not readable by $USER
|
||||
echo "as root do: chmod a+rx $PKI"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x $PKI ]
|
||||
then
|
||||
echo the $PKI directory is not listable by $USER
|
||||
echo "as root do: chmod a+rx $PKI"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
CA="$PKI/CA"
|
||||
if [ ! -d $CA ]
|
||||
then
|
||||
echo the $CA directory is missing, it is usually
|
||||
echo installed as part of the or openssl package
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -r $CA ]
|
||||
then
|
||||
echo the $CA directory is not readable by $USER
|
||||
echo "as root do: chmod a+rx $CA"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x $CA ]
|
||||
then
|
||||
echo the $CA directory is not listable by $USER
|
||||
echo "as root do: chmod a+rx $CA"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
LIBVIRT="$PKI/libvirt"
|
||||
if [ ! -d $LIBVIRT ]
|
||||
then
|
||||
echo the $LIBVIRT directory is missing, it is usually
|
||||
echo installed by the libvirt package
|
||||
echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -r $LIBVIRT ]
|
||||
then
|
||||
echo the $LIBVIRT directory is not readable by $USER
|
||||
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x $LIBVIRT ]
|
||||
then
|
||||
echo the $LIBVIRT directory is not listable by $USER
|
||||
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
LIBVIRTP="$LIBVIRT/private"
|
||||
if [ ! -d $LIBVIRTP ]
|
||||
then
|
||||
echo the $LIBVIRTP directory is missing, it is usually
|
||||
echo installed by the libvirt package
|
||||
echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ ! -r $LIBVIRTP ]
|
||||
then
|
||||
echo the $LIBVIRTP directory is not readable by $USER
|
||||
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -x $LIBVIRTP ]
|
||||
then
|
||||
echo the $LIBVIRTP directory is not listable by $USER
|
||||
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#
|
||||
# Now check the certificates
|
||||
# First the CA certificate
|
||||
#
|
||||
if [ ! -f $CA/cacert.pem ]
|
||||
then
|
||||
echo the CA certificate $CA/cacert.pem is missing while it
|
||||
echo should be installed on both client and servers
|
||||
echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
|
||||
echo on how to install it
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -r $CA/cacert.pem ]
|
||||
then
|
||||
echo the CA certificate $CA/cacert.pem is not readable by $USER
|
||||
echo "as root do: chmod 644 $CA/cacert.pem"
|
||||
exit 1
|
||||
fi
|
||||
ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep Issuer | sed 's+Issuer: CN=++'`
|
||||
if [ "$ORG" == "" ]
|
||||
then
|
||||
echo the CA certificate $CA/cacert.pem does not define the organization
|
||||
echo it should probably regenerated
|
||||
echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
|
||||
echo on how to regenerate it
|
||||
exit 1
|
||||
fi
|
||||
echo Found CA certificate $CA/cacert.pem for $ORG
|
||||
|
||||
# Second the client certificates
|
||||
|
||||
if [ -f $LIBVIRT/clientcert.pem ]
|
||||
then
|
||||
if [ ! -r $LIBVIRT/clientcert.pem ]
|
||||
then
|
||||
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
|
||||
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
|
||||
else
|
||||
S_ORG=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
|
||||
if [ "$ORG" != "$S_ORG" ]
|
||||
then
|
||||
echo The CA certificate and the client certificate do not match
|
||||
echo CA organization: $ORG
|
||||
echo Client organization: $S_ORG
|
||||
fi
|
||||
CLIENT=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
|
||||
echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
|
||||
if [ ! -e $LIBVIRTP/clientkey.pem ]
|
||||
then
|
||||
echo Missing client private key $LIBVIRTP/clientkey.pem
|
||||
else
|
||||
echo Found client private key $LIBVIRTP/clientkey.pem
|
||||
OWN=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $3 }'`
|
||||
MOD=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $1 }'`
|
||||
if [ "$OWN" != "root" ]
|
||||
then
|
||||
echo The client private key should be owned by root
|
||||
echo "as root do: chown root $LIBVIRTP/clientkey.pem"
|
||||
fi
|
||||
if [ "$MOD" != "-rw-r--r--" ]
|
||||
then
|
||||
echo The client private key need to be read by client tools
|
||||
echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
else
|
||||
echo Did not found $LIBVIRT/clientcert.pem client certificate
|
||||
echo The machine cannot act as a client
|
||||
echo "see http://libvirt.org/remote.html#Remote_TLS_client_certificates"
|
||||
echo on how to regenerate it
|
||||
CLIENT=0
|
||||
fi
|
||||
|
||||
# Third the server certificates
|
||||
|
||||
if [ -f $LIBVIRT/servercert.pem ]
|
||||
then
|
||||
if [ ! -r $LIBVIRT/servercert.pem ]
|
||||
then
|
||||
echo Server certificate $LIBVIRT/servercert.pem should be world readable
|
||||
echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
|
||||
else
|
||||
S_ORG=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
|
||||
if [ "$ORG" != "$S_ORG" ]
|
||||
then
|
||||
echo The CA certificate and the server certificate do not match
|
||||
echo CA organization: $ORG
|
||||
echo Server organization: $S_ORG
|
||||
fi
|
||||
S_HOST=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
|
||||
if [ "$S_HOST" != "`hostname -s`" -a "$S_HOST" != "`hostname`" ]
|
||||
then
|
||||
echo The server certificate does not seem to match the host name
|
||||
echo hostname: '"'`hostname`'"'
|
||||
echo Server certificate CN: '"'$S_HOST'"'
|
||||
fi
|
||||
echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST
|
||||
if [ ! -e $LIBVIRTP/serverkey.pem ]
|
||||
then
|
||||
echo Missing server private key $LIBVIRTP/serverkey.pem
|
||||
else
|
||||
echo Found server private key $LIBVIRTP/serverkey.pem
|
||||
OWN=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $3 }'`
|
||||
MOD=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $1 }'`
|
||||
if [ "$OWN" != "root" ]
|
||||
then
|
||||
echo The server private key should be owned by root
|
||||
echo "as root do: chown root $LIBVIRTP/serverkey.pem"
|
||||
fi
|
||||
if [ "$MOD" != "-rw-------" ]
|
||||
then
|
||||
echo The server private key need to be read only by root
|
||||
echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem"
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
else
|
||||
echo Did not found $LIBVIRT/servercert.pem server certificate
|
||||
echo The machine cannot act as a server
|
||||
echo "see http://libvirt.org/remote.html#Remote_TLS_server_certificates"
|
||||
echo on how to regenerate it
|
||||
SERVER=0
|
||||
fi
|
||||
|
||||
if [ "$SERVER" = "1" ]
|
||||
then
|
||||
if [ -r /etc/sysconfig/libvirtd ]
|
||||
then
|
||||
if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
|
||||
then
|
||||
echo Make sure /etc/sysconfig/libvirtd is setup to listen to
|
||||
echo TCP/IP connections and restart the libvirtd service
|
||||
fi
|
||||
fi
|
||||
if [ -r /etc/sysconfig/iptables ]
|
||||
then
|
||||
if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
|
||||
then
|
||||
echo Make sure /etc/sysconfig/iptables is setup to allow
|
||||
echo incoming TCP/IP connections on port $PORT and
|
||||
echo restart the iptables service
|
||||
fi
|
||||
fi
|
||||
fi
|
@ -3,7 +3,24 @@
|
||||
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><link rel="stylesheet" type="text/css" href="libvirt.css" /><link rel="SHORTCUT ICON" href="/32favicon.png" /><title>Remote support</title></head><body><div id="container"><div id="intro"><div id="adjustments"></div><div id="pageHeader"></div><div id="content2"><h1 class="style1">Remote support</h1><p>
|
||||
Libvirt allows you to access hypervisors running on remote
|
||||
machines through authenticated and encrypted connections.
|
||||
</p><h3><a name="Remote_basic_usage" id="Remote_basic_usage">Basic usage</a></h3><p>
|
||||
</p><ul><li><a href="#Remote_basic_usage">Basic usage</a></li>
|
||||
<li><a href="#Remote_transports">Transports</a></li>
|
||||
<li><a href="#Remote_URI_reference">Remote URIs</a>
|
||||
<ul><li><a href="#Remote_URI_parameters">Extra parameters</a></li>
|
||||
</ul></li>
|
||||
<li><a href="#Remote_certificates">Generating TLS certificates</a>
|
||||
<ul><li><a href="#Remote_PKI">Public Key Infrastructure set up</a></li>
|
||||
<li><a href="#Remote_TLS_background">Background to TLS certificates</a></li>
|
||||
<li><a href="#Remote_TLS_CA">Setting up a Certificate Authority (CA)</a></li>
|
||||
<li><a href="#Remote_TLS_server_certificates">Issuing server certificates</a></li>
|
||||
<li><a href="#Remote_TLS_client_certificates">Issuing client certificates</a></li>
|
||||
<li><a href="#Remote_TLS_troubleshooting">Troubleshooting TLS certificate problems</a></li>
|
||||
</ul></li>
|
||||
<li><a href="#Remote_libvirtd_configuration">libvirtd configuration file</a></li>
|
||||
<li><a href="#Remote_IPv6">IPv6 support</a></li>
|
||||
<li><a href="#Remote_limitations">Limitations</a></li>
|
||||
<li><a href="#Remote_implementation_notes">Implementation notes</a></li>
|
||||
</ul><h3><a name="Remote_basic_usage" id="Remote_basic_usage">Basic usage</a></h3><p>
|
||||
On the remote machine, <code>libvirtd</code> should be running.
|
||||
See <a href="#Remote_libvirtd_configuration">the section
|
||||
on configuring libvirtd</a> for more information.
|
||||
@ -178,7 +195,7 @@ Note that parameter values must be
|
||||
</td>
|
||||
</tr><tr><td colspan="2"></td>
|
||||
<td> Example: <code>no_verify=1</code> </td>
|
||||
</tr></table><h3><a name="Remote_certificates" id="Remote_certificates">Generating TLS certificates</a></h3><h4>Public Key Infrastructure set up</h4><p>
|
||||
</tr></table><h3><a name="Remote_certificates" id="Remote_certificates">Generating TLS certificates</a></h3><h4><a name="Remote_PKI" id="Remote_PKI">Public Key Infrastructure set up</a></h4><p>
|
||||
If you are unsure how to create TLS certificates, skip to the
|
||||
next section.
|
||||
</p><table class="top_table"><tr><th> Location </th>
|
||||
@ -415,12 +432,15 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem
|
||||
<dd>
|
||||
<p>
|
||||
On the server side, run the libvirtd server with
|
||||
the '--remote' and '--verbose' options while the
|
||||
the '--listen' and '--verbose' options while the
|
||||
client is connecting. The verbose log messages should
|
||||
tell you enough to diagnose the problem.
|
||||
</p>
|
||||
</dd>
|
||||
</dl><h3><a name="Remote_libvirtd_configuration" id="Remote_libvirtd_configuration">libvirtd configuration</a></h3><p>
|
||||
</dl><p> You can use the <a href="pki_check.sh">pki_check.sh</a> shell script
|
||||
to analyze the setup on the client or server machines, preferably as root.
|
||||
It will try to point out the possible problems and provide solutions to
|
||||
fix the set up up to a point where you have secure remote access.</p><h3><a name="Remote_libvirtd_configuration" id="Remote_libvirtd_configuration">libvirtd configuration file</a></h3><p>
|
||||
Libvirtd (the remote daemon) is configured from a file called
|
||||
<code>/etc/libvirt/libvirtd.conf</code>, or specified on
|
||||
the command line using <code>-f filename</code> or
|
||||
@ -428,7 +448,7 @@ the command line using <code>-f filename</code> or
|
||||
</p><p>
|
||||
This file should contain lines of the form below.
|
||||
Blank lines and comments beginning with <code>#</code> are ignored.
|
||||
</p><table class="top_table"><tr><th> Line </th>
|
||||
</p><pre>setting = value</pre><p>The following settings, values and default are:</p><table class="top_table"><tr><th> Line </th>
|
||||
<th> Default </th>
|
||||
<th> Meaning </th>
|
||||
</tr><tr><td> listen_tls <i>[0|1]</i> </td>
|
||||
|
Loading…
Reference in New Issue
Block a user