I have a headless server running libvirtd with a qemu backend and I wanted to connect to it securely with virt-manager on my laptop. There are several ways to do this; I decided to try TLS with a private PKI for transport encryption and peer authentication.
I wrote a script to generate a Certificate Authority (CA) certificate, then generate certificates for the client and the server, both signed by the CA.
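An added example of such a script, written with openssl rather than the author's own tool (this is not the post's script): it builds the CA, a server certificate whose subjectAltName matches the hostname clients will put in the qemu+tls:// URI, and a client certificate, then verifies the result. File names follow the libvirt layout referenced in libvirtd.conf (cacert.pem, servercert.pem, serverkey.pem) plus the client pair libvirt looks for (clientcert.pem, clientkey.pem); the CA name, hostname and client name are placeholders.

```shell
#!/bin/sh
# Added example: a small private PKI for libvirt TLS built with openssl.
# Not the post's script; names below are placeholders.
set -eu

# make_pki OUTDIR SERVER_FQDN CLIENT_NAME
# Writes: cakey.pem cacert.pem serverkey.pem servercert.pem
#         clientkey.pem clientcert.pem into OUTDIR.
make_pki() {
    dir=$1; host=$2; client=$3
    mkdir -p "$dir"

    # Self-contained openssl config so the output does not depend on the
    # distro's /etc/ssl/openssl.cnf defaults. The [dn] section is only a
    # placeholder; -subj below overrides it.
    cat > "$dir/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. CA key and self-signed CA certificate. Keep cakey.pem off the
    #    hypervisor and the laptop; only cacert.pem is distributed.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 3650 \
        -config "$dir/pki.cnf" -extensions v3_ca \
        -subj "/CN=home libvirt CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # 2. Server certificate. The SAN must match the hostname in the
    #    qemu+tls:// URI, since the client verifies it.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/pki.cnf" \
        -subj "/CN=$host" -keyout "$dir/serverkey.pem" \
        -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/servercert.pem" 2>/dev/null

    # 3. Client certificate, limited to client authentication.
    cat > "$dir/client.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$dir/pki.cnf" \
        -subj "/CN=$client" -keyout "$dir/clientkey.pem" \
        -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/client.ext" -out "$dir/clientcert.pem" 2>/dev/null

    rm -f "$dir/server.csr" "$dir/client.csr"
    chmod 600 "$dir/cakey.pem" "$dir/serverkey.pem" "$dir/clientkey.pem"
}

# verify_pki OUTDIR SERVER_FQDN
# The check to run before copying anything into /etc/pki: both leaf
# certificates chain to the CA for their intended purpose, and the
# server certificate carries the hostname clients will connect to.
verify_pki() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" -purpose sslserver \
        "$dir/servercert.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$dir/cacert.pem" -purpose sslclient \
        "$dir/clientcert.pem" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/servercert.pem" -noout -text | grep -q "DNS:$host"
}

# Usage: make_pki ./pki hypervisor.tarnbarford.net laptop && verify_pki ./pki hypervisor.tarnbarford.net
```

The explicit basicConstraints, keyUsage and extendedKeyUsage extensions are not decoration: libvirt checks them when it loads the CA, server and client certificates, and a CA certificate without CA:TRUE or a server certificate without serverAuth is rejected at connection time rather than failing silently.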
The server running libvirtd needs to be configured to support TLS connections. On Debian systems the libvirtd configuration is in /etc/libvirt/libvirtd.conf. The relevant default configuration values were already what I needed and I didn't make any changes to this file.
listen_tls = 1
tls_port = "16514"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
tls_no_verify_certificate = 0
On the server, I needed to allow access to port 16514 through the firewall.
Debian ships a systemd unit for libvirt socket activation on the TLS port, /lib/systemd/system/libvirtd-tls.socket. This means libvirtd is started when a connection to port 16514 is made.
I'm now able to connect to my server with virsh on my laptop.
$ virsh -c qemu+tls://hypervisor.tarnbarford.net:16514/system list
 Id    Name            State
------------------------------
 1     bacula          running
 2     loadbalancer    running
 3     mail-server     running
 4     tarnbarford     running
 5     monitoring      running
 7     bab-website     running
 8     owncloud        running
 9     icinga          running
 10    dns             running
 11    ns1             running
I can connect to the serial console of the virtual machines, which is pretty useful when working with headless servers.
$ virsh -c qemu+tls://hypervisor.tarnbarford.net:16514/system console tarnbarford
Connected to domain 'tarnbarford'
Escape character is ^] (Ctrl + ])

tarnbarford login:
And I can connect virt-manager to work with libvirtd on my server.
The VNC and SPICE connections go directly to the virtual machine emulators, not via libvirtd, so these need to be set up separately. I'd really like to get this working smoothly, so I expect to post something about