I have a headless server running libvirtd with a KVM/qemu backend and I wanted to securely connect to it with virsh and virt-manager on my laptop. There are several ways to do this, I decided to try TLS with a private PKI for transport encryption and peer authentication.

I wrote a script to generate a Certificate Authority (CA) certificate, then generate certificates for the client and the server that are both signed by the CA certificate.

The server runnning libvirtd needs to be configured to support TLS connections. On Debian systems the libvirtd configuration is in /etc/libvirt/libvirtd.conf. The relevant default configuration values were good and I didn't make any changes to this file.

listen_tls = 1
tls_port = "16514"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
tls_no_verify_certificate = 0

For libvirtd itself, I only needed to copy the server certificates into the locations specified in the configuration files and then restart the service.

On the server, I needed to enable access to the port 16514 through the filewall.

Debian has systemd unit for libvirt socket activation via the TLS port /lib/systemd/system/libvirtd-tls.socket. This means libvirtd will start when a connection to port 16514 is made.

For the client I needed to copy my client certificates to the locations to where libvirt expects them.

I'm now able to connect to my server with virsh on my laptop.

$ virsh -c qemu+tls://hypervisor.tarnbarford.net:16514/system list
 Id   Name           State
 1    bacula         running
 2    loadbalancer   running
 3    mail-server    running
 4    tarnbarford    running
 5    monitoring     running
 7    bab-website    running
 8    owncloud       running
 9    icinga         running
 10   dns            running
 11   ns1            running

I can connect to the serial console of the virtual machines, which is pretty useful when working with headless servers.

$ virsh -c qemu+tls://hypervisor.tarnbarford.net:16514/system console tarnbarford
Connected to domain 'tarnbarford'
Escape character is ^] (Ctrl + ])

tarnbarford login:

And I can connect virt-manager to work with libvirtd on my server.

What isn't yet working is using virt-viewer with VNC or SPICE to conect to the displays of the virtual machines.

The VNC and SPICE connections are directly from virtual machine emulators, not via libvirtd so this needs to be setup separately. I'd really like to get this working smoothly, so I expect to post something about this soon.