
Remote management over TLS/SSL

The more scalable, but complicated, way to manage virtual machines remotely is to leverage TLS/SSL. This is the same technology used by web browsers for secure connections. In essence the libvirt management connection will open a TCP port for incoming connections, which is securely encrypted and authenticated based on x509 certificates. In addition the VNC console for each guest virtual machine will be setup to use TLS with x509 certificate authentication.

Pros/Cons of TLS/SSL

Steps to setup TLS/SSL access for virt-manager

The following short guide assumes you are starting from scratch and don't have any TLS/SSL certificate knowledge. If you are lucky enough to have a certificate management server you can probably skip the first steps.

libvirt server setup

The libvirt website has a walkthrough on creating certificates, and placing them in the correct places on the server (ie, /etc/pki/libvirt). Consult http://libvirt.org/remote.html

Xen VNC Server

The Xen VNC server can have TLS enabled by editing the main configuration file

 /etc/xen/xend-config.sxp

The following config parameter should be uncommented:

 (vnc-tls 1)

It then requires that the /etc/xen/vnc directory be populated with 3 files:

This provides encryption of the data channel. If clients are to continue using passwords for authentication it is practical to stop here. It may be desirable to also require that clients present their own x509 certificate as a form of authentication. To enable this use

 (vnc-x509-verify 1)

KVM VNC Server

The KVM VNC server can be TLS enabled by editing the main libvirt daemon configuration file for the QEMU driver

 /etc/libvirt/qemu.conf

The following config parameter should be uncommented (remove the leading # so the line takes effect):

 #vnc_tls=1

It then requires that the /etc/pki/libvirt-vnc directory be populated with 3 files:

This provides encryption of the data channel. If clients are to continue using passwords for authentication it is practical to stop here. It may be desirable to also require that clients present their own x509 certificate as a form of authentication. To enable this use

 #vnc_tls_x509_verify=1

NB. Latest libvirt releases run QEMU as a dedicated user account 'qemu:qemu', so make sure that user/group has permission to read the certificate files in /etc/pki/libvirt-vnc
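The following is an added example, not part of the original page and not libvirt's own tooling. It audits the two server-side settings described in the Xen and KVM sections above: it reports whether the VNC TLS option is actually active (an uncommented `(vnc-tls 1)` in the sxp file, or an uncommented `vnc_tls=1` in qemu.conf) and whether client certificate verification is also on, and it counts how many of the expected certificate files in the VNC certificate directory are present and readable. The certificate file names (ca-cert.pem, server-cert.pem, server-key.pem) are libvirt's documented layout for that directory and are an assumption here, since the page does not list them; the sample config and directory are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: audit VNC TLS settings in xend-config.sxp / qemu.conf style
# files and check the VNC certificate directory. Not libvirt's own code.

# Return 0 if an uncommented "(KEY VALUE)" entry exists in an sxp file.
# Xen ignores lines starting with '#', so "#(vnc-tls 1)" does not count.
sxp_setting_active() {
    conf=$1; key=$2; value=$3
    grep -Eq "^[[:space:]]*\\(${key}[[:space:]]+${value}[[:space:]]*\\)" "$conf"
}

# Return 0 if KEY=VALUE is set on an uncommented line of a qemu.conf file.
# libvirt ignores lines starting with '#', so "#vnc_tls=1" does not count.
conf_setting_active() {
    conf=$1; key=$2; value=$3
    grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}[[:space:]]*(#.*)?$" "$conf"
}

# Print the effective VNC TLS mode of a qemu.conf:
# "off", "encrypt-only" (vnc_tls=1) or "x509-verify" (plus vnc_tls_x509_verify=1).
vnc_tls_mode() {
    conf=$1
    if ! conf_setting_active "$conf" vnc_tls 1; then
        echo off
    elif conf_setting_active "$conf" vnc_tls_x509_verify 1; then
        echo x509-verify
    else
        echo encrypt-only
    fi
}

# Same classification for a Xen xend-config.sxp file.
xen_vnc_tls_mode() {
    conf=$1
    if ! sxp_setting_active "$conf" vnc-tls 1; then
        echo off
    elif sxp_setting_active "$conf" vnc-x509-verify 1; then
        echo x509-verify
    else
        echo encrypt-only
    fi
}

# Count how many of the expected certificate files are present and readable
# by the current user in DIR. The names follow libvirt's documented layout
# for the VNC certificate directory (assumption: the page does not list them).
count_vnc_cert_files() {
    dir=$1; n=0
    for f in ca-cert.pem server-cert.pem server-key.pem; do
        if [ -r "$dir/$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# --- Constructed sample input (not real configuration): a qemu.conf with
# --- vnc_tls enabled but x509 verify still commented out, an sxp file with
# --- both options enabled, and a certificate directory missing the key.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_CONF="$SAMPLE_DIR/qemu.conf"
SAMPLE_SXP="$SAMPLE_DIR/xend-config.sxp"
cat > "$SAMPLE_CONF" <<'EOF'
# Enable use of TLS encryption on the VNC server.
vnc_tls = 1
#vnc_tls_x509_verify=1
vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
EOF
cat > "$SAMPLE_SXP" <<'EOF'
#(vnc-listen '127.0.0.1')
(vnc-tls 1)
(vnc-x509-verify 1)
EOF
mkdir -p "$SAMPLE_DIR/libvirt-vnc"
: > "$SAMPLE_DIR/libvirt-vnc/ca-cert.pem"
: > "$SAMPLE_DIR/libvirt-vnc/server-cert.pem"

echo "qemu.conf VNC TLS mode: $(vnc_tls_mode "$SAMPLE_CONF")"
echo "xend-config.sxp VNC TLS mode: $(xen_vnc_tls_mode "$SAMPLE_SXP")"
echo "certificate files readable: $(count_vnc_cert_files "$SAMPLE_DIR/libvirt-vnc")/3"
```

On a real host, point the functions at /etc/libvirt/qemu.conf or /etc/xen/xend-config.sxp and at the certificate directory the config names. Because `count_vnc_cert_files` tests readability as the invoking user, running it as the account QEMU runs under (for example with `sudo -u qemu`) is the direct check for the permission problem noted above; a count below 3 there means the VNC server will fail to start TLS even though the option is uncommented. The matcher is deliberately strict about comments and does not handle quoted values, which is fine for the two boolean options it is meant to verify.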

virt-manager/virsh/virt-viewer client setup

The setup for clients is slightly inconsistent at this time. To enable the use of the libvirt management API over TLS, the CA and client certificates need to be placed in /etc/pki. For details on this consult http://libvirt.org/remote.html

In the virt-manager UI, then use the 'SSL/TLS' transport mechanism when connecting to a host.

For virsh/virt-viewer, the qemu://hostname.domainname/system or xen://hostname.domainname/ URIs should be used.


To enable the use of SSL/TLS for VNC, it is necessary to put the CA & client certificates into $HOME/.pki, providing three files
