diff --git a/docs/remote.html b/docs/remote.html
index 30750bc980..57fc5376c4 100644
--- a/docs/remote.html
+++ b/docs/remote.html
@@ -582,7 +582,7 @@ client is connecting. The verbose log messages should tell you enough to diagnose the problem.
-You can use the pki_check.sh shell script
+
You can use the virt-pki-validate shell script to analyze the setup on the client or server machines, preferably as root. It will try to point out the possible problems and provide solutions to fix the set up up to a point where you have secure remote access.
diff --git a/docs/remote.html.in b/docs/remote.html.in
index 4941913444..2716ebe2b0 100644
--- a/docs/remote.html.in
+++ b/docs/remote.html.in
@@ -622,7 +622,7 @@ tell you enough to diagnose the problem.
-You can use the pki_check.sh shell script
+
You can use the virt-pki-validate shell script to analyze the setup on the client or server machines, preferably as root. It will try to point out the possible problems and provide solutions to fix the set up up to a point where you have secure remote access.
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 550ce5f22b..cb2b27432a 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -704,8 +704,10 @@ fi
 %{_mandir}/man1/virsh.1*
 %{_mandir}/man1/virt-xml-validate.1*
+%{_mandir}/man1/virt-pki-validate.1*
 %{_bindir}/virsh
 %{_bindir}/virt-xml-validate
+%{_bindir}/virt-pki-validate
 %{_libdir}/lib*.so.*
 %dir %{_datadir}/libvirt/
diff --git a/mingw32-libvirt.spec.in b/mingw32-libvirt.spec.in
index 769c3ff120..867a8493ea 100644
--- a/mingw32-libvirt.spec.in
+++ b/mingw32-libvirt.spec.in
@@ -80,6 +80,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mingw32_bindir}/libvirt-0.dll
 %{_mingw32_bindir}/virsh.exe
 %{_mingw32_bindir}/virt-xml-validate
+%{_mingw32_bindir}/virt-pki-validate
 %{_mingw32_libdir}/libvirt.dll.a
 %{_mingw32_libdir}/libvirt.la
@@ -105,6 +106,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mingw32_mandir}/man1/virsh.1*
 %{_mingw32_mandir}/man1/virt-xml-validate.1*
+%{_mingw32_mandir}/man1/virt-pki-validate.1*
 %changelog
diff --git a/tools/.gitignore b/tools/.gitignore
index f2928730b0..51f1f666bc 100644
--- a/tools/.gitignore
+++ b/tools/.gitignore
@@ -1,4 +1,5 @@
 virt-xml-validate
+virt-pki-validate
 *.1
 Makefile
 Makefile.in
diff --git a/tools/Makefile.am b/tools/Makefile.am
index e5333ceea2..81698a4b30 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -8,12 +8,12 @@ ICON_FILES = \
 libvirt_win_icon_64x64.ico \
 virsh_win_icon.rc
-EXTRA_DIST = $(ICON_FILES) virt-xml-validate.in virsh.pod
+EXTRA_DIST = $(ICON_FILES) virt-xml-validate.in virt-pki-validate.in virsh.pod
-bin_SCRIPTS = virt-xml-validate
+bin_SCRIPTS = virt-xml-validate virt-pki-validate
 bin_PROGRAMS = virsh
-man1_MANS = virt-xml-validate.1 virsh.1
+man1_MANS = virt-xml-validate.1 virt-pki-validate.1 virsh.1
 virt-xml-validate: virt-xml-validate.in Makefile
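Review bot: No clean-up entry for the generated virt-pki-validate and virt-pki-validate.1 appears in the tools/Makefile.am hunk, although both are now listed in bin_SCRIPTS and man1_MANS and are built from virt-pki-validate.in by the rules in the following hunk. If the file's CLEANFILES (outside this hunk) names virt-xml-validate and its man page individually, the two new files need adding there too, e.g. `CLEANFILES += virt-pki-validate virt-pki-validate.1`; if it is written in terms of `$(bin_SCRIPTS) $(man1_MANS)` nothing further is needed. The tools/.gitignore hunk on this line already ignores virt-pki-validate and *.1, consistent with their being regenerated on every build.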
@@ -23,7 +23,12 @@ virt-xml-validate: virt-xml-validate.in Makefile
 virt-xml-validate.1: virt-xml-validate
 $(POD2MAN) $< $@
+virt-pki-validate: virt-pki-validate.in Makefile
+ sed -e 's,@SYSCONFDIR@,$(sysconfdir),' < $< > $@ || (rm $@ && exit 1)
+ chmod +x $@
+virt-pki-validate.1: virt-pki-validate
+ $(POD2MAN) $< $@
 virsh_SOURCES = \
 console.c console.h \
diff --git a/docs/pki_check.sh b/tools/virt-pki-validate.in
similarity index 81%
rename from docs/pki_check.sh
rename to tools/virt-pki-validate.in
index 10cdb7d146..f3d3218481 100755
--- a/docs/pki_check.sh
+++ b/tools/virt-pki-validate.in
@@ -25,7 +25,7 @@ echo Found $CERTOOL
 #
 # Check the directory structure
 #
-PKI="/etc/pki"
+PKI="$(SYSCONFDIR)/pki"
 if [ ! -d $PKI ]
 then
 echo the $PKI directory is missing, it is usually
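Review bot: The sed expression in the new virt-pki-validate rule replaces the token `@SYSCONFDIR@`, but the renamed script (the @@ -25,7 and @@ -240,21 hunks of tools/virt-pki-validate.in) spells its placeholder `$(SYSCONFDIR)`, so the substitution never matches and the installed script keeps the literal text. To the shell that text is a command substitution: `PKI="$(SYSCONFDIR)/pki"` tries to run a command named SYSCONFDIR at run time and, with none found, PKI becomes `/pki`, so the directory and sysconfig checks that follow report wrong paths and the script's advice is misleading on every host. Either the script should use the token the rule looks for, `PKI="@SYSCONFDIR@/pki"` and likewise `@SYSCONFDIR@/sysconfig/libvirtd` and `@SYSCONFDIR@/sysconfig/iptables`, or the sed pattern should match what the script contains; the `@NAME@` form is presumably what the existing virt-xml-validate rule (recipe outside this hunk) already uses. Minor: the failure branch `rm $@` is better as `rm -f $@` so a missing output file does not replace the sed error with a second one.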
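Review bot: The context line `if [ ! -d $PKI ]` directly under the changed assignment leaves `$PKI` unquoted, and after this change the value is no longer a fixed `/etc/pki` but whatever sysconfdir the build substitutes, so a path containing whitespace would split into several test arguments and abort with a syntax error instead of the intended diagnostic; `if [ ! -d "$PKI" ]` keeps it a single word. The same consideration applies to the substituted `sysconfig/libvirtd` and `sysconfig/iptables` paths used unquoted in the @@ -240,21 hunk. The remainder of the script lies outside these hunks.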
@@ -240,21 +240,74 @@ fi
 if [ "$SERVER" = "1" ]
 then
- if [ -r /etc/sysconfig/libvirtd ]
+ if [ -r $(SYSCONFDIR)/sysconfig/libvirtd ]
 then
- if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
+ if [ "`grep '^LIBVIRTD_ARGS' $(SYSCONFDIR)/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
 then
- echo Make sure /etc/sysconfig/libvirtd is setup to listen to
+ echo Make sure $(SYSCONFDIR)/sysconfig/libvirtd is setup to listen to
 echo TCP/IP connections and restart the libvirtd service
 fi
 fi
- if [ -r /etc/sysconfig/iptables ]
+ if [ -r $(SYSCONFDIR)/sysconfig/iptables ]
 then
- if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
+ if [ "`grep $PORT $(SYSCONFDIR)/sysconfig/iptables`" = "" ]
 then
- echo Make sure /etc/sysconfig/iptables is setup to allow
+ echo Make sure $(SYSCONFDIR)/sysconfig/iptables is setup to allow
 echo incoming TCP/IP connections on port $PORT and
 echo restart the iptables service
 fi
 fi
 fi
+
+
+exit 0
+
+: <<=cut
+=pod
+
+=head1 NAME
+
+ virt-pki-validate - validate libvirt PKI files are configured correctly
+
+=head1 SYNOPSIS
+
+ virt-pki-validate
+
+=head1 DESCRIPTION
+
+This tool validates that the neccessary PKI files are configured for
+a secure libvirt server or client using the TLS encryption protocol.
+It will report any missing certificate or key files on the host. It
+should be run as root to ensure it can read all the neccessary files
+
+=head1 EXIT STATUS
+
+Upon successful validation, an exit status of 0 will be set. Upon
+failure a non-zero status will be set.
+
+=head1 AUTHOR
+
+Richard Jones
+
+=head1 BUGS
+
+Report any bugs discovered to the libvirt community via the
+mailing list C