* docs/libvir.html docs/remote.html: update the remote page,

add an index
* docs/pki_check.sh: shell script to check the PKI and client/server
  environment.
Daniel
This commit is contained in:
Daniel Veillard 2007-07-12 15:47:19 +00:00
parent f36c70775a
commit 62442d578d
4 changed files with 322 additions and 8 deletions

View File

@ -1,3 +1,10 @@
Thu Jul 12 17:48:40 CEST 2007 Daniel Veillard <veillard@redhat.com>
* docs/libvir.html docs/remote.html: update the remote page,
add an index
* docs/pki_check.sh: shell script to check the PKI and client/server
environment.
Thu Jul 12 11:15:17 EST 2007 Daniel P. Berrange <berrange@redhat.com>
* src/remote_internal.c: Explicitly check certificate/key files

View File

@ -1432,6 +1432,27 @@ use the mailing-list if you don't get an answer there.</p>
Libvirt allows you to access hypervisors running on remote
machines through authenticated and encrypted connections.
</p>
<ul>
<li><a href="#Remote_basic_usage">Basic usage</a></li>
<li><a href="#Remote_transports">Transports</a></li>
<li><a href="#Remote_URI_reference">Remote URIs</a>
<ul>
<li><a href="#Remote_URI_parameters">Extra parameters</a></li>
</ul></li>
<li><a href="#Remote_certificates">Generating TLS certificates</a>
<ul>
<li><a href="#Remote_PKI">Public Key Infrastructure set up</a></li>
<li><a href="#Remote_TLS_background">Background to TLS certificates</a></li>
<li><a href="#Remote_TLS_CA">Setting up a Certificate Authority (CA)</a></li>
<li><a href="#Remote_TLS_server_certificates">Issuing server certificates</a></li>
<li><a href="#Remote_TLS_client_certificates">Issuing client certificates</a></li>
<li><a href="#Remote_TLS_troubleshooting">Troubleshooting TLS certificate problems</a></li>
</ul></li>
<li><a href="#Remote_libvirtd_configuration">libvirtd configuration file</a></li>
<li><a href="#Remote_IPv6">IPv6 support</a></li>
<li><a href="#Remote_limitations">Limitations</a></li>
<li><a href="#Remote_implementation_notes">Implementation notes</a></li>
</ul>
<h3><a name="Remote_basic_usage">Basic usage</a></h3>
@ -1680,7 +1701,7 @@ Note that parameter values must be
<h3><a name="Remote_certificates">Generating TLS certificates</a></h3>
<h4>Public Key Infrastructure set up</h4>
<h4><a name="Remote_PKI">Public Key Infrastructure set up</a></h4>
<p>
If you are unsure how to create TLS certificates, skip to the
@ -2038,15 +2059,19 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem
<dd>
<p>
On the server side, run the libvirtd server with
the '--remote' and '--verbose' options while the
the '--listen' and '--verbose' options while the
client is connecting. The verbose log messages should
tell you enough to diagnose the problem.
</p>
</dd>
</dl>
<p> You can use the <a href="pki_check.sh">pki_check.sh</a> shell script
to analyze the setup on the client or server machines, preferably as root.
It will try to point out the possible problems and provide solutions to
fix the set up up to a point where you have secure remote access.</p>
<h3><a name="Remote_libvirtd_configuration">libvirtd configuration</a></h3>
<h3><a name="Remote_libvirtd_configuration">libvirtd configuration file</a></h3>
<p>
Libvirtd (the remote daemon) is configured from a file called
@ -2059,6 +2084,8 @@ the command line using <code>-f filename</code> or
This file should contain lines of the form below.
Blank lines and comments beginning with <code>#</code> are ignored.
</p>
<pre>setting = value</pre>
<p>The following settings, values and default are:</p>
<table class="top_table">
<tr>

260
docs/pki_check.sh Executable file
View File

@ -0,0 +1,260 @@
#!/bin/sh
#
# This shell script checks the TLS certificates and options needed
# for the secure client/server support of libvirt as documented at
# http://libvirt.org/remote.html#Remote_certificates
#
# Daniel Veillard <veillard@redhat.com>
#
USER=`who am i | awk '{ print $1 }'`
SERVER=1
CLIENT=1
PORT=16514
#
# First get certtool
#
CERTOOL=`which certtool 2>/dev/null`
if [ ! -x $CERTOOL ]
then
echo Could not locate the certtool program
echo make sure the gnutls-utils package is installed
exit 1
fi
echo Found $CERTOOL
#
# Check the directory structure
#
PKI="/etc/pki"
if [ ! -d $PKI ]
then
echo the $PKI directory is missing, it is usually
echo installed as part of the filesystem or openssl packages
exit 1
fi
if [ ! -r $PKI ]
then
echo the $PKI directory is not readable by $USER
echo "as root do: chmod a+rx $PKI"
exit 1
fi
if [ ! -x $PKI ]
then
echo the $PKI directory is not listable by $USER
echo "as root do: chmod a+rx $PKI"
exit 1
fi
CA="$PKI/CA"
if [ ! -d $CA ]
then
echo the $CA directory is missing, it is usually
echo installed as part of the or openssl package
exit 1
fi
if [ ! -r $CA ]
then
echo the $CA directory is not readable by $USER
echo "as root do: chmod a+rx $CA"
exit 1
fi
if [ ! -x $CA ]
then
echo the $CA directory is not listable by $USER
echo "as root do: chmod a+rx $CA"
exit 1
fi
LIBVIRT="$PKI/libvirt"
if [ ! -d $LIBVIRT ]
then
echo the $LIBVIRT directory is missing, it is usually
echo installed by the libvirt package
echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT"
exit 1
fi
if [ ! -r $LIBVIRT ]
then
echo the $LIBVIRT directory is not readable by $USER
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
exit 1
fi
if [ ! -x $LIBVIRT ]
then
echo the $LIBVIRT directory is not listable by $USER
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
exit 1
fi
LIBVIRTP="$LIBVIRT/private"
if [ ! -d $LIBVIRTP ]
then
echo the $LIBVIRTP directory is missing, it is usually
echo installed by the libvirt package
echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP"
exit 1
fi
if [ ! -r $LIBVIRTP ]
then
echo the $LIBVIRTP directory is not readable by $USER
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
exit 1
fi
if [ ! -x $LIBVIRTP ]
then
echo the $LIBVIRTP directory is not listable by $USER
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
exit 1
fi
#
# Now check the certificates
# First the CA certificate
#
if [ ! -f $CA/cacert.pem ]
then
echo the CA certificate $CA/cacert.pem is missing while it
echo should be installed on both client and servers
echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
echo on how to install it
exit 1
fi
if [ ! -r $CA/cacert.pem ]
then
echo the CA certificate $CA/cacert.pem is not readable by $USER
echo "as root do: chmod 644 $CA/cacert.pem"
exit 1
fi
ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep Issuer | sed 's+Issuer: CN=++'`
if [ "$ORG" == "" ]
then
echo the CA certificate $CA/cacert.pem does not define the organization
echo it should probably regenerated
echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
echo on how to regenerate it
exit 1
fi
echo Found CA certificate $CA/cacert.pem for $ORG
# Second the client certificates
if [ -f $LIBVIRT/clientcert.pem ]
then
if [ ! -r $LIBVIRT/clientcert.pem ]
then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
else
S_ORG=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the client certificate do not match
echo CA organization: $ORG
echo Client organization: $S_ORG
fi
CLIENT=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
if [ ! -e $LIBVIRTP/clientkey.pem ]
then
echo Missing client private key $LIBVIRTP/clientkey.pem
else
echo Found client private key $LIBVIRTP/clientkey.pem
OWN=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $3 }'`
MOD=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $1 }'`
if [ "$OWN" != "root" ]
then
echo The client private key should be owned by root
echo "as root do: chown root $LIBVIRTP/clientkey.pem"
fi
if [ "$MOD" != "-rw-r--r--" ]
then
echo The client private key need to be read by client tools
echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem"
fi
fi
fi
else
echo Did not found $LIBVIRT/clientcert.pem client certificate
echo The machine cannot act as a client
echo "see http://libvirt.org/remote.html#Remote_TLS_client_certificates"
echo on how to regenerate it
CLIENT=0
fi
# Third the server certificates
if [ -f $LIBVIRT/servercert.pem ]
then
if [ ! -r $LIBVIRT/servercert.pem ]
then
echo Server certificate $LIBVIRT/servercert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
else
S_ORG=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the server certificate do not match
echo CA organization: $ORG
echo Server organization: $S_ORG
fi
S_HOST=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
if [ "$S_HOST" != "`hostname -s`" -a "$S_HOST" != "`hostname`" ]
then
echo The server certificate does not seem to match the host name
echo hostname: '"'`hostname`'"'
echo Server certificate CN: '"'$S_HOST'"'
fi
echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST
if [ ! -e $LIBVIRTP/serverkey.pem ]
then
echo Missing server private key $LIBVIRTP/serverkey.pem
else
echo Found server private key $LIBVIRTP/serverkey.pem
OWN=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $3 }'`
MOD=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $1 }'`
if [ "$OWN" != "root" ]
then
echo The server private key should be owned by root
echo "as root do: chown root $LIBVIRTP/serverkey.pem"
fi
if [ "$MOD" != "-rw-------" ]
then
echo The server private key need to be read only by root
echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem"
fi
fi
fi
else
echo Did not found $LIBVIRT/servercert.pem server certificate
echo The machine cannot act as a server
echo "see http://libvirt.org/remote.html#Remote_TLS_server_certificates"
echo on how to regenerate it
SERVER=0
fi
if [ "$SERVER" = "1" ]
then
if [ -r /etc/sysconfig/libvirtd ]
then
if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
then
echo Make sure /etc/sysconfig/libvirtd is setup to listen to
echo TCP/IP connections and restart the libvirtd service
fi
fi
if [ -r /etc/sysconfig/iptables ]
then
if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
then
echo Make sure /etc/sysconfig/iptables is setup to allow
echo incoming TCP/IP connections on port $PORT and
echo restart the iptables service
fi
fi
fi

View File

@ -3,7 +3,24 @@
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /><link rel="stylesheet" type="text/css" href="libvirt.css" /><link rel="SHORTCUT ICON" href="/32favicon.png" /><title>Remote support</title></head><body><div id="container"><div id="intro"><div id="adjustments"></div><div id="pageHeader"></div><div id="content2"><h1 class="style1">Remote support</h1><p>
Libvirt allows you to access hypervisors running on remote
machines through authenticated and encrypted connections.
</p><h3><a name="Remote_basic_usage" id="Remote_basic_usage">Basic usage</a></h3><p>
</p><ul><li><a href="#Remote_basic_usage">Basic usage</a></li>
<li><a href="#Remote_transports">Transports</a></li>
<li><a href="#Remote_URI_reference">Remote URIs</a>
<ul><li><a href="#Remote_URI_parameters">Extra parameters</a></li>
</ul></li>
<li><a href="#Remote_certificates">Generating TLS certificates</a>
<ul><li><a href="#Remote_PKI">Public Key Infrastructure set up</a></li>
<li><a href="#Remote_TLS_background">Background to TLS certificates</a></li>
<li><a href="#Remote_TLS_CA">Setting up a Certificate Authority (CA)</a></li>
<li><a href="#Remote_TLS_server_certificates">Issuing server certificates</a></li>
<li><a href="#Remote_TLS_client_certificates">Issuing client certificates</a></li>
<li><a href="#Remote_TLS_troubleshooting">Troubleshooting TLS certificate problems</a></li>
</ul></li>
<li><a href="#Remote_libvirtd_configuration">libvirtd configuration file</a></li>
<li><a href="#Remote_IPv6">IPv6 support</a></li>
<li><a href="#Remote_limitations">Limitations</a></li>
<li><a href="#Remote_implementation_notes">Implementation notes</a></li>
</ul><h3><a name="Remote_basic_usage" id="Remote_basic_usage">Basic usage</a></h3><p>
On the remote machine, <code>libvirtd</code> should be running.
See <a href="#Remote_libvirtd_configuration">the section
on configuring libvirtd</a> for more information.
@ -178,7 +195,7 @@ Note that parameter values must be
</td>
</tr><tr><td colspan="2"></td>
<td> Example: <code>no_verify=1</code> </td>
</tr></table><h3><a name="Remote_certificates" id="Remote_certificates">Generating TLS certificates</a></h3><h4>Public Key Infrastructure set up</h4><p>
</tr></table><h3><a name="Remote_certificates" id="Remote_certificates">Generating TLS certificates</a></h3><h4><a name="Remote_PKI" id="Remote_PKI">Public Key Infrastructure set up</a></h4><p>
If you are unsure how to create TLS certificates, skip to the
next section.
</p><table class="top_table"><tr><th> Location </th>
@ -415,12 +432,15 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem
<dd>
<p>
On the server side, run the libvirtd server with
the '--remote' and '--verbose' options while the
the '--listen' and '--verbose' options while the
client is connecting. The verbose log messages should
tell you enough to diagnose the problem.
</p>
</dd>
</dl><h3><a name="Remote_libvirtd_configuration" id="Remote_libvirtd_configuration">libvirtd configuration</a></h3><p>
</dl><p> You can use the <a href="pki_check.sh">pki_check.sh</a> shell script
to analyze the setup on the client or server machines, preferably as root.
It will try to point out the possible problems and provide solutions to
fix the set up up to a point where you have secure remote access.</p><h3><a name="Remote_libvirtd_configuration" id="Remote_libvirtd_configuration">libvirtd configuration file</a></h3><p>
Libvirtd (the remote daemon) is configured from a file called
<code>/etc/libvirt/libvirtd.conf</code>, or specified on
the command line using <code>-f filename</code> or
@ -428,7 +448,7 @@ the command line using <code>-f filename</code> or
</p><p>
This file should contain lines of the form below.
Blank lines and comments beginning with <code>#</code> are ignored.
</p><table class="top_table"><tr><th> Line </th>
</p><pre>setting = value</pre><p>The following settings, values and default are:</p><table class="top_table"><tr><th> Line </th>
<th> Default </th>
<th> Meaning </th>
</tr><tr><td> listen_tls <i>[0|1]</i> </td>