10:14 a.m.
Hi,
I have couple of RHEV hosts (ovpxen,RHV2, RHV10 etc) and i'm trying to
connect from one of the client machine (C1). All the RHEV host have libvirt
modified by vdsm. It looks like the below
## beginning of configuration section by vdsm-4.10.2
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="036118ab-705f-4aeb-9a13-013dc8af6b41"
keepalive_interval=-1
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="3:virobject 3:virfile 2:virnetlink 3:cgroup 3:event 3:json
1:libvirt 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.10.2
# ls
bkp-2013-08-16_110734_cacert.pem cacert.pem vdsmcert.pem
bkp-2013-08-16_110734_vdsmcert.pem engine_web_ca.pem
[root@ovpxen certs]# pwd
/etc/pki/vdsm/certs
[root@ovpxen certs]# certtool -i --infile engine_web_ca.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 09
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Wed Jan 23 13:24:14 UTC 2013
Not After: Sun Jan 22 07:54:14 UTC 2023
Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Subject Public Key Algorithm: RSA
Modulus (bits 1024):
certtool -i --infile cacert.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 09
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Wed Jan 23 13:24:14 UTC 2013
Not After: Sun Jan 22 07:54:14 UTC 2023
Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Subject Public Key Algorithm: RSA
Modulus (bits 1024):
[root@ovpxen certs]# certtool -i --infile vdsmcert.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 0c
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Thu Aug 15 11:09:22 UTC 2013
Not After: Wed Aug 15 05:39:22 UTC 2018
Subject: O=HP,CN=16.184.46.53
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
Now from the client C1 which cert should i place in /etc/pki/CA/cacert.pem
so that i can access from the client using the URI
qemu+tls://ovpxen.ind.hp.com/system. Please note the host
IWFVM00772.hpswlabs.adapps.hp.com is ovirt managed host. It is not the
client.
My problem here is i can't change the hypervisor hosts as there are too
many of them and it is configured by vdsm . What certs should i take from
host so that i can use it in the client so that i can connect to multiple
hosts from the client using virsh or virt-manager . I need tls as remote
protocol as i'm trying to automate commands.
Regards,
Navin
12:28 p.m.
On 08/16/2013 04:14 AM, navin p wrote:
Hi,
I have couple of RHEV hosts (ovpxen,RHV2, RHV10 etc) and i'm trying
to connect from one of the client machine (C1). All the RHEV host have
libvirt modified by vdsm. It looks like the below
## beginning of configuration section by vdsm-4.10.2
listen_addr="0.0.0.0"
unix_sock_group="kvm"
unix_sock_rw_perms="0770"
auth_unix_rw="sasl"
host_uuid="036118ab-705f-4aeb-9a13-013dc8af6b41"
keepalive_interval=-1
log_outputs="1:file:/var/log/libvirtd.log"
log_filters="3:virobject 3:virfile 2:virnetlink 3:cgroup 3:event 3:json
1:libvirt 1:util 1:qemu"
ca_file="/etc/pki/vdsm/certs/cacert.pem"
cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
## end of configuration section by vdsm-4.10.2
# ls
bkp-2013-08-16_110734_cacert.pem cacert.pem vdsmcert.pem
bkp-2013-08-16_110734_vdsmcert.pem engine_web_ca.pem
[root@ovpxen certs]# pwd
/etc/pki/vdsm/certs
[root@ovpxen certs]# certtool -i --infile engine_web_ca.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 09
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Wed Jan 23 13:24:14 UTC 2013
Not After: Sun Jan 22 07:54:14 UTC 2023
Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Subject Public Key Algorithm: RSA
Modulus (bits 1024):
certtool -i --infile cacert.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 09
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Wed Jan 23 13:24:14 UTC 2013
Not After: Sun Jan 22 07:54:14 UTC 2023
Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Subject Public Key Algorithm: RSA
Modulus (bits 1024):
[root@ovpxen certs]# certtool -i --infile vdsmcert.pem | head
X.509 Certificate Information:
Version: 3
Serial Number (hex): 0c
Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
Validity:
Not Before: Thu Aug 15 11:09:22 UTC 2013
Not After: Wed Aug 15 05:39:22 UTC 2018
Subject: O=HP,CN=16.184.46.53
Subject Public Key Algorithm: RSA
Modulus (bits 2048):
Now from the client C1 which cert should i place in
/etc/pki/CA/cacert.pem so that i can access from the client using the URI
qemu+tls://ovpxen.ind.hp.com/system <http://ovpxen.ind.hp.com/system>;.
Please note the host IWFVM00772.hpswlabs.adapps.hp.com
<http://IWFVM00772.hpswlabs.adapps.hp.com> is ovirt managed host. It is
not the client.
My problem here is i can't change the hypervisor hosts as there are too
many of them and it is configured by vdsm . What certs should i take
from host so that i can use it in the client so that i can connect to
multiple hosts from the client using virsh or virt-manager . I need tls
as remote protocol as i'm trying to automate commands.
you should be able to do read-only access without special config iirc.
taking actions requires the vdsm password, but worth discussing if you
want to take actions under the feet of vdsm what they would be.
1:05 p.m.
On Thu, Aug 22, 2013 at 06:28:20AM -0400, Itamar Heim wrote:
On 08/16/2013 04:14 AM, navin p wrote:
>Hi,
> I have couple of RHEV hosts (ovpxen,RHV2, RHV10 etc) and i'm trying
>to connect from one of the client machine (C1). All the RHEV host have
>libvirt modified by vdsm. It looks like the below
>
>
>## beginning of configuration section by vdsm-4.10.2
>listen_addr="0.0.0.0"
>unix_sock_group="kvm"
>unix_sock_rw_perms="0770"
>auth_unix_rw="sasl"
>host_uuid="036118ab-705f-4aeb-9a13-013dc8af6b41"
>keepalive_interval=-1
>log_outputs="1:file:/var/log/libvirtd.log"
>log_filters="3:virobject 3:virfile 2:virnetlink 3:cgroup 3:event 3:json
>1:libvirt 1:util 1:qemu"
>ca_file="/etc/pki/vdsm/certs/cacert.pem"
>cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
>key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
>## end of configuration section by vdsm-4.10.2
>
>
>
>
># ls
>bkp-2013-08-16_110734_cacert.pem cacert.pem vdsmcert.pem
>bkp-2013-08-16_110734_vdsmcert.pem engine_web_ca.pem
>[root@ovpxen certs]# pwd
>/etc/pki/vdsm/certs
>[root@ovpxen certs]# certtool -i --infile engine_web_ca.pem | head
>X.509 Certificate Information:
> Version: 3
> Serial Number (hex): 09
> Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> Validity:
> Not Before: Wed Jan 23 13:24:14 UTC 2013
> Not After: Sun Jan 22 07:54:14 UTC 2023
> Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> Subject Public Key Algorithm: RSA
> Modulus (bits 1024):
>
>certtool -i --infile cacert.pem | head
>X.509 Certificate Information:
> Version: 3
> Serial Number (hex): 09
> Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> Validity:
> Not Before: Wed Jan 23 13:24:14 UTC 2013
> Not After: Sun Jan 22 07:54:14 UTC 2023
> Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> Subject Public Key Algorithm: RSA
> Modulus (bits 1024):
>[root@ovpxen certs]# certtool -i --infile vdsmcert.pem | head
>X.509 Certificate Information:
> Version: 3
> Serial Number (hex): 0c
> Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> Validity:
> Not Before: Thu Aug 15 11:09:22 UTC 2013
> Not After: Wed Aug 15 05:39:22 UTC 2018
> Subject: O=HP,CN=16.184.46.53
> Subject Public Key Algorithm: RSA
> Modulus (bits 2048):
>
>
>Now from the client C1 which cert should i place in
>/etc/pki/CA/cacert.pem so that i can access from the client using the URI
>qemu+tls://ovpxen.ind.hp.com/system <http://ovpxen.ind.hp.com/system>;.
> Please note the host IWFVM00772.hpswlabs.adapps.hp.com
><http://IWFVM00772.hpswlabs.adapps.hp.com> is ovirt managed host. It is
>not the client.
>
>
>My problem here is i can't change the hypervisor hosts as there are too
>many of them and it is configured by vdsm . What certs should i take
>from host so that i can use it in the client so that i can connect to
>multiple hosts from the client using virsh or virt-manager . I need tls
>as remote protocol as i'm trying to automate commands.
>
you should be able to do read-only access without special config iirc.
taking actions requires the vdsm password, but worth discussing if
you want to take actions under the feet of vdsm what they would be.
As Itamar said, you should really know what you are doing - an oVirt
cluster should have only ONE manager, which is Engine. Direct connection
to Vdsm/libvirt/qemu can easily lead to DoS and data corruption.
But to your question: C1 should not only have a cert, it should have its
own Engine-certified key as well. Your easiest way to get it is to add
C1 as an oVirt host. This generates a key/cert pair and configures
libvirt to use them as a client.
Dan.
4238
days inactive
4270
days old
2 comments
3 participants
participants (3)
-
Dan Kenigsberg -
Itamar Heim -
navin p