[Users] RHEV-m hosts with certs configured
Dan Kenigsberg
danken at redhat.com
Tue Sep 17 11:05:11 UTC 2013
On Thu, Aug 22, 2013 at 06:28:20AM -0400, Itamar Heim wrote:
> On 08/16/2013 04:14 AM, navin p wrote:
> >Hi,
> > I have couple of RHEV hosts (ovpxen,RHV2, RHV10 etc) and i'm trying
> >to connect from one of the client machine (C1). All the RHEV host have
> >libvirt modified by vdsm. It looks like the below
> >
> >
> >## beginning of configuration section by vdsm-4.10.2
> >listen_addr="0.0.0.0"
> >unix_sock_group="kvm"
> >unix_sock_rw_perms="0770"
> >auth_unix_rw="sasl"
> >host_uuid="036118ab-705f-4aeb-9a13-013dc8af6b41"
> >keepalive_interval=-1
> >log_outputs="1:file:/var/log/libvirtd.log"
> >log_filters="3:virobject 3:virfile 2:virnetlink 3:cgroup 3:event 3:json
> >1:libvirt 1:util 1:qemu"
> >ca_file="/etc/pki/vdsm/certs/cacert.pem"
> >cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> >key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> >## end of configuration section by vdsm-4.10.2
> >
> >
> >
> >
> ># ls
> >bkp-2013-08-16_110734_cacert.pem cacert.pem vdsmcert.pem
> >bkp-2013-08-16_110734_vdsmcert.pem engine_web_ca.pem
> >[root at ovpxen certs]# pwd
> >/etc/pki/vdsm/certs
> >[root at ovpxen certs]# certtool -i --infile engine_web_ca.pem | head
> >X.509 Certificate Information:
> > Version: 3
> > Serial Number (hex): 09
> > Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> > Validity:
> > Not Before: Wed Jan 23 13:24:14 UTC 2013
> > Not After: Sun Jan 22 07:54:14 UTC 2023
> > Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> > Subject Public Key Algorithm: RSA
> > Modulus (bits 1024):
> >
> >certtool -i --infile cacert.pem | head
> >X.509 Certificate Information:
> > Version: 3
> > Serial Number (hex): 09
> > Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> > Validity:
> > Not Before: Wed Jan 23 13:24:14 UTC 2013
> > Not After: Sun Jan 22 07:54:14 UTC 2023
> > Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> > Subject Public Key Algorithm: RSA
> > Modulus (bits 1024):
> >[root at ovpxen certs]# certtool -i --infile vdsmcert.pem | head
> >X.509 Certificate Information:
> > Version: 3
> > Serial Number (hex): 0c
> > Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> > Validity:
> > Not Before: Thu Aug 15 11:09:22 UTC 2013
> > Not After: Wed Aug 15 05:39:22 UTC 2018
> > Subject: O=HP,CN=16.184.46.53
> > Subject Public Key Algorithm: RSA
> > Modulus (bits 2048):
> >
> >
> >Now from the client C1 which cert should i place in
> >/etc/pki/CA/cacert.pem so that i can access from the client using the URI
> >qemu+tls://ovpxen.ind.hp.com/system <http://ovpxen.ind.hp.com/system>.
> > Please note the host IWFVM00772.hpswlabs.adapps.hp.com
> ><http://IWFVM00772.hpswlabs.adapps.hp.com> is ovirt managed host. It is
> >not the client.
> >
> >
> >My problem here is i can't change the hypervisor hosts as there are too
> >many of them and it is configured by vdsm . What certs should i take
> >from host so that i can use it in the client so that i can connect to
> >multiple hosts from the client using virsh or virt-manager . I need tls
> >as remote protocol as i'm trying to automate commands.
> >
>
> you should be able to do read-only access without special config iirc.
> taking actions requires the vdsm password, but worth discussing if
> you want to take actions under the feet of vdsm what they would be.
As Itamar said, you should really know what you are doing - an oVirt
cluster should have only ONE manager, which is Engine. Direct connection
to Vdsm/libvirt/qemu can easily lead to DoS and data corruption.
But to your question: C1 should not only have a cert, it should have its
own Engine-certified key as well. Your easiest way to get it is to add
C1 as an oVirt host. This generates a key/cert pair and configures
libvirt to use them as a client.
Dan.
More information about the Users
mailing list