QEMU KVM Libvirt Manual (10): Managing Virtual Machines with libvirt


    libvirt is a library that provides a common API for managing popular virtualization solutions, among them KVM and Xen.

    Creating an image with virt-install

    qemu-img create -f qcow2 /tmp/centos5.8.img 10G

    virt-install --virt-type qemu --name centos-5.8 --ram 2048 --noreboot --disk path=/tmp/centos5.8.img,format=qcow2,bus=virtio,device=disk --cdrom=/tmp/CentOS-5.8-x86_64-bin-DVD-1of2.iso --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole

    qemu-img convert -O qcow2 -c centos-5.8.img centos-5.8.1.qcow2

    Copying an instance with virt-clone

    This must be done while the virtual machine is shut off.

    root:/home/cliu8/images# virt-clone -o ubuntu-14.04 -n ubuntu-14.04.new -f ubuntu-14.04.new.qcow2
    Cloning ubuntu-14.04.img                                                                              | 1.6 GB     00:03    

    Clone 'ubuntu-14.04.new' created successfully.
    root:/home/cliu8/images# virsh list --all
    Id    Name                           State
    ----------------------------------------------------
    -     ubuntu-14.04                   shut off
    -     ubuntu-14.04.new               shut off

    root:/home/cliu8/images# ls -l
    total 24368572
    -rwxrwxrwx  1 root         root   1717043200 Jul 14 07:07 ubuntu-14.04.img
    -rwxr-xr-x  1 root         root   1717043200 Jul 14 21:35 ubuntu-14.04.new.qcow2

    Viewing instance statistics with virt-top

    -1                Start by displaying pCPUs (default: tasks)

    -2                Start by displaying network interfaces

    virt-top 21:45:58 - x86_64 20/20CPU 1200MHz 64359MB
    13 domains, 8 active, 8 running, 0 sleeping, 0 paused, 5 inactive D:0 O:0 X:0
    CPU: 3.6%  Mem: 29696 MB (29696 MB by guests)

       ID S RXBY TXBY RXPK TXPK DOMAIN       INTERFACE                                                                          
        9 R  29K 8106   37   43 baremetal_2  vnet3
        3 R  15K  40K   80   71 baremetal_0  vnet2
        6 R  10K 7760   37   37 baremetal_4  vnet5
        2 R  150    0    3    0 seed         vnet1
        5 R  150    0    3    0 baremetal_5  vnet4
        7 R  150    0    3    0 baremetal_3  vnet6
        2 R   52    0    1    0 seed         vnet0
       47 R    0    0    0    0 instance-000 tap82945112-d4
       10 R    0    0    0    0 baremetal_1  vnet7

    -3                Start by displaying block devices

    virt-top 21:47:15 - x86_64 20/20CPU 1200MHz 64359MB
    13 domains, 8 active, 8 running, 0 sleeping, 0 paused, 5 inactive D:0 O:0 X:0
    CPU: 2.3%  Mem: 29696 MB (29696 MB by guests)

       ID S RDBY WRBY RDRQ WRRQ DOMAIN       DEVICE                                                                             
        6 R  29M  12K  232    2 baremetal_4  sda
        5 R  29M 4096  232    1 baremetal_5  sda
        9 R 4096  44K    1    6 baremetal_2  sda
        3 R    0  48K    0    6 baremetal_0  sda
       10 R    0    0    0    0 baremetal_1  sda
        7 R    0  52K    0    2 baremetal_3  sda
        2 R    0  68K    0    1 seed         sda
       47 R    0    0    0    0 instance-000 vda
        2 R    0    0    0    0 seed         vda

    Managing instances with virsh

    qemu:///session: a normal user with the local QEMU-/KVM-Hypervisor (connection type session).

    qemu+unix:///session: a normal user with the local QEMU-/KVM-Hypervisor (connection type session).

    qemu:///system: user root with the local QEMU-/KVM-Hypervisor (connection type system).

    qemu+unix:///system: user root with the local QEMU-/KVM-Hypervisor (connection type system).

    qemu+ssh://root@example.com/system: user root with a QEMU-/KVM-Hypervisor on the node example.com via SSH tunnel.

    qemu+tcp://example.com/system: a QEMU-/KVM-Hypervisor on the node example.com protected with SASL / Kerberos.

    List running and inactive guests as user root on a remote host over a TLS connection:
    virsh -c qemu+tls://root@mercury.example.com/system list --all

    List inactive guests as user tux on a remote host over an SSH tunnel:
    virsh -c qemu+ssh://tux@mercury.example.com/system list --inactive

    Note that the SSH tunnel and TLS methods differ.

    Connecting and Authorizing

    The following authentication methods are available:

    • Access control for UNIX sockets with permissions and group ownership. This method is available for libvirtd connections only.
    • Access control for UNIX sockets with PolicyKit. This method is available for local libvirtd connections only.
    • Username and password authentication with SASL (Simple Authentication and Security Layer). This method is available for both libvirtd and VNC connections. Using SASL does not require real user accounts on the server, since it uses its own database to store usernames and passwords. Connections authenticated with SASL are encrypted.
    • Kerberos authentication. This method, available for libvirtd connections only, is not covered in this manual. Please refer to http://libvirt.org/auth.html#ACL_server_kerberos for details.
    • Single password authentication. This method is available for VNC connections only.

    libvirtd authentication is configured in /etc/libvirt/libvirtd.conf.

    libvirt offers two sockets: a read-only socket for monitoring purposes and a read-write socket to be used for management operations.

    By default, both sockets are owned by root.root.

    Default access permissions on the read-write socket are restricted to the user root (0700) and fully open on the read-only socket (0777).

    # virsh define ubuntu-14.04.xml                      
    error: Failed to define domain from ubuntu-14.04.xml
    error: unknown OS type hvm

    Then run:

    # virsh capabilities
    <capabilities>

      <host>
        <uuid>004a7ff2-faec-de11-81d0-b9f76e39343c</uuid>
        <cpu>
          <arch>x86_64</arch>
          <model>Westmere</model>
          <vendor>Intel</vendor>
          <topology sockets='1' cores='2' threads='2'/>
          <feature name='rdtscp'/>
          <feature name='pcid'/>
          <feature name='pdcm'/>
          <feature name='xtpr'/>
          <feature name='tm2'/>
          <feature name='est'/>
          <feature name='smx'/>
          <feature name='vmx'/>
          <feature name='ds_cpl'/>
          <feature name='monitor'/>
          <feature name='dtes64'/>
          <feature name='pclmuldq'/>
          <feature name='pbe'/>
          <feature name='tm'/>
          <feature name='ht'/>
          <feature name='ss'/>
          <feature name='acpi'/>
          <feature name='ds'/>
          <feature name='vme'/>
        </cpu>
        <power_management>
          <suspend_mem/>
          <suspend_disk/>
          <suspend_hybrid/>
        </power_management>
        <migration_features>
          <live/>
          <uri_transports>
            <uri_transport>tcp</uri_transport>
          </uri_transports>
        </migration_features>
        <topology>
          <cells num='1'>
            <cell id='0'>
              <memory unit='KiB'>3836492</memory>
              <cpus num='4'>
                <cpu id='0' socket_id='0' core_id='0' siblings='0-1'/>
                <cpu id='1' socket_id='0' core_id='0' siblings='0-1'/>
                <cpu id='2' socket_id='0' core_id='2' siblings='2-3'/>
                <cpu id='3' socket_id='0' core_id='2' siblings='2-3'/>
              </cpus>
            </cell>
          </cells>
        </topology>
        <secmodel>
          <model>apparmor</model>
          <doi>0</doi>
        </secmodel>
        <secmodel>
          <model>dac</model>
          <doi>0</doi>
          <baselabel type='kvm'>+118:+128</baselabel>
          <baselabel type='qemu'>+118:+128</baselabel>
        </secmodel>
      </host>

      <guest>
        <os_type>hvm</os_type>
        <arch name='i686'>
          <wordsize>32</wordsize>
          <emulator>/usr/bin/qemu-system-i386</emulator>
          <machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
          <machine maxCpus='255'>pc-0.12</machine>
          <machine maxCpus='255'>pc-1.3</machine>
          <machine maxCpus='255'>pc-q35-1.6</machine>
          <machine maxCpus='255'>pc-q35-1.5</machine>
          <machine maxCpus='1'>xenpv</machine>
          <machine maxCpus='255'>pc-i440fx-1.6</machine>
          <machine maxCpus='255'>pc-i440fx-1.7</machine>
          <machine maxCpus='255'>pc-0.11</machine>
          <machine maxCpus='255'>pc-0.10</machine>
          <machine maxCpus='255'>pc-1.2</machine>
          <machine maxCpus='1'>isapc</machine>
          <machine maxCpus='255'>pc-q35-1.4</machine>
          <machine maxCpus='128'>xenfv</machine>
          <machine maxCpus='255'>pc-0.15</machine>
          <machine maxCpus='255'>pc-0.14</machine>
          <machine maxCpus='255'>pc-i440fx-1.5</machine>
          <machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
          <machine maxCpus='255'>pc-i440fx-1.4</machine>
          <machine maxCpus='255'>pc-1.1</machine>
          <machine maxCpus='255'>pc-q35-1.7</machine>
          <machine maxCpus='255'>pc-1.0</machine>
          <machine maxCpus='255'>pc-i440fx-2.0</machine>
          <machine maxCpus='255'>pc-0.13</machine>
          <domain type='qemu'>
          </domain>
          <domain type='kvm'>
            <emulator>/usr/bin/kvm-spice</emulator>
            <machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
            <machine maxCpus='255'>pc-1.3</machine>
            <machine maxCpus='255'>pc-0.12</machine>
            <machine maxCpus='255'>pc-q35-1.6</machine>
            <machine maxCpus='255'>pc-q35-1.5</machine>
            <machine maxCpus='1'>xenpv</machine>
            <machine maxCpus='255'>pc-i440fx-1.6</machine>
            <machine maxCpus='255'>pc-i440fx-1.7</machine>
            <machine maxCpus='255'>pc-0.11</machine>
            <machine maxCpus='255'>pc-1.2</machine>
            <machine maxCpus='255'>pc-0.10</machine>
            <machine maxCpus='1'>isapc</machine>
            <machine maxCpus='255'>pc-q35-1.4</machine>
            <machine maxCpus='128'>xenfv</machine>
            <machine maxCpus='255'>pc-0.15</machine>
            <machine maxCpus='255'>pc-0.14</machine>
            <machine maxCpus='255'>pc-i440fx-1.5</machine>
            <machine maxCpus='255'>pc-i440fx-1.4</machine>
            <machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
            <machine maxCpus='255'>pc-1.1</machine>
            <machine maxCpus='255'>pc-q35-1.7</machine>
            <machine maxCpus='255'>pc-1.0</machine>
            <machine maxCpus='255'>pc-i440fx-2.0</machine>
            <machine maxCpus='255'>pc-0.13</machine>
          </domain>
        </arch>
        <features>
          <cpuselection/>
          <deviceboot/>
          <acpi default='on' toggle='yes'/>
          <apic default='on' toggle='no'/>
          <pae/>
          <nonpae/>
        </features>
      </guest>

      <guest>
        <os_type>hvm</os_type>
        <arch name='x86_64'>
          <wordsize>64</wordsize>
          <emulator>/usr/bin/qemu-system-x86_64</emulator>
          <machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
          <machine maxCpus='255'>pc-1.3</machine>
          <machine maxCpus='255'>pc-0.12</machine>
          <machine maxCpus='255'>pc-q35-1.6</machine>
          <machine maxCpus='255'>pc-q35-1.5</machine>
          <machine maxCpus='1'>xenpv</machine>
          <machine maxCpus='255'>pc-i440fx-1.6</machine>
          <machine maxCpus='255'>pc-i440fx-1.7</machine>
          <machine maxCpus='255'>pc-0.11</machine>
          <machine maxCpus='255'>pc-1.2</machine>
          <machine maxCpus='255'>pc-0.10</machine>
          <machine maxCpus='1'>isapc</machine>
          <machine maxCpus='255'>pc-q35-1.4</machine>
          <machine maxCpus='128'>xenfv</machine>
          <machine maxCpus='255'>pc-0.15</machine>
          <machine maxCpus='255'>pc-0.14</machine>
          <machine maxCpus='255'>pc-i440fx-1.5</machine>
          <machine maxCpus='255'>pc-i440fx-1.4</machine>
          <machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
          <machine maxCpus='255'>pc-1.1</machine>
          <machine maxCpus='255'>pc-q35-1.7</machine>
          <machine maxCpus='255'>pc-1.0</machine>
          <machine maxCpus='255'>pc-i440fx-2.0</machine>
          <machine maxCpus='255'>pc-0.13</machine>
          <domain type='qemu'>
          </domain>
          <domain type='kvm'>
            <emulator>/usr/bin/kvm-spice</emulator>
            <machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
            <machine maxCpus='255'>pc-1.3</machine>
            <machine maxCpus='255'>pc-0.12</machine>
            <machine maxCpus='255'>pc-q35-1.6</machine>
            <machine maxCpus='255'>pc-q35-1.5</machine>
            <machine maxCpus='1'>xenpv</machine>
            <machine maxCpus='255'>pc-i440fx-1.6</machine>
            <machine maxCpus='255'>pc-i440fx-1.7</machine>
            <machine maxCpus='255'>pc-0.11</machine>
            <machine maxCpus='255'>pc-1.2</machine>
            <machine maxCpus='255'>pc-0.10</machine>
            <machine maxCpus='1'>isapc</machine>
            <machine maxCpus='255'>pc-q35-1.4</machine>
            <machine maxCpus='128'>xenfv</machine>
            <machine maxCpus='255'>pc-0.15</machine>
            <machine maxCpus='255'>pc-0.14</machine>
            <machine maxCpus='255'>pc-i440fx-1.5</machine>
            <machine maxCpus='255'>pc-i440fx-1.4</machine>
            <machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
            <machine maxCpus='255'>pc-1.1</machine>
            <machine maxCpus='255'>pc-q35-1.7</machine>
            <machine maxCpus='255'>pc-1.0</machine>
            <machine maxCpus='255'>pc-i440fx-2.0</machine>
            <machine maxCpus='255'>pc-0.13</machine>
          </domain>
        </arch>
        <features>
          <cpuselection/>
          <deviceboot/>
          <acpi default='on' toggle='yes'/>
          <apic default='on' toggle='no'/>
        </features>
      </guest>

    </capabilities>

    After that, it works:

    root@popsuper1982:/home/cliu8/images# virsh define ubuntu-14.04.xml
    Domain ubuntu-14.04 defined from ubuntu-14.04.xml

    Access Control for UNIX Sockets with Permissions and Group Ownership

    Change the configuration in /etc/libvirt/libvirtd.conf as follows:

           unix_sock_group = "libvirt"
           unix_sock_rw_perms = "0770"
           auth_unix_rw = "none"

    Group ownership will be set to group libvirt.

    Sets the access permissions for the socket (srwxrwx---).

    Disables other authentication methods (PolicyKit or SASL). Access is solely controlled by the socket permissions.

    By default:

    unix_sock_group = "libvirtd"

    unix_sock_ro_perms = "0777"

    unix_sock_rw_perms = "0770"

    Before cliu8 is added to the libvirtd group:

    $ virsh list
    error: failed to connect to the hypervisor
    error: no valid connection
    error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied

    After adding it to the group:

    sudo usermod -G libvirtd -a cliu8

    $ virsh list
    Id    Name                           State
    ----------------------------------------------------
    48    instance-00000025              running
    49    instance-00000026              running
    50    instance-00000027              running

    At this point, remote access over an SSH tunnel also works:

    $ virsh -c qemu+ssh://cliu8@16.158.166.150/system list
    cliu8@16.158.166.150's password:
    Id    Name                           State
    ----------------------------------------------------
    3     ubuntu-14.04                   running

    Local Access Control for UNIX Sockets with PolicyKit

    No libvirt configuration changes are needed.

    With PolicyKit authorization enabled, permissions on both sockets default to 0777 and each application trying to access a socket needs to authenticate via PolicyKit.

    Authentication with PolicyKit can only be used for local connections on the VM Host Server itself.

    Two policies for accessing libvirt's sockets exist:

    • org.libvirt.unix.monitor: accessing the read-only socket
    • org.libvirt.unix.manage: accessing the read-write socket

    polkit-auth --user tux --grant org.libvirt.unix.manage    # grant privilege
    polkit-auth --user tux --revoke org.libvirt.unix.manage   # revoke privilege

    Username and Password Authentication with SASL

    SASL provides username and password authentication as well as data encryption (digest-md5, by default).

    Since SASL maintains its own user database, the users do not need to exist on the VM Host Server.

    SASL is required by TCP connections and on top of TLS/SSL connections.

    To configure SASL authentication, proceed as follows:

    1. Change the configuration in /etc/libvirt/libvirtd.conf as follows:

      1. To enable SASL for TCP connections:

        auth_tcp = "sasl"
      2. To enable SASL for TLS/SSL connections:

        auth_tls = "sasl"
    2. Restart libvirtd:

      rclibvirtd restart
    3. The libvirt SASL configuration file is located at /etc/sasl2/libvirtd.conf. Normally, there is no need to change the defaults. However, if using SASL on top of TLS, you may turn off session encryption to avoid additional overhead (TLS connections are already encrypted) by commenting out the mech_list. For TCP connections this parameter must be set to digest-md5:

      mech_list: digest-md5   # mandatory for TCP connections
      #mech_list: digest-md5   # apply default (username+password) TLS/SSL only!
    4. By default, no SASL users are configured, so no logins are possible. Use the following commands to add, list, and delete users:

      mercury:~ # saslpasswd2 -a libvirt tux                  # add user tux
      Password: 
      Again (for verification): 
      mercury:~ # sasldblistusers2 -f /etc/libvirt/passwd.db  # list users
      tux@mercury.example.com: userPassword
      mercury:~ # saslpasswd2 -a libvirt -d tux               # delete user tux
    If connecting with qemu+tcp://, digest-md5 should be enabled so that the exchange is encrypted.
    If connecting with qemu+tls://, digest-md5 should be disabled so that the exchange is not encrypted once by digest-md5 and then again by TLS.

    Edit /etc/libvirt/libvirtd.conf:

    listen_tls = 1

    listen_tcp = 1

    For the UNIX sockets, no authentication:

    auth_unix_ro = "none"

    auth_unix_rw = "none"

    tls_port = "16514"

    tcp_port = "16509"

    Members of this group are allowed through:

    unix_sock_group = "libvirtd"

    unix_sock_ro_perms = "0777"

    unix_sock_rw_perms = "0770"

    For TCP or TLS, authenticate:

    auth_tcp = "sasl"

    For TLS the following also needs to be configured:

    auth_tls = "sasl"

    key_file = "/etc/pki/libvirt/private/serverkey.pem"

    cert_file = "/etc/pki/libvirt/servercert.pem"

    ca_file = "/etc/pki/CA/cacert.pem"
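    As an added example (not part of the original post), the following Python script applies the rules stated above and in the socket-permissions section to a libvirtd.conf: a read-write socket readable by every local user, a TCP listener without auth_tcp = "sasl", a TCP listener whose /etc/sasl2/libvirtd.conf does not name digest-md5 in mech_list, and a TLS-only listener that still has digest-md5 enabled (the double-encryption case). Both configurations it checks are constructed inline: the first reproduces the settings listed above, the second is a deliberately weakened variant. The parser only understands the key = "string" and key = number forms used in this post; function names are this example's own.

```python
import re

# Constructed sample reproducing the settings listed above for /etc/libvirt/libvirtd.conf.
HARDENED_CONF = """
listen_tls = 1
listen_tcp = 1
auth_unix_ro = "none"
auth_unix_rw = "none"
tls_port = "16514"
tcp_port = "16509"
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_tcp = "sasl"
auth_tls = "sasl"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
"""

# Constructed sample of a weakened configuration, kept for contrast.
WEAK_CONF = """
listen_tcp = 1
auth_tcp = "none"            # plain TCP with no SASL: no authentication, no encryption
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"  # every local user can reach the read-write socket
"""


def parse_conf(text):
    """Parse libvirtd.conf lines of the form key = "string" or key = number; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*(?:"([^"]*)"|(\d+))$', line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else int(m.group(3))
    return settings


def parse_mech_list(sasl_conf):
    """Mechanisms named by an active mech_list line in /etc/sasl2/libvirtd.conf; None if commented out."""
    for line in sasl_conf.splitlines():
        m = re.match(r"^\s*mech_list:\s*(.+)$", line)
        if m:
            return m.group(1).split()
    return None


def audit(settings, sasl_conf=None):
    """Apply the rules from the text above; return a list of findings (empty means nothing to fix)."""
    findings = []
    rw_perms = str(settings.get("unix_sock_rw_perms", "0700"))   # libvirt's default: root only
    if int(rw_perms, 8) & 0o007:
        findings.append("unix_sock_rw_perms=%s gives every local user the management socket" % rw_perms)
    tcp, tls = settings.get("listen_tcp") == 1, settings.get("listen_tls") == 1
    mechs = parse_mech_list(sasl_conf) if sasl_conf is not None else None
    if tcp and settings.get("auth_tcp", "sasl") != "sasl":
        findings.append("listen_tcp=1 without auth_tcp=sasl: the TCP listener is unauthenticated and unencrypted")
    elif tcp and sasl_conf is not None and (mechs is None or "digest-md5" not in mechs):
        findings.append("auth_tcp=sasl but mech_list does not name digest-md5: TCP sessions are not encrypted")
    if tls and not tcp and mechs is not None and "digest-md5" in mechs:
        findings.append("TLS-only listener with digest-md5 still enabled: comment out mech_list to avoid double encryption")
    return findings


if __name__ == "__main__":
    print(audit(parse_conf(HARDENED_CONF), "mech_list: digest-md5"))   # []
    for finding in audit(parse_conf(WEAK_CONF)):
        print(finding)
```

    To run it against a live host, read /etc/libvirt/libvirtd.conf and /etc/sasl2/libvirtd.conf into the two strings instead of the constructed samples; the read-only socket at 0777 is deliberately not flagged, since that is the default the text describes.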

    Creating the key and certificates

    Create the Certificate Authority Certificate

    # cat certificate_authority_template.info
    cn = libvirt.org
    ca
    cert_signing_key

    apt-get install gnutls-bin

    (umask 277 && certtool --generate-privkey > certificate_authority_key.pem)

    # cat certificate_authority_key.pem
    -----BEGIN RSA PRIVATE KEY-----
    MIIFfQIBAAKCATEA6VlhWPP0oNt6wVdIXMQZWiyzUc8sNzFkP1K86vgb2z/tlX3B
    D1bNTCHVo/2TeCmHyv4ae3kBxmnB0YST928Yh/lbn3q4wayrqIwf/MnY9Sm16h7j
    P53x/1aD6u1IMKxh5TlGIlOXVwlsbFjef/Wl2EZGeRlNvm8c0Cwci+8cvsqWXofv
    NoN6mxseAxhxYHD1cxsR5gE+h0O5eqpLAZkhaXZOIg7mpbwjSNkErR5Wt5CLAbu7
    cqr5PLqxmirTRd7ThIJOQAfaH+m3RzuWbeD4G7DBmNDfm8n5xtkyWEOOmuZqp2+p
    wt/IYHuH9dH0JRrEPLsX/oOhBkiLpRqzAJHZJiqNc9zloYWkGikfHcH7FE9Rj0uc
    GRVJfN49DstHhLb/0t0eKtZ3WRjfwYI5pA9HUQIDAQABAoIBMBSyITCm/mDP5nzE
    VX4oxEjboxHT6ouAnXACUhAS7kGNU3CJRTirjay9aXnQcSZcpJcL32RpEI+87Hw9
    InR1DXtt0cL8uusuedEKkIG2kz/3MZOwpp4LT53CWhPZdKggedQ/NqmvuUH2a3/W
    h/FYY5uha/mslVkY+Li72NJOZEHFrP14V+6BTbv49Tn4DoIrspFBat536MhNPYhj
    FNAS7BMqPCx8t/51b8jUuM+TITItuG24bdMsy67w3Xc2Xi3pdS7rc67b31TUMiD7
    G0C3uPtNr7uSKVGH6NPDyWZvWgraN91Ls76qIt+felwBBF0uPPIuV8Vr30z0M+MQ
    GJNoxtFwwG9q+sQpb38MKbx0e6Vbuig9Mp44i2T6B/zFlf1Wt8hyYYXgbno8B7zZ
    TjklO7kCgZkA8l86tIPD6+d5E9HhBLeZwxuSdZuXigqDjgqztuvzxhWyESnRykZI
    /0yZcv/haFWpbLYtOcspNxaea34yxwY3saf89M/7mQmAJDAE1OwgOZEu0+CQ83fy
    pL9byKPH++lUYkZEjlvfTOoLMxDajGLhT6dsW3G6WvAfucX8EoAQaDAHbadyLNLP
    J661EQ1s+IDLaFNqTRdawc0CgZkA9nhGBkQPYh6Xq/TWuOV1+wrVbZrPrcQnrGm0
    HR6i/YUKlzr/PHjq8BpfcA7oW4R2uvTkKIpc81Z6TFvwIYneMjOT2TFOnFmQQr6F
    lfOJHnd2XnEy+xMAb0b3aiSZChbgLE9EnnGuHIg/a/8Z8pL/VnmUO3a6ZEWZHomW
    O5nkjCRd6ed86/f4C/j8sTUyg6NoF3zYkKJPZ5UCgZkAqdDrMts3hKvz+10MCeAS
    Dc/duCVB8egX8IezDzEW5e0BjGD+qnjAYI/s29RIvG94e8DQwzODNyPT74DGVwgW
    MZV/+I9YuwsbCz/RwtWGZo9AfhdTuCKMkb25s0R9tBTxmMGe+xeHxz4chrUCS2Zk
    cwjdNNzkMx8XO3RqfxPXawhry/qMVreFiUoxdzcu6JZk7j2ztzvrzOkCgZkAxDAy
    1TQB5sGhS6CF9wG36w/RmgBcBd6ZEfXGCFPlu9XV+1Fb7//0SxFDHMjRDmAfvmvG
    3bpdiNkyWmvodlnvA5jovD8yauQkH+zWGumTISxIjZ6fzRlwBCPCN7xQEabp5Hto
    jJLC3DVb/pQ+TEfUdjoq0zaL4dtAqf0tF95E/YTJOLIqTw7AZI9aXZiR0BUXe3LG
    VELO4A0CgZkAwF78LboWjR9+LGrXu0taaoLymhxltpC81BRWEXjPZ3rj0IEMxITw
    9mQAMXdJzXiARoIu/sarLb/wphVSia2QO8x0Q65De526jUUCZjP/wYgl0X8S7Mu+
    r3FcApmGyoh+Vy8txyV3uJVh5xbsxF60fSenswQd+VPdJ01XJCbnLbVFH/5iQw4a
    NzjF/UlXfBI0/NMSIYP5DnQ=
    -----END RSA PRIVATE KEY-----

    root@popsuper1982:/home/cliu8/keys/certtool# ls -la certificate_authority_key.pem
    -r-------- 1 root root 1972 Jul 15 22:28 certificate_authority_key.pem

    # certtool --generate-self-signed --template certificate_authority_template.info --load-privkey certificate_authority_key.pem --outfile certificate_authority_certificate.pem
    Generating a self signed certificate...
    X.509 Certificate Information:
            Version: 3
            Serial Number (hex): 53c53b4d
            Validity:
                    Not Before: Tue Jul 15 14:31:41 UTC 2014
                    Not After: Wed Jul 15 14:31:41 UTC 2015
            Subject: CN=libvirt.org
            Subject Public Key Algorithm: RSA
            Certificate Security Level: Normal
                    Modulus (bits 2432):
                            00:e9:59:61:58:f3:f4:a0:db:7a:c1:57:48:5c:c4:19
                            5a:2c:b3:51:cf:2c:37:31:64:3f:52:bc:ea:f8:1b:db
                            3f:ed:95:7d:c1:0f:56:cd:4c:21:d5:a3:fd:93:78:29
                            87:ca:fe:1a:7b:79:01:c6:69:c1:d1:84:93:f7:6f:18
                            87:f9:5b:9f:7a:b8:c1:ac:ab:a8:8c:1f:fc:c9:d8:f5
                            29:b5:ea:1e:e3:3f:9d:f1:ff:56:83:ea:ed:48:30:ac
                            61:e5:39:46:22:53:97:57:09:6c:6c:58:de:7f:f5:a5
                            d8:46:46:79:19:4d:be:6f:1c:d0:2c:1c:8b:ef:1c:be
                            ca:96:5e:87:ef:36:83:7a:9b:1b:1e:03:18:71:60:70
                            f5:73:1b:11:e6:01:3e:87:43:b9:7a:aa:4b:01:99:21
                            69:76:4e:22:0e:e6:a5:bc:23:48:d9:04:ad:1e:56:b7
                            90:8b:01:bb:bb:72:aa:f9:3c:ba:b1:9a:2a:d3:45:de
                            d3:84:82:4e:40:07:da:1f:e9:b7:47:3b:96:6d:e0:f8
                            1b:b0:c1:98:d0:df:9b:c9:f9:c6:d9:32:58:43:8e:9a
                            e6:6a:a7:6f:a9:c2:df:c8:60:7b:87:f5:d1:f4:25:1a
                            c4:3c:bb:17:fe:83:a1:06:48:8b:a5:1a:b3:00:91:d9
                            26:2a:8d:73:dc:e5:a1:85:a4:1a:29:1f:1d:c1:fb:14
                            4f:51:8f:4b:9c:19:15:49:7c:de:3d:0e:cb:47:84:b6
                            ff:d2:dd:1e:2a:d6:77:59:18:df:c1:82:39:a4:0f:47
                            51
                    Exponent (bits 24):
                            01:00:01
            Extensions:
                    Basic Constraints (critical):
                            Certificate Authority (CA): TRUE
                    Key Usage (critical):
                            Certificate signing.
                    Subject Key Identifier (not critical):
                            f113e5356c2b30271aa1f1bb6183676edee28ed7
    Other Information:
            Public Key Id:
                    f113e5356c2b30271aa1f1bb6183676edee28ed7

    Signing certificate...

    # cat certificate_authority_certificate.pem
    -----BEGIN CERTIFICATE-----
    MIIDTTCCAgWgAwIBAgIEU8U7TTANBgkqhkiG9w0BAQsFADAWMRQwEgYDVQQDEwts
    aWJ2aXJ0Lm9yZzAeFw0xNDA3MTUxNDMxNDFaFw0xNTA3MTUxNDMxNDFaMBYxFDAS
    BgNVBAMTC2xpYnZpcnQub3JnMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIBOgKC
    ATEA6VlhWPP0oNt6wVdIXMQZWiyzUc8sNzFkP1K86vgb2z/tlX3BD1bNTCHVo/2T
    eCmHyv4ae3kBxmnB0YST928Yh/lbn3q4wayrqIwf/MnY9Sm16h7jP53x/1aD6u1I
    MKxh5TlGIlOXVwlsbFjef/Wl2EZGeRlNvm8c0Cwci+8cvsqWXofvNoN6mxseAxhx
    YHD1cxsR5gE+h0O5eqpLAZkhaXZOIg7mpbwjSNkErR5Wt5CLAbu7cqr5PLqxmirT
    Rd7ThIJOQAfaH+m3RzuWbeD4G7DBmNDfm8n5xtkyWEOOmuZqp2+pwt/IYHuH9dH0
    JRrEPLsX/oOhBkiLpRqzAJHZJiqNc9zloYWkGikfHcH7FE9Rj0ucGRVJfN49DstH
    hLb/0t0eKtZ3WRjfwYI5pA9HUQIDAQABo0MwQTAPBgNVHRMBAf8EBTADAQH/MA8G
    A1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFPET5TVsKzAnGqHxu2GDZ27e4o7XMA0G
    CSqGSIb3DQEBCwUAA4IBMQBYPjJmkdduz+ZjoOb/4TLrRd7vt+dv88/uW1YGO5v8
    doYBOGbo/KKp0bq//TDs8ILl666wu0VeXOSTvvGn6vhVAzttqWmtDgKzvs5E9KGE
    N+7O7vPvPooLdKo1hXkXp7S3VrAenHbyqXAff/zV8jzDZkeEtaGJ1vlMs4pz3owU
    nMX9ndojP4aXdq9B+ny1RyYPGofL7zpjgwocc/ubBgu1iRtDN4emHarnjZM6fHkN
    HV8QlZgBAoObChXs+zSws/nkkS+FPFBGfJSwSjn6AmmGsBHo0KTmN+tkoNZlg6YN
    tYHjllz34D5BH5hOmIeEQNSspFdhbE3aK9AqYOHEM99nhDKxiiKhKVgrux3WaiJi
    yhanGVlwILFiFtoY/6rREIa88jWB1Lxjg88XqlNelqky
    -----END CERTIFICATE-----

    # ls -la certificate_authority_certificate.pem
    -r-------- 1 root root 1204 Jul 15 22:31 certificate_authority_certificate.pem

    # cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem

    chmod 444 /etc/pki/CA/cacert.pem

    scp -r certificate_authority_certificate.pem cliu8@16.158.166.197:/home/cliu8/

    On 16.158.166.197:
    cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem

    Creating Transport Layer Security Server Certificates for libvirt

    # cat popsuper1982_server_template.info
    organization = libvirt.org
    cn = popsuper1982
    tls_www_server
    encryption_key
    signing_key

    # (umask 277 && certtool --generate-privkey > popsuper1982_server_key.pem)
    Generating a 2432 bit RSA private key...

    # certtool --generate-certificate --template popsuper1982_server_template.info --load-privkey popsuper1982_server_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile popsuper1982_server_certificate.pem
    Generating a signed certificate...
    X.509 Certificate Information:
            Version: 3
            Serial Number (hex): 53c55255
            Validity:
                    Not Before: Tue Jul 15 16:09:57 UTC 2014
                    Not After: Wed Jul 15 16:09:57 UTC 2015
            Subject: O=libvirt.org,CN=popsuper1982
            Subject Public Key Algorithm: RSA
            Certificate Security Level: Normal
                    Modulus (bits 2432):
                            00:ca:e5:92:4f:d8:14:f4:e2:26:26:88:5a:b4:fd:0e
                            ee:86:c6:e8:15:b2:4f:36:6d:8a:b1:23:75:80:b1:0a
                            72:e0:6c:a0:06:ce:03:43:12:2c:6f:e9:ee:bf:21:d2
                            93:82:02:74:14:50:17:fc:f8:21:ec:a6:66:29:9f:d7
                            c3:63:35:50:82:f2:30:9a:12:3b:3e:5a:d1:68:29:7a
                            eb:18:10:7a:69:f8:0b:aa:1a:d9:2d:8b:e4:b3:1b:81
                            c7:de:a8:9f:08:1d:d0:85:db:af:cc:08:00:9b:c1:5a
                            31:f8:9a:43:01:42:88:11:91:35:73:df:57:b9:ce:83
                            34:91:70:ee:29:4b:88:dd:f2:7a:16:1d:c1:36:4d:8b
                            28:7b:05:ba:42:b1:63:8a:92:f8:3d:0c:d1:a2:d8:24
                            92:29:de:c7:8a:73:1d:1e:ec:d3:72:4a:7e:7a:a1:43
                            85:fa:85:ab:58:a3:67:03:4a:48:62:04:b3:f4:8e:f5
                            f0:16:fb:24:28:75:d7:1d:43:52:bc:08:9d:3e:d0:38
                            7d:36:9b:1b:f5:81:0c:17:fd:ba:1b:10:bb:1b:69:cf
                            eb:c1:54:4e:99:ed:ff:15:71:11:9a:63:31:9d:0f:7b
                            b2:31:a2:4c:49:2a:ee:d1:3c:80:c0:98:e0:6c:63:6b
                            52:9a:b5:d6:0b:6c:34:13:86:d6:ab:c4:4d:9a:ff:ae
                            be:60:b2:a7:e3:3d:b4:63:05:d3:f0:f9:69:01:35:97
                            1c:52:48:24:75:b5:73:96:b5:fb:bc:8e:2e:62:7c:5c
                            17
                    Exponent (bits 24):
                            01:00:01
            Extensions:
                    Basic Constraints (critical):
                            Certificate Authority (CA): FALSE
                    Key Purpose (not critical):
                            TLS WWW Server.
                    Key Usage (critical):
                            Digital signature.
                            Key encipherment.
                    Subject Key Identifier (not critical):
                            0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c
                    Authority Key Identifier (not critical):
                            f113e5356c2b30271aa1f1bb6183676edee28ed7
    Other Information:
            Public Key Id:
                    0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c

    Signing certificate...

    cp popsuper1982_server_certificate.pem /etc/pki/libvirt/servercert.pem

    cp popsuper1982_server_key.pem /etc/pki/libvirt/private/serverkey.pem

    Creating Transport Layer Security Client Certificates for libvirt

    # cat escto-bj-hp-z620_client_template.info
    country = CN
    state = Beijing
    locality = Beijing
    organization = libvirt.org
    cn = escto-bj-hp-z620
    tls_www_client
    encryption_key
    signing_key

    # (umask 277 && certtool --generate-privkey > escto-bj-hp-z620_client_key.pem)
    Generating a 2432 bit RSA private key...

    # certtool --generate-certificate --template escto-bj-hp-z620_client_template.info --load-privkey escto-bj-hp-z620_client_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile escto-bj-hp-z620_client_certificate.pem
    Generating a signed certificate...
    X.509 Certificate Information:
            Version: 3
            Serial Number (hex): 53c55678
            Validity:
                    Not Before: Tue Jul 15 16:27:36 UTC 2014
                    Not After: Wed Jul 15 16:27:36 UTC 2015
            Subject: C=CN,O=libvirt.org,L=Beijing,ST=Beijing,CN=escto-bj-hp-z620
            Subject Public Key Algorithm: RSA
            Certificate Security Level: Normal
                    Modulus (bits 2432):
                            00:9f:5c:d7:89:2c:0b:fe:e7:38:21:1d:2a:da:92:eb
                            82:91:96:3c:f3:22:28:a3:d6:3d:70:68:27:a1:2b:3a
                            3e:79:03:55:ea:1b:eb:1f:81:90:71:3d:41:4c:99:f2
                            96:46:22:e0:33:91:bb:5b:38:83:a5:3f:d7:0a:25:dd
                            f0:90:cf:0d:4a:18:b3:0d:db:01:5f:70:78:1b:63:01
                            ac:6f:32:8b:79:cc:51:0f:d4:45:1e:6f:b8:d8:84:57
                            af:ca:e8:3e:58:0a:79:89:0d:99:e2:8a:b2:2c:85:dc
                            40:15:7c:52:9b:46:66:a0:0f:6c:52:7d:e8:1b:b4:06
                            5a:d9:7f:30:84:d0:37:66:2a:3f:53:50:33:99:93:b7
                            8d:a2:74:cd:4d:ca:76:b5:df:2f:47:f9:e2:1a:7b:91
                            49:20:be:c9:ca:9b:f1:2c:f1:40:1a:66:37:2e:ac:23
                            3f:3d:44:de:0f:2d:d2:60:63:22:2d:49:28:98:c0:b7
                            9f:70:be:51:b8:d3:10:1d:40:3d:3e:6f:1a:f1:a2:1b
                            5c:2e:68:8b:05:99:7b:0b:5c:9c:78:54:8f:de:ae:7e
                            75:6d:fb:af:cc:ea:3c:be:9d:25:57:d1:3d:ef:27:66
                            c3:93:2f:62:f0:43:31:64:df:df:20:b6:b8:df:8a:85
                            77:38:9b:3d:85:e1:67:1b:e6:b4:9b:e0:30:4e:6c:62
                            c1:07:72:57:ad:bc:fc:f0:0c:d8:d4:12:ac:eb:80:ee
                            04:b2:b0:10:e4:d6:71:68:2b:ee:e6:98:23:9a:df:c7
                            95
                    Exponent (bits 24):
                            01:00:01
            Extensions:
                    Basic Constraints (critical):
                            Certificate Authority (CA): FALSE
                    Key Purpose (not critical):
                            TLS WWW Client.
                    Key Usage (critical):
                            Digital signature.
                            Key encipherment.
                    Subject Key Identifier (not critical):
                            f4385711f8089b39ba2c13869aa816114d378190
                    Authority Key Identifier (not critical):
                            f113e5356c2b30271aa1f1bb6183676edee28ed7
    Other Information:
            Public Key Id:
                    f4385711f8089b39ba2c13869aa816114d378190

    Signing certificate...

    root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_certificate.pem cliu8@16.158.166.197:/home/cliu8/
    cliu8@16.158.166.197's password:
    escto-bj-hp-z620_client_certificate.pem                                                    100% 1379     1.4KB/s   00:00   
    root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_key.pem cliu8@16.158.166.197:/home/cliu8/       
    cliu8@16.158.166.197's password:
    escto-bj-hp-z620_client_key.pem                                                            100% 1968     1.9KB/s   00:00 

    Edit /etc/hosts on both machines (the TLS hostname check further down depends on these names resolving):

    16.158.166.150  popsuper1982
    16.158.166.197  escto-bj-hp-z620

    Edit /etc/default/libvirt-bin so that libvirtd is started with -l (listen on the network):

    #cat /etc/default/libvirt-bin

    # Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)

    # This is a POSIX shell fragment

    # Start libvirtd to handle qemu/kvm:

    start_libvirtd="yes"

    # options passed to libvirtd, add "-l" to listen on tcp

    libvirtd_opts="-d -l"

    # pass in location of kerberos keytab

    #export KRB5_KTNAME=/etc/libvirt/libvirt.keytab

    Restart libvirt-bin. libvirtd now listens on the plaintext TCP port 16509 and on the TLS port 16514, and both sockets are bound to 0.0.0.0, i.e. every interface:

    root@popsuper1982:/home/cliu8# netstat -na | grep 16509
    tcp        0      0 0.0.0.0:16509           0.0.0.0:*               LISTEN    
    tcp6       0      0 :::16509                :::*                    LISTEN    
    root@popsuper1982:/home/cliu8# netstat -na | grep 16514
    tcp        0      0 0.0.0.0:16514           0.0.0.0:*               LISTEN    
    tcp6       0      0 :::16514                :::*                    LISTEN    

    Pay attention to the SASL configuration. On the plaintext TCP socket the SASL mechanism is the only thing providing encryption, which is what the comments in the file are warning about:

    # cat /etc/sasl2/libvirt.conf
    # If you want to use the non-TLS socket, then you *must* include
    # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
    # ones that can offer session encryption as well as authentication.
    #
    # If you're only using TLS, then you can turn on any mechanisms
    # you like for authentication, because TLS provides the encryption
    #
    # Default to a simple username+password mechanism
    mech_list: digest-md5

    # Before you can use GSSAPI, you need a service principle on the
    # KDC server for libvirt, and that to be exported to the keytab
    # file listed below
    #mech_list: gssapi
    #
    # You can also list many mechanisms at once, then the user can choose
    # by adding  '?auth=sasl.gssapi' to their libvirt URI, eg
    #   qemu+tcp://hostname/system?auth=sasl.gssapi
    #mech_list: digest-md5 gssapi

    # Some older builds of MIT kerberos on Linux ignore this option &
    # instead need KRB5_KTNAME env var.
    # For modern Linux, and other OS, this should be sufficient
    #
    # There is no default value here, uncomment if you need this
    #keytab: /etc/libvirt/krb5.tab

    # If using digest-md5 for username/passwds, then this is the file
    # containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
    # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
    sasldb_path: /etc/libvirt/passwd.db

    Add a user:

    saslpasswd2 -a libvirt test1

    The application name here must be libvirt: only then does saslpasswd2 read /etc/sasl2/libvirt.conf and write the entry to /etc/libvirt/passwd.db. The realm defaults to the server's hostname, so the user is stored as test1@popsuper1982, and that full name is what the login prompt expects later.

    Only then does the following command list the user:

    # sasldblistusers2 -f /etc/libvirt/passwd.db
    test1@popsuper1982: userPassword

    Now log in remotely over TCP; libvirtd asks for the SASL credentials created above:

    $ virsh -c qemu+tcp://16.158.166.150/system list --all
    Please enter your authentication name: test1@popsuper1982
    Please enter your password:
    Id    Name                           State
    ----------------------------------------------------
    -     ubuntu-14.04                   shut off

    For a remote TLS connection the CA certificate must be installed as /etc/pki/CA/cacert.pem on both ends. libvirt looks for fixed file names, so the certificates and keys generated above have to be copied into the layout below (the CA certificate world-readable, the private keys owned by root with mode 0600):

    On the client machine escto-bj-hp-z620:

    # tree --charset ASCII /etc/pki/
    /etc/pki/
    |-- CA
    |   `-- cacert.pem
    |-- libvirt
    |   |-- clientcert.pem
    |   `-- private
    |       `-- clientkey.pem
    `-- nssdb -> /var/lib/nssdb

    On the server machine popsuper1982:

    # tree --charset ASCII /etc/pki/
    /etc/pki/
    |-- CA
    |   `-- cacert.pem
    |-- libvirt
    |   |-- private
    |   |   `-- serverkey.pem
    |   `-- servercert.pem
    `-- nssdb -> /var/lib/nssdb

    # virsh -c qemu+tls://popsuper1982/system list --all
    Please enter your authentication name: test1@popsuper1982
    Please enter your password:
    Id    Name                           State
    ----------------------------------------------------
    -     ubuntu-14.04                   shut off

    The URI must use the hostname, not the IP address, to pass authentication: the client checks that the name in the URI matches the server certificate (CN popsuper1982 here), which is why the /etc/hosts entries above are needed.
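    At this point both the plaintext and the TLS socket are open on every interface, and any certificate signed by the CA is accepted. The following /etc/libvirt/libvirtd.conf fragment is an added hardening example, not part of the original post: the directive names are standard libvirtd.conf options, the address comes from the /etc/hosts entries above and the DN is exactly the client subject that certtool printed. It assumes libvirtd is still started with -l.

```ini
# /etc/libvirt/libvirtd.conf -- added hardening example, not from the original post.
#
# Weak state, as shown by the netstat output above:
#   listen_tcp = 1             plaintext socket on 16509, every interface
#   listen_tls = 1             TLS socket on 16514, every interface
#   (no listen_addr)           bound to 0.0.0.0
#   (no tls_allowed_dn_list)   any certificate signed by the CA is accepted

# Hardened:
listen_tls = 1
listen_tcp = 0                            # no plaintext socket at all
listen_addr = "16.158.166.150"            # management address of popsuper1982 only
tls_port = "16514"
auth_tls = "sasl"                         # client certificate AND SASL credentials
tls_no_verify_certificate = 0             # keep certificate verification on
# Only the client DN issued above; libvirt compares the DN string as GnuTLS prints it
tls_allowed_dn_list = ["C=CN,O=libvirt.org,L=Beijing,ST=Beijing,CN=escto-bj-hp-z620"]
sasl_allowed_username_list = ["test1@popsuper1982"]
```

    With listen_tcp = 0 the mech_list restriction to digest-md5/gssapi no longer matters for confidentiality, because TLS provides the encryption; the SASL layer then only contributes the second factor.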

    VNC Authentication

    Since access to the graphical console of a VM Guest is not controlled by libvirt, but rather by QEMU, it is configured separately: the main configuration file is /etc/libvirt/qemu.conf.

    Two authentication types are available: SASL and single password authentication. If you are using SASL for libvirt authentication, it is strongly recommended to use it for VNC authentication as well—it is possible to share the same database.

    ln -s /etc/sasl2/libvirt.conf /etc/sasl2/qemu.conf

    /etc/libvirt/qemu.conf:

    vnc_listen = "0.0.0.0"
    vnc_sasl = 1

    With vnc_listen = "0.0.0.0" every guest console is reachable on all interfaces, so vnc_sasl = 1 (or vnc_tls = 1) is what keeps them from being open consoles. Currently only the VNC viewers that also support TLS/SSL connections support SASL authentication, namely Virtual Machine Manager, virt-viewer, and vinagre.

    Single Password Authentication

    <graphics type='vnc' port='-1' autoport='yes' passwd='PASSWORD'/>

    QEMU truncates VNC passwords to 8 characters and the classic VNC password scheme is a DES challenge/response, so treat it as a stopgap rather than as access control and prefer SASL or TLS above. virsh dumpxml hides the passwd attribute unless run with --security-info, but the value is stored in clear text in the domain XML under /etc/libvirt/qemu/, which must therefore stay readable by root only.
  • Original article: https://www.cnblogs.com/popsuper1982/p/3845194.html