QEMU KVM Libvirt Manual (10): Managing Virtual Machines with libvirt
libvirt is a library that provides a common API for managing popular virtualization solutions, among them KVM and Xen.
Creating an image with virt-install
qemu-img create -f qcow2 /tmp/centos5.8.img 10G
virt-install --virt-type qemu --name centos-5.8 --ram 2048 --noreboot --disk path=/tmp/centos5.8.img,format=qcow2,bus=virtio,device=disk --cdrom=/tmp/CentOS-5.8-x86_64-bin-DVD-1of2.iso --network network=default --graphics vnc,listen=0.0.0.0 --noautoconsole
Two things to note: --virt-type qemu selects software emulation (use --virt-type kvm on a host with KVM for hardware acceleration), and --graphics vnc,listen=0.0.0.0 binds the guest's VNC console to every interface with no password unless one is configured in qemu.conf (see VNC Authentication below).
qemu-img convert -O qcow2 -c centos-5.8.img centos-5.8.1.qcow2
Cloning an instance with virt-clone
The source VM must be shut off:
root:/home/cliu8/images# virt-clone -o ubuntu-14.04 -n ubuntu-14.04.new -f ubuntu-14.04.new.qcow2
Cloning ubuntu-14.04.img | 1.6 GB 00:03
Clone 'ubuntu-14.04.new' created successfully.
root:/home/cliu8/images# virsh list --all
Id Name State
----------------------------------------------------
- ubuntu-14.04 shut off
- ubuntu-14.04.new shut off
root:/home/cliu8/images# ls -l
total 24368572
-rwxrwxrwx 1 root root 1717043200 Jul 14 07:07 ubuntu-14.04.img
-rwxr-xr-x 1 root root 1717043200 Jul 14 21:35 ubuntu-14.04.new.qcow2
Note that the source image is world-writable (0777), so any local user could modify the guest's disk. Disk images should be readable and writable only by root and the account libvirt runs QEMU under (see the dac baselabel in the virsh capabilities output below).
Viewing instance statistics with virt-top
-1 Start by displaying pCPUs (default: tasks)
-2 Start by displaying network interfaces
virt-top 21:45:58 - x86_64 20/20CPU 1200MHz 64359MB
13 domains, 8 active, 8 running, 0 sleeping, 0 paused, 5 inactive D:0 O:0 X:0
CPU: 3.6% Mem: 29696 MB (29696 MB by guests)
ID S RXBY TXBY RXPK TXPK DOMAIN INTERFACE
9 R 29K 8106 37 43 baremetal_2 vnet3
3 R 15K 40K 80 71 baremetal_0 vnet2
6 R 10K 7760 37 37 baremetal_4 vnet5
2 R 150 0 3 0 seed vnet1
5 R 150 0 3 0 baremetal_5 vnet4
7 R 150 0 3 0 baremetal_3 vnet6
2 R 52 0 1 0 seed vnet0
47 R 0 0 0 0 instance-000 tap82945112-d4
10 R 0 0 0 0 baremetal_1 vnet7
-3 Start by displaying block devices
virt-top 21:47:15 - x86_64 20/20CPU 1200MHz 64359MB
13 domains, 8 active, 8 running, 0 sleeping, 0 paused, 5 inactive D:0 O:0 X:0
CPU: 2.3% Mem: 29696 MB (29696 MB by guests)
ID S RDBY WRBY RDRQ WRRQ DOMAIN DEVICE
6 R 29M 12K 232 2 baremetal_4 sda
5 R 29M 4096 232 1 baremetal_5 sda
9 R 4096 44K 1 6 baremetal_2 sda
3 R 0 48K 0 6 baremetal_0 sda
10 R 0 0 0 0 baremetal_1 sda
7 R 0 52K 0 2 baremetal_3 sda
2 R 0 68K 0 1 seed sda
47 R 0 0 0 0 instance-000 vda
2 R 0 0 0 0 seed vda
Managing instances with virsh
Connection URIs:
qemu:///session: a normal user with the local QEMU/KVM hypervisor (connection type session).
qemu+unix:///session: a normal user with the local QEMU/KVM hypervisor (connection type session).
qemu:///system: user root with the local QEMU/KVM hypervisor (connection type system).
qemu+unix:///system: user root with the local QEMU/KVM hypervisor (connection type system).
qemu+ssh://root@example.com/system: user root with a QEMU/KVM hypervisor on the node example.com via SSH tunnel.
qemu+tcp://example.com/system: a QEMU/KVM hypervisor on the node example.com protected with SASL / Kerberos.
Listing all domains on a remote host over a TLS connection, and the inactive domains over an SSH tunnel:
virsh -c qemu+tls://root@mercury.example.com/system list --all
virsh -c qemu+ssh://tux@mercury.example.com/system list --inactive
Note that the SSH tunnel and TLS transports are authenticated differently: SSH uses the remote account's credentials and then the UNIX socket permissions on that host, while TLS uses certificates (plus SASL if configured), as described below.
Connecting and Authorizing
The following authentication methods are available:
- Access control for UNIX sockets with permissions and group ownership. This method is available for libvirtd connections only.
- Access control for UNIX sockets with PolicyKit. This method is available for local libvirtd connections only.
- Username and password authentication with SASL (Simple Authentication and Security Layer). This method is available for both libvirtd and VNC connections. Using SASL does not require real user accounts on the server, since it uses its own database to store usernames and passwords. Connections authenticated with SASL are encrypted when the mechanism provides a security layer (DIGEST-MD5 or GSSAPI; see the SASL section below).
- Kerberos authentication. This method, available for libvirtd connections only, is not covered in this manual. Please refer to http://libvirt.org/auth.html#ACL_server_kerberos for details.
- Single password authentication. This method is available for VNC connections only.
libvirtd authentication is configured in /etc/libvirt/libvirtd.conf.
libvirt offers two sockets: a read-only socket for monitoring purposes and a read-write socket to be used for management operations. By default, both sockets are owned by root.root. Default access permissions on the read-write socket are restricted to the user root (0700) and fully open on the read-only socket (0777).
# virsh define ubuntu-14.04.xml
error: Failed to define domain from ubuntu-14.04.xml
error: unknown OS type hvm
If this happens, run virsh capabilities to check which guest types the hypervisor advertises for the architecture:
# virsh capabilities
<capabilities>
<host>
<uuid>004a7ff2-faec-de11-81d0-b9f76e39343c</uuid>
<cpu>
<arch>x86_64</arch>
<model>Westmere</model>
<vendor>Intel</vendor>
<topology sockets='1' cores='2' threads='2'/>
<feature name='rdtscp'/>
<feature name='pcid'/>
<feature name='pdcm'/>
<feature name='xtpr'/>
<feature name='tm2'/>
<feature name='est'/>
<feature name='smx'/>
<feature name='vmx'/>
<feature name='ds_cpl'/>
<feature name='monitor'/>
<feature name='dtes64'/>
<feature name='pclmuldq'/>
<feature name='pbe'/>
<feature name='tm'/>
<feature name='ht'/>
<feature name='ss'/>
<feature name='acpi'/>
<feature name='ds'/>
<feature name='vme'/>
</cpu>
<power_management>
<suspend_mem/>
<suspend_disk/>
<suspend_hybrid/>
</power_management>
<migration_features>
<live/>
<uri_transports>
<uri_transport>tcp</uri_transport>
</uri_transports>
</migration_features>
<topology>
<cells num='1'>
<cell id='0'>
<memory unit='KiB'>3836492</memory>
<cpus num='4'>
<cpu id='0' socket_id='0' core_id='0' siblings='0-1'/>
<cpu id='1' socket_id='0' core_id='0' siblings='0-1'/>
<cpu id='2' socket_id='0' core_id='2' siblings='2-3'/>
<cpu id='3' socket_id='0' core_id='2' siblings='2-3'/>
</cpus>
</cell>
</cells>
</topology>
<secmodel>
<model>apparmor</model>
<doi>0</doi>
</secmodel>
<secmodel>
<model>dac</model>
<doi>0</doi>
<baselabel type='kvm'>+118:+128</baselabel>
<baselabel type='qemu'>+118:+128</baselabel>
</secmodel>
</host>
<guest>
<os_type>hvm</os_type>
<arch name='i686'>
<wordsize>32</wordsize>
<emulator>/usr/bin/qemu-system-i386</emulator>
<machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
<machine maxCpus='255'>pc-0.12</machine>
<machine maxCpus='255'>pc-1.3</machine>
<machine maxCpus='255'>pc-q35-1.6</machine>
<machine maxCpus='255'>pc-q35-1.5</machine>
<machine maxCpus='1'>xenpv</machine>
<machine maxCpus='255'>pc-i440fx-1.6</machine>
<machine maxCpus='255'>pc-i440fx-1.7</machine>
<machine maxCpus='255'>pc-0.11</machine>
<machine maxCpus='255'>pc-0.10</machine>
<machine maxCpus='255'>pc-1.2</machine>
<machine maxCpus='1'>isapc</machine>
<machine maxCpus='255'>pc-q35-1.4</machine>
<machine maxCpus='128'>xenfv</machine>
<machine maxCpus='255'>pc-0.15</machine>
<machine maxCpus='255'>pc-0.14</machine>
<machine maxCpus='255'>pc-i440fx-1.5</machine>
<machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
<machine maxCpus='255'>pc-i440fx-1.4</machine>
<machine maxCpus='255'>pc-1.1</machine>
<machine maxCpus='255'>pc-q35-1.7</machine>
<machine maxCpus='255'>pc-1.0</machine>
<machine maxCpus='255'>pc-i440fx-2.0</machine>
<machine maxCpus='255'>pc-0.13</machine>
<domain type='qemu'>
</domain>
<domain type='kvm'>
<emulator>/usr/bin/kvm-spice</emulator>
<machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
<machine maxCpus='255'>pc-1.3</machine>
<machine maxCpus='255'>pc-0.12</machine>
<machine maxCpus='255'>pc-q35-1.6</machine>
<machine maxCpus='255'>pc-q35-1.5</machine>
<machine maxCpus='1'>xenpv</machine>
<machine maxCpus='255'>pc-i440fx-1.6</machine>
<machine maxCpus='255'>pc-i440fx-1.7</machine>
<machine maxCpus='255'>pc-0.11</machine>
<machine maxCpus='255'>pc-1.2</machine>
<machine maxCpus='255'>pc-0.10</machine>
<machine maxCpus='1'>isapc</machine>
<machine maxCpus='255'>pc-q35-1.4</machine>
<machine maxCpus='128'>xenfv</machine>
<machine maxCpus='255'>pc-0.15</machine>
<machine maxCpus='255'>pc-0.14</machine>
<machine maxCpus='255'>pc-i440fx-1.5</machine>
<machine maxCpus='255'>pc-i440fx-1.4</machine>
<machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
<machine maxCpus='255'>pc-1.1</machine>
<machine maxCpus='255'>pc-q35-1.7</machine>
<machine maxCpus='255'>pc-1.0</machine>
<machine maxCpus='255'>pc-i440fx-2.0</machine>
<machine maxCpus='255'>pc-0.13</machine>
</domain>
</arch>
<features>
<cpuselection/>
<deviceboot/>
<acpi default='on' toggle='yes'/>
<apic default='on' toggle='no'/>
<pae/>
<nonpae/>
</features>
</guest>
<guest>
<os_type>hvm</os_type>
<arch name='x86_64'>
<wordsize>64</wordsize>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
<machine maxCpus='255'>pc-1.3</machine>
<machine maxCpus='255'>pc-0.12</machine>
<machine maxCpus='255'>pc-q35-1.6</machine>
<machine maxCpus='255'>pc-q35-1.5</machine>
<machine maxCpus='1'>xenpv</machine>
<machine maxCpus='255'>pc-i440fx-1.6</machine>
<machine maxCpus='255'>pc-i440fx-1.7</machine>
<machine maxCpus='255'>pc-0.11</machine>
<machine maxCpus='255'>pc-1.2</machine>
<machine maxCpus='255'>pc-0.10</machine>
<machine maxCpus='1'>isapc</machine>
<machine maxCpus='255'>pc-q35-1.4</machine>
<machine maxCpus='128'>xenfv</machine>
<machine maxCpus='255'>pc-0.15</machine>
<machine maxCpus='255'>pc-0.14</machine>
<machine maxCpus='255'>pc-i440fx-1.5</machine>
<machine maxCpus='255'>pc-i440fx-1.4</machine>
<machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
<machine maxCpus='255'>pc-1.1</machine>
<machine maxCpus='255'>pc-q35-1.7</machine>
<machine maxCpus='255'>pc-1.0</machine>
<machine maxCpus='255'>pc-i440fx-2.0</machine>
<machine maxCpus='255'>pc-0.13</machine>
<domain type='qemu'>
</domain>
<domain type='kvm'>
<emulator>/usr/bin/kvm-spice</emulator>
<machine canonical='pc-i440fx-trusty' maxCpus='255'>pc</machine>
<machine maxCpus='255'>pc-1.3</machine>
<machine maxCpus='255'>pc-0.12</machine>
<machine maxCpus='255'>pc-q35-1.6</machine>
<machine maxCpus='255'>pc-q35-1.5</machine>
<machine maxCpus='1'>xenpv</machine>
<machine maxCpus='255'>pc-i440fx-1.6</machine>
<machine maxCpus='255'>pc-i440fx-1.7</machine>
<machine maxCpus='255'>pc-0.11</machine>
<machine maxCpus='255'>pc-1.2</machine>
<machine maxCpus='255'>pc-0.10</machine>
<machine maxCpus='1'>isapc</machine>
<machine maxCpus='255'>pc-q35-1.4</machine>
<machine maxCpus='128'>xenfv</machine>
<machine maxCpus='255'>pc-0.15</machine>
<machine maxCpus='255'>pc-0.14</machine>
<machine maxCpus='255'>pc-i440fx-1.5</machine>
<machine maxCpus='255'>pc-i440fx-1.4</machine>
<machine canonical='pc-q35-2.0' maxCpus='255'>q35</machine>
<machine maxCpus='255'>pc-1.1</machine>
<machine maxCpus='255'>pc-q35-1.7</machine>
<machine maxCpus='255'>pc-1.0</machine>
<machine maxCpus='255'>pc-i440fx-2.0</machine>
<machine maxCpus='255'>pc-0.13</machine>
</domain>
</arch>
<features>
<cpuselection/>
<deviceboot/>
<acpi default='on' toggle='yes'/>
<apic default='on' toggle='no'/>
</features>
</guest>
</capabilities>
The x86_64 guest entry advertises <os_type>hvm</os_type> for both the qemu and kvm domain types, so the domain can now be defined. (The secmodel entries are worth noting too: guest processes are confined by AppArmor and run under the DAC label +118:+128, a dedicated uid/gid rather than root.)
root@popsuper1982:/home/cliu8/images# virsh define ubuntu-14.04.xml
Domain ubuntu-14.04 defined from ubuntu-14.04.xml
Access Control for UNIX Sockets with Permissions and Group Ownership
Change the configuration in /etc/libvirt/libvirtd.conf as follows:
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
unix_sock_group sets the group ownership of the sockets to libvirt. unix_sock_rw_perms sets the access permissions for the read-write socket (srwxrwx---). auth_unix_rw = "none" disables the other authentication methods (PolicyKit or SASL), so access is controlled solely by the socket permissions. Membership in that group is then effectively root on the host: the read-write socket can define domains with arbitrary host files and devices attached.
The defaults on this host are:
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
Before cliu8 has been added to the libvirtd group:
$ virsh list
error: failed to connect to the hypervisor
error: no valid connection
error: Failed to connect socket to '/var/run/libvirt/libvirt-sock': Permission denied
After adding the user to the group (-a appends; without it usermod -G replaces the user's supplementary groups):
sudo usermod -G libvirtd -a cliu8
$ virsh list
Id Name State
----------------------------------------------------
48 instance-00000025 running
49 instance-00000026 running
50 instance-00000027 running
Now remote access through an SSH tunnel works as well, because the SSH transport runs as cliu8 on the target host and talks to the same UNIX socket:
$ virsh -c qemu+ssh://cliu8@16.158.166.150/system list
cliu8@16.158.166.150's password:
Id Name State
----------------------------------------------------
3 ubuntu-14.04 running
Local Access Control for UNIX Sockets with PolicyKit
No libvirt configuration changes are needed. With PolicyKit authorization enabled, permissions on both sockets default to 0777 and each application trying to access a socket needs to authenticate via PolicyKit. Authentication with PolicyKit can only be used for local connections on the VM Host Server itself.
Two policies for accessing libvirt's sockets exist:
- org.libvirt.unix.monitor: accessing the read-only socket
- org.libvirt.unix.manage: accessing the read-write socket
polkit-auth --user tux --grant org.libvirt.unix.manage # grant privilege
polkit-auth --user tux --revoke org.libvirt.unix.manage # revoke privilege
(polkit-auth belongs to the old PolicyKit 0.9 tooling; current polkit releases grant these actions through rules files under /etc/polkit-1/rules.d instead.)
Username and Password Authentication with SASL
SASL provides username and password authentication as well as data encryption (digest-md5, by default). Since SASL maintains its own user database, the users do not need to exist on the VM Host Server. SASL is required for TCP connections and can optionally be used on top of TLS/SSL connections. (DIGEST-MD5 has since been moved to Historic by RFC 6331; on current libvirt releases prefer GSSAPI, or SCRAM-SHA-256 over TLS, which authenticates but leaves the encryption to TLS.)
To configure SASL authentication, proceed as follows. Change the configuration in /etc/libvirt/libvirtd.conf. To enable SASL for TCP connections:
auth_tcp = "sasl"
To enable SASL for TLS/SSL connections:
auth_tls = "sasl"
Restart libvirtd: rclibvirtd restart (on SUSE; on the Ubuntu host used below, service libvirt-bin restart).
The libvirt SASL configuration file is located at /etc/sasl2/libvirt.conf. Normally, there is no need to change the defaults. However, if using SASL on top of TLS, you may turn off session encryption to avoid additional overhead (TLS connections are already encrypted) by commenting out mech_list. For TCP connections this parameter must be set to digest-md5:
mech_list: digest-md5 # mandatory for TCP connections
#mech_list: digest-md5 # apply default (username+password) TLS/SSL only!
By default, no SASL users are configured, so no logins are possible. Use the following commands to add, list, and delete users:
mercury:~ # saslpasswd2 -a libvirt tux # add user tux
Password:
Again (for verification):
mercury:~ # sasldblistusers2 -f /etc/libvirt/passwd.db # list users
tux@mercury.example.com: userPassword
mercury:~ # saslpasswd2 -a libvirt -d tux # delete user tux
With qemu+tcp:// connections, digest-md5 should be enabled so that the session is encrypted.
With qemu+tls:// connections, digest-md5 can be disabled so that traffic is not wrapped by the DIGEST-MD5 security layer and then encrypted a second time by TLS.
Edit /etc/libvirt/libvirtd.conf:
listen_tls = 1
listen_tcp = 1
No authentication on the UNIX sockets (the socket permissions alone decide; with the read-only socket at 0777 every local user can list and inspect domains):
auth_unix_ro = "none"
auth_unix_rw = "none"
tls_port = "16514"
tcp_port = "16509"
Members of this group are let through on the read-write socket:
unix_sock_group = "libvirtd"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
TCP and TLS connections authenticate with SASL:
auth_tcp = "sasl"
For TLS, additionally configure the following:
auth_tls = "sasl"
key_file = "/etc/pki/libvirt/private/serverkey.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
ca_file = "/etc/pki/CA/cacert.pem"
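The following script checks a libvirtd.conf against the rules from the two sections above: UNIX-socket permissions versus auth_unix_rw, SASL on the TCP transport, a SASL mechanism that actually encrypts, and client-certificate verification on TLS. It is an example added here, not libvirt's own code. The option names it reads are the ones shown on this page plus tls_no_verify_certificate; it assumes the plain key = "value" syntax of libvirtd.conf and the key: value syntax of /etc/sasl2/libvirt.conf.

```shell
# Audit a libvirtd.conf (and optionally the SASL config it relies on).
# Example code added to this page; not part of libvirt.

# conf_get FILE KEY: value of KEY in a libvirtd.conf-style file, quotes and
# trailing blanks stripped; commented-out keys (#key = ...) do not match.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# has_encrypting_mech SASL_CONF: true if mech_list names a mechanism with a
# session security layer (digest-md5 or gssapi, as the shipped libvirt.conf
# comment says); scram-* and plain only authenticate and need TLS underneath.
has_encrypting_mech() {
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" 2>/dev/null \
        | tail -n 1 | tr 'A-Z' 'a-z')
    case " $mechs " in
        *" digest-md5 "*|*" gssapi "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_libvirtd_conf LIBVIRTD_CONF [SASL_CONF]: print one line per finding and
# return the number of problems (0 = nothing flagged).
audit_libvirtd_conf() {
    conf=$1; sasl=${2:-}; problems=0
    rw_perms=$(conf_get "$conf" unix_sock_rw_perms); rw_perms=${rw_perms:-0700}
    auth_rw=$(conf_get "$conf" auth_unix_rw)
    listen_tcp=$(conf_get "$conf" listen_tcp)
    listen_tls=$(conf_get "$conf" listen_tls)
    auth_tcp=$(conf_get "$conf" auth_tcp)
    no_verify=$(conf_get "$conf" tls_no_verify_certificate)

    # The read-write socket gives full control of every guest. If nothing else
    # authenticates (auth_unix_rw = "none"), the "others" bits must be zero.
    case "$auth_rw:$rw_perms" in
        none:*[1-7])
            echo "PROBLEM: unix_sock_rw_perms=$rw_perms is world-accessible while auth_unix_rw=none"
            problems=$((problems + 1)) ;;
    esac

    # TCP is cleartext unless SASL supplies both authentication and encryption.
    if [ "$listen_tcp" = 1 ]; then
        if [ "$auth_tcp" != sasl ]; then
            echo "PROBLEM: listen_tcp=1 but auth_tcp is '${auth_tcp:-unset}' (expected \"sasl\")"
            problems=$((problems + 1))
        elif [ -n "$sasl" ] && ! has_encrypting_mech "$sasl"; then
            echo "PROBLEM: SASL on TCP but mech_list in $sasl offers no session encryption"
            problems=$((problems + 1))
        fi
    fi

    # With TLS the client certificate is the first factor; never switch the check off.
    if [ "$listen_tls" = 1 ] && [ "$no_verify" = 1 ]; then
        echo "PROBLEM: tls_no_verify_certificate=1 accepts any client certificate"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: no problems found in $conf"
    return "$problems"
}

# Usage: sh audit.sh /etc/libvirt/libvirtd.conf /etc/sasl2/libvirt.conf
if [ $# -gt 0 ]; then
    audit_libvirtd_conf "$@"
fi
```

Run it against the configuration above together with /etc/sasl2/libvirt.conf and it reports OK; flip auth_tcp to "none" or open the read-write socket to 0777 and the exit status counts the findings, which makes it usable from a configuration-management check.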
Creating keys and certificates
/////////////////////////////Create the Certificate Authority Certificate
# cat certificate_authority_template.info
cn = libvirt.org
ca
cert_signing_key
apt-get install gnutls-bin
(umask 277 && certtool --generate-privkey > certificate_authority_key.pem)
# cat certificate_authority_key.pem
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----
root@popsuper1982:/home/cliu8/keys/certtool# ls -la certificate_authority_key.pem
-r-------- 1 root root 1972 Jul 15 22:28 certificate_authority_key.pem
# certtool --generate-self-signed --template certificate_authority_template.info --load-privkey certificate_authority_key.pem --outfile certificate_authority_certificate.pem
Generating a self signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 53c53b4d
Validity:
Not Before: Tue Jul 15 14:31:41 UTC 2014
Not After: Wed Jul 15 14:31:41 UTC 2015
Subject: CN=libvirt.org
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:e9:59:61:58:f3:f4:a0:db:7a:c1:57:48:5c:c4:19
5a:2c:b3:51:cf:2c:37:31:64:3f:52:bc:ea:f8:1b:db
3f:ed:95:7d:c1:0f:56:cd:4c:21:d5:a3:fd:93:78:29
87:ca:fe:1a:7b:79:01:c6:69:c1:d1:84:93:f7:6f:18
87:f9:5b:9f:7a:b8:c1:ac:ab:a8:8c:1f:fc:c9:d8:f5
29:b5:ea:1e:e3:3f:9d:f1:ff:56:83:ea:ed:48:30:ac
61:e5:39:46:22:53:97:57:09:6c:6c:58:de:7f:f5:a5
d8:46:46:79:19:4d:be:6f:1c:d0:2c:1c:8b:ef:1c:be
ca:96:5e:87:ef:36:83:7a:9b:1b:1e:03:18:71:60:70
f5:73:1b:11:e6:01:3e:87:43:b9:7a:aa:4b:01:99:21
69:76:4e:22:0e:e6:a5:bc:23:48:d9:04:ad:1e:56:b7
90:8b:01:bb:bb:72:aa:f9:3c:ba:b1:9a:2a:d3:45:de
d3:84:82:4e:40:07:da:1f:e9:b7:47:3b:96:6d:e0:f8
1b:b0:c1:98:d0:df:9b:c9:f9:c6:d9:32:58:43:8e:9a
e6:6a:a7:6f:a9:c2:df:c8:60:7b:87:f5:d1:f4:25:1a
c4:3c:bb:17:fe:83:a1:06:48:8b:a5:1a:b3:00:91:d9
26:2a:8d:73:dc:e5:a1:85:a4:1a:29:1f:1d:c1:fb:14
4f:51:8f:4b:9c:19:15:49:7c:de:3d:0e:cb:47:84:b6
ff:d2:dd:1e:2a:d6:77:59:18:df:c1:82:39:a4:0f:47
51
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Key Usage (critical):
Certificate signing.
Subject Key Identifier (not critical):
f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
Public Key Id:
f113e5356c2b30271aa1f1bb6183676edee28ed7
Signing certificate...
# cat certificate_authority_certificate.pem
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
# ls -la certificate_authority_certificate.pem
-r-------- 1 root root 1204 Jul 15 22:31 certificate_authority_certificate.pem
# cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem
chmod 444 /etc/pki/CA/cacert.pem
scp -r certificate_authority_certificate.pem cliu8@16.158.166.197:/home/cliu8/
On 16.158.166.197:
cp certificate_authority_certificate.pem /etc/pki/CA/cacert.pem
/////////////////////////Creating Transport Layer Security Server Certificates for libvirt
# cat popsuper1982_server_template.info
organization = libvirt.org
cn = popsuper1982
tls_www_server
encryption_key
signing_key
# (umask 277 && certtool --generate-privkey > popsuper1982_server_key.pem)
Generating a 2432 bit RSA private key...
# certtool --generate-certificate --template popsuper1982_server_template.info --load-privkey popsuper1982_server_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile popsuper1982_server_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 53c55255
Validity:
Not Before: Tue Jul 15 16:09:57 UTC 2014
Not After: Wed Jul 15 16:09:57 UTC 2015
Subject: O=libvirt.org,CN=popsuper1982
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:ca:e5:92:4f:d8:14:f4:e2:26:26:88:5a:b4:fd:0e
ee:86:c6:e8:15:b2:4f:36:6d:8a:b1:23:75:80:b1:0a
72:e0:6c:a0:06:ce:03:43:12:2c:6f:e9:ee:bf:21:d2
93:82:02:74:14:50:17:fc:f8:21:ec:a6:66:29:9f:d7
c3:63:35:50:82:f2:30:9a:12:3b:3e:5a:d1:68:29:7a
eb:18:10:7a:69:f8:0b:aa:1a:d9:2d:8b:e4:b3:1b:81
c7:de:a8:9f:08:1d:d0:85:db:af:cc:08:00:9b:c1:5a
31:f8:9a:43:01:42:88:11:91:35:73:df:57:b9:ce:83
34:91:70:ee:29:4b:88:dd:f2:7a:16:1d:c1:36:4d:8b
28:7b:05:ba:42:b1:63:8a:92:f8:3d:0c:d1:a2:d8:24
92:29:de:c7:8a:73:1d:1e:ec:d3:72:4a:7e:7a:a1:43
85:fa:85:ab:58:a3:67:03:4a:48:62:04:b3:f4:8e:f5
f0:16:fb:24:28:75:d7:1d:43:52:bc:08:9d:3e:d0:38
7d:36:9b:1b:f5:81:0c:17:fd:ba:1b:10:bb:1b:69:cf
eb:c1:54:4e:99:ed:ff:15:71:11:9a:63:31:9d:0f:7b
b2:31:a2:4c:49:2a:ee:d1:3c:80:c0:98:e0:6c:63:6b
52:9a:b5:d6:0b:6c:34:13:86:d6:ab:c4:4d:9a:ff:ae
be:60:b2:a7:e3:3d:b4:63:05:d3:f0:f9:69:01:35:97
1c:52:48:24:75:b5:73:96:b5:fb:bc:8e:2e:62:7c:5c
17
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Server.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c
Authority Key Identifier (not critical):
f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
Public Key Id:
0570b6cf340118f7d44dd67c0ca6ffbbb7a4871c
Signing certificate...
cp popsuper1982_server_certificate.pem /etc/pki/libvirt/servercert.pem
cp popsuper1982_server_key.pem /etc/pki/libvirt/private/serverkey.pem
///////////////////////Creating Transport Layer Security Client Certificates for libvirt
# cat escto-bj-hp-z620_client_template.info
country = CN
state = Beijing
locality = Beijing
organization = libvirt.org
cn = escto-bj-hp-z620
tls_www_client
encryption_key
signing_key
# (umask 277 && certtool --generate-privkey > escto-bj-hp-z620_client_key.pem)
Generating a 2432 bit RSA private key...
# certtool --generate-certificate --template escto-bj-hp-z620_client_template.info --load-privkey escto-bj-hp-z620_client_key.pem --load-ca-certificate certificate_authority_certificate.pem --load-ca-privkey certificate_authority_key.pem --outfile escto-bj-hp-z620_client_certificate.pem
Generating a signed certificate...
X.509 Certificate Information:
Version: 3
Serial Number (hex): 53c55678
Validity:
Not Before: Tue Jul 15 16:27:36 UTC 2014
Not After: Wed Jul 15 16:27:36 UTC 2015
Subject: C=CN,O=libvirt.org,L=Beijing,ST=Beijing,CN=escto-bj-hp-z620
Subject Public Key Algorithm: RSA
Certificate Security Level: Normal
Modulus (bits 2432):
00:9f:5c:d7:89:2c:0b:fe:e7:38:21:1d:2a:da:92:eb
82:91:96:3c:f3:22:28:a3:d6:3d:70:68:27:a1:2b:3a
3e:79:03:55:ea:1b:eb:1f:81:90:71:3d:41:4c:99:f2
96:46:22:e0:33:91:bb:5b:38:83:a5:3f:d7:0a:25:dd
f0:90:cf:0d:4a:18:b3:0d:db:01:5f:70:78:1b:63:01
ac:6f:32:8b:79:cc:51:0f:d4:45:1e:6f:b8:d8:84:57
af:ca:e8:3e:58:0a:79:89:0d:99:e2:8a:b2:2c:85:dc
40:15:7c:52:9b:46:66:a0:0f:6c:52:7d:e8:1b:b4:06
5a:d9:7f:30:84:d0:37:66:2a:3f:53:50:33:99:93:b7
8d:a2:74:cd:4d:ca:76:b5:df:2f:47:f9:e2:1a:7b:91
49:20:be:c9:ca:9b:f1:2c:f1:40:1a:66:37:2e:ac:23
3f:3d:44:de:0f:2d:d2:60:63:22:2d:49:28:98:c0:b7
9f:70:be:51:b8:d3:10:1d:40:3d:3e:6f:1a:f1:a2:1b
5c:2e:68:8b:05:99:7b:0b:5c:9c:78:54:8f:de:ae:7e
75:6d:fb:af:cc:ea:3c:be:9d:25:57:d1:3d:ef:27:66
c3:93:2f:62:f0:43:31:64:df:df:20:b6:b8:df:8a:85
77:38:9b:3d:85:e1:67:1b:e6:b4:9b:e0:30:4e:6c:62
c1:07:72:57:ad:bc:fc:f0:0c:d8:d4:12:ac:eb:80:ee
04:b2:b0:10:e4:d6:71:68:2b:ee:e6:98:23:9a:df:c7
95
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
f4385711f8089b39ba2c13869aa816114d378190
Authority Key Identifier (not critical):
f113e5356c2b30271aa1f1bb6183676edee28ed7
Other Information:
Public Key Id:
f4385711f8089b39ba2c13869aa816114d378190
Signing certificate...
root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_certificate.pem cliu8@16.158.166.197:/home/cliu8/
cliu8@16.158.166.197's password:
escto-bj-hp-z620_client_certificate.pem 100% 1379 1.4KB/s 00:00
root@popsuper1982:/home/cliu8/keys/certtool# scp escto-bj-hp-z620_client_key.pem cliu8@16.158.166.197:/home/cliu8/
cliu8@16.158.166.197's password:
escto-bj-hp-z620_client_key.pem 100% 1968 1.9KB/s 00:00
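The CA, server and client steps above, collected into one script so they can be repeated for another host pair without retyping the templates. This is an example added here, not libvirt's tooling. It assumes a GnuTLS 3.x certtool (package gnutls-bin), takes the server and client names as arguments, and leaves the files in a scratch directory to be copied into /etc/pki by hand as shown on this page. Beyond the page's templates it adds dns_name (the hostname as a SAN) and an explicit expiration_days.

```shell
# Build the libvirt TLS PKI: CA, server and client certificates.
# Example code added to this page; not libvirt's own tooling.

# gen_key FILE: private key written with mode 0400 (the umask trick from above).
gen_key() {
    ( umask 277 && certtool --generate-privkey --outfile "$1" 2>/dev/null )
}

# sign_cert TEMPLATE KEY OUT: issue OUT for KEY, signed by cacert.pem/cakey.pem
# in the current directory.
sign_cert() {
    certtool --generate-certificate --template "$1" --load-privkey "$2" \
        --load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
        --outfile "$3" 2>/dev/null
}

# make_libvirt_pki OUTDIR SERVER_HOST CLIENT_HOST: create cacert.pem, cakey.pem,
# servercert.pem, serverkey.pem, clientcert.pem and clientkey.pem under OUTDIR.
# Runs in a subshell so the cd does not leak into the caller.
make_libvirt_pki() (
    set -e
    mkdir -p "$1" && cd "$1"
    server=$2; client=$3

    # CA: restricted to certificate signing, as in certificate_authority_template.info.
    printf 'cn = libvirt.org\nca\ncert_signing_key\nexpiration_days = 3650\n' > ca.info
    gen_key cakey.pem
    certtool --generate-self-signed --template ca.info --load-privkey cakey.pem \
        --outfile cacert.pem 2>/dev/null

    # Server: cn must equal the name clients put in qemu+tls://NAME/system,
    # because virsh checks it against the certificate before authenticating.
    printf 'organization = libvirt.org\ncn = %s\ndns_name = %s\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = 365\n' \
        "$server" "$server" > server.info
    gen_key serverkey.pem
    sign_cert server.info serverkey.pem servercert.pem

    # Client: identifies the machine running virsh; libvirtd verifies it
    # against cacert.pem unless tls_no_verify_certificate is set.
    printf 'organization = libvirt.org\ncn = %s\ntls_www_client\nencryption_key\nsigning_key\nexpiration_days = 365\n' \
        "$client" > client.info
    gen_key clientkey.pem
    sign_cert client.info clientkey.pem clientcert.pem
)

# verify_against_ca CA CERT: true if CERT chains to CA, the check both ends of a
# qemu+tls connection perform on each other's certificate.
verify_against_ca() {
    certtool --verify --load-ca-certificate "$1" --infile "$2" >/dev/null 2>&1
}

# cert_subject CERT: the Subject line, e.g. "O=libvirt.org,CN=popsuper1982".
cert_subject() {
    certtool --certificate-info --infile "$1" | sed -n 's/^[[:space:]]*Subject: //p'
}

# Usage: sh make-pki.sh ./pki popsuper1982 escto-bj-hp-z620
if [ $# -eq 3 ]; then
    make_libvirt_pki "$1" "$2" "$3"
    verify_against_ca "$1/cacert.pem" "$1/servercert.pem" && echo "server cert OK: $(cert_subject "$1/servercert.pem")"
    verify_against_ca "$1/cacert.pem" "$1/clientcert.pem" && echo "client cert OK: $(cert_subject "$1/clientcert.pem")"
fi
```

Afterwards copy cacert.pem to /etc/pki/CA/cacert.pem on both machines, servercert.pem and serverkey.pem to /etc/pki/libvirt/servercert.pem and /etc/pki/libvirt/private/serverkey.pem on the server, and clientcert.pem and clientkey.pem to /etc/pki/libvirt/clientcert.pem and /etc/pki/libvirt/private/clientkey.pem on the client, keeping the 0400 mode on the keys. Only cakey.pem should stay off both hosts; whoever holds it can mint client certificates that libvirtd will trust.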
Edit /etc/hosts so that the certificate names resolve:
16.158.166.150 popsuper1982
16.158.166.197 escto-bj-hp-z620
Edit /etc/default/libvirt-bin so that libvirtd is started with -l (listen):
#cat /etc/default/libvirt-bin
# Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)
# This is a POSIX shell fragment
# Start libvirtd to handle qemu/kvm:
start_libvirtd="yes"
# options passed to libvirtd, add "-l" to listen on tcp
libvirtd_opts="-d -l"
# pass in location of kerberos keytab
#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
Restart libvirt-bin and confirm that libvirtd listens on the TCP (16509) and TLS (16514) ports. Both are bound to all interfaces; restrict them with listen_addr in libvirtd.conf or a host firewall if the management network is not isolated.
root@popsuper1982:/home/cliu8# netstat -na | grep 16509
tcp 0 0 0.0.0.0:16509 0.0.0.0:* LISTEN
tcp6 0 0 :::16509 :::* LISTEN
root@popsuper1982:/home/cliu8# netstat -na | grep 16514
tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN
tcp6 0 0 :::16514 :::* LISTEN
Note the SASL configuration (the shipped comments explain why DIGEST-MD5 or GSSAPI is mandatory on the non-TLS socket):
# cat /etc/sasl2/libvirt.conf
# If you want to use the non-TLS socket, then you *must* include
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
# ones that can offer session encryption as well as authentication.
#
# If you're only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# Default to a simple username+password mechanism
mech_list: digest-md5
# Before you can use GSSAPI, you need a service principle on the
# KDC server for libvirt, and that to be exported to the keytab
# file listed below
#mech_list: gssapi
#
# You can also list many mechanisms at once, then the user can choose
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: digest-md5 gssapi
# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
#
# There is no default value here, uncomment if you need this
#keytab: /etc/libvirt/krb5.tab
# If using digest-md5 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
sasldb_path: /etc/libvirt/passwd.db
Adding a user
saslpasswd2 -a libvirt test1
The application name here must be libvirt: only then does saslpasswd2 read /etc/sasl2/libvirt.conf and write the entry into /etc/libvirt/passwd.db (the sasldb_path configured there).
Only then does the following command show the user:
# sasldblistusers2 -f /etc/libvirt/passwd.db
test1@popsuper1982: userPassword
Now log in remotely over TCP (the authentication name includes the realm, which defaults to the server hostname):
$ virsh -c qemu+tcp://16.158.166.150/system list --all
Please enter your authentication name: test1@popsuper1982
Please enter your password:
Id Name State
----------------------------------------------------
- ubuntu-14.04 shut off
For a remote TLS connection, the CA certificate /etc/pki/CA/cacert.pem must be in place on both sides, together with the client or server certificate and key:
On the client machine escto-bj-hp-z620:
# tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
| `-- cacert.pem
|-- libvirt
| |-- clientcert.pem
| `-- private
| `-- clientkey.pem
`-- nssdb -> /var/lib/nssdb
On the server machine popsuper1982:
# tree --charset ASCII /etc/pki/
/etc/pki/
|-- CA
| `-- cacert.pem
|-- libvirt
| |-- private
| | `-- serverkey.pem
| `-- servercert.pem
`-- nssdb -> /var/lib/nssdb
# virsh -c qemu+tls://popsuper1982/system list --all
Please enter your authentication name: test1@popsuper1982
Please enter your password:
Id Name State
----------------------------------------------------
- ubuntu-14.04 shut off
The hostname (not the IP address) must be used in the URI: the client verifies that the server certificate's CN matches the host it connected to, so the connection fails otherwise.
VNC Authentication
Since access to the graphical console of a VM Guest is not controlled by libvirt but rather by QEMU, the main configuration file is /etc/libvirt/qemu.conf.
Two authentication types are available: SASL and single password authentication. If you are using SASL for libvirt authentication, it is strongly recommended to use it for VNC authentication as well; it is possible to share the same database:
ln -s /etc/sasl2/libvirt.conf /etc/sasl2/qemu.conf
/etc/libvirt/qemu.conf
vnc_listen = "0.0.0.0"
vnc_sasl = 1
Currently only the same VNC viewers that also support TLS/SSL connections support SASL authentication, namely Virtual Machine Manager, virt-viewer, and vinagre.
Single Password Authentication
<graphics type='vnc' port='-1' autoport='yes' passwd='PASSWORD'/>
A VNC password is weak protection: the protocol truncates it to 8 characters and the challenge-response is DES-based, and the password is stored in the domain XML (virsh dumpxml shows it only with --security-info). Keep vnc_listen on a loopback address, or combine the console with vnc_tls or SASL.
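A check for the exposure described in this section and at the virt-install command at the top of the page (listen=0.0.0.0 with no authentication). This is an example added here, not part of libvirt. It takes the domain XML as written by virsh dumpxml --security-info (the only form that keeps the passwd attribute) and /etc/libvirt/qemu.conf, whose vnc_listen, vnc_password and vnc_sasl settings fill in whatever the XML leaves unspecified. The XML is read with sed on the single-element forms shown on this page; it is not a general XML parser.

```shell
# Report whether a guest's VNC console is reachable without authentication.
# Example code added to this page; not part of libvirt.

# qemu_conf_get FILE KEY: value of KEY in qemu.conf, quotes stripped.
qemu_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# xml_attr TAG NAME: value of attribute NAME inside the single tag TAG.
xml_attr() {
    printf '%s' "$1" | sed -n "s/.*[[:space:]]$2=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# vnc_console_exposed DOMAIN_XML QEMU_CONF: true (0) when the VNC console
# listens on a non-loopback address with neither a per-domain passwd, a global
# vnc_password, nor vnc_sasl; false (1) otherwise or if there is no VNC console.
vnc_console_exposed() {
    xml=$(tr '\n' ' ' < "$1")
    gfx=$(printf '%s' "$xml" | sed -n 's/.*\(<graphics[^>]*type=.vnc.[^>]*>\).*/\1/p')
    [ -n "$gfx" ] || return 1

    # Listen address: graphics/@listen, then a nested <listen address=.../>,
    # then qemu.conf vnc_listen, then libvirt's default of 127.0.0.1.
    listen=$(xml_attr "$gfx" listen)
    [ -n "$listen" ] || listen=$(printf '%s' "$xml" \
        | sed -n "s/.*<listen[^>]*address=['\"]\([^'\"]*\)['\"].*/\1/p")
    [ -n "$listen" ] || listen=$(qemu_conf_get "$2" vnc_listen)
    [ -n "$listen" ] || listen=127.0.0.1
    case $listen in
        127.*|::1|localhost) return 1 ;;   # loopback: only local users can reach it
    esac

    # Any one of these stops anonymous access (the page describes all three).
    [ -n "$(xml_attr "$gfx" passwd)" ] && return 1
    [ -n "$(qemu_conf_get "$2" vnc_password)" ] && return 1
    [ "$(qemu_conf_get "$2" vnc_sasl)" = 1 ] && return 1
    return 0
}

# Usage: virsh dumpxml --security-info centos-5.8 > dom.xml
#        sh vnc-check.sh dom.xml /etc/libvirt/qemu.conf
if [ $# -eq 2 ]; then
    if vnc_console_exposed "$1" "$2"; then
        echo "EXPOSED: unauthenticated VNC console reachable from the network"
    else
        echo "ok: VNC console is loopback-only, password/SASL protected, or absent"
    fi
fi
```

Loop it over virsh list --all --name to audit every domain on a host; the centos-5.8 guest installed at the top of this page would be reported as exposed until a passwd attribute, vnc_password or vnc_sasl = 1 is configured.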