diff --git a/ChangeLog b/ChangeLog
index 1806893e3975a403815ebf95b30daf35387fbd19..c418deef39f39f7e1c7c290ec56cbd3dd6cedcad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Thu Jul 12 17:48:40 CEST 2007 Daniel Veillard
+
+ * docs/libvir.html docs/remote.html: update the remote page,
+ add an index
+ * docs/pki_check.sh: shell script to check the PKI and client/server
+ environment.
+
Thu Jul 12 11:15:17 EST 2007 Daniel P. Berrange
* src/remote_internal.c: Explicitly check certificate/key files
diff --git a/docs/libvir.html b/docs/libvir.html
index 69e3451f68a35289e1218d38d920b2d39f6613cc..0a64973aa43ca3ff4aec71fbc4409ad46687574a 100644
--- a/docs/libvir.html
+++ b/docs/libvir.html
@@ -1432,6 +1432,27 @@ use the mailing-list if you don't get an answer there.
Libvirt allows you to access hypervisors running on remote
machines through authenticated and encrypted connections.
+
If you are unsure how to create TLS certificates, skip to the
@@ -2038,15 +2059,19 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem
On the server side, run the libvirtd server with
-the '--remote' and '--verbose' options while the
+the '--listen' and '--verbose' options while the
client is connecting. The verbose log messages should
tell you enough to diagnose the problem.
+
You can use the pki_check.sh shell script
+to analyze the setup on the client or server machines, preferably as root.
+It will try to point out the possible problems and provide solutions to
+fix the set up up to a point where you have secure remote access.
Libvirtd (the remote daemon) is configured from a file called
@@ -2059,6 +2084,8 @@ the command line using -f filename or
This file should contain lines of the form below.
Blank lines and comments beginning with # are ignored.
+
setting = value
+
The following settings, values and default are:
diff --git a/docs/pki_check.sh b/docs/pki_check.sh
new file mode 100755
index 0000000000000000000000000000000000000000..10cdb7d146513b2a378244ad791cb21df70cd44c
--- /dev/null
+++ b/docs/pki_check.sh
@@ -0,0 +1,260 @@
+#!/bin/sh
+#
+# This shell script checks the TLS certificates and options needed
+# for the secure client/server support of libvirt as documented at
+# http://libvirt.org/remote.html#Remote_certificates
+#
+# Daniel Veillard
+#
+USER=`who am i | awk '{ print $1 }'`
+SERVER=1
+CLIENT=1
+PORT=16514
+#
+# First get certtool
+#
+CERTOOL=`which certtool 2>/dev/null`
+if [ ! -x $CERTOOL ]
+then
+ echo Could not locate the certtool program
+ echo make sure the gnutls-utils package is installed
+ exit 1
+fi
+echo Found $CERTOOL
+
+#
+# Check the directory structure
+#
+PKI="/etc/pki"
+if [ ! -d $PKI ]
+then
+ echo the $PKI directory is missing, it is usually
+ echo installed as part of the filesystem or openssl packages
+ exit 1
+fi
+
+if [ ! -r $PKI ]
+then
+ echo the $PKI directory is not readable by $USER
+ echo "as root do: chmod a+rx $PKI"
+ exit 1
+fi
+if [ ! -x $PKI ]
+then
+ echo the $PKI directory is not listable by $USER
+ echo "as root do: chmod a+rx $PKI"
+ exit 1
+fi
+
+CA="$PKI/CA"
+if [ ! -d $CA ]
+then
+ echo the $CA directory is missing, it is usually
+ echo installed as part of the or openssl package
+ exit 1
+fi
+
+if [ ! -r $CA ]
+then
+ echo the $CA directory is not readable by $USER
+ echo "as root do: chmod a+rx $CA"
+ exit 1
+fi
+if [ ! -x $CA ]
+then
+ echo the $CA directory is not listable by $USER
+ echo "as root do: chmod a+rx $CA"
+ exit 1
+fi
+
+LIBVIRT="$PKI/libvirt"
+if [ ! -d $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is missing, it is usually
+ echo installed by the libvirt package
+ echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT"
+ exit 1
+fi
+
+if [ ! -r $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is not readable by $USER
+ echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
+ exit 1
+fi
+if [ ! -x $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is not listable by $USER
+ echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
+ exit 1
+fi
+
+LIBVIRTP="$LIBVIRT/private"
+if [ ! -d $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is missing, it is usually
+ echo installed by the libvirt package
+ echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP"
+ exit 1
+fi
+
+if [ ! -r $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is not readable by $USER
+ echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
+ exit 1
+fi
+if [ ! -x $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is not listable by $USER
+ echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
+ exit 1
+fi
+
+#
+# Now check the certificates
+# First the CA certificate
+#
+if [ ! -f $CA/cacert.pem ]
+then
+ echo the CA certificate $CA/cacert.pem is missing while it
+ echo should be installed on both client and servers
+ echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
+ echo on how to install it
+ exit 1
+fi
+if [ ! -r $CA/cacert.pem ]
+then
+ echo the CA certificate $CA/cacert.pem is not readable by $USER
+ echo "as root do: chmod 644 $CA/cacert.pem"
+ exit 1
+fi
+ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep Issuer | sed 's+Issuer: CN=++'`
+if [ "$ORG" == "" ]
+then
+ echo the CA certificate $CA/cacert.pem does not define the organization
+ echo it should probably regenerated
+ echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
+ echo on how to regenerate it
+ exit 1
+fi
+echo Found CA certificate $CA/cacert.pem for $ORG
+
+# Second the client certificates
+
+if [ -f $LIBVIRT/clientcert.pem ]
+then
+ if [ ! -r $LIBVIRT/clientcert.pem ]
+ then
+ echo Client certificate $LIBVIRT/clientcert.pem should be world readable
+ echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
+ else
+ S_ORG=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ if [ "$ORG" != "$S_ORG" ]
+ then
+ echo The CA certificate and the client certificate do not match
+ echo CA organization: $ORG
+ echo Client organization: $S_ORG
+ fi
+ CLIENT=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
+ if [ ! -e $LIBVIRTP/clientkey.pem ]
+ then
+ echo Missing client private key $LIBVIRTP/clientkey.pem
+ else
+ echo Found client private key $LIBVIRTP/clientkey.pem
+ OWN=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $3 }'`
+ MOD=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $1 }'`
+ if [ "$OWN" != "root" ]
+ then
+ echo The client private key should be owned by root
+ echo "as root do: chown root $LIBVIRTP/clientkey.pem"
+ fi
+ if [ "$MOD" != "-rw-r--r--" ]
+ then
+ echo The client private key need to be read by client tools
+ echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem"
+ fi
+ fi
+
+ fi
+else
+ echo Did not found $LIBVIRT/clientcert.pem client certificate
+ echo The machine cannot act as a client
+ echo "see http://libvirt.org/remote.html#Remote_TLS_client_certificates"
+ echo on how to regenerate it
+ CLIENT=0
+fi
+
+# Third the server certificates
+
+if [ -f $LIBVIRT/servercert.pem ]
+then
+ if [ ! -r $LIBVIRT/servercert.pem ]
+ then
+ echo Server certificate $LIBVIRT/servercert.pem should be world readable
+ echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
+ else
+ S_ORG=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+ if [ "$ORG" != "$S_ORG" ]
+ then
+ echo The CA certificate and the server certificate do not match
+ echo CA organization: $ORG
+ echo Server organization: $S_ORG
+ fi
+ S_HOST=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
+ if [ "$S_HOST" != "`hostname -s`" -a "$S_HOST" != "`hostname`" ]
+ then
+ echo The server certificate does not seem to match the host name
+ echo hostname: '"'`hostname`'"'
+ echo Server certificate CN: '"'$S_HOST'"'
+ fi
+ echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST
+ if [ ! -e $LIBVIRTP/serverkey.pem ]
+ then
+ echo Missing server private key $LIBVIRTP/serverkey.pem
+ else
+ echo Found server private key $LIBVIRTP/serverkey.pem
+ OWN=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $3 }'`
+ MOD=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $1 }'`
+ if [ "$OWN" != "root" ]
+ then
+ echo The server private key should be owned by root
+ echo "as root do: chown root $LIBVIRTP/serverkey.pem"
+ fi
+ if [ "$MOD" != "-rw-------" ]
+ then
+ echo The server private key need to be read only by root
+ echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem"
+ fi
+ fi
+
+ fi
+else
+ echo Did not found $LIBVIRT/servercert.pem server certificate
+ echo The machine cannot act as a server
+ echo "see http://libvirt.org/remote.html#Remote_TLS_server_certificates"
+ echo on how to regenerate it
+ SERVER=0
+fi
+
+if [ "$SERVER" = "1" ]
+then
+ if [ -r /etc/sysconfig/libvirtd ]
+ then
+ if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
+ then
+ echo Make sure /etc/sysconfig/libvirtd is setup to listen to
+ echo TCP/IP connections and restart the libvirtd service
+ fi
+ fi
+ if [ -r /etc/sysconfig/iptables ]
+ then
+ if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
+ then
+ echo Make sure /etc/sysconfig/iptables is setup to allow
+ echo incoming TCP/IP connections on port $PORT and
+ echo restart the iptables service
+ fi
+ fi
+fi
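Review bot: The certtool probe at the top of the hunk never fires when certtool is absent: a failing `which` leaves `$CERTOOL` empty, the unquoted test collapses to `[ ! -x ]`, which is false, and the script then runs an empty command name at the first `$CERTOOL -i --infile` line; change the guard to `if [ -z "$CERTOOL" ] || [ ! -x "$CERTOOL" ]`. `[ "$ORG" == "" ]` is a bash extension that is rejected with "unexpected operator" by strictly POSIX `test` implementations (e.g. dash) despite the `#!/bin/sh` shebang; use `[ -z "$ORG" ]`. Separately, the client private key check accepts only mode `-rw-r--r--` and tells the administrator to `chmod 644` a private key, which makes it readable by every local account and also rejects a tighter arrangement such as `-rw-r-----` with a dedicated group; the check should accept any mode without world-read rather than demand one. The `grep $PORT /etc/sysconfig/iptables` test also matches the port number anywhere in the file, including in comments, so it can report the firewall as open when it is not.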
diff --git a/docs/remote.html b/docs/remote.html
index fe9e1b551906e8b0be2a2c8a1a446c9257173aea..22eaddefd150b41a5547a5f8d704b5af18b88de8 100644
--- a/docs/remote.html
+++ b/docs/remote.html
@@ -3,7 +3,24 @@
Remote support
Remote support
Libvirt allows you to access hypervisors running on remote
machines through authenticated and encrypted connections.
-
On the remote machine, libvirtd should be running.
See the section
on configuring libvirtd for more information.
@@ -178,7 +195,7 @@ Note that parameter values must be
On the server side, run the libvirtd server with
-the '--remote' and '--verbose' options while the
+the '--listen' and '--verbose' options while the
client is connecting. The verbose log messages should
tell you enough to diagnose the problem.
You can use the pki_check.sh shell script
+to analyze the setup on the client or server machines, preferably as root.
+It will try to point out the possible problems and provide solutions to
+fix the set up up to a point where you have secure remote access.
Libvirtd (the remote daemon) is configured from a file called
/etc/libvirt/libvirtd.conf, or specified on
the command line using -f filename or
@@ -428,7 +448,7 @@ the command line using -f filename or
This file should contain lines of the form below.
Blank lines and comments beginning with # are ignored.
-