From 62442d578d123de37ab27ae139f1270fc02e837c Mon Sep 17 00:00:00 2001 From: Daniel Veillard Date: Thu, 12 Jul 2007 15:47:19 +0000 Subject: [PATCH] * docs/libvir.html docs/remote.html: update the remote page, add an index * docs/pki_check.sh: shell script to check the PKI and client/server environment. Daniel --- ChangeLog | 7 ++ docs/libvir.html | 33 +++++- docs/pki_check.sh | 260 ++++++++++++++++++++++++++++++++++++++++++++++ docs/remote.html | 30 +++++- 4 files changed, 322 insertions(+), 8 deletions(-) create mode 100755 docs/pki_check.sh diff --git a/ChangeLog b/ChangeLog index 1806893e39..c418deef39 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +Thu Jul 12 17:48:40 CEST 2007 Daniel Veillard + + * docs/libvir.html docs/remote.html: update the remote page, + add an index + * docs/pki_check.sh: shell script to check the PKI and client/server + environment. + Thu Jul 12 11:15:17 EST 2007 Daniel P. Berrange * src/remote_internal.c: Explicitly check certificate/key files diff --git a/docs/libvir.html b/docs/libvir.html index 69e3451f68..0a64973aa4 100644 --- a/docs/libvir.html +++ b/docs/libvir.html @@ -1432,6 +1432,27 @@ use the mailing-list if you don't get an answer there.

Libvirt allows you to access hypervisors running on remote machines through authenticated and encrypted connections.

+

Basic usage

@@ -1680,7 +1701,7 @@ Note that parameter values must be

Generating TLS certificates

-

Public Key Infrastructure set up

+

Public Key Infrastructure set up

If you are unsure how to create TLS certificates, skip to the @@ -2038,15 +2059,19 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem

On the server side, run the libvirtd server with -the '--remote' and '--verbose' options while the +the '--listen' and '--verbose' options while the client is connecting. The verbose log messages should tell you enough to diagnose the problem.

+

You can use the pki_check.sh shell script +to analyze the setup on the client or server machines, preferably as root. +It will try to point out the possible problems and provide solutions to +fix the set up up to a point where you have secure remote access.

-

libvirtd configuration

+

libvirtd configuration file

Libvirtd (the remote daemon) is configured from a file called @@ -2059,6 +2084,8 @@ the command line using -f filename or This file should contain lines of the form below. Blank lines and comments beginning with # are ignored.

+
setting = value
+

The following settings, values and default are:

diff --git a/docs/pki_check.sh b/docs/pki_check.sh new file mode 100755 index 0000000000..10cdb7d146 --- /dev/null +++ b/docs/pki_check.sh 
@@ -0,0 +1,260 @@
+#!/bin/sh
+#
+# This shell script checks the TLS certificates and options needed
+# for the secure client/server support of libvirt as documented at
+# http://libvirt.org/remote.html#Remote_certificates
+#
+# Daniel Veillard
+#
+USER=`who am i | awk '{ print $1 }'`
+SERVER=1
+CLIENT=1
+PORT=16514
+#
+# First get certtool
+#
+CERTOOL=`which certtool 2>/dev/null`
+if [ ! -x $CERTOOL ]
+then
+ echo Could not locate the certtool program
+ echo make sure the gnutls-utils package is installed
+ exit 1
+fi
+echo Found $CERTOOL
+
+#
+# Check the directory structure
+#
+PKI="/etc/pki"
+if [ ! -d $PKI ]
+then
+ echo the $PKI directory is missing, it is usually
+ echo installed as part of the filesystem or openssl packages
+ exit 1
+fi
+
+if [ ! -r $PKI ]
+then
+ echo the $PKI directory is not readable by $USER
+ echo "as root do: chmod a+rx $PKI"
+ exit 1
+fi
+if [ ! -x $PKI ]
+then
+ echo the $PKI directory is not listable by $USER
+ echo "as root do: chmod a+rx $PKI"
+ exit 1
+fi
+
+CA="$PKI/CA"
+if [ ! -d $CA ]
+then
+ echo the $CA directory is missing, it is usually
+ echo installed as part of the or openssl package
+ exit 1
+fi
+
+if [ ! -r $CA ]
+then
+ echo the $CA directory is not readable by $USER
+ echo "as root do: chmod a+rx $CA"
+ exit 1
+fi
+if [ ! -x $CA ]
+then
+ echo the $CA directory is not listable by $USER
+ echo "as root do: chmod a+rx $CA"
+ exit 1
+fi
+
+LIBVIRT="$PKI/libvirt"
+if [ ! -d $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is missing, it is usually
+ echo installed by the libvirt package
+ echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT"
+ exit 1
+fi
+
+if [ ! -r $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is not readable by $USER
+ echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
+ exit 1
+fi
+if [ ! -x $LIBVIRT ]
+then
+ echo the $LIBVIRT directory is not listable by $USER
+ echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
+ exit 1
+fi
+
+LIBVIRTP="$LIBVIRT/private"
+if [ ! -d $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is missing, it is usually
+ echo installed by the libvirt package
+ echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP"
+ exit 1
+fi
+
+if [ ! -r $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is not readable by $USER
+ echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
+ exit 1
+fi
+if [ ! -x $LIBVIRTP ]
+then
+ echo the $LIBVIRTP directory is not listable by $USER
+ echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
+ exit 1
+fi
+
+#
+# Now check the certificates
+# First the CA certificate
+#
+if [ ! -f $CA/cacert.pem ]
+then
+ echo the CA certificate $CA/cacert.pem is missing while it
+ echo should be installed on both client and servers
+ echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
+ echo on how to install it
+ exit 1
+fi
+if [ ! -r $CA/cacert.pem ]
+then
+ echo the CA certificate $CA/cacert.pem is not readable by $USER
+ echo "as root do: chmod 644 $CA/cacert.pem"
+ exit 1
+fi
+ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep Issuer | sed 's+Issuer: CN=++'`
+if [ "$ORG" == "" ]
+then
+ echo the CA certificate $CA/cacert.pem does not define the organization
+ echo it should probably regenerated
+ echo "see http://libvirt.org/remote.html#Remote_TLS_CA"
+ echo on how to regenerate it
+ exit 1
+fi
+echo Found CA certificate $CA/cacert.pem for $ORG
+
+# Second the client certificates
+
+if [ -f $LIBVIRT/clientcert.pem ]
+then
+ if [ ! -r $LIBVIRT/clientcert.pem ]
+ then
+ echo Client certificate $LIBVIRT/clientcert.pem should be world readable
+ echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
+ else
+ S_ORG=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
+ if [ "$ORG" != "$S_ORG" ]
+ then
+ echo The CA certificate and the client certificate do not match
+ echo CA organization: $ORG
+ echo Client organization: $S_ORG
+ fi
+ CLIENT=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
+ echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
+ if [ ! -e $LIBVIRTP/clientkey.pem ]
+ then
+ echo Missing client private key $LIBVIRTP/clientkey.pem
+ else
+ echo Found client private key $LIBVIRTP/clientkey.pem
+ OWN=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $3 }'`
+ MOD=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $1 }'`
+ if [ "$OWN" != "root" ]
+ then
+ echo The client private key should be owned by root
+ echo "as root do: chown root $LIBVIRTP/clientkey.pem"
+ fi
+ if [ "$MOD" != "-rw-r--r--" ]
+ then
+ echo The client private key need to be read by client tools
+ echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem"
+ fi
+ fi
+
+ fi
+else
+ echo Did not found $LIBVIRT/clientcert.pem client certificate
+ echo The machine cannot act as a client
+ echo "see http://libvirt.org/remote.html#Remote_TLS_client_certificates"
+ echo on how to regenerate it
+ CLIENT=0
+fi
+
+# Third the server certificates
+
+if [ -f $LIBVIRT/servercert.pem ]
+then
+ if [ ! -r $LIBVIRT/servercert.pem ]
+ then
+ echo Server certificate $LIBVIRT/servercert.pem should be world readable
+ echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
+ else
+ S_ORG=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
+ if [ "$ORG" != "$S_ORG" ]
+ then
+ echo The CA certificate and the server certificate do not match
+ echo CA organization: $ORG
+ echo Server organization: $S_ORG
+ fi
+ S_HOST=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
+ if [ "$S_HOST" != "`hostname -s`" -a "$S_HOST" != "`hostname`" ]
+ then
+ echo The server certificate does not seem to match the host name
+ echo hostname: '"'`hostname`'"'
+ echo Server certificate CN: '"'$S_HOST'"'
+ fi
+ echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST
+ if [ ! -e $LIBVIRTP/serverkey.pem ]
+ then
+ echo Missing server private key $LIBVIRTP/serverkey.pem
+ else
+ echo Found server private key $LIBVIRTP/serverkey.pem
+ OWN=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $3 }'`
+ MOD=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $1 }'`
+ if [ "$OWN" != "root" ]
+ then
+ echo The server private key should be owned by root
+ echo "as root do: chown root $LIBVIRTP/serverkey.pem"
+ fi
+ if [ "$MOD" != "-rw-------" ]
+ then
+ echo The server private key need to be read only by root
+ echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem"
+ fi
+ fi
+
+ fi
+else
+ echo Did not found $LIBVIRT/servercert.pem server certificate
+ echo The machine cannot act as a server
+ echo "see http://libvirt.org/remote.html#Remote_TLS_server_certificates"
+ echo on how to regenerate it
+ SERVER=0
+fi
+
+if [ "$SERVER" = "1" ]
+then
+ if [ -r /etc/sysconfig/libvirtd ]
+ then
+ if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
+ then
+ echo Make sure /etc/sysconfig/libvirtd is setup to listen to
+ echo TCP/IP connections and restart the libvirtd service
+ fi
+ fi
+ if [ -r /etc/sysconfig/iptables ]
+ then
+ if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
+ then
+ echo Make sure /etc/sysconfig/iptables is setup to allow
+ echo incoming TCP/IP connections on port $PORT and
+ echo restart the iptables service
+ fi
+ fi
+fi
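Review bot: The certtool guard near the top of docs/pki_check.sh does not fire when `which` finds nothing, because `[ ! -x $CERTOOL ]` with an empty unquoted value collapses to `[ ! -x ]`, which evaluates false, so the script prints `Found` with an empty path and later tries to run the empty `$CERTOOL` command; change it to `if [ -z "$CERTOOL" ] || [ ! -x "$CERTOOL" ]`, and quote the expansion in the other `[ ... ]` path tests as well. The script is declared `#!/bin/sh` yet `[ "$ORG" == "" ]` is a bash-only operator that a POSIX sh rejects; `[ -z "$ORG" ]` is the portable form. In the clientkey.pem branch the expected mode is `-rw-r--r--` and the suggested fix is `chmod 644`, which leaves the client private key readable by every local account; the advice should instead restrict the key to the user or group that runs the client tools, as the serverkey.pem branch already does with `chmod 600`. Both key checks also derive owner and mode by parsing the first and third fields of `ls -l`, which on some systems carry an ACL or security-context suffix and would then produce a false mismatch; `stat` output is a more reliable source for those values.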
diff --git a/docs/remote.html b/docs/remote.html index fe9e1b5519..22eaddefd1 100644 --- a/docs/remote.html +++ b/docs/remote.html @@ -3,7 +3,24 @@ Remote support

Remote support

Libvirt allows you to access hypervisors running on remote machines through authenticated and encrypted connections. -

Basic usage

+

Basic usage

On the remote machine, libvirtd should be running. See the section on configuring libvirtd for more information. @@ -178,7 +195,7 @@ Note that parameter values must be

-
Example: no_verify=1

Generating TLS certificates

Public Key Infrastructure set up

+

Generating TLS certificates

Public Key Infrastructure set up

If you are unsure how to create TLS certificates, skip to the next section.

@@ -415,12 +432,15 @@ cp clientcert.pem /etc/pki/libvirt/clientcert.pem

On the server side, run the libvirtd server with -the '--remote' and '--verbose' options while the +the '--listen' and '--verbose' options while the client is connecting. The verbose log messages should tell you enough to diagnose the problem.

-

libvirtd configuration

+

You can use the pki_check.sh shell script +to analyze the setup on the client or server machines, preferably as root. +It will try to point out the possible problems and provide solutions to +fix the set up up to a point where you have secure remote access.

libvirtd configuration file

Libvirtd (the remote daemon) is configured from a file called /etc/libvirt/libvirtd.conf, or specified on the command line using -f filename or @@ -428,7 +448,7 @@ the command line using -f filename or

This file should contain lines of the form below. Blank lines and comments beginning with # are ignored. -

Location
+

setting = value

The following settings, values and default are:

Line
-- GitLab
Line Default Meaning
listen_tls [0|1]