Anastasiya Ruzhanskaya
2018-Nov-22 06:58 UTC
[libvirt-users] Remote and local connections at the same time (Centos 7)
Hello!

I was investigating libvirt a year ago regarding its remote control. I figured out the necessary settings for configuring remote control in Ubuntu (setting flags in libvirt setting files). Now I have several questions:

1) Are these flags the same for CentOS? They did not work for me. My flags for Ubuntu are (for tcp, for example):

  /etc/libvirt/libvirtd.conf:
    listen_tls = 0
    listen_tcp = 1
    listen_addr = "0.0.0.0"
    auth_tcp = "none"

  /etc/init/libvirt-bin.conf, add -l (listen):
    env libvirtd_opts="-d -l"

  /etc/default/libvirt-bin, add -l:
    libvirtd_opts="-d -l"

2) Can the remote control be configured along with local on one machine? For example, in one configuration I want to run libvirt on this machine and accept incoming remote calls, and at the same time I want to be able to run virtual machines locally on the same machine. Are these two things somehow connected, or am I free to set up both of them? As I see it, the flags touch not only libvirtd settings, but also libvirt settings.
Jiri Denemark
2018-Nov-22 09:31 UTC
Re: [libvirt-users] Remote and local connections at the same time (Centos 7)
On Thu, Nov 22, 2018 at 09:58:41 +0300, Anastasiya Ruzhanskaya wrote:
> Hello!
> I was investigating libvirt a year ago regarding its remote control. I
> figured out necessary settings for configuring remote control in ubuntu
> (setting flags in libvirt setting files). Now I have several questions:
>
> 1) Are these flags the same for Centos?
> They did not work for me.
> My flags for ubuntu are (for tcp for example):
>
> /etc/libvirt/libvirtd.conf : listen_tls = 0, listen_tcp = 1,
> listen_addr = "0.0.0.0", auth_tcp = "none"

These configuration options are the same in all distros. But, listening on TCP without any encryption and authentication is very dangerous and it should not be used. A connection to system libvirtd is equivalent to having a root account and I believe you don't want to provide root access to anyone connecting to an open TCP port, do you? See https://libvirt.org/remote.html for more details about remote access.

> /etc/init/libvirt-bin.conf: add -l (listen): env libvirtd_opts="-d -l"
> /etc/default/libvirt-bin add -l: libvirtd_opts="-d -l"

This is different in CentOS. You need to edit the /etc/sysconfig/libvirtd file and uncomment LIBVIRTD_ARGS="--listen".

> 2) Can the remote control be configured along with local on one machine?

Yes, local access via UNIX sockets is always enabled. That is, enabling remote access as described above will allow you to connect to libvirtd both locally and remotely.

Jirka
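As an added illustration of the point Jiri makes (not code from the thread or from libvirt), the following script parses the libvirtd.conf keys discussed above and flags the dangerous combination, a TCP listener with auth_tcp = "none", next to the TLS configuration that https://libvirt.org/remote.html recommends. Both config texts are constructed samples, and the parser only handles the simple key = value subset of the file.

```python
import re

# Constructed sample configs for this example (not taken from any real host).
UNSAFE_CONF = '''
listen_tls = 0
listen_tcp = 1
listen_addr = "0.0.0.0"   # binds every interface
auth_tcp = "none"         # no authentication at all
'''

SAFER_CONF = '''
listen_tls = 1
listen_tcp = 0
auth_tls = "sasl"
'''

_KV = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.+?)\s*$')


def parse_libvirtd_conf(text):
    """Parse the key = value subset of libvirtd.conf used here.
    Comments are stripped, quoted strings unquoted, bare integers converted."""
    settings = {}
    for raw in text.splitlines():
        m = _KV.match(raw.split('#', 1)[0])
        if not m:
            continue
        key, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        elif value.isdigit():
            value = int(value)
        settings[key] = value
    return settings


def audit_remote_access(settings):
    """Flag the combination from the thread: a TCP listener whose
    authentication is 'none'. Returns a list of human-readable findings.
    Local UNIX-socket access is always on, so no listener at all is fine."""
    findings = []
    if settings.get('listen_tcp') == 1:
        auth = settings.get('auth_tcp')
        if auth == 'none':
            findings.append('CRITICAL: listen_tcp=1 with auth_tcp="none" gives any TCP '
                            'client unauthenticated, root-equivalent libvirtd access')
        elif auth is None:
            findings.append('WARNING: listen_tcp=1 with auth_tcp unset; confirm the '
                            'effective default before exposing the port')
        else:
            findings.append('WARNING: listen_tcp=1 is cleartext on the wire; prefer '
                            'listen_tls=1 (see https://libvirt.org/remote.html)')
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config text and audit it."""
    return audit_remote_access(parse_libvirtd_conf(text))
```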
Anastasiya Ruzhanskaya
2018-Nov-22 10:29 UTC
Re: [libvirt-users] Remote and local connections at the same time (Centos 7)
Thank you for the answer!

Yes, I use TLS when I want to have encryption, tcp just for testing purposes. I am building my proxy for filtering traffic between two machines in virt-manager. Decryption of tls with, for example, mitmproxy is easy. But when the user chooses sasl with the default mechanism (gssapi), it becomes harder to decrypt. Where should I look to find out how libvirt does this decryption when sasl is used?

On Thu, 22 Nov 2018 at 12:31, Jiri Denemark <jdenemar@redhat.com> wrote:
> On Thu, Nov 22, 2018 at 09:58:41 +0300, Anastasiya Ruzhanskaya wrote:
> > Hello!
> > I was investigating libvirt a year ago regarding its remote control. I
> > figured out necessary settings for configuring remote control in ubuntu
> > (setting flags in libvirt setting files). Now I have several questions:
> >
> > 1) Are these flags the same for Centos?
> > They did not work for me.
> > My flags for ubuntu are (for tcp for example):
> >
> > /etc/libvirt/libvirtd.conf : listen_tls = 0, listen_tcp = 1,
> > listen_addr = "0.0.0.0", auth_tcp = "none"
>
> These configuration options are the same in all distros. But, listening
> on TCP without any encryption and authentication is very dangerous and
> it should not be used. A connection to system libvirtd is equivalent to
> having a root account and I believe you don't want to provide root
> access to anyone connecting to an open TCP port, do you? See
> https://libvirt.org/remote.html for more details about remote access.
>
> > /etc/init/libvirt-bin.conf: add -l (listen): env libvirtd_opts="-d -l"
> > /etc/default/libvirt-bin add -l: libvirtd_opts="-d -l"
>
> This is different in CentOS. You need to edit /etc/sysconfig/libvirtd
> file and uncomment LIBVIRTD_ARGS="--listen".
>
> > 2) Can the remote control be configured along with local on one machine?
>
> Yes, local access via UNIX sockets is always enabled. That is, enabling
> remote access as described above will allow you to connect to libvirtd
> both locally and remotely.
>
> Jirka