libvirt users - Oct 2010 - Virt-v2v

Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions purchased.

Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi host to
KVM host.

Have enabled SSH on ESXi host, and can connect using esx+ssh://esxhost, but
procedure fails because nc isn't found on ESXi. Fair enough. BTW, ESXi looks
like a radically cut down RH system (/etc/sysconfig being the give-away)?

So, using esx:// connection method which presumably uses TLS ...


Connection commands I'm trying to use:

virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs 'HPTRIM
Sandbox'
virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM Sandbox'

I have eliminated libvirt error messages (all #38) relating to
/etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by creating
those files on KVM host according to info on this page:

http://libvirt.org/remote.html#Remote_libvirtd_configuration

Now I am down to a simple connection refused error message:

virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38, message:
unable to connect to 'esxhost': Connection refused

I have also tried suggestion on webpage above regarding these libvirtd.conf
settings and restarted libvirtd:

tls_no_verify_certificate = 1
key_file = ""
cert_file = ""
ca_file = ""
crl_file = ""

... But no change.

The problem may well be the TLS certificates, PKI isn't one of my strong
points. I believe the hostnames in the certificates are correct. Which
certificates (if any) should be copied to the ESXi host (client or server)?
Should I copy any certificates from /etc/vmware/ssl to the KVM host, if so which
certificate (rui.crt or rui.key) and where to?

There doesn't appear to be anything resembling an iptables firewall in place
on the ESXi host.

Anyway, any suggestions on what the problem could be greatly appreciated.

Michael Hall
IT Communications Officer
Alice Springs Town Council

virt-v2v connect to the ESX through libvirt ESX driver, here is the link,

http://www.libvirt.org/drvesx.html

why not just try the simple way to see what's going on,  you could set

virsh -c  esx://esxhost/?no_verify=1

btw, hope the below mail can help something,

2010/7/3 adrian wyssen<wyssenadrian gmail com>:
>   Hello everyone
>   I am really new to libvirt and I have to use it with ESXi. I was writing
>   code for listing the virtual machines in a ESXi server. If I connect me
with
>   the virsh to the ESXi server, it works. But since I can not create any
>   certificates on the server (ESXi does not have any console...) I have to
use
>   the no_verify option (esx://host/?no_verify=1)
>   I want to do the same with the API, but when I use this string in the uri
>   parameter of the following code
>   conn = virConnectOpenAuth(uri, virConnectAuthPtrDefault, 0);
>   the system returns "libvir: Remote error : Cannot access CA
certificate
>   '/etc/pki/CA/cacert.pem': No such file or directory
>   No connection to hypervisor"
>   What method can I use to be able to connect to the server by ignoring the
>   missing certificate? Another question is: Are there any example codes for
>   using ESX(i), because as I said I am really new with libvirt and I did
not
>   find any examples.
>   Thanks a lot for your help.
>   Adrian
The certificates libvirt is complaining about have nothing to do with

the certificates for ESX(i).

By default libvirt uses a TLS connection to a remote libvirtd (a

daemon). This daemon is used to allow remote management of hypervisors

that don't have remote capabilities on their own, like QEMU. For

ESX(i) this daemon is not necessary, because libvirt directly uses the

remote SOAP API provided by the ESX(i) server.

By default libvirt uses a HTTPS connection to the ESX(i) server.

Proper HTTPS requires correctly configured SSL certificates, this

certificates are different from the certificates for libvirt's TLS

connection to libvirtd. In case of a default ESX(i) installation the

ESX(i) server has auto-generated self-signed certificates. And in

general those cannot be verified by your client because your client

doesn't have the cacert.pem that corresponds to the private key that

the ESX(i) server used to sign the auto-generated self-signed

certificates.

That's the reason why libvirt allows you to disable those certificate

check by appending ?no_verify=1 to the URI.

libvirt complains here about the for the TLS connection to a remote

libvirtd. This is a bit cryptic error that appears because libvirt

don't know what to do with the URI you gave to it and as last option

it tries to connect to a libvirtd on the remote server hoping that the

libvirtd there knows what to do with the URI.

The typical reason why this happens is that your libvirt is build

without ESX support. But you said 'virsh -c esx://host/?no_verify=1'.

Therefore, I assume that's not the case here.

Could it be that you have multiple version of libvirt installed? One

that has ESX support enabled and is used by virsh and one that has ESX

support disabled and that your program links against?

Regarding example code: There is no special ESX libvirt example code,

because libvirt is designed to provide hypervisor independent API.

You can take a look at the examples directory. For example the

hellolibvirt example:

    ./examples/hellolibvirt/hellolibvirt esx://host/?no_verify=1

If that still gives you that certificate error, try:

    LIBVIRT_DEBUG=1 LIBVIRT_LOG_OUTPUTS=1:stderr

./examples/hellolibvirt/hellolibvirt esx://host/?no_verify=1

It should list lines like

13:13:23.189: debug : virRegisterDriver:927 : registering ESX as driver 5

...

13:13:23.189: debug : do_open:1242 : trying driver 5 (ESX) ...

If there is no virRegisterDriver or do_open line regarding ESX then

your libvirt is build without ESX support. But i wonder why virsh

works then.

Recent (unreleased) libvirt has better error reporting for this

situation and tells you when you try to use an URI scheme that was

disabled, instead of reporting unexpected certificate errors.

Matthias





On 10/21/2010 03:25 PM, Mike Hall wrote:
> Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions
purchased.
>
> Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi host
to KVM host.
>
> Have enabled SSH on ESXi host, and can connect using esx+ssh://esxhost, but
procedure fails because nc isn't found on ESXi. Fair enough. BTW, ESXi looks
like a radically cut down RH system (/etc/sysconfig being the give-away)?
>
> So, using esx:// connection method which presumably uses TLS ...
>
>
> Connection commands I'm trying to use:
>
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs
'HPTRIM Sandbox'
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM
Sandbox'
>
> I have eliminated libvirt error messages (all #38) relating to
/etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by creating
those files on KVM host according to info on this page:
>
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
>
> Now I am down to a simple connection refused error message:
>
> virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38,
message: unable to connect to 'esxhost': Connection refused
>
> I have also tried suggestion on webpage above regarding these libvirtd.conf
settings and restarted libvirtd:
>
> tls_no_verify_certificate = 1
> key_file = ""
> cert_file = ""
> ca_file = ""
> crl_file = ""
>
> ... But no change.
>
> The problem may well be the TLS certificates, PKI isn't one of my
strong points. I believe the hostnames in the certificates are correct. Which
certificates (if any) should be copied to the ESXi host (client or server)?
> Should I copy any certificates from /etc/vmware/ssl to the KVM host, if so
which certificate (rui.crt or rui.key) and where to?
>
> There doesn't appear to be anything resembling an iptables firewall in
place on the ESXi host.
>
> Anyway, any suggestions on what the problem could be greatly appreciated.
>
> Michael Hall
> IT Communications Officer
> Alice Springs Town Council
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users

-- 
Old soldiers never die, they just fade away

Mohua Li
+86 10 6260 8263 (Direct),IRC,moli
9/F, North Tower C, Raycom Infotech Park ,NO.2 KeXueYuanNanLu, HaiDian District
Beijing, 100190

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://listman.redhat.com/archives/libvirt-users/attachments/20101021/bbb19a79/attachment.htm>

I guess ESX driver is not compiled for your libvirt version.

To   if it's complied, e.g.

# strings /usr/lib64/libvirt.so.0.8.1 | grep esx -i

If you can't see the symbols like "esxDomainCreate,
esxDomainDestroy", it's
not.(In case of CentOS doesn't strip the symbols of libvirt.)

and in that case you need to recompile libvirt from source code and install 
it.

# ./autogen.sh --prefix=/usr --with-esx 
# ./configure
# make
# make install

Hope it works

- Osier
 
----- "Mike Hall" <MHall at astc.nt.gov.au> wrote:
> Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions
> purchased.
> 
> Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi
> host to KVM host.
> 
> Have enabled SSH on ESXi host, and can connect using
> esx+ssh://esxhost, but procedure fails because nc isn't found on ESXi.
> Fair enough. BTW, ESXi looks like a radically cut down RH system
> (/etc/sysconfig being the give-away)?
> 
> So, using esx:// connection method which presumably uses TLS ...
> 
> 
> Connection commands I'm trying to use:
> 
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs
> 'HPTRIM Sandbox'
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM
> Sandbox'
> 
> I have eliminated libvirt error messages (all #38) relating to
> /etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by
> creating those files on KVM host according to info on this page:
> 
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
> 
> Now I am down to a simple connection refused error message:
> 
> virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38,
> message: unable to connect to 'esxhost': Connection refused
> 
> I have also tried suggestion on webpage above regarding these
> libvirtd.conf settings and restarted libvirtd:
> 
> tls_no_verify_certificate = 1
> key_file = ""
> cert_file = ""
> ca_file = ""
> crl_file = ""
> 
> ... But no change.
> 
> The problem may well be the TLS certificates, PKI isn't one of my
> strong points. I believe the hostnames in the certificates are
> correct. Which certificates (if any) should be copied to the ESXi host
> (client or server)?
> Should I copy any certificates from /etc/vmware/ssl to the KVM host,
> if so which certificate (rui.crt or rui.key) and where to?
> 
> There doesn't appear to be anything resembling an iptables firewall in
> place on the ESXi host.
> 
> Anyway, any suggestions on what the problem could be greatly
> appreciated.
> 
> Michael Hall
> IT Communications Officer
> Alice Springs Town Council
> 
> _______________________________________________
> libvirt-users mailing list
> libvirt-users at redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users

2010/10/21 Mike Hall <MHall at astc.nt.gov.au>:
> Usual prologue: we're testing on CentOS 5.5, RHEL subscriptions
purchased.
>
> Now trying to use virt-v2v to transfer Win2008 Server guest from ESXi host
to KVM host.
>
> Have enabled SSH on ESXi host, and can connect using esx+ssh://esxhost, but
procedure fails because nc isn't found on ESXi. Fair enough. BTW, ESXi looks
like a radically cut down RH system (/etc/sysconfig being the give-away)?
libvirt doesn't use ssh or any other transports described at [1] for
ESX. libvirt connects directly to the ESX server using HTTPS without
the need for a libvirtd on the ESX server or any libvirt provided
transport.
> So, using esx:// connection method which presumably uses TLS ...
Well, it uses HTTPS, but it doesn't use the TLS transport as described at
[1].
>
> Connection commands I'm trying to use:
>
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/?no_verify=1 -op vm_nfs
'HPTRIM Sandbox'
This one is probably the correct one, at least the libvirt connection
URI in it is correct.
> virt-v2v -f virt-v2v.conf -ic esx://esxhost/ -op vm_nfs 'HPTRIM
Sandbox'
This one requires that your client computer can verify the HTTPS SSL
certificates installed on the ESX server, but this is unlikely unless
you manually replaced them by certificates that are signed by a known
CA. The no_verify=1 parameter in the first command tells libvirt to
ignore verification errors with this certificates so that it works
with the certificates that come with the ESX server by default.

Note that this HTTPS SSL certificates have nothing to do with the
certificates mention in [1].
> I have eliminated libvirt error messages (all #38) relating to
/etc/pki/CA/cacert.pem and /etc/pki/libvirt/private/clientkey.pem by creating
those files on KVM host according to info on this page:
>
> http://libvirt.org/remote.html#Remote_libvirtd_configuration
Configuring the KVM host with proper certificates is a good idea.
> Now I am down to a simple connection refused error message:
>
> virt-v2v: Failed to connect to esx://esxhost/: libvirt error code: 38,
message: unable to connect to 'esxhost': Connection refused
>
> I have also tried suggestion on webpage above regarding these libvirtd.conf
settings and restarted libvirtd:
>
> tls_no_verify_certificate = 1
> key_file = ""
> cert_file = ""
> ca_file = ""
> crl_file = ""
>
> ... But no change.
libvirt doesn't require a libvirtd on the ESX server.
> The problem may well be the TLS certificates, PKI isn't one of my
strong points. I believe the hostnames in the certificates are correct. Which
certificates (if any) should be copied to the ESXi host (client or server)?
> Should I copy any certificates from /etc/vmware/ssl to the KVM host, if so
which certificate (rui.crt or rui.key) and where to?
>
> There doesn't appear to be anything resembling an iptables firewall in
place on the ESXi host.
>
> Anyway, any suggestions on what the problem could be greatly appreciated.
The first line of your mail gives me the relevant hint. You use CentOS
5.5 and this one comes with libvirt 0.6.5 IIRC, but ESX support was
added to libvirt in 0.7.0. The error messages you get from libvirt are
misleading and have been improved in libvirt 0.8.3.

limohua and Osier already gave the right hints, so I'm basically just
summarize it here. :)

As Osier points out, even if your libvirt is recent enough in general
it might have been compiled without ESX support. In that case you'll
get the same misleading error messages about refused connections or
missing certificates (form libvirt 0.7.0 until 0.8.3).

In order to fix this problem you probably need to update your libvirt
version and make sure that it is compiled with ESX support.

As this seems to be a common problem I'm improving the documentation
about this right now.

[1] http://libvirt.org/remote.html

Matthias