On Thu, Aug 22, 2013 at 06:28:20AM -0400, Itamar Heim wrote:
> On 08/16/2013 04:14 AM, navin p wrote:
> > Hi,
> >   I have a couple of RHEV hosts (ovpxen, RHV2, RHV10 etc.) and I'm trying
> > to connect from one of the client machines (C1). All the RHEV hosts have
> > libvirt modified by vdsm. It looks like the below:
> >
> > ## beginning of configuration section by vdsm-4.10.2
> > listen_addr="0.0.0.0"
> > unix_sock_group="kvm"
> > unix_sock_rw_perms="0770"
> > auth_unix_rw="sasl"
> > host_uuid="036118ab-705f-4aeb-9a13-013dc8af6b41"
> > keepalive_interval=-1
> > log_outputs="1:file:/var/log/libvirtd.log"
> > log_filters="3:virobject 3:virfile 2:virnetlink 3:cgroup 3:event 3:json 1:libvirt 1:util 1:qemu"
> > ca_file="/etc/pki/vdsm/certs/cacert.pem"
> > cert_file="/etc/pki/vdsm/certs/vdsmcert.pem"
> > key_file="/etc/pki/vdsm/keys/vdsmkey.pem"
> > ## end of configuration section by vdsm-4.10.2
> >
> > # ls
> > bkp-2013-08-16_110734_cacert.pem    cacert.pem         vdsmcert.pem
> > bkp-2013-08-16_110734_vdsmcert.pem  engine_web_ca.pem
> > [root@ovpxen certs]# pwd
> > /etc/pki/vdsm/certs
> > [root@ovpxen certs]# certtool -i --infile engine_web_ca.pem | head
> > X.509 Certificate Information:
> >         Version: 3
> >         Serial Number (hex): 09
> >         Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> >         Validity:
> >                 Not Before: Wed Jan 23 13:24:14 UTC 2013
> >                 Not After: Sun Jan 22 07:54:14 UTC 2023
> >         Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> >         Subject Public Key Algorithm: RSA
> >                 Modulus (bits 1024):
> >
> > certtool -i --infile cacert.pem | head
> > X.509 Certificate Information:
> >         Version: 3
> >         Serial Number (hex): 09
> >         Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> >         Validity:
> >                 Not Before: Wed Jan 23 13:24:14 UTC 2013
> >                 Not After: Sun Jan 22 07:54:14 UTC 2023
> >         Subject: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> >         Subject Public Key Algorithm: RSA
> >                 Modulus (bits 1024):
> >
> > [root@ovpxen certs]# certtool -i --infile vdsmcert.pem | head
> > X.509 Certificate Information:
> >         Version: 3
> >         Serial Number (hex): 0c
> >         Issuer: C=US,O=HP,CN=CA-IWFVM00772.hpswlabs.adapps.hp.com.64431
> >         Validity:
> >                 Not Before: Thu Aug 15 11:09:22 UTC 2013
> >                 Not After: Wed Aug 15 05:39:22 UTC 2018
> >         Subject: O=HP,CN=16.184.46.53
> >         Subject Public Key Algorithm: RSA
> >                 Modulus (bits 2048):
> >
> > Now, from the client C1, which cert should I place in
> > /etc/pki/CA/cacert.pem so that I can access from the client using the URI
> > qemu+tls://ovpxen.ind.hp.com/system?
> > Please note the host IWFVM00772.hpswlabs.adapps.hp.com is an oVirt managed
> > host. It is not the client.
> >
> > My problem here is I can't change the hypervisor hosts, as there are too
> > many of them and they are configured by vdsm. What certs should I take
> > from the host so that I can use them on the client, so that I can connect to
> > multiple hosts from the client using virsh or virt-manager? I need TLS
> > as the remote protocol as I'm trying to automate commands.
>
> You should be able to do read-only access without special config, IIRC.
> Taking actions requires the vdsm password, but worth discussing if
> you want to take actions under the feet of vdsm what they would be.
As Itamar said, you should really know what you are doing - an oVirt cluster should have only ONE manager, which is Engine. Direct connection to Vdsm/libvirt/qemu can easily lead to DoS and data corruption.

But to your question: C1 should not only have a cert, it should have its own Engine-certified key as well. Your easiest way to get it is to add C1 as an oVirt host. This generates a key/cert pair and configures libvirt to use them as a client.

Dan.

_______________________________________________
Users mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/users
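The question in the thread has two checkable parts: which of the PEM files on the host is the CA that issued vdsmcert.pem (that is the file that belongs in the client's /etc/pki/CA/cacert.pem), and whether the name used in the qemu+tls:// URI will pass the libvirt client's comparison of the server certificate's CN/subjectAltName against the host it connected to. In the listing above the server cert's CN is an IP address (16.184.46.53) while the URI names ovpxen.ind.hp.com, which is exactly the kind of mismatch worth detecting before debugging SASL or permissions. The script below is an added example, not code from the thread or from oVirt, vdsm or libvirt: it builds a throwaway PKI (CA names engine-ca and other-ca, host IP 192.0.2.10, URI host ovpxen.example.test are all constructed) and then runs the two checks with openssl. Against a real host you would call pick_ca with vdsmcert.pem, the URI host name and the candidate CA files from /etc/pki/vdsm/certs. It does not generate the client's own Engine-signed key/cert pair that Dan's reply says C1 also needs.

```shell
#!/bin/sh
# Added example, not code from the thread or from oVirt/vdsm/libvirt.
# Given the files a vdsm host ships in /etc/pki/vdsm/certs, report which one
# is the CA that issued the server cert, and whether the host name in the
# qemu+tls:// URI matches the server cert's CN or subjectAltName.
# CA names, the host IP 192.0.2.10 and the URI host ovpxen.example.test are
# constructed for this example; a throwaway PKI stands in for the engine CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA with explicit CA extensions. "openssl x509 -req" takes
# extensions only from -extfile, so this does not depend on openssl.cnf.
mk_ca() {  # $1 = CA name, e.g. engine-ca
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate signed by a CA. The CN is an IP address, like the
# vdsmcert.pem shown in the thread.
mk_host_cert() {  # $1 = issuing CA name, $2 = host IP used as CN and SAN
    printf 'subjectAltName=IP:%s\n' "$2" > "$WORK/san.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$2" \
        -keyout "$WORK/host.key" -out "$WORK/host.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/host.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/san.ext" \
        -out "$WORK/host.pem" 2>/dev/null
}

make_pki() {
    mk_ca engine-ca          # plays the engine CA that signed the host cert
    mk_ca other-ca           # plays an unrelated CA file lying on the host
    mk_host_cert engine-ca 192.0.2.10
}

# 0 if the cert in $2 chains to the CA in $1. Match ": OK" in the output
# instead of trusting the exit status, which old openssl releases did not
# set on failure.
issued_by() {  # $1 = candidate CA file, $2 = server cert
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Names a TLS client may compare the URI host against: the subject CN, then
# each DNS/IP entry of subjectAltName, one per line.
cert_names() {  # $1 = cert
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}' \
        | tr ',' '\n' | sed -e 's/^ *DNS://' -e 's/^ *IP Address://'
}

name_matches() {  # $1 = cert, $2 = host exactly as written in the URI
    cert_names "$1" | grep -qxF "$2"
}

# Walk the candidate CA files, print the one that issued the server cert and
# whether the URI host name matches the cert. Returns 1 if none issued it.
pick_ca() {  # $1 = server cert, $2 = URI host, $3.. = candidate CA files
    cert=$1; host=$2; shift 2
    for ca in "$@"; do
        if issued_by "$ca" "$cert"; then
            echo "issuer CA: $ca"
            if name_matches "$cert" "$host"; then
                echo "name OK: $host"
            else
                echo "name MISMATCH: $host (cert names: $(cert_names "$cert" | tr '\n' ' '))"
            fi
            return 0
        fi
    done
    echo "no candidate CA issued $cert" >&2
    return 1
}

# Demo mirroring the thread: the cert names an IP, the URI uses a DNS name.
make_pki
pick_ca "$WORK/host.pem" ovpxen.example.test "$WORK/other-ca.pem" "$WORK/engine-ca.pem"
```

The demo reports engine-ca.pem as the issuer and a name mismatch for ovpxen.example.test, because the cert only names 192.0.2.10. On the real hosts the same call distinguishes cacert.pem from engine_web_ca.pem only if they differ; in the listing above both show the same issuer, subject and serial, so either copy verifies the chain, and the remaining problem is the CN/URI mismatch, which a client can only resolve by connecting to the name the cert carries or by getting hosts re-enrolled with certs that carry the DNS name.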

