Libvirt-based virtualization management: difference between revisions

==== TLS + SASL ====
===== Server setup =====
 
The ''libvirtd.conf'' file:
<pre>
listen_tcp = 1
unix_sock_group = "kvm"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt"
auth_unix_ro = "sasl"
auth_tcp = "sasl"
auth_tls = "sasl"
</pre>
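A pre-flight review of the listener settings above, as an added example (written for this page, not code from the wiki's author). It reads a libvirtd.conf, fills in libvirt's documented defaults for unset keys (listen_tls = 1, auth_tcp = sasl, auth_unix_rw = polkit, unix_sock_rw_perms = 0700; these defaults are an assumption of the example), and reports what a reviewer looks for before libvirtd is reachable over the network: a plain TCP listener, auth modes set to "none", a missing TLS listener and a world-writable read/write socket. The two sample files are constructed inline: page.conf copies the page's values, weak.conf is a deliberately weakened variant for comparison.

```shell
#!/bin/sh
# Added example, not from the original page: a pre-flight review of the
# listener settings in a libvirtd.conf, run before libvirtd is exposed on the
# network. It reports a plain TCP listener (protected only by the SASL
# security layer), auth_* modes set to "none", a missing TLS listener, and a
# read/write UNIX socket that is world-writable. The two configs below are
# constructed here: page.conf copies the page's values, weak.conf is a
# deliberately weakened variant for comparison.

# conf_get FILE KEY: print the last value assigned to KEY, quotes stripped.
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
              -e 's/^"//' -e 's/"[[:space:]]*$//'
}

# audit_libvirtd_conf FILE: print one finding per line and return their count.
# Unset keys take libvirt's documented defaults (assumed here).
audit_libvirtd_conf() {
    f="$1"; n=0
    listen_tcp=$(conf_get "$f" listen_tcp)
    listen_tls=$(conf_get "$f" listen_tls);        [ -n "$listen_tls" ]   || listen_tls=1
    auth_tcp=$(conf_get "$f" auth_tcp);            [ -n "$auth_tcp" ]     || auth_tcp=sasl
    auth_unix_rw=$(conf_get "$f" auth_unix_rw);    [ -n "$auth_unix_rw" ] || auth_unix_rw=polkit
    rw_perms=$(conf_get "$f" unix_sock_rw_perms);  [ -n "$rw_perms" ]     || rw_perms=0700

    if [ "$listen_tcp" = 1 ]; then
        if [ "$auth_tcp" = none ]; then
            echo "auth_tcp = none with listen_tcp = 1: unauthenticated remote access"; n=$((n+1))
        else
            echo "listen_tcp = 1: plain TCP port is open, protected only by the SASL security layer (auth_tcp = $auth_tcp)"; n=$((n+1))
        fi
        if [ "$listen_tls" != 1 ]; then
            echo "listen_tls = $listen_tls: no TLS listener, plain TCP is the only remote path"; n=$((n+1))
        fi
    fi
    if [ "$auth_unix_rw" = none ]; then
        echo "auth_unix_rw = none: anyone who can open the rw socket controls the hypervisor"; n=$((n+1))
    fi
    case "$rw_perms" in
        # other-write bit set in the last octal digit
        *[2367]) echo "unix_sock_rw_perms = $rw_perms: rw socket is world-writable"; n=$((n+1)) ;;
    esac
    return $n
}

# Constructed sample inputs.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/page.conf" <<'EOF'
listen_tcp = 1
unix_sock_group = "kvm"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
unix_sock_dir = "/var/run/libvirt"
auth_unix_ro = "sasl"
auth_tcp = "sasl"
auth_tls = "sasl"
EOF
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
listen_tcp = 1
listen_tls = 0
auth_tcp = "none"
auth_unix_rw = "none"
unix_sock_rw_perms = "0777"
EOF

for c in page weak; do
    echo "== $c.conf"
    audit_libvirtd_conf "$SAMPLE_DIR/$c.conf" || echo "   ($? finding(s))"
done
```

Run against the page's own file it prints a single informational line: listen_tcp = 1 opens the plain port 16509 next to the TLS port 16514, so the SASL mechanism negotiated there is the only protection for that path. The weakened file produces four findings.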
 
Script for creating the keys and certificates:
<blockquote><source lang="bash">
#! /bin/bash
# Generates a private CA, then a server and a client certificate signed by it,
# using GnuTLS certtool. Each step is skipped when its .info template already
# exists, so re-running the script does not overwrite existing keys.
set -e   # stop on the first failed certtool call instead of writing empty files

# CA: the template marks the key as a CA signing key.
CA_NAME="ca"
CA_NAME_INFO="cn = AYT
ca
cert_signing_key"

if [ ! -f "$CA_NAME".info ] ; then
    echo -e "$CA_NAME_INFO" > "$CA_NAME".info
    certtool --generate-privkey > "$CA_NAME"key.pem
    certtool --generate-self-signed --load-privkey "$CA_NAME"key.pem \
        --template "$CA_NAME".info --outfile "$CA_NAME"cert.pem
fi

# Server: "cn" must be the FQDN clients connect to; libvirt clients check it
# against the server certificate.
SERVER_NAME="server"
SERVER_NAME_INFO="organization = AYT
cn = FQDN of server
tls_www_server
encryption_key
signing_key
"

if [ ! -f "$SERVER_NAME".info ] ; then
    echo -e "$SERVER_NAME_INFO" > "$SERVER_NAME".info
    certtool --generate-privkey > "$SERVER_NAME"key.pem
    certtool --generate-certificate --load-privkey "$SERVER_NAME"key.pem \
        --load-ca-certificate "$CA_NAME"cert.pem --load-ca-privkey "$CA_NAME"key.pem \
        --template "$SERVER_NAME".info --outfile "$SERVER_NAME"cert.pem
fi

# Client: signed by the same CA; the client private key belongs on the client host only.
CLIENT_NAME="client"
CLIENT_NAME_INFO="country = RU
state = Moscow
locality = Moscow
organization = RH
cn = libvirt1cli
tls_www_client
encryption_key
signing_key
"

if [ ! -f "$CLIENT_NAME".info ] ; then
    echo -e "$CLIENT_NAME_INFO" > "$CLIENT_NAME".info
    certtool --generate-privkey > "$CLIENT_NAME"key.pem
    certtool --generate-certificate --load-privkey "$CLIENT_NAME"key.pem \
        --load-ca-certificate "$CA_NAME"cert.pem --load-ca-privkey "$CA_NAME"key.pem \
        --template "$CLIENT_NAME".info --outfile "$CLIENT_NAME"cert.pem
fi
</source></blockquote>
 
Certificate locations on the server:
 
<pre>
/etc/pki/
|-- CA
|   `-- cacert.pem
`-- libvirt
    |-- clientcert.pem
    |-- private
    |   `-- serverkey.pem
    `-- servercert.pem
</pre>
 
Checking the certificates and their locations:
<pre>
# virt-pki-validate

Found /usr/bin/certtool
Found CA certificate /etc/pki/CA/cacert.pem for AYT
The CA certificate and the client certificate do not match
CA organization: AYT
Client organization: RH
Found client certificate /etc/pki/libvirt/clientcert.pem for libvirt
Missing client private key /etc/pki/libvirt/private/clientkey.pem
Found server certificate /etc/pki/libvirt/servercert.pem for FQDN.NAME
Found server private key /etc/pki/libvirt/private/serverkey.pem
</pre>
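The virt-pki-validate run above flags two things that are already visible in the templates the generation script writes: the client organization (RH) differs from the CA's, and the server "cn" is still a placeholder. The added example below (written for this page, not the wiki's or libvirt's own code) performs those checks on the certtool .info templates before any key is generated, and then checks the installed /etc/pki layout the way virt-pki-validate does, including whether the private key is readable by group or others. The templates are constructed copies of the page's (plus a corrected set with a made-up server name, kvm1.example.internal), and the layout check runs on a temporary directory shaped like the page's tree, so nothing under the real /etc/pki is touched.

```shell
#!/bin/sh
# Added example, not from the original page: checks that mirror what
# virt-pki-validate reports, one on the certtool .info templates before keys
# are generated, one on the installed /etc/pki layout afterwards. All inputs
# below are constructed in a temp directory; the real /etc/pki is not read.

WORK=$(mktemp -d)

# tmpl_get FILE KEY: value of a "KEY = value" line in a certtool template.
tmpl_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1; }
# tmpl_has FILE FLAG: true when a bare flag line such as "ca" or "tls_www_server" exists.
tmpl_has() { grep -Eqx "[[:space:]]*$2[[:space:]]*" "$1"; }

# check_templates CA.info SERVER.info CLIENT.info: one finding per line, nothing when clean.
check_templates() {
    ca="$1"; srv="$2"; cli="$3"
    { tmpl_has "$ca" ca && tmpl_has "$ca" cert_signing_key; } \
        || echo "CA template lacks 'ca' or 'cert_signing_key'"
    tmpl_has "$srv" tls_www_server || echo "server template lacks 'tls_www_server'"
    tmpl_has "$cli" tls_www_client || echo "client template lacks 'tls_www_client'"
    case "$(tmpl_get "$srv" cn)" in
        ""|"FQDN of server")
            echo "server cn is the placeholder; clients compare it with the host name they connect to" ;;
    esac
    ca_org=$(tmpl_get "$ca" organization)
    cli_org=$(tmpl_get "$cli" organization)
    [ -n "$ca_org" ] || echo "CA template sets no organization"
    [ "$ca_org" = "$cli_org" ] \
        || echo "organization mismatch: CA '$ca_org' vs client '$cli_org' (what virt-pki-validate calls 'do not match')"
}

# check_layout ROOT ROLE: report files missing under ROOT (normally /etc/pki)
# for ROLE server|client, and a private key readable by group or others.
check_layout() {
    root="$1"; role="$2"
    case "$role" in
        server) cert=libvirt/servercert.pem; key=libvirt/private/serverkey.pem ;;
        client) cert=libvirt/clientcert.pem; key=libvirt/private/clientkey.pem ;;
        *) echo "unknown role $role"; return 1 ;;
    esac
    for rel in CA/cacert.pem "$cert" "$key"; do
        [ -f "$root/$rel" ] || echo "missing $root/$rel"
    done
    # columns 5-10 of ls -l are the group and other permission bits
    if [ -f "$root/$key" ] && [ "$(ls -ld "$root/$key" | cut -c5-10)" != "------" ]; then
        echo "$root/$key is readable by group or others ($(ls -ld "$root/$key" | cut -c1-10))"
    fi
}

# Constructed inputs: the page's templates, then a corrected set.
mkdir -p "$WORK/page" "$WORK/fixed"
printf 'cn = AYT\nca\ncert_signing_key\n' > "$WORK/page/ca.info"
printf 'organization = AYT\ncn = FQDN of server\ntls_www_server\nencryption_key\nsigning_key\n' > "$WORK/page/server.info"
printf 'country = RU\nstate = Moscow\nlocality = Moscow\norganization = RH\ncn = libvirt1cli\ntls_www_client\nencryption_key\nsigning_key\n' > "$WORK/page/client.info"
printf 'organization = AYT\ncn = AYT\nca\ncert_signing_key\n' > "$WORK/fixed/ca.info"
# kvm1.example.internal is a made-up host name standing in for the real FQDN
printf 'organization = AYT\ncn = kvm1.example.internal\ntls_www_server\nencryption_key\nsigning_key\n' > "$WORK/fixed/server.info"
printf 'organization = AYT\ncn = libvirt1cli\ntls_www_client\nencryption_key\nsigning_key\n' > "$WORK/fixed/client.info"

# A server tree shaped like the page's /etc/pki listing (no client key, as on the page),
# with the server key deliberately left group/world readable.
PKI="$WORK/etc/pki"
mkdir -p "$PKI/CA" "$PKI/libvirt/private"
: > "$PKI/CA/cacert.pem"; : > "$PKI/libvirt/servercert.pem"; : > "$PKI/libvirt/clientcert.pem"
: > "$PKI/libvirt/private/serverkey.pem"; chmod 0644 "$PKI/libvirt/private/serverkey.pem"

for s in page fixed; do
    echo "== templates: $s"
    check_templates "$WORK/$s/ca.info" "$WORK/$s/server.info" "$WORK/$s/client.info"
done
echo "== layout, server role"; check_layout "$PKI" server
echo "== layout, client role"; check_layout "$PKI" client
```

On the page's templates the check reports the placeholder cn, the CA's missing organization and the organization mismatch; the corrected set is clean. The layout check for the server role complains only about the key mode, and for the client role only about the absent clientkey.pem, which is exactly the "Missing client private key" line in the page's output and is expected on a host that only acts as a server.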
 
=== KVM ===