1、修改libivrt的配置文件/etc/libvirt/libivrtd.conf
listen_tls = 1
listen_tcp = 1
tls_port = "16514"
tcp_port = "16509"
listen_addr = "192.168.103.10"
2、制作安全证书
确保已经安装gnutls-utils包
[root@Intel ~]# cat ca.info
cn = Giant Interactive Group INC.
ca
cert_signing_key
[root@Intel ~]# cat server.info
organization = Giant Interactive Group INC.
cn = ztgame
tls_www_server
encryption_key
signing_key
[root@Intel ~]# cat client.info
country = China
state = ShangHai
locality = ShangHai
organization = Giant Interactive Group INC.
cn = client1
tls_www_client
encryption_key
signing_key
注:server.info中的cn = 段为服务器的hostname
a.制作ca
certtool --generate-privkey > cakey.pemcerttool --generate-self-signed --load-privkey cakey.pem \ --template ca.info --outfile cacert.pem把文件cacert.pem分别放到客户端及服务端的/etc/pki/CA/目录可以使用certtool -i --infile cacert.pem 查看证书信息b.制作server端的证书certtool --generate-privkey > serverkey.pemcerttool --generate-certificate --load-privkey serverkey.pem \
--load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
--template server.info --outfile servercert.pem两个文件分别放到服务器端的两个目录,如下:/etc/pki/libvirt/private/serverkey.pem/etc/pki/libvirt/servercert.pem
c.制作clien端的证书certtool --generate-privkey > clientkey.pemcerttool --generate-certificate --load-privkey clientkey.pem \
--load-ca-certificate cacert.pem --load-ca-privkey cakey.pem \
--template client.info --outfile clientcert.pem两个文件分别放到客户端的两个目录,如下:cp clientkey.pem /etc/pki/libvirt/private/clientkey.pem
cp clientcert.pem /etc/pki/libvirt/clientcert.pem
执行pki_check.sh检查下以调试的方式起动libvirtd --listen --verbose4、如果需要libvirtd以监听的方式启动,修改/etc/sysconfig/libvirtdLIBVIRTD_ARGS="--LISTEN"
附pki_check.sh的代码如下#!/bin/sh
#
# This shell script checks the TLS certificates and options needed
# for the secure client/server support of libvirt as documented at
#
#
# Daniel Veillard
#
USER=`who am i | awk '{ print $1 }'`
SERVER=1
CLIENT=1
PORT=16514
#
# First get certtool
#
CERTOOL=`which certtool 2>/dev/null`
if [ ! -x $CERTOOL ]
then
echo Could not locate the certtool program
echo make sure the gnutls-utils package is installed
exit 1
fi
echo Found $CERTOOL
#
# Check the directory structure
#
PKI="/etc/pki"
if [ ! -d $PKI ]
then
echo the $PKI directory is missing, it is usually
echo installed as part of the filesystem or openssl packages
exit 1
fi
if [ ! -r $PKI ]
then
echo the $PKI directory is not readable by $USER
echo "as root do: chmod a+rx $PKI"
exit 1
fi
if [ ! -x $PKI ]
then
echo the $PKI directory is not listable by $USER
echo "as root do: chmod a+rx $PKI"
exit 1
fi
CA="$PKI/CA"
if [ ! -d $CA ]
then
echo the $CA directory is missing, it is usually
echo installed as part of the or openssl package
exit 1
fi
if [ ! -r $CA ]
then
echo the $CA directory is not readable by $USER
echo "as root do: chmod a+rx $CA"
exit 1
fi
if [ ! -x $CA ]
then
echo the $CA directory is not listable by $USER
echo "as root do: chmod a+rx $CA"
exit 1
fi
LIBVIRT="$PKI/libvirt"
if [ ! -d $LIBVIRT ]
then
echo the $LIBVIRT directory is missing, it is usually
echo installed by the libvirt package
echo "as root do: mkdir -m 755 $LIBVIRT ; chown root:root $LIBVIRT"
exit 1
fi
if [ ! -r $LIBVIRT ]
then
echo the $LIBVIRT directory is not readable by $USER
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
exit 1
fi
if [ ! -x $LIBVIRT ]
then
echo the $LIBVIRT directory is not listable by $USER
echo "as root do: chown root:root $LIBVIRT ; chmod 755 $LIBVIRT"
exit 1
fi
LIBVIRTP="$LIBVIRT/private"
if [ ! -d $LIBVIRTP ]
then
echo the $LIBVIRTP directory is missing, it is usually
echo installed by the libvirt package
echo "as root do: mkdir -m 755 $LIBVIRTP ; chown root:root $LIBVIRTP"
exit 1
fi
if [ ! -r $LIBVIRTP ]
then
echo the $LIBVIRTP directory is not readable by $USER
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
exit 1
fi
if [ ! -x $LIBVIRTP ]
then
echo the $LIBVIRTP directory is not listable by $USER
echo "as root do: chown root:root $LIBVIRTP ; chmod 755 $LIBVIRTP"
exit 1
fi
#
# Now check the certificates
# First the CA certificate
#
if [ ! -f $CA/cacert.pem ]
then
echo the CA certificate $CA/cacert.pem is missing while it
echo should be installed on both client and servers
echo "see "
echo on how to install it
exit 1
fi
if [ ! -r $CA/cacert.pem ]
then
echo the CA certificate $CA/cacert.pem is not readable by $USER
echo "as root do: chmod 644 $CA/cacert.pem"
exit 1
fi
ORG=`$CERTOOL -i --infile $CA/cacert.pem | grep Issuer | sed 's+Issuer: CN=++'`
if [ "$ORG" == "" ]
then
echo the CA certificate $CA/cacert.pem does not define the organization
echo it should probably regenerated
echo "see "
echo on how to regenerate it
exit 1
fi
echo Found CA certificate $CA/cacert.pem for $ORG
# Second the client certificates
if [ -f $LIBVIRT/clientcert.pem ]
then
if [ ! -r $LIBVIRT/clientcert.pem ]
then
echo Client certificate $LIBVIRT/clientcert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/clientcert.pem ; chmod 644 $LIBVIRT/clientcert.pem"
else
S_ORG=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z \._-]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the client certificate do not match
echo CA organization: $ORG
echo Client organization: $S_ORG
fi
CLIENT=`$CERTOOL -i --infile $LIBVIRT/clientcert.pem | grep Subject: | sed 's+.*CN=\(.[a-zA-Z \._-]*\).*+\1+'`
echo Found client certificate $LIBVIRT/clientcert.pem for $CLIENT
if [ ! -e $LIBVIRTP/clientkey.pem ]
then
echo Missing client private key $LIBVIRTP/clientkey.pem
else
echo Found client private key $LIBVIRTP/clientkey.pem
OWN=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $3 }'`
MOD=`ls -l $LIBVIRTP/clientkey.pem | awk '{ print $1 }'`
if [ "$OWN" != "root" ]
then
echo The client private key should be owned by root
echo "as root do: chown root $LIBVIRTP/clientkey.pem"
fi
if [ "$MOD" != "-rw-r--r--" ]
then
echo The client private key need to be read by client tools
echo "as root do: chmod 644 $LIBVIRTP/clientkey.pem"
fi
fi
fi
else
echo Did not found $LIBVIRT/clientcert.pem client certificate
echo The machine cannot act as a client
echo "see "
echo on how to regenerate it
CLIENT=0
fi
# Third the server certificates
if [ -f $LIBVIRT/servercert.pem ]
then
if [ ! -r $LIBVIRT/servercert.pem ]
then
echo Server certificate $LIBVIRT/servercert.pem should be world readable
echo "as root do: chown root:root $LIBVIRT/servercert.pem ; chmod 644 $LIBVIRT/servercert.pem"
else
S_ORG=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*O=\([a-zA-Z\. _-]*\).*+\1+'`
if [ "$ORG" != "$S_ORG" ]
then
echo The CA certificate and the server certificate do not match
echo CA organization: $ORG
echo Server organization: $S_ORG
fi
S_HOST=`$CERTOOL -i --infile $LIBVIRT/servercert.pem | grep Subject: | sed 's+.*CN=\([a-zA-Z\. _-]*\)+\1+'`
if [ "$S_HOST" != "`hostname -s`" -a "$S_HOST" != "`hostname`" ]
then
echo The server certificate does not seem to match the host name
echo hostname: '"'`hostname`'"'
echo Server certificate CN: '"'$S_HOST'"'
fi
echo Found server certificate $LIBVIRT/servercert.pem for $S_HOST
if [ ! -e $LIBVIRTP/serverkey.pem ]
then
echo Missing server private key $LIBVIRTP/serverkey.pem
else
echo Found server private key $LIBVIRTP/serverkey.pem
OWN=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $3 }'`
MOD=`ls -l $LIBVIRTP/serverkey.pem | awk '{ print $1 }'`
if [ "$OWN" != "root" ]
then
echo The server private key should be owned by root
echo "as root do: chown root $LIBVIRTP/serverkey.pem"
fi
if [ "$MOD" != "-rw-------" ]
then
echo The server private key need to be read only by root
echo "as root do: chmod 600 $LIBVIRTP/serverkey.pem"
fi
fi
fi
else
echo Did not found $LIBVIRT/servercert.pem server certificate
echo The machine cannot act as a server
echo "see "
echo on how to regenerate it
SERVER=0
fi
if [ "$SERVER" = "1" ]
then
if [ -r /etc/sysconfig/libvirtd ]
then
if [ "`grep '^LIBVIRTD_ARGS' /etc/sysconfig/libvirtd | grep -- '--listen'`" = "" ]
then
echo Make sure /etc/sysconfig/libvirtd is setup to listen to
echo TCP/IP connections and restart the libvirtd service
fi
fi
if [ -r /etc/sysconfig/iptables ]
then
if [ "`grep $PORT /etc/sysconfig/iptables`" = "" ]
then
echo Make sure /etc/sysconfig/iptables is setup to allow
echo incoming TCP/IP connections on port $PORT and
echo restart the iptables service
fi
fi
fi
阅读(1634) | 评论(0) | 转发(0) |
