OpenVZ libvirt small howto

Published: 2015-10-02

I have been running my projects on openvz for about the past 10 years, I like it because it is stable and simple to handle. Meanwhile on my workstation I have been using libvirt in combination with kvm and qemu for about the same time to test operating systems and network setups as well as coding for certain environments.

libvirt is the management framework that made it easy for me to configure, deploy and run those machines, until a few weeks ago I did not come to my mind that libvirt has had a remote control ability for ages.

When I finally realized the true potential of that management framework and looked up their website, I saw a lot of working connection strings for… xen, qemu, vmware (of all things…), hyper-v and of course, openvz support.

Now for the base setup I had to install libvirt on the box, and make it listen to the external address via tcp. There are multiple ways to do this, and I decided to go with the ssl/tls road.

So I created a pair of certs, placed them into a subfolder I created under /etc/ssl, and then edited the file /etc/libvirt/libvirtd.conf, heres basically the important bits I changed:

listen_tcp = 0
listen_tls = 1
#tcp_port = tcpportno
tls_port = tlsportno
#listen_addr =
#auth_tcp = "sasl"
auth_tls = "sasl"
key_file = ...
ca_file = ...
cert_file = ...
#and for debugging
#tls_no_sanity_certificate = 1
#tls_no_verify_certificate = 1

Finally, I installed the sasl tools and setup a sasl user and password combination:

cd /etc/sasl2
vi /etc/sasl2/libvirt.conf:
mech_list: digest-md5
sasldb_path: /etc/libvirt/passwd.db
vi /etc/default/saslauthd:
service saslauthd restart
cd /etc/libvirt
saslpasswd2 -a libvirt myuser
service libvirt-bin restart
and to check:
sasldblistusers2 -f /etc/libvirt/passwd.db
should output something like this:
myuser@host: userPassword
and finally check if the tcp/tls port is open n up:
netstat -ntlp |grep libvirt
tcp        0      0 *               LISTEN      22045/libvirtd  
tcp6       0      0 :::16514                :::*                    LISTEN      22045/libvirtd

Now I have the following string added to my bashrc to access the openvz box, and it works like a charm:

alias openvz='virsh -c openvz://hostname/system?no_verify=1'