OpenVZ libvirt small howto
Published: 2015-10-02
libvirt is the management framework that made it easy for me to configure, deploy and run those machines, but until a few weeks ago it had not occurred to me that libvirt has had remote management ability for ages.
When I finally realized the true potential of that management framework and looked at their website, I saw a lot of working connection strings for… xen, qemu, vmware (of all things…), hyper-v and, of course, openvz.
Now for the base setup I had to install libvirt on the box and make it listen on the external address over TCP. There are multiple ways to do this, and I decided to go with the SSL/TLS road.
So I created the certs (a CA certificate, plus a server certificate and key signed by that CA), placed them into a subfolder I created under /etc/ssl, and then edited /etc/libvirt/libvirtd.conf. Here are the important bits I changed:
listen_tcp = 0
...
listen_tls = 1
...
#tcp_port = tcpportno
...
tls_port = tlsportno
...
#listen_addr = 127.0.0.1
...
#auth_tcp = "sasl"
...
auth_tls = "sasl"
...
key_file = ...
ca_file = ...
cert_file = ...
...
#and for debugging
#tls_no_sanity_certificate = 1
#tls_no_verify_certificate = 1
Two things worth knowing about that config: the two tls_no_* options are debug switches only (tls_no_verify_certificate = 1 stops libvirtd from checking client certificates, tls_no_sanity_certificate = 1 skips the sanity checks on its own server certificate), so they stay commented out on anything reachable from a network. And on the libvirt versions of that era the listen_* settings only take effect when libvirtd is started with the --listen (-l) flag (libvirtd_opts in /etc/default/libvirt-bin on Debian/Ubuntu); the netstat check further down tells you whether it actually worked.
Finally, I installed the SASL tools and set up a SASL username and password. With mech_list set to digest-md5 and a sasldb_path, libvirtd checks the password against that sasldb file directly; saslauthd is only consulted with pwcheck_method: saslauthd, so restarting it below does no harm but is not what authenticates here. (DIGEST-MD5 itself was moved to historic by RFC 6331 back in 2011; here it runs inside TLS, so the transport does the real protection.)
cd /etc/sasl2
vi /etc/sasl2/libvirt.conf:
=======================
mech_list: digest-md5
sasldb_path: /etc/libvirt/passwd.db
=======================
vi /etc/default/saslauthd:
=======================
...
START=yes
...
=======================
service saslauthd restart
cd /etc/libvirt
saslpasswd2 -a libvirt myuser
service libvirt-bin restart
and to check:
sasldblistusers2 -f /etc/libvirt/passwd.db
should output something like this:
myuser@host: userPassword
and finally check that the TLS port is open and libvirtd is actually listening on it (16514 is libvirt's default tls_port):
netstat -ntlp |grep libvirt
tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 22045/libvirtd
tcp6 0 0 :::16514 :::* LISTEN 22045/libvirtd
Now I have the following alias in my bashrc to access the openvz box, and it works like a charm:
alias openvz='virsh -c openvz://hostname/system?no_verify=1'
One caveat: no_verify=1 tells the client not to verify the server's certificate, so the TLS session still hides the traffic from eavesdroppers but does nothing against a man-in-the-middle presenting its own certificate. The clean fix is to copy the CA certificate to the client (libvirt looks for it in /etc/pki/CA/cacert.pem, or $HOME/.pki/libvirt/cacert.pem for a per-user copy) and drop the parameter from the URI.
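As an added example (not from the post, and not libvirt's own code): a small POSIX shell audit that reads a libvirtd.conf and flags the settings this howto deliberately turns off or leaves commented out, run against two constructed sample configs, one with the debug switches left on and a plain TCP listener, and one in the shape shown above. The key names are libvirtd's; the sample file contents, the paths under /etc/ssl/libvirt and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Audit the remote-access settings in a libvirtd.conf against what this
# howto ends up with: listen_tcp=0, listen_tls=1, auth_tls="sasl" and the
# two tls_no_* debug switches commented out. Added example written for this
# page, not code from the post or from libvirt. Assumptions: values are
# plain "key = value" lines as in libvirtd.conf, an unset key means
# libvirtd's own default applies (auth_tls defaults to "none", i.e. client
# certificate only), and the two sample configs below are constructed.

# conf_get FILE KEY: print the effective value of KEY (last uncommented
# assignment wins), with trailing comments and surrounding quotes stripped.
# Prints nothing if the key is unset or commented out.
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"//; s/"?[[:space:]]*$//'
}

# libvirtd_audit FILE: print one finding per line, nothing when the file
# matches the hardened shape above.
libvirtd_audit() {
    f="$1"
    listen_tcp=$(conf_get "$f" listen_tcp)
    listen_tls=$(conf_get "$f" listen_tls)
    auth_tcp=$(conf_get "$f" auth_tcp)
    auth_tls=$(conf_get "$f" auth_tls)
    no_verify=$(conf_get "$f" tls_no_verify_certificate)
    no_sanity=$(conf_get "$f" tls_no_sanity_certificate)

    if [ "$listen_tcp" = "1" ]; then
        echo "listen_tcp=1: plain TCP listener enabled; the TLS-only setup keeps it at 0"
        if [ "$auth_tcp" = "none" ]; then
            echo "auth_tcp=none: the TCP listener accepts unauthenticated connections"
        fi
    fi
    if [ "$listen_tls" = "0" ]; then
        echo "listen_tls=0: TLS listener disabled, virsh over TLS cannot connect"
    fi
    if [ "$no_sanity" = "1" ]; then
        echo "tls_no_sanity_certificate=1: debug switch left on, server certificate sanity checks skipped"
    fi
    if [ "$no_verify" = "1" ]; then
        echo "tls_no_verify_certificate=1: debug switch left on, client certificates not verified"
        # With verification off, certificate-only auth (auth_tls unset or "none")
        # leaves nothing standing between the network and the hypervisor.
        if [ "$auth_tls" != "sasl" ]; then
            echo "auth_tls=${auth_tls:-none} with tls_no_verify_certificate=1: no client authentication on the TLS port"
        fi
    fi
}

# libvirtd_audit_count FILE: number of findings, for scripting.
libvirtd_audit_count() {
    libvirtd_audit "$1" | wc -l | tr -d ' '
}

# write_weak_conf FILE: constructed config with the debug switches left on
# and an unauthenticated plain TCP listener, i.e. what NOT to ship.
write_weak_conf() {
    cat > "$1" <<'EOF'
listen_tcp = 1
listen_tls = 1
auth_tcp = "none"
auth_tls = "none"
tls_no_sanity_certificate = 1   # left over from debugging
tls_no_verify_certificate = 1
key_file = "/etc/ssl/libvirt/serverkey.pem"
ca_file = "/etc/ssl/libvirt/cacert.pem"
cert_file = "/etc/ssl/libvirt/servercert.pem"
EOF
}

# write_fixed_conf FILE: constructed config in the shape this howto ends with.
write_fixed_conf() {
    cat > "$1" <<'EOF'
listen_tcp = 0
listen_tls = 1
#tcp_port = "16509"
tls_port = "16514"
#listen_addr = "127.0.0.1"
#auth_tcp = "sasl"
auth_tls = "sasl"
key_file = "/etc/ssl/libvirt/serverkey.pem"
ca_file = "/etc/ssl/libvirt/cacert.pem"
cert_file = "/etc/ssl/libvirt/servercert.pem"
#tls_no_sanity_certificate = 1
#tls_no_verify_certificate = 1
EOF
}

# Stand-alone demo on the two constructed samples; pass a real
# /etc/libvirt/libvirtd.conf as the first argument to audit it instead.
if [ -n "${1:-}" ]; then
    libvirtd_audit "$1"
else
    t=$(mktemp)
    write_weak_conf "$t";  echo "== weak sample ==";                libvirtd_audit "$t"
    write_fixed_conf "$t"; echo "== fixed sample (this howto) ==";  libvirtd_audit "$t"
    rm -f "$t"
fi
```

The weak sample produces five findings and the fixed one none; pointing the script at the real /etc/libvirt/libvirtd.conf after editing is a quick way to make sure the tls_no_* lines really did go back to being comments before the box is exposed.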