OpenVZ libvirt small howto
libvirt is the management framework that made it easy for me to configure, deploy and run those machines, until a few weeks ago I did not come to my mind that libvirt has had a remote control ability for ages.
When I finally realized the true potential of that management framework and looked up their website, I saw a lot of working connection strings for… xen, qemu, vmware (of all things…), hyper-v and of course, openvz support.
Now for the base setup I had to install libvirt on the box, and make it listen to the external address via tcp. There are multiple ways to do this, and I decided to go with the ssl/tls road.
So I created a pair of certs, placed them into a subfolder I created under /etc/ssl, and then edited the file /etc/libvirt/libvirtd.conf, heres basically the important bits I changed:
listen_tcp = 0 ... listen_tls = 1 ... #tcp_port = tcpportno ... tls_port = tlsportno ... #listen_addr = 127.0.0.1 ... #auth_tcp = "sasl" ... auth_tls = "sasl" ... key_file = ... ca_file = ... cert_file = ... ... #and for debugging #tls_no_sanity_certificate = 1 #tls_no_verify_certificate = 1
Finally, I installed the sasl tools and setup a sasl user and password combination:
cd /etc/sasl2 vi /etc/sasl2/libvirt.conf: ======================= mech_list: digest-md5 sasldb_path: /etc/libvirt/passwd.db ======================= vi /etc/default/saslauthd: ======================= ... START=yes ... ======================= service saslauthd restart cd /etc/libvirt saslpasswd2 -a libvirt myuser service libvirt-bin restart and to check: sasldblistusers2 -f /etc/libvirt/passwd.db should output something like this: myuser@host: userPassword and finally check if the tcp/tls port is open n up: netstat -ntlp |grep libvirt tcp 0 0 0.0.0.0:16514 0.0.0.0:* LISTEN 22045/libvirtd tcp6 0 0 :::16514 :::* LISTEN 22045/libvirtd
Now I have the following string added to my bashrc to access the openvz box, and it works like a charm:
alias openvz='virsh -c openvz://hostname/system?no_verify=1'