Unix Like

libvirtd: virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.
Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextValidCertificate:994 : Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: warning : virNetTLSContextCheckCertificate:1125 : Certificate check failed Unable to verify TLS peer: No certificate was found.

Jan 29 06:20:12 debian libvirtd[3363]: 2019-01-29 11:20:12.116+0000: 3363: error : virNetTLSContextCheckCertificate:1128 : authentication failed: Failed to verify peer's certificate

使用TLS连接libvirtd时，默认需要验证客户端是否拥有由CA签名的证书，详见libvirtd配置文件（/etc/libvirt/libvirtd.conf）：

# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1

# Flag to disable verification of client certificates

# Client certificate verification is the primary authentication mechanism.

# Any client which does not present a certificate signed by the CA

# will be rejected.

# Default is to always verify. Uncommenting this will disable

# verification - make sure an IP whitelist is set

#tls_no_verify_certificate = 1

取消此行的注释即可关闭此验证（当然你得启用其它身份认证途径）：

#tls_no_verify_certificate = 1

1	#tls_no_verify_certificate = 1

也可选择以让CA给客户端签发证书：

# 自行修改CA私钥与证书的路径
CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"
CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径
PKI_PREFIX="/tmp/client_pki/"
CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"
CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"
CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)
umask 0077
mkdir -p ${PKI_PREFIX}

# 生成客户端私钥
openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048
# 生成客户端CSR，根据自己需要自行修改subjects
openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}
# CA通过CSR签发证书，根据需要自行修改有效期
openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650
# 把CA证书放进去
cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端
# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

# 自行修改CA私钥与证书的路径

CA_KEY_FILE_PATH="/etc/pki/libvirt/private/cakey.pem"

CA_CERTIFICATE_FILE_PATH="/etc/pki/CA/cacert.pem"

# 客户端私钥，CSR，证书保存路径

PKI_PREFIX="/tmp/client_pki/"

CLIENT_PRIVATE_KEY_FILE_PATH="${PKI_PREFIX}/clientkey.pem"

CLIENT_CSR_FILE_PATH="${PKI_PREFIX}/clientcsr.pem"

CLIENT_CERTIFICATE_FILE_PATH="${PKI_PREFIX}/clientcert.pem"

oldUmask=$(umask)

umask 0077

mkdir -p ${PKI_PREFIX}

# 生成客户端私钥

openssl genrsa -out ${CLIENT_PRIVATE_KEY_FILE_PATH} 2048

# 生成客户端CSR，根据自己需要自行修改subjects

openssl req -new -key ${CLIENT_PRIVATE_KEY_FILE_PATH} -subj "/C=CN/ST=China/L=China/O=China/OU=China/CN=ClientCommonName" -out ${CLIENT_CSR_FILE_PATH}

# CA通过CSR签发证书，根据需要自行修改有效期

openssl x509 -req -in ${CLIENT_CSR_FILE_PATH} -CA ${CA_CERTIFICATE_FILE_PATH} -CAkey ${CA_KEY_FILE_PATH} -CAcreateserial -out ${CLIENT_CERTIFICATE_FILE_PATH} -days 3650

# 把CA证书放进去

cat ${CA_CERTIFICATE_FILE_PATH} > ${PKI_PREFIX}/cacert.pem

umask ${oldUmask}

# 把${PKI_PREFIX}传送到客户端

# scp -r ${PKI_PREFIX} username@host:~/libvirt-server-pki

完成上面的操作后，把整个${PKI_PREFIX}目录打包到客户端服务器上，在libvirt connection uri上加上参数pkipath=${PKI_PREFIX}即可：

virsh --connect qemu+tls://LIBVIRT_SERVER_HOST/system?pkipath=${HOME}/libvirt-server-pki

1	virsh --connect qemu+tls://LIBVIRT_SERVER_HOST/system?pkipath=${HOME}/libvirt-server-pki

当然如果CA证书，客户端私钥以及证书都放在默认位置，可以不使用pkipath参数，详见References [1]。

References:

[1] https://libvirt.org/remote.html#Remote_URI_reference

Tags: libvirtd, tls, tls_no_verify_certificate

You might also like:

Unix Like, 操作系统, 服务器, 网络, 运营维护

Nginx ssl_preread传递客户端IP

ssl_preread是基于L4的反代方案，TLS SNI握手时客户端会提供域名，所以可以让Nginx在无需完成TLS握手的情况下，就根据域名进行后端服务器的选择。简单来讲，你只需要给后端服务器配置一个SSL证书，而提供反代功能的Nginx则无需配置。文档见此：http://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html 因为这是L4反代，所以通过“proxy_set_header”传递客户端IP的方法是行不通的。其实传递客户端IP的解决办法跟上一篇文章类似：L4(传输层)IP透明反向代理的实现(传递客户端真实IP)，ng […]

Unix Like, 服务器

双路超线程物理服务器的QEMU CPU affinity调整

首先运行 virsh capabilities 查看物理机物理核心及其线程与逻辑处理器（线程）的关系：

...
    <topology>
      <cells num='1'>
        <cell id='0'>
          <memory unit='KiB'>24671680</memory>
          <pages unit='KiB' size='4'>6167920</pages>
          <pages unit='KiB' size='2048'>0</pages>
          <distances>
            <sibling id='0' value='10'/>
          </distances>
          <cpus num='16'>
            <cpu id='0' socket_id='0' core_id='0' siblings='0,8'/>
            <cpu id='1' socket_id='0' core_id='1' siblings='1,9'/>
            <cpu id='2' socket_id='0' core_id='2' siblings='2,10'/>
            <cpu id='3' socket_id='0' core_id='3' siblings='3,11'/>
            <cpu id='4' socket_id='1' core_id='0' siblings='4,12'/>
            <cpu id='5' socket_id='1' core_id='1' siblings='5,13'/>
            <cpu id='6' socket_id='1' core_id='2' siblings='6,14'/>
            <cpu id='7' socket_id='1' core_id='3' siblings='7,15'/>
            <cpu id='8' socket_id='0' core_id='0' siblings='0,8'/>
            <cpu id='9' socket_id='0' core_id='1' siblings='1,9'/>
            <cpu id='10' socket_id='0' core_id='2' siblings='2,10'/>
            <cpu id='11' socket_id='0' core_id='3' siblings='3,11'/>
            <cpu id='12' socket_id='1' core_id='0' siblings='4,12'/>
            <cpu id='13' socket_id='1' core_id='1' siblings='5,13'/>
            <cpu id='14' socket_id='1' core_id='2' siblings='6,14'/>
            <cpu id='15' socket_id='1' core_id='3' siblings='7,15'/>
          </cpus>
        </cell>
      </cells>
    </topology>
    <cache>
      <bank id='0' level='3' type='both' size='8' unit='MiB' cpus='0-3,8-11'/>
      <bank id='1' level='3' type='both' size='8' unit='MiB' cpus='4-7,12-15'/>
    </cache>
...

...

</distances>

</cpus>

</cell>

</cells>

</topology>

<cache>

</cache>

...

其中的socket_id代表CPU的槽位，core_id代表CPU物理核心，siblings表示哪些逻辑处理器（线程）是属于同一个物理核心的。例如id为0以及8的逻辑处理器，都属于同一个CPU槽位且属于同一个物理核心。在这台物理机上建立的虚拟机，想得到最佳的性能，首先不要跨CPU插槽，其次，不要让多个虚拟机CPU共享同一个物理核心。根据上面的信息，4核心8线程的虚拟机CPU亲和度配置如下： [crayon-6623c99 […]