Chapter 23. Remote management of guests
This section explains how to remotely manage your guests using
ssh or TLS and SSL.
23.1. Remote management with SSH
The ssh package provides an encrypted network protocol which can securely send management functions to remote virtualization servers. The method described uses the
libvirt management connection securely tunneled over an SSH connection to manage the remote machines. All the authentication is done using SSH public key cryptography and passwords or passphrases gathered by your local SSH agent. In addition the VNC console for each guest virtual machine is tunneled over SSH.
SSH is usually configured by default so you probably already have SSH keys setup and no extra firewall rules needed to access the management service or VNC console.
Be aware of the issues with using SSH for remotely managing your virtual machines, including:
- you require root log in access to the remote machine for managing virtual machines,
- the initial connection setup process may be slow,
- there is no standard or trivial way to revoke a user's key on all hosts or guests, and
- ssh does not scale well with larger numbers of remote machines.
Configuring password less or password managed SSH access for
virt-manager The following instructions assume you are starting from scratch and do not already have SSH keys set up. If you have SSH keys set up and copied to the other systems you can skip this procedure.
Important
SSH keys are user dependent. Only the user who owns the key may access that key.
virt-manager must run as the user who owns the keys to connect to the remote host. That means, if the remote systems are managed by a non-root user virt-manager must be run in unprivileged mode. If the remote systems are managed by the local root user then the SSH keys must be own and created by root.
You cannot manage the local host as an unprivileged user with
virt-manager.
Optional: Changing user
Change user, if required. This example uses the local root user for remotely managing the other hosts and the local host.$ su -
Generating the SSH key pair
Generate a public key pair on the machinevirt-manageris used. This example uses the default key location, in the~/.ssh/directory.$ ssh-keygen -t rsa
Coping the keys to the remote hosts
Remote login without a password, or with a passphrase, requires an SSH key to be distributed to the systems being managed. Use the ssh-copy-id command to copy the key to root user at the system address provided (in the example,root@example.com).# ssh-copy-id -i ~/.ssh/id_rsa.pub
root@example.com root@example.com's password: Now try logging into the machine, with "ssh 'root@example.com'", and check in: .ssh/authorized_keys to make sure we haven't added extra keys that you weren't expectingRepeat for other systems, as required.Optional: Add the passphrase to the ssh-agent
Add the passphrase for the SSH key to thessh-agent, if required. On the local host, use the following command to add the passphrase (if there was one) to enable password-less login.# ssh-add ~/.ssh/id_rsa.pub
The SSH key was added to the remote system.
The
libvirt daemon (libvirtd)
The libvirt daemon provide an interface for managing virtual machines. You must have the libvirtd daemon installed and running on every remote host that needs managing.
$ ssh root@somehost # chkconfig libvirtd on # service libvirtd start
After
libvirtd and SSH are configured you should be able to remotely access and manage your virtual machines. You should also be able to access your guests with VNC at this point.
Accessing remote hosts with virt-manager
Remote hosts can be managed with the virt-manager GUI tool. SSH keys must belong to the user executing virt-manager for password-less login to work.
- Start virt-manager.
- Open the -> menu.
- Input values for the hypervisor type, the connection, Connection->Remote tunnel over SSH, and enter the desired hostname, then click connection.
