vmmanager 5 to 6

To migrate from VM5 to VM6, your documentation needs to state that when migrating from CentOS 7, changes must be made to Libvirt

cat /etc/sysconfig/libvirtd | grep LIBVIRTD_ARGS
Example output

#LIBVIRTD_ARGS="--listen"
If the line LIBVIRTD_ARGS="--listen" is commented out:

for CentOS 7, uncomment it:

AND

CHANGE

add on line

after

-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT

add

Before

 

Reissuing TLS

Section 1. Main Directories Involved

In a default KVM installation on RHEL 7/CentOS 7, you get the following main directories:

 

CA Certificate Generation
To create a new KVM host server certificate with a duration period of more than 1 year, you first need to create a new CA certificate:

 

Create a file called certificate_authority_template.info and paste the following lines into it:

 

 

Note: By default, the expiration_days variable is 365 (1 year). Here, we use 2000 days, i.e. more than 5 years.

Then, generate a private CA key:

 

Generating a 2048 bit RSA private key…
Now, you can combine the CA template with the CA key to get the CA certificate:

 

Next, you need to copy the new public CA certificate to the right location with the right default name (cacert.pem):

Finally, you have to set the correct permissions:

 

KVM Host Certificate Generation

To create a new KVM host certificate, you need to copy the public CA certificate and the private CA key into the /etc/pki/libvirt/private directory:

 

Then, you need to go into the /etc/pki/libvirt/private directory:

 

You need to create a file called server_template.info and paste the following lines into it:

 

Next, you need to generate a private KVM host key:

 

Generating a 2048 bit RSA private key…
Now, you can combine the server template with the private KVM host key to get the public KVM host certificate:

 

Next, you need to copy the new public KVM host certificate to the right location with the right default name (servercert.pem):

 

Finally, you have to set the correct permissions:

 

At this point, you should be able to start the libvirtd daemon:

KVM Client Certificate Generation

Optionally, you may need to create a new KVM client certificate.
Create a new file called client_template.info and paste the following lines into it:

country = DE
state = Berlin
locality = Berlin
organization = mydomain.com
cn = kvm
tls_www_client
encryption_key
signing_key
expiration_days = 2000
Then, you need to generate a private KVM client key:

# (umask 277 && certtool --generate-privkey > clientkey.pem)
Generating a 2048 bit RSA private key…
Now, you can combine the client template with the private KVM client key to get the public KVM client certificate:

# certtool --generate-certificate \
--template client_template.info \
--load-privkey clientkey.pem \
--load-ca-certificate certificate_authority_certificate.pem \
--load-ca-privkey certificate_authority_key.pem \
--outfile client_certificate.pem
Next, you need to copy the new public KVM client certificate to the right location with the right default name (clientcert.pem):

# cp -p client_certificate.pem ../clientcert.pem
Finally, you have to set the correct permissions:

# chmod 400 /etc/pki/libvirt/private/clientkey.pem
# restorecon /etc/pki/libvirt/private/clientkey.pem
# chmod 400 /etc/pki/libvirt/clientcert.pem
# restorecon /etc/pki/libvirt/clientcert.pem
Source: Libvirt website.

Certificate Expiration Date
At any time you can ask for the expiration date of a given certificate (here servercert.pem):

# certtool -i --infile /etc/pki/libvirt/servercert.pem | grep "Not After"
Not After: Thu Jul 01 11:11:49 UTC 2021
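
The same expiry check, scripted so it can flag the certificate files named above before they lapse. This is an added example, not part of the original article; WARN_DAYS and the function names are assumptions, and the parsing assumes the "Not After" format shown in the output above.

```shell
#!/bin/sh
# Added example (not from the original page): flag libvirt TLS certificates
# that are expired or close to expiry. WARN_DAYS and function names are assumptions.
WARN_DAYS=${WARN_DAYS:-30}

# Turn a certtool line such as "Not After: Thu Jul 01 11:11:49 UTC 2021" into
# epoch seconds using shell arithmetic only (no dependency on GNU date -d).
not_after_epoch() {
    set -- $1                                  # split the line on whitespace
    [ "$1 $2" = "Not After:" ] && [ $# -eq 8 ] || return 1
    mon=$4 d=${5#0} t=$6 y=$8
    case $mon in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;; May) m=5;; Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    h=${t%%:*}; s=${t##*:}; mi=${t#*:}; mi=${mi%%:*}
    h=${h#0}; mi=${mi#0}; s=${s#0}             # avoid octal parsing of "08"
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi   # days-from-civil algorithm
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# Classify a "Not After" line at time $2 (epoch seconds):
# prints EXPIRED, "EXPIRING <days>", "OK <days>" or UNPARSED.
expiry_status() {
    exp=$(not_after_epoch "$1") || { echo UNPARSED; return 0; }
    left=$((exp - $2))
    if [ "$left" -le 0 ]; then echo EXPIRED
    elif [ "$left" -le $((WARN_DAYS * 86400)) ]; then echo "EXPIRING $((left / 86400))"
    else echo "OK $((left / 86400))"; fi
}

# Check the certificate files named on this page; call as: audit_libvirt_tls
audit_libvirt_tls() {
    for cert in /etc/pki/libvirt/servercert.pem /etc/pki/libvirt/clientcert.pem; do
        [ -r "$cert" ] || { echo "$cert: missing"; continue; }
        line=$(certtool -i --infile "$cert" | grep "Not After")
        echo "$cert: $(expiry_status "$line" "$(date +%s)")"
    done
}
```

Source the file and run audit_libvirt_tls as root on the KVM host; set WARN_DAYS to change the warning window.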
