Building libvirt with ESXi driver

Libvirt is a toolkit to manage virtual infrastructures. It is supposed to support the VMware ESXi hypervisor, but the package in the Ubuntu 10 repository is compiled without the necessary drivers (as of the time of writing). One can find libvirt compilation instructions here, but they are not Ubuntu-specific and do not mention ESXi.

Below are the steps necessary to build libvirt with ESXi drivers. Tested on the Turnkey LAMP appliance 11.1, which is based on Ubuntu 10.04.1 LTS. Similar steps should work for other Debian-based distributions.

1. Download the sources from the libvirt website. I took 0.9.0 rc2.

2. Unpack it and 'cd' to the directory.

3. Install dependencies, build and install:

sudo apt-get install gcc make libxml2-dev libgnutls-dev libdevmapper-dev libcurl4-gnutls-dev
./configure --prefix=/usr/local/libvirt-0.9.0 --with-esx
make
sudo make install

4. Run a test tool (from the source directory):

First we skip TLS certificate verification (no_verify=1), which means the server's identity is not checked:

examples/hellolibvirt/hellolibvirt 'esx://192.168.X.X/?no_verify=1'
Attempting to connect to hypervisor
Enter username for 192.168.X.X [root]:
Enter root's password for 192.168.X.X:
Connected to hypervisor at "esx://192.168.X.X:443/?no_verify=1"
Hypervisor: "ESX" version: 4.1.0
There are 4 active and 1 inactive domains
Inactive domains:
U10-NESSUS
Disconnected from hypervisor

I have not managed to configure libvirt to accept the self-signed certificate generated by the ESXi server during installation. Apparently self-signed certs are not good. The certificate of the ESXi server has to be signed by a CA, even if it is your own private CA.

Just to get it working as fast as possible, I used libvirt's instructions from the "Setting up CA" and "Issuing Server certs" chapters of this web page to produce the cacert.pem, serverkey.pem, and servercert.pem files. Will redo it later with TinyCA. (On Ubuntu you have to install the gnutls-bin package to get the certtool program.)

When creating the server certificate, make sure you specify the correct hostname of your ESXi server in the CN. You will have to use exactly the same name in URLs later on.

Add your CA certificate to the list of approved CAs:

sudo sh -c 'cat cacert.pem >> /etc/ssl/certs/ca-certificates.crt'

Copy the server cert and key files to ESXi and reboot ESXi to make it use them:


scp serverkey.pem root@192.168.X.X:/etc/vmware/ssl/rui.key
scp servercert.pem root@192.168.X.X:/etc/vmware/ssl/rui.crt

Now you can rerun hellolibvirt with proper TLS certificate checking (replace 'myesxi' with the hostname of your ESXi server, the same one you specified when creating the server certificate).

examples/hellolibvirt/hellolibvirt 'esx://myesxi/'
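
The three conditions the steps above depend on can be checked locally before the files are copied to ESXi: servercert.pem chains to cacert.pem, the name used in the esx:// URL matches the certificate, and serverkey.pem belongs to the certificate. This script is an added example, not part of the original post; it assumes the openssl command-line tool is installed, and check_esx_cert is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight checks for the CA, server cert and key files.
# Assumes the openssl CLI is available; check_esx_cert is a hypothetical name.
# usage: check_esx_cert cacert.pem servercert.pem serverkey.pem myesxi
check_esx_cert() {
    ca=$1 cert=$2 key=$3 host=$4
    rc=0

    # 1. The server certificate must chain to the private CA. Match on the
    #    ": OK" line because old openssl releases exit 0 even on failure.
    if openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "ok:   $cert is signed by $ca"
    else
        echo "FAIL: $cert does not verify against $ca"
        rc=1
    fi

    # 2. The hostname used in the esx:// URL must match the certificate.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q 'does match certificate'; then
        echo "ok:   certificate is valid for host '$host'"
    else
        echo "FAIL: certificate is not valid for host '$host'"
        rc=1
    fi

    # 3. The private key must belong to the certificate (same public key).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok:   $key matches $cert"
    else
        echo "FAIL: $key does not match $cert"
        rc=1
    fi

    return "$rc"
}

# Run the check only when the script is called with all four arguments.
if [ "$#" -eq 4 ]; then
    check_esx_cert "$@"
fi
```

A non-zero exit status means at least one check failed; the FAIL line names which one.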

That's all, your libvirt should be working. I hope libvirt's support of ESXi is decent, will find out soon.

Comments

hello,

I tried to copy the servercert.pem and serverkey.pem generated using certtool as /etc/vmware/ssl/rui.crt and /etc/vmware/ssl/rui.key on the ESXi host. The VM (CentOS 6.4) running on the host is the client and the CA. However, when I try to run 'virsh -c esx://root@/', I get:

error: internal error: curl_easy_perform() returned an error: Peer certificate cannot be authenticated with known CA certificates (60) : Peer certificate cannot be authenticated with known CA certificates

Generating the certificates using certtool works just fine for XenServer. But I do understand that the cacert.pem is installed in /etc/pki/CA/ on the client VM and the XenServer host. Doesn't this have to be installed on ESXi?

Shiva

Prior to ./configure you must run ./autogen.sh which requires the installation of libtool, autoconf, automake, autopoint, python-config, and xsltproc.