For remote management, libvirt
supports the following transport modes:
Transport Layer Security TLS 1.0 (SSL 3.1) authenticated and encrypted TCP/IP socket, usually listening on a public port number. To use this you will need to generate client and server certificates. The standard port is 16514.
Unix domain sockets are only accessible on the local machine. Sockets are not encrypted, and use UNIX permissions or SELinux for authentication. The standard socket names are /var/run/libvirt/libvirt-sock
and /var/run/libvirt/libvirt-sock-ro
(for read-only connections).
Transported over an Secure Shell protocol (SSH) connection. Requires Netcat (the nc package) installed. The libvirt daemon (libvirtd
) must be running on the remote machine. Port 22 must be open for SSH access. You should use some sort of ssh key management (for example, the ssh-agent
utility) or you will be prompted for a password.
The ext parameter is used for any external program which can make a connection to the remote machine by means outside the scope of libvirt. This usually covers third-party, unsupported security applications.
Unencrypted TCP/IP socket. Not recommended for production use, this is normally disabled, but an administrator can enable it for testing or use over a trusted network. The default port is 16509.
The default transport, if no other is specified, is tls.
A Uniform Resource Identifier (URI) is used by virsh
and libvirt
to connect to a remote host. URIs can also be used with the --connect
parameter for the virsh
command to execute single commands or migrations on remote hosts.
libvirt URIs take the general form (content in square brackets, "[]", represents optional functions):
driver[+transport]://[username@][hostname][:port]/[path][?extraparameters]
Either the transport method or the hostname must be provided in order to distinguish this from a local URI.
Examples of remote management parameters
Connect to a remote Xen hypervisor on the host named towada
, using SSH transport and the SSH username ccurran
.
xen+ssh://ccurran@towada/
Connect to a remote Xen hypervisor on the host named towada
using TLS.
xen://towada/
Connect to a remote Xen hypervisor on host towada
using TLS. The no_verify=1
tells libvirt not to verify the server's certificate.
xen://towada/?no_verify=1
Connect to a remote KVM hypervisor on host towada
using SSH.
qemu+ssh://towada/system
Testing examples
Connect to the local KVM hypervisor with a non-standard UNIX socket. The full path to the Unix socket is supplied explicitly in this case.
qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock
Connect to the libvirt daemon with an unencrypted TCP/IP connection to the server with the IP address 10.1.1.10 on port 5000. This uses the test driver with default settings.
test+tcp://10.1.1.10:5000/default