2.3.2. Data Transports

To cope with the wide variety of deployment environments, the libvirt RPC service supports a number of data transports, all of which can be configured with industry standard encryption and authentication capabilities.

Table 2.1. Transports

tls
    A TCP socket running the TLS protocol on the wire. This is the default data transport if none is explicitly requested, and uses a TCP connection on port 16514. At minimum it is necessary to configure the server with an x509 certificate authority and issue it a server certificate. The libvirtd server can, optionally, be configured to require clients to present x509 certificates as a means of authentication.

tcp
    A TCP socket without the TLS protocol on the wire. This data transport should not be used on untrusted networks unless the SASL authentication service has been enabled and configured with a plug-in that provides encryption. The TCP connection is made on port 16509.

unix
    A local-only data transport, allowing users to connect to a libvirtd daemon running as a different user account. As it is only accessible on the local machine, it is unencrypted. The standard socket names are /var/run/libvirt/libvirt-sock for full management capabilities and /var/run/libvirt/libvirt-sock-ro for a socket restricted to read-only operations.

ssh
    The RPC data is tunneled over an SSH connection to the remote machine. It requires that Netcat (nc) be installed on the remote machine and that libvirtd be running with the UNIX domain socket enabled. It is recommended that SSH be configured so that it does not present password prompts to the client application. For example, if using SSH public key authentication, it is recommended that an ssh-agent be run to cache key credentials. GSSAPI is another useful authentication mode for the SSH transport, allowing use of a pre-initialized Kerberos credential cache.

ext
    Any external program that can make a connection to the remote machine by means that are outside the scope of libvirt. If none of the built-in data transports are satisfactory, this allows an application to provide a helper program to proxy RPC data over a custom channel.
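The practical consequence of the table above is that the transport name embedded in a connection URI decides whether RPC traffic is encrypted on the wire. The following added example (not libvirt's own code) audits a constructed inventory of connection URIs: it assumes libvirt's `driver+transport://host/path` URI form, takes the default ports from the table (16514 for tls, 16509 for tcp), and treats a hostless URI with no explicit transport as a local unix-socket connection (an assumption about libvirt's behaviour; the page itself only states that tls is the default when a transport is not requested). URIs whose transport is plaintext on a network are returned as findings.

```python
"""Classify libvirt connection URIs by data transport and flag plaintext ones.

Added example, not part of libvirt. Port numbers and socket paths come from the
transport table; everything else about URI layout is an assumption stated inline.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample inventory, as an administrator might keep in a tooling config.
SAMPLE_URIS = [
    "qemu+tls://hv1.example.internal/system",
    "qemu+tcp://hv2.example.internal/system",
    "qemu+tcp://hv2.example.internal:16510/system",
    "qemu+ssh://admin@hv3.example.internal/system",
    "qemu+unix:///system",
    "qemu:///system",
    "qemu://hv4.example.internal/system",
    "qemu+ext://hv5.example.internal/system",
]

# Default TCP ports from the transport table.
DEFAULT_PORTS = {"tls": 16514, "tcp": 16509}

# True: encrypted on the wire. False: plaintext on the network.
# None: not a network transport (unix) or decided outside libvirt (ext).
ENCRYPTED_ON_WIRE = {"tls": True, "tcp": False, "unix": None, "ssh": True, "ext": None}

NOTES = {
    "tls": "x509 CA and server certificate required; client certificates optional",
    "tcp": "plaintext unless SASL is enabled with an encrypting plug-in",
    "unix": "local only; /var/run/libvirt/libvirt-sock or libvirt-sock-ro",
    "ssh": "tunneled over SSH; needs nc and the UNIX socket on the remote host",
    "ext": "encryption depends entirely on the external helper program",
}


@dataclass
class Endpoint:
    uri: str
    transport: str
    host: Optional[str]
    port: Optional[int]
    encrypted: Optional[bool]
    note: str


def classify(uri: str) -> Endpoint:
    """Resolve the effective transport, host and port of one connection URI."""
    parsed = urlparse(uri)
    # libvirt encodes the transport as a suffix of the scheme: qemu+tls, qemu+ssh, ...
    _driver, _, transport = parsed.scheme.partition("+")
    host = parsed.hostname
    if not transport:
        # No explicit transport: remote URIs default to tls (per the table); a
        # hostless URI is assumed here to mean the local unix socket.
        transport = "tls" if host else "unix"
    if transport not in ENCRYPTED_ON_WIRE:
        raise ValueError(f"unknown libvirt transport {transport!r} in {uri}")
    # An explicit :port in the URI overrides the transport's default.
    port = parsed.port if parsed.port is not None else DEFAULT_PORTS.get(transport)
    return Endpoint(uri, transport, host, port, ENCRYPTED_ON_WIRE[transport], NOTES[transport])


def audit(uris: List[str]) -> List[Endpoint]:
    return [classify(u) for u in uris]


def plaintext_network_endpoints(uris: List[str]) -> List[str]:
    """URIs that carry libvirt RPC unencrypted across a network (the tcp transport)."""
    return [e.uri for e in audit(uris) if e.encrypted is False]


if __name__ == "__main__":
    for ep in audit(SAMPLE_URIS):
        state = {True: "encrypted", False: "PLAINTEXT", None: "n/a"}[ep.encrypted]
        print(f"{ep.transport:5} {state:10} {ep.host or '(local)':25} {ep.port or '-':>6}  {ep.uri}")
    print("findings:", plaintext_network_endpoints(SAMPLE_URIS))
```

Both `qemu+tcp` entries are reported, including the one on the non-default port 16510, because the check keys on the transport rather than on the port number; a tcp endpoint that has SASL with an encrypting plug-in configured on the server is still listed, since that configuration is not visible from the URI and has to be confirmed on the libvirtd host.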