ia64/xen-unstable

view tools/examples/xend-config.sxp @ 17712:91a9e28aed46

Make ssl relocation server listen on different port

This patch makes ssl relocation server listen on 8003 if enabled.

Whether to start ssl relocation server now controlled by
xend-relocation-ssl-server. So ssl and non-ssl relocation server can
run simultaneously. You can also only start ssl server or only start
non-ssl relocation server.

When mix deploy xen 3.2 server (has no ssl support) and 3.3 servers,
start ssl and non-ssl relocation server simultaneously can keep
backward compatibility.

It's also more reasonable to have separate ports for ssl and non-ssl.

In this patch, also renames xend-relocation-tls to xend-relocation-ssl.

Signed-off-by: Zhigang Wang <zhigang.x.wang@oracle.com>
author Keir Fraser <keir.fraser@citrix.com>
date Fri May 23 10:41:44 2008 +0100 (2008-05-23)
parents eb111919e8e0
children 20966aa89739
line source
1 # -*- sh -*-
3 #
4 # Xend configuration file.
5 #
7 # This example configuration is appropriate for an installation that
8 # utilizes a bridged network configuration. Access to xend via http
9 # is disabled.
11 # Commented out entries show the default for that entry, unless otherwise
12 # specified.
14 #(logfile /var/log/xen/xend.log)
15 #(loglevel DEBUG)
18 # The Xen-API server configuration.
19 #
20 # This value configures the ports, interfaces, and access controls for the
21 # Xen-API server. Each entry in the list starts with either unix, a port
22 # number, or an address:port pair. If this is "unix", then a UDP socket is
23 # opened, and this entry applies to that. If it is a port, then Xend will
24 # listen on all interfaces on that TCP port, and if it is an address:port
25 # pair, then Xend will listen on the specified port, using the interface with
26 # the specified address.
27 #
28 # The subsequent string configures the user-based access control for the
29 # listener in question. This can be one of "none" or "pam", indicating either
30 # that users should be allowed access unconditionally, or that the local
31 # Pluggable Authentication Modules configuration should be used. If this
32 # string is missing or empty, then "pam" is used.
33 #
34 # The final string gives the host-based access control for that listener. If
35 # this is missing or empty, then all connections are accepted. Otherwise,
36 # this should be a space-separated sequence of regular expressions; any host
37 # with a fully-qualified domain name or an IP address that matches one of
38 # these regular expressions will be accepted.
39 #
40 # Example: listen on TCP port 9363 on all interfaces, accepting connections
41 # only from machines in example.com or localhost, and allow access through
42 # the unix domain socket unconditionally:
43 #
44 # (xen-api-server ((9363 pam '^localhost$ example\\.com$')
45 # (unix none)))
46 #
47 # Optionally, the TCP Xen-API server can use SSL by specifying the private
48 # key and certificate location:
49 #
50 # (9367 pam '' /etc/xen/xen-api.key /etc/xen/xen-api.crt)
51 #
52 # Default:
53 # (xen-api-server ((unix)))
56 #(xend-http-server no)
57 #(xend-unix-server no)
58 #(xend-tcp-xmlrpc-server no)
59 #(xend-unix-xmlrpc-server yes)
60 #(xend-relocation-server no)
61 (xend-relocation-server yes)
62 #(xend-relocation-ssl-server no)
64 #(xend-unix-path /var/lib/xend/xend-socket)
67 # Address and port xend should use for the legacy TCP XMLRPC interface,
68 # if xend-tcp-xmlrpc-server is set.
69 #(xend-tcp-xmlrpc-server-address 'localhost')
70 #(xend-tcp-xmlrpc-server-port 8006)
72 # SSL key and certificate to use for the legacy TCP XMLRPC interface.
73 # Setting these will mean that this port serves only SSL connections as
74 # opposed to plaintext ones.
75 #(xend-tcp-xmlrpc-server-ssl-key-file /etc/xen/xmlrpc.key)
76 #(xend-tcp-xmlrpc-server-ssl-cert-file /etc/xen/xmlrpc.crt)
79 # Port xend should use for the HTTP interface, if xend-http-server is set.
80 #(xend-port 8000)
82 # Port xend should use for the relocation interface, if xend-relocation-server
83 # is set.
84 #(xend-relocation-port 8002)
86 # Port xend should use for the ssl relocation interface, if
87 # xend-relocation-ssl-server is set.
88 #(xend-relocation-ssl-port 8003)
90 # SSL key and certificate to use for the ssl relocation interface, if
91 # xend-relocation-ssl-server is set.
92 #(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
93 #(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
95 # Whether to use ssl as default when relocating.
96 #(xend-relocation-ssl no)
98 # Address xend should listen on for HTTP connections, if xend-http-server is
99 # set.
100 # Specifying 'localhost' prevents remote connections.
101 # Specifying the empty string '' (the default) allows all connections.
102 #(xend-address '')
103 #(xend-address localhost)
105 # Address xend should listen on for relocation-socket connections, if
106 # xend-relocation-server is set.
107 # Meaning and default as for xend-address above.
108 #(xend-relocation-address '')
110 # The hosts allowed to talk to the relocation port. If this is empty (the
111 # default), then all connections are allowed (assuming that the connection
112 # arrives on a port and interface on which we are listening; see
113 # xend-relocation-port and xend-relocation-address above). Otherwise, this
114 # should be a space-separated sequence of regular expressions. Any host with
115 # a fully-qualified domain name or an IP address that matches one of these
116 # regular expressions will be accepted.
117 #
118 # For example:
119 # (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')
120 #
121 #(xend-relocation-hosts-allow '')
122 (xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
124 # The limit (in kilobytes) on the size of the console buffer
125 #(console-limit 1024)
127 ##
128 # To bridge network traffic, like this:
129 #
130 # dom0: ----------------- bridge -> real eth0 -> the network
131 # |
132 # domU: fake eth0 -> vifN.0 -+
133 #
134 # use
135 #
136 # (network-script network-bridge)
137 #
138 # Your default ethernet device is used as the outgoing interface, by default.
139 # To use a different one (e.g. eth1) use
140 #
141 # (network-script 'network-bridge netdev=eth1')
142 #
143 # The bridge is named xenbr0, by default. To rename the bridge, use
144 #
145 # (network-script 'network-bridge bridge=<name>')
146 #
147 # It is possible to use the network-bridge script in more complicated
148 # scenarios, such as having two outgoing interfaces, with two bridges, and
149 # two fake interfaces per guest domain. To do things like this, write
150 # yourself a wrapper script, and call network-bridge from it, as appropriate.
151 #
152 (network-script network-bridge)
154 # The script used to control virtual interfaces. This can be overridden on a
155 # per-vif basis when creating a domain or a configuring a new vif. The
156 # vif-bridge script is designed for use with the network-bridge script, or
157 # similar configurations.
158 #
159 # If you have overridden the bridge name using
160 # (network-script 'network-bridge bridge=<name>') then you may wish to do the
161 # same here. The bridge name can also be set when creating a domain or
162 # configuring a new vif, but a value specified here would act as a default.
163 #
164 # If you are using only one bridge, the vif-bridge script will discover that,
165 # so there is no need to specify it explicitly.
166 #
167 (vif-script vif-bridge)
170 ## Use the following if network traffic is routed, as an alternative to the
171 # settings for bridged networking given above.
172 #(network-script network-route)
173 #(vif-script vif-route)
176 ## Use the following if network traffic is routed with NAT, as an alternative
177 # to the settings for bridged networking given above.
178 #(network-script network-nat)
179 #(vif-script vif-nat)
181 # dom0-min-mem is the lowest permissible memory level (in MB) for dom0.
182 # This is a minimum both for auto-ballooning (as enabled by
183 # enable-dom0-ballooning below) and for xm mem-set when applied to dom0.
184 (dom0-min-mem 196)
186 # Whether to enable auto-ballooning of dom0 to allow domUs to be created.
187 # If enable-dom0-ballooning = no, dom0 will never balloon out.
188 (enable-dom0-ballooning yes)
190 # In SMP system, dom0 will use dom0-cpus # of CPUS
191 # If dom0-cpus = 0, dom0 will take all cpus available
192 (dom0-cpus 0)
194 # Whether to enable core-dumps when domains crash.
195 #(enable-dump no)
197 # The tool used for initiating virtual TPM migration
198 #(external-migration-tool '')
200 # The interface for VNC servers to listen on. Defaults
201 # to 127.0.0.1 To restore old 'listen everywhere' behaviour
202 # set this to 0.0.0.0
203 #(vnc-listen '127.0.0.1')
205 # The default password for VNC console on HVM domain.
206 # Empty string is no authentication.
207 (vncpasswd '')
209 # The VNC server can be told to negotiate a TLS session
210 # to encryption all traffic, and provide x509 cert to
211 # clients enalbing them to verify server identity. The
212 # GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
213 # all support the VNC extension for TLS used in QEMU. The
214 # TightVNC/RealVNC/UltraVNC clients do not.
215 #
216 # To enable this create x509 certificates / keys in the
217 # directory /etc/xen/vnc
218 #
219 # ca-cert.pem - The CA certificate
220 # server-cert.pem - The Server certificate signed by the CA
221 # server-key.pem - The server private key
222 #
223 # and then uncomment this next line
224 # (vnc-tls 1)
226 # The certificate dir can be pointed elsewhere..
227 #
228 # (vnc-x509-cert-dir /etc/xen/vnc)
230 # The server can be told to request & validate an x509
231 # certificate from the client. Only clients with a cert
232 # signed by the trusted CA will be able to connect. This
233 # is more secure the password auth alone. Passwd auth can
234 # used at the same time if desired. To enable client cert
235 # checking uncomment this:
236 #
237 # (vnc-x509-verify 1)
239 # The default keymap to use for the VM's virtual keyboard
240 # when not specififed in VM's configuration
241 #(keymap 'en-us')
243 # Script to run when the label of a resource has changed.
244 #(resource-label-change-script '')