/conftest.*
/daemon/libvirtd*.logrotate
/daemon/libvirtd.policy
-/daemon/test_libvirtd.aug
/docs/aclperms.htmlinc
/docs/apibuild.py.stamp
/docs/devhelp/libvirt.devhelp
DISTCLEANFILES =
EXTRA_DIST = \
- libvirtd.conf \
libvirtd.policy.in \
libvirt.rules \
libvirtd.sasl \
libvirtd.sysctl \
- libvirtd.aug \
libvirtd.logrotate.in \
libvirtd.qemu.logrotate.in \
libvirtd.lxc.logrotate.in \
libvirtd.libxl.logrotate.in \
libvirtd.uml.logrotate.in \
- test_libvirtd.aug.in \
$(NULL)
BUILT_SOURCES =
if WITH_LIBVIRTD
-confdir = $(sysconfdir)/libvirt/
-conf_DATA = libvirtd.conf
-
-augeasdir = $(datadir)/augeas/lenses
-augeas_DATA = libvirtd.aug
-
-augeastestsdir = $(datadir)/augeas/lenses/tests
-augeastests_DATA = test_libvirtd.aug
-
-CLEANFILES += test_libvirtd.aug
-
if WITH_POLKIT
if WITH_POLKIT0
policydir = $(datadir)/PolicyKit/policy
uninstall-sysctl:
endif ! WITH_SYSCTL
-check-local: check-augeas
-
-AUG_GENTEST = $(PERL) $(top_srcdir)/build-aux/augeas-gentest.pl
-
-test_libvirtd.aug: test_libvirtd.aug.in $(srcdir)/libvirtd.conf
- $(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/libvirtd.conf $< $@
-
-check-augeas: test_libvirtd.aug
- $(AM_V_GEN)if test -x '$(AUGPARSE)'; then \
- '$(AUGPARSE)' -I $(srcdir) test_libvirtd.aug; \
- fi
-
else ! WITH_LIBVIRTD
install-data-local: install-data-sasl
uninstall-local:: uninstall-data-sasl
+++ /dev/null
-(* /etc/libvirt/libvirtd.conf *)
-
-module Libvirtd =
- autoload xfm
-
- let eol = del /[ \t]*\n/ "\n"
- let value_sep = del /[ \t]*=[ \t]*/ " = "
- let indent = del /[ \t]*/ ""
-
- let array_sep = del /,[ \t\n]*/ ", "
- let array_start = del /\[[ \t\n]*/ "[ "
- let array_end = del /\]/ "]"
-
- let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
- let bool_val = store /0|1/
- let int_val = store /-?[0-9]+/
- let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
- let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
-
- let str_entry (kw:string) = [ key kw . value_sep . str_val ]
- let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
- let int_entry (kw:string) = [ key kw . value_sep . int_val ]
- let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
-
-
- (* Config entry grouped by function - same order as example config *)
- let network_entry = bool_entry "listen_tls"
- | bool_entry "listen_tcp"
- | str_entry "tls_port"
- | str_entry "tcp_port"
- | str_entry "listen_addr"
- | bool_entry "mdns_adv"
- | str_entry "mdns_name"
-
- let sock_acl_entry = str_entry "unix_sock_group"
- | str_entry "unix_sock_ro_perms"
- | str_entry "unix_sock_rw_perms"
- | str_entry "unix_sock_admin_perms"
- | str_entry "unix_sock_dir"
-
- let authentication_entry = str_entry "auth_unix_ro"
- | str_entry "auth_unix_rw"
- | str_entry "auth_tcp"
- | str_entry "auth_tls"
-
- let certificate_entry = str_entry "key_file"
- | str_entry "cert_file"
- | str_entry "ca_file"
- | str_entry "crl_file"
-
- let authorization_entry = bool_entry "tls_no_verify_certificate"
- | bool_entry "tls_no_sanity_certificate"
- | str_array_entry "tls_allowed_dn_list"
- | str_array_entry "sasl_allowed_username_list"
- | str_array_entry "access_drivers"
- | str_entry "tls_priority"
-
- let processing_entry = int_entry "min_workers"
- | int_entry "max_workers"
- | int_entry "max_clients"
- | int_entry "max_queued_clients"
- | int_entry "max_anonymous_clients"
- | int_entry "max_client_requests"
- | int_entry "prio_workers"
-
- let admin_processing_entry = int_entry "admin_min_workers"
- | int_entry "admin_max_workers"
- | int_entry "admin_max_clients"
- | int_entry "admin_max_queued_clients"
- | int_entry "admin_max_client_requests"
-
- let logging_entry = int_entry "log_level"
- | str_entry "log_filters"
- | str_entry "log_outputs"
- | int_entry "log_buffer_size"
-
- let auditing_entry = int_entry "audit_level"
- | bool_entry "audit_logging"
-
- let keepalive_entry = int_entry "keepalive_interval"
- | int_entry "keepalive_count"
- | bool_entry "keepalive_required"
-
- let admin_keepalive_entry = int_entry "admin_keepalive_interval"
- | int_entry "admin_keepalive_count"
- | bool_entry "admin_keepalive_required"
-
- let misc_entry = str_entry "host_uuid"
- | str_entry "host_uuid_source"
- | int_entry "ovs_timeout"
-
- (* Each enty in the config is one of the following three ... *)
- let entry = network_entry
- | sock_acl_entry
- | authentication_entry
- | certificate_entry
- | authorization_entry
- | processing_entry
- | admin_processing_entry
- | logging_entry
- | auditing_entry
- | keepalive_entry
- | admin_keepalive_entry
- | misc_entry
- let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
- let empty = [ label "#empty" . eol ]
-
- let record = indent . entry . eol
-
- let lns = ( record | comment | empty ) *
-
- let filter = incl "/etc/libvirt/libvirtd.conf"
- . Util.stdexcl
-
- let xfm = transform lns filter
+++ /dev/null
-# Master libvirt daemon configuration file
-#
-# For further information consult https://libvirt.org/format.html
-#
-# NOTE: the tests/daemon-conf regression test script requires
-# that each "PARAMETER = VALUE" line in this file have the parameter
-# name just after a leading "#".
-
-#################################################################
-#
-# Network connectivity controls
-#
-
-# Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# It is necessary to setup a CA and issue server certificates before
-# using this capability.
-#
-# This is enabled by default, uncomment this to disable it
-#listen_tls = 0
-
-# Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# Using the TCP socket requires SASL authentication by default. Only
-# SASL mechanisms which support data encryption are allowed. This is
-# DIGEST_MD5 and GSSAPI (Kerberos5)
-#
-# This is disabled by default, uncomment this to enable it.
-#listen_tcp = 1
-
-
-
-# Override the port for accepting secure TLS connections
-# This can be a port number, or service name
-#
-#tls_port = "16514"
-
-# Override the port for accepting insecure TCP connections
-# This can be a port number, or service name
-#
-#tcp_port = "16509"
-
-
-# Override the default configuration which binds to all network
-# interfaces. This can be a numeric IPv4/6 address, or hostname
-#
-# If the libvirtd service is started in parallel with network
-# startup (e.g. with systemd), binding to addresses other than
-# the wildcards (0.0.0.0/::) might not be available yet.
-#
-#listen_addr = "192.168.0.1"
-
-
-# Flag toggling mDNS advertizement of the libvirt service.
-#
-# Alternatively can disable for all services on a host by
-# stopping the Avahi daemon
-#
-# This is disabled by default, uncomment this to enable it
-#mdns_adv = 1
-
-# Override the default mDNS advertizement name. This must be
-# unique on the immediate broadcast network.
-#
-# The default is "Virtualization Host HOSTNAME", where HOSTNAME
-# is substituted for the short hostname of the machine (without domain)
-#
-#mdns_name = "Virtualization Host Joe Demo"
-
-
-#################################################################
-#
-# UNIX socket access controls
-#
-
-# Set the UNIX domain socket group ownership. This can be used to
-# allow a 'trusted' set of users access to management capabilities
-# without becoming root.
-#
-# This is restricted to 'root' by default.
-#unix_sock_group = "libvirt"
-
-# Set the UNIX socket permissions for the R/O socket. This is used
-# for monitoring VM status only
-#
-# Default allows any user. If setting group ownership, you may want to
-# restrict this too.
-#unix_sock_ro_perms = "0777"
-
-# Set the UNIX socket permissions for the R/W socket. This is used
-# for full management of VMs
-#
-# Default allows only root. If PolicyKit is enabled on the socket,
-# the default will change to allow everyone (eg, 0777)
-#
-# If not using PolicyKit and setting group ownership for access
-# control, then you may want to relax this too.
-#unix_sock_rw_perms = "0770"
-
-# Set the UNIX socket permissions for the admin interface socket.
-#
-# Default allows only owner (root), do not change it unless you are
-# sure to whom you are exposing the access to.
-#unix_sock_admin_perms = "0700"
-
-# Set the name of the directory in which sockets will be found/created.
-#unix_sock_dir = "/var/run/libvirt"
-
-
-
-#################################################################
-#
-# Authentication.
-#
-# - none: do not perform auth checks. If you can connect to the
-# socket you are allowed. This is suitable if there are
-# restrictions on connecting to the socket (eg, UNIX
-# socket permissions), or if there is a lower layer in
-# the network providing auth (eg, TLS/x509 certificates)
-#
-# - sasl: use SASL infrastructure. The actual auth scheme is then
-# controlled from /etc/sasl2/libvirt.conf. For the TCP
-# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
-# For non-TCP or TLS sockets, any scheme is allowed.
-#
-# - polkit: use PolicyKit to authenticate. This is only suitable
-# for use on the UNIX sockets. The default policy will
-# require a user to supply their own password to gain
-# full read/write access (aka sudo like), while anyone
-# is allowed read/only access.
-#
-# Set an authentication scheme for UNIX read-only sockets
-# By default socket permissions allow anyone to connect
-#
-# To restrict monitoring of domains you may wish to enable
-# an authentication mechanism here
-#auth_unix_ro = "none"
-
-# Set an authentication scheme for UNIX read-write sockets
-# By default socket permissions only allow root. If PolicyKit
-# support was compiled into libvirt, the default will be to
-# use 'polkit' auth.
-#
-# If the unix_sock_rw_perms are changed you may wish to enable
-# an authentication mechanism here
-#auth_unix_rw = "none"
-
-# Change the authentication scheme for TCP sockets.
-#
-# If you don't enable SASL, then all TCP traffic is cleartext.
-# Don't do this outside of a dev/test scenario. For real world
-# use, always enable SASL and use the GSSAPI or DIGEST-MD5
-# mechanism in /etc/sasl2/libvirt.conf
-#auth_tcp = "sasl"
-
-# Change the authentication scheme for TLS sockets.
-#
-# TLS sockets already have encryption provided by the TLS
-# layer, and limited authentication is done by certificates
-#
-# It is possible to make use of any SASL authentication
-# mechanism as well, by using 'sasl' for this option
-#auth_tls = "none"
-
-
-# Change the API access control scheme
-#
-# By default an authenticated user is allowed access
-# to all APIs. Access drivers can place restrictions
-# on this. By default the 'nop' driver is enabled,
-# meaning no access control checks are done once a
-# client has authenticated with libvirtd
-#
-#access_drivers = [ "polkit" ]
-
-#################################################################
-#
-# TLS x509 certificate configuration
-#
-
-# Use of TLS requires that x509 certificates be issued. The default locations
-# for the certificate files is as follows:
-#
-# /etc/pki/CA/cacert.pem - The CA master certificate
-# /etc/pki/libvirt/servercert.pem - The server certificate signed with
-# the cacert.pem
-# /etc/pki/libvirt/private/serverkey.pem - The server private key
-#
-# It is possible to override the default locations by altering the 'key_file',
-# 'cert_file', and 'ca_file' values and uncommenting them below.
-#
-# NB, overriding the default of one location requires uncommenting and
-# possibly additionally overriding the other settings.
-#
-
-# Override the default server key file path
-#
-#key_file = "/etc/pki/libvirt/private/serverkey.pem"
-
-# Override the default server certificate file path
-#
-#cert_file = "/etc/pki/libvirt/servercert.pem"
-
-# Override the default CA certificate path
-#
-#ca_file = "/etc/pki/CA/cacert.pem"
-
-# Specify a certificate revocation list.
-#
-# Defaults to not using a CRL, uncomment to enable it
-#crl_file = "/etc/pki/CA/crl.pem"
-
-
-
-#################################################################
-#
-# Authorization controls
-#
-
-
-# Flag to disable verification of our own server certificates
-#
-# When libvirtd starts it performs some sanity checks against
-# its own certificates.
-#
-# Default is to always run sanity checks. Uncommenting this
-# will disable sanity checks which is not a good idea
-#tls_no_sanity_certificate = 1
-
-# Flag to disable verification of client certificates
-#
-# Client certificate verification is the primary authentication mechanism.
-# Any client which does not present a certificate signed by the CA
-# will be rejected.
-#
-# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
-#tls_no_verify_certificate = 1
-
-
-# A whitelist of allowed x509 Distinguished Names
-# This list may contain wildcards such as
-#
-# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no DN's are checked
-#tls_allowed_dn_list = ["DN1", "DN2"]
-
-
-# A whitelist of allowed SASL usernames. The format for username
-# depends on the SASL authentication mechanism. Kerberos usernames
-# look like username@REALM
-#
-# This list may contain wildcards such as
-#
-# "*@EXAMPLE.COM"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no Username's are checked
-#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
-
-
-# Override the compile time default TLS priority string. The
-# default is usually "NORMAL" unless overridden at build time.
-# Only set this is it is desired for libvirt to deviate from
-# the global default settings.
-#
-#tls_priority="NORMAL"
-
-
-#################################################################
-#
-# Processing controls
-#
-
-# The maximum number of concurrent client connections to allow
-# over all sockets combined.
-#max_clients = 5000
-
-# The maximum length of queue of connections waiting to be
-# accepted by the daemon. Note, that some protocols supporting
-# retransmission may obey this so that a later reattempt at
-# connection succeeds.
-#max_queued_clients = 1000
-
-# The maximum length of queue of accepted but not yet
-# authenticated clients. The default value is 20. Set this to
-# zero to turn this feature off.
-#max_anonymous_clients = 20
-
-# The minimum limit sets the number of workers to start up
-# initially. If the number of active clients exceeds this,
-# then more threads are spawned, up to max_workers limit.
-# Typically you'd want max_workers to equal maximum number
-# of clients allowed
-#min_workers = 5
-#max_workers = 20
-
-
-# The number of priority workers. If all workers from above
-# pool are stuck, some calls marked as high priority
-# (notably domainDestroy) can be executed in this pool.
-#prio_workers = 5
-
-# Limit on concurrent requests from a single client
-# connection. To avoid one client monopolizing the server
-# this should be a small fraction of the global max_workers
-# parameter.
-#max_client_requests = 5
-
-# Same processing controls, but this time for the admin interface.
-# For description of each option, be so kind to scroll few lines
-# upwards.
-
-#admin_min_workers = 1
-#admin_max_workers = 5
-#admin_max_clients = 5
-#admin_max_queued_clients = 5
-#admin_max_client_requests = 5
-
-#################################################################
-#
-# Logging controls
-#
-
-# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
-# basically 1 will log everything possible
-# Note: Journald may employ rate limiting of the messages logged
-# and thus lock up the libvirt daemon. To use the debug level with
-# journald you have to specify it explicitly in 'log_outputs', otherwise
-# only information level messages will be logged.
-#log_level = 3
-
-# Logging filters:
-# A filter allows to select a different logging level for a given category
-# of logs
-# The format for a filter is one of:
-# x:name
-# x:+name
-
-# where name is a string which is matched against the category
-# given in the VIR_LOG_INIT() at the top of each libvirt source
-# file, e.g., "remote", "qemu", or "util.json" (the name in the
-# filter can be a substring of the full category name, in order
-# to match multiple similar categories), the optional "+" prefix
-# tells libvirt to log stack trace for each message matching
-# name, and x is the minimal level where matching messages should
-# be logged:
-
-# 1: DEBUG
-# 2: INFO
-# 3: WARNING
-# 4: ERROR
-#
-# Multiple filters can be defined in a single @filters, they just need to be
-# separated by spaces.
-#
-# e.g. to only get warning or errors from the remote layer and only errors
-# from the event layer:
-#log_filters="3:remote 4:event"
-
-# Logging outputs:
-# An output is one of the places to save logging information
-# The format for an output can be:
-# x:stderr
-# output goes to stderr
-# x:syslog:name
-# use syslog for the output and use the given name as the ident
-# x:file:file_path
-# output to a file, with the given filepath
-# x:journald
-# output to journald logging system
-# In all case the x prefix is the minimal level, acting as a filter
-# 1: DEBUG
-# 2: INFO
-# 3: WARNING
-# 4: ERROR
-#
-# Multiple outputs can be defined, they just need to be separated by spaces.
-# e.g. to log all warnings and errors to syslog under the libvirtd ident:
-#log_outputs="3:syslog:libvirtd"
-#
-
-# Log debug buffer size:
-#
-# This configuration option is no longer used, since the global
-# log buffer functionality has been removed. Please configure
-# suitable log_outputs/log_filters settings to obtain logs.
-#log_buffer_size = 64
-
-
-##################################################################
-#
-# Auditing
-#
-# This setting allows usage of the auditing subsystem to be altered:
-#
-# audit_level == 0 -> disable all auditing
-# audit_level == 1 -> enable auditing, only if enabled on host (default)
-# audit_level == 2 -> enable auditing, and exit if disabled on host
-#
-#audit_level = 2
-#
-# If set to 1, then audit messages will also be sent
-# via libvirt logging infrastructure. Defaults to 0
-#
-#audit_logging = 1
-
-###################################################################
-# UUID of the host:
-# Host UUID is read from one of the sources specified in host_uuid_source.
-#
-# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
-# - 'machine-id': fetch the UUID from /etc/machine-id
-#
-# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
-# a valid UUID a temporary UUID will be generated.
-#
-# Another option is to specify host UUID in host_uuid.
-#
-# Keep the format of the example UUID below. UUID must not have all digits
-# be the same.
-
-# NB This default all-zeros UUID will not work. Replace
-# it with the output of the 'uuidgen' command and then
-# uncomment this entry
-#host_uuid = "00000000-0000-0000-0000-000000000000"
-#host_uuid_source = "smbios"
-
-###################################################################
-# Keepalive protocol:
-# This allows libvirtd to detect broken client connections or even
-# dead clients. A keepalive message is sent to a client after
-# keepalive_interval seconds of inactivity to check if the client is
-# still responding; keepalive_count is a maximum number of keepalive
-# messages that are allowed to be sent to the client without getting
-# any response before the connection is considered broken. In other
-# words, the connection is automatically closed approximately after
-# keepalive_interval * (keepalive_count + 1) seconds since the last
-# message received from the client. If keepalive_interval is set to
-# -1, libvirtd will never send keepalive requests; however clients
-# can still send them and the daemon will send responses. When
-# keepalive_count is set to 0, connections will be automatically
-# closed after keepalive_interval seconds of inactivity without
-# sending any keepalive messages.
-#
-#keepalive_interval = 5
-#keepalive_count = 5
-
-#
-# These configuration options are no longer used. There is no way to
-# restrict such clients from connecting since they first need to
-# connect in order to ask for keepalive.
-#
-#keepalive_required = 1
-#admin_keepalive_required = 1
-
-# Keepalive settings for the admin interface
-#admin_keepalive_interval = 5
-#admin_keepalive_count = 5
-
-###################################################################
-# Open vSwitch:
-# This allows to specify a timeout for openvswitch calls made by
-# libvirt. The ovs-vsctl utility is used for the configuration and
-# its timeout option is set by default to 5 seconds to avoid
-# potential infinite waits blocking libvirt.
-#
-#ovs_timeout = 5
+++ /dev/null
-module Test_libvirtd =
- ::CONFIG::
-
- test Libvirtd.lns get conf =
- { "listen_tls" = "0" }
- { "listen_tcp" = "1" }
- { "tls_port" = "16514" }
- { "tcp_port" = "16509" }
- { "listen_addr" = "192.168.0.1" }
- { "mdns_adv" = "1" }
- { "mdns_name" = "Virtualization Host Joe Demo" }
- { "unix_sock_group" = "libvirt" }
- { "unix_sock_ro_perms" = "0777" }
- { "unix_sock_rw_perms" = "0770" }
- { "unix_sock_admin_perms" = "0700" }
- { "unix_sock_dir" = "/var/run/libvirt" }
- { "auth_unix_ro" = "none" }
- { "auth_unix_rw" = "none" }
- { "auth_tcp" = "sasl" }
- { "auth_tls" = "none" }
- { "access_drivers"
- { "1" = "polkit" }
- }
- { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
- { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
- { "ca_file" = "/etc/pki/CA/cacert.pem" }
- { "crl_file" = "/etc/pki/CA/crl.pem" }
- { "tls_no_sanity_certificate" = "1" }
- { "tls_no_verify_certificate" = "1" }
- { "tls_allowed_dn_list"
- { "1" = "DN1"}
- { "2" = "DN2"}
- }
- { "sasl_allowed_username_list"
- { "1" = "joe@EXAMPLE.COM" }
- { "2" = "fred@EXAMPLE.COM" }
- }
- { "tls_priority" = "NORMAL" }
- { "max_clients" = "5000" }
- { "max_queued_clients" = "1000" }
- { "max_anonymous_clients" = "20" }
- { "min_workers" = "5" }
- { "max_workers" = "20" }
- { "prio_workers" = "5" }
- { "max_client_requests" = "5" }
- { "admin_min_workers" = "1" }
- { "admin_max_workers" = "5" }
- { "admin_max_clients" = "5" }
- { "admin_max_queued_clients" = "5" }
- { "admin_max_client_requests" = "5" }
- { "log_level" = "3" }
- { "log_filters" = "3:remote 4:event" }
- { "log_outputs" = "3:syslog:libvirtd" }
- { "log_buffer_size" = "64" }
- { "audit_level" = "2" }
- { "audit_logging" = "1" }
- { "host_uuid" = "00000000-0000-0000-0000-000000000000" }
- { "host_uuid_source" = "smbios" }
- { "keepalive_interval" = "5" }
- { "keepalive_count" = "5" }
- { "keepalive_required" = "1" }
- { "admin_keepalive_required" = "1" }
- { "admin_keepalive_interval" = "5" }
- { "admin_keepalive_count" = "5" }
- { "ovs_timeout" = "5" }
BUILT_SOURCES += $(LIBVIRTD_GENERATED)
+augeas_DATA += remote/libvirtd.aug
+
+augeastest_DATA += test_libvirtd.aug
+
+conf_DATA += remote/libvirtd.conf
+
+CLEANFILES += tets_libvirtd.aug
+
libvirtd_SOURCES = $(LIBVIRTD_SOURCES)
libvirtd_CFLAGS = \
$(NULL)
endif WITH_LIBVIRTD
+EXTRA_DIST += \
+ remote/test_libvirtd.aug.in \
+ remote/libvirtd.aug \
+ remote/libvirtd.conf \
+ $(NULL)
%protocol.c: %protocol.x %protocol.h $(srcdir)/rpc/genprotocol.pl
$(AM_V_GEN)$(PERL) -w $(srcdir)/rpc/genprotocol.pl $(RPCGEN) -c \
check-augeas-lockd \
check-augeas-libxl \
check-augeas-bhyve \
+ check-augeas-libvirtd \
$(NULL)
check-augeas: check-augeas-qemu check-augeas-lxc check-augeas-sanlock \
check-augeas-lockd check-augeas-virtlockd check-augeas-libxl \
- check-augeas-bhyve check-augeas-virtlogd
+ check-augeas-bhyve check-augeas-virtlogd check-augeas-libvirtd
AUG_GENTEST = $(PERL) $(top_srcdir)/build-aux/augeas-gentest.pl
EXTRA_DIST += $(top_srcdir)/build-aux/augeas-gentest.pl
'$(AUGPARSE)' -I $(srcdir)/logging test_virtlogd.aug; \
fi
+if WITH_LIBVIRTD
+test_libvirtd.aug: remote/test_libvirtd.aug.in \
+ remote/libvirtd.conf $(AUG_GENTEST)
+ $(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< $@
+
+check-augeas-libvirtd: test_libvirtd.aug
+ $(AM_V_GEN)if test -x '$(AUGPARSE)'; then \
+ '$(AUGPARSE)' -I $(srcdir)/remote test_libvirtd.aug; \
+ fi
+else ! WITH_LIBVIRTD
+check-augeas-libvirtd:
+endif ! WITH_LIBVIRTD
#
# Build our version script. This is composed of three parts:
#
--- /dev/null
+(* /etc/libvirt/libvirtd.conf *)
+
+module Libvirtd =
+ autoload xfm
+
+ let eol = del /[ \t]*\n/ "\n"
+ let value_sep = del /[ \t]*=[ \t]*/ " = "
+ let indent = del /[ \t]*/ ""
+
+ let array_sep = del /,[ \t\n]*/ ", "
+ let array_start = del /\[[ \t\n]*/ "[ "
+ let array_end = del /\]/ "]"
+
+ let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
+ let bool_val = store /0|1/
+ let int_val = store /-?[0-9]+/
+ let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
+ let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+
+ let str_entry (kw:string) = [ key kw . value_sep . str_val ]
+ let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
+ let int_entry (kw:string) = [ key kw . value_sep . int_val ]
+ let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+
+
+ (* Config entry grouped by function - same order as example config *)
+ let network_entry = bool_entry "listen_tls"
+ | bool_entry "listen_tcp"
+ | str_entry "tls_port"
+ | str_entry "tcp_port"
+ | str_entry "listen_addr"
+ | bool_entry "mdns_adv"
+ | str_entry "mdns_name"
+
+ let sock_acl_entry = str_entry "unix_sock_group"
+ | str_entry "unix_sock_ro_perms"
+ | str_entry "unix_sock_rw_perms"
+ | str_entry "unix_sock_admin_perms"
+ | str_entry "unix_sock_dir"
+
+ let authentication_entry = str_entry "auth_unix_ro"
+ | str_entry "auth_unix_rw"
+ | str_entry "auth_tcp"
+ | str_entry "auth_tls"
+
+ let certificate_entry = str_entry "key_file"
+ | str_entry "cert_file"
+ | str_entry "ca_file"
+ | str_entry "crl_file"
+
+ let authorization_entry = bool_entry "tls_no_verify_certificate"
+ | bool_entry "tls_no_sanity_certificate"
+ | str_array_entry "tls_allowed_dn_list"
+ | str_array_entry "sasl_allowed_username_list"
+ | str_array_entry "access_drivers"
+ | str_entry "tls_priority"
+
+ let processing_entry = int_entry "min_workers"
+ | int_entry "max_workers"
+ | int_entry "max_clients"
+ | int_entry "max_queued_clients"
+ | int_entry "max_anonymous_clients"
+ | int_entry "max_client_requests"
+ | int_entry "prio_workers"
+
+ let admin_processing_entry = int_entry "admin_min_workers"
+ | int_entry "admin_max_workers"
+ | int_entry "admin_max_clients"
+ | int_entry "admin_max_queued_clients"
+ | int_entry "admin_max_client_requests"
+
+ let logging_entry = int_entry "log_level"
+ | str_entry "log_filters"
+ | str_entry "log_outputs"
+ | int_entry "log_buffer_size"
+
+ let auditing_entry = int_entry "audit_level"
+ | bool_entry "audit_logging"
+
+ let keepalive_entry = int_entry "keepalive_interval"
+ | int_entry "keepalive_count"
+ | bool_entry "keepalive_required"
+
+ let admin_keepalive_entry = int_entry "admin_keepalive_interval"
+ | int_entry "admin_keepalive_count"
+ | bool_entry "admin_keepalive_required"
+
+ let misc_entry = str_entry "host_uuid"
+ | str_entry "host_uuid_source"
+ | int_entry "ovs_timeout"
+
+ (* Each enty in the config is one of the following three ... *)
+ let entry = network_entry
+ | sock_acl_entry
+ | authentication_entry
+ | certificate_entry
+ | authorization_entry
+ | processing_entry
+ | admin_processing_entry
+ | logging_entry
+ | auditing_entry
+ | keepalive_entry
+ | admin_keepalive_entry
+ | misc_entry
+ let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
+ let empty = [ label "#empty" . eol ]
+
+ let record = indent . entry . eol
+
+ let lns = ( record | comment | empty ) *
+
+ let filter = incl "/etc/libvirt/libvirtd.conf"
+ . Util.stdexcl
+
+ let xfm = transform lns filter
--- /dev/null
+# Master libvirt daemon configuration file
+#
+# For further information consult https://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+#mdns_adv = 1
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is substituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+#unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+#auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+# /etc/pki/CA/cacert.pem - The CA master certificate
+# /etc/pki/libvirt/servercert.pem - The server certificate signed with
+# the cacert.pem
+# /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+# Note: Journald may employ rate limiting of the messages logged
+# and thus lock up the libvirt daemon. To use the debug level with
+# journald you have to specify it explicitly in 'log_outputs', otherwise
+# only information level messages will be logged.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+
+# where name is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json" (the name in the
+# filter can be a substring of the full category name, in order
+# to match multiple similar categories), the optional "+" prefix
+# tells libvirt to log stack trace for each message matching
+# name, and x is the minimal level where matching messages should
+# be logged:
+
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# x:journald
+# output to journald logging system
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+#
+
+# Log debug buffer size:
+#
+# This configuration option is no longer used, since the global
+# log buffer functionality has been removed. Please configure
+# suitable log_outputs/log_filters settings to obtain logs.
+#log_buffer_size = 64
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used. There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5
--- /dev/null
+module Test_libvirtd =
+ ::CONFIG::
+
+ test Libvirtd.lns get conf =
+ { "listen_tls" = "0" }
+ { "listen_tcp" = "1" }
+ { "tls_port" = "16514" }
+ { "tcp_port" = "16509" }
+ { "listen_addr" = "192.168.0.1" }
+ { "mdns_adv" = "1" }
+ { "mdns_name" = "Virtualization Host Joe Demo" }
+ { "unix_sock_group" = "libvirt" }
+ { "unix_sock_ro_perms" = "0777" }
+ { "unix_sock_rw_perms" = "0770" }
+ { "unix_sock_admin_perms" = "0700" }
+ { "unix_sock_dir" = "/var/run/libvirt" }
+ { "auth_unix_ro" = "none" }
+ { "auth_unix_rw" = "none" }
+ { "auth_tcp" = "sasl" }
+ { "auth_tls" = "none" }
+ { "access_drivers"
+ { "1" = "polkit" }
+ }
+ { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
+ { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
+ { "ca_file" = "/etc/pki/CA/cacert.pem" }
+ { "crl_file" = "/etc/pki/CA/crl.pem" }
+ { "tls_no_sanity_certificate" = "1" }
+ { "tls_no_verify_certificate" = "1" }
+ { "tls_allowed_dn_list"
+ { "1" = "DN1"}
+ { "2" = "DN2"}
+ }
+ { "sasl_allowed_username_list"
+ { "1" = "joe@EXAMPLE.COM" }
+ { "2" = "fred@EXAMPLE.COM" }
+ }
+ { "tls_priority" = "NORMAL" }
+ { "max_clients" = "5000" }
+ { "max_queued_clients" = "1000" }
+ { "max_anonymous_clients" = "20" }
+ { "min_workers" = "5" }
+ { "max_workers" = "20" }
+ { "prio_workers" = "5" }
+ { "max_client_requests" = "5" }
+ { "admin_min_workers" = "1" }
+ { "admin_max_workers" = "5" }
+ { "admin_max_clients" = "5" }
+ { "admin_max_queued_clients" = "5" }
+ { "admin_max_client_requests" = "5" }
+ { "log_level" = "3" }
+ { "log_filters" = "3:remote 4:event" }
+ { "log_outputs" = "3:syslog:libvirtd" }
+ { "log_buffer_size" = "64" }
+ { "audit_level" = "2" }
+ { "audit_logging" = "1" }
+ { "host_uuid" = "00000000-0000-0000-0000-000000000000" }
+ { "host_uuid_source" = "smbios" }
+ { "keepalive_interval" = "5" }
+ { "keepalive_count" = "5" }
+ { "keepalive_required" = "1" }
+ { "admin_keepalive_required" = "1" }
+ { "admin_keepalive_interval" = "5" }
+ { "admin_keepalive_count" = "5" }
+ { "ovs_timeout" = "5" }
projects / libvirt.git / commitdiff