(\.p[yl]$$|\.spec\.in$$|^docs/|^(src/util/virfile\.c|src/libvirt-stream\.c|tests/vir.+mock\.c)$$)
exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \
- (^tests/(qemuhelp|nodeinfo|virpcitest)data/|\.diff|tests/confdata/no-newline\.conf$$)
+ (^tests/(qemuhelp|nodeinfo|virpcitest)data/|\.diff|tests/virconfdata/no-newline\.conf$$)
_src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|logging/log_daemon)
exclude_file_name_regexp--sc_prohibit_fork_wrappers = \
capabilityschemadata \
capabilityschematest \
commanddata \
- confdata \
cputestdata \
domaincapsschemadata \
domaincapsschematest \
vboxsnapshotxmldata \
vircaps2xmldata \
vircgroupdata \
+ virconfdata \
virfiledata \
virmock.h \
virnetdaemondata \
xml2sexprdata \
xml2vmxdata
-test_helpers = commandhelper ssh test_conf
+test_helpers = commandhelper ssh virconftest
test_programs = virshtest sockettest \
nodeinfotest virbuftest \
commandtest seclabeltest \
libvirtd_test_scripts = \
libvirtd-fail \
libvirtd-pool \
- test_conf.sh \
+ virconftest.sh \
virsh-all \
virsh-cpuset \
virsh-define-dev-segfault \
testutils.c testutils.h
virshtest_LDADD = $(LDADDS)
-test_conf_SOURCES = \
- test_conf.c
-test_conf_LDADD = $(LDADDS)
+virconftest_SOURCES = \
+ virconftest.c
+virconftest_LDADD = $(LDADDS)
nodeinfotest_SOURCES = \
nodeinfotest.c testutils.h testutils.c
+++ /dev/null
-kernel="/boot/vmlinuz-2.6.15-1.2054_FC5xenU"
-ramdisk="/boot/initrd-2.6.15-1.2054_FC5xenU.img"
-memory=128 # should be enough
-name="fc4"
-vif = [ 'mac=aa:00:00:00:00:11, bridge=xenbr0', ]
-disk = ['file:/xen/fc4.img,sda1,w']
-root = "/dev/sda1"
-extra = "ro selinux=0 3"
-on_reboot = 'restart'
-# just for testing ...
-tst = [ 1, 2, [ 3, 4 ], 5]
+++ /dev/null
-kernel = "/boot/vmlinuz-2.6.15-1.2054_FC5xenU"
-ramdisk = "/boot/initrd-2.6.15-1.2054_FC5xenU.img"
-memory = 128 # should be enough
-name = "fc4"
-vif = [ "mac=aa:00:00:00:00:11, bridge=xenbr0" ]
-disk = [ "file:/xen/fc4.img,sda1,w" ]
-root = "/dev/sda1"
-extra = "ro selinux=0 3"
-on_reboot = "restart"
-# just for testing ...
-tst = [ 1, 2, [ 3, 4 ], 5 ]
+++ /dev/null
-# Master libvirt daemon configuration file
-#
-# For further information consult http://libvirt.org/format.html
-
-
-#################################################################
-#
-# Network connectivitiy controls
-#
-
-# Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# It is necessary to setup a CA and issue server certificates before
-# using this capability.
-#
-# This is enabled by default, uncomment this to disable it
-listen_tls = 0
-
-# Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# Using the TCP socket requires SASL authentication by default. Only
-# SASL mechanisms which support data encryption are allowed. This is
-# DIGEST_MD5 and GSSAPI (Kerberos5)
-#
-# This is disabled by default, uncomment this to enable it.
-listen_tcp = 1
-
-
-
-# Override the port for accepting secure TLS connections
-# This can be a port number, or service name
-#
-tls_port = "16514"
-
-# Override the port for accepting insecure TCP connections
-# This can be a port number, or service name
-#
-tcp_port = "16509"
-
-
-
-# Flag toggling mDNS advertizement of the libvirt service.
-#
-# Alternatively can disable for all services on a host by
-# stopping the Avahi daemon
-#
-# This is disabled by default, uncomment this to enable it
-mdns_adv = 1
-
-# Override the default mDNS advertizement name. This must be
-# unique on the immediate broadcast network.
-#
-# The default is "Virtualization Host HOSTNAME", where HOSTNAME
-# is subsituted for the short hostname of the machine (without domain)
-#
-mdns_name = "Virtualization Host Joe Demo"
-
-
-#################################################################
-#
-# UNIX socket access controls
-#
-
-# Set the UNIX domain socket group ownership. This can be used to
-# allow a 'trusted' set of users access to management capabilities
-# without becoming root.
-#
-# This is restricted to 'root' by default.
-unix_sock_group = "libvirt"
-
-# Set the UNIX socket permissions for the R/O socket. This is used
-# for monitoring VM status only
-#
-# Default allows any user. If setting group ownership may want to
-# restrict this to:
-unix_sock_ro_perms = "0777"
-
-# Set the UNIX socket permissions for the R/W socket. This is used
-# for full management of VMs
-#
-# Default allows only root. If PolicyKit is enabled on the socket,
-# the default will change to allow everyone (eg, 0777)
-#
-# If not using PolicyKit and setting group ownership for access
-# control then you may want to relax this to:
-unix_sock_rw_perms = "0770"
-
-# Set the UNIX socket permissions for the admin interface socket.
-#
-# Default allows only owner (root), do not change it unless you are
-# sure to whom you are exposing the access to
-unix_sock_admin_perms = "0700"
-
-
-
-#################################################################
-#
-# Authentication.
-#
-# - none: do not perform auth checks. If you can connect to the
-# socket you are allowed. This is suitable if there are
-# restrictions on connecting to the socket (eg, UNIX
-# socket permissions), or if there is a lower layer in
-# the network providing auth (eg, TLS/x509 certificates)
-#
-# - sasl: use SASL infrastructure. The actual auth scheme is then
-# controlled from /etc/sasl2/libvirt.conf. For the TCP
-# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
-# For non-TCP or TLS sockets, any scheme is allowed.
-#
-# - polkit: use PolicyKit to authenticate. This is only suitable
-# for use on the UNIX sockets. The default policy will
-# require a user to supply their own password to gain
-# full read/write access (aka sudo like), while anyone
-# is allowed read/only access.
-#
-# Set an authentication scheme for UNIX read-only sockets
-# By default socket permissions allow anyone to connect
-#
-# To restrict monitoring of domains you may wish to enable
-# an authentication mechanism here
-auth_unix_ro = "none"
-
-# Set an authentication scheme for UNIX read-write sockets
-# By default socket permissions only allow root. If PolicyKit
-# support was compiled into libvirt, the default will be to
-# use 'polkit' auth.
-#
-# If the unix_sock_rw_perms are changed you may wish to enable
-# an authentication mechanism here
-auth_unix_rw = "none"
-
-# Change the authentication scheme for TCP sockets.
-#
-# If you don't enable SASL, then all TCP traffic is cleartext.
-# Don't do this outside of a dev/test scenario. For real world
-# use, always enable SASL and use the GSSAPI or DIGEST-MD5
-# mechanism in /etc/sasl2/libvirt.conf
-auth_tcp = "sasl"
-
-# Change the authentication scheme for TLS sockets.
-#
-# TLS sockets already have encryption provided by the TLS
-# layer, and limited authentication is done by certificates
-#
-# It is possible to make use of any SASL authentication
-# mechanism as well, by using 'sasl' for this option
-auth_tls = "none"
-
-
-
-#################################################################
-#
-# TLS x509 certificate configuration
-#
-
-
-# Override the default server key file path
-#
-key_file = "/etc/pki/libvirt/private/serverkey.pem"
-
-# Override the default server certificate file path
-#
-cert_file = "/etc/pki/libvirt/servercert.pem"
-
-# Override the default CA certificate path
-#
-ca_file = "/etc/pki/CA/cacert.pem"
-
-# Specify a certificate revocation list.
-#
-# Defaults to not using a CRL, uncomment to enable it
-crl_file = "/etc/pki/CA/crl.pem"
-
-
-
-#################################################################
-#
-# Authorization controls
-#
-
-
-# Flag to disable verification of client certificates
-#
-# Client certificate verification is the primary authentication mechanism.
-# Any client which does not present a certificate signed by the CA
-# will be rejected.
-#
-# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
-tls_no_verify_certificate = 1
-
-
-# A whitelist of allowed x509 Distinguished Names
-# This list may contain wildcards such as
-#
-# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no DN's are checked
-tls_allowed_dn_list = ["DN1", "DN2"]
-
-
-# A whitelist of allowed SASL usernames. The format for usernames
-# depends on the SASL authentication mechanism. Kerberos usernames
-# look like username@REALM
-#
-# This list may contain wildcards such as
-#
-# "*@EXAMPLE.COM"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no Username's are checked
-sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
-
-# UUID of the host:
-# Provide the UUID of the host here in case the command
-# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
-# 'dmidecode' does not provide a valid UUID and none is provided here, a
-# temporary UUID will be generated.
-# Keep the format of the example UUID below.
-
-host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
+++ /dev/null
-# Master libvirt daemon configuration file
-#
-# For further information consult http://libvirt.org/format.html
-#################################################################
-#
-# Network connectivitiy controls
-#
-# Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# It is necessary to setup a CA and issue server certificates before
-# using this capability.
-#
-# This is enabled by default, uncomment this to disable it
-listen_tls = 0
-# Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# Using the TCP socket requires SASL authentication by default. Only
-# SASL mechanisms which support data encryption are allowed. This is
-# DIGEST_MD5 and GSSAPI (Kerberos5)
-#
-# This is disabled by default, uncomment this to enable it.
-listen_tcp = 1
-# Override the port for accepting secure TLS connections
-# This can be a port number, or service name
-#
-tls_port = "16514"
-# Override the port for accepting insecure TCP connections
-# This can be a port number, or service name
-#
-tcp_port = "16509"
-# Flag toggling mDNS advertizement of the libvirt service.
-#
-# Alternatively can disable for all services on a host by
-# stopping the Avahi daemon
-#
-# This is disabled by default, uncomment this to enable it
-mdns_adv = 1
-# Override the default mDNS advertizement name. This must be
-# unique on the immediate broadcast network.
-#
-# The default is "Virtualization Host HOSTNAME", where HOSTNAME
-# is subsituted for the short hostname of the machine (without domain)
-#
-mdns_name = "Virtualization Host Joe Demo"
-#################################################################
-#
-# UNIX socket access controls
-#
-# Set the UNIX domain socket group ownership. This can be used to
-# allow a 'trusted' set of users access to management capabilities
-# without becoming root.
-#
-# This is restricted to 'root' by default.
-unix_sock_group = "libvirt"
-# Set the UNIX socket permissions for the R/O socket. This is used
-# for monitoring VM status only
-#
-# Default allows any user. If setting group ownership may want to
-# restrict this to:
-unix_sock_ro_perms = "0777"
-# Set the UNIX socket permissions for the R/W socket. This is used
-# for full management of VMs
-#
-# Default allows only root. If PolicyKit is enabled on the socket,
-# the default will change to allow everyone (eg, 0777)
-#
-# If not using PolicyKit and setting group ownership for access
-# control then you may want to relax this to:
-unix_sock_rw_perms = "0770"
-# Set the UNIX socket permissions for the admin interface socket.
-#
-# Default allows only owner (root), do not change it unless you are
-# sure to whom you are exposing the access to
-unix_sock_admin_perms = "0700"
-#################################################################
-#
-# Authentication.
-#
-# - none: do not perform auth checks. If you can connect to the
-# socket you are allowed. This is suitable if there are
-# restrictions on connecting to the socket (eg, UNIX
-# socket permissions), or if there is a lower layer in
-# the network providing auth (eg, TLS/x509 certificates)
-#
-# - sasl: use SASL infrastructure. The actual auth scheme is then
-# controlled from /etc/sasl2/libvirt.conf. For the TCP
-# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
-# For non-TCP or TLS sockets, any scheme is allowed.
-#
-# - polkit: use PolicyKit to authenticate. This is only suitable
-# for use on the UNIX sockets. The default policy will
-# require a user to supply their own password to gain
-# full read/write access (aka sudo like), while anyone
-# is allowed read/only access.
-#
-# Set an authentication scheme for UNIX read-only sockets
-# By default socket permissions allow anyone to connect
-#
-# To restrict monitoring of domains you may wish to enable
-# an authentication mechanism here
-auth_unix_ro = "none"
-# Set an authentication scheme for UNIX read-write sockets
-# By default socket permissions only allow root. If PolicyKit
-# support was compiled into libvirt, the default will be to
-# use 'polkit' auth.
-#
-# If the unix_sock_rw_perms are changed you may wish to enable
-# an authentication mechanism here
-auth_unix_rw = "none"
-# Change the authentication scheme for TCP sockets.
-#
-# If you don't enable SASL, then all TCP traffic is cleartext.
-# Don't do this outside of a dev/test scenario. For real world
-# use, always enable SASL and use the GSSAPI or DIGEST-MD5
-# mechanism in /etc/sasl2/libvirt.conf
-auth_tcp = "sasl"
-# Change the authentication scheme for TLS sockets.
-#
-# TLS sockets already have encryption provided by the TLS
-# layer, and limited authentication is done by certificates
-#
-# It is possible to make use of any SASL authentication
-# mechanism as well, by using 'sasl' for this option
-auth_tls = "none"
-#################################################################
-#
-# TLS x509 certificate configuration
-#
-# Override the default server key file path
-#
-key_file = "/etc/pki/libvirt/private/serverkey.pem"
-# Override the default server certificate file path
-#
-cert_file = "/etc/pki/libvirt/servercert.pem"
-# Override the default CA certificate path
-#
-ca_file = "/etc/pki/CA/cacert.pem"
-# Specify a certificate revocation list.
-#
-# Defaults to not using a CRL, uncomment to enable it
-crl_file = "/etc/pki/CA/crl.pem"
-#################################################################
-#
-# Authorization controls
-#
-# Flag to disable verification of client certificates
-#
-# Client certificate verification is the primary authentication mechanism.
-# Any client which does not present a certificate signed by the CA
-# will be rejected.
-#
-# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
-tls_no_verify_certificate = 1
-# A whitelist of allowed x509 Distinguished Names
-# This list may contain wildcards such as
-#
-# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no DN's are checked
-tls_allowed_dn_list = [ "DN1", "DN2" ]
-# A whitelist of allowed SASL usernames. The format for usernames
-# depends on the SASL authentication mechanism. Kerberos usernames
-# look like username@REALM
-#
-# This list may contain wildcards such as
-#
-# "*@EXAMPLE.COM"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no Username's are checked
-sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
-# UUID of the host:
-# Provide the UUID of the host here in case the command
-# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
-# 'dmidecode' does not provide a valid UUID and none is provided here, a
-# temporary UUID will be generated.
-# Keep the format of the example UUID below.
-host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
+++ /dev/null
-log_level=1
\ No newline at end of file
+++ /dev/null
-log_level = 1
+++ /dev/null
-#include <config.h>
-
-#include <unistd.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include "virconf.h"
-#include "viralloc.h"
-
-int main(int argc, char **argv)
-{
- int ret, exit_code = EXIT_FAILURE;
- virConfPtr conf = NULL;
- int len = 10000;
- char *buffer = NULL;
-
- if (argc != 2) {
- fprintf(stderr, "Usage: %s conf_file\n", argv[0]);
- goto cleanup;
- }
-
- if (VIR_ALLOC_N_QUIET(buffer, len) < 0) {
- fprintf(stderr, "out of memory\n");
- goto cleanup;
- }
- conf = virConfReadFile(argv[1], 0);
- if (conf == NULL) {
- fprintf(stderr, "Failed to process %s\n", argv[1]);
- goto cleanup;
- }
- ret = virConfWriteMem(buffer, &len, conf);
- if (ret < 0) {
- fprintf(stderr, "Failed to serialize %s back\n", argv[1]);
- goto cleanup;
- }
- if (fwrite(buffer, 1, len, stdout) != len) {
- fprintf(stderr, "Write failed: %s\n", strerror(errno));
- goto cleanup;
- }
-
- exit_code = EXIT_SUCCESS;
-
- cleanup:
- VIR_FREE(buffer);
- virConfFree(conf);
- return exit_code;
-}
+++ /dev/null
-#!/bin/sh
-
-test -z "$srcdir" && srcdir=$(pwd)
-
-. "$srcdir/test-lib.sh"
-
-test_intro $this_test
-
-fail=0
-i=0
-data_dir=$abs_srcdir/confdata
-for f in $(cd "$data_dir" && echo *.conf)
-do
- i=`expr $i + 1`
- "$abs_builddir/test_conf" "$data_dir/$f" > "$f-actual"
- expected="$data_dir"/`echo "$f" | sed s+\.conf$+\.out+`
- if compare "$expected" "$f-actual"; then
- ret=0
- else
- ret=1
- fail=1
- fi
- test_result $i "$f" $ret
-done
-
-test_final $i $fail
-
-(exit $fail); exit $fail
--- /dev/null
+kernel="/boot/vmlinuz-2.6.15-1.2054_FC5xenU"
+ramdisk="/boot/initrd-2.6.15-1.2054_FC5xenU.img"
+memory=128 # should be enough
+name="fc4"
+vif = [ 'mac=aa:00:00:00:00:11, bridge=xenbr0', ]
+disk = ['file:/xen/fc4.img,sda1,w']
+root = "/dev/sda1"
+extra = "ro selinux=0 3"
+on_reboot = 'restart'
+# just for testing ...
+tst = [ 1, 2, [ 3, 4 ], 5]
--- /dev/null
+kernel = "/boot/vmlinuz-2.6.15-1.2054_FC5xenU"
+ramdisk = "/boot/initrd-2.6.15-1.2054_FC5xenU.img"
+memory = 128 # should be enough
+name = "fc4"
+vif = [ "mac=aa:00:00:00:00:11, bridge=xenbr0" ]
+disk = [ "file:/xen/fc4.img,sda1,w" ]
+root = "/dev/sda1"
+extra = "ro selinux=0 3"
+on_reboot = "restart"
+# just for testing ...
+tst = [ 1, 2, [ 3, 4 ], 5 ]
--- /dev/null
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+#################################################################
+#
+# Network connectivitiy controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+tcp_port = "16509"
+
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+mdns_adv = 1
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+auth_tls = "none"
+
+
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+
+# Override the default server key file path
+#
+key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+# UUID of the host:
+# Provide the UUID of the host here in case the command
+# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
+# 'dmidecode' does not provide a valid UUID and none is provided here, a
+# temporary UUID will be generated.
+# Keep the format of the example UUID below.
+
+host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
--- /dev/null
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+#################################################################
+#
+# Network connectivitiy controls
+#
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+listen_tls = 0
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+listen_tcp = 1
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+tls_port = "16514"
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+tcp_port = "16509"
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+mdns_adv = 1
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+mdns_name = "Virtualization Host Joe Demo"
+#################################################################
+#
+# UNIX socket access controls
+#
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+unix_sock_group = "libvirt"
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+unix_sock_ro_perms = "0777"
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = "none"
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+auth_tcp = "sasl"
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+auth_tls = "none"
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+# Override the default server key file path
+#
+key_file = "/etc/pki/libvirt/private/serverkey.pem"
+# Override the default server certificate file path
+#
+cert_file = "/etc/pki/libvirt/servercert.pem"
+# Override the default CA certificate path
+#
+ca_file = "/etc/pki/CA/cacert.pem"
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+crl_file = "/etc/pki/CA/crl.pem"
+#################################################################
+#
+# Authorization controls
+#
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+tls_no_verify_certificate = 1
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+tls_allowed_dn_list = [ "DN1", "DN2" ]
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+# UUID of the host:
+# Provide the UUID of the host here in case the command
+# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
+# 'dmidecode' does not provide a valid UUID and none is provided here, a
+# temporary UUID will be generated.
+# Keep the format of the example UUID below.
+host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
--- /dev/null
+log_level=1
\ No newline at end of file
--- /dev/null
+log_level = 1
--- /dev/null
+#include <config.h>
+
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <errno.h>
+#include "virconf.h"
+#include "viralloc.h"
+
+int main(int argc, char **argv)
+{
+ int ret, exit_code = EXIT_FAILURE;
+ virConfPtr conf = NULL;
+ int len = 10000;
+ char *buffer = NULL;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s conf_file\n", argv[0]);
+ goto cleanup;
+ }
+
+ if (VIR_ALLOC_N_QUIET(buffer, len) < 0) {
+ fprintf(stderr, "out of memory\n");
+ goto cleanup;
+ }
+ conf = virConfReadFile(argv[1], 0);
+ if (conf == NULL) {
+ fprintf(stderr, "Failed to process %s\n", argv[1]);
+ goto cleanup;
+ }
+ ret = virConfWriteMem(buffer, &len, conf);
+ if (ret < 0) {
+ fprintf(stderr, "Failed to serialize %s back\n", argv[1]);
+ goto cleanup;
+ }
+ if (fwrite(buffer, 1, len, stdout) != len) {
+ fprintf(stderr, "Write failed: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ exit_code = EXIT_SUCCESS;
+
+ cleanup:
+ VIR_FREE(buffer);
+ virConfFree(conf);
+ return exit_code;
+}
--- /dev/null
+#!/bin/sh
+
+test -z "$srcdir" && srcdir=$(pwd)
+
+. "$srcdir/test-lib.sh"
+
+test_intro $this_test
+
+fail=0
+i=0
+data_dir=$abs_srcdir/confdata
+for f in $(cd "$data_dir" && echo *.conf)
+do
+ i=`expr $i + 1`
+ "$abs_builddir/test_conf" "$data_dir/$f" > "$f-actual"
+ expected="$data_dir"/`echo "$f" | sed s+\.conf$+\.out+`
+ if compare "$expected" "$f-actual"; then
+ ret=0
+ else
+ ret=1
+ fail=1
+ fi
+ test_result $i "$f" $ret
+done
+
+test_final $i $fail
+
+(exit $fail); exit $fail
projects / libvirt.git / commitdiff