/src/remote/*_client_bodies.h
/src/remote/*_protocol.[ch]
/src/remote/*_stubs.h
+/src/remote/libvirtd.conf
/src/remote/test_libvirtd.aug
/src/rpc/virkeepaliveprotocol.[ch]
/src/rpc/virnetprotocol.[ch]
$(LIBVIRTD_SOURCES) \
remote/test_libvirtd.aug.in \
remote/libvirtd.aug \
- remote/libvirtd.conf \
+ remote/libvirtd.conf.in \
remote/libvirtd.policy \
remote/libvirtd.rules \
remote/libvirtd.sasl \
$(REMOTE_DRIVER_GENERATED) \
$(LIBVIRTD_GENERATED) \
$(NULL)
+CLEANFILES += \
+ remote/libvirtd.conf \
+ $(NULL)
if WITH_REMOTE
noinst_LTLIBRARIES += libvirt_driver_remote.la
augeastest_DATA += remote/test_libvirtd.aug
-conf_DATA += remote/libvirtd.conf
+nodist_conf_DATA += remote/libvirtd.conf
man8_MANS += libvirtd.8
$(LIBSOCKET) \
$(NULL)
+remote/libvirtd.conf: remote/libvirtd.conf.in
+ $(AM_V_GEN)$(SED) \
+ -e '/[@]CUT_ENABLE_IP[@]/d' \
+ -e '/[@]END[@]/d' \
+ -e 's|[@]DAEMON_NAME[@]|libvirtd|' \
+ $< > $@
+
INSTALL_DATA_DIRS += remote
install-data-remote:
remote/test_libvirtd.aug: remote/test_libvirtd.aug.in \
remote/libvirtd.conf $(AUG_GENTEST)
- $(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/remote/libvirtd.conf $< > $@
+ $(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< > $@
if WITH_SYSCTL
# Use $(prefix)/lib rather than $(libdir), since man sysctl.d insists on
+++ /dev/null
-# Master libvirt daemon configuration file
-#
-
-#################################################################
-#
-# Network connectivity controls
-#
-
-# Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# It is necessary to setup a CA and issue server certificates before
-# using this capability.
-#
-# This is enabled by default, uncomment this to disable it
-#listen_tls = 0
-
-# Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
-# have any effect.
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# Using the TCP socket requires SASL authentication by default. Only
-# SASL mechanisms which support data encryption are allowed. This is
-# DIGEST_MD5 and GSSAPI (Kerberos5)
-#
-# This is disabled by default, uncomment this to enable it.
-#listen_tcp = 1
-
-
-
-# Override the port for accepting secure TLS connections
-# This can be a port number, or service name
-#
-# This setting is not required or honoured if using systemd socket
-# activation with systemd version >= 227
-#
-#tls_port = "16514"
-
-# Override the port for accepting insecure TCP connections
-# This can be a port number, or service name
-#
-# This setting is not required or honoured if using systemd socket
-# activation with systemd version >= 227
-#
-#tcp_port = "16509"
-
-
-# Override the default configuration which binds to all network
-# interfaces. This can be a numeric IPv4/6 address, or hostname
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# If the libvirtd service is started in parallel with network
-# startup (e.g. with systemd), binding to addresses other than
-# the wildcards (0.0.0.0/::) might not be available yet.
-#
-#listen_addr = "192.168.0.1"
-
-
-#################################################################
-#
-# UNIX socket access controls
-#
-
-# Set the UNIX domain socket group ownership. This can be used to
-# allow a 'trusted' set of users access to management capabilities
-# without becoming root.
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# This is restricted to 'root' by default.
-#unix_sock_group = "libvirt"
-
-# Set the UNIX socket permissions for the R/O socket. This is used
-# for monitoring VM status only
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# Default allows any user. If setting group ownership, you may want to
-# restrict this too.
-#unix_sock_ro_perms = "0777"
-
-# Set the UNIX socket permissions for the R/W socket. This is used
-# for full management of VMs
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# Default allows only root. If PolicyKit is enabled on the socket,
-# the default will change to allow everyone (eg, 0777)
-#
-# If not using PolicyKit and setting group ownership for access
-# control, then you may want to relax this too.
-#unix_sock_rw_perms = "0770"
-
-# Set the UNIX socket permissions for the admin interface socket.
-#
-# This setting is not required or honoured if using systemd socket
-# activation.
-#
-# Default allows only owner (root), do not change it unless you are
-# sure to whom you are exposing the access to.
-#unix_sock_admin_perms = "0700"
-
-# Set the name of the directory in which sockets will be found/created.
-#
-# This setting is not required or honoured if using systemd socket
-# activation with systemd version >= 227
-#
-#unix_sock_dir = "/var/run/libvirt"
-
-
-
-#################################################################
-#
-# Authentication.
-#
-# - none: do not perform auth checks. If you can connect to the
-# socket you are allowed. This is suitable if there are
-# restrictions on connecting to the socket (eg, UNIX
-# socket permissions), or if there is a lower layer in
-# the network providing auth (eg, TLS/x509 certificates)
-#
-# - sasl: use SASL infrastructure. The actual auth scheme is then
-# controlled from /etc/sasl2/libvirt.conf. For the TCP
-# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
-# For non-TCP or TLS sockets, any scheme is allowed.
-#
-# - polkit: use PolicyKit to authenticate. This is only suitable
-# for use on the UNIX sockets. The default policy will
-# require a user to supply their own password to gain
-# full read/write access (aka sudo like), while anyone
-# is allowed read/only access.
-#
-# Set an authentication scheme for UNIX read-only sockets
-# By default socket permissions allow anyone to connect
-#
-# To restrict monitoring of domains you may wish to enable
-# an authentication mechanism here
-#auth_unix_ro = "none"
-
-# Set an authentication scheme for UNIX read-write sockets
-# By default socket permissions only allow root. If PolicyKit
-# support was compiled into libvirt, the default will be to
-# use 'polkit' auth.
-#
-# If the unix_sock_rw_perms are changed you may wish to enable
-# an authentication mechanism here
-#auth_unix_rw = "none"
-
-# Change the authentication scheme for TCP sockets.
-#
-# If you don't enable SASL, then all TCP traffic is cleartext.
-# Don't do this outside of a dev/test scenario. For real world
-# use, always enable SASL and use the GSSAPI or DIGEST-MD5
-# mechanism in /etc/sasl2/libvirt.conf
-#auth_tcp = "sasl"
-
-# Change the authentication scheme for TLS sockets.
-#
-# TLS sockets already have encryption provided by the TLS
-# layer, and limited authentication is done by certificates
-#
-# It is possible to make use of any SASL authentication
-# mechanism as well, by using 'sasl' for this option
-#auth_tls = "none"
-
-
-# Change the API access control scheme
-#
-# By default an authenticated user is allowed access
-# to all APIs. Access drivers can place restrictions
-# on this. By default the 'nop' driver is enabled,
-# meaning no access control checks are done once a
-# client has authenticated with libvirtd
-#
-#access_drivers = [ "polkit" ]
-
-#################################################################
-#
-# TLS x509 certificate configuration
-#
-
-# Use of TLS requires that x509 certificates be issued. The default locations
-# for the certificate files is as follows:
-#
-# /etc/pki/CA/cacert.pem - The CA master certificate
-# /etc/pki/libvirt/servercert.pem - The server certificate signed with
-# the cacert.pem
-# /etc/pki/libvirt/private/serverkey.pem - The server private key
-#
-# It is possible to override the default locations by altering the 'key_file',
-# 'cert_file', and 'ca_file' values and uncommenting them below.
-#
-# NB, overriding the default of one location requires uncommenting and
-# possibly additionally overriding the other settings.
-#
-
-# Override the default server key file path
-#
-#key_file = "/etc/pki/libvirt/private/serverkey.pem"
-
-# Override the default server certificate file path
-#
-#cert_file = "/etc/pki/libvirt/servercert.pem"
-
-# Override the default CA certificate path
-#
-#ca_file = "/etc/pki/CA/cacert.pem"
-
-# Specify a certificate revocation list.
-#
-# Defaults to not using a CRL, uncomment to enable it
-#crl_file = "/etc/pki/CA/crl.pem"
-
-
-
-#################################################################
-#
-# Authorization controls
-#
-
-
-# Flag to disable verification of our own server certificates
-#
-# When libvirtd starts it performs some sanity checks against
-# its own certificates.
-#
-# Default is to always run sanity checks. Uncommenting this
-# will disable sanity checks which is not a good idea
-#tls_no_sanity_certificate = 1
-
-# Flag to disable verification of client certificates
-#
-# Client certificate verification is the primary authentication mechanism.
-# Any client which does not present a certificate signed by the CA
-# will be rejected.
-#
-# Default is to always verify. Uncommenting this will disable
-# verification - make sure an IP whitelist is set
-#tls_no_verify_certificate = 1
-
-
-# A whitelist of allowed x509 Distinguished Names
-# This list may contain wildcards such as
-#
-# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no DN's are checked
-#tls_allowed_dn_list = ["DN1", "DN2"]
-
-
-# A whitelist of allowed SASL usernames. The format for username
-# depends on the SASL authentication mechanism. Kerberos usernames
-# look like username@REALM
-#
-# This list may contain wildcards such as
-#
-# "*@EXAMPLE.COM"
-#
-# See the POSIX fnmatch function for the format of the wildcards.
-#
-# NB If this is an empty list, no client can connect, so comment out
-# entirely rather than using empty list to disable these checks
-#
-# By default, no Username's are checked
-#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
-
-
-# Override the compile time default TLS priority string. The
-# default is usually "NORMAL" unless overridden at build time.
-# Only set this is it is desired for libvirt to deviate from
-# the global default settings.
-#
-#tls_priority="NORMAL"
-
-
-#################################################################
-#
-# Processing controls
-#
-
-# The maximum number of concurrent client connections to allow
-# over all sockets combined.
-#max_clients = 5000
-
-# The maximum length of queue of connections waiting to be
-# accepted by the daemon. Note, that some protocols supporting
-# retransmission may obey this so that a later reattempt at
-# connection succeeds.
-#max_queued_clients = 1000
-
-# The maximum length of queue of accepted but not yet
-# authenticated clients. The default value is 20. Set this to
-# zero to turn this feature off.
-#max_anonymous_clients = 20
-
-# The minimum limit sets the number of workers to start up
-# initially. If the number of active clients exceeds this,
-# then more threads are spawned, up to max_workers limit.
-# Typically you'd want max_workers to equal maximum number
-# of clients allowed
-#min_workers = 5
-#max_workers = 20
-
-
-# The number of priority workers. If all workers from above
-# pool are stuck, some calls marked as high priority
-# (notably domainDestroy) can be executed in this pool.
-#prio_workers = 5
-
-# Limit on concurrent requests from a single client
-# connection. To avoid one client monopolizing the server
-# this should be a small fraction of the global max_workers
-# parameter.
-#max_client_requests = 5
-
-# Same processing controls, but this time for the admin interface.
-# For description of each option, be so kind to scroll few lines
-# upwards.
-
-#admin_min_workers = 1
-#admin_max_workers = 5
-#admin_max_clients = 5
-#admin_max_queued_clients = 5
-#admin_max_client_requests = 5
-
-#################################################################
-#
-# Logging controls
-#
-
-# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
-# basically 1 will log everything possible
-#
-# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
-#
-# WARNING: It outputs too much information to practically read.
-# WARNING: The "log_filters" setting is recommended instead.
-#
-# WARNING: Journald applies rate limiting of messages and so libvirt
-# WARNING: will limit "log_level" to only allow values 3 or 4 if
-# WARNING: journald is the current output.
-#
-# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
-#log_level = 3
-
-# Logging filters:
-# A filter allows to select a different logging level for a given category
-# of logs. The format for a filter is one of:
-#
-# level:match
-# level:+match
-#
-# where 'match' is a string which is matched against the category
-# given in the VIR_LOG_INIT() at the top of each libvirt source
-# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
-# filter matches using shell wildcard syntax (see 'man glob(7)').
-# The 'match' is always treated as a substring match. IOW a match
-# string 'foo' is equivalent to '*foo*'.
-#
-# If 'match' contains the optional "+" prefix, it tells libvirt
-# to log stack trace for each message matching name.
-#
-# 'level' is the minimal level where matching messages should
-# be logged:
-#
-# 1: DEBUG
-# 2: INFO
-# 3: WARNING
-# 4: ERROR
-#
-# Multiple filters can be defined in a single @log_filters, they just need
-# to be separated by spaces. Note that libvirt performs "first" match, i.e.
-# if there are concurrent filters, the first one that matches will be applied,
-# given the order in @log_filters.
-#
-# A typical need is to capture information from a hypervisor driver,
-# public API entrypoints and some of the utility code. Some utility
-# code is very verbose and is generally not desired. Taking the QEMU
-# hypervisor as an example, a suitable filter string for debugging
-# might be to turn off object, json & event logging, but enable the
-# rest of the util code:
-#
-#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
-
-# Logging outputs:
-# An output is one of the places to save logging information
-# The format for an output can be:
-# level:stderr
-# output goes to stderr
-# level:syslog:name
-# use syslog for the output and use the given name as the ident
-# level:file:file_path
-# output to a file, with the given filepath
-# level:journald
-# output to journald logging system
-# In all cases 'level' is the minimal priority, acting as a filter
-# 1: DEBUG
-# 2: INFO
-# 3: WARNING
-# 4: ERROR
-#
-# Multiple outputs can be defined, they just need to be separated by spaces.
-# e.g. to log all warnings and errors to syslog under the libvirtd ident:
-#log_outputs="3:syslog:libvirtd"
-
-
-##################################################################
-#
-# Auditing
-#
-# This setting allows usage of the auditing subsystem to be altered:
-#
-# audit_level == 0 -> disable all auditing
-# audit_level == 1 -> enable auditing, only if enabled on host (default)
-# audit_level == 2 -> enable auditing, and exit if disabled on host
-#
-#audit_level = 2
-#
-# If set to 1, then audit messages will also be sent
-# via libvirt logging infrastructure. Defaults to 0
-#
-#audit_logging = 1
-
-###################################################################
-# UUID of the host:
-# Host UUID is read from one of the sources specified in host_uuid_source.
-#
-# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
-# - 'machine-id': fetch the UUID from /etc/machine-id
-#
-# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
-# a valid UUID a temporary UUID will be generated.
-#
-# Another option is to specify host UUID in host_uuid.
-#
-# Keep the format of the example UUID below. UUID must not have all digits
-# be the same.
-
-# NB This default all-zeros UUID will not work. Replace
-# it with the output of the 'uuidgen' command and then
-# uncomment this entry
-#host_uuid = "00000000-0000-0000-0000-000000000000"
-#host_uuid_source = "smbios"
-
-###################################################################
-# Keepalive protocol:
-# This allows libvirtd to detect broken client connections or even
-# dead clients. A keepalive message is sent to a client after
-# keepalive_interval seconds of inactivity to check if the client is
-# still responding; keepalive_count is a maximum number of keepalive
-# messages that are allowed to be sent to the client without getting
-# any response before the connection is considered broken. In other
-# words, the connection is automatically closed approximately after
-# keepalive_interval * (keepalive_count + 1) seconds since the last
-# message received from the client. If keepalive_interval is set to
-# -1, libvirtd will never send keepalive requests; however clients
-# can still send them and the daemon will send responses. When
-# keepalive_count is set to 0, connections will be automatically
-# closed after keepalive_interval seconds of inactivity without
-# sending any keepalive messages.
-#
-#keepalive_interval = 5
-#keepalive_count = 5
-
-#
-# These configuration options are no longer used. There is no way to
-# restrict such clients from connecting since they first need to
-# connect in order to ask for keepalive.
-#
-#keepalive_required = 1
-#admin_keepalive_required = 1
-
-# Keepalive settings for the admin interface
-#admin_keepalive_interval = 5
-#admin_keepalive_count = 5
-
-###################################################################
-# Open vSwitch:
-# This allows to specify a timeout for openvswitch calls made by
-# libvirt. The ovs-vsctl utility is used for the configuration and
-# its timeout option is set by default to 5 seconds to avoid
-# potential infinite waits blocking libvirt.
-#
-#ovs_timeout = 5
--- /dev/null
+# Master libvirt daemon configuration file
+#
+
+@CUT_ENABLE_IP@
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
+# have any effect.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
+# have any effect.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# If the @DAEMON_NAME@ service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+@END@
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+#unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#unix_sock_dir = "/var/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+#auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+@CUT_ENABLE_IP@
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+@END@
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with @DAEMON_NAME@
+#
+#access_drivers = [ "polkit" ]
+
+@CUT_ENABLE_IP@
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+# /etc/pki/CA/cacert.pem - The CA master certificate
+# /etc/pki/libvirt/servercert.pem - The server certificate signed with
+# the cacert.pem
+# /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+@END@
+#################################################################
+#
+# Authorization controls
+#
+
+
+@CUT_ENABLE_IP@
+# Flag to disable verification of our own server certificates
+#
+# When @DAEMON_NAME@ starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+@END@
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is one of:
+#
+# level:match
+# level:+match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# If 'match' contains the optional "+" prefix, it tells libvirt
+# to log stack trace for each message matching name.
+#
+# 'level' is the minimal level where matching messages should
+# be logged:
+#
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# A typical need is to capture information from a hypervisor driver,
+# public API entrypoints and some of the utility code. Some utility
+# code is very verbose and is generally not desired. Taking the QEMU
+# hypervisor as an example, a suitable filter string for debugging
+# might be to turn off object, json & event logging, but enable the
+# rest of the util code:
+#
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# level:stderr
+# output goes to stderr
+# level:syslog:name
+# use syslog for the output and use the given name as the ident
+# level:file:file_path
+# output to a file, with the given filepath
+# level:journald
+# output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident:
+#log_outputs="3:syslog:@DAEMON_NAME@"
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows @DAEMON_NAME@ to detect broken client connections or even
+# dead clients. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, @DAEMON_NAME@ will never send keepalive requests; however clients
+# can still send them and the daemon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used. There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5
{ "1" = "DN1"}
{ "2" = "DN2"}
}
+ { "tls_priority" = "NORMAL" }
{ "sasl_allowed_username_list"
{ "1" = "joe@EXAMPLE.COM" }
{ "2" = "fred@EXAMPLE.COM" }
}
- { "tls_priority" = "NORMAL" }
{ "max_clients" = "5000" }
{ "max_queued_clients" = "1000" }
{ "max_anonymous_clients" = "20" }
projects / libvirt.git / commitdiff