(* Config entry grouped by function - same order as example config *)
+ let default_tls_entry = str_entry "default_tls_x509_cert_dir"
+ | bool_entry "default_tls_x509_verify"
+
let vnc_entry = str_entry "vnc_listen"
| bool_entry "vnc_auto_unix_socket"
| bool_entry "vnc_tls"
let nvram_entry = str_array_entry "nvram"
(* Each entry in the config is one of the following ... *)
- let entry = vnc_entry
+ let entry = default_tls_entry
+ | vnc_entry
| spice_entry
| nogfx_entry
| remote_display_entry
# All settings described here are optional - if omitted, sensible
# defaults are used.
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# and optionally may contain
+#
+# dh-params.pem - the DH params configuration file
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+#default_tls_x509_verify = 1
+
# VNC is configured to listen on 127.0.0.1 by default.
# To make it listen on all public interfaces, uncomment
# this next option.
#vnc_tls = 1
-# Use of TLS requires that x509 certificates be issued. The
-# default it to keep them in /etc/pki/libvirt-vnc. This directory
-# must contain
-#
-# ca-cert.pem - the CA master certificate
-# server-cert.pem - the server certificate signed with ca-cert.pem
-# server-key.pem - the server private key
-#
-# This option allows the certificate directory to be changed
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
#
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
# Enabling this option will reject any client who does not have a
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
#vnc_tls_x509_verify = 1
#spice_tls = 1
-# Use of TLS requires that x509 certificates be issued. The
-# default it to keep them in /etc/pki/libvirt-spice. This directory
-# must contain
-#
-# ca-cert.pem - the CA master certificate
-# server-cert.pem - the server certificate signed with ca-cert.pem
-# server-key.pem - the server private key
-#
-# This option allows the certificate directory to be changed.
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist then the default_tls_x509_cert_dir
+# path will be used.
#
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
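Review bot: The sentence at L59-60 (repeated for spice at L82-83) describes a fallback the accompanying C change does not implement: the driver only tests whether the compiled-in `/etc/pki/libvirt-vnc` exists at initialisation, and a `vnc_tls_x509_cert_dir` value read from this file is stored without any existence check, so a mistyped path will not fall back to `default_tls_x509_cert_dir` but will fail when TLS is first used. Reword to match the code, e.g. `# If this option is not set and /etc/pki/libvirt-vnc does not exist,` / `# the default_tls_x509_cert_dir path will be used.`, and the same for the spice paragraph. It would also help to state under `default_tls_x509_cert_dir` that the default directory itself is never checked for existence (the C side says so in a comment), so a missing or empty directory surfaces only when a TLS-enabled service starts.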
if (virAsprintf(&cfg->autostartDir, "%s/qemu/autostart", cfg->configBaseDir) < 0)
goto error;
-
- if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
+ /* Set the default directory to find TLS X.509 certificates.
+ * This will then be used as a fallback if the service specific
+ * directory doesn't exist (although we don't check if this exists).
+ */
+ if (VIR_STRDUP(cfg->defaultTLSx509certdir,
+ SYSCONFDIR "/pki/qemu") < 0)
goto error;
- if (VIR_STRDUP(cfg->vncTLSx509certdir, SYSCONFDIR "/pki/libvirt-vnc") < 0)
+ if (VIR_STRDUP(cfg->vncListen, "127.0.0.1") < 0)
goto error;
if (VIR_STRDUP(cfg->spiceListen, "127.0.0.1") < 0)
goto error;
- if (VIR_STRDUP(cfg->spiceTLSx509certdir,
- SYSCONFDIR "/pki/libvirt-spice") < 0)
- goto error;
+ /*
+ * If a "SYSCONFDIR" + "pki/libvirt-<val>" exists, then assume someone
+ * has created a val specific area to place service specific certificates.
+ *
+ * If the service specific directory doesn't exist, 'assume' that the
+ * user has created and populated the "SYSCONFDIR" + "pki/libvirt-default".
+ */
+#define SET_TLS_X509_CERT_DEFAULT(val) \
+ do { \
+ if (virFileExists(SYSCONFDIR "/pki/libvirt-"#val)) { \
+ if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
+ SYSCONFDIR "/pki/libvirt-"#val) < 0) \
+ goto error; \
+ } else { \
+ if (VIR_STRDUP(cfg->val ## TLSx509certdir, \
+ cfg->defaultTLSx509certdir) < 0) \
+ goto error; \
+ } \
+ } while (false);
+
+ SET_TLS_X509_CERT_DEFAULT(vnc);
+ SET_TLS_X509_CERT_DEFAULT(spice);
+
+#undef SET_TLS_X509_CERT_DEFAULT
cfg->remotePortMin = QEMU_REMOTE_PORT_MIN;
cfg->remotePortMax = QEMU_REMOTE_PORT_MAX;
VIR_FREE(cfg->channelTargetDir);
VIR_FREE(cfg->nvramDir);
+ VIR_FREE(cfg->defaultTLSx509certdir);
+
VIR_FREE(cfg->vncTLSx509certdir);
VIR_FREE(cfg->vncListen);
VIR_FREE(cfg->vncPassword);
{
virConfPtr conf = NULL;
int ret = -1;
+ int rv;
size_t i, j;
char *stdioHandler = NULL;
char *user = NULL, *group = NULL;
if (!(conf = virConfReadFile(filename, 0)))
goto cleanup;
+ if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0)
+ goto cleanup;
+ if (virConfGetValueBool(conf, "default_tls_x509_verify", &cfg->defaultTLSx509verify) < 0)
+ goto cleanup;
if (virConfGetValueBool(conf, "vnc_auto_unix_socket", &cfg->vncAutoUnixSocket) < 0)
goto cleanup;
if (virConfGetValueBool(conf, "vnc_tls", &cfg->vncTLS) < 0)
goto cleanup;
- if (virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify) < 0)
+ if ((rv = virConfGetValueBool(conf, "vnc_tls_x509_verify", &cfg->vncTLSx509verify)) < 0)
goto cleanup;
+ if (rv == 0)
+ cfg->vncTLSx509verify = cfg->defaultTLSx509verify;
if (virConfGetValueString(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir) < 0)
goto cleanup;
if (virConfGetValueString(conf, "vnc_listen", &cfg->vncListen) < 0)
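Review bot: A `default_tls_x509_cert_dir` value read at L147 never reaches the vnc/spice fallback: `cfg->vncTLSx509certdir` and `cfg->spiceTLSx509certdir` were already derived in `virQEMUDriverConfigNew` (L125-126) from the compiled-in `SYSCONFDIR "/pki/qemu"`, and this hunk only replaces them when the per-service key is present, so unless code later in the function (outside the hunk) re-derives them, the fallback to the user-supplied default documented in qemu.conf silently does not happen. The per-service read should use the same `rv == 0` pattern the hunk already applies to `vnc_tls_x509_verify` and redo the fallback against the now-loaded default, as sketched below for vnc (spice is the same). Separately, the macro at L112-123 ends in `} while (false);` and each use at L125-126 adds another `;`, leaving an empty statement after each expansion; drop the semicolon from the definition. `virQEMUDriverConfigLoadFile` continues past the end of the hunk.
```c
    if (virConfGetValueString(conf, "default_tls_x509_cert_dir", &cfg->defaultTLSx509certdir) < 0)
        goto cleanup;
    /* … unchanged: default_tls_x509_verify, vnc_auto_unix_socket, vnc_tls, vnc_tls_x509_verify … */
    if ((rv = virConfGetValueString(conf, "vnc_tls_x509_cert_dir", &cfg->vncTLSx509certdir)) < 0)
        goto cleanup;
    /* No per-service directory configured and the compiled-in one is absent:
     * fall back to the default directory, which may have just been overridden
     * by default_tls_x509_cert_dir above. */
    if (rv == 0 && !virFileExists(SYSCONFDIR "/pki/libvirt-vnc")) {
        VIR_FREE(cfg->vncTLSx509certdir);
        if (VIR_STRDUP(cfg->vncTLSx509certdir, cfg->defaultTLSx509certdir) < 0)
            goto cleanup;
    }
```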
char *channelTargetDir;
char *nvramDir;
+ char *defaultTLSx509certdir;
+ bool defaultTLSx509verify;
+
bool vncAutoUnixSocket;
bool vncTLS;
bool vncTLSx509verify;
::CONFIG::
test Libvirtd_qemu.lns get conf =
+{ "default_tls_x509_cert_dir" = "/etc/pki/qemu" }
+{ "default_tls_x509_verify" = "1" }
{ "vnc_listen" = "0.0.0.0" }
{ "vnc_auto_unix_socket" = "1" }
{ "vnc_tls" = "1" }