From: Cole Robinson Date: Thu, 21 Apr 2016 15:36:05 +0000 (-0400) Subject: tests: rename test_conf -> virconftest X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=4839822faf059fe24c161dae7458529de386ac55;p=libvirt.git tests: rename test_conf -> virconftest And confdata to virconfdata, since 'conf' can mean a few different things in libvirt --- diff --git a/cfg.mk b/cfg.mk index 09ff9fa9ca..cc5ea9ee1d 100644 --- a/cfg.mk +++ b/cfg.mk @@ -1179,7 +1179,7 @@ exclude_file_name_regexp--sc_prohibit_close = \ (\.p[yl]$$|\.spec\.in$$|^docs/|^(src/util/virfile\.c|src/libvirt-stream\.c|tests/vir.+mock\.c)$$) exclude_file_name_regexp--sc_prohibit_empty_lines_at_EOF = \ - (^tests/(qemuhelp|nodeinfo|virpcitest)data/|\.diff|tests/confdata/no-newline\.conf$$) + (^tests/(qemuhelp|nodeinfo|virpcitest)data/|\.diff|tests/virconfdata/no-newline\.conf$$) _src2=src/(util/vircommand|libvirt|lxc/lxc_controller|locking/lock_daemon|logging/log_daemon) exclude_file_name_regexp--sc_prohibit_fork_wrappers = \ diff --git a/tests/Makefile.am b/tests/Makefile.am index edf7b22c43..a803e84945 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -81,7 +81,6 @@ EXTRA_DIST = \ capabilityschemadata \ capabilityschematest \ commanddata \ - confdata \ cputestdata \ domaincapsschemadata \ domaincapsschematest \ @@ -142,6 +141,7 @@ EXTRA_DIST = \ vboxsnapshotxmldata \ vircaps2xmldata \ vircgroupdata \ + virconfdata \ virfiledata \ virmock.h \ virnetdaemondata \ @@ -158,7 +158,7 @@ EXTRA_DIST = \ xml2sexprdata \ xml2vmxdata -test_helpers = commandhelper ssh test_conf +test_helpers = commandhelper ssh virconftest test_programs = virshtest sockettest \ nodeinfotest virbuftest \ commandtest seclabeltest \ @@ -370,7 +370,7 @@ test_scripts = \ libvirtd_test_scripts = \ libvirtd-fail \ libvirtd-pool \ - test_conf.sh \ + virconftest.sh \ virsh-all \ virsh-cpuset \ virsh-define-dev-segfault \ 
@@ -857,9 +857,9 @@ virshtest_SOURCES = \ testutils.c testutils.h virshtest_LDADD = $(LDADDS) -test_conf_SOURCES = \ - test_conf.c -test_conf_LDADD = $(LDADDS) +virconftest_SOURCES = \ + virconftest.c +virconftest_LDADD = $(LDADDS) nodeinfotest_SOURCES = \ nodeinfotest.c testutils.h testutils.c diff --git a/tests/confdata/fc4.conf b/tests/confdata/fc4.conf deleted file mode 100644 index b64a0c49ef..0000000000 --- a/tests/confdata/fc4.conf +++ /dev/null @@ -1,11 +0,0 @@ -kernel="/boot/vmlinuz-2.6.15-1.2054_FC5xenU" -ramdisk="/boot/initrd-2.6.15-1.2054_FC5xenU.img" -memory=128 # should be enough -name="fc4" -vif = [ 'mac=aa:00:00:00:00:11, bridge=xenbr0', ] -disk = ['file:/xen/fc4.img,sda1,w'] -root = "/dev/sda1" -extra = "ro selinux=0 3" -on_reboot = 'restart' -# just for testing ... -tst = [ 1, 2, [ 3, 4 ], 5] diff --git a/tests/confdata/fc4.out b/tests/confdata/fc4.out deleted file mode 100644 index a4638da645..0000000000 --- a/tests/confdata/fc4.out +++ /dev/null @@ -1,11 +0,0 @@ -kernel = "/boot/vmlinuz-2.6.15-1.2054_FC5xenU" -ramdisk = "/boot/initrd-2.6.15-1.2054_FC5xenU.img" -memory = 128 # should be enough -name = "fc4" -vif = [ "mac=aa:00:00:00:00:11, bridge=xenbr0" ] -disk = [ "file:/xen/fc4.img,sda1,w" ] -root = "/dev/sda1" -extra = "ro selinux=0 3" -on_reboot = "restart" -# just for testing ... -tst = [ 1, 2, [ 3, 4 ], 5 ] diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf deleted file mode 100644 index 5029c4c2e7..0000000000 --- a/tests/confdata/libvirtd.conf +++ /dev/null 
@@ -1,235 +0,0 @@ -# Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html - - -################################################################# -# -# Network connectivitiy controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -tcp_port = "16509" - - - -# Flag toggling mDNS advertizement of the libvirt service. -# -# Alternatively can disable for all services on a host by -# stopping the Avahi daemon -# -# This is disabled by default, uncomment this to enable it -mdns_adv = 1 - -# Override the default mDNS advertizement name. This must be -# unique on the immediate broadcast network. -# -# The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is subsituted for the short hostname of the machine (without domain) -# -mdns_name = "Virtualization Host Joe Demo" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. 
This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This is restricted to 'root' by default. -unix_sock_group = "libvirt" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# Default allows any user. If setting group ownership may want to -# restrict this to: -unix_sock_ro_perms = "0777" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control then you may want to relax this to: -unix_sock_rw_perms = "0770" - -# Set the UNIX socket permissions for the admin interface socket. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to -unix_sock_admin_perms = "0700" - - - -################################################################# -# -# Authentication. -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. 
-# -# Set an authentication scheme for UNIX read-only sockets -# By default socket permissions allow anyone to connect -# -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -auth_unix_ro = "none" - -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -auth_unix_rw = "none" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -auth_tcp = "sasl" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -auth_tls = "none" - - - -################################################################# -# -# TLS x509 certificate configuration -# - - -# Override the default server key file path -# -key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. 
-# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set -tls_no_verify_certificate = 1 - - -# A whitelist of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -tls_allowed_dn_list = ["DN1", "DN2"] - - -# A whitelist of allowed SASL usernames. The format for usernames -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - -# UUID of the host: -# Provide the UUID of the host here in case the command -# 'dmidecode -s system-uuid' does not provide a valid uuid. In case -# 'dmidecode' does not provide a valid UUID and none is provided here, a -# temporary UUID will be generated. -# Keep the format of the example UUID below. - -host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e" diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out deleted file mode 100644 index 4d7ed47a90..0000000000 --- a/tests/confdata/libvirtd.out +++ /dev/null 
@@ -1,192 +0,0 @@ -# Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html -################################################################# -# -# Network connectivitiy controls -# -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -listen_tls = 0 -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -listen_tcp = 1 -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -tls_port = "16514" -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -tcp_port = "16509" -# Flag toggling mDNS advertizement of the libvirt service. -# -# Alternatively can disable for all services on a host by -# stopping the Avahi daemon -# -# This is disabled by default, uncomment this to enable it -mdns_adv = 1 -# Override the default mDNS advertizement name. This must be -# unique on the immediate broadcast network. -# -# The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is subsituted for the short hostname of the machine (without domain) -# -mdns_name = "Virtualization Host Joe Demo" -################################################################# -# -# UNIX socket access controls -# -# Set the UNIX domain socket group ownership. 
This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This is restricted to 'root' by default. -unix_sock_group = "libvirt" -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# Default allows any user. If setting group ownership may want to -# restrict this to: -unix_sock_ro_perms = "0777" -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control then you may want to relax this to: -unix_sock_rw_perms = "0770" -# Set the UNIX socket permissions for the admin interface socket. -# -# Default allows only owner (root), do not change it unless you are -# sure to whom you are exposing the access to -unix_sock_admin_perms = "0700" -################################################################# -# -# Authentication. -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. 
-# -# Set an authentication scheme for UNIX read-only sockets -# By default socket permissions allow anyone to connect -# -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -auth_unix_ro = "none" -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -auth_unix_rw = "none" -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -auth_tcp = "sasl" -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -auth_tls = "none" -################################################################# -# -# TLS x509 certificate configuration -# -# Override the default server key file path -# -key_file = "/etc/pki/libvirt/private/serverkey.pem" -# Override the default server certificate file path -# -cert_file = "/etc/pki/libvirt/servercert.pem" -# Override the default CA certificate path -# -ca_file = "/etc/pki/CA/cacert.pem" -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -crl_file = "/etc/pki/CA/crl.pem" -################################################################# -# -# Authorization controls -# -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. 
-# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set -tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -tls_allowed_dn_list = [ "DN1", "DN2" ] -# A whitelist of allowed SASL usernames. The format for usernames -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] -# UUID of the host: -# Provide the UUID of the host here in case the command -# 'dmidecode -s system-uuid' does not provide a valid uuid. In case -# 'dmidecode' does not provide a valid UUID and none is provided here, a -# temporary UUID will be generated. -# Keep the format of the example UUID below. -host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e" diff --git a/tests/confdata/no-newline.conf b/tests/confdata/no-newline.conf deleted file mode 100644 index 77e082e153..0000000000 --- a/tests/confdata/no-newline.conf +++ /dev/null @@ -1 +0,0 @@ -log_level=1 \ No newline at end of file diff --git a/tests/confdata/no-newline.out b/tests/confdata/no-newline.out deleted file mode 100644 index c00176146c..0000000000 --- a/tests/confdata/no-newline.out +++ /dev/null 
@@ -1 +0,0 @@ -log_level = 1 diff --git a/tests/test_conf.c b/tests/test_conf.c deleted file mode 100644 index 4d05d8dd10..0000000000 --- a/tests/test_conf.c +++ /dev/null @@ -1,48 +0,0 @@ -#include - -#include -#include -#include -#include -#include -#include "virconf.h" -#include "viralloc.h" - -int main(int argc, char **argv) -{ - int ret, exit_code = EXIT_FAILURE; - virConfPtr conf = NULL; - int len = 10000; - char *buffer = NULL; - - if (argc != 2) { - fprintf(stderr, "Usage: %s conf_file\n", argv[0]); - goto cleanup; - } - - if (VIR_ALLOC_N_QUIET(buffer, len) < 0) { - fprintf(stderr, "out of memory\n"); - goto cleanup; - } - conf = virConfReadFile(argv[1], 0); - if (conf == NULL) { - fprintf(stderr, "Failed to process %s\n", argv[1]); - goto cleanup; - } - ret = virConfWriteMem(buffer, &len, conf); - if (ret < 0) { - fprintf(stderr, "Failed to serialize %s back\n", argv[1]); - goto cleanup; - } - if (fwrite(buffer, 1, len, stdout) != len) { - fprintf(stderr, "Write failed: %s\n", strerror(errno)); - goto cleanup; - } - - exit_code = EXIT_SUCCESS; - - cleanup: - VIR_FREE(buffer); - virConfFree(conf); - return exit_code; -} diff --git a/tests/test_conf.sh b/tests/test_conf.sh deleted file mode 100755 index 2920e28316..0000000000 --- a/tests/test_conf.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh - -test -z "$srcdir" && srcdir=$(pwd) - -. "$srcdir/test-lib.sh" - -test_intro $this_test - -fail=0 -i=0 -data_dir=$abs_srcdir/confdata -for f in $(cd "$data_dir" && echo *.conf) -do - i=`expr $i + 1` - "$abs_builddir/test_conf" "$data_dir/$f" > "$f-actual" - expected="$data_dir"/`echo "$f" | sed s+\.conf$+\.out+` - if compare "$expected" "$f-actual"; then - ret=0 - else - ret=1 - fail=1 - fi - test_result $i "$f" $ret -done - -test_final $i $fail - -(exit $fail); exit $fail diff --git a/tests/virconfdata/fc4.conf b/tests/virconfdata/fc4.conf new file mode 100644 index 0000000000..b64a0c49ef --- /dev/null +++ b/tests/virconfdata/fc4.conf 
@@ -0,0 +1,11 @@ +kernel="/boot/vmlinuz-2.6.15-1.2054_FC5xenU" +ramdisk="/boot/initrd-2.6.15-1.2054_FC5xenU.img" +memory=128 # should be enough +name="fc4" +vif = [ 'mac=aa:00:00:00:00:11, bridge=xenbr0', ] +disk = ['file:/xen/fc4.img,sda1,w'] +root = "/dev/sda1" +extra = "ro selinux=0 3" +on_reboot = 'restart' +# just for testing ... +tst = [ 1, 2, [ 3, 4 ], 5] diff --git a/tests/virconfdata/fc4.out b/tests/virconfdata/fc4.out new file mode 100644 index 0000000000..a4638da645 --- /dev/null +++ b/tests/virconfdata/fc4.out @@ -0,0 +1,11 @@ +kernel = "/boot/vmlinuz-2.6.15-1.2054_FC5xenU" +ramdisk = "/boot/initrd-2.6.15-1.2054_FC5xenU.img" +memory = 128 # should be enough +name = "fc4" +vif = [ "mac=aa:00:00:00:00:11, bridge=xenbr0" ] +disk = [ "file:/xen/fc4.img,sda1,w" ] +root = "/dev/sda1" +extra = "ro selinux=0 3" +on_reboot = "restart" +# just for testing ... +tst = [ 1, 2, [ 3, 4 ], 5 ] diff --git a/tests/virconfdata/libvirtd.conf b/tests/virconfdata/libvirtd.conf new file mode 100644 index 0000000000..5029c4c2e7 --- /dev/null +++ b/tests/virconfdata/libvirtd.conf 
@@ -0,0 +1,235 @@ +# Master libvirt daemon configuration file +# +# For further information consult http://libvirt.org/format.html + + +################################################################# +# +# Network connectivitiy controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +tcp_port = "16509" + + + +# Flag toggling mDNS advertizement of the libvirt service. +# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is subsituted for the short hostname of the machine (without domain) +# +mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. 
This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership may want to +# restrict this to: +unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control then you may want to relax this to: +unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to +unix_sock_admin_perms = "0700" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. 
+# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +auth_tls = "none" + + + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. 
+# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. Uncommenting this will disable +# verification - make sure an IP whitelist is set +tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for usernames +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + +# UUID of the host: +# Provide the UUID of the host here in case the command +# 'dmidecode -s system-uuid' does not provide a valid uuid. In case +# 'dmidecode' does not provide a valid UUID and none is provided here, a +# temporary UUID will be generated. +# Keep the format of the example UUID below. + +host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e" diff --git a/tests/virconfdata/libvirtd.out b/tests/virconfdata/libvirtd.out new file mode 100644 index 0000000000..4d7ed47a90 --- /dev/null +++ b/tests/virconfdata/libvirtd.out 
@@ -0,0 +1,192 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+#################################################################
+#
+# Network connectivitiy controls
+#
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+listen_tls = 0
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+listen_tcp = 1
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+tls_port = "16514"
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+tcp_port = "16509"
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+mdns_adv = 1
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+mdns_name = "Virtualization Host Joe Demo"
+#################################################################
+#
+# UNIX socket access controls
+#
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+unix_sock_group = "libvirt"
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+unix_sock_ro_perms = "0777"
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = "none"
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+auth_tcp = "sasl"
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+auth_tls = "none"
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+# Override the default server key file path
+#
+key_file = "/etc/pki/libvirt/private/serverkey.pem"
+# Override the default server certificate file path
+#
+cert_file = "/etc/pki/libvirt/servercert.pem"
+# Override the default CA certificate path
+#
+ca_file = "/etc/pki/CA/cacert.pem"
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+crl_file = "/etc/pki/CA/crl.pem"
+#################################################################
+#
+# Authorization controls
+#
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+tls_no_verify_certificate = 1
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+tls_allowed_dn_list = [ "DN1", "DN2" ]
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+# UUID of the host:
+# Provide the UUID of the host here in case the command
+# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
+# 'dmidecode' does not provide a valid UUID and none is provided here, a
+# temporary UUID will be generated.
+# Keep the format of the example UUID below.
+host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
diff --git a/tests/virconfdata/no-newline.conf b/tests/virconfdata/no-newline.conf
new file mode 100644
index 0000000000..77e082e153
--- /dev/null
+++ b/tests/virconfdata/no-newline.conf
@@ -0,0 +1 @@
+log_level=1
\ No newline at end of file
diff --git a/tests/virconfdata/no-newline.out b/tests/virconfdata/no-newline.out
new file mode 100644
index 0000000000..c00176146c
--- /dev/null
+++ b/tests/virconfdata/no-newline.out
@@ -0,0 +1 @@
+log_level = 1
diff --git a/tests/virconftest.c b/tests/virconftest.c
new file mode 100644
index 0000000000..4d05d8dd10
--- /dev/null
+++ b/tests/virconftest.c
@@ -0,0 +1,48 @@
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include "virconf.h"
+#include "viralloc.h"
+
+int main(int argc, char **argv)
+{
+ int ret, exit_code = EXIT_FAILURE;
+ virConfPtr conf = NULL;
+ int len = 10000;
+ char *buffer = NULL;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s conf_file\n", argv[0]);
+ goto cleanup;
+ }
+
+ if (VIR_ALLOC_N_QUIET(buffer, len) < 0) {
+ fprintf(stderr, "out of memory\n");
+ goto cleanup;
+ }
+ conf = virConfReadFile(argv[1], 0);
+ if (conf == NULL) {
+ fprintf(stderr, "Failed to process %s\n", argv[1]);
+ goto cleanup;
+ }
+ ret = virConfWriteMem(buffer, &len, conf);
+ if (ret < 0) {
+ fprintf(stderr, "Failed to serialize %s back\n", argv[1]);
+ goto cleanup;
+ }
+ if (fwrite(buffer, 1, len, stdout) != len) {
+ fprintf(stderr, "Write failed: %s\n", strerror(errno));
+ goto cleanup;
+ }
+
+ exit_code = EXIT_SUCCESS;
+
+ cleanup:
+ VIR_FREE(buffer);
+ virConfFree(conf);
+ return exit_code;
+}
diff --git a/tests/virconftest.sh b/tests/virconftest.sh
new file mode 100755
index 0000000000..2920e28316
--- /dev/null
+++ b/tests/virconftest.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+test -z "$srcdir" && srcdir=$(pwd)
+
+. "$srcdir/test-lib.sh"
+
+test_intro $this_test
+
+fail=0
+i=0
+data_dir=$abs_srcdir/confdata
+for f in $(cd "$data_dir" && echo *.conf)
+do
+ i=`expr $i + 1`
+ "$abs_builddir/test_conf" "$data_dir/$f" > "$f-actual"
+ expected="$data_dir"/`echo "$f" | sed s+\.conf$+\.out+`
+ if compare "$expected" "$f-actual"; then
+ ret=0
+ else
+ ret=1
+ fail=1
+ fi
+ test_result $i "$f" $ret
+done
+
+test_final $i $fail
+
+(exit $fail); exit $fail
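Review bot: `data_dir=$abs_srcdir/confdata` and `"$abs_builddir/test_conf" "$data_dir/$f" > "$f-actual"` in the new tests/virconftest.sh still use the old names, while the data files in this diff are added under tests/virconfdata and the helper is now built from tests/virconftest.c, so the script will find neither its inputs nor its binary. Worse, the file list comes from `$(cd "$data_dir" && echo *.conf)`, and when that directory is missing the `cd` fails, the loop body never runs, `i` and `fail` stay 0 and the test reports success without comparing a single file, which hides the breakage from CI. The two lines should read `data_dir=$abs_srcdir/virconfdata` and `"$abs_builddir/virconftest" "$data_dir/$f" > "$f-actual"`. A guard before the loop such as `test -d "$data_dir" || fail=1` would keep a vacuous run from passing; how test_final reports that depends on test-lib.sh, which is outside this diff.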