On Tue, Jul 30, 2019 at 12:48:03PM +0200, Christophe de Dinechin wrote: > > Daniel P. Berrangé writes: > > > Prepare for reusing libvirtd config to create other daemons by making > > the config parameters for IP sockets conditionally defined by the make > > rules. > > > > The main libvirtd daemon will retain IP listen ability, but all the > > driver specific daemons will be local UNIX sockets only. Apps needing > > IP connectivity will connect via the libvirtd daemon which will proxy > > to the driver specific daemon. > > > > Reviewed-by: Andrea Bolognani <abologna@xxxxxxxxxx> > > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in > > similarity index 95% > > rename from src/remote/libvirtd.conf > > rename to src/remote/libvirtd.conf.in > > index b63b8d61b7..e351a8c190 100644 > > --- a/src/remote/libvirtd.conf > > +++ b/src/remote/libvirtd.conf.in > > @@ -1,13 +1,14 @@ > > # Master libvirt daemon configuration file > > # > > > > +@CUT_ENABLE_IP@ > > ################################################################# > > # > > # Network connectivity controls > > # > > > > # Flag listening for secure TLS connections on the public TCP/IP port. > > -# NB, must pass the --listen flag to the libvirtd process for this to > > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to > > # have any effect. > > # > > # This setting is not required or honoured if using systemd socket > > @@ -20,7 +21,7 @@ > > #listen_tls = 0 > > > > # Listen for unencrypted TCP connections on the public TCP/IP port. > > -# NB, must pass the --listen flag to the libvirtd process for this to > > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to > > # have any effect. > > # > > # This setting is not required or honoured if using systemd socket 
> > @@ -58,13 +59,14 @@ > > # This setting is not required or honoured if using systemd socket > > # activation. > > # > > -# If the libvirtd service is started in parallel with network > > +# If the @DAEMON_NAME@ service is started in parallel with network > > # startup (e.g. with systemd), binding to addresses other than > > # the wildcards (0.0.0.0/::) might not be available yet. > > # > > #listen_addr = "192.168.0.1" > > > > > > +@END@ > > ################################################################# > > # > > # UNIX socket access controls > > @@ -157,6 +159,7 @@ > > # If the unix_sock_rw_perms are changed you may wish to enable > > # an authentication mechanism here > > #auth_unix_rw = "none" > > +@CUT_ENABLE_IP@ > > > > # Change the authentication scheme for TCP sockets. > > # > > @@ -174,6 +177,7 @@ > > # It is possible to make use of any SASL authentication > > # mechanism as well, by using 'sasl' for this option > > #auth_tls = "none" > > +@END@ > > > > > > # Change the API access control scheme > > @@ -182,10 +186,11 @@ > > # to all APIs. Access drivers can place restrictions > > # on this. By default the 'nop' driver is enabled, > > # meaning no access control checks are done once a > > -# client has authenticated with libvirtd > > +# client has authenticated with @DAEMON_NAME@ > > # > > #access_drivers = [ "polkit" ] > > > > +@CUT_ENABLE_IP@ > > ################################################################# > > # > > # TLS x509 certificate configuration > > @@ -225,15 +230,17 @@ > > > > > > > > +@END@ > > ################################################################# > > # > > # Authorization controls > > # > > > > > > +@CUT_ENABLE_IP@ > > # Flag to disable verification of our own server certificates > > # > > -# When libvirtd starts it performs some sanity checks against > > +# When @DAEMON_NAME@ starts it performs some sanity checks against > > # its own certificates. > > # > > # Default is to always run sanity checks. Uncommenting this 
> > @@ -265,6 +272,15 @@ > > #tls_allowed_dn_list = ["DN1", "DN2"] > > > > > > +# Override the compile time default TLS priority string. The > > +# default is usually "NORMAL" unless overridden at build time. > > +# Only set this is it is desired for libvirt to deviate from > > +# the global default settings. > > +# > > +#tls_priority="NORMAL" > > + > > + > > +@END@ > > # A whitelist of allowed SASL usernames. The format for username > > # depends on the SASL authentication mechanism. Kerberos usernames > > # look like username@REALM > > @@ -282,14 +298,6 @@ > > #sasl_allowed_username_list = ["joe@xxxxxxxxxxx", "fred@xxxxxxxxxxx" ] > > > > > > -# Override the compile time default TLS priority string. The > > -# default is usually "NORMAL" unless overridden at build time. > > -# Only set this is it is desired for libvirt to deviate from > > -# the global default settings. > > -# > > -#tls_priority="NORMAL" > > - > > - > > ################################################################# > > # > > # Processing controls > > @@ -417,8 +425,8 @@ > > # 4: ERROR > > # > > # Multiple outputs can be defined, they just need to be separated by spaces. > > -# e.g. to log all warnings and errors to syslog under the libvirtd ident: > > -#log_outputs="3:syslog:libvirtd" > > +# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident: > > +#log_outputs="3:syslog:@DAEMON_NAME@" > > > > > > ################################################################## > > @@ -461,7 +469,7 @@ > > > > ################################################################### > > # Keepalive protocol: > > -# This allows libvirtd to detect broken client connections or even > > +# This allows @DAEMON_NAME@ to detect broken client connections or even > > # dead clients. A keepalive message is sent to a client after > > # keepalive_interval seconds of inactivity to check if the client is > > # still responding; keepalive_count is a maximum number of keepalive 
> > @@ -470,7 +478,7 @@ > > # words, the connection is automatically closed approximately after > > # keepalive_interval * (keepalive_count + 1) seconds since the last > > # message received from the client. If keepalive_interval is set to > > -# -1, libvirtd will never send keepalive requests; however clients > > +# -1, @DAEMON_NAME@ will never send keepalive requests; however clients > > # can still send them and the daemon will send responses. When > > # keepalive_count is set to 0, connections will be automatically > > # closed after keepalive_interval seconds of inactivity without > > diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in > > index 6c51b7b9e7..d768b30b55 100644 > > --- a/src/remote/test_libvirtd.aug.in > > +++ b/src/remote/test_libvirtd.aug.in > > @@ -29,11 +29,11 @@ module Test_libvirtd = > > { "1" = "DN1"} > > { "2" = "DN2"} > > } > > + { "tls_priority" = "NORMAL" } > > I'm curious about this change? Is that because you changed the order > in the source code? Does that depend on ENABLE_IP? Yes, because I moved the config parameter in libvirtd.conf, this influences the order seen in the augeas unit test here, as its input is auto-generated from the libvirtd.conf > > > { "sasl_allowed_username_list" > > { "1" = "joe@xxxxxxxxxxx" } > > { "2" = "fred@xxxxxxxxxxx" } > > } > > - { "tls_priority" = "NORMAL" } > > { "max_clients" = "5000" } > > { "max_queued_clients" = "1000" } > > { "max_anonymous_clients" = "20" } > > -- Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
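Review bot: In the first libvirtd.conf.in hunk (`@@ -1,13 +1,14 @@`) the header line `# Master libvirt daemon configuration file` is left hard-coded while every other daemon reference in the file is templated to `@DAEMON_NAME@`; once this file also generates configs for the driver-specific daemons, a header calling each of them the "master libvirt daemon" is misleading, so template it as well (e.g. `# @DAEMON_NAME@ daemon configuration file`).

Review bot: The new `@CUT_ENABLE_IP@` / `@END@` markers are introduced in the same hunk without any comment saying what they are, and a reader of libvirtd.conf.in has no way to tell that they are make-time directives rather than config syntax; add a short comment near the top of the template stating that the region between the markers is removed for daemons built without IP listening and that the markers must never survive into the generated file.

Review bot: The `tls_priority` block moved into the `@CUT_ENABLE_IP@` region in the `@@ -265,6 +272,15 @@` hunk carries the pre-existing typo `# Only set this is it is desired for libvirt to deviate from` (should read "if it is"); since the lines are being rewritten anyway, fix the wording here rather than replicating it into every generated config.

Review bot: The boundaries of the cut regions in the `@@ -157,6 +159,7 @@` and `@@ -182,10 +186,11 @@` hunks look right from an access-control standpoint: `auth_unix_rw`, `access_drivers` and `sasl_allowed_username_list` stay unconditional, as they must, because polkit access control and SASL authentication also apply to UNIX socket clients, while only the TCP/TLS listeners, `auth_tcp`/`auth_tls`, the x509 section, the certificate sanity-check flag, `tls_allowed_dn_list` and `tls_priority` are dropped for UNIX-only daemons. Worth a sentence in the commit message so the rationale for which options are IP-only is recorded.

Review bot: In the test_libvirtd.aug.in hunk the `{ "tls_priority" = "NORMAL" }` entry is moved unconditionally ahead of `sasl_allowed_username_list`, whereas the matching key in libvirtd.conf.in now sits inside a `@CUT_ENABLE_IP@` region; the reordering itself follows from the move, as the reply explains, but if this test template is later reused for the UNIX-only daemons the IP-only keys will need the same conditional treatment or the augeas test input and the generated config will diverge.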