libvirt/tests/confdata/libvirtd.conf

# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html


#################################################################
#
# Network connectivitiy controls
#

# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
listen_tls = 0

# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
# This is disabled by default, uncomment this to enable it.
listen_tcp = 1


# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
tls_port = "16514"

# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
tcp_port = "16509"


# Flag toggling mDNS advertizement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
# This is enabled by default, uncomment this to disable it
mdns_adv = 0

# Override the default mDNS advertizement name. This must be
# unique on the immediate broadcast network.
#
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
# is subsituted for the short hostname of the machine (without domain)
#
mdns_name = "Virtualization Host Joe Demo"


#################################################################
#
# UNIX socket access controls
#

# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This is restricted to 'root' by default.
unix_sock_group = "libvirt"

# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership may want to
# restrict this to:
unix_sock_ro_perms = "0777"

# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
# control then you may want to relax this to:
unix_sock_rw_perms = "0770"


#################################################################
#
# Authentication.
#
#  - none: do not perform auth checks. If you can connect to the
#          socket you are allowed. This is suitable if there are
#          restrictions on connecting to the socket (eg, UNIX
#          socket permissions), or if there is a lower layer in
#          the network providing auth (eg, TLS/x509 certificates)
#
#  - sasl: use SASL infrastructure. The actual auth scheme is then
#          controlled from /etc/sasl2/libvirt.conf. For the TCP
#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
#          For non-TCP or TLS sockets,  any scheme is allowed.
#
#  - polkit: use PolicyKit to authenticate. This is only suitable
#            for use on the UNIX sockets. The default policy will
#            require a user to supply their own password to gain
#            full read/write access (aka sudo like), while anyone
#            is allowed read/only access.
#
# Set an authentication scheme for UNIX read-only sockets
# By default socket permissions allow anyone to connect
#
# To restrict monitoring of domains you may wish to enable
# an authentication mechanism here
auth_unix_ro = "none"

# Set an authentication scheme for UNIX read-write sockets
# By default socket permissions only allow root. If PolicyKit
# support was compiled into libvirt, the default will be to
# use 'polkit' auth.
#
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
auth_unix_rw = "none"

# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
auth_tcp = "sasl"

# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
auth_tls = "none"


#################################################################
#
# TLS x509 certificate configuration
#


# Override the default server key file path
#
key_file = "/etc/pki/libvirt/private/serverkey.pem"

# Override the default server certificate file path
#
cert_file = "/etc/pki/libvirt/servercert.pem"

# Override the default CA certificate path
#
ca_file = "/etc/pki/CA/cacert.pem"

# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
crl_file = "/etc/pki/CA/crl.pem"


#################################################################
#
# Authorization controls
#


# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
tls_no_verify_certificate = 1


# A whitelist of allowed x509  Distinguished Names
# This list may contain wildcards such as
#
#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
tls_allowed_dn_list = ["DN1", "DN2"]


# A whitelist of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
# This list may contain wildcards such as
#
#    "*@EXAMPLE.COM"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no Username's are checked
sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]

# UUID of the host:
# Provide the UUID of the host here in case the command
# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
# 'dmidecode' does not provide a valid UUID and none is provided here, a
# temporary UUID will be generated.
# Keep the format of the example UUID below.

host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
Fix config file reading to not truncate large files 2008-01-07 15:21:33 +00:00			`# Master libvirt daemon configuration file`
			`#`
			`# For further information consult http://libvirt.org/format.html`


			`#################################################################`
			`#`
			`# Network connectivitiy controls`
			`#`

			`# Flag listening for secure TLS connections on the public TCP/IP port.`
			`# NB, must pass the --listen flag to the libvirtd process for this to`
			`# have any effect.`
			`#`
* NEWS virsh.1 docs//* include/libvirt/libvirt.h[.in] qemud/mdns.h src/libvirt.c src/qemu.conf src/remote_internal.c src/xend_internal.c tests/confdata/libvirtd.conf tests/confdata/libvirtd.out: patch from Atsushi SAKAI fixing a ot more typo Daniel 2008-03-17 10:27:31 +00:00			`# It is necessary to setup a CA and issue server certificates before`
Fix config file reading to not truncate large files 2008-01-07 15:21:33 +00:00			`# using this capability.`
			`#`
			`# This is enabled by default, uncomment this to disable it`
			`listen_tls = 0`

			`# Listen for unencrypted TCP connections on the public TCP/IP port.`
			`# NB, must pass the --listen flag to the libvirtd process for this to`
			`# have any effect.`
			`#`
			`# Using the TCP socket requires SASL authentication by default. Only`
			`# SASL mechanisms which support data encryption are allowed. This is`
			`# DIGEST_MD5 and GSSAPI (Kerberos5)`
			`#`
			`# This is disabled by default, uncomment this to enable it.`
			`listen_tcp = 1`



			`# Override the port for accepting secure TLS connections`
			`# This can be a port number, or service name`
			`#`
			`tls_port = "16514"`

			`# Override the port for accepting insecure TCP connections`
			`# This can be a port number, or service name`
			`#`
			`tcp_port = "16509"`



			`# Flag toggling mDNS advertizement of the libvirt service.`
			`#`
			`# Alternatively can disable for all services on a host by`
			`# stopping the Avahi daemon`
			`#`
			`# This is enabled by default, uncomment this to disable it`
			`mdns_adv = 0`

			`# Override the default mDNS advertizement name. This must be`
			`# unique on the immediate broadcast network.`
			`#`
			`# The default is "Virtualization Host HOSTNAME", where HOSTNAME`
			`# is subsituted for the short hostname of the machine (without domain)`
			`#`
			`mdns_name = "Virtualization Host Joe Demo"`


			`#################################################################`
			`#`
			`# UNIX socket access controls`
			`#`

			`# Set the UNIX domain socket group ownership. This can be used to`
			`# allow a 'trusted' set of users access to management capabilities`
			`# without becoming root.`
			`#`
			`# This is restricted to 'root' by default.`
			`unix_sock_group = "libvirt"`

			`# Set the UNIX socket permissions for the R/O socket. This is used`
			`# for monitoring VM status only`
			`#`
			`# Default allows any user. If setting group ownership may want to`
			`# restrict this to:`
			`unix_sock_ro_perms = "0777"`

			`# Set the UNIX socket permissions for the R/W socket. This is used`
			`# for full management of VMs`
			`#`
			`# Default allows only root. If PolicyKit is enabled on the socket,`
			`# the default will change to allow everyone (eg, 0777)`
			`#`
			`# If not using PolicyKit and setting group ownership for access`
			`# control then you may want to relax this to:`
			`unix_sock_rw_perms = "0770"`



			`#################################################################`
			`#`
			`# Authentication.`
			`#`
			`# - none: do not perform auth checks. If you can connect to the`
			`# socket you are allowed. This is suitable if there are`
			`# restrictions on connecting to the socket (eg, UNIX`
			`# socket permissions), or if there is a lower layer in`
			`# the network providing auth (eg, TLS/x509 certificates)`
			`#`
			`# - sasl: use SASL infrastructure. The actual auth scheme is then`
			`# controlled from /etc/sasl2/libvirt.conf. For the TCP`
			`# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.`
			`# For non-TCP or TLS sockets, any scheme is allowed.`
			`#`
			`# - polkit: use PolicyKit to authenticate. This is only suitable`
			`# for use on the UNIX sockets. The default policy will`
			`# require a user to supply their own password to gain`
			`# full read/write access (aka sudo like), while anyone`
			`# is allowed read/only access.`
			`#`
			`# Set an authentication scheme for UNIX read-only sockets`
			`# By default socket permissions allow anyone to connect`
			`#`
			`# To restrict monitoring of domains you may wish to enable`
			`# an authentication mechanism here`
			`auth_unix_ro = "none"`

			`# Set an authentication scheme for UNIX read-write sockets`
			`# By default socket permissions only allow root. If PolicyKit`
			`# support was compiled into libvirt, the default will be to`
			`# use 'polkit' auth.`
			`#`
			`# If the unix_sock_rw_perms are changed you may wish to enable`
			`# an authentication mechanism here`
			`auth_unix_rw = "none"`

			`# Change the authentication scheme for TCP sockets.`
			`#`
			`# If you don't enable SASL, then all TCP traffic is cleartext.`
			`# Don't do this outside of a dev/test scenario. For real world`
			`# use, always enable SASL and use the GSSAPI or DIGEST-MD5`
			`# mechanism in /etc/sasl2/libvirt.conf`
			`auth_tcp = "sasl"`

			`# Change the authentication scheme for TLS sockets.`
			`#`
			`# TLS sockets already have encryption provided by the TLS`
			`# layer, and limited authentication is done by certificates`
			`#`
			`# It is possible to make use of any SASL authentication`
			`# mechanism as well, by using 'sasl' for this option`
			`auth_tls = "none"`



			`#################################################################`
			`#`
			`# TLS x509 certificate configuration`
			`#`


			`# Override the default server key file path`
			`#`
			`key_file = "/etc/pki/libvirt/private/serverkey.pem"`

			`# Override the default server certificate file path`
			`#`
			`cert_file = "/etc/pki/libvirt/servercert.pem"`

			`# Override the default CA certificate path`
			`#`
			`ca_file = "/etc/pki/CA/cacert.pem"`

			`# Specify a certificate revocation list.`
			`#`
			`# Defaults to not using a CRL, uncomment to enable it`
			`crl_file = "/etc/pki/CA/crl.pem"`



			`#################################################################`
			`#`
			`# Authorization controls`
			`#`


			`# Flag to disable verification of client certificates`
			`#`
			`# Client certificate verification is the primary authentication mechanism.`
			`# Any client which does not present a certificate signed by the CA`
			`# will be rejected.`
			`#`
			`# Default is to always verify. Uncommenting this will disable`
			`# verification - make sure an IP whitelist is set`
			`tls_no_verify_certificate = 1`


			`# A whitelist of allowed x509 Distinguished Names`
			`# This list may contain wildcards such as`
			`#`
			`# "C=GB,ST=London,L=London,O=Red Hat,CN=*"`
			`#`
			`# See the POSIX fnmatch function for the format of the wildcards.`
			`#`
			`# NB If this is an empty list, no client can connect, so comment out`
			`# entirely rather than using empty list to disable these checks`
			`#`
			`# By default, no DN's are checked`
			`tls_allowed_dn_list = ["DN1", "DN2"]`


			`# A whitelist of allowed SASL usernames. The format for usernames`
			`# depends on the SASL authentication mechanism. Kerberos usernames`
			`# look like username@REALM`
			`#`
			`# This list may contain wildcards such as`
			`#`
			`# "*@EXAMPLE.COM"`
			`#`
			`# See the POSIX fnmatch function for the format of the wildcards.`
			`#`
			`# NB If this is an empty list, no client can connect, so comment out`
			`# entirely rather than using empty list to disable these checks`
			`#`
			`# By default, no Username's are checked`
			`sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]`
Expose a host UUID in the capabilities XML Allow for a host UUID in the capabilities XML. Local drivers will initialize this from the SMBIOS data. If a sanity check shows SMBIOS uuid is invalid, allow an override from the libvirtd.conf configuration file * daemon/libvirtd.c, daemon/libvirtd.conf: Support a host_uuid configuration option * docs/schemas/capability.rng: Add optional host uuid field * src/conf/capabilities.c, src/conf/capabilities.h: Include host UUID in XML * src/libvirt_private.syms: Export new uuid.h functions * src/lxc/lxc_conf.c, src/qemu/qemu_driver.c, src/uml/uml_conf.c: Set host UUID in capabilities * src/util/uuid.c, src/util/uuid.h: Support for host UUIDs * src/node_device/node_device_udev.c: Use the host UUID functions * tests/confdata/libvirtd.conf, tests/confdata/libvirtd.out: Add new host_uuid config option to test 2010-05-25 14:33:51 +00:00
			`# UUID of the host:`
			`# Provide the UUID of the host here in case the command`
			`# 'dmidecode -s system-uuid' does not provide a valid uuid. In case`
			`# 'dmidecode' does not provide a valid UUID and none is provided here, a`
			`# temporary UUID will be generated.`
			`# Keep the format of the example UUID below.`

			`host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"`