(* /etc/libvirt/qemu.conf *)
module Libvirtd_qemu =
(* Augeas lens for the libvirt QEMU driver configuration,
   /etc/libvirt/qemu.conf.  The file is a flat list of
   "key = value" lines; a value is a double-quoted string, a 0/1
   boolean, a decimal integer or a [ "a", "b" ] array of strings.

   Parsing is strict.  A line is accepted only if it is blank, a
   "#" comment, or one of the keys enumerated in `entry` below with
   a value of the expected shape; anything else matches no
   alternative of `lns`, and Augeas then refuses to load the whole
   file.  Tooling that manages qemu.conf through this lens (e.g.
   configuration management) therefore stops working as soon as the
   file contains an option newer than this lens, so `entry` has to
   be kept in step with the options the installed libvirt accepts.

   Security notes for users of this lens:
   - `vnc_password` and `spice_password` are written back as plain
     quoted strings, exactly as the file stores them.  Setting them
     through Augeas puts a cleartext secret into qemu.conf, which
     must remain readable only by root.
   - The lens validates syntax only.  It does not check that
     `user` is unprivileged, that `security_driver` is not "none",
     that port ranges are sane, or that paths/UUIDs are well-formed;
     a configuration that weakens confinement parses just as
     cleanly as a hardened one.
   - The stock qemu.conf ships with every option commented out.
     Such a line is parsed as a `#comment` node, not a setting;
     to change a default the key itself has to be written. *)
autoload xfm

(* Optional trailing blanks plus the newline that ends a record. *)
let eol = del /[ \t]*\n/ "\n"

(* The "=" separator with optional blanks; normalised to " = ". *)
let value_sep = del /[ \t]*=[ \t]*/ " = "

(* Leading blanks on a line; dropped when the file is written. *)
let indent = del /[ \t]*/ ""

(* Array punctuation.  Separators and the opening bracket may be
   followed by newlines, so arrays can be spread over several
   lines (as cgroup_device_acl usually is). *)
let array_sep = del /,[ \t\n]*/ ", "

let array_start = del /\[[ \t\n]*/ "[ "

let array_end = del /\]/ "]"

(* A double-quoted string.  There is no escape mechanism: the value
   may not contain a double quote at all, and nothing else about
   its content is checked (any text is accepted for an address,
   path, UUID or user name). *)
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""

(* Booleans are exactly the unquoted digits 0 or 1. *)
let bool_val = store /0|1/

(* Unquoted, non-negative decimal integer.
   NOTE(review): no leading "-" is accepted, so a negative setting
   such as seccomp_sandbox = -1 (which qemu.conf's own commentary
   appears to permit -- confirm against the installed libvirt)
   makes the whole file unparseable by this lens. *)
let int_val = store /[0-9]+/

(* One quoted array element.  Elements are labelled "1", "2", ...
   from the "el" counter; whitespace after the element is eaten so
   that a multi-line array round-trips. *)
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""

(* "[ ... ]" holding zero or more comma-separated quoted strings.
   The counter is reset per array so numbering restarts at 1. *)
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end

(* "key = value" records, one constructor per value shape.  The
   tree node is labelled with the literal key name. *)
let str_entry (kw:string) = [ key kw . value_sep . str_val ]

let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]

let int_entry (kw:string) = [ key kw . value_sep . int_val ]

let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]

(* The quoted word "unlimited", used by rlimit-style settings. *)
let unlimited_val = del /\"/ "\"" . store /unlimited/ . del /\"/ "\""

(* Either the quoted word "unlimited" or an unquoted integer.  The
   two shapes are disjoint (quote vs. digit), so the union is
   unambiguous in both directions. *)
let limits_entry (kw:string) = [ key kw . value_sep . unlimited_val ] | [ key kw . value_sep . int_val ]

(* Config entry grouped by function - same order as example config *)

(* default_tls_* options: the fall-back TLS certificate directory,
   peer-verification flag and secret UUID. *)
let default_tls_entry = str_entry "default_tls_x509_cert_dir"
    | bool_entry "default_tls_x509_verify"
    | str_entry "default_tls_x509_secret_uuid"

(* VNC console options.  `vnc_password` is a cleartext secret in the
   file; `vnc_listen` is accepted as arbitrary text, so a wildcard
   bind address is not flagged. *)
let vnc_entry = str_entry "vnc_listen"
    | bool_entry "vnc_auto_unix_socket"
    | bool_entry "vnc_tls"
    | str_entry "vnc_tls_x509_cert_dir"
    | str_entry "vnc_tls_x509_secret_uuid"
    | bool_entry "vnc_tls_x509_verify"
    | str_entry "vnc_password"
    | bool_entry "vnc_sasl"
    | str_entry "vnc_sasl_dir"
    | bool_entry "vnc_allow_host_audio"

(* SPICE console options; same caveats as for VNC apply to
   `spice_listen` and `spice_password`. *)
let spice_entry = str_entry "spice_listen"
    | bool_entry "spice_tls"
    | str_entry "spice_tls_x509_cert_dir"
    | bool_entry "spice_auto_unix_socket"
    | str_entry "spice_password"
    | bool_entry "spice_sasl"
    | str_entry "spice_sasl_dir"

(* TLS options for character-device (serial/console) channels. *)
let chardev_entry = bool_entry "chardev_tls"
    | str_entry "chardev_tls_x509_cert_dir"
    | bool_entry "chardev_tls_x509_verify"
    | str_entry "chardev_tls_x509_secret_uuid"

(* TLS options for live migration traffic. *)
let migrate_entry = str_entry "migrate_tls_x509_cert_dir"
    | bool_entry "migrate_tls_x509_verify"
    | str_entry "migrate_tls_x509_secret_uuid"

(* Host audio for guests without a graphical console. *)
let nogfx_entry = bool_entry "nographics_allow_host_audio"

(* Port ranges for remote displays.  Only the digit syntax is
   checked: no test that min <= max or that the value fits a TCP
   port. *)
let remote_display_entry = int_entry "remote_display_port_min"
    | int_entry "remote_display_port_max"
    | int_entry "remote_websocket_port_min"
    | int_entry "remote_websocket_port_max"

(* Confinement and privilege-separation options: the security
   driver (e.g. SELinux/AppArmor or "none"), the user/group the
   emulator runs as, cgroup controller and device ACLs, the QEMU
   seccomp sandbox and mount/namespace isolation.
   Per the commit that introduced them, security_default_confined
   (default 1) decides whether a guest with no explicit label runs
   confined, and security_require_confined (default 0) makes the
   host refuse to start an unconfined guest.  None of these values
   is validated beyond its syntax. *)
let security_entry = str_entry "security_driver"
    | bool_entry "security_default_confined"
    | bool_entry "security_require_confined"
    | str_entry "user"
    | str_entry "group"
    | bool_entry "dynamic_ownership"
    | str_array_entry "cgroup_controllers"
    | str_array_entry "cgroup_device_acl"
    | int_entry "seccomp_sandbox"
    | str_array_entry "namespaces"

(* Save/dump/snapshot image handling. *)
let save_entry = str_entry "save_image_format"
    | str_entry "dump_image_format"
    | str_entry "snapshot_image_format"
    | str_entry "auto_dump_path"
    | bool_entry "auto_dump_bypass_cache"
    | bool_entry "auto_start_bypass_cache"

(* Emulator process options: helper binaries, capability dropping,
   resource limits.  max_core accepts "unlimited" as well as an
   integer; dump_guest_core controls whether guest memory ends up
   in core files. *)
let process_entry = str_entry "hugetlbfs_mount"
    | bool_entry "clear_emulator_capabilities"
    | str_entry "bridge_helper"
    | str_entry "pr_helper"
    | bool_entry "set_process_name"
    | int_entry "max_processes"
    | int_entry "max_files"
    | limits_entry "max_core"
    | bool_entry "dump_guest_core"
    | str_entry "stdio_handler"

(* Host device and storage handling knobs. *)
let device_entry = bool_entry "mac_filter"
    | bool_entry "relaxed_acs_check"
    | bool_entry "allow_disk_format_probing"
    | str_entry "lock_manager"

(* Monitor RPC queueing and keepalive settings. *)
let rpc_entry = int_entry "max_queued"
    | int_entry "keepalive_interval"
    | int_entry "keepalive_count"

(* Migration listen address, port range and advertised host name. *)
let network_entry = str_entry "migration_address"
    | int_entry "migration_port_min"
    | int_entry "migration_port_max"
    | str_entry "migration_host"

(* Per-domain log formatting. *)
let log_entry = bool_entry "log_timestamp"

(* Firmware:variable-store pairs, one quoted "fw:nvram" string per
   element. *)
let nvram_entry = str_array_entry "nvram"

(* Gluster client log verbosity. *)
let gluster_debug_level_entry = int_entry "gluster_debug_level"

(* Directory for file-backed guest memory. *)
let memory_entry = str_entry "memory_backing_dir"

(* TLS options for VxHS network disks. *)
let vxhs_entry = bool_entry "vxhs_tls"
    | str_entry "vxhs_tls_x509_cert_dir"

(* TLS options for NBD network disks. *)
let nbd_entry = bool_entry "nbd_tls"
    | str_entry "nbd_tls_x509_cert_dir"

(* Identity the software TPM emulator runs as. *)
let swtpm_entry = str_entry "swtpm_user"
    | str_entry "swtpm_group"

(* Capability names filtered from the QEMU feature set. *)
let capability_filters_entry = str_array_entry "capability_filters"

(* Each entry in the config is one of the following ...
   A key missing from this union cannot be parsed at all; see the
   module header for the consequence. *)
let entry = default_tls_entry
    | vnc_entry
    | spice_entry
    | chardev_entry
    | migrate_entry
    | nogfx_entry
    | remote_display_entry
    | security_entry
    | save_entry
    | process_entry
    | device_entry
    | rpc_entry
    | network_entry
    | log_entry
    | nvram_entry
    | gluster_debug_level_entry
    | memory_entry
    | vxhs_entry
    | nbd_entry
    | swtpm_entry
    | capability_filters_entry

(* A "#" comment.  The marker and the blanks after it are dropped
   and re-emitted as "# "; the remaining text (possibly empty) is
   stored under the "#comment" label. *)
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]

(* A blank (or blanks-only) line, kept as a "#empty" node so the
   file's layout survives a round trip. *)
let empty = [ label "#empty" . eol ]

(* One setting: optional indent, a recognised key/value, newline. *)
let record = indent . entry . eol

(* The whole file: any sequence of settings, comments and blank
   lines.  Anything that is none of these is a parse failure. *)
let lns = ( record | comment | empty ) *

(* Only the canonical path is handled, minus the shared Util
   exclusions (editor and package-manager backup copies). *)
let filter = incl "/etc/libvirt/qemu.conf"
    . Util.stdexcl

let xfm = transform lns filter