2012-04-04 12:09:09 +00:00
|
|
|
/*
|
2018-02-20 13:16:28 +00:00
|
|
|
* remote_daemon_config.c: libvirtd config file handling
|
2012-04-04 12:09:09 +00:00
|
|
|
*
|
2018-02-20 13:16:28 +00:00
|
|
|
* Copyright (C) 2006-2018 Red Hat, Inc.
|
2012-04-04 12:09:09 +00:00
|
|
|
* Copyright (C) 2006 Daniel P. Berrange
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2012-04-04 12:09:09 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
2018-02-20 13:16:28 +00:00
|
|
|
#include "remote_daemon_config.h"
|
2012-12-12 16:35:35 +00:00
|
|
|
#include "virconf.h"
|
2012-12-12 18:06:53 +00:00
|
|
|
#include "viralloc.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2012-04-04 14:00:17 +00:00
|
|
|
#include "rpc/virnetserver.h"
|
2012-04-04 12:09:09 +00:00
|
|
|
#include "configmake.h"
|
2018-02-20 13:16:28 +00:00
|
|
|
#include "remote_protocol.h"
|
|
|
|
#include "remote_driver.h"
|
2017-02-07 15:16:42 +00:00
|
|
|
#include "util/virnetdevopenvswitch.h"
|
2013-04-03 10:36:23 +00:00
|
|
|
#include "virstring.h"
|
|
|
|
#include "virutil.h"
|
2012-04-04 12:09:09 +00:00
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_CONF
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("daemon.libvirtd-config");
|
|
|
|
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2014-03-18 08:19:33 +00:00
|
|
|
static int
|
2021-03-11 07:16:13 +00:00
|
|
|
remoteConfigGetAuth(virConf *conf,
|
2016-07-08 10:37:40 +00:00
|
|
|
const char *filename,
|
2014-03-18 08:19:33 +00:00
|
|
|
const char *key,
|
2016-07-08 10:37:40 +00:00
|
|
|
int *auth)
|
2014-03-18 08:19:33 +00:00
|
|
|
{
|
2016-07-08 10:37:40 +00:00
|
|
|
char *authstr = NULL;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, key, &authstr) < 0)
|
2012-04-04 12:09:09 +00:00
|
|
|
return -1;
|
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (!authstr)
|
2012-04-04 12:09:09 +00:00
|
|
|
return 0;
|
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (STREQ(authstr, "none")) {
|
2012-04-04 12:09:09 +00:00
|
|
|
*auth = VIR_NET_SERVER_SERVICE_AUTH_NONE;
|
2012-09-20 11:58:29 +00:00
|
|
|
#if WITH_SASL
|
2016-07-08 10:37:40 +00:00
|
|
|
} else if (STREQ(authstr, "sasl")) {
|
2012-04-04 12:09:09 +00:00
|
|
|
*auth = VIR_NET_SERVER_SERVICE_AUTH_SASL;
|
|
|
|
#endif
|
2016-07-08 10:37:40 +00:00
|
|
|
} else if (STREQ(authstr, "polkit")) {
|
2012-04-04 12:09:09 +00:00
|
|
|
*auth = VIR_NET_SERVER_SERVICE_AUTH_POLKIT;
|
|
|
|
} else {
|
2012-07-18 18:26:35 +00:00
|
|
|
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
|
2016-07-08 10:37:40 +00:00
|
|
|
_("%s: %s: unsupported auth %s"),
|
|
|
|
filename, key, authstr);
|
|
|
|
VIR_FREE(authstr);
|
2012-04-04 12:09:09 +00:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
VIR_FREE(authstr);
|
2012-04-04 12:09:09 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int
|
|
|
|
daemonConfigFilePath(bool privileged, char **configfile)
|
|
|
|
{
|
|
|
|
if (privileged) {
|
2019-10-20 11:49:46 +00:00
|
|
|
*configfile = g_strdup(SYSCONFDIR "/libvirt/" DAEMON_NAME ".conf");
|
2012-04-04 12:09:09 +00:00
|
|
|
} else {
|
2019-12-19 22:47:30 +00:00
|
|
|
g_autofree char *configdir = NULL;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-12-19 08:38:30 +00:00
|
|
|
configdir = virGetUserConfigDirectory();
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-10-22 13:26:14 +00:00
|
|
|
*configfile = g_strdup_printf("%s/%s.conf", configdir, DAEMON_NAME);
|
2012-04-04 12:09:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct daemonConfig*
|
2019-10-14 12:45:33 +00:00
|
|
|
daemonConfigNew(bool privileged G_GNUC_UNUSED)
|
2012-04-04 12:09:09 +00:00
|
|
|
{
|
|
|
|
struct daemonConfig *data;
|
|
|
|
|
2020-10-04 15:23:22 +00:00
|
|
|
data = g_new0(struct daemonConfig, 1);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
remote: introduce virtproxyd daemon to handle IP connectivity
The libvirtd daemon provides the traditional libvirt experience where
all the drivers are in a single daemon, and is accessible over both
local UNIX sockets and remote IP sockets.
In the new world we're having a set of per-driver daemons which will
primarily be accessed locally via their own UNIX sockets.
We still, however, need to allow for case of applications which will
connect to libvirt remotely. These remote connections can be done as
TCP/TLS sockets, or by SSH tunnelling to the UNIX socket.
In the later case, the old libvirt.so clients will only know about
the path to the old libvirtd socket /var/run/libvirt/libvirt-sock,
and not the new driver sockets /var/run/libvirt/virtqemud-sock.
It is also not desirable to expose the main driver specific daemons
over IP directly to minimize their attack service.
Thus the virtproxyd daemon steps into place, to provide TCP/TLS sockets,
and back compat for the old libvirtd UNIX socket path(s). It will then
forward all RPC calls made to the appropriate driver specific daemon.
Essentially it is equivalent to the old libvirtd with absolutely no
drivers registered except for the remote driver (and other stateless
drivers in libvirt.so).
We could have modified libvirtd so none of the drivers are registed
to get the same end result. We could even add a libvirtd.conf parameter
to control whether the drivers are loaded to enable users to switch back
to the old world if we discover bugs in the split-daemon model. Using a
new daemon though has some advantages
- We can make virtproxyd and the virtXXXd per-driver daemons all
have "Conflicts: libvirtd.service" in their systemd unit files.
This will guarantee that libvirtd is never started at the same
time, as this would result in two daemons running the same driver.
Fortunately drivers use locking to protect themselves, but it is
better to avoid starting a daemon we know will conflict.
- It allows us to break CLI compat to remove the --listen parameter.
Both listen_tcp and listen_tls parameters in /etc/libvirtd/virtd.conf
will default to zero. Either TLS or TCP can be enabled exclusively
though virtd.conf without requiring the extra step of adding --listen.
- It allows us to set a strict SELinux policy over virtproxyd. For
back compat the libvirtd policy must continue to allow all drivers
to run. We can't easily give a second policy to libvirtd which
locks it down. By introducing a new virtproxyd we can set a strict
policy for that daemon only.
- It gets rid of the weird naming of having a daemon with "lib" in
its name. Now all normal daemons libvirt ships will have "virt"
as their prefix not "libvirt".
- Distros can more easily choose their upgrade path. They can
ship both sets of daemons in their packages, and choose to
either enable libvirtd, or enable the per-driver daemons and
virtproxyd out of the box. Users can easily override this if
desired by just tweaking which systemd units are active.
After some time we can deprecate use of libvirtd and after some more
time delete it entirely, leaving us in a pretty world filled with
prancing unicorns.
The main downside with introducing a new daemon, and with the
per-driver daemons in general, is figuring out the correct upgrade
path.
The conservative option is to leave libvirtd running if it was
an existing installation. Only use the new daemons & virtproxyd
on completely new installs.
The aggressive option is to disable libvirtd if already running
and activate all the new daemons.
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-04 11:33:23 +00:00
|
|
|
# ifdef LIBVIRTD
|
2020-05-05 06:05:18 +00:00
|
|
|
data->listen_tls = true; /* Only honoured if --listen is set */
|
remote: introduce virtproxyd daemon to handle IP connectivity
The libvirtd daemon provides the traditional libvirt experience where
all the drivers are in a single daemon, and is accessible over both
local UNIX sockets and remote IP sockets.
In the new world we're having a set of per-driver daemons which will
primarily be accessed locally via their own UNIX sockets.
We still, however, need to allow for case of applications which will
connect to libvirt remotely. These remote connections can be done as
TCP/TLS sockets, or by SSH tunnelling to the UNIX socket.
In the later case, the old libvirt.so clients will only know about
the path to the old libvirtd socket /var/run/libvirt/libvirt-sock,
and not the new driver sockets /var/run/libvirt/virtqemud-sock.
It is also not desirable to expose the main driver specific daemons
over IP directly to minimize their attack service.
Thus the virtproxyd daemon steps into place, to provide TCP/TLS sockets,
and back compat for the old libvirtd UNIX socket path(s). It will then
forward all RPC calls made to the appropriate driver specific daemon.
Essentially it is equivalent to the old libvirtd with absolutely no
drivers registered except for the remote driver (and other stateless
drivers in libvirt.so).
We could have modified libvirtd so none of the drivers are registed
to get the same end result. We could even add a libvirtd.conf parameter
to control whether the drivers are loaded to enable users to switch back
to the old world if we discover bugs in the split-daemon model. Using a
new daemon though has some advantages
- We can make virtproxyd and the virtXXXd per-driver daemons all
have "Conflicts: libvirtd.service" in their systemd unit files.
This will guarantee that libvirtd is never started at the same
time, as this would result in two daemons running the same driver.
Fortunately drivers use locking to protect themselves, but it is
better to avoid starting a daemon we know will conflict.
- It allows us to break CLI compat to remove the --listen parameter.
Both listen_tcp and listen_tls parameters in /etc/libvirtd/virtd.conf
will default to zero. Either TLS or TCP can be enabled exclusively
though virtd.conf without requiring the extra step of adding --listen.
- It allows us to set a strict SELinux policy over virtproxyd. For
back compat the libvirtd policy must continue to allow all drivers
to run. We can't easily give a second policy to libvirtd which
locks it down. By introducing a new virtproxyd we can set a strict
policy for that daemon only.
- It gets rid of the weird naming of having a daemon with "lib" in
its name. Now all normal daemons libvirt ships will have "virt"
as their prefix not "libvirt".
- Distros can more easily choose their upgrade path. They can
ship both sets of daemons in their packages, and choose to
either enable libvirtd, or enable the per-driver daemons and
virtproxyd out of the box. Users can easily override this if
desired by just tweaking which systemd units are active.
After some time we can deprecate use of libvirtd and after some more
time delete it entirely, leaving us in a pretty world filled with
prancing unicorns.
The main downside with introducing a new daemon, and with the
per-driver daemons in general, is figuring out the correct upgrade
path.
The conservative option is to leave libvirtd running if it was
an existing installation. Only use the new daemons & virtproxyd
on completely new installs.
The aggressive option is to disable libvirtd if already running
and activate all the new daemons.
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-04 11:33:23 +00:00
|
|
|
# else /* ! LIBVIRTD */
|
2020-05-05 06:05:18 +00:00
|
|
|
data->listen_tls = false; /* Always honoured, --listen doesn't exist. */
|
remote: introduce virtproxyd daemon to handle IP connectivity
The libvirtd daemon provides the traditional libvirt experience where
all the drivers are in a single daemon, and is accessible over both
local UNIX sockets and remote IP sockets.
In the new world we're having a set of per-driver daemons which will
primarily be accessed locally via their own UNIX sockets.
We still, however, need to allow for case of applications which will
connect to libvirt remotely. These remote connections can be done as
TCP/TLS sockets, or by SSH tunnelling to the UNIX socket.
In the later case, the old libvirt.so clients will only know about
the path to the old libvirtd socket /var/run/libvirt/libvirt-sock,
and not the new driver sockets /var/run/libvirt/virtqemud-sock.
It is also not desirable to expose the main driver specific daemons
over IP directly to minimize their attack service.
Thus the virtproxyd daemon steps into place, to provide TCP/TLS sockets,
and back compat for the old libvirtd UNIX socket path(s). It will then
forward all RPC calls made to the appropriate driver specific daemon.
Essentially it is equivalent to the old libvirtd with absolutely no
drivers registered except for the remote driver (and other stateless
drivers in libvirt.so).
We could have modified libvirtd so none of the drivers are registed
to get the same end result. We could even add a libvirtd.conf parameter
to control whether the drivers are loaded to enable users to switch back
to the old world if we discover bugs in the split-daemon model. Using a
new daemon though has some advantages
- We can make virtproxyd and the virtXXXd per-driver daemons all
have "Conflicts: libvirtd.service" in their systemd unit files.
This will guarantee that libvirtd is never started at the same
time, as this would result in two daemons running the same driver.
Fortunately drivers use locking to protect themselves, but it is
better to avoid starting a daemon we know will conflict.
- It allows us to break CLI compat to remove the --listen parameter.
Both listen_tcp and listen_tls parameters in /etc/libvirtd/virtd.conf
will default to zero. Either TLS or TCP can be enabled exclusively
though virtd.conf without requiring the extra step of adding --listen.
- It allows us to set a strict SELinux policy over virtproxyd. For
back compat the libvirtd policy must continue to allow all drivers
to run. We can't easily give a second policy to libvirtd which
locks it down. By introducing a new virtproxyd we can set a strict
policy for that daemon only.
- It gets rid of the weird naming of having a daemon with "lib" in
its name. Now all normal daemons libvirt ships will have "virt"
as their prefix not "libvirt".
- Distros can more easily choose their upgrade path. They can
ship both sets of daemons in their packages, and choose to
either enable libvirtd, or enable the per-driver daemons and
virtproxyd out of the box. Users can easily override this if
desired by just tweaking which systemd units are active.
After some time we can deprecate use of libvirtd and after some more
time delete it entirely, leaving us in a pretty world filled with
prancing unicorns.
The main downside with introducing a new daemon, and with the
per-driver daemons in general, is figuring out the correct upgrade
path.
The conservative option is to leave libvirtd running if it was
an existing installation. Only use the new daemons & virtproxyd
on completely new installs.
The aggressive option is to disable libvirtd if already running
and activate all the new daemons.
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Christophe de Dinechin <dinechin@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-04 11:33:23 +00:00
|
|
|
# endif /* ! LIBVIRTD */
|
2020-05-05 06:05:18 +00:00
|
|
|
data->listen_tcp = false;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-10-20 11:49:46 +00:00
|
|
|
data->tls_port = g_strdup(LIBVIRTD_TLS_PORT);
|
|
|
|
data->tcp_port = g_strdup(LIBVIRTD_TCP_PORT);
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* !WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
|
|
|
/* Only default to PolicyKit if running as root */
|
2013-01-08 22:19:00 +00:00
|
|
|
#if WITH_POLKIT
|
2012-04-04 12:09:09 +00:00
|
|
|
if (privileged) {
|
|
|
|
data->auth_unix_rw = REMOTE_AUTH_POLKIT;
|
|
|
|
data->auth_unix_ro = REMOTE_AUTH_POLKIT;
|
|
|
|
} else {
|
|
|
|
#endif
|
|
|
|
data->auth_unix_rw = REMOTE_AUTH_NONE;
|
|
|
|
data->auth_unix_ro = REMOTE_AUTH_NONE;
|
2013-01-08 22:19:00 +00:00
|
|
|
#if WITH_POLKIT
|
2012-04-04 12:09:09 +00:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2019-10-20 11:49:46 +00:00
|
|
|
data->unix_sock_rw_perms = g_strdup(data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700");
|
|
|
|
data->unix_sock_ro_perms = g_strdup("0777");
|
|
|
|
data->unix_sock_admin_perms = g_strdup("0700");
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
|
|
|
# if WITH_SASL
|
2012-04-04 12:09:09 +00:00
|
|
|
data->auth_tcp = REMOTE_AUTH_SASL;
|
2019-06-21 16:19:11 +00:00
|
|
|
# else
|
2012-04-04 12:09:09 +00:00
|
|
|
data->auth_tcp = REMOTE_AUTH_NONE;
|
2019-06-21 16:19:11 +00:00
|
|
|
# endif
|
2012-04-04 12:09:09 +00:00
|
|
|
data->auth_tls = REMOTE_AUTH_NONE;
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* ! WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
|
|
|
data->min_workers = 5;
|
|
|
|
data->max_workers = 20;
|
2014-03-04 17:55:24 +00:00
|
|
|
data->max_clients = 5000;
|
2016-02-29 13:33:20 +00:00
|
|
|
data->max_queued_clients = 1000;
|
2014-03-04 17:55:24 +00:00
|
|
|
data->max_anonymous_clients = 20;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
|
|
|
data->prio_workers = 5;
|
|
|
|
|
|
|
|
data->max_client_requests = 5;
|
|
|
|
|
|
|
|
data->audit_level = 1;
|
2020-05-05 06:05:18 +00:00
|
|
|
data->audit_logging = false;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
|
|
|
data->keepalive_interval = 5;
|
|
|
|
data->keepalive_count = 5;
|
|
|
|
|
2015-04-13 14:05:46 +00:00
|
|
|
data->admin_min_workers = 5;
|
|
|
|
data->admin_max_workers = 20;
|
|
|
|
data->admin_max_clients = 5000;
|
|
|
|
data->admin_max_queued_clients = 20;
|
|
|
|
data->admin_max_client_requests = 5;
|
|
|
|
|
|
|
|
data->admin_keepalive_interval = 5;
|
|
|
|
data->admin_keepalive_count = 5;
|
|
|
|
|
2017-02-07 15:16:42 +00:00
|
|
|
data->ovs_timeout = VIR_NETDEV_OVS_DEFAULT_TIMEOUT;
|
|
|
|
|
2012-04-04 12:09:09 +00:00
|
|
|
return data;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
daemonConfigFree(struct daemonConfig *data)
|
|
|
|
{
|
|
|
|
char **tmp;
|
|
|
|
|
|
|
|
if (!data)
|
|
|
|
return;
|
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->listen_addr);
|
|
|
|
g_free(data->tls_port);
|
|
|
|
g_free(data->tcp_port);
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* ! WITH_IP */
|
|
|
|
|
2013-06-28 17:10:10 +00:00
|
|
|
tmp = data->access_drivers;
|
|
|
|
while (tmp && *tmp) {
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(*tmp);
|
2013-06-28 17:10:10 +00:00
|
|
|
tmp++;
|
|
|
|
}
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->access_drivers);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->unix_sock_admin_perms);
|
|
|
|
g_free(data->unix_sock_ro_perms);
|
|
|
|
g_free(data->unix_sock_rw_perms);
|
|
|
|
g_free(data->unix_sock_group);
|
|
|
|
g_free(data->unix_sock_dir);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
tmp = data->sasl_allowed_username_list;
|
2012-04-04 12:09:09 +00:00
|
|
|
while (tmp && *tmp) {
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(*tmp);
|
2012-04-04 12:09:09 +00:00
|
|
|
tmp++;
|
|
|
|
}
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->sasl_allowed_username_list);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
|
|
|
tmp = data->tls_allowed_dn_list;
|
2012-04-04 12:09:09 +00:00
|
|
|
while (tmp && *tmp) {
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(*tmp);
|
2012-04-04 12:09:09 +00:00
|
|
|
tmp++;
|
|
|
|
}
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->tls_allowed_dn_list);
|
2019-06-21 16:19:11 +00:00
|
|
|
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->tls_priority);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->key_file);
|
|
|
|
g_free(data->ca_file);
|
|
|
|
g_free(data->cert_file);
|
|
|
|
g_free(data->crl_file);
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* ! WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data->host_uuid);
|
|
|
|
g_free(data->host_uuid_source);
|
|
|
|
g_free(data->log_filters);
|
|
|
|
g_free(data->log_outputs);
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2021-02-03 19:54:59 +00:00
|
|
|
g_free(data);
|
2012-04-04 12:09:09 +00:00
|
|
|
}
|
|
|
|
|
2012-04-04 12:14:19 +00:00
|
|
|
static int
|
|
|
|
daemonConfigLoadOptions(struct daemonConfig *data,
|
|
|
|
const char *filename,
|
2021-03-11 07:16:13 +00:00
|
|
|
virConf *conf)
|
2012-04-04 12:09:09 +00:00
|
|
|
{
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueBool(conf, "listen_tcp", &data->listen_tcp) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueBool(conf, "listen_tls", &data->listen_tls) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "tls_port", &data->tls_port) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "tcp_port", &data->tcp_port) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "listen_addr", &data->listen_addr) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* !WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (remoteConfigGetAuth(conf, filename, "auth_unix_rw", &data->auth_unix_rw) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2013-01-08 22:19:00 +00:00
|
|
|
#if WITH_POLKIT
|
2012-04-04 12:09:09 +00:00
|
|
|
/* Change default perms to be wide-open if PolicyKit is enabled.
|
|
|
|
* Admin can always override in config file
|
|
|
|
*/
|
|
|
|
if (data->auth_unix_rw == REMOTE_AUTH_POLKIT) {
|
|
|
|
VIR_FREE(data->unix_sock_rw_perms);
|
2019-10-20 11:49:46 +00:00
|
|
|
data->unix_sock_rw_perms = g_strdup("0777");
|
2012-04-04 12:09:09 +00:00
|
|
|
}
|
|
|
|
#endif
|
2016-07-08 10:37:40 +00:00
|
|
|
if (remoteConfigGetAuth(conf, filename, "auth_unix_ro", &data->auth_unix_ro) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2019-06-21 16:19:11 +00:00
|
|
|
|
|
|
|
#ifdef WITH_IP
|
2016-07-08 10:37:40 +00:00
|
|
|
if (remoteConfigGetAuth(conf, filename, "auth_tcp", &data->auth_tcp) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (remoteConfigGetAuth(conf, filename, "auth_tls", &data->auth_tls) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* ! WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueStringList(conf, "access_drivers", false,
|
|
|
|
&data->access_drivers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2013-04-17 11:01:24 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "unix_sock_group", &data->unix_sock_group) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "unix_sock_admin_perms", &data->unix_sock_admin_perms) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "unix_sock_ro_perms", &data->unix_sock_ro_perms) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "unix_sock_rw_perms", &data->unix_sock_rw_perms) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "unix_sock_dir", &data->unix_sock_dir) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
#ifdef WITH_IP
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueBool(conf, "tls_no_sanity_certificate", &data->tls_no_sanity_certificate) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueBool(conf, "tls_no_verify_certificate", &data->tls_no_verify_certificate) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "key_file", &data->key_file) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "cert_file", &data->cert_file) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "ca_file", &data->ca_file) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "crl_file", &data->crl_file) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueStringList(conf, "tls_allowed_dn_list", false,
|
|
|
|
&data->tls_allowed_dn_list) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2019-06-21 16:19:11 +00:00
|
|
|
if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2019-06-21 16:19:11 +00:00
|
|
|
#endif /* ! WITH_IP */
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false,
|
|
|
|
&data->sasl_allowed_username_list) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "min_workers", &data->min_workers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "max_workers", &data->max_workers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2018-07-03 11:37:36 +00:00
|
|
|
if (data->max_workers < 1) {
|
|
|
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
|
|
|
_("'max_workers' must be greater than 0"));
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2018-07-03 11:37:36 +00:00
|
|
|
}
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "max_clients", &data->max_clients) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "max_queued_clients", &data->max_queued_clients) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "max_anonymous_clients", &data->max_anonymous_clients) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "prio_workers", &data->prio_workers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "max_client_requests", &data->max_client_requests) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_min_workers", &data->admin_min_workers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_max_workers", &data->admin_max_workers) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_max_clients", &data->admin_max_clients) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_max_queued_clients", &data->admin_max_queued_clients) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_max_client_requests", &data->admin_max_client_requests) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2015-04-13 14:05:46 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "audit_level", &data->audit_level) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueBool(conf, "audit_logging", &data->audit_logging) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "host_uuid", &data->host_uuid) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "host_uuid_source", &data->host_uuid_source) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "log_level", &data->log_level) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "log_filters", &data->log_filters) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueString(conf, "log_outputs", &data->log_outputs) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueInt(conf, "keepalive_interval", &data->keepalive_interval) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "keepalive_count", &data->keepalive_count) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2012-04-04 12:09:09 +00:00
|
|
|
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueInt(conf, "admin_keepalive_interval", &data->admin_keepalive_interval) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2016-07-08 10:37:40 +00:00
|
|
|
if (virConfGetValueUInt(conf, "admin_keepalive_count", &data->admin_keepalive_count) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2015-04-13 14:05:46 +00:00
|
|
|
|
2017-02-07 15:16:42 +00:00
|
|
|
if (virConfGetValueUInt(conf, "ovs_timeout", &data->ovs_timeout) < 0)
|
2020-01-06 21:57:32 +00:00
|
|
|
return -1;
|
2017-02-07 15:16:42 +00:00
|
|
|
|
2012-04-04 12:09:09 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2012-04-04 12:14:19 +00:00
|
|
|
|
|
|
|
|
|
|
|
/* Read the config file if it exists.
|
|
|
|
* Only used in the remote case, hence the name.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
daemonConfigLoadFile(struct daemonConfig *data,
|
|
|
|
const char *filename,
|
|
|
|
bool allow_missing)
|
|
|
|
{
|
2019-10-15 12:47:50 +00:00
|
|
|
g_autoptr(virConf) conf = NULL;
|
2012-04-04 12:14:19 +00:00
|
|
|
|
|
|
|
if (allow_missing &&
|
|
|
|
access(filename, R_OK) == -1 &&
|
|
|
|
errno == ENOENT)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
conf = virConfReadFile(filename, 0);
|
|
|
|
if (!conf)
|
|
|
|
return -1;
|
|
|
|
|
2019-09-09 15:56:26 +00:00
|
|
|
return daemonConfigLoadOptions(data, filename, conf);
|
2012-04-04 12:14:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int daemonConfigLoadData(struct daemonConfig *data,
|
|
|
|
const char *filename,
|
|
|
|
const char *filedata)
|
|
|
|
{
|
2019-10-15 12:47:50 +00:00
|
|
|
g_autoptr(virConf) conf = NULL;
|
2012-04-04 12:14:19 +00:00
|
|
|
|
2017-08-07 15:12:02 +00:00
|
|
|
conf = virConfReadString(filedata, 0);
|
2012-04-04 12:14:19 +00:00
|
|
|
if (!conf)
|
|
|
|
return -1;
|
|
|
|
|
2019-09-09 15:56:26 +00:00
|
|
|
return daemonConfigLoadOptions(data, filename, conf);
|
2012-04-04 12:14:19 +00:00
|
|
|
}
|