remote: conditionalize IP socket config in libvirtd.conf

Prepare for reusing libvirtd config to create other daemons by making
the config parameters for IP sockets conditionally defined by the make
rules.

The main libvirtd daemon will retain IP listen ability, but all the
driver specific daemons will be local UNIX sockets only. Apps needing
IP connectivity will connect via the libvirtd daemon which will proxy
to the driver specfic daemon.

Reviewed-by: Christophe de Dinechin <dinechin@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

.gitignore

@@ -158,6 +158,7 @@
 /src/remote/*_client_bodies.h
 /src/remote/*_protocol.[ch]
 /src/remote/*_stubs.h
+/src/remote/libvirtd.conf
 /src/remote/test_libvirtd.aug
 /src/rpc/virkeepaliveprotocol.[ch]
 /src/rpc/virnetprotocol.[ch]

src/remote/Makefile.inc.am

@@ -76,7 +76,7 @@ EXTRA_DIST += \
 	$(LIBVIRTD_SOURCES) \
 	remote/test_libvirtd.aug.in \
 	remote/libvirtd.aug \
-	remote/libvirtd.conf \
+	remote/libvirtd.conf.in \
 	remote/libvirtd.policy \
 	remote/libvirtd.rules \
 	remote/libvirtd.sasl \
@@ -93,6 +93,9 @@ MAINTAINERCLEANFILES += \
 	$(REMOTE_DRIVER_GENERATED) \
 	$(LIBVIRTD_GENERATED) \
 	$(NULL)
+CLEANFILES += \
+	remote/libvirtd.conf \
+	$(NULL)
 
 if WITH_REMOTE
 noinst_LTLIBRARIES += libvirt_driver_remote.la
@@ -128,7 +131,7 @@ augeas_DATA += remote/libvirtd.aug
 
 augeastest_DATA += remote/test_libvirtd.aug
 
-conf_DATA += remote/libvirtd.conf
+nodist_conf_DATA += remote/libvirtd.conf
 
 man8_MANS += libvirtd.8
 
@@ -179,6 +182,13 @@ libvirtd_LDADD += \
 	$(LIBSOCKET) \
 	$(NULL)
 
+remote/libvirtd.conf: remote/libvirtd.conf.in
+	$(AM_V_GEN)$(SED) \
+		-e '/[@]CUT_ENABLE_IP[@]/d' \
+		-e '/[@]END[@]/d' \
+		-e 's|[@]DAEMON_NAME[@]|libvirtd|' \
+		$< > $@
+
 INSTALL_DATA_DIRS += remote
 
 install-data-remote:
@@ -189,7 +199,7 @@ uninstall-data-remote:
 
 remote/test_libvirtd.aug: remote/test_libvirtd.aug.in \
 		remote/libvirtd.conf $(AUG_GENTEST)
-	$(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/remote/libvirtd.conf $< > $@
+	$(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< > $@
 
 if WITH_SYSCTL
 # Use $(prefix)/lib rather than $(libdir), since man sysctl.d insists on

src/remote/libvirtd.conf.in

@@ -1,13 +1,14 @@
 # Master libvirt daemon configuration file
 #
 
+@CUT_ENABLE_IP@
 #################################################################
 #
 # Network connectivity controls
 #
 
 # Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
 # have any effect.
 #
 # This setting is not required or honoured if using systemd socket
@@ -20,7 +21,7 @@
 #listen_tls = 0
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
 # have any effect.
 #
 # This setting is not required or honoured if using systemd socket
@@ -58,13 +59,14 @@
 # This setting is not required or honoured if using systemd socket
 # activation.
 #
-# If the libvirtd service is started in parallel with network
+# If the @DAEMON_NAME@ service is started in parallel with network
 # startup (e.g. with systemd), binding to addresses other than
 # the wildcards (0.0.0.0/::) might not be available yet.
 #
 #listen_addr = "192.168.0.1"
 
 
+@END@
 #################################################################
 #
 # UNIX socket access controls
@@ -157,6 +159,7 @@
 # If the unix_sock_rw_perms are changed you may wish to enable
 # an authentication mechanism here
 #auth_unix_rw = "none"
+@CUT_ENABLE_IP@
 
 # Change the authentication scheme for TCP sockets.
 #
@@ -174,6 +177,7 @@
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls = "none"
+@END@
 
 
 # Change the API access control scheme
@@ -182,10 +186,11 @@
 # to all APIs. Access drivers can place restrictions
 # on this. By default the 'nop' driver is enabled,
 # meaning no access control checks are done once a
-# client has authenticated with libvirtd
+# client has authenticated with @DAEMON_NAME@
 #
 #access_drivers = [ "polkit" ]
 
+@CUT_ENABLE_IP@
 #################################################################
 #
 # TLS x509 certificate configuration
@@ -225,15 +230,17 @@
 
 
 
+@END@
 #################################################################
 #
 # Authorization controls
 #
 
 
+@CUT_ENABLE_IP@
 # Flag to disable verification of our own server certificates
 #
-# When libvirtd starts it performs some sanity checks against
+# When @DAEMON_NAME@ starts it performs some sanity checks against
 # its own certificates.
 #
 # Default is to always run sanity checks. Uncommenting this
@@ -265,6 +272,15 @@
 #tls_allowed_dn_list = ["DN1", "DN2"]
 
 
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+@END@
 # A whitelist of allowed SASL usernames. The format for username
 # depends on the SASL authentication mechanism. Kerberos usernames
 # look like username@REALM
@@ -282,14 +298,6 @@
 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
 
 
-# Override the compile time default TLS priority string. The
-# default is usually "NORMAL" unless overridden at build time.
-# Only set this is it is desired for libvirt to deviate from
-# the global default settings.
-#
-#tls_priority="NORMAL"
-
-
 #################################################################
 #
 # Processing controls
@@ -417,8 +425,8 @@
 #    4: ERROR
 #
 # Multiple outputs can be defined, they just need to be separated by spaces.
-# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident:
-#log_outputs="3:syslog:libvirtd"
+#log_outputs="3:syslog:@DAEMON_NAME@"
 
 
 ##################################################################
@@ -461,7 +469,7 @@
 
 ###################################################################
 # Keepalive protocol:
-# This allows libvirtd to detect broken client connections or even
+# This allows @DAEMON_NAME@ to detect broken client connections or even
 # dead clients.  A keepalive message is sent to a client after
 # keepalive_interval seconds of inactivity to check if the client is
 # still responding; keepalive_count is a maximum number of keepalive
@@ -470,7 +478,7 @@
 # words, the connection is automatically closed approximately after
 # keepalive_interval * (keepalive_count + 1) seconds since the last
 # message received from the client.  If keepalive_interval is set to
-# -1, libvirtd will never send keepalive requests; however clients
+# -1, @DAEMON_NAME@ will never send keepalive requests; however clients
 # can still send them and the daemon will send responses.  When
 # keepalive_count is set to 0, connections will be automatically
 # closed after keepalive_interval seconds of inactivity without

src/remote/test_libvirtd.aug.in

@@ -29,11 +29,11 @@ module Test_libvirtd =
              { "1" = "DN1"}
              { "2" = "DN2"}
         }
+        { "tls_priority" = "NORMAL" }
         { "sasl_allowed_username_list"
              { "1" = "joe@EXAMPLE.COM" }
              { "2" = "fred@EXAMPLE.COM" }
         }
-        { "tls_priority" = "NORMAL" }
         { "max_clients" = "5000" }
         { "max_queued_clients" = "1000" }
         { "max_anonymous_clients" = "20" }