From 85ef19558cf8df2c0d737fad3ac222fd05bc716a Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Fri, 12 Oct 2007 19:54:15 +0000
Subject: [PATCH] Added default example configs for libvirtd/qemu driver
---
 libvirt.spec.in | 2 +
 qemud/Makefile.am | 6 +-
 qemud/libvirtd.conf | 141 ++++++++++++++++++++++++++++++++++++++++++++
 src/Makefile.am | 6 +-
 src/qemu.conf | 49 +++++++++++++++
 5 files changed, 202 insertions(+), 2 deletions(-)
 create mode 100644 qemud/libvirtd.conf
 create mode 100644 src/qemu.conf
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 948c403149..4995eef891 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -129,6 +129,8 @@ fi
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
 %{_sysconfdir}/rc.d/init.d/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
+%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
+%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %dir %{_datadir}/libvirt/
 %dir %{_datadir}/libvirt/networks/
 %{_datadir}/libvirt/networks/default.xml
diff --git a/qemud/Makefile.am b/qemud/Makefile.am
index 9f5cdc431e..506fde5e2e 100644
--- a/qemud/Makefile.am
+++ b/qemud/Makefile.am
@@ -4,6 +4,9 @@ UUID=$(shell uuidgen)
 sbin_PROGRAMS = libvirtd
+confdir = $(sysconfdir)/libvirt/
+conf_DATA = libvirtd.conf
+
 # Distribute the generated files so that rpcgen isn't required on the
 # target machine (although almost any Unix machine will have it).
 EXTRA_DIST = libvirtd.init.in libvirtd.sysconf default-network.xml \
@@ -14,7 +17,8 @@ EXTRA_DIST = libvirtd.init.in libvirtd.sysconf default-network.xml \
 remote_dispatch_prototypes.h \
 remote_dispatch_localvars.h \
 remote_dispatch_proc_switch.h \
- mdns.c mdns.h
+ mdns.c mdns.h \
+ $(conf_DATA)
 libvirtd_SOURCES = \
 qemud.c internal.h \
diff --git a/qemud/libvirtd.conf b/qemud/libvirtd.conf
new file mode 100644
index 0000000000..51168b8575
--- /dev/null
+++ b/qemud/libvirtd.conf
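Review bot: `conf_DATA = libvirtd.conf` installs the file through automake's unconditional `$(INSTALL_DATA)`, so a `make install` over an existing deployment overwrites an administrator's edited `$(sysconfdir)/libvirt/libvirtd.conf`; the RPM path is protected by the `%config(noreplace)` entries in the spec hunk, but a source install has no equivalent unless an `install-data-hook` skips the copy when the destination already exists. The same applies to `conf_DATA = qemu.conf` in the src/Makefile.am hunk further down. The settings an administrator would lose include `listen_tcp`, the UNIX socket group/permissions and the TLS verification flags, so the reset deserves a guard even though the shipped file itself is all comments. As a point of style, `confdir = $(sysconfdir)/libvirt/` carries a trailing slash that automake does not need and that yields `//` in the install paths; `confdir = $(sysconfdir)/libvirt` is the usual form.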
@@ -0,0 +1,141 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is neccessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+# listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# NB, this is insecure. Do not use except for development.
+#
+# This is disabled by default, uncomment this to enable it.
+# listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+# tcp_port = "16509"
+
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+# mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+# mdns_name "Virtualization Host Joe Demo"
+
+
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+# unix_sock_group "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+# unix_sock_ro_perms "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If setting group ownership may want to
+# relax this to:
+# unix_sock_rw_perms "octal-perms" "0770"
+
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+# tls_no_verify_certificate 1
+
+# Flag to disable verification of client IP address
+#
+# Client IP address will be verified against the CommonName field
+# of the x509 certificate. This has minimal security benefit since
+# it is easy to spoof source IP.
+#
+# Uncommenting this will disable verification
+# tls_no_verify_address 1
+
+# Override the default server key file path
+#
+# key_file "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+# cert_file "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+# ca_file "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+# crl_file "/etc/pki/CA/crl.pem"
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+# tls_allowed_dn_list ["DN1", "DN2"]
+
+
+# A whitelist of allowed client IP addresses
+#
+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch
+# function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
+# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
+
+
diff --git a/src/Makefile.am b/src/Makefile.am
index 48fd592871..4a250a8a17 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -17,7 +17,11 @@ DEPS = libvirt.la
 LDADDS = @STATIC_BINARIES@ $(WARN_CFLAGS) libvirt.la
 VIRSH_LIBS = @VIRSH_LIBS@
-EXTRA_DIST = libvirt_sym.version
+confdir = $(sysconfdir)/libvirt/
+conf_DATA = qemu.conf
+
+
+EXTRA_DIST = libvirt_sym.version $(conf_DATA)
 lib_LTLIBRARIES = libvirt.la
 libvirt_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS)
diff --git a/src/qemu.conf b/src/qemu.conf
new file mode 100644
index 0000000000..767cdd3a1e
--- /dev/null
+++ b/src/qemu.conf
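Review bot: The UNIX socket permission examples contradict their own descriptions: `unix_sock_ro_perms "0777"` is offered as the value to restrict the R/O socket to after setting `unix_sock_group`, yet 0777 is the permissive "any user" default the preceding sentence describes, so presumably `0770` was intended; and `unix_sock_rw_perms "octal-perms" "0770"` carries a stray `"octal-perms"` token that an administrator copying the line would hand straight to the parser. The key/value syntax is inconsistent across the file: the first half writes `listen_tls = 0` and `tls_port = "16514"`, while `mdns_name`, `unix_sock_group`, `tls_no_verify_certificate 1` and the `key_file`/`cert_file`/`ca_file`/`crl_file` examples omit the `=` — unless the parser accepts both forms, half of the examples fail when uncommented, so they should all use one form (qemu.conf in this same commit uses `key = value` throughout). The `tls_no_verify_certificate` comment advises "make sure an IP whitelist is set" while the next section states that the IP check "has minimal security benefit since it is easy to spoof source IP"; with certificate verification disabled, that spoofable list is presumably the only check left on the TLS listener, and the comment should say so rather than present it as a substitute, e.g. `# verification - the only remaining check is the (spoofable) IP whitelist`. Minor wording: "neccessary", "advertizement" and "subsituted" are misspelled.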
@@ -0,0 +1,49 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# vnc_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is neccessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+# vnc_tls_x509_verify = 1
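Review bot: The certificate-directory listing says what each file is but not who may read it: `server-key.pem` is presumably read by the QEMU processes that serve TLS-enabled VNC, so a line such as `# server-key.pem - the server private key (readable only by the account QEMU runs as)` would keep administrators from leaving it world-readable next to the public certificates. It would also help to say beside `vnc_listen = "0.0.0.0"` that `vnc_tls = 1` on its own only encrypts the channel and that client authentication requires `vnc_tls_x509_verify = 1`; the last section explains this, but a reader who only uncomments `vnc_listen` never reaches it. Minor wording: "default it to keep them" should read "default is to keep them", "and encrypted channel" should read "an encrypted channel", and "neccessary" is misspelled.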