/* * remote_daemon_config.c: libvirtd config file handling * * Copyright (C) 2006-2018 Red Hat, Inc. * Copyright (C) 2006 Daniel P. Berrange * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public * License as published by the Free Software Foundation; either * version 2.1 of the License, or (at your option) any later version. * * This library is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this library. If not, see * . */ #include #include "remote_daemon_config.h" #include "virconf.h" #include "viralloc.h" #include "virerror.h" #include "virlog.h" #include "rpc/virnetserver.h" #include "configmake.h" #include "remote_protocol.h" #include "remote_driver.h" #include "util/virnetdevopenvswitch.h" #include "virstring.h" #include "virutil.h" #define VIR_FROM_THIS VIR_FROM_CONF VIR_LOG_INIT("daemon.libvirtd-config"); static int remoteConfigGetAuth(virConfPtr conf, const char *filename, const char *key, int *auth) { char *authstr = NULL; if (virConfGetValueString(conf, key, &authstr) < 0) return -1; if (!authstr) return 0; if (STREQ(authstr, "none")) { *auth = VIR_NET_SERVER_SERVICE_AUTH_NONE; #if WITH_SASL } else if (STREQ(authstr, "sasl")) { *auth = VIR_NET_SERVER_SERVICE_AUTH_SASL; #endif } else if (STREQ(authstr, "polkit")) { *auth = VIR_NET_SERVER_SERVICE_AUTH_POLKIT; } else { virReportError(VIR_ERR_CONFIG_UNSUPPORTED, _("%s: %s: unsupported auth %s"), filename, key, authstr); VIR_FREE(authstr); return -1; } VIR_FREE(authstr); return 0; } int daemonConfigFilePath(bool privileged, char **configfile) { if (privileged) { if (VIR_STRDUP(*configfile, SYSCONFDIR "/libvirt/" DAEMON_NAME ".conf") < 0) goto error; } else { char *configdir = NULL; if (!(configdir = virGetUserConfigDirectory())) goto error; if (virAsprintf(configfile, "%s/%s.conf", configdir, DAEMON_NAME) < 0) { VIR_FREE(configdir); goto error; } VIR_FREE(configdir); } return 0; error: return -1; } struct daemonConfig* daemonConfigNew(bool privileged ATTRIBUTE_UNUSED) { struct daemonConfig *data; if (VIR_ALLOC(data) < 0) return NULL; #ifdef WITH_IP # ifdef LIBVIRTD data->listen_tls = 1; /* Only honoured if --listen is set */ # else /* ! LIBVIRTD */ data->listen_tls = 0; /* Always honoured, --listen doesn't exist. */ # endif /* ! LIBVIRTD */ data->listen_tcp = 0; if (VIR_STRDUP(data->tls_port, LIBVIRTD_TLS_PORT) < 0 || VIR_STRDUP(data->tcp_port, LIBVIRTD_TCP_PORT) < 0) goto error; #endif /* !WITH_IP */ /* Only default to PolicyKit if running as root */ #if WITH_POLKIT if (privileged) { data->auth_unix_rw = REMOTE_AUTH_POLKIT; data->auth_unix_ro = REMOTE_AUTH_POLKIT; } else { #endif data->auth_unix_rw = REMOTE_AUTH_NONE; data->auth_unix_ro = REMOTE_AUTH_NONE; #if WITH_POLKIT } #endif if (VIR_STRDUP(data->unix_sock_rw_perms, data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 || VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 || VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0) goto error; #ifdef WITH_IP # if WITH_SASL data->auth_tcp = REMOTE_AUTH_SASL; # else data->auth_tcp = REMOTE_AUTH_NONE; # endif data->auth_tls = REMOTE_AUTH_NONE; #endif /* ! WITH_IP */ data->min_workers = 5; data->max_workers = 20; data->max_clients = 5000; data->max_queued_clients = 1000; data->max_anonymous_clients = 20; data->prio_workers = 5; data->max_client_requests = 5; data->audit_level = 1; data->audit_logging = 0; data->keepalive_interval = 5; data->keepalive_count = 5; data->admin_min_workers = 5; data->admin_max_workers = 20; data->admin_max_clients = 5000; data->admin_max_queued_clients = 20; data->admin_max_client_requests = 5; data->admin_keepalive_interval = 5; data->admin_keepalive_count = 5; data->ovs_timeout = VIR_NETDEV_OVS_DEFAULT_TIMEOUT; return data; error: daemonConfigFree(data); return NULL; } void daemonConfigFree(struct daemonConfig *data) { char **tmp; if (!data) return; #ifdef WITH_IP VIR_FREE(data->listen_addr); VIR_FREE(data->tls_port); VIR_FREE(data->tcp_port); #endif /* ! WITH_IP */ tmp = data->access_drivers; while (tmp && *tmp) { VIR_FREE(*tmp); tmp++; } VIR_FREE(data->access_drivers); VIR_FREE(data->unix_sock_admin_perms); VIR_FREE(data->unix_sock_ro_perms); VIR_FREE(data->unix_sock_rw_perms); VIR_FREE(data->unix_sock_group); VIR_FREE(data->unix_sock_dir); tmp = data->sasl_allowed_username_list; while (tmp && *tmp) { VIR_FREE(*tmp); tmp++; } VIR_FREE(data->sasl_allowed_username_list); #ifdef WITH_IP tmp = data->tls_allowed_dn_list; while (tmp && *tmp) { VIR_FREE(*tmp); tmp++; } VIR_FREE(data->tls_allowed_dn_list); VIR_FREE(data->tls_priority); VIR_FREE(data->key_file); VIR_FREE(data->ca_file); VIR_FREE(data->cert_file); VIR_FREE(data->crl_file); #endif /* ! WITH_IP */ VIR_FREE(data->host_uuid); VIR_FREE(data->host_uuid_source); VIR_FREE(data->log_filters); VIR_FREE(data->log_outputs); VIR_FREE(data); } static int daemonConfigLoadOptions(struct daemonConfig *data, const char *filename, virConfPtr conf) { #ifdef WITH_IP if (virConfGetValueBool(conf, "listen_tcp", &data->listen_tcp) < 0) goto error; if (virConfGetValueBool(conf, "listen_tls", &data->listen_tls) < 0) goto error; if (virConfGetValueString(conf, "tls_port", &data->tls_port) < 0) goto error; if (virConfGetValueString(conf, "tcp_port", &data->tcp_port) < 0) goto error; if (virConfGetValueString(conf, "listen_addr", &data->listen_addr) < 0) goto error; #endif /* !WITH_IP */ if (remoteConfigGetAuth(conf, filename, "auth_unix_rw", &data->auth_unix_rw) < 0) goto error; #if WITH_POLKIT /* Change default perms to be wide-open if PolicyKit is enabled. * Admin can always override in config file */ if (data->auth_unix_rw == REMOTE_AUTH_POLKIT) { VIR_FREE(data->unix_sock_rw_perms); if (VIR_STRDUP(data->unix_sock_rw_perms, "0777") < 0) goto error; } #endif if (remoteConfigGetAuth(conf, filename, "auth_unix_ro", &data->auth_unix_ro) < 0) goto error; #ifdef WITH_IP if (remoteConfigGetAuth(conf, filename, "auth_tcp", &data->auth_tcp) < 0) goto error; if (remoteConfigGetAuth(conf, filename, "auth_tls", &data->auth_tls) < 0) goto error; #endif /* ! WITH_IP */ if (virConfGetValueStringList(conf, "access_drivers", false, &data->access_drivers) < 0) goto error; if (virConfGetValueString(conf, "unix_sock_group", &data->unix_sock_group) < 0) goto error; if (virConfGetValueString(conf, "unix_sock_admin_perms", &data->unix_sock_admin_perms) < 0) goto error; if (virConfGetValueString(conf, "unix_sock_ro_perms", &data->unix_sock_ro_perms) < 0) goto error; if (virConfGetValueString(conf, "unix_sock_rw_perms", &data->unix_sock_rw_perms) < 0) goto error; if (virConfGetValueString(conf, "unix_sock_dir", &data->unix_sock_dir) < 0) goto error; #ifdef WITH_IP if (virConfGetValueBool(conf, "tls_no_sanity_certificate", &data->tls_no_sanity_certificate) < 0) goto error; if (virConfGetValueBool(conf, "tls_no_verify_certificate", &data->tls_no_verify_certificate) < 0) goto error; if (virConfGetValueString(conf, "key_file", &data->key_file) < 0) goto error; if (virConfGetValueString(conf, "cert_file", &data->cert_file) < 0) goto error; if (virConfGetValueString(conf, "ca_file", &data->ca_file) < 0) goto error; if (virConfGetValueString(conf, "crl_file", &data->crl_file) < 0) goto error; if (virConfGetValueStringList(conf, "tls_allowed_dn_list", false, &data->tls_allowed_dn_list) < 0) goto error; if (virConfGetValueString(conf, "tls_priority", &data->tls_priority) < 0) goto error; #endif /* ! WITH_IP */ if (virConfGetValueStringList(conf, "sasl_allowed_username_list", false, &data->sasl_allowed_username_list) < 0) goto error; if (virConfGetValueUInt(conf, "min_workers", &data->min_workers) < 0) goto error; if (virConfGetValueUInt(conf, "max_workers", &data->max_workers) < 0) goto error; if (data->max_workers < 1) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("'max_workers' must be greater than 0")); goto error; } if (virConfGetValueUInt(conf, "max_clients", &data->max_clients) < 0) goto error; if (virConfGetValueUInt(conf, "max_queued_clients", &data->max_queued_clients) < 0) goto error; if (virConfGetValueUInt(conf, "max_anonymous_clients", &data->max_anonymous_clients) < 0) goto error; if (virConfGetValueUInt(conf, "prio_workers", &data->prio_workers) < 0) goto error; if (virConfGetValueUInt(conf, "max_client_requests", &data->max_client_requests) < 0) goto error; if (virConfGetValueUInt(conf, "admin_min_workers", &data->admin_min_workers) < 0) goto error; if (virConfGetValueUInt(conf, "admin_max_workers", &data->admin_max_workers) < 0) goto error; if (virConfGetValueUInt(conf, "admin_max_clients", &data->admin_max_clients) < 0) goto error; if (virConfGetValueUInt(conf, "admin_max_queued_clients", &data->admin_max_queued_clients) < 0) goto error; if (virConfGetValueUInt(conf, "admin_max_client_requests", &data->admin_max_client_requests) < 0) goto error; if (virConfGetValueUInt(conf, "audit_level", &data->audit_level) < 0) goto error; if (virConfGetValueBool(conf, "audit_logging", &data->audit_logging) < 0) goto error; if (virConfGetValueString(conf, "host_uuid", &data->host_uuid) < 0) goto error; if (virConfGetValueString(conf, "host_uuid_source", &data->host_uuid_source) < 0) goto error; if (virConfGetValueUInt(conf, "log_level", &data->log_level) < 0) goto error; if (virConfGetValueString(conf, "log_filters", &data->log_filters) < 0) goto error; if (virConfGetValueString(conf, "log_outputs", &data->log_outputs) < 0) goto error; if (virConfGetValueInt(conf, "keepalive_interval", &data->keepalive_interval) < 0) goto error; if (virConfGetValueUInt(conf, "keepalive_count", &data->keepalive_count) < 0) goto error; if (virConfGetValueInt(conf, "admin_keepalive_interval", &data->admin_keepalive_interval) < 0) goto error; if (virConfGetValueUInt(conf, "admin_keepalive_count", &data->admin_keepalive_count) < 0) goto error; if (virConfGetValueUInt(conf, "ovs_timeout", &data->ovs_timeout) < 0) goto error; return 0; error: return -1; } /* Read the config file if it exists. * Only used in the remote case, hence the name. */ int daemonConfigLoadFile(struct daemonConfig *data, const char *filename, bool allow_missing) { VIR_AUTOPTR(virConf) conf = NULL; if (allow_missing && access(filename, R_OK) == -1 && errno == ENOENT) return 0; conf = virConfReadFile(filename, 0); if (!conf) return -1; return daemonConfigLoadOptions(data, filename, conf); } int daemonConfigLoadData(struct daemonConfig *data, const char *filename, const char *filedata) { VIR_AUTOPTR(virConf) conf = NULL; conf = virConfReadString(filedata, 0); if (!conf) return -1; return daemonConfigLoadOptions(data, filename, conf); }