mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-05 04:41:20 +00:00
5f75ec90fe
The term "access control list" better describes the concept involved. Reviewed-by: Peter Krempa <pkrempa@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
183 lines
6.7 KiB
Plaintext
183 lines
6.7 KiB
Plaintext
# Master libvirt daemon configuration file
|
|
#
|
|
# For further information consult https://libvirt.org/format.html
|
|
#################################################################
|
|
#
|
|
# Network connectivitiy controls
|
|
#
|
|
# Flag listening for secure TLS connections on the public TCP/IP port.
|
|
# NB, must pass the --listen flag to the libvirtd process for this to
|
|
# have any effect.
|
|
#
|
|
# It is necessary to setup a CA and issue server certificates before
|
|
# using this capability.
|
|
#
|
|
# This is enabled by default, uncomment this to disable it
|
|
listen_tls = 0
|
|
# Listen for unencrypted TCP connections on the public TCP/IP port.
|
|
# NB, must pass the --listen flag to the libvirtd process for this to
|
|
# have any effect.
|
|
#
|
|
# Using the TCP socket requires SASL authentication by default. Only
|
|
# SASL mechanisms which support data encryption are allowed. This is
|
|
# DIGEST_MD5 and GSSAPI (Kerberos5)
|
|
#
|
|
# This is disabled by default, uncomment this to enable it.
|
|
listen_tcp = 1
|
|
# Override the port for accepting secure TLS connections
|
|
# This can be a port number, or service name
|
|
#
|
|
tls_port = "16514"
|
|
# Override the port for accepting insecure TCP connections
|
|
# This can be a port number, or service name
|
|
#
|
|
tcp_port = "16509"
|
|
#################################################################
|
|
#
|
|
# UNIX socket access controls
|
|
#
|
|
# Set the UNIX domain socket group ownership. This can be used to
|
|
# allow a 'trusted' set of users access to management capabilities
|
|
# without becoming root.
|
|
#
|
|
# This is restricted to 'root' by default.
|
|
unix_sock_group = "libvirt"
|
|
# Set the UNIX socket permissions for the R/O socket. This is used
|
|
# for monitoring VM status only
|
|
#
|
|
# Default allows any user. If setting group ownership may want to
|
|
# restrict this to:
|
|
unix_sock_ro_perms = "0777"
|
|
# Set the UNIX socket permissions for the R/W socket. This is used
|
|
# for full management of VMs
|
|
#
|
|
# Default allows only root. If PolicyKit is enabled on the socket,
|
|
# the default will change to allow everyone (eg, 0777)
|
|
#
|
|
# If not using PolicyKit and setting group ownership for access
|
|
# control then you may want to relax this to:
|
|
unix_sock_rw_perms = "0770"
|
|
# Set the UNIX socket permissions for the admin interface socket.
|
|
#
|
|
# Default allows only owner (root), do not change it unless you are
|
|
# sure to whom you are exposing the access to
|
|
unix_sock_admin_perms = "0700"
|
|
#################################################################
|
|
#
|
|
# Authentication.
|
|
#
|
|
# - none: do not perform auth checks. If you can connect to the
|
|
# socket you are allowed. This is suitable if there are
|
|
# restrictions on connecting to the socket (eg, UNIX
|
|
# socket permissions), or if there is a lower layer in
|
|
# the network providing auth (eg, TLS/x509 certificates)
|
|
#
|
|
# - sasl: use SASL infrastructure. The actual auth scheme is then
|
|
# controlled from /etc/sasl2/libvirt.conf. For the TCP
|
|
# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
|
|
# For non-TCP or TLS sockets, any scheme is allowed.
|
|
#
|
|
# - polkit: use PolicyKit to authenticate. This is only suitable
|
|
# for use on the UNIX sockets. The default policy will
|
|
# require a user to supply their own password to gain
|
|
# full read/write access (aka sudo like), while anyone
|
|
# is allowed read/only access.
|
|
#
|
|
# Set an authentication scheme for UNIX read-only sockets
|
|
# By default socket permissions allow anyone to connect
|
|
#
|
|
# To restrict monitoring of domains you may wish to enable
|
|
# an authentication mechanism here
|
|
auth_unix_ro = "none"
|
|
# Set an authentication scheme for UNIX read-write sockets
|
|
# By default socket permissions only allow root. If PolicyKit
|
|
# support was compiled into libvirt, the default will be to
|
|
# use 'polkit' auth.
|
|
#
|
|
# If the unix_sock_rw_perms are changed you may wish to enable
|
|
# an authentication mechanism here
|
|
auth_unix_rw = "none"
|
|
# Change the authentication scheme for TCP sockets.
|
|
#
|
|
# If you don't enable SASL, then all TCP traffic is cleartext.
|
|
# Don't do this outside of a dev/test scenario. For real world
|
|
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
|
|
# mechanism in /etc/sasl2/libvirt.conf
|
|
auth_tcp = "sasl"
|
|
# Change the authentication scheme for TLS sockets.
|
|
#
|
|
# TLS sockets already have encryption provided by the TLS
|
|
# layer, and limited authentication is done by certificates
|
|
#
|
|
# It is possible to make use of any SASL authentication
|
|
# mechanism as well, by using 'sasl' for this option
|
|
auth_tls = "none"
|
|
#################################################################
|
|
#
|
|
# TLS x509 certificate configuration
|
|
#
|
|
# Override the default server key file path
|
|
#
|
|
key_file = "/etc/pki/libvirt/private/serverkey.pem"
|
|
# Override the default server certificate file path
|
|
#
|
|
cert_file = "/etc/pki/libvirt/servercert.pem"
|
|
# Override the default CA certificate path
|
|
#
|
|
ca_file = "/etc/pki/CA/cacert.pem"
|
|
# Specify a certificate revocation list.
|
|
#
|
|
# Defaults to not using a CRL, uncomment to enable it
|
|
crl_file = "/etc/pki/CA/crl.pem"
|
|
#################################################################
|
|
#
|
|
# Authorization controls
|
|
#
|
|
# Flag to disable verification of client certificates
|
|
#
|
|
# Client certificate verification is the primary authentication mechanism.
|
|
# Any client which does not present a certificate signed by the CA
|
|
# will be rejected.
|
|
#
|
|
# Default is to always verify. Uncommenting this will disable
|
|
# verification.
|
|
tls_no_verify_certificate = 1
|
|
# An access control list of allowed x509 Distinguished Names
|
|
# This list may contain wildcards such as
|
|
#
|
|
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
|
|
#
|
|
# See the g_pattern_match function for the format of the wildcards.
|
|
#
|
|
# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
|
|
#
|
|
# NB If this is an empty list, no client can connect, so comment out
|
|
# entirely rather than using empty list to disable these checks
|
|
#
|
|
# By default, no DN's are checked
|
|
tls_allowed_dn_list = [ "DN1", "DN2" ]
|
|
# An access control list of allowed SASL usernames. The format for usernames
|
|
# depends on the SASL authentication mechanism. Kerberos usernames
|
|
# look like username@REALM
|
|
#
|
|
# This list may contain wildcards such as
|
|
#
|
|
# "*@EXAMPLE.COM"
|
|
#
|
|
# See the g_pattern_match function for the format of the wildcards.
|
|
#
|
|
# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
|
|
#
|
|
# NB If this is an empty list, no client can connect, so comment out
|
|
# entirely rather than using empty list to disable these checks
|
|
#
|
|
# By default, no Username's are checked
|
|
sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
|
|
# UUID of the host:
|
|
# Provide the UUID of the host here in case the command
|
|
# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
|
|
# 'dmidecode' does not provide a valid UUID and none is provided here, a
|
|
# temporary UUID will be generated.
|
|
# Keep the format of the example UUID below.
|
|
host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"
|