mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-06 13:20:20 +00:00
07f9b6f019
When libvirtd starts it it will sanity check its own certs, and before libvirt clients connect to a remote server they will sanity check their own certs. This patch allows such sanity checking to be skipped. There is no strong reason to need to do this, other than to bypass possible libvirt bugs in sanity checking, or for testing purposes. libvirt.conf gains tls_no_sanity_certificate parameter to go along with tls_no_verify_certificate. The remote driver client URIs gain a no_sanity URI parameter * daemon/test_libvirtd.aug, daemon/libvirtd.conf, daemon/libvirtd.c, daemon/libvirtd.aug: Add parameter to allow cert sanity checks to be skipped * src/remote/remote_driver.c: Add no_sanity parameter to skip cert checks * src/rpc/virnettlscontext.c, src/rpc/virnettlscontext.h: Add new parameter for skipping sanity checks independantly of skipping session cert validation checks
88 lines
3.3 KiB
Plaintext
88 lines
3.3 KiB
Plaintext
(* /etc/libvirt/libvirtd.conf *)
|
|
|
|
module Libvirtd =
|
|
autoload xfm
|
|
|
|
let eol = del /[ \t]*\n/ "\n"
|
|
let value_sep = del /[ \t]*=[ \t]*/ " = "
|
|
let indent = del /[ \t]*/ ""
|
|
|
|
let array_sep = del /,[ \t\n]*/ ", "
|
|
let array_start = del /\[[ \t\n]*/ "[ "
|
|
let array_end = del /\]/ "]"
|
|
|
|
let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
|
|
let bool_val = store /0|1/
|
|
let int_val = store /[0-9]+/
|
|
let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
|
|
let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
|
|
|
|
let str_entry (kw:string) = [ key kw . value_sep . str_val ]
|
|
let bool_entry (kw:string) = [ key kw . value_sep . bool_val ]
|
|
let int_entry (kw:string) = [ key kw . value_sep . int_val ]
|
|
let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
|
|
|
|
|
|
(* Config entry grouped by function - same order as example config *)
|
|
let network_entry = bool_entry "listen_tls"
|
|
| bool_entry "listen_tcp"
|
|
| str_entry "tls_port"
|
|
| str_entry "tcp_port"
|
|
| str_entry "listen_addr"
|
|
| bool_entry "mdns_adv"
|
|
| str_entry "mdns_name"
|
|
|
|
let sock_acl_entry = str_entry "unix_sock_group"
|
|
| str_entry "unix_sock_ro_perms"
|
|
| str_entry "unix_sock_rw_perms"
|
|
| str_entry "unix_sock_dir"
|
|
|
|
let authentication_entry = str_entry "auth_unix_ro"
|
|
| str_entry "auth_unix_rw"
|
|
| str_entry "auth_tcp"
|
|
| str_entry "auth_tls"
|
|
|
|
let certificate_entry = str_entry "key_file"
|
|
| str_entry "cert_file"
|
|
| str_entry "ca_file"
|
|
| str_entry "crl_file"
|
|
|
|
let authorization_entry = bool_entry "tls_no_verify_certificate"
|
|
| bool_entry "tls_no_sanity_certificate"
|
|
| str_array_entry "tls_allowed_dn_list"
|
|
| str_array_entry "sasl_allowed_username_list"
|
|
|
|
let processing_entry = int_entry "min_workers"
|
|
| int_entry "max_workers"
|
|
| int_entry "max_clients"
|
|
| int_entry "max_requests"
|
|
| int_entry "max_client_requests"
|
|
|
|
let logging_entry = int_entry "log_level"
|
|
| str_entry "log_filters"
|
|
| str_entry "log_outputs"
|
|
|
|
let auditing_entry = int_entry "audit_level"
|
|
| bool_entry "audit_logging"
|
|
|
|
(* Each enty in the config is one of the following three ... *)
|
|
let entry = network_entry
|
|
| sock_acl_entry
|
|
| authentication_entry
|
|
| certificate_entry
|
|
| authorization_entry
|
|
| processing_entry
|
|
| logging_entry
|
|
| auditing_entry
|
|
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
|
|
let empty = [ label "#empty" . eol ]
|
|
|
|
let record = indent . entry . eol
|
|
|
|
let lns = ( record | comment | empty ) *
|
|
|
|
let filter = incl "/etc/libvirt/libvirtd.conf"
|
|
. Util.stdexcl
|
|
|
|
let xfm = transform lns filter
|