mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-11-02 11:21:12 +00:00
f4c3acdf35
* qemud/libvirtd_qemu.aug, qemud/test_libvirtd_qemu.aug, src/qemu.conf: Add 'cgroups_controllers' and 'cgroups_device_acl' parameters * src/qemu_conf.h, src/qemu_conf.c: Load & parse configuration params for cgroups * src/qemu_driver.c: Only use cgroups controllers that are activated, and use configured device whitelist instead of default, if set.
187 lines
7.0 KiB
Plaintext
187 lines
7.0 KiB
Plaintext
module Test_libvirtd_qemu =
|
|
|
|
let conf = "# Master configuration file for the QEMU driver.
|
|
# All settings described here are optional - if omitted, sensible
|
|
# defaults are used.
|
|
|
|
# VNC is configured to listen on 127.0.0.1 by default.
|
|
# To make it listen on all public interfaces, uncomment
|
|
# this next option.
|
|
#
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
# verification when allowing public access
|
|
#
|
|
vnc_listen = \"0.0.0.0\"
|
|
|
|
|
|
# Enable use of TLS encryption on the VNC server. This requires
|
|
# a VNC client which supports the VeNCrypt protocol extension.
|
|
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
vnc_tls = 1
|
|
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The
|
|
# default it to keep them in /etc/pki/libvirt-vnc. This directory
|
|
# must contain
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
# server-key.pem - the server private key
|
|
#
|
|
# This option allows the certificate directory to be changed
|
|
#
|
|
vnc_tls_x509_cert_dir = \"/etc/pki/libvirt-vnc\"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# and encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing a x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client who does not have a
|
|
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
|
|
#
|
|
vnc_tls_x509_verify = 1
|
|
|
|
|
|
# The default VNC password. Only 8 letters are significant for
|
|
# VNC passwords. This parameter is only used if the per-domain
|
|
# XML config does not already provide a password. To allow
|
|
# access without passwords, leave this commented out. An empty
|
|
# string will still enable passwords, but be rejected by QEMU
|
|
# effectively preventing any use of VNC. Obviously change this
|
|
# example here before you set this
|
|
#
|
|
vnc_password = \"XYZ12345\"
|
|
|
|
|
|
# Enable use of SASL encryption on the VNC server. This requires
|
|
# a VNC client which supports the SASL protocol extension.
|
|
# Examples include vinagre, virt-viewer and virt-manager
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
#
|
|
vnc_sasl = 1
|
|
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
# override the configs in this location. Set this parameter to
|
|
# point to the directory, and create a qemu.conf in that location
|
|
#
|
|
vnc_sasl_dir = \"/some/directory/sasl2\"
|
|
|
|
user = \"root\"
|
|
|
|
group = \"root\"
|
|
|
|
cgroup_controllers = [ \"cpu\", \"devices\" ]
|
|
|
|
cgroup_device_acl = [ \"/dev/null\", \"/dev/full\", \"/dev/zero\" ]
|
|
"
|
|
|
|
test Libvirtd_qemu.lns get conf =
|
|
{ "#comment" = "Master configuration file for the QEMU driver." }
|
|
{ "#comment" = "All settings described here are optional - if omitted, sensible" }
|
|
{ "#comment" = "defaults are used." }
|
|
{ "#empty" }
|
|
{ "#comment" = "VNC is configured to listen on 127.0.0.1 by default." }
|
|
{ "#comment" = "To make it listen on all public interfaces, uncomment" }
|
|
{ "#comment" = "this next option." }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "NB, strong recommendation to enable TLS + x509 certificate" }
|
|
{ "#comment" = "verification when allowing public access" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_listen" = "0.0.0.0" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "Enable use of TLS encryption on the VNC server. This requires" }
|
|
{ "#comment" = "a VNC client which supports the VeNCrypt protocol extension." }
|
|
{ "#comment" = "Examples include vinagre, virt-viewer, virt-manager and vencrypt" }
|
|
{ "#comment" = "itself. UltraVNC, RealVNC, TightVNC do not support this" }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "It is necessary to setup CA and issue a server certificate" }
|
|
{ "#comment" = "before enabling this." }
|
|
{ "#comment" = "" }
|
|
{ "vnc_tls" = "1" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "Use of TLS requires that x509 certificates be issued. The" }
|
|
{ "#comment" = "default it to keep them in /etc/pki/libvirt-vnc. This directory" }
|
|
{ "#comment" = "must contain" }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "ca-cert.pem - the CA master certificate" }
|
|
{ "#comment" = "server-cert.pem - the server certificate signed with ca-cert.pem" }
|
|
{ "#comment" = "server-key.pem - the server private key" }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "This option allows the certificate directory to be changed" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "The default TLS configuration only uses certificates for the server" }
|
|
{ "#comment" = "allowing the client to verify the server's identity and establish" }
|
|
{ "#comment" = "and encrypted channel." }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "It is possible to use x509 certificates for authentication too, by" }
|
|
{ "#comment" = "issuing a x509 certificate to every client who needs to connect." }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "Enabling this option will reject any client who does not have a" }
|
|
{ "#comment" = "certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_tls_x509_verify" = "1" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "The default VNC password. Only 8 letters are significant for" }
|
|
{ "#comment" = "VNC passwords. This parameter is only used if the per-domain" }
|
|
{ "#comment" = "XML config does not already provide a password. To allow" }
|
|
{ "#comment" = "access without passwords, leave this commented out. An empty" }
|
|
{ "#comment" = "string will still enable passwords, but be rejected by QEMU" }
|
|
{ "#comment" = "effectively preventing any use of VNC. Obviously change this" }
|
|
{ "#comment" = "example here before you set this" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_password" = "XYZ12345" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "Enable use of SASL encryption on the VNC server. This requires" }
|
|
{ "#comment" = "a VNC client which supports the SASL protocol extension." }
|
|
{ "#comment" = "Examples include vinagre, virt-viewer and virt-manager" }
|
|
{ "#comment" = "itself. UltraVNC, RealVNC, TightVNC do not support this" }
|
|
{ "#comment" = "" }
|
|
{ "#comment" = "It is necessary to configure /etc/sasl2/qemu.conf to choose" }
|
|
{ "#comment" = "the desired SASL plugin (eg, GSSPI for Kerberos)" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_sasl" = "1" }
|
|
{ "#empty" }
|
|
{ "#empty" }
|
|
{ "#comment" = "The default SASL configuration file is located in /etc/sasl2/" }
|
|
{ "#comment" = "When running libvirtd unprivileged, it may be desirable to" }
|
|
{ "#comment" = "override the configs in this location. Set this parameter to" }
|
|
{ "#comment" = "point to the directory, and create a qemu.conf in that location" }
|
|
{ "#comment" = "" }
|
|
{ "vnc_sasl_dir" = "/some/directory/sasl2" }
|
|
{ "#empty" }
|
|
{ "user"= "root" }
|
|
{ "#empty" }
|
|
{ "group" = "root" }
|
|
{ "#empty" }
|
|
{ "cgroup_controllers"
|
|
{ "1" = "cpu" }
|
|
{ "2" = "devices" }
|
|
}
|
|
{ "#empty" }
|
|
{ "cgroup_device_acl"
|
|
{ "1" = "/dev/null" }
|
|
{ "2" = "/dev/full" }
|
|
{ "3" = "/dev/zero" }
|
|
}
|