[libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

Daniel P. Berrangé berrange at redhat.com
Tue Jul 30 10:58:49 UTC 2019


On Tue, Jul 30, 2019 at 12:48:03PM +0200, Christophe de Dinechin wrote:
> 
> Daniel P. Berrangé writes:
> 
> > Prepare for reusing libvirtd config to create other daemons by making
> > the config parameters for IP sockets conditionally defined by the make
> > rules.
> >
> > The main libvirtd daemon will retain IP listen ability, but all the
> > driver specific daemons will be local UNIX sockets only. Apps needing
> > IP connectivity will connect via the libvirtd daemon which will proxy
> > to the driver specific daemon.
> >
> > Reviewed-by: Andrea Bolognani <abologna at redhat.com>
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>


> > diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
> > similarity index 95%
> > rename from src/remote/libvirtd.conf
> > rename to src/remote/libvirtd.conf.in
> > index b63b8d61b7..e351a8c190 100644
> > --- a/src/remote/libvirtd.conf
> > +++ b/src/remote/libvirtd.conf.in
> > @@ -1,13 +1,14 @@
> >  # Master libvirt daemon configuration file
> >  #
> >
> > + at CUT_ENABLE_IP@
> >  #################################################################
> >  #
> >  # Network connectivity controls
> >  #
> >
> >  # Flag listening for secure TLS connections on the public TCP/IP port.
> > -# NB, must pass the --listen flag to the libvirtd process for this to
> > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> >  # have any effect.
> >  #
> >  # This setting is not required or honoured if using systemd socket
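Review bot: the first context line of this hunk, "# Master libvirt daemon configuration file", stays hard-coded while the "libvirtd" references beneath it are switched to @DAEMON_NAME@, so every driver daemon generated from this template will ship a config whose header still claims to be the master daemon's. Suggest making the header follow the substitution as well, e.g. "# @DAEMON_NAME@ configuration file", so the rename is complete in the same patch.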
> > @@ -20,7 +21,7 @@
> >  #listen_tls = 0
> >
> >  # Listen for unencrypted TCP connections on the public TCP/IP port.
> > -# NB, must pass the --listen flag to the libvirtd process for this to
> > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> >  # have any effect.
> >  #
> >  # This setting is not required or honoured if using systemd socket
> > @@ -58,13 +59,14 @@
> >  # This setting is not required or honoured if using systemd socket
> >  # activation.
> >  #
> > -# If the libvirtd service is started in parallel with network
> > +# If the @DAEMON_NAME@ service is started in parallel with network
> >  # startup (e.g. with systemd), binding to addresses other than
> >  # the wildcards (0.0.0.0/::) might not be available yet.
> >  #
> >  #listen_addr = "192.168.0.1"
> >
> >
> > + at END@
> >  #################################################################
> >  #
> >  # UNIX socket access controls
> > @@ -157,6 +159,7 @@
> >  # If the unix_sock_rw_perms are changed you may wish to enable
> >  # an authentication mechanism here
> >  #auth_unix_rw = "none"
> > + at CUT_ENABLE_IP@
> >
> >  # Change the authentication scheme for TCP sockets.
> >  #
> > @@ -174,6 +177,7 @@
> >  # It is possible to make use of any SASL authentication
> >  # mechanism as well, by using 'sasl' for this option
> >  #auth_tls = "none"
> > + at END@
> >
> >
> >  # Change the API access control scheme
> > @@ -182,10 +186,11 @@
> >  # to all APIs. Access drivers can place restrictions
> >  # on this. By default the 'nop' driver is enabled,
> >  # meaning no access control checks are done once a
> > -# client has authenticated with libvirtd
> > +# client has authenticated with @DAEMON_NAME@
> >  #
> >  #access_drivers = [ "polkit" ]
> >
> > + at CUT_ENABLE_IP@
> >  #################################################################
> >  #
> >  # TLS x509 certificate configuration
> > @@ -225,15 +230,17 @@
> >
> >
> >
> > + at END@
> >  #################################################################
> >  #
> >  # Authorization controls
> >  #
> >
> >
> > + at CUT_ENABLE_IP@
> >  # Flag to disable verification of our own server certificates
> >  #
> > -# When libvirtd starts it performs some sanity checks against
> > +# When @DAEMON_NAME@ starts it performs some sanity checks against
> >  # its own certificates.
> >  #
> >  # Default is to always run sanity checks. Uncommenting this
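Review bot: the @END@ / @CUT_ENABLE_IP@ pair wrapped around the "Authorization controls" banner keeps only the banner and its blank lines for IP-less daemons, and the reason the banner has to survive (sasl_allowed_username_list, which is not IP-specific) is only visible two hunks further down. Moving sasl_allowed_username_list directly under the banner, ahead of tls_no_verify_certificate and the other tls_* options, would make that intent obvious in the .in file and let this region and the one that follows collapse into a single marker pair instead of closing and reopening immediately around the banner.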
> > @@ -265,6 +272,15 @@
> >  #tls_allowed_dn_list = ["DN1", "DN2"]
> >
> >
> > +# Override the compile time default TLS priority string. The
> > +# default is usually "NORMAL" unless overridden at build time.
> > +# Only set this is it is desired for libvirt to deviate from
> > +# the global default settings.
> > +#
> > +#tls_priority="NORMAL"
> > +
> > +
> > + at END@
> >  # A whitelist of allowed SASL usernames. The format for username
> >  # depends on the SASL authentication mechanism. Kerberos usernames
> >  # look like username at REALM
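Review bot: the tls_priority block is moved here verbatim, including the pre-existing typo in "Only set this is it is desired for libvirt to deviate" (read "if it is desired"); since these lines are being rewritten in this patch anyway, fix it in the moved copy rather than carrying it into the new file. Placing the option above sasl_allowed_username_list is also what reorders the generated augeas expectations in test_libvirtd.aug.in later in this patch, which is worth a sentence in the commit message so the test churn does not look unrelated.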
> > @@ -282,14 +298,6 @@
> >  #sasl_allowed_username_list = ["joe at EXAMPLE.COM", "fred at EXAMPLE.COM" ]
> >
> >
> > -# Override the compile time default TLS priority string. The
> > -# default is usually "NORMAL" unless overridden at build time.
> > -# Only set this is it is desired for libvirt to deviate from
> > -# the global default settings.
> > -#
> > -#tls_priority="NORMAL"
> > -
> > -
> >  #################################################################
> >  #
> >  # Processing controls
> > @@ -417,8 +425,8 @@
> >  #    4: ERROR
> >  #
> >  # Multiple outputs can be defined, they just need to be separated by spaces.
> > -# e.g. to log all warnings and errors to syslog under the libvirtd ident:
> > -#log_outputs="3:syslog:libvirtd"
> > +# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident:
> > +#log_outputs="3:syslog:@DAEMON_NAME@"
> >
> >
> >  ##################################################################
> > @@ -461,7 +469,7 @@
> >
> >  ###################################################################
> >  # Keepalive protocol:
> > -# This allows libvirtd to detect broken client connections or even
> > +# This allows @DAEMON_NAME@ to detect broken client connections or even
> >  # dead clients.  A keepalive message is sent to a client after
> >  # keepalive_interval seconds of inactivity to check if the client is
> >  # still responding; keepalive_count is a maximum number of keepalive
> > @@ -470,7 +478,7 @@
> >  # words, the connection is automatically closed approximately after
> >  # keepalive_interval * (keepalive_count + 1) seconds since the last
> >  # message received from the client.  If keepalive_interval is set to
> > -# -1, libvirtd will never send keepalive requests; however clients
> > +# -1, @DAEMON_NAME@ will never send keepalive requests; however clients
> >  # can still send them and the daemon will send responses.  When
> >  # keepalive_count is set to 0, connections will be automatically
> >  # closed after keepalive_interval seconds of inactivity without
> > diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
> > index 6c51b7b9e7..d768b30b55 100644
> > --- a/src/remote/test_libvirtd.aug.in
> > +++ b/src/remote/test_libvirtd.aug.in
> > @@ -29,11 +29,11 @@ module Test_libvirtd =
> >               { "1" = "DN1"}
> >               { "2" = "DN2"}
> >          }
> > +        { "tls_priority" = "NORMAL" }
> 
> I'm curious about this change? Is that because you changed the order
> in the source code? Does that depend on ENABLE_IP?

Yes, because I moved the config parameter in libvirtd.conf, this
influences the order seen in the augeas unit test here, as its
input is auto-generated from the libvirtd.conf

> 
> >          { "sasl_allowed_username_list"
> >               { "1" = "joe at EXAMPLE.COM" }
> >               { "2" = "fred at EXAMPLE.COM" }
> >          }
> > -        { "tls_priority" = "NORMAL" }
> >          { "max_clients" = "5000" }
> >          { "max_queued_clients" = "1000" }
> >          { "max_anonymous_clients" = "20" }
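Review bot: this fixture still expects tls_allowed_dn_list and tls_priority unconditionally, whereas the libvirtd.conf.in hunks place both inside @CUT_ENABLE_IP@ regions. The generator that turns the config into the augeas test input is not part of this patch, so either the same cut is applied to the fixture for IP-less daemons, in which case the expectation block here needs to become conditional too, or the test is only ever run against the IP-enabled libvirtd; the commit message should say which, because a test that looks for tls_priority in a daemon whose config no longer contains it will fail.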
> > --

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
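The conditional-region mechanism the commit message describes (regions bracketed by @CUT_ENABLE_IP@ ... @END@ are dropped for daemons without IP listeners, and @DAEMON_NAME@ is substituted) is implemented by make rules that are not part of this patch. The following is an added stand-in written for this page, not libvirt's build code: it renders a constructed template excerpt both ways, lists the config keys that survive in file order (which is also why the augeas fixture ordering changes once tls_priority moves above sasl_allowed_username_list), rejects unbalanced markers, and checks that no IP-only option leaks into an IP-less daemon's config. The daemon name virtdriverd, the template text and the IP_ONLY_KEYS set are all assumptions made for the example.

```python
import re

# Constructed excerpt in the style of libvirtd.conf.in; not the real file.
TEMPLATE = """\
# Master libvirt daemon configuration file
#
@CUT_ENABLE_IP@
# NB, must pass the --listen flag to the @DAEMON_NAME@ process
#listen_tls = 0
#listen_tcp = 1
#listen_addr = "192.168.0.1"
@END@
#unix_sock_group = "libvirt"
#auth_unix_rw = "none"
@CUT_ENABLE_IP@
#auth_tcp = "sasl"
#auth_tls = "none"
@END@
#access_drivers = [ "polkit" ]
@CUT_ENABLE_IP@
#tls_allowed_dn_list = ["DN1", "DN2"]
#tls_priority="NORMAL"
@END@
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
#log_outputs="3:syslog:@DAEMON_NAME@"
"""

CUT_OPEN = "@CUT_ENABLE_IP@"
CUT_CLOSE = "@END@"


def render(template: str, daemon_name: str, enable_ip: bool) -> str:
    """Stand-in for the make rule (assumed behaviour, not libvirt's code):
    drop cut regions unless enable_ip, strip the markers themselves, and
    substitute @DAEMON_NAME@ everywhere. Unbalanced markers raise
    ValueError so a broken template cannot silently leave IP options
    in an IP-less daemon's config."""
    out = []
    in_cut = False
    for lineno, line in enumerate(template.splitlines(), 1):
        marker = line.strip()
        if marker == CUT_OPEN:
            if in_cut:
                raise ValueError(f"line {lineno}: nested {CUT_OPEN}")
            in_cut = True
            continue
        if marker == CUT_CLOSE:
            if not in_cut:
                raise ValueError(f"line {lineno}: {CUT_CLOSE} without {CUT_OPEN}")
            in_cut = False
            continue
        if in_cut and not enable_ip:
            continue
        out.append(line.replace("@DAEMON_NAME@", daemon_name))
    if in_cut:
        raise ValueError(f"unterminated {CUT_OPEN} region")
    return "\n".join(out) + "\n"


# A config parameter line, commented out or not: optional '#', name, '='.
_KEY_RE = re.compile(r"^#?\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")


def config_keys(rendered: str) -> list:
    """Parameter names in file order; this is the order a test fixture
    generated from the rendered file would see."""
    keys = []
    for line in rendered.splitlines():
        m = _KEY_RE.match(line)
        if m:
            keys.append(m.group(1))
    return keys


# Options that only make sense with a TCP/TLS listener (assumed list).
IP_ONLY_KEYS = {"listen_tls", "listen_tcp", "listen_addr",
                "auth_tcp", "auth_tls", "tls_allowed_dn_list", "tls_priority"}


def leaked_ip_keys(template: str, daemon_name: str) -> set:
    """IP-only keys that survive an IP-less render: a cheap check that
    the cut markers cover every IP-related option in the template."""
    return IP_ONLY_KEYS & set(config_keys(render(template, daemon_name, False)))


if __name__ == "__main__":
    for flag in (True, False):
        print(f"enable_ip={flag}:",
              config_keys(render(TEMPLATE, "virtdriverd", flag)))
    print("leaked IP-only keys:", leaked_ip_keys(TEMPLATE, "virtdriverd"))
```

Running it prints the surviving keys for both builds; the IP-enabled list has tls_priority immediately before sasl_allowed_username_list, matching the reordered augeas expectation in the thread, and the leak check returns an empty set only if every listen_*, auth_tcp/auth_tls and tls_* line sits inside a marker pair.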
