On Tue, Jul 30, 2019 at 12:48:03PM +0200, Christophe de Dinechin wrote:
> Daniel P. Berrangé writes:
> Prepare for reusing libvirtd config to create other daemons by making
> the config parameters for IP sockets conditionally defined by the make
> rules.
>
> The main libvirtd daemon will retain IP listen ability, but all the
> driver specific daemons will be local UNIX sockets only. Apps needing
> IP connectivity will connect via the libvirtd daemon which will proxy
> to the driver specific daemon.
>
> Reviewed-by: Andrea Bolognani <abologna(a)redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
> diff --git a/src/remote/libvirtd.conf
b/src/remote/libvirtd.conf.in
> similarity index 95%
> rename from src/remote/libvirtd.conf
> rename to src/remote/libvirtd.conf.in
> index b63b8d61b7..e351a8c190 100644
> --- a/src/remote/libvirtd.conf
> +++ b/src/remote/libvirtd.conf.in
> @@ -1,13 +1,14 @@
> # Master libvirt daemon configuration file
> #
>
> +@CUT_ENABLE_IP@
> #################################################################
> #
> # Network connectivity controls
> #
>
> # Flag listening for secure TLS connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> # have any effect.
> #
> # This setting is not required or honoured if using systemd socket
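Review bot: the `@CUT_ENABLE_IP@` opener placed above the "Network connectivity controls" banner has no matching `@END@` in this hunk; it is closed in the `@@ -58,13 +59,14 @@` hunk after `#listen_addr`, so the whole listen section (listen_tls, the plain TCP listener and listen_addr) disappears from the UNIX-only daemons, which is the right outcome for attack surface. Nothing in libvirtd.conf.in explains the marker syntax, though, so a one-line comment at the first marker, or a pointer in the commit message to the make rule that expands the cut/end pairs, would help the next person editing this file.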
> @@ -20,7 +21,7 @@
> #listen_tls = 0
>
> # Listen for unencrypted TCP connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> # have any effect.
> #
> # This setting is not required or honoured if using systemd socket
> @@ -58,13 +59,14 @@
> # This setting is not required or honoured if using systemd socket
> # activation.
> #
> -# If the libvirtd service is started in parallel with network
> +# If the @DAEMON_NAME@ service is started in parallel with network
> # startup (e.g. with systemd), binding to addresses other than
> # the wildcards (0.0.0.0/::) might not be available yet.
> #
> #listen_addr = "192.168.0.1"
>
>
> +@END@
> #################################################################
> #
> # UNIX socket access controls
> @@ -157,6 +159,7 @@
> # If the unix_sock_rw_perms are changed you may wish to enable
> # an authentication mechanism here
> #auth_unix_rw = "none"
> +@CUT_ENABLE_IP@
>
> # Change the authentication scheme for TCP sockets.
> #
> @@ -174,6 +177,7 @@
> # It is possible to make use of any SASL authentication
> # mechanism as well, by using 'sasl' for this option
> #auth_tls = "none"
> +@END@
>
>
> # Change the API access control scheme
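Review bot: the region opened after `#auth_unix_rw = "none"` in the previous hunk closes at `@END@` here, so the TCP and TLS authentication settings (`#auth_tls` among them) are dropped for the UNIX-only daemons while `#access_drivers` in the next hunk stays common to all of them. That looks deliberate, since polkit access control applies to UNIX-socket clients as well, but a sentence in the commit message saying which auth/ACL knobs remain in the driver daemons would make the intent explicit.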
> @@ -182,10 +186,11 @@
> # to all APIs. Access drivers can place restrictions
> # on this. By default the 'nop' driver is enabled,
> # meaning no access control checks are done once a
> -# client has authenticated with libvirtd
> +# client has authenticated with @DAEMON_NAME@
> #
> #access_drivers = [ "polkit" ]
>
> +@CUT_ENABLE_IP@
> #################################################################
> #
> # TLS x509 certificate configuration
> @@ -225,15 +230,17 @@
>
>
>
> +@END@
> #################################################################
> #
> # Authorization controls
> #
>
>
> +@CUT_ENABLE_IP@
> # Flag to disable verification of our own server certificates
> #
> -# When libvirtd starts it performs some sanity checks against
> +# When @DAEMON_NAME@ starts it performs some sanity checks against
> # its own certificates.
> #
> # Default is to always run sanity checks. Uncommenting this
> @@ -265,6 +272,15 @@
> #tls_allowed_dn_list = ["DN1", "DN2"]
>
>
> +# Override the compile time default TLS priority string. The
> +# default is usually "NORMAL" unless overridden at build time.
> +# Only set this is it is desired for libvirt to deviate from
> +# the global default settings.
> +#
> +#tls_priority="NORMAL"
> +
> +
> +@END@
> # A whitelist of allowed SASL usernames. The format for username
> # depends on the SASL authentication mechanism. Kerberos usernames
> # look like username@REALM
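Review bot: the moved `tls_priority` comment carries over the pre-existing typo "Only set this is it is desired" (should read "if it is desired"); since these lines are rewritten as additions anyway, fixing it here is cheap. Moving the setting inside the `@CUT_ENABLE_IP@` region is the right call, as a TLS priority string has no meaning for a daemon without a TLS listener, but it reorders the keys and therefore the augeas test input, as the change to test_libvirtd.aug.in further down shows.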
> @@ -282,14 +298,6 @@
> #sasl_allowed_username_list = ["joe(a)EXAMPLE.COM",
"fred(a)EXAMPLE.COM" ]
>
>
> -# Override the compile time default TLS priority string. The
> -# default is usually "NORMAL" unless overridden at build time.
> -# Only set this is it is desired for libvirt to deviate from
> -# the global default settings.
> -#
> -#tls_priority="NORMAL"
> -
> -
> #################################################################
> #
> # Processing controls
> @@ -417,8 +425,8 @@
> # 4: ERROR
> #
> # Multiple outputs can be defined, they just need to be separated by spaces.
> -# e.g. to log all warnings and errors to syslog under the libvirtd ident:
> -#log_outputs="3:syslog:libvirtd"
> +# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident:
> +#log_outputs="3:syslog:@DAEMON_NAME@"
>
>
> ##################################################################
> @@ -461,7 +469,7 @@
>
> ###################################################################
> # Keepalive protocol:
> -# This allows libvirtd to detect broken client connections or even
> +# This allows @DAEMON_NAME@ to detect broken client connections or even
> # dead clients. A keepalive message is sent to a client after
> # keepalive_interval seconds of inactivity to check if the client is
> # still responding; keepalive_count is a maximum number of keepalive
> @@ -470,7 +478,7 @@
> # words, the connection is automatically closed approximately after
> # keepalive_interval * (keepalive_count + 1) seconds since the last
> # message received from the client. If keepalive_interval is set to
> -# -1, libvirtd will never send keepalive requests; however clients
> +# -1, @DAEMON_NAME@ will never send keepalive requests; however clients
> # can still send them and the daemon will send responses. When
> # keepalive_count is set to 0, connections will be automatically
> # closed after keepalive_interval seconds of inactivity without
> diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
> index 6c51b7b9e7..d768b30b55 100644
> --- a/src/remote/test_libvirtd.aug.in
> +++ b/src/remote/test_libvirtd.aug.in
> @@ -29,11 +29,11 @@ module Test_libvirtd =
> { "1" = "DN1"}
> { "2" = "DN2"}
> }
> + { "tls_priority" = "NORMAL" }
I'm curious about this change? Is that because you changed the order
in the source code? Does that depend on ENABLE_IP?
Yes, because I moved the config parameter in libvirtd.conf, this
influences the order seen in the augeas unit test here, as its
input is auto-generated from the libvirtd.conf.
> { "sasl_allowed_username_list"
> { "1" = "joe(a)EXAMPLE.COM" }
> { "2" = "fred(a)EXAMPLE.COM" }
> }
> - { "tls_priority" = "NORMAL" }
> { "max_clients" = "5000" }
> { "max_queued_clients" = "1000" }
> { "max_anonymous_clients" = "20" }
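Review bot: this test now expects `tls_priority` unconditionally, yet in libvirtd.conf.in the setting sits inside a `@CUT_ENABLE_IP@` region. If the augeas test is also generated and run for the UNIX-only driver daemons, the entry will be absent from their config and the test will fail; either guard this line with the same markers or state in the commit message that test_libvirtd.aug.in is only generated for the IP-enabled libvirtd.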
> --
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|