Add a "tls_priority" config option to /etc/libvirt/libvirtd.conf
to allow the administrator to override the built-in default
setting. This only affects the server side configuration.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
daemon/libvirtd-config.c | 2 ++
daemon/libvirtd-config.h | 1 +
daemon/libvirtd.aug | 1 +
daemon/libvirtd.c | 4 ++--
daemon/libvirtd.conf | 9 ++++++++-
daemon/test_libvirtd.aug.in | 1 +
6 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 45280e9..940bd4b 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -367,6 +367,7 @@ daemonConfigFree(struct daemonConfig *data)
tmp++;
}
VIR_FREE(data->sasl_allowed_username_list);
+ VIR_FREE(data->tls_priority);
VIR_FREE(data->key_file);
VIR_FREE(data->ca_file);
@@ -442,6 +443,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
&data->sasl_allowed_username_list, filename)
< 0)
goto error;
+ GET_CONF_STR(conf, filename, tls_priority);
GET_CONF_UINT(conf, filename, min_workers);
GET_CONF_UINT(conf, filename, max_workers);
diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index 672e9ad..b9098a8 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -56,6 +56,7 @@ struct daemonConfig {
int tls_no_sanity_certificate;
char **tls_allowed_dn_list;
char **sasl_allowed_username_list;
+ char *tls_priority;
char *key_file;
char *cert_file;
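Review bot: The new `tls_priority` member is the only string field in this struct whose meaning and ownership are not obvious from its name, and it carries no comment, while the libvirtd.conf text in this same patch is the only place that says it is a TLS priority string with a NULL-means-default semantic. I would add `char *tls_priority; /* TLS priority string for the listen socket; NULL = compile-time default; freed in daemonConfigFree */` so a reader of the header does not have to cross-reference the conf file. The enclosing `struct daemonConfig` begins before this hunk.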
diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 7a81723..2b8df66 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -53,6 +53,7 @@ module Libvirtd =
| str_array_entry "tls_allowed_dn_list"
| str_array_entry "sasl_allowed_username_list"
| str_array_entry "access_drivers"
+ | str_entry "tls_priority"
let processing_entry = int_entry "min_workers"
| int_entry "max_workers"
diff --git a/daemon/libvirtd.c b/daemon/libvirtd.c
index b844af4..a1e2015 100644
--- a/daemon/libvirtd.c
+++ b/daemon/libvirtd.c
@@ -585,7 +585,7 @@ daemonSetupNetworking(virNetServerPtr srv,
config->cert_file,
config->key_file,
(const char
*const*)config->tls_allowed_dn_list,
- NULL,
+ config->tls_priority,
config->tls_no_sanity_certificate ? false : true,
config->tls_no_verify_certificate ? false : true)))
goto cleanup;
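Review bot: Passing `config->tls_priority` in place of the former `NULL` silently replaces the daemon's default TLS policy (and whatever system-wide policy the build may default to, which cannot be seen here) with an administrator-supplied string, yet nothing records that an override is in effect, so an operator investigating a handshake failure or an audit of the cipher set has no trace of it in the daemon log. A one-line debug/info message when `config->tls_priority` is non-NULL, emitted just before this `virNetTLSContextNewServer` call (and the identical `virNetTLSContextNewServerPath` call in the next hunk), would make the active policy visible. When the option is unset the value is still NULL, so the callee's default path is unchanged, which matches the commit message. daemonSetupNetworking starts before this hunk and continues past it.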
@@ -593,7 +593,7 @@ daemonSetupNetworking(virNetServerPtr srv,
if (!(ctxt = virNetTLSContextNewServerPath(NULL,
!privileged,
(const char
*const*)config->tls_allowed_dn_list,
- NULL,
+ config->tls_priority,
config->tls_no_sanity_certificate ? false : true,
config->tls_no_verify_certificate ? false : true)))
goto cleanup;
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 1c1fa7f..3b957e5 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -242,7 +242,7 @@
#tls_allowed_dn_list = ["DN1", "DN2"]
-# A whitelist of allowed SASL usernames. The format for usernames
+# A whitelist of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
#
@@ -259,6 +259,13 @@
#sasl_allowed_username_list = ["joe(a)EXAMPLE.COM", "fred(a)EXAMPLE.COM"
]
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
#################################################################
#
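Review bot: The added comment has a typo that changes its sense: `# Only set this is it is desired for libvirt to deviate from` should read `# Only set this if it is desired for libvirt to deviate from`. The text also does not warn that this string is the server's whole TLS policy for every client connection, so I would add a sentence after it: `# A permissive string (for example one that re-enables old protocol versions or ciphers) weakens every TLS client connection to this daemon; an invalid string will presumably be reported only when TLS listening is enabled.` The example value `#tls_priority="NORMAL"` matches the stated default, which is fine as a template, but the comment could say explicitly that leaving the option unset is the secure choice.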
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 7a03603..1fb182c 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -35,6 +35,7 @@ module Test_libvirtd =
{ "1" = "joe(a)EXAMPLE.COM" }
{ "2" = "fred(a)EXAMPLE.COM" }
}
+ { "tls_priority" = "NORMAL" }
{ "max_clients" = "5000" }
{ "max_queued_clients" = "1000" }
{ "max_anonymous_clients" = "20" }
--
2.5.5