11:04 a.m.
Prepare for reusing libvirtd config to create other daemons by making
the config parameters for IP sockets conditionally defined by the make
rules.
The main libvirtd daemon will retain IP listen ability, but all the
driver specific daemons will be local UNIX sockets only. Apps needing
IP connectivity will connect via the libvirtd daemon which will proxy
to the driver specfic daemon.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/remote/Makefile.inc.am | 12 +++++-
.../{libvirtd.conf => libvirtd.conf.in} | 42 +++++++++++--------
src/remote/test_libvirtd.aug.in | 2 +-
3 files changed, 37 insertions(+), 19 deletions(-)
rename src/remote/{libvirtd.conf => libvirtd.conf.in} (95%)
diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
index 25921437e2..4bc71346f2 100644
--- a/src/remote/Makefile.inc.am
+++ b/src/remote/Makefile.inc.am
@@ -71,7 +71,7 @@ EXTRA_DIST += \
$(LIBVIRTD_SOURCES) \
remote/test_libvirtd.aug.in \
remote/libvirtd.aug \
- remote/libvirtd.conf \
+ remote/libvirtd.conf.in \
remote/libvirtd.policy \
remote/libvirtd.rules \
remote/libvirtd.sasl \
@@ -88,6 +88,9 @@ MAINTAINERCLEANFILES += \
$(REMOTE_DRIVER_GENERATED) \
$(LIBVIRTD_GENERATED) \
$(NULL)
+CLEANFILES += \
+ remote/libvirtd.conf \
+ $(NULL)
if WITH_REMOTE
noinst_LTLIBRARIES += libvirt_driver_remote.la
@@ -178,6 +181,13 @@ libvirtd_LDADD += \
$(LIBSOCKET) \
$(NULL)
+remote/libvirtd.conf: remote/libvirtd.conf.in
+ $(AM_V_GEN)sed \
+ -e '/:: CUT ENABLE_IP ::/d' \
+ -e '/:: END ::/d' \
+ -e 's/:: DAEMON_NAME ::/libvirtd/' \
+ < $^ > $@
+
INSTALL_DATA_DIRS += remote
install-data-remote:
diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
similarity index 95%
rename from src/remote/libvirtd.conf
rename to src/remote/libvirtd.conf.in
index bbeb053495..39da576e68 100644
--- a/src/remote/libvirtd.conf
+++ b/src/remote/libvirtd.conf.in
@@ -1,13 +1,14 @@
# Master libvirt daemon configuration file
#
+:: CUT ENABLE_IP ::
#################################################################
#
# Network connectivity controls
#
# Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the :: DAEMON_NAME :: process for this to
# have any effect.
#
# It is necessary to setup a CA and issue server certificates before
@@ -17,7 +18,7 @@
#listen_tls = 0
# Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the :: DAEMON_NAME :: process for this to
# have any effect.
#
# Using the TCP socket requires SASL authentication by default. Only
@@ -43,13 +44,14 @@
# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
-# If the libvirtd service is started in parallel with network
+# If the :: DAEMON_NAME :: service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
#listen_addr = "192.168.0.1"
+:: END ::
#################################################################
#
# UNIX socket access controls
@@ -126,6 +128,7 @@
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
#auth_unix_rw = "none"
+:: CUT ENABLE_IP ::
# Change the authentication scheme for TCP sockets.
#
@@ -143,6 +146,7 @@
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
+:: END ::
# Change the API access control scheme
@@ -151,10 +155,11 @@
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
-# client has authenticated with libvirtd
+# client has authenticated with :: DAEMON_NAME ::
#
#access_drivers = [ "polkit" ]
+:: CUT ENABLE_IP ::
#################################################################
#
# TLS x509 certificate configuration
@@ -194,15 +199,17 @@
+:: END ::
#################################################################
#
# Authorization controls
#
+:: CUT ENABLE_IP ::
# Flag to disable verification of our own server certificates
#
-# When libvirtd starts it performs some sanity checks against
+# When :: DAEMON_NAME :: starts it performs some sanity checks against
# its own certificates.
#
# Default is to always run sanity checks. Uncommenting this
@@ -234,6 +241,15 @@
#tls_allowed_dn_list = ["DN1", "DN2"]
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+:: END ::
# A whitelist of allowed SASL usernames. The format for username
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
@@ -251,14 +267,6 @@
#sasl_allowed_username_list = ["joe(a)EXAMPLE.COM", "fred(a)EXAMPLE.COM"
]
-# Override the compile time default TLS priority string. The
-# default is usually "NORMAL" unless overridden at build time.
-# Only set this is it is desired for libvirt to deviate from
-# the global default settings.
-#
-#tls_priority="NORMAL"
-
-
#################################################################
#
# Processing controls
@@ -386,8 +394,8 @@
# 4: ERROR
#
# Multiple outputs can be defined, they just need to be separated by spaces.
-# e.g. to log all warnings and errors to syslog under the libvirtd ident:
-#log_outputs="3:syslog:libvirtd"
+# e.g. to log all warnings and errors to syslog under the :: DAEMON_NAME :: ident:
+#log_outputs="3:syslog::: DAEMON_NAME ::"
##################################################################
@@ -430,7 +438,7 @@
###################################################################
# Keepalive protocol:
-# This allows libvirtd to detect broken client connections or even
+# This allows :: DAEMON_NAME :: to detect broken client connections or even
# dead clients. A keepalive message is sent to a client after
# keepalive_interval seconds of inactivity to check if the client is
# still responding; keepalive_count is a maximum number of keepalive
@@ -439,7 +447,7 @@
# words, the connection is automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the client. If keepalive_interval is set to
-# -1, libvirtd will never send keepalive requests; however clients
+# -1, :: DAEMON_NAME :: will never send keepalive requests; however clients
# can still send them and the daemon will send responses. When
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
index ad6450a569..a4c7b4afe8 100644
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -29,11 +29,11 @@ module Test_libvirtd =
{ "1" = "DN1"}
{ "2" = "DN2"}
}
+ { "tls_priority" = "NORMAL" }
{ "sasl_allowed_username_list"
{ "1" = "joe(a)EXAMPLE.COM" }
{ "2" = "fred(a)EXAMPLE.COM" }
}
- { "tls_priority" = "NORMAL" }
{ "max_clients" = "5000" }
{ "max_queued_clients" = "1000" }
{ "max_anonymous_clients" = "20" }
--
2.21.0