The anchor name was not fixed when the 'formatstorage' document was converted to rst. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/formatsecret.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/formatsecret.rst b/docs/formatsecret.rst index bb2217041a..03c2836843 100644 --- a/docs/formatsecret.rst +++ b/docs/formatsecret.rst @@ -63,10 +63,10 @@ See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The volume type secret can be supplied either in volume XML during creation of a -`storage volume <formatstorage.html#StorageVol>`__ in order to provide the -passphrase to encrypt the volume or in domain XML `disk -device <formatdomain.html#elementsDisks>`__ in order to provide the passphrase -to decrypt the volume, :since:`since 2.1.0` . An example follows: +`storage volume <formatstorage.html#storage-volume-xml>`__ in order to provide +the passphrase to encrypt the volume or in domain XML +`disk device <formatdomain.html#elementsDisks>`__ in order to provide the +passphrase to decrypt the volume, :since:`since 2.1.0` . An example follows: :: -- 2.35.1

From: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/storage.html.in | 96 ++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/docs/storage.html.in b/docs/storage.html.in index b2cf343933..8fb2cec9bd 100644 --- a/docs/storage.html.in +++ b/docs/storage.html.in @@ -96,7 +96,7 @@ operation can be used to create it. </p> - <h3>Example pool input definition</h3> + <h3>Example directory pool input definition</h3> <pre> <pool type="dir"> <name>virtimages</name> @@ -105,12 +105,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid directory pool format types</h3> <p> The directory pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid directory volume format types</h3> <p> One of the following options: </p> @@ -148,7 +148,7 @@ required. </p> - <h3>Example pool input</h3> + <h3>Example filesystem pool input</h3> <pre> <pool type="fs"> <name>virtimages</name> @@ -160,7 +160,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid filesystem pool format types</h3> <p> The filesystem pool supports the following formats: </p> @@ -207,7 +207,7 @@ </li> </ul> - <h3>Valid volume format types</h3> + <h3>Valid filesystem volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -224,7 +224,7 @@ protocol, which generally tries a mount via NFS first. </p> - <h3>Example pool input</h3> + <h3>Example network filesystem pool input</h3> <pre> <pool type="netfs"> <name>virtimages</name> @@ -238,7 +238,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid network filesystem pool format types</h3> <p> The network filesystem pool supports the following formats: </p> @@ -261,7 +261,7 @@ </li> </ul> - <h3>Valid volume format types</h3> + <h3>Valid network filesystem volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -278,7 +278,7 @@ of storage from the volume group. </p> - <h3>Example pool input</h3> + <h3>Example logical pool input</h3> <pre> <pool type="logical"> <name>HostVG</name> @@ -292,14 +292,14 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid logical pool format types</h3> <p> The logical volume pool supports only the <code>lvm2</code> format, although not supplying a format value will result in automatic selection of the<code>lvm2</code> format. </p> - <h3>Valid volume format types</h3> + <h3>Valid logical volume format types</h3> <p> The logical volume pool does not use the volume format type element. </p> @@ -315,7 +315,7 @@ It will default to using <code>dos</code> as the pool source format. </p> - <h3>Example pool input</h3> + <h3>Example disk pool input</h3> <pre> <pool type="disk"> <name>sda</name> @@ -327,7 +327,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid disk pool format types</h3> <p> The disk volume pool accepts the following pool format types, representing the common partition table types: @@ -374,7 +374,7 @@ in <code>parted</code>. </p> - <h3>Valid volume format types</h3> + <h3>Valid disk volume format types</h3> <p> The disk volume pool accepts the following volume format types, representing the common partition entry types: @@ -423,7 +423,7 @@ on the same host will fail the duplicate source pool checks. </p> - <h3>Example pool input</h3> + <h3>Example iSCSI pool input</h3> <pre> <pool type="iscsi"> <name>virtimages</name> @@ -436,12 +436,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid iSCSI pool format types</h3> <p> The iSCSI volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid iSCSI volume format types</h3> <p> The iSCSI volume pool does not use the volume format type element. </p> @@ -453,7 +453,7 @@ It requires a host, a path which is the target IQN, and an initiator IQN. </p> - <h3>Example pool input</h3> + <h3>Example iSCSI direct pool input</h3> <pre> <pool type="iscsi-direct"> <name>virtimages</name> @@ -466,12 +466,12 @@ </source> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid iSCSI direct pool format types</h3> <p> The iSCSI direct volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid iSCSI direct volume format types</h3> <p> The iSCSI direct volume pool does not use the volume format type element. </p> @@ -486,7 +486,7 @@ <span class="since">Since 0.6.2</span> </p> - <h3>Example pool input</h3> + <h3>Example SCSI pool input</h3> <pre> <pool type="scsi"> <name>virtimages</name> @@ -498,12 +498,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid SCSI pool format types</h3> <p> The SCSI volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid SCSI volume format types</h3> <p> The SCSI volume pool does not use the volume format type element. </p> @@ -522,7 +522,7 @@ <span class="since">Since 0.7.1</span> </p> - <h3>Example pool input</h3> + <h3>Example multipath pool input</h3> <pre> <pool type="mpath"> <name>virtimages</name> @@ -531,12 +531,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid multipath pool format types</h3> <p> The Multipath volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid multipath volume format types</h3> <p> The Multipath volume pool does not use the volume format type element. </p> @@ -562,7 +562,7 @@ <span class="since">Since 0.9.13</span> </p> - <h3>Example pool input</h3> + <h3>Example RBD pool input</h3> <pre> <pool type="rbd"> <name>myrbdpool</name> @@ -577,7 +577,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example RBD volume output</h3> <pre> <volume> <name>myvol</name> @@ -597,19 +597,19 @@ </target> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example RBD disk attachment</h3> <p>RBD images can be attached to QEMU guests when QEMU is built with RBD support. Information about attaching a RBD image to a guest can be found at <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid RBD pool format types</h3> <p> The RBD pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid RBD volume format types</h3> <p> Only raw volumes are supported. </p> @@ -626,7 +626,7 @@ <span class="since">Since 0.9.13</span> </p> - <h3>Example pool input</h3> + <h3>Example Sheepdog pool input</h3> <pre> <pool type="sheepdog"> <name>mysheeppool</name> @@ -636,7 +636,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example Sheepdog volume output</h3> <pre> <volume> <name>myvol</name> @@ -656,19 +656,19 @@ </target> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example Sheepdog disk attachment</h3> <p>Sheepdog images can be attached to QEMU guests. Information about attaching a Sheepdog image to a guest can be found at the <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid Sheepdog pool format types</h3> <p> The Sheepdog pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid Sheepdog volume format types</h3> <p> The Sheepdog pool does not use the volume format type element. </p> @@ -696,7 +696,7 @@ <span class="since">Since 1.2.0</span> </p> - <h3>Example pool input</h3> + <h3>Example Gluster pool input</h3> <p>A gluster volume corresponds to a libvirt storage pool. If a gluster volume could be mounted as <code>mount -t glusterfs localhost:/volname /some/path</code>, then the following example @@ -722,7 +722,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example Gluster volume output</h3> <p>Libvirt storage volumes associated with a gluster pool correspond to the files that can be found when mounting the gluster volume. The <code>name</code> is the path relative to @@ -741,19 +741,19 @@ <allocation unit='bytes'>53687091200</allocation> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example Gluster disk attachment</h3> <p>Files within a gluster volume can be attached to QEMU guests. Information about attaching a Gluster image to a guest can be found at the <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid Gluster pool format types</h3> <p> The Gluster pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid Gluster volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -777,7 +777,7 @@ <p><span class="since">Since 1.2.8</span></p>. - <h3>Example pool input</h3> + <h3>Example ZFS pool input</h3> <pre> <pool type="zfs"> <name>myzfspool</name> @@ -788,12 +788,12 @@ </source> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid ZFS pool format types</h3> <p> The ZFS volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid ZFS volume format types</h3> <p> The ZFS volume pool does not use the volume format type element. </p> @@ -808,7 +808,7 @@ </p> <p>Please refer to the Virtuozzo Storage documentation for details on storage management and usage.</p> - <h3>Example pool input</h3> + <h3>Example vstorage pool input</h3> <p>In order to create storage pool with Virtuozzo Storage backend you have to provide cluster name and be authorized within the cluster.</p> <pre> @@ -822,12 +822,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid vstorage pool format types</h3> <p> The Vstorage volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid vstorage volume format types</h3> <p>The valid volume types are the same as for the directory pool.</p> </body> </html> -- 2.35.1

Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/kbase/tlscerts.rst | 4 +- docs/meson.build | 2 +- docs/remote.html.in | 297 ---------------------------------------- docs/remote.rst | 219 +++++++++++++++++++++++++++++ 4 files changed, 222 insertions(+), 300 deletions(-) delete mode 100644 docs/remote.html.in create mode 100644 docs/remote.rst diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index c6636770e6..962253e853 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -89,7 +89,7 @@ clients. There are two distinct checks involved: - The server should know that only permitted clients are connecting. This can be done based on client's IP address, or on client's IP address and client's certificate. Checking done by the server. May be enabled and disabled in the - `libvirtd.conf file <remote.html#Remote_libvirtd_configuration>`__. + `libvirtd.conf file <remote.html#libvirtd-configuration-file>`__. For full certificate checking you will need to have certificates issued by a recognised `Certificate Authority @@ -99,7 +99,7 @@ CA, you can set up your own CA and tell your server(s) and clients to trust certificates issues by your own CA. Follow the instructions in the next section. Be aware that the `default configuration for -libvirtd <remote.html#Remote_libvirtd_configuration>`__ allows any client to +libvirtd <remote.html#libvirtd-configuration-file>`__ allows any client to connect provided they have a valid certificate issued by the CA for their own IP address. You may want to change this to make it less (or more) permissive, depending on your needs. diff --git a/docs/meson.build b/docs/meson.build index a18def58a4..aa866bec51 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -19,7 +19,6 @@ docs_assets = [ docs_html_in_files = [ 'index', - 'remote', 'uri', ] @@ -97,6 +96,7 @@ docs_rst_files = [ 'platforms', 'programming-languages', 'python', + 'remote', 'securityprocess', 'storage', 'strategy', diff --git a/docs/remote.html.in b/docs/remote.html.in deleted file mode 100644 index 3a5258a0d5..0000000000 --- a/docs/remote.html.in +++ /dev/null @@ -1,297 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1 >Remote support</h1> - <p> -Libvirt allows you to access hypervisors running on remote -machines through authenticated and encrypted connections. -</p> - <ul id="toc"></ul> - - <h2> - <a id="Remote_basic_usage">Basic usage</a> - </h2> - <p> -On the remote machine, <code>libvirtd</code> should be running in general. -See <a href="#Remote_libvirtd_configuration">the section -on configuring libvirtd</a> for more information. -</p> - <p> - Not all hypervisors supported by libvirt require a running - <code>libvirtd</code>. If you want to connect to a VMware ESX/ESXi or - GSX server then <code>libvirtd</code> is not necessary. See the - <a href="drvesx.html">VMware ESX page</a> for details. - </p> - <p> -To tell libvirt that you want to access a remote resource, -you should supply a hostname in the normal <a href="uri.html">URI</a> that is passed -to <code>virConnectOpen</code> (or <code>virsh -c ...</code>). -For example, if you normally use <code>qemu:///system</code> -to access the system-wide QEMU daemon, then to access -the system-wide QEMU daemon on a remote machine called -<code>compute1.libvirt.org</code> you would use -<code>qemu://compute1.libvirt.org/system</code>. -</p> - <p> -The <a href="uri.html#URI_remote">section on remote URIs</a> -describes in more detail these remote URIs. -</p> - <p> -From an API point of view, apart from the change in URI, the -API should behave the same. For example, ordinary calls -are routed over the remote connection transparently, and -values or errors from the remote side are returned to you -as if they happened locally. Some differences you may notice: -</p> - <ul> - <li> Additional errors can be generated, specifically ones -relating to failures in the remote transport itself. </li> - <li> Remote calls are handled synchronously, so they will be -much slower than, say, direct hypervisor calls. </li> - </ul> - <h2> - <a id="Remote_transports">Transports</a> - </h2> - <p> -Remote libvirt supports a range of transports: -</p> - <dl> - <dt><code>tls</code></dt> - <dd><a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS</a> - 1.0 (SSL 3.1) authenticated and encrypted TCP/IP socket, usually - listening on a public port number. To use this you will need to - <a href="kbase/tlscerts.html" title="Generating TLS certificates">generate client and - server certificates</a>. - The standard port is 16514. - </dd> - <dt><code>unix</code></dt> - <dd> Unix domain socket. Since this is only accessible on the - local machine, it is not encrypted, and uses Unix permissions or - SELinux for authentication. - The standard socket names are - <code>/var/run/libvirt/libvirt-sock</code> and - <code>/var/run/libvirt/libvirt-sock-ro</code> (the latter - for read-only connections). - </dd> - <dt><code>ssh</code></dt> - <dd> Transported over an ordinary - <a href="https://www.openssh.com/" title="OpenSSH homepage">ssh - (secure shell)</a> connection. - Requires <a href="http://netcat.sourceforge.net/">Netcat (nc)</a> - installed and libvirtd should be running - on the remote machine. You should use some sort of - ssh key management (eg. - <a href="http://mah.everybody.org/docs/ssh" title="Using ssh-agent with ssh">ssh-agent</a>) - otherwise programs which use - this transport will stop to ask for a password. </dd> - <dt><code>ext</code></dt> - <dd> Any external program which can make a connection to the - remote machine by means outside the scope of libvirt. </dd> - <dt><code>tcp</code></dt> - <dd> Unencrypted TCP/IP socket. Not recommended for production - use, this is normally disabled, but an administrator can enable - it for testing or use over a trusted network. - The standard port is 16509. </dd> - <dt><code>libssh2</code></dt> - <dd> Transport over the SSH protocol using - <a href="https://libssh2.org/" title="libssh2 homepage">libssh2</a> instead -of the OpenSSH binary. This transport uses the libvirt authentication callback for -all ssh authentication calls and therefore supports keyboard-interactive authentication -even with graphical management applications. As with the classic ssh transport -netcat is required on the remote side.</dd> - <dt><code>libssh</code></dt> - <dd> Transport over the SSH protocol using - <a href="https://libssh.org/" title="libssh homepage">libssh</a> instead -of the OpenSSH binary. This transport uses the libvirt authentication callback for -all ssh authentication calls and therefore supports keyboard-interactive authentication -even with graphical management applications. As with the classic ssh transport -netcat is required on the remote side.</dd> - </dl> - <p> - The choice of transport is determined by the <a href="uri.html#URI_remote">URI scheme</a>, - with <code>tls</code> as the default if no explicit transport is requested. - </p> - <h2> - <a id="Remote_libvirtd_configuration">libvirtd configuration file</a> - </h2> - <p> -Libvirtd (the remote daemon) is configured from a file called -<code>/etc/libvirt/libvirtd.conf</code>, or specified on -the command line using <code>-f filename</code> or -<code>--config filename</code>. -</p> - <p> -This file should contain lines of the form below. -Blank lines and comments beginning with <code>#</code> are ignored. -</p> - <pre>setting = value</pre> - <p>The following settings, values and default are:</p> - <table class="top_table"> - <tr> - <th> Line </th> - <th> Default </th> - <th> Meaning </th> - </tr> - <tr> - <td> listen_tls <i>[0|1]</i> </td> - <td> 1 (on) </td> - <td> - Listen for secure TLS connections on the public TCP/IP port. - Note: it is also necessary to start the server in listening mode - by running it with --listen or adding a LIBVIRTD_ARGS="--listen" - line to /etc/sysconfig/libvirtd. -</td> - </tr> - <tr> - <td> listen_tcp <i>[0|1]</i> </td> - <td> 0 (off) </td> - <td> - Listen for unencrypted TCP connections on the public TCP/IP port. - Note: it is also necessary to start the server in listening mode. -</td> - </tr> - <tr> - <td> tls_port <i>"service"</i> </td> - <td> "16514" </td> - <td> - The port number or service name to listen on for secure TLS connections. -</td> - </tr> - <tr> - <td> tcp_port <i>"service"</i> </td> - <td> "16509" </td> - <td> - The port number or service name to listen on for unencrypted TCP connections. -</td> - </tr> - <tr> - <td> unix_sock_group <i>"groupname"</i> </td> - <td> "root" </td> - <td> - The UNIX group to own the UNIX domain socket. If the socket permissions allow - group access, then applications running under matching group can access the - socket. Only valid if running as root -</td> - </tr> - <tr> - <td> unix_sock_ro_perms <i>"octal-perms"</i> </td> - <td> "0777" </td> - <td> - The permissions for the UNIX domain socket for read-only client connections. - The default allows any user to monitor domains. -</td> - </tr> - <tr> - <td> unix_sock_rw_perms <i>"octal-perms"</i> </td> - <td> "0700" </td> - <td> - The permissions for the UNIX domain socket for read-write client connections. - The default allows only root to manage domains. -</td> - </tr> - <tr> - <td> tls_no_verify_certificate <i>[0|1]</i> </td> - <td> 0 (certificates are verified) </td> - <td> - If set to 1 then if a client certificate check fails, it is not an error. -</td> - </tr> - <tr> - <td> tls_no_verify_address <i>[0|1]</i> </td> - <td> 0 (addresses are verified) </td> - <td> - If set to 1 then if a client IP address check fails, it is not an error. -</td> - </tr> - <tr> - <td> key_file <i>"filename"</i> </td> - <td> "/etc/pki/libvirt/ private/serverkey.pem" </td> - <td> - Change the path used to find the server's private key. - If you set this to an empty string, then no private key is loaded. -</td> - </tr> - <tr> - <td> cert_file <i>"filename"</i> </td> - <td> "/etc/pki/libvirt/ servercert.pem" </td> - <td> - Change the path used to find the server's certificate. - If you set this to an empty string, then no certificate is loaded. -</td> - </tr> - <tr> - <td> ca_file <i>"filename"</i> </td> - <td> "/etc/pki/CA/cacert.pem" </td> - <td> - Change the path used to find the trusted CA certificate. - If you set this to an empty string, then no trusted CA certificate is loaded. -</td> - </tr> - <tr> - <td> crl_file <i>"filename"</i> </td> - <td> (no CRL file is used) </td> - <td> - Change the path used to find the CA certificate revocation list (CRL) file. - If you set this to an empty string, then no CRL is loaded. -</td> - </tr> - <tr> - <td> tls_allowed_dn_list ["DN1", "DN2"] </td> - <td> (none - DNs are not checked) </td> - <td> - <p> - Enable an access control list of client certificate Distinguished - Names (DNs) which can connect to the TLS port on this server. - </p> - <p> - The default is that DNs are not checked. - </p> - <p> - This list may contain wildcards such as <code>"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"</code> - Any * matches in the string matches any number of consecutive characters, - like a simplified <code>glob(7)</code>. - </p> - <p> - Note that if this is an empty list, <i>no client can connect</i>. - </p> - <p> - Note also that GnuTLS returns DNs without spaces - after commas between the fields (and this is what we check against), - but the <code>openssl x509</code> tool shows spaces. - </p> - To make it easy to see the order of the fields in the DN a helper executable - <code>virt-pki-query-dn</code> is provided for this particular use case. - <p> -</p> - </td> - </tr> - </table> - <h2> - <a id="Remote_IPv6">IPv6 support</a> - </h2> - <p> -The libvirtd service and libvirt remote client driver both use the -<code>getaddrinfo()</code> functions for name resolution and are -thus fully IPv6 enabled. ie, if a server has IPv6 address configured -the daemon will listen for incoming connections on both IPv4 and IPv6 -protocols. If a client has an IPv6 address configured and the DNS -address resolved for a service is reachable over IPv6, then an IPv6 -connection will be made, otherwise IPv4 will be used. In summary it -should just 'do the right thing(tm)'. -</p> - <h2> - <a id="Remote_limitations">Limitations</a> - </h2> - <ul> - <li> Fine-grained authentication: libvirt in general, -but in particular the remote case should support more -fine-grained authentication for operations, rather than -just read-write/read-only as at present. -</li> - </ul> - <p> -Please come and discuss these issues and more on <a href="https://www.redhat.com/mailman/listinfo/libvir-list" title="libvir-list mailing list">the mailing list</a>. -</p> - </body> -</html> diff --git a/docs/remote.rst b/docs/remote.rst new file mode 100644 index 0000000000..100df95e1f --- /dev/null +++ b/docs/remote.rst @@ -0,0 +1,219 @@ +============== +Remote support +============== + +Libvirt allows you to access hypervisors running on remote machines through +authenticated and encrypted connections. + +.. contents:: + +Basic usage +----------- + +On the remote machine, ``libvirtd`` should be running in general. See +`libvirtd configuration file`_ section on how to configure ``libvirtd``. + +Not all hypervisors supported by libvirt require a running ``libvirtd``. If you +want to connect to a VMware ESX/ESXi or GSX server then ``libvirtd`` is not +necessary. See the `VMware ESX page <drvesx.html>`__ for details. + +To tell libvirt that you want to access a remote resource, you should supply a +hostname in the normal `URI <uri.html>`__ that is passed to ``virConnectOpen`` +(or ``virsh -c ...``). For example, if you normally use ``qemu:///system`` to +access the system-wide QEMU daemon, then to access the system-wide QEMU daemon +on a remote machine called ``compute1.libvirt.org`` you would use +``qemu://compute1.libvirt.org/system``. + +The `section on remote URIs <uri.html#URI_remote>`__ describes in more detail +these remote URIs. + +From an API point of view, apart from the change in URI, the API should behave +the same. For example, ordinary calls are routed over the remote connection +transparently, and values or errors from the remote side are returned to you as +if they happened locally. Some differences you may notice: + +- Additional errors can be generated, specifically ones relating to failures in + the remote transport itself. +- Remote calls are handled synchronously, so they will be much slower than, + say, direct hypervisor calls. + +Transports +---------- + +Remote libvirt supports a range of transports: + +``tls`` + `TLS <https://en.wikipedia.org/wiki/Transport_Layer_Security>`__ 1.0 (SSL + 3.1) authenticated and encrypted TCP/IP socket, usually listening on a public + port number. To use this you will need to `generate client and server + certificates <kbase/tlscerts.html>`__. The standard port is 16514. +``unix`` + Unix domain socket. Since this is only accessible on the local machine, it is + not encrypted, and uses Unix permissions or SELinux for authentication. The + standard socket names are ``/var/run/libvirt/libvirt-sock`` and + ``/var/run/libvirt/libvirt-sock-ro`` (the latter for read-only connections). +``ssh`` + Transported over an ordinary `ssh (secure + shell) <https://www.openssh.com/>`__ connection. Requires `Netcat + (nc) <http://netcat.sourceforge.net/>`__ installed and libvirtd should be + running on the remote machine. You should use some sort of ssh key management + (eg. `ssh-agent <http://mah.everybody.org/docs/ssh>`__) otherwise programs + which use this transport will stop to ask for a password. +``ext`` + Any external program which can make a connection to the remote machine by + means outside the scope of libvirt. +``tcp`` + Unencrypted TCP/IP socket. Not recommended for production use, this is + normally disabled, but an administrator can enable it for testing or use over + a trusted network. The standard port is 16509. +``libssh2`` + Transport over the SSH protocol using `libssh2 <https://libssh2.org/>`__ + instead of the OpenSSH binary. This transport uses the libvirt authentication + callback for all ssh authentication calls and therefore supports + keyboard-interactive authentication even with graphical management + applications. As with the classic ssh transport netcat is required on the + remote side. +``libssh`` + Transport over the SSH protocol using `libssh <https://libssh.org/>`__ + instead of the OpenSSH binary. This transport uses the libvirt authentication + callback for all ssh authentication calls and therefore supports + keyboard-interactive authentication even with graphical management + applications. As with the classic ssh transport netcat is required on the + remote side. + +The choice of transport is determined by the `URI +scheme <uri.html#URI_remote>`__, with ``tls`` as the default if no explicit +transport is requested. + +libvirtd configuration file +--------------------------- + +Libvirtd (the remote daemon) is configured from a file called +``/etc/libvirt/libvirtd.conf``, or specified on the command line using +``-f filename`` or ``--config filename``. + +This file should contain lines of the form below. Blank lines and comments +beginning with ``#`` are ignored. + +:: + + setting = value + +The following settings, values and default are: + +.. list-table:: + :header-rows: 1 + + * - Line + - Default + - Meaning + + * - listen_tls *[0|1]* + - 1 (on) + - Listen for secure TLS connections on the public TCP/IP port. + Note: it is also necessary to start the server in listening mode + by running it with --listen or adding a LIBVIRTD_ARGS="--listen" line to + /etc/sysconfig/libvirtd. + + * - listen_tcp *[0|1]* + - 0 (off) + - Listen for unencrypted TCP connections on the public TCP/IP port. Note: + it is also necessary to start the server in listening mode. + + * - tls_port *"service"* + - "16514" + - The port number or service name to listen on for secure TLS connections. + + * - tcp_port *"service"* + - "16509" + - The port number or service name to listen on for unencrypted TCP + connections. + + * - unix_sock_group *"groupname"* + - "root" + - The UNIX group to own the UNIX domain socket. If the socket permissions + allow group access, then applications running under matching group can + access the socket. Only valid if running as root + + * - unix_sock_ro_perms *"octal-perms"* + - "0777" + - The permissions for the UNIX domain socket for read-only client + connections. The default allows any user to monitor domains. + + * - unix_sock_rw_perms *"octal-perms"* + - "0700" + - The permissions for the UNIX domain socket for read-write client + connections. The default allows only root to manage domains. + + * - tls_no_verify_certificate *[0|1]* + - 0 (certificates are verified) + - If set to 1 then if a client certificate check fails, it is not an + error. + + * - tls_no_verify_address *[0|1]* + - 0 (addresses are verified) + - If set to 1 then if a client IP address check fails, it is not an + error. + + * - key_file *"filename"* + - "/etc/pki/libvirt/private/serverkey.pem" + - Change the path used to find the server's private key. If you set this + to an empty string, then no private key is loaded. + + * - cert_file *"filename"* + - "/etc/pki/libvirt/servercert.pem" + - Change the path used to find the server's certificate. If you set this + to an empty string, then no certificate is loaded. + + * - ca_file *"filename"* + - "/etc/pki/CA/cacert.pem" + - Change the path used to find the trusted CA certificate. If you set this + to an empty string, then no trusted CA certificate is loaded. + + * - crl_file *"filename"* + - (no CRL file is used) + - Change the path used to find the CA certificate revocation list (CRL) + file. If you set this to an empty string, then no CRL is loaded. + + * - tls_allowed_dn_list ["DN1", "DN2"] + - (none - DNs are not checked) + - Enable an access control list of client certificate Distinguished Names + (DNs) which can connect to the TLS port on this server. + + The default is that DNs are not checked. + + This list may contain wildcards such as + ``"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"`` + Any * matches in the string matches any number of consecutive characters, + like a simplified ``glob(7)``. + + Note that if this is an empty list, *no client can connect*. + + Note also that GnuTLS returns DNs without spaces after commas between + the fields (and this is what we check against), but the ``openssl x509`` + tool shows spaces. + + To make it easy to see the order of the fields in the DN a helper + executable ``virt-pki-query-dn`` is provided for this particular use + case. + +IPv6 support +------------ + +The libvirtd service and libvirt remote client driver both use the +``getaddrinfo()`` functions for name resolution and are thus fully IPv6 enabled. +ie, if a server has IPv6 address configured the daemon will listen for incoming +connections on both IPv4 and IPv6 protocols. If a client has an IPv6 address +configured and the DNS address resolved for a service is reachable over IPv6, +then an IPv6 connection will be made, otherwise IPv4 will be used. In summary it +should just 'do the right thing(tm)'. + +Limitations +----------- + +- Fine-grained authentication: libvirt in general, but in particular the remote + case should support more fine-grained authentication for operations, rather + than just read-write/read-only as at present. + +Please come and discuss these issues and more on `the mailing +list <https://www.redhat.com/mailman/listinfo/libvir-list>`__. -- 2.35.1

Adjust links in the process. Note that the conversion to the table is temporary and upcoming patch will modify it for better readability. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/meson.build | 2 +- docs/uri.html.in | 507 ----------------------------------------------- docs/uri.rst | 447 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 448 insertions(+), 508 deletions(-) delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst diff --git a/docs/meson.build b/docs/meson.build index aa866bec51..d71f6006dd 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -19,7 +19,6 @@ docs_assets = [ docs_html_in_files = [ 'index', - 'uri', ] docs_rst_files = [ @@ -106,6 +105,7 @@ docs_rst_files = [ 'testapi', 'testsuites', 'testtck', + 'uri', 'windows', ] diff --git a/docs/uri.html.in b/docs/uri.html.in deleted file mode 100644 index 61917e77b4..0000000000 --- a/docs/uri.html.in +++ /dev/null @@ -1,507 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1 >Connection URIs</h1> - - <ul id="toc"></ul> - <p> -Since libvirt supports many different kinds of virtualization -(often referred to as "drivers" or "hypervisors"), we need a -way to be able to specify which driver a connection refers to. -Additionally we may want to refer to a driver on a remote -machine over the network. -</p> - <p> -To this end, libvirt uses URIs as used on the Web and as defined in <a href="https://www.ietf.org/rfc/rfc2396.txt">RFC 2396</a>. This page -documents libvirt URIs. -</p> - <h2><a id="URI_libvirt">Specifying URIs to libvirt</a></h2> - - <p> - The URI is passed as the <code>name</code> parameter to - <a href="html/libvirt-libvirt-host.html#virConnectOpen"> - <code>virConnectOpen</code> - </a> - or - <a href="html/libvirt-libvirt-host.html#virConnectOpenReadOnly"> - <code>virConnectOpenReadOnly</code> - </a>. - For example: -</p> - <pre> -virConnectPtr conn = virConnectOpenReadOnly (<b>"test:///default"</b>); -</pre> - <h2> - <a id="URI_config">Configuring URI aliases</a> - </h2> - - <p> -To simplify life for administrators, it is possible to setup URI aliases in a -libvirt client configuration file. The configuration file is <code>/etc/libvirt/libvirt.conf</code> -for the root user, or <code>$XDG_CONFIG_HOME/libvirt/libvirt.conf</code> for any unprivileged user. -In this file, the following syntax can be used to setup aliases - </p> - -<pre> -uri_aliases = [ - "hail=qemu+ssh://root@hail.cloud.example.com/system", - "sleet=qemu+ssh://root@sleet.cloud.example.com/system", -] -</pre> - -<p> - A URI alias should be a string made up from the characters - <code>a-Z, 0-9, _, -</code>. Following the <code>=</code> - can be any libvirt URI string, including arbitrary URI parameters. - URI aliases will apply to any application opening a libvirt - connection, unless it has explicitly passed the <code>VIR_CONNECT_NO_ALIASES</code> - parameter to <code>virConnectOpenAuth</code>. If the passed in - URI contains characters outside the allowed alias character - set, no alias lookup will be attempted. -</p> - - <h2><a id="URI_default">Default URI choice</a></h2> - - <p> -If the URI passed to <code>virConnectOpen*</code> is NULL, then libvirt will use the following -logic to determine what URI to use. -</p> - - <ol> - <li>The environment variable <code>LIBVIRT_DEFAULT_URI</code></li> - <li>The client configuration file <code>uri_default</code> parameter</li> - <li>Probe each hypervisor in turn until one that works is found</li> - </ol> - - <h2> - <a id="URI_virsh">Specifying URIs to virsh, virt-manager and virt-install</a> - </h2> - <p> -In virsh use the <code>-c</code> or <code>--connect</code> option: -</p> - <pre> -virsh <b>-c test:///default</b> list -</pre> - <p> -If virsh finds the environment variable -<code>VIRSH_DEFAULT_CONNECT_URI</code> set, it will try this URI by -default. Use of this environment variable is, however, deprecated -now that libvirt supports <code>LIBVIRT_DEFAULT_URI</code> itself. -</p> - <p> -When using the interactive virsh shell, you can also use the -<code>connect</code> <i>URI</i> command to reconnect to another -hypervisor. -</p> - <p> -In virt-manager use the <code>-c</code> or <code>--connect=</code><i>URI</i> option: -</p> - <pre> -virt-manager <b>-c test:///default</b> -</pre> - <p> -In virt-install use the <code>--connect=</code><i>URI</i> option: -</p> - <pre> -virt-install <b>--connect=test:///default</b> <i>[other options]</i> -</pre> - <h2> - <a id="URI_xen">xen:///system URI</a> - </h2> - <p> - <i>This section describes a feature which is new in libvirt > -0.2.3. For libvirt ≤ 0.2.3 use <a href="#URI_legacy_xen"><code>"xen"</code></a>.</i> - </p> - <p> -To access a Xen hypervisor running on the local machine -use the URI <code>xen:///system</code>. -</p> - <h2> - <a id="URI_qemu">qemu:///... QEMU and KVM URIs</a> - </h2> - <p> -To use QEMU support in libvirt you must be running the -<code>libvirtd</code> daemon (named <code>libvirt_qemud</code> -in releases prior to 0.3.0). The purpose of this -daemon is to manage qemu instances. -</p> - <p> -The <code>libvirtd</code> daemon should be started by the -init scripts when the machine boots. It should appear as -a process <code>libvirtd --daemon</code> running as root -in the background and will handle qemu instances on behalf -of all users of the machine (among other things). </p> - <p> -So to connect to the daemon, one of two different URIs is used: -</p> - <ul> - <li><code>qemu:///system</code> connects to a system mode daemon. </li> - <li><code>qemu:///session</code> connects to a session mode daemon. </li> - </ul> - <p> -(If you do <code>libvirtd --help</code>, the daemon will print -out the paths of the Unix domain socket(s) that it listens on in -the various different modes). -</p> - <p> -KVM URIs are identical. You select between qemu, qemu accelerated and -KVM guests in the <a href="format.html#KVM1">guest XML as described -here</a>. -</p> - <h2> - <a id="URI_remote">Remote URIs</a> - </h2> - <p> -Remote URIs have the general form ("[...]" meaning an optional part): -</p> - <p><code>driver</code>[<code>+transport</code>]<code>://</code>[<code>username@</code>][<code>hostname</code>][<code>:port</code>]<code>/</code>[<code>path</code>][<code>?extraparameters</code>] -</p> - <p> -Either the transport or the hostname must be given in order -to distinguish this from a local URI. -</p> - <p> -Some examples: -</p> - <ul> - <li><code>xen+ssh://rjones@towada/system</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using ssh transport and ssh -username <code>rjones</code>. -</li> - <li><code>xen://towada/system</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. -</li> - <li><code>xen://towada/system?no_verify=1</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. Do not verify -the server's certificate. -</li> - <li><code>qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock</code><br/> — -Connect to the local qemu instances over a non-standard -Unix socket (the full path to the Unix socket is -supplied explicitly in this case). -</li> - <li><code>test+tcp://localhost:5000/default</code><br/> — -Connect to a libvirtd daemon offering unencrypted TCP/IP connections -on localhost port 5000 and use the test driver with default -settings. -</li> -<li><code>qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> — -Connect to a remote host using a ssh connection with the libssh2 driver -and use a different known_hosts file.</li> -<li><code>qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> — -Connect to a remote host using a ssh connection with the libssh driver -and use a different known_hosts file.</li> - </ul> - <h3> - <a id="Remote_URI_parameters">Extra parameters</a> - </h3> - <p> -Extra parameters can be added to remote URIs as part -of the query string (the part following <q><code>?</code></q>). -Remote URIs understand the extra parameters shown below. -Any others are passed unmodified through to the back end. -Note that parameter values must be -<a href="http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr">URI-escaped</a>. -</p> - <table class="top_table"> - <tr> - <th> Name </th> - <th> Transports </th> - <th> Meaning </th> - </tr> - <tr> - <td> - <code>name</code> - </td> - <td> - <i>any transport</i> - </td> - <td> - The name passed to the remote virConnectOpen function. The - name is normally formed by removing transport, hostname, port - number, username and extra parameters from the remote URI, but in certain - very complex cases it may be better to supply the name explicitly. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>name=qemu:///system</code> </td> - </tr> - <tr> - <td> - <code>tls_priority</code> - </td> - <td> tls </td> - <td> - A valid GNUTLS priority string -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>tls_priority=NORMAL:-VERS-SSL3.0</code> </td> - </tr> - <tr> - <td> - <code>mode</code> - </td> - <td> unix, ssh, libssh, libssh2 </td> - <td> - <dl> - <dt><code>auto</code></dt><dd>automatically determine the daemon</dd> - <dt><code>direct</code></dt><dd>connect to per-driver daemons</dd> - <dt><code>legacy</code></dt><dd>connect to libvirtd</dd> - </dl> - Can also be set in <code>libvirt.conf</code> as <code>remote_mode</code> - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>mode=direct</code> </td> - </tr> - <tr> - <td> - <code>proxy</code> - </td> - <td>auto, netcat, native </td> - <td> - <dl> - <dt><code>auto</code></dt><dd>try native, fallback to netcat</dd> - <dt><code>netcat</code></dt><dd>only use netcat</dd> - <dt><code>native</code></dt><dd>only use native</dd> - </dl> - Can also be set in <code>libvirt.conf</code> as <code>remote_proxy</code> - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>proxy=native</code> </td> - </tr> - <tr> - <td> - <code>command</code> - </td> - <td> ssh, ext </td> - <td> - The external command. For ext transport this is required. - For ssh the default is <code>ssh</code>. - The PATH is searched for the command. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>command=/opt/openssh/bin/ssh</code> </td> - </tr> - <tr> - <td> - <code>socket</code> - </td> - <td> unix, ssh, libssh2, libssh </td> - <td> - The path to the Unix domain socket, which overrides the - compiled-in default. For ssh transport, this is passed to - the remote netcat command (see next). -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>socket=/opt/libvirt/run/libvirt/libvirt-sock</code> </td> - </tr> - <tr> - <td> - <code>netcat</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the netcat command on the remote machine. - The default is <code>nc</code>. This is not permitted - when using the <code>native</code> proxy mode. For ssh - transport, libvirt constructs an ssh command which looks - like: - -<pre><i>command</i> -p <i>port</i> [-l <i>username</i>] <i>hostname</i> <i>netcat</i> -U <i>socket</i> -</pre> - - where <i>port</i>, <i>username</i>, <i>hostname</i> can be - specified as part of the remote URI, and <i>command</i>, <i>netcat</i> - and <i>socket</i> come from extra parameters (or - sensible defaults). - -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>netcat=/opt/netcat/bin/nc</code> </td> - </tr> - - <tr> - <td> - <code>keyfile</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the private key file to use to authentication to the remote - machine. If this option is not used the default keys are used. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>keyfile=/root/.ssh/example_key</code> </td> - </tr> - - <tr> - <td> - <code>no_verify</code> - </td> - <td> ssh, tls </td> - <td> - SSH: If set to a non-zero value, this disables client's strict host key - checking making it auto-accept new host keys. Existing host keys will - still be validated. - <br/> - <br/> - TLS: If set to a non-zero value, this disables client checks of the - server's certificate. Note that to disable server checks of - the client's certificate or IP address you must - <a href="#Remote_libvirtd_configuration">change the libvirtd - configuration</a>. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_verify=1</code> </td> - </tr> - <tr> - <td> - <code>no_tty</code> - </td> - <td> ssh </td> - <td> - If set to a non-zero value, this stops ssh from asking for - a password if it cannot log in to the remote machine automatically - (eg. using ssh-agent etc.). Use this when you don't have access - to a terminal - for example in graphical programs which use libvirt. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_tty=1</code> </td> - </tr> - <tr> - <td> - <code>pkipath</code> - </td> - <td> tls</td> - <td> - Specifies x509 certificates path for the client. If any of - the CA certificate, client certificate, or client key is - missing, the connection will fail with a fatal error. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>pkipath=/tmp/pki/client</code> </td> - </tr> - <tr> - <td> - <code>known_hosts</code> - </td> - <td> libssh2, libssh </td> - <td> - Path to the known_hosts file to verify the host key against. LibSSH2 and - libssh support OpenSSH-style known_hosts files, although LibSSH2 does not - support all key types, so using files created by the OpenSSH binary may - result into truncating the known_hosts file. Thus, with LibSSH2 it's - recommended to use the default known_hosts file is located in libvirt's - client local configuration directory e.g.: ~/.config/libvirt/known_hosts. - Note: Use absolute paths. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>known_hosts=/root/.ssh/known_hosts</code> </td> - </tr> - <tr> - <td> - <code>known_hosts_verify</code> - </td> - <td> libssh2, libssh </td> - <td> - If set to <code>normal</code> (default), then the user will be - asked to accept new host keys. If set to <code>auto</code>, new - host keys will be auto-accepted, but existing host keys will - still be validated. If set to <code>ignore</code>, this disables - client's strict host key checking. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>known_hosts_verify=ignore</code> </td> - </tr> - <tr> - <td> - <code>sshauth</code> - </td> - <td> libssh2, libssh </td> - <td> - A comma separated list of authentication methods to use. Default (is - "agent,privkey,password,keyboard-interactive". The order of the methods - is preserved. Some methods may require additional parameters. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>sshauth=privkey,agent</code> </td> - </tr> - </table> - <h2> - <a id="URI_test">test:///... Test URIs</a> - </h2> - <p> -The test driver is a dummy hypervisor for test purposes. -The URIs supported are: -</p> - <ul> - <li><code>test:///default</code> connects to a default set of -host definitions built into the driver. </li> - <li><code>test:///path/to/host/definitions</code> connects to -a set of host definitions held in the named file. -</li> - </ul> - <h2> - <a id="URI_legacy">Other & legacy URI formats</a> - </h2> - <h3> - <a id="URI_NULL">NULL and empty string URIs</a> - </h3> - <p> -Libvirt allows you to pass a <code>NULL</code> pointer to -<code>virConnectOpen*</code>. Empty string (<code>""</code>) acts in -the same way. Traditionally this has meant -<q>connect to the local Xen hypervisor</q>. However in future this -may change to mean <q>connect to the best available hypervisor</q>. -</p> - <p> -The theory is that if, for example, Xen is unavailable but the -machine is running an OpenVZ kernel, then we should not try to -connect to the Xen hypervisor since that is obviously the wrong -thing to do. -</p> - <p> -In any case applications linked to libvirt can continue to pass -<code>NULL</code> as a default choice, but should always allow the -user to override the URI, either by constructing one or by allowing -the user to type a URI in directly (if that is appropriate). If your -application wishes to connect specifically to a Xen hypervisor, then -for future proofing it should choose a full <a href="#URI_xen"><code>xen:///system</code> URI</a>. -</p> - <h3> - <a id="URI_legacy_xen">Legacy: <code>"xen"</code></a> - </h3> - <p> -Another legacy URI is to specify name as the string -<code>"xen"</code>. This will continue to refer to the Xen -hypervisor. However you should prefer a full <a href="#URI_xen"><code>xen:///system</code> URI</a> in all future code. -</p> - </body> -</html> diff --git a/docs/uri.rst b/docs/uri.rst new file mode 100644 index 0000000000..949032e0ff --- /dev/null +++ b/docs/uri.rst @@ -0,0 +1,447 @@ +=============== +Connection URIs +=============== + +.. contents:: + +Since libvirt supports many different kinds of virtualization (often referred to +as "drivers" or "hypervisors"), we need a way to be able to specify which driver +a connection refers to. Additionally we may want to refer to a driver on a +remote machine over the network. + +To this end, libvirt uses URIs as used on the Web and as defined in `RFC +2396 <https://www.ietf.org/rfc/rfc2396.txt>`__. This page documents libvirt +URIs. + +Specifying URIs to libvirt +-------------------------- + +The URI is passed as the ``name`` parameter to +`virConnectOpen <html/libvirt-libvirt-host.html#virConnectOpen>`__ or +`virConnectOpenReadOnly <html/libvirt-libvirt-host.html#virConnectOpenReadOnly>`__ +. For example: + +:: + + virConnectPtr conn = virConnectOpenReadOnly ("test:///default"); + +Configuring URI aliases +----------------------- + +To simplify life for administrators, it is possible to setup URI aliases in a +libvirt client configuration file. The configuration file is +``/etc/libvirt/libvirt.conf`` for the root user, or +``$XDG_CONFIG_HOME/libvirt/libvirt.conf`` for any unprivileged user. In this +file, the following syntax can be used to setup aliases + +:: + + uri_aliases = [ + "hail=qemu+ssh://root@hail.cloud.example.com/system", + "sleet=qemu+ssh://root@sleet.cloud.example.com/system", + ] + +A URI alias should be a string made up from the characters ``a-Z, 0-9, _, -``. +Following the ``=`` can be any libvirt URI string, including arbitrary URI +parameters. URI aliases will apply to any application opening a libvirt +connection, unless it has explicitly passed the ``VIR_CONNECT_NO_ALIASES`` +parameter to ``virConnectOpenAuth``. If the passed in URI contains characters +outside the allowed alias character set, no alias lookup will be attempted. + +Default URI choice +------------------ + +If the URI passed to ``virConnectOpen*`` is NULL, then libvirt will use the +following logic to determine what URI to use. + +#. The environment variable ``LIBVIRT_DEFAULT_URI`` +#. The client configuration file ``uri_default`` parameter +#. Probe each hypervisor in turn until one that works is found + +Specifying URIs to virsh, virt-manager and virt-install +------------------------------------------------------- + +In virsh use the ``-c`` or ``--connect`` option: + +:: + + virsh -c test:///default list + +If virsh finds the environment variable ``VIRSH_DEFAULT_CONNECT_URI`` set, it +will try this URI by default. Use of this environment variable is, however, +deprecated now that libvirt supports ``LIBVIRT_DEFAULT_URI`` itself. + +When using the interactive virsh shell, you can also use the ``connect`` *URI* +command to reconnect to another hypervisor. + +In virt-manager use the ``-c`` or ``--connect=``\ *URI* option: + +:: + + virt-manager -c test:///default + +In virt-install use the ``--connect=``\ *URI* option: + +:: + + virt-install --connect=test:///default [other options] + +xen:///system URI +----------------- + +*This section describes a feature which is new in libvirt > 0.2.3. For libvirt ≤ +0.2.3 use* `Legacy: "xen"`_ *URI*. + +To access a Xen hypervisor running on the local machine use the URI +``xen:///system``. + +qemu:///... QEMU and KVM URIs +----------------------------- + +To use QEMU support in libvirt you must be running the ``libvirtd`` daemon +(named ``libvirt_qemud`` in releases prior to 0.3.0). The purpose of this daemon +is to manage qemu instances. + +The ``libvirtd`` daemon should be started by the init scripts when the machine +boots. It should appear as a process ``libvirtd --daemon`` running as root in +the background and will handle qemu instances on behalf of all users of the +machine (among other things). + +So to connect to the daemon, one of two different URIs is used: + +- ``qemu:///system`` connects to a system mode daemon. +- ``qemu:///session`` connects to a session mode daemon. + +(If you do ``libvirtd --help``, the daemon will print out the paths of the Unix +domain socket(s) that it listens on in the various different modes). + +KVM URIs are identical. You select between qemu, qemu accelerated and KVM guests +in the `guest XML as described here <format.html#KVM1>`__. + +Remote URIs +----------- + +Remote URIs have the general form ("[...]" meaning an optional part): + +:: + + driver[+transport]://[username@][hostname][:port]/[path][?extraparameters] + +Either the transport or the hostname must be given in order to distinguish this +from a local URI. + +Some examples: + +- ``xen+ssh://rjones@towada/system`` + — Connect to a remote Xen hypervisor on host ``towada`` using ssh transport + and ssh username ``rjones``. +- ``xen://towada/system`` + — Connect to a remote Xen hypervisor on host ``towada`` using TLS. +- ``xen://towada/system?no_verify=1`` + — Connect to a remote Xen hypervisor on host ``towada`` using TLS. Do not + verify the server's certificate. +- ``qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock`` + — Connect to the local qemu instances over a non-standard Unix socket (the + full path to the Unix socket is supplied explicitly in this case). +- ``test+tcp://localhost:5000/default`` + — Connect to a libvirtd daemon offering unencrypted TCP/IP connections on + localhost port 5000 and use the test driver with default settings. +- ``qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts`` + — Connect to a remote host using a ssh connection with the libssh2 driver and + use a different known_hosts file. +- ``qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts`` + — Connect to a remote host using a ssh connection with the libssh driver and + use a different known_hosts file. + +Extra parameters +~~~~~~~~~~~~~~~~ + +Extra parameters can be added to remote URIs as part of the query string (the +part following ``?``). Remote URIs understand the extra parameters shown +below. Any others are passed unmodified through to the back end. Note that +parameter values must be +`URI-escaped <http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr>`__. + ++-------------------------+-------------------------+-------------------------+ +| Name | Transports | Meaning | ++=========================+=========================+=========================+ +| ``name`` | *any transport* | The name passed to the | +| | | remote virConnectOpen | +| | | function. The name is | +| | | normally formed by | +| | | removing transport, | +| | | hostname, port number, | +| | | username and extra | +| | | parameters from the | +| | | remote URI, but in | +| | | certain very complex | +| | | cases it may be better | +| | | to supply the name | +| | | explicitly. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``name=qemu:///system`` | ++-------------------------+-------------------------+-------------------------+ +| ``tls_priority`` | tls | A valid GNUTLS priority | +| | | string | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``tls_priorit | +| | | y=NORMAL:-VERS-SSL3.0`` | ++-------------------------+-------------------------+-------------------------+ +| ``mode`` | unix, ssh, libssh, | ``auto`` | +| | libssh2 | automatically | +| | | determine the daemon | +| | | ``direct`` | +| | | connect to | +| | | per-driver daemons | +| | | ``legacy`` | +| | | connect to libvirtd | +| | | | +| | | Can also be set in | +| | | ``libvirt.conf`` as | +| | | ``remote_mode`` | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``mode=direct`` | ++-------------------------+-------------------------+-------------------------+ +| ``proxy`` | auto, netcat, native | ``auto`` | +| | | try native, fallback | +| | | to netcat | +| | | ``netcat`` | +| | | only use netcat | +| | | ``native`` | +| | | only use native | +| | | | +| | | Can also be set in | +| | | ``libvirt.conf`` as | +| | | ``remote_proxy`` | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``proxy=native`` | ++-------------------------+-------------------------+-------------------------+ +| ``command`` | ssh, ext | The external command. | +| | | For ext transport this | +| | | is required. For ssh | +| | | the default is ``ssh``. | +| | | The PATH is searched | +| | | for the command. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``command | +| | | =/opt/openssh/bin/ssh`` | ++-------------------------+-------------------------+-------------------------+ +| ``socket`` | unix, ssh, libssh2, | The path to the Unix | +| | libssh | domain socket, which | +| | | overrides the | +| | | compiled-in default. | +| | | For ssh transport, this | +| | | is passed to the remote | +| | | netcat command (see | +| | | next). | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | `` | +| | | socket=/opt/libvirt/run | +| | | /libvirt/libvirt-sock`` | ++-------------------------+-------------------------+-------------------------+ +| ``netcat`` | ssh, libssh2, libssh | The name of the netcat | +| | | command on the remote | +| | | machine. The default is | +| | | ``nc``. This is not | +| | | permitted when using | +| | | the ``native`` proxy | +| | | mode. For ssh | +| | | transport, libvirt | +| | | constructs an ssh | +| | | command which looks | +| | | like: | +| | | | +| | | ``command -p port`` | +| | | ``[-l username]`` | +| | | ``hostname`` or | +| | | | +| | | ``netcat -U socket`` | +| | | | +| | | where *port*, | +| | | *username*, *hostname* | +| | | can be specified as | +| | | part of the remote URI, | +| | | and *command*, *netcat* | +| | | and *socket* come from | +| | | extra parameters (or | +| | | sensible defaults). | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``netc | +| | | at=/opt/netcat/bin/nc`` | ++-------------------------+-------------------------+-------------------------+ +| ``keyfile`` | ssh, libssh2, libssh | The name of the private | +| | | key file to use to | +| | | authentication to the | +| | | remote machine. If this | +| | | option is not used the | +| | | default keys are used. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``keyfile=/ | +| | | root/.ssh/example_key`` | ++-------------------------+-------------------------+-------------------------+ +| ``no_verify`` | ssh, tls | SSH: If set to a | +| | | non-zero value, this | +| | | disables client's | +| | | strict host key | +| | | checking making it | +| | | auto-accept new host | +| | | keys. Existing host | +| | | keys will still be | +| | | validated. | +| | | TLS: If set to a | +| | | non-zero value, this | +| | | disables client checks | +| | | of the server's | +| | | certificate. Note that | +| | | to disable server | +| | | checks of the client's | +| | | certificate or IP | +| | | address you must | +| | | `change the libvirtd | +| | | conf | +| | | iguration <#Remote_libv | +| | | irtd_configuration>`__. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``no_verify=1`` | ++-------------------------+-------------------------+-------------------------+ +| ``no_tty`` | ssh | If set to a non-zero | +| | | value, this stops ssh | +| | | from asking for a | +| | | password if it cannot | +| | | log in to the remote | +| | | machine automatically | +| | | (eg. using ssh-agent | +| | | etc.). Use this when | +| | | you don't have access | +| | | to a terminal - for | +| | | example in graphical | +| | | programs which use | +| | | libvirt. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: ``no_tty=1`` | ++-------------------------+-------------------------+-------------------------+ +| ``pkipath`` | tls | Specifies x509 | +| | | certificates path for | +| | | the client. If any of | +| | | the CA certificate, | +| | | client certificate, or | +| | | client key is missing, | +| | | the connection will | +| | | fail with a fatal | +| | | error. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``pk | +| | | ipath=/tmp/pki/client`` | ++-------------------------+-------------------------+-------------------------+ +| ``known_hosts`` | libssh2, libssh | Path to the known_hosts | +| | | file to verify the host | +| | | key against. LibSSH2 | +| | | and libssh support | +| | | OpenSSH-style | +| | | known_hosts files, | +| | | although LibSSH2 does | +| | | not support all key | +| | | types, so using files | +| | | created by the OpenSSH | +| | | binary may result into | +| | | truncating the | +| | | known_hosts file. Thus, | +| | | with LibSSH2 it's | +| | | recommended to use the | +| | | default known_hosts | +| | | file is located in | +| | | libvirt's client local | +| | | configuration directory | +| | | e.g.: | +| | | ~/.conf | +| | | ig/libvirt/known_hosts. | +| | | Note: Use absolute | +| | | paths. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``known_hosts=/ | +| | | root/.ssh/known_hosts`` | ++-------------------------+-------------------------+-------------------------+ +| ``known_hosts_verify`` | libssh2, libssh | If set to ``normal`` | +| | | (default), then the | +| | | user will be asked to | +| | | accept new host keys. | +| | | If set to ``auto``, new | +| | | host keys will be | +| | | auto-accepted, but | +| | | existing host keys will | +| | | still be validated. If | +| | | set to ``ignore``, this | +| | | disables client's | +| | | strict host key | +| | | checking. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``know | +| | | n_hosts_verify=ignore`` | ++-------------------------+-------------------------+-------------------------+ +| ``sshauth`` | libssh2, libssh | A comma separated list | +| | | of authentication | +| | | methods to use. Default | +| | | (is | +| | | "agent,privkey,password | +| | | ,keyboard-interactive". | +| | | The order of the | +| | | methods is preserved. | +| | | Some methods may | +| | | require additional | +| | | parameters. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | `` | +| | | sshauth=privkey,agent`` | ++-------------------------+-------------------------+-------------------------+ + +test:///... Test URIs +--------------------- + +The test driver is a dummy hypervisor for test purposes. The URIs supported are: + +- ``test:///default`` connects to a default set of host definitions built into + the driver. +- ``test:///path/to/host/definitions`` connects to a set of host definitions + held in the named file. + +Other & legacy URI formats +-------------------------- + +NULL and empty string URIs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Libvirt allows you to pass a ``NULL`` pointer to ``virConnectOpen*``. Empty +string (``""``) acts in the same way. Traditionally this has meant “connect to +the local Xen hypervisor”. However in future this may change to mean “connect to +the best available hypervisor”. + +The theory is that if, for example, Xen is unavailable but the machine is +running an OpenVZ kernel, then we should not try to connect to the Xen +hypervisor since that is obviously the wrong thing to do. + +In any case applications linked to libvirt can continue to pass ``NULL`` as a +default choice, but should always allow the user to override the URI, either by +constructing one or by allowing the user to type a URI in directly (if that is +appropriate). If your application wishes to connect specifically to a Xen +hypervisor, then for future proofing it should choose a full +`xen:///system URI`_. + +Legacy: ``"xen"`` +~~~~~~~~~~~~~~~~~ + +Another legacy URI is to specify name as the string ``"xen"``. This will +continue to refer to the Xen hypervisor. However you should prefer a full +`xen:///system URI`_ in all future code. -- 2.35.1

Mention the legacy 'xen' string usage under the Xen hypervisor uri section. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 80c2d780c3..97a72dc37d 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -91,12 +91,12 @@ In virt-install use the ``--connect=``\ *URI* option: xen:///system URI ----------------- -*This section describes a feature which is new in libvirt > 0.2.3. For libvirt ≤ -0.2.3 use* `Legacy: "xen"`_ *URI*. - To access a Xen hypervisor running on the local machine use the URI ``xen:///system``. +Historically libvirt 0.2.2 and previous versions required to use the name +``"xen"`` to refer to the Xen hypervisor. + qemu:///... QEMU and KVM URIs ----------------------------- @@ -418,13 +418,3 @@ The test driver is a dummy hypervisor for test purposes. The URIs supported are: the driver. - ``test:///path/to/host/definitions`` connects to a set of host definitions held in the named file. - -Other & legacy URI formats --------------------------- - -Legacy: ``"xen"`` -~~~~~~~~~~~~~~~~~ - -Another legacy URI is to specify name as the string ``"xen"``. This will -continue to refer to the Xen hypervisor. However you should prefer a full -`xen:///system URI`_ in all future code. -- 2.35.1

Avoid the table and add a brief description of the transport protocol. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 474 +++++++++++++++++++++++++-------------------------- 1 file changed, 228 insertions(+), 246 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 714a0c4c21..4efd634087 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -168,8 +168,11 @@ Some examples: — Connect to a remote host using a ssh connection with the libssh driver and use a different known_hosts file. -Extra parameters -~~~~~~~~~~~~~~~~ +Transport configuration +~~~~~~~~~~~~~~~~~~~~~~~ + +The remote driver supports multiple transport protocols and approaches which are +configurable via the URI. Extra parameters can be added to remote URIs as part of the query string (the part following ``?``). Remote URIs understand the extra parameters shown @@ -177,247 +180,226 @@ below. Any others are passed unmodified through to the back end. Note that parameter values must be `URI-escaped <http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr>`__. -+-------------------------+-------------------------+-------------------------+ -| Name | Transports | Meaning | -+=========================+=========================+=========================+ -| ``name`` | *any transport* | The name passed to the | -| | | remote virConnectOpen | -| | | function. The name is | -| | | normally formed by | -| | | removing transport, | -| | | hostname, port number, | -| | | username and extra | -| | | parameters from the | -| | | remote URI, but in | -| | | certain very complex | -| | | cases it may be better | -| | | to supply the name | -| | | explicitly. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``name=qemu:///system`` | -+-------------------------+-------------------------+-------------------------+ -| ``tls_priority`` | tls | A valid GNUTLS priority | -| | | string | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``tls_priorit | -| | | y=NORMAL:-VERS-SSL3.0`` | -+-------------------------+-------------------------+-------------------------+ -| ``mode`` | unix, ssh, libssh, | ``auto`` | -| | libssh2 | automatically | -| | | determine the daemon | -| | | ``direct`` | -| | | connect to | -| | | per-driver daemons | -| | | ``legacy`` | -| | | connect to libvirtd | -| | | | -| | | Can also be set in | -| | | ``libvirt.conf`` as | -| | | ``remote_mode`` | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``mode=direct`` | -+-------------------------+-------------------------+-------------------------+ -| ``proxy`` | auto, netcat, native | ``auto`` | -| | | try native, fallback | -| | | to netcat | -| | | ``netcat`` | -| | | only use netcat | -| | | ``native`` | -| | | only use native | -| | | | -| | | Can also be set in | -| | | ``libvirt.conf`` as | -| | | ``remote_proxy`` | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``proxy=native`` | -+-------------------------+-------------------------+-------------------------+ -| ``command`` | ssh, ext | The external command. | -| | | For ext transport this | -| | | is required. For ssh | -| | | the default is ``ssh``. | -| | | The PATH is searched | -| | | for the command. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``command | -| | | =/opt/openssh/bin/ssh`` | -+-------------------------+-------------------------+-------------------------+ -| ``socket`` | unix, ssh, libssh2, | The path to the Unix | -| | libssh | domain socket, which | -| | | overrides the | -| | | compiled-in default. | -| | | For ssh transport, this | -| | | is passed to the remote | -| | | netcat command (see | -| | | next). | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | `` | -| | | socket=/opt/libvirt/run | -| | | /libvirt/libvirt-sock`` | -+-------------------------+-------------------------+-------------------------+ -| ``netcat`` | ssh, libssh2, libssh | The name of the netcat | -| | | command on the remote | -| | | machine. The default is | -| | | ``nc``. This is not | -| | | permitted when using | -| | | the ``native`` proxy | -| | | mode. For ssh | -| | | transport, libvirt | -| | | constructs an ssh | -| | | command which looks | -| | | like: | -| | | | -| | | ``command -p port`` | -| | | ``[-l username]`` | -| | | ``hostname`` or | -| | | | -| | | ``netcat -U socket`` | -| | | | -| | | where *port*, | -| | | *username*, *hostname* | -| | | can be specified as | -| | | part of the remote URI, | -| | | and *command*, *netcat* | -| | | and *socket* come from | -| | | extra parameters (or | -| | | sensible defaults). | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``netc | -| | | at=/opt/netcat/bin/nc`` | -+-------------------------+-------------------------+-------------------------+ -| ``keyfile`` | ssh, libssh2, libssh | The name of the private | -| | | key file to use to | -| | | authentication to the | -| | | remote machine. If this | -| | | option is not used the | -| | | default keys are used. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``keyfile=/ | -| | | root/.ssh/example_key`` | -+-------------------------+-------------------------+-------------------------+ -| ``no_verify`` | ssh, tls | SSH: If set to a | -| | | non-zero value, this | -| | | disables client's | -| | | strict host key | -| | | checking making it | -| | | auto-accept new host | -| | | keys. Existing host | -| | | keys will still be | -| | | validated. | -| | | TLS: If set to a | -| | | non-zero value, this | -| | | disables client checks | -| | | of the server's | -| | | certificate. Note that | -| | | to disable server | -| | | checks of the client's | -| | | certificate or IP | -| | | address you must | -| | | `change the libvirtd | -| | | conf | -| | | iguration <#Remote_libv | -| | | irtd_configuration>`__. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``no_verify=1`` | -+-------------------------+-------------------------+-------------------------+ -| ``no_tty`` | ssh | If set to a non-zero | -| | | value, this stops ssh | -| | | from asking for a | -| | | password if it cannot | -| | | log in to the remote | -| | | machine automatically | -| | | (eg. using ssh-agent | -| | | etc.). Use this when | -| | | you don't have access | -| | | to a terminal - for | -| | | example in graphical | -| | | programs which use | -| | | libvirt. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: ``no_tty=1`` | -+-------------------------+-------------------------+-------------------------+ -| ``pkipath`` | tls | Specifies x509 | -| | | certificates path for | -| | | the client. If any of | -| | | the CA certificate, | -| | | client certificate, or | -| | | client key is missing, | -| | | the connection will | -| | | fail with a fatal | -| | | error. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``pk | -| | | ipath=/tmp/pki/client`` | -+-------------------------+-------------------------+-------------------------+ -| ``known_hosts`` | libssh2, libssh | Path to the known_hosts | -| | | file to verify the host | -| | | key against. LibSSH2 | -| | | and libssh support | -| | | OpenSSH-style | -| | | known_hosts files, | -| | | although LibSSH2 does | -| | | not support all key | -| | | types, so using files | -| | | created by the OpenSSH | -| | | binary may result into | -| | | truncating the | -| | | known_hosts file. Thus, | -| | | with LibSSH2 it's | -| | | recommended to use the | -| | | default known_hosts | -| | | file is located in | -| | | libvirt's client local | -| | | configuration directory | -| | | e.g.: | -| | | ~/.conf | -| | | ig/libvirt/known_hosts. | -| | | Note: Use absolute | -| | | paths. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``known_hosts=/ | -| | | root/.ssh/known_hosts`` | -+-------------------------+-------------------------+-------------------------+ -| ``known_hosts_verify`` | libssh2, libssh | If set to ``normal`` | -| | | (default), then the | -| | | user will be asked to | -| | | accept new host keys. | -| | | If set to ``auto``, new | -| | | host keys will be | -| | | auto-accepted, but | -| | | existing host keys will | -| | | still be validated. If | -| | | set to ``ignore``, this | -| | | disables client's | -| | | strict host key | -| | | checking. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``know | -| | | n_hosts_verify=ignore`` | -+-------------------------+-------------------------+-------------------------+ -| ``sshauth`` | libssh2, libssh | A comma separated list | -| | | of authentication | -| | | methods to use. Default | -| | | (is | -| | | "agent,privkey,password | -| | | ,keyboard-interactive". | -| | | The order of the | -| | | methods is preserved. | -| | | Some methods may | -| | | require additional | -| | | parameters. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | `` | -| | | sshauth=privkey,agent`` | -+-------------------------+-------------------------+-------------------------+ +All transports support the following parameters: + + ``name`` + + The name passed to the remote ``virConnectOpen`` function. The name is + normally formed by removing transport, hostname, port number, username and + extra parameters from the remote URI, but in certain very complex cases it + may be better to supply the name explicitly. + + **Example:** ``name=qemu:///system`` + +``ssh`` transport +^^^^^^^^^^^^^^^^^ + +The ``ssh`` transport uses the standard SSH protocol via the system installed +binary. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``proxy`` + See the info on the `proxy parameter`_. + ``command`` + Path to the ``ssh`` binary to use. + + **Example:** ``command=/opt/openssh/bin/ssh`` + ``socket`` + See the info on the `socket parameter`_. + ``netcat`` + See the info on the `netcat parameter`_. + ``keyfile`` + See the info on the `keyfile parameter`_. + ``no_verify`` + If set to a non-zero value, this disables client's strict host key checking + making it auto-accept new host keys. Existing host keys will still be + validated. + + **Example:** ``no_verify=1`` + ``no_tty`` + If set to a non-zero value, this stops ssh from asking for a password if it + cannot log in to the remote machine automatically (eg. using ssh-agent + etc.). Use this when you don't have access to a terminal - for example in + graphical programs which use libvirt. + + **Example:** ``no_tty=1`` + +``libssh`` and ``libssh2`` transport +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Same as the ``ssh`` transport but the SSH client is handled directly by using +either ``libssh`` or ``libssh2`` to handle the SSH protocol without spawning an +extra process. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``proxy`` + See the info on the `proxy parameter`_. + ``socket`` + See the info on the `socket parameter`_. + ``netcat`` + See the info on the `netcat parameter`_. + ``keyfile`` + See the info on the `keyfile parameter`_. + ``known_hosts`` + Path to the known_hosts file to verify the host key against. LibSSH2 and + libssh support OpenSSH-style known_hosts files, although LibSSH2 does not + support all key types, so using files created by the OpenSSH binary may + result into truncating the known_hosts file. Thus, with LibSSH2 it's + recommended to use the default known_hosts file is located in libvirt's + client local configuration directory e.g.: ~/.conf ig/libvirt/known_hosts. + + *Note:* Use absolute paths. + + **Example:** ``known_hosts=/root/.ssh/known_hosts`` + + ``known_hosts_verify`` + If set to ``normal`` (default), then the user will be asked to accept new + host keys. If set to ``auto``, new host keys will be auto-accepted, but + existing host keys will still be validated. If set to ``ignore``, this + disables client's strict host key checking. + + **Example:** ``known_hosts_verify=ignore`` + + ``sshauth`` + A comma separated list of authentication methods to use. Default (is + "agent,privkey,password ,keyboard-interactive". The order of the methods + is preserved. Some methods may require additional parameters. + + **Example:** ``sshauth=privkey,agent`` + +``tls`` transport +^^^^^^^^^^^^^^^^^ + +This transport uses a TCP connection to the socket. The data is encrypted using +TLS to ensure security. Note that TLS certificates must be setup for this to +work. + +Supported extra parameters: + + ``tls_priority`` + A valid GNUTLS priority string. + + **Example:** ``tls_priority=NORMAL:-VERS-SSL3.0`` + + ``no_verify`` + If set to a non-zero value, this disables client checks of the server's + certificate. Note that to disable server checks of the client's certificate + or IP address you must `change the libvirtd configuration + <#Remote_libvirtd_configuration>`__ + + **Example:** ``no_verify=1`` + + ``pkipath`` + + Specifies x509 certificates path for the client. If any of the CA + certificate, client certificate, or client key is missing, the connection + will fail with a fatal error. + + **Example:** ``pkipath=/tmp/pki/client`` + +``unix`` transport +^^^^^^^^^^^^^^^^^^ + +This transport uses an unix domain socket is used to connect to the daemon. +This is the most common case. In most cases no extra parameters are needed. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``socket`` + See the info on the `socket parameter`_. + +``ext`` transport +^^^^^^^^^^^^^^^^^ + +The ``ext`` transport invokes the user specified command to transport the +libvirt RPC protocol to the destination. The command must be able to handle +the proper connection. Standard input/output is used for the communication. + +Supported extra parameters: + + ``command`` + The external command launched to tunnel the data to the destination. + +``tcp`` transport +^^^^^^^^^^^^^^^^^ + +The ``tcp`` transport uses plain unencrypted TCP connection to libvirt. This +is insecure and should not be used. This transport has no additional arguments. + +Common extra parameters +~~~~~~~~~~~~~~~~~~~~~~~ + +Certain extra parameters are shared between multiple protocols. See the list of +transport protocols above for specific usage. + +``mode`` parameter +^^^^^^^^^^^^^^^^^^ + +Controls whether to connect to per-driver daemons or libvirtd. + +Supported values: + + ``auto`` + automatically determine the daemon + ``direct`` + connect to per-driver daemons + ``legacy`` + connect to libvirtd + +Default is ``auto``. Can also be set in ``libvirt.conf`` as ``remote_mode``. + +**Example:** ``mode=direct`` + +``proxy`` parameter +^^^^^^^^^^^^^^^^^^^ + +Controls which proxy binary is used on the remote side of connection to connect +to the daemon. + +Supported values: + + ``auto`` + try native, fallback to netcat + ``netcat`` + only use netcat + ``native`` + use the libvirt native proxy binary + +Default is ``auto``. Can also be set in ``libvirt.conf`` as ``remote_proxy``. + +**Example:** ``proxy=native`` + +``socket`` parameter +^^^^^^^^^^^^^^^^^^^^ + +The path to the Unix domain socket, which overrides the compiled-in default. +This may be passed to the remote proxy command (See. `proxy parameter`). + +**Example:** ``socket=/opt/libvirt/run/libvirt/libvirt-sock`` + +``netcat`` parameter +^^^^^^^^^^^^^^^^^^^^ +The name of the netcat command on the remote machine. The default is ``nc``. +This is not permitted when using the ``native`` proxy mode. + +The command used here is used on the remote side of the connection as: + + ``netcat -U socket`` + +**Example:** ``netcat=/opt/netcat/bin/nc`` + +``keyfile`` parameter +^^^^^^^^^^^^^^^^^^^^^ + +The name of the private key file to use to authentication to the remote +machine. If this option is not used the default keys are used. + +**Example:** ``keyfile=/root/.ssh/example_key`` -- 2.35.1

Modify the name of the 'IRC discussion' paragraph to just 'IRC' so that the links keep working and remove the raw HTML anchors. Adjustment is needed for documents which were using the '#email' anchor which has now become '#mailing-lists'. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/contact.rst | 11 ++--------- docs/contribute.rst | 10 +++++----- docs/page.xsl | 2 +- docs/securityprocess.rst | 4 ++-- 4 files changed, 10 insertions(+), 17 deletions(-) diff --git a/docs/contact.rst b/docs/contact.rst index 75b1239301..19e1b66a52 100644 --- a/docs/contact.rst +++ b/docs/contact.rst @@ -1,6 +1,3 @@ -.. role:: anchor(raw) - :format: html - =================================== Contacting the project contributors =================================== @@ -17,8 +14,6 @@ issues <securityprocess.html>`__ that should be used instead. So if your issue has security implications, ignore the rest of this page and follow the `security process <securityprocess.html>`__ instead. -:anchor:`<a id="email"/>` - Mailing lists ------------- @@ -78,10 +73,8 @@ discussion. Wherever possible, please generate the patches by using regarding developing libvirt and/or contributing is available on our `Contributor Guidelines <hacking.html>`__ page. -:anchor:`<a id="irc"/>` - -IRC discussion --------------- +IRC +--- Some of the libvirt developers may be found on IRC on the `OFTC IRC <https://oftc.net>`__ network. Use the settings: diff --git a/docs/contribute.rst b/docs/contribute.rst index c95c8b59d2..6ed5426b8a 100644 --- a/docs/contribute.rst +++ b/docs/contribute.rst @@ -67,7 +67,7 @@ to libvirt. If you have ideas for other contributions feel free to follow them. have, or run into trouble with managing an existing deployment. While some users may be able to contact a software vendor to obtain support, it is common to rely on community help forums such as `libvirt users mailing - list <contact.html#email>`__, or sites such as + list <contact.html#mailing-lists>`__, or sites such as `stackoverflow. <https://stackoverflow.com/questions/tagged/libvirt>`__ People who are familiar with libvirt and have ability & desire to help other users are encouraged to participate in these help forums. @@ -82,10 +82,10 @@ for communication between contributors: Mailing lists ~~~~~~~~~~~~~ -The project has a number of `mailing lists <contact.html#email>`__ for general -communication between contributors. In general any design discussions and review -of contributions will take place on the mailing lists, so it is important for -all contributors to follow the traffic. +The project has a number of `mailing lists <contact.html#mailing-lists>`__ for +general communication between contributors. In general any design discussions +and review of contributions will take place on the mailing lists, so it is +important for all contributors to follow the traffic. Instant messaging / chat ~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/page.xsl b/docs/page.xsl index 7d0203cf62..0a0b017482 100644 --- a/docs/page.xsl +++ b/docs/page.xsl @@ -172,7 +172,7 @@ <div id="contact"> <h3>Contact</h3> <ul> - <li><a href="{$href_base}contact.html#email">email</a></li> + <li><a href="{$href_base}contact.html#mailng-lists">email</a></li> <li><a href="{$href_base}contact.html#irc">irc</a></li> </ul> </div> diff --git a/docs/securityprocess.rst b/docs/securityprocess.rst index fe64e94f80..23f7a39e96 100644 --- a/docs/securityprocess.rst +++ b/docs/securityprocess.rst @@ -35,8 +35,8 @@ format in the `libvirt-security-notice GIT repository <https://gitlab.com/libvirt/libvirt-security-notice>`__ and `published online <https://security.libvirt.org>`__ in text, HTML and XML formats. Security notices are published on the `libvirt-announce mailing -list <https://libvirt.org/contact.html#email>`__ when any embargo is lifted, or -as soon as triaged if already public knowledge. +list <https://libvirt.org/contact.html#mailing-lists>`__ when any embargo is +lifted, or as soon as triaged if already public knowledge. Security team ------------- -- 2.35.1

Modify the gitlab templates linking to it and remove the raw HTML. Note that also the default template needs to be changed directly in gitlab. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- .gitlab/issue_templates/bug.md | 2 +- docs/bugs.rst | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.gitlab/issue_templates/bug.md b/.gitlab/issue_templates/bug.md index b2d1e46490..8a54cc2da4 100644 --- a/.gitlab/issue_templates/bug.md +++ b/.gitlab/issue_templates/bug.md @@ -1,4 +1,4 @@ -<!-- See https://libvirt.org/bugs.html#quality for guidance --> +<!-- See https://libvirt.org/bugs.html#how-to-file-high-quality-bug-reports --> ## Software environment - Operating system: diff --git a/docs/bugs.rst b/docs/bugs.rst index 152d734592..b5d2e42b0c 100644 --- a/docs/bugs.rst +++ b/docs/bugs.rst @@ -1,6 +1,3 @@ -.. role:: anchor(raw) - :format: html - ============= Bug reporting ============= @@ -79,8 +76,6 @@ Linux Distribution specific bug reports like to have your procedure for filing bugs mentioned here, please mail the libvirt development list. -:anchor:`<a id="quality"/>` - How to file high quality bug reports ------------------------------------ -- 2.35.1