[PATCH 00/15] docs: Convert some pages to rST and clean up (part 6)

After this series only 2 non-generated HTML files remain: - index.html.in - 404.html.in It is possible to convert these but the utility of doing so may not be great for now. Additionally this series cleans up some long-broken links and removes unneeded raw HTML passthrough to declare anchors. Pavel Hrdina (2): docs: storage: rename headers to remove duplicate names docs: Convert 'storage' page to rst Peter Krempa (13): docs: formatsecret: Correct link to storage volume XML definition Correct links to TLS certificate setup page docs: Convert 'remote' page to rst docs: remote: Remove 'Limitations' paragraph docs: Convert 'uri' page to rst docs: uri: Remove old 'NULL URI' section docs: uri: Consolidate paragraphs on Xen URIs docs: uri: Move the 'test' hypervisor under a 'local hypervisors heading docs: uri: Rewrite section about transport protocols and extra parameters docs: governance: Remove unused HTML anchors docs: contact: Remove HTML anchors and adjust documents using them docs: bugs: Remove raw HTML anchor 'quality' docs: formatdomain: Remove old unreferenced HTML anchors .gitlab/issue_templates/bug.md | 2 +- docs/bugs.rst | 5 - docs/contact.rst | 11 +- docs/contribute.rst | 10 +- docs/drvesx.rst | 5 +- docs/formatdomain.rst | 112 ----- docs/formatsecret.rst | 8 +- docs/governance.rst | 5 - docs/kbase/tlscerts.rst | 4 +- docs/meson.build | 6 +- docs/page.xsl | 2 +- docs/remote.html.in | 297 ------------ docs/remote.rst | 209 +++++++++ docs/securityprocess.rst | 4 +- docs/storage.html.in | 833 --------------------------------- docs/storage.rst | 790 +++++++++++++++++++++++++++++++ docs/uri.html.in | 507 -------------------- docs/uri.rst | 405 ++++++++++++++++ tools/virt-pki-validate.in | 10 +- 19 files changed, 1431 insertions(+), 1794 deletions(-) delete mode 100644 docs/remote.html.in create mode 100644 docs/remote.rst delete mode 100644 docs/storage.html.in create mode 100644 docs/storage.rst delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst -- 2.35.1

The anchor name was not fixed when the 'formatstorage' document was converted to rst. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/formatsecret.rst | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/formatsecret.rst b/docs/formatsecret.rst index bb2217041a..03c2836843 100644 --- a/docs/formatsecret.rst +++ b/docs/formatsecret.rst @@ -63,10 +63,10 @@ See `Setting secret values in virsh`_ on how to set the value of the secret using ``virsh secret-set-value``. The volume type secret can be supplied either in volume XML during creation of a -`storage volume <formatstorage.html#StorageVol>`__ in order to provide the -passphrase to encrypt the volume or in domain XML `disk -device <formatdomain.html#elementsDisks>`__ in order to provide the passphrase -to decrypt the volume, :since:`since 2.1.0` . An example follows: +`storage volume <formatstorage.html#storage-volume-xml>`__ in order to provide +the passphrase to encrypt the volume or in domain XML +`disk device <formatdomain.html#elementsDisks>`__ in order to provide the +passphrase to decrypt the volume, :since:`since 2.1.0` . An example follows: :: -- 2.35.1

When the setup of TLS certs was originally split out of 'docs/remote.html' ( df99aa311a33e87d4 ) links refering to it were not fixed. Adjust them to point to the correct document. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/drvesx.rst | 5 ++--- tools/virt-pki-validate.in | 10 +++++----- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/drvesx.rst b/docs/drvesx.rst index 9ef6b74161..81625d6f10 100644 --- a/docs/drvesx.rst +++ b/docs/drvesx.rst @@ -231,9 +231,8 @@ There are also other causes for connection problems than those related to error: Cannot access CA certificate '/etc/pki/CA/cacert.pem': No such file or directory Don't let this error message confuse you. Setting up certificates as - described on the `remote transport - mechanism <remote.html#Remote_certificates>`__ page does not help, as this is - not a certificate related problem. + described on the `tls certificates <kbase/tlscerts.html>`__ page does not + help, as this is not a certificate related problem. To fix this problem you need to update your libvirt to 0.7.0 or newer. You may also see this error when you use a libvirt version that contains the ESX diff --git a/tools/virt-pki-validate.in b/tools/virt-pki-validate.in index 2f7404bd94..7100eafb63 100644 --- a/tools/virt-pki-validate.in +++ b/tools/virt-pki-validate.in @@ -2,7 +2,7 @@ # # This shell script checks the TLS certificates and options needed # for the secure client/server support of libvirt as documented at -# https://libvirt.org/remote.html#Remote_certificates +# https://libvirt.org/kbase/tlscerts.html # # Copyright (C) 2009-2013 Red Hat, Inc. # @@ -166,7 +166,7 @@ if [ ! -f "$CA/cacert.pem" ] then echo the CA certificate $CA/cacert.pem is missing while it echo should be installed on both client and servers - echo "see https://libvirt.org/remote.html#Remote_TLS_CA" + echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authority-c..." echo on how to install it exit 1 fi @@ -186,7 +186,7 @@ if [ "$ORG" = "" ] then echo the CA certificate $CA/cacert.pem does not define the organization echo it should probably regenerated - echo "see https://libvirt.org/remote.html#Remote_TLS_CA" + echo "see https://libvirt.org/kbase/tlscerts.html#setting-up-a-certificate-authority-c..." echo on how to regenerate it exit 1 fi @@ -234,7 +234,7 @@ then else echo Did not find "$LIBVIRT/clientcert.pem" client certificate echo The machine cannot act as a client - echo "see https://libvirt.org/remote.html#Remote_TLS_client_certificates" + echo "see https://libvirt.org/kbase/tlscerts.html#issuing-client-certificates" echo on how to regenerate it CLIENT=0 fi @@ -287,7 +287,7 @@ then else echo Did not find $LIBVIRT/servercert.pem server certificate echo The machine cannot act as a server - echo "see https://libvirt.org/remote.html#Remote_TLS_server_certificates" + echo "see https://libvirt.org/kbase/tlscerts.html#issuing-server-certificates" echo on how to regenerate it SERVER=0 fi -- 2.35.1

From: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/storage.html.in | 96 ++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/docs/storage.html.in b/docs/storage.html.in index b2cf343933..8fb2cec9bd 100644 --- a/docs/storage.html.in +++ b/docs/storage.html.in @@ -96,7 +96,7 @@ operation can be used to create it. </p> - <h3>Example pool input definition</h3> + <h3>Example directory pool input definition</h3> <pre> <pool type="dir"> <name>virtimages</name> @@ -105,12 +105,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid directory pool format types</h3> <p> The directory pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid directory volume format types</h3> <p> One of the following options: </p> @@ -148,7 +148,7 @@ required. </p> - <h3>Example pool input</h3> + <h3>Example filesystem pool input</h3> <pre> <pool type="fs"> <name>virtimages</name> @@ -160,7 +160,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid filesystem pool format types</h3> <p> The filesystem pool supports the following formats: </p> @@ -207,7 +207,7 @@ </li> </ul> - <h3>Valid volume format types</h3> + <h3>Valid filesystem volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -224,7 +224,7 @@ protocol, which generally tries a mount via NFS first. </p> - <h3>Example pool input</h3> + <h3>Example network filesystem pool input</h3> <pre> <pool type="netfs"> <name>virtimages</name> @@ -238,7 +238,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid network filesystem pool format types</h3> <p> The network filesystem pool supports the following formats: </p> @@ -261,7 +261,7 @@ </li> </ul> - <h3>Valid volume format types</h3> + <h3>Valid network filesystem volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -278,7 +278,7 @@ of storage from the volume group. </p> - <h3>Example pool input</h3> + <h3>Example logical pool input</h3> <pre> <pool type="logical"> <name>HostVG</name> @@ -292,14 +292,14 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid logical pool format types</h3> <p> The logical volume pool supports only the <code>lvm2</code> format, although not supplying a format value will result in automatic selection of the<code>lvm2</code> format. </p> - <h3>Valid volume format types</h3> + <h3>Valid logical volume format types</h3> <p> The logical volume pool does not use the volume format type element. </p> @@ -315,7 +315,7 @@ It will default to using <code>dos</code> as the pool source format. </p> - <h3>Example pool input</h3> + <h3>Example disk pool input</h3> <pre> <pool type="disk"> <name>sda</name> @@ -327,7 +327,7 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid disk pool format types</h3> <p> The disk volume pool accepts the following pool format types, representing the common partition table types: @@ -374,7 +374,7 @@ in <code>parted</code>. </p> - <h3>Valid volume format types</h3> + <h3>Valid disk volume format types</h3> <p> The disk volume pool accepts the following volume format types, representing the common partition entry types: @@ -423,7 +423,7 @@ on the same host will fail the duplicate source pool checks. </p> - <h3>Example pool input</h3> + <h3>Example iSCSI pool input</h3> <pre> <pool type="iscsi"> <name>virtimages</name> @@ -436,12 +436,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid iSCSI pool format types</h3> <p> The iSCSI volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid iSCSI volume format types</h3> <p> The iSCSI volume pool does not use the volume format type element. </p> @@ -453,7 +453,7 @@ It requires a host, a path which is the target IQN, and an initiator IQN. </p> - <h3>Example pool input</h3> + <h3>Example iSCSI direct pool input</h3> <pre> <pool type="iscsi-direct"> <name>virtimages</name> @@ -466,12 +466,12 @@ </source> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid iSCSI direct pool format types</h3> <p> The iSCSI direct volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid iSCSI direct volume format types</h3> <p> The iSCSI direct volume pool does not use the volume format type element. </p> @@ -486,7 +486,7 @@ <span class="since">Since 0.6.2</span> </p> - <h3>Example pool input</h3> + <h3>Example SCSI pool input</h3> <pre> <pool type="scsi"> <name>virtimages</name> @@ -498,12 +498,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid SCSI pool format types</h3> <p> The SCSI volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid SCSI volume format types</h3> <p> The SCSI volume pool does not use the volume format type element. </p> @@ -522,7 +522,7 @@ <span class="since">Since 0.7.1</span> </p> - <h3>Example pool input</h3> + <h3>Example multipath pool input</h3> <pre> <pool type="mpath"> <name>virtimages</name> @@ -531,12 +531,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid multipath pool format types</h3> <p> The Multipath volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid multipath volume format types</h3> <p> The Multipath volume pool does not use the volume format type element. </p> @@ -562,7 +562,7 @@ <span class="since">Since 0.9.13</span> </p> - <h3>Example pool input</h3> + <h3>Example RBD pool input</h3> <pre> <pool type="rbd"> <name>myrbdpool</name> @@ -577,7 +577,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example RBD volume output</h3> <pre> <volume> <name>myvol</name> @@ -597,19 +597,19 @@ </target> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example RBD disk attachment</h3> <p>RBD images can be attached to QEMU guests when QEMU is built with RBD support. Information about attaching a RBD image to a guest can be found at <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid RBD pool format types</h3> <p> The RBD pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid RBD volume format types</h3> <p> Only raw volumes are supported. </p> @@ -626,7 +626,7 @@ <span class="since">Since 0.9.13</span> </p> - <h3>Example pool input</h3> + <h3>Example Sheepdog pool input</h3> <pre> <pool type="sheepdog"> <name>mysheeppool</name> @@ -636,7 +636,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example Sheepdog volume output</h3> <pre> <volume> <name>myvol</name> @@ -656,19 +656,19 @@ </target> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example Sheepdog disk attachment</h3> <p>Sheepdog images can be attached to QEMU guests. Information about attaching a Sheepdog image to a guest can be found at the <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid Sheepdog pool format types</h3> <p> The Sheepdog pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid Sheepdog volume format types</h3> <p> The Sheepdog pool does not use the volume format type element. </p> @@ -696,7 +696,7 @@ <span class="since">Since 1.2.0</span> </p> - <h3>Example pool input</h3> + <h3>Example Gluster pool input</h3> <p>A gluster volume corresponds to a libvirt storage pool. If a gluster volume could be mounted as <code>mount -t glusterfs localhost:/volname /some/path</code>, then the following example @@ -722,7 +722,7 @@ </source> </pool></pre> - <h3>Example volume output</h3> + <h3>Example Gluster volume output</h3> <p>Libvirt storage volumes associated with a gluster pool correspond to the files that can be found when mounting the gluster volume. The <code>name</code> is the path relative to @@ -741,19 +741,19 @@ <allocation unit='bytes'>53687091200</allocation> </volume></pre> - <h3>Example disk attachment</h3> + <h3>Example Gluster disk attachment</h3> <p>Files within a gluster volume can be attached to QEMU guests. Information about attaching a Gluster image to a guest can be found at the <a href="formatdomain.html#elementsDisks">format domain</a> page.</p> - <h3>Valid pool format types</h3> + <h3>Valid Gluster pool format types</h3> <p> The Gluster pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid Gluster volume format types</h3> <p> The valid volume types are the same as for the <code>directory</code> pool type. @@ -777,7 +777,7 @@ <p><span class="since">Since 1.2.8</span></p>. - <h3>Example pool input</h3> + <h3>Example ZFS pool input</h3> <pre> <pool type="zfs"> <name>myzfspool</name> @@ -788,12 +788,12 @@ </source> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid ZFS pool format types</h3> <p> The ZFS volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid ZFS volume format types</h3> <p> The ZFS volume pool does not use the volume format type element. </p> @@ -808,7 +808,7 @@ </p> <p>Please refer to the Virtuozzo Storage documentation for details on storage management and usage.</p> - <h3>Example pool input</h3> + <h3>Example vstorage pool input</h3> <p>In order to create storage pool with Virtuozzo Storage backend you have to provide cluster name and be authorized within the cluster.</p> <pre> @@ -822,12 +822,12 @@ </target> </pool></pre> - <h3>Valid pool format types</h3> + <h3>Valid vstorage pool format types</h3> <p> The Vstorage volume pool does not use the pool format type element. </p> - <h3>Valid volume format types</h3> + <h3>Valid vstorage volume format types</h3> <p>The valid volume types are the same as for the directory pool.</p> </body> </html> -- 2.35.1

From: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/meson.build | 2 +- docs/storage.html.in | 833 ------------------------------------------- docs/storage.rst | 790 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 791 insertions(+), 834 deletions(-) delete mode 100644 docs/storage.html.in create mode 100644 docs/storage.rst diff --git a/docs/meson.build b/docs/meson.build index eff3813cd6..a18def58a4 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -20,7 +20,6 @@ docs_assets = [ docs_html_in_files = [ 'index', 'remote', - 'storage', 'uri', ] @@ -99,6 +98,7 @@ docs_rst_files = [ 'programming-languages', 'python', 'securityprocess', + 'storage', 'strategy', 'styleguide', 'submitting-patches', diff --git a/docs/storage.html.in b/docs/storage.html.in deleted file mode 100644 index 8fb2cec9bd..0000000000 --- a/docs/storage.html.in +++ /dev/null @@ -1,833 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1 >Storage Management</h1> - <p> - Libvirt provides storage management on the physical host through - storage pools and volumes. - </p> - <p> - A storage pool is a quantity of storage set aside by an - administrator, often a dedicated storage administrator, for use - by virtual machines. Storage pools are divided into storage - volumes either by the storage administrator or the system - administrator, and the volumes are assigned to VMs as block - devices. - </p> - <p> - For example, the storage administrator responsible for an NFS - server creates a share to store virtual machines' data. The - system administrator defines a pool on the virtualization host - with the details of the share - (e.g. nfs.example.com:/path/to/share should be mounted on - /vm_data). When the pool is started, libvirt mounts the share - on the specified directory, just as if the system administrator - logged in and executed 'mount nfs.example.com:/path/to/share - /vmdata'. If the pool is configured to autostart, libvirt - ensures that the NFS share is mounted on the directory specified - when libvirt is started. - </p> - <p> - Once the pool is started, the files in the NFS share are - reported as volumes, and the storage volumes' paths may be - queried using the libvirt APIs. The volumes' paths can then be - copied into the section of a VM's XML definition describing the - source storage for the VM's block devices. In the case of NFS, - an application using the libvirt APIs can create and delete - volumes in the pool (files in the NFS share) up to the limit of - the size of the pool (the storage capacity of the share). Not - all pool types support creating and deleting volumes. Stopping - the pool (somewhat unfortunately referred to by virsh and the - API as "pool-destroy") undoes the start operation, in this case, - unmounting the NFS share. The data on the share is not modified - by the destroy operation, despite the name. See man virsh for - more details. - </p> - <p> - A second example is an iSCSI pool. A storage administrator - provisions an iSCSI target to present a set of LUNs to the host - running the VMs. When libvirt is configured to manage that - iSCSI target as a pool, libvirt will ensure that the host logs - into the iSCSI target and libvirt can then report the available - LUNs as storage volumes. The volumes' paths can be queried and - used in VM's XML definitions as in the NFS example. In this - case, the LUNs are defined on the iSCSI server, and libvirt - cannot create and delete volumes. - </p> - <p> - Storage pools and volumes are not required for the proper - operation of VMs. Pools and volumes provide a way for libvirt - to ensure that a particular piece of storage will be available - for a VM, but some administrators will prefer to manage their - own storage and VMs will operate properly without any pools or - volumes defined. On systems that do not use pools, system - administrators must ensure the availability of the VMs' storage - using whatever tools they prefer, for example, adding the NFS - share to the host's fstab so that the share is mounted at boot - time. - </p> - <p> - If at this point the value of pools and volumes over traditional - system administration tools is unclear, note that one of the - features of libvirt is its remote protocol, so it's possible to - manage all aspects of a virtual machine's lifecycle as well as - the configuration of the resources required by the VM. These - operations can be performed on a remote host entirely within the - libvirt API. In other words, a management application using - libvirt can enable a user to perform all the required tasks for - configuring the host for a VM: allocating resources, running the - VM, shutting it down and deallocating the resources, without - requiring shell access or any other control channel. - </p> - <p> - Libvirt supports the following storage pool types: - </p> - <ul id="toc"></ul> - - <h2><a id="StorageBackendDir">Directory pool</a></h2> - <p> - A pool with a type of <code>dir</code> provides the means to manage - files within a directory. The files can be fully allocated raw files, - sparsely allocated raw files, or one of the special disk formats - such as <code>qcow2</code>, <code>vmdk</code>, etc as supported - by the <code>qemu-img</code> program. If the directory does not exist - at the time the pool is defined, the <code>build</code> - operation can be used to create it. - </p> - - <h3>Example directory pool input definition</h3> - <pre> -<pool type="dir"> - <name>virtimages</name> - <target> - <path>/var/lib/virt/images</path> - </target> -</pool></pre> - - <h3>Valid directory pool format types</h3> - <p> - The directory pool does not use the pool format type element. - </p> - - <h3>Valid directory volume format types</h3> - <p> - One of the following options: - </p> - <ul> - <li><code>raw</code>: a plain file</li> - <li><code>bochs</code>: Bochs disk image format</li> - <li><code>cloop</code>: compressed loopback disk image format</li> - <li><code>cow</code>: User Mode Linux disk image format</li> - <li><code>dmg</code>: Mac disk image format</li> - <li><code>iso</code>: CDROM disk image format</li> - <li><code>qcow</code>: QEMU v1 disk image format</li> - <li><code>qcow2</code>: QEMU v2 disk image format</li> - <li><code>qed</code>: QEMU Enhanced Disk image format</li> - <li><code>vmdk</code>: VMware disk image format</li> - <li><code>vpc</code>: VirtualPC disk image format</li> - </ul> - <p> - When listing existing volumes all these formats are supported - natively. When creating new volumes, only a subset may be - available. The <code>raw</code> type is guaranteed always - available. The <code>qcow2</code> type can be created if - the <code>qemu-img</code> tool is present. The others are - dependent on support of the <code>qemu-img</code> tool. - - </p> - - <h2><a id="StorageBackendFS">Filesystem pool</a></h2> - <p> - This is a variant of the directory pool. Instead of creating a - directory on an existing mounted filesystem though, it expects - a source block device to be named. This block device will be - mounted and files managed in the directory of its mount point. - It will default to allowing the kernel to automatically discover - the filesystem type, though it can be specified manually if - required. - </p> - - <h3>Example filesystem pool input</h3> - <pre> -<pool type="fs"> - <name>virtimages</name> - <source> - <device path="/dev/VolGroup00/VirtImages"/> - </source> - <target> - <path>/var/lib/virt/images</path> - </target> -</pool></pre> - - <h3>Valid filesystem pool format types</h3> - <p> - The filesystem pool supports the following formats: - </p> - <ul> - <li><code>auto</code> - automatically determine format</li> - <li> - <code>ext2</code> - </li> - <li> - <code>ext3</code> - </li> - <li> - <code>ext4</code> - </li> - <li> - <code>ufs</code> - </li> - <li> - <code>iso9660</code> - </li> - <li> - <code>udf</code> - </li> - <li> - <code>gfs</code> - </li> - <li> - <code>gfs2</code> - </li> - <li> - <code>vfat</code> - </li> - <li> - <code>hfs+</code> - </li> - <li> - <code>xfs</code> - </li> - <li> - <code>ocfs2</code> - </li> - <li> - <code>vmfs</code> - </li> - </ul> - - <h3>Valid filesystem volume format types</h3> - <p> - The valid volume types are the same as for the <code>directory</code> - pool type. - </p> - - - <h2><a id="StorageBackendNetFS">Network filesystem pool</a></h2> - <p> - This is a variant of the filesystem pool. Instead of requiring - a local block device as the source, it requires the name of a - host and path of an exported directory. It will mount this network - filesystem and manage files within the directory of its mount - point. It will default to using <code>auto</code> as the - protocol, which generally tries a mount via NFS first. - </p> - - <h3>Example network filesystem pool input</h3> - <pre> -<pool type="netfs"> - <name>virtimages</name> - <source> - <host name="nfs.example.com"/> - <dir path="/var/lib/virt/images"/> - <format type='nfs'/> - </source> - <target> - <path>/var/lib/virt/images</path> - </target> -</pool></pre> - - <h3>Valid network filesystem pool format types</h3> - <p> - The network filesystem pool supports the following formats: - </p> - <ul> - <li><code>auto</code> - automatically determine format</li> - <li> - <code>nfs</code> - </li> - <li> - <code>glusterfs</code> - use the glusterfs FUSE file system. - For now, the <code>dir</code> specified as the source can only - be a gluster volume name, as gluster does not provide a way to - directly mount subdirectories within a volume. (To bypass the - file system completely, see - the <a href="#StorageBackendGluster">gluster</a> pool.) - </li> - <li> - <code>cifs</code> - use the SMB (samba) or CIFS file system. - The mount will use "-o guest" to mount the directory anonymously. - </li> - </ul> - - <h3>Valid network filesystem volume format types</h3> - <p> - The valid volume types are the same as for the <code>directory</code> - pool type. - </p> - - - <h2><a id="StorageBackendLogical">Logical volume pool</a></h2> - <p> - This provides a pool based on an LVM volume group. For a - pre-defined LVM volume group, simply providing the group - name is sufficient, while to build a new group requires - providing a list of source devices to serve as physical - volumes. Volumes will be allocated by carving out chunks - of storage from the volume group. - </p> - - <h3>Example logical pool input</h3> - <pre> -<pool type="logical"> - <name>HostVG</name> - <source> - <device path="/dev/sda1"/> - <device path="/dev/sdb1"/> - <device path="/dev/sdc1"/> - </source> - <target> - <path>/dev/HostVG</path> - </target> -</pool></pre> - - <h3>Valid logical pool format types</h3> - <p> - The logical volume pool supports only the <code>lvm2</code> format, - although not supplying a format value will result in automatic - selection of the<code>lvm2</code> format. - </p> - - <h3>Valid logical volume format types</h3> - <p> - The logical volume pool does not use the volume format type element. - </p> - - - <h2><a id="StorageBackendDisk">Disk pool</a></h2> - <p> - This provides a pool based on a physical disk. Volumes are created - by adding partitions to the disk. Disk pools have constraints - on the size and placement of volumes. The 'free extents' - information will detail the regions which are available for creating - new volumes. A volume cannot span across two different free extents. - It will default to using <code>dos</code> as the pool source format. - </p> - - <h3>Example disk pool input</h3> - <pre> -<pool type="disk"> - <name>sda</name> - <source> - <device path='/dev/sda'/> - </source> - <target> - <path>/dev</path> - </target> -</pool></pre> - - <h3>Valid disk pool format types</h3> - <p> - The disk volume pool accepts the following pool format types, representing - the common partition table types: - </p> - <ul> - <li> - <code>dos</code> - </li> - <li> - <code>dvh</code> - </li> - <li> - <code>gpt</code> - </li> - <li> - <code>mac</code> - </li> - <li> - <code>bsd</code> - </li> - <li> - <code>pc98</code> - </li> - <li> - <code>sun</code> - </li> - <li> - <code>lvm2</code> - </li> - </ul> - <p> - The formats <code>dos</code> ("msdos" in parted terminology, - good for BIOS systems) or <code>gpt</code> (good for UEFI - systems) are recommended for best portability - the latter is - needed for disks larger than 2TB. Note that the <code>lvm2</code> - format refers to the physical volume format (i.e. the whole - disk is a physical volume - not the usual usage of LVM where - physical volumes are partitions). This is not really - a partition table and such pool cannot be built by libvirt, - only detected. - </p> - <p> - Building a pool of a certain format depends on its availability - in <code>parted</code>. - </p> - - <h3>Valid disk volume format types</h3> - <p> - The disk volume pool accepts the following volume format types, representing - the common partition entry types: - </p> - <ul> - <li> - <code>none</code> - </li> - <li> - <code>linux</code> - </li> - <li> - <code>fat16</code> - </li> - <li> - <code>fat32</code> - </li> - <li> - <code>linux-swap</code> - </li> - <li> - <code>linux-lvm</code> - </li> - <li> - <code>linux-raid</code> - </li> - <li> - <code>extended</code> - </li> - </ul> - - - <h2><a id="StorageBackendISCSI">iSCSI pool</a></h2> - <p> - This provides a pool based on an iSCSI target. Volumes must be - pre-allocated on the iSCSI server, and cannot be created via - the libvirt APIs. Since /dev/XXX names may change each time libvirt - logs into the iSCSI target, it is recommended to configure the pool - to use <code>/dev/disk/by-path</code> or <code>/dev/disk/by-id</code> - for the target path. These provide persistent stable naming for LUNs - </p> - <p> - The libvirt iSCSI storage backend does not resolve the provided - host name or IP address when finding the available target IQN's - on the host; therefore, defining two pools to use the same IQN - on the same host will fail the duplicate source pool checks. - </p> - - <h3>Example iSCSI pool input</h3> - <pre> -<pool type="iscsi"> - <name>virtimages</name> - <source> - <host name="iscsi.example.com"/> - <device path="iqn.2013-06.com.example:iscsi-pool"/> - </source> - <target> - <path>/dev/disk/by-path</path> - </target> -</pool></pre> - - <h3>Valid iSCSI pool format types</h3> - <p> - The iSCSI volume pool does not use the pool format type element. - </p> - - <h3>Valid iSCSI volume format types</h3> - <p> - The iSCSI volume pool does not use the volume format type element. - </p> - - <h2><a id="StorageBackendISCSIDirect">iSCSI direct pool</a></h2> - <p> - This is a variant of the iSCSI pool. Instead of using iscsiadm, it uses - libiscsi. - It requires a host, a path which is the target IQN, and an initiator IQN. - </p> - - <h3>Example iSCSI direct pool input</h3> - <pre> -<pool type="iscsi-direct"> - <name>virtimages</name> - <source> - <host name="iscsi.example.com"/> - <device path="iqn.2013-06.com.example:iscsi-pool"/> - <initiator> - <iqn name="iqn.2013-06.com.example:iscsi-initiator"/> - </initiator> - </source> -</pool></pre> - - <h3>Valid iSCSI direct pool format types</h3> - <p> - The iSCSI direct volume pool does not use the pool format type element. - </p> - - <h3>Valid iSCSI direct volume format types</h3> - <p> - The iSCSI direct volume pool does not use the volume format type element. - </p> - - <h2><a id="StorageBackendSCSI">SCSI pool</a></h2> - <p> - This provides a pool based on a SCSI HBA. Volumes are preexisting SCSI - LUNs, and cannot be created via the libvirt APIs. Since /dev/XXX names - aren't generally stable, it is recommended to configure the pool - to use <code>/dev/disk/by-path</code> or <code>/dev/disk/by-id</code> - for the target path. These provide persistent stable naming for LUNs - <span class="since">Since 0.6.2</span> - </p> - - <h3>Example SCSI pool input</h3> - <pre> -<pool type="scsi"> - <name>virtimages</name> - <source> - <adapter name="host0"/> - </source> - <target> - <path>/dev/disk/by-path</path> - </target> -</pool></pre> - - <h3>Valid SCSI pool format types</h3> - <p> - The SCSI volume pool does not use the pool format type element. - </p> - - <h3>Valid SCSI volume format types</h3> - <p> - The SCSI volume pool does not use the volume format type element. - </p> - - <h2><a id="StorageBackendMultipath">Multipath pool</a></h2> - <p> - This provides a pool that contains all the multipath devices on the - host. Therefore, only one Multipath pool may be configured per host. - Volume creating is not supported via the libvirt APIs. - The target element is actually ignored, but one is required to appease - the libvirt XML parser.<br/> - <br/> - Configuring multipathing is not currently supported, this just covers - the case where users want to discover all the available multipath - devices, and assign them to guests. - <span class="since">Since 0.7.1</span> - </p> - - <h3>Example multipath pool input</h3> - <pre> -<pool type="mpath"> - <name>virtimages</name> - <target> - <path>/dev/mapper</path> - </target> -</pool></pre> - - <h3>Valid multipath pool format types</h3> - <p> - The Multipath volume pool does not use the pool format type element. - </p> - - <h3>Valid multipath volume format types</h3> - <p> - The Multipath volume pool does not use the volume format type element. - </p> - - <h2><a id="StorageBackendRBD">RBD pool</a></h2> - <p> - This storage driver provides a pool which contains all RBD - images in a RADOS pool. RBD (RADOS Block Device) is part - of the Ceph distributed storage project.<br/> - This backend <i>only</i> supports QEMU with RBD support. Kernel RBD - which exposes RBD devices as block devices in /dev is <i>not</i> - supported. RBD images created with this storage backend - can be accessed through kernel RBD if configured manually, but - this backend does not provide mapping for these images.<br/> - Images created with this backend can be attached to QEMU guests - when QEMU is build with RBD support (Since QEMU 0.14.0). The - backend supports cephx authentication for communication with the - Ceph cluster. Storing the cephx authentication key is done with - the libvirt secret mechanism. The UUID in the example pool input - refers to the UUID of the stored secret.<br /> - The port attribute for a Ceph monitor does not have to be provided. - If not provided librados will use the default Ceph monitor port. - <span class="since">Since 0.9.13</span> - </p> - - <h3>Example RBD pool input</h3> - <pre> -<pool type="rbd"> - <name>myrbdpool</name> - <source> - <name>rbdpool</name> - <host name='1.2.3.4'/> - <host name='my.ceph.monitor'/> - <host name='third.ceph.monitor' port='6789'/> - <auth username='admin' type='ceph'> - <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/> - </auth> - </source> -</pool></pre> - - <h3>Example RBD volume output</h3> - <pre> -<volume> - <name>myvol</name> - <key>rbd/myvol</key> - <source> - </source> - <capacity unit='bytes'>53687091200</capacity> - <allocation unit='bytes'>53687091200</allocation> - <target> - <path>rbd:rbd/myvol</path> - <format type='unknown'/> - <permissions> - <mode>00</mode> - <owner>0</owner> - <group>0</group> - </permissions> - </target> -</volume></pre> - - <h3>Example RBD disk attachment</h3> - <p>RBD images can be attached to QEMU guests when QEMU is built - with RBD support. Information about attaching a RBD image to a - guest can be found - at <a href="formatdomain.html#elementsDisks">format domain</a> - page.</p> - - <h3>Valid RBD pool format types</h3> - <p> - The RBD pool does not use the pool format type element. - </p> - - <h3>Valid RBD volume format types</h3> - <p> - Only raw volumes are supported. - </p> - - <h2><a id="StorageBackendSheepdog">Sheepdog pool</a></h2> - <p> - This provides a pool based on a Sheepdog Cluster. - Sheepdog is a distributed storage system for QEMU/KVM. - It provides highly available block level storage volumes that - can be attached to QEMU/KVM virtual machines. - - The cluster must already be formatted. - - <span class="since">Since 0.9.13</span> - </p> - - <h3>Example Sheepdog pool input</h3> - <pre> -<pool type="sheepdog"> - <name>mysheeppool</name> - <source> - <name>mysheeppool</name> - <host name='localhost' port='7000'/> - </source> -</pool></pre> - - <h3>Example Sheepdog volume output</h3> - <pre> -<volume> - <name>myvol</name> - <key>sheep/myvol</key> - <source> - </source> - <capacity unit='bytes'>53687091200</capacity> - <allocation unit='bytes'>53687091200</allocation> - <target> - <path>sheepdog:myvol</path> - <format type='unknown'/> - <permissions> - <mode>00</mode> - <owner>0</owner> - <group>0</group> - </permissions> - </target> -</volume></pre> - - <h3>Example Sheepdog disk attachment</h3> - <p>Sheepdog images can be attached to QEMU guests. - Information about attaching a Sheepdog image to a - guest can be found - at the <a href="formatdomain.html#elementsDisks">format domain</a> - page.</p> - - <h3>Valid Sheepdog pool format types</h3> - <p> - The Sheepdog pool does not use the pool format type element. - </p> - - <h3>Valid Sheepdog volume format types</h3> - <p> - The Sheepdog pool does not use the volume format type element. - </p> - - <h2><a id="StorageBackendGluster">Gluster pool</a></h2> - <p> - This provides a pool based on native Gluster access. Gluster is - a distributed file system that can be exposed to the user via - FUSE, NFS or SMB (see the <a href="#StorageBackendNetfs">netfs</a> - pool for that usage); but for minimal overhead, the ideal access - is via native access (only possible for QEMU/KVM compiled with - libgfapi support). - - The cluster and storage volume must already be running, and it - is recommended that the volume be configured with <code>gluster - volume set $volname storage.owner-uid=$uid</code> - and <code>gluster volume set $volname - storage.owner-gid=$gid</code> for the uid and gid that qemu will - be run as. It may also be necessary to - set <code>rpc-auth-allow-insecure on</code> for the glusterd - service, as well as <code>gluster set $volname - server.allow-insecure on</code>, to allow access to the gluster - volume. - - <span class="since">Since 1.2.0</span> - </p> - - <h3>Example Gluster pool input</h3> - <p>A gluster volume corresponds to a libvirt storage pool. If a - gluster volume could be mounted as <code>mount -t glusterfs - localhost:/volname /some/path</code>, then the following example - will describe the same pool without having to create a local - mount point. Remember that with gluster, the mount point can be - through any machine in the cluster, and gluster will - automatically pick the ideal transport to the actual bricks - backing the gluster volume, even if on a different host than the - one named in the <code>host</code> designation. - The <code><name></code> element is always the volume name - (no slash). The pool source also supports an - optional <code><dir></code> element with - a <code>path</code> attribute that lists the absolute name of a - subdirectory relative to the gluster volume to use instead of - the top-level directory of the volume.</p> - <pre> -<pool type="gluster"> - <name>myglusterpool</name> - <source> - <name>volname</name> - <host name='localhost'/> - <dir path='/'/> - </source> -</pool></pre> - - <h3>Example Gluster volume output</h3> - <p>Libvirt storage volumes associated with a gluster pool - correspond to the files that can be found when mounting the - gluster volume. The <code>name</code> is the path relative to - the effective mount specified for the pool; and - the <code>key</code> is a string that identifies a single volume - uniquely. Currently the <code>key</code> attribute consists of the - URI of the volume but it may be changed to a UUID of the volume - in the future.</p> - <pre> -<volume> - <name>myfile</name> - <key>gluster://localhost/volname/myfile</key> - <source> - </source> - <capacity unit='bytes'>53687091200</capacity> - <allocation unit='bytes'>53687091200</allocation> -</volume></pre> - - <h3>Example Gluster disk attachment</h3> - <p>Files within a gluster volume can be attached to QEMU guests. - Information about attaching a Gluster image to a - guest can be found - at the <a href="formatdomain.html#elementsDisks">format domain</a> - page.</p> - - <h3>Valid Gluster pool format types</h3> - <p> - The Gluster pool does not use the pool format type element. - </p> - - <h3>Valid Gluster volume format types</h3> - <p> - The valid volume types are the same as for the <code>directory</code> - pool type. - </p> - - <h2><a id="StorageBackendZFS">ZFS pool</a></h2> - <p> - This provides a pool based on the ZFS filesystem. Initially it was developed - for FreeBSD, and <span class="since">since 1.3.2</span> experimental support - for <a href="https://zfsonlinux.org/">ZFS on Linux</a> version 0.6.4 or newer - is available. - </p> - - <p>A pool could either be created manually using the <code>zpool create</code> - command and its name specified in the source section or <span class="since"> - since 1.2.9</span> source devices could be specified to create a pool using - libvirt. - </p> - - <p>Please refer to the ZFS documentation for details on a pool creation.</p> - - <p><span class="since">Since 1.2.8</span></p>. - - <h3>Example ZFS pool input</h3> - <pre> -<pool type="zfs"> - <name>myzfspool</name> - <source> - <name>zpoolname</name> - <device path="/dev/ada1"/> - <device path="/dev/ada2"/> - </source> -</pool></pre> - - <h3>Valid ZFS pool format types</h3> - <p> - The ZFS volume pool does not use the pool format type element. - </p> - - <h3>Valid ZFS volume format types</h3> - <p> - The ZFS volume pool does not use the volume format type element. - </p> - <h2><a id="StorageBackendVstorage">Vstorage pool</a></h2> - <p> - This provides a pool based on Virtuozzo storage. Virtuozzo Storage is - a highly available distributed software-defined storage with built-in - replication and disaster recovery. More detailed information about - Virtuozzo storage and its management can be found here: - - <a href="https://openvz.org/Virtuozzo_Storage">Virtuozzo Storage</a>). - </p> - <p>Please refer to the Virtuozzo Storage documentation for details - on storage management and usage.</p> - <h3>Example vstorage pool input</h3> - <p>In order to create storage pool with Virtuozzo Storage backend you - have to provide cluster name and be authorized within the cluster.</p> - <pre> -<pool type="vstorage"> - <name>myvstoragepool</name> - <source> - <name>clustername</name> - </source> - <target> - <path>/mnt/clustername</path> - </target> -</pool></pre> - - <h3>Valid vstorage pool format types</h3> - <p> - The Vstorage volume pool does not use the pool format type element. - </p> - - <h3>Valid vstorage volume format types</h3> - <p>The valid volume types are the same as for the directory pool.</p> - </body> -</html> diff --git a/docs/storage.rst b/docs/storage.rst new file mode 100644 index 0000000000..b860648628 --- /dev/null +++ b/docs/storage.rst @@ -0,0 +1,790 @@ +.. role:: since + +================== +Storage Management +================== + +Libvirt provides storage management on the physical host through storage pools +and volumes. + +A storage pool is a quantity of storage set aside by an administrator, often a +dedicated storage administrator, for use by virtual machines. Storage pools are +divided into storage volumes either by the storage administrator or the system +administrator, and the volumes are assigned to VMs as block devices. + +For example, the storage administrator responsible for an NFS server creates a +share to store virtual machines' data. The system administrator defines a pool +on the virtualization host with the details of the share (e.g. +nfs.example.com:/path/to/share should be mounted on /vm_data). When the pool is +started, libvirt mounts the share on the specified directory, just as if the +system administrator logged in and executed 'mount +nfs.example.com:/path/to/share /vmdata'. If the pool is configured to autostart, +libvirt ensures that the NFS share is mounted on the directory specified when +libvirt is started. + +Once the pool is started, the files in the NFS share are reported as volumes, +and the storage volumes' paths may be queried using the libvirt APIs. The +volumes' paths can then be copied into the section of a VM's XML definition +describing the source storage for the VM's block devices. In the case of NFS, an +application using the libvirt APIs can create and delete volumes in the pool +(files in the NFS share) up to the limit of the size of the pool (the storage +capacity of the share). Not all pool types support creating and deleting +volumes. Stopping the pool (somewhat unfortunately referred to by virsh and the +API as "pool-destroy") undoes the start operation, in this case, unmounting the +NFS share. The data on the share is not modified by the destroy operation, +despite the name. See man virsh for more details. + +A second example is an iSCSI pool. A storage administrator provisions an iSCSI +target to present a set of LUNs to the host running the VMs. When libvirt is +configured to manage that iSCSI target as a pool, libvirt will ensure that the +host logs into the iSCSI target and libvirt can then report the available LUNs +as storage volumes. The volumes' paths can be queried and used in VM's XML +definitions as in the NFS example. In this case, the LUNs are defined on the +iSCSI server, and libvirt cannot create and delete volumes. + +Storage pools and volumes are not required for the proper operation of VMs. +Pools and volumes provide a way for libvirt to ensure that a particular piece of +storage will be available for a VM, but some administrators will prefer to +manage their own storage and VMs will operate properly without any pools or +volumes defined. On systems that do not use pools, system administrators must +ensure the availability of the VMs' storage using whatever tools they prefer, +for example, adding the NFS share to the host's fstab so that the share is +mounted at boot time. + +If at this point the value of pools and volumes over traditional system +administration tools is unclear, note that one of the features of libvirt is its +remote protocol, so it's possible to manage all aspects of a virtual machine's +lifecycle as well as the configuration of the resources required by the VM. +These operations can be performed on a remote host entirely within the libvirt +API. In other words, a management application using libvirt can enable a user to +perform all the required tasks for configuring the host for a VM: allocating +resources, running the VM, shutting it down and deallocating the resources, +without requiring shell access or any other control channel. + +Libvirt supports the following storage pool types: + +.. contents:: + +Directory pool +-------------- + +A pool with a type of ``dir`` provides the means to manage files within a +directory. The files can be fully allocated raw files, sparsely allocated raw +files, or one of the special disk formats such as ``qcow2``, ``vmdk``, etc as +supported by the ``qemu-img`` program. If the directory does not exist at the +time the pool is defined, the ``build`` operation can be used to create it. + +Example directory pool input definition +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="dir"> + <name>virtimages</name> + <target> + <path>/var/lib/virt/images</path> + </target> + </pool> + +Valid directory pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The directory pool does not use the pool format type element. + +Valid directory volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +One of the following options: + +- ``raw``: a plain file + +- ``bochs``: Bochs disk image format + +- ``cloop``: compressed loopback disk image format + +- ``cow``: User Mode Linux disk image format + +- ``dmg``: Mac disk image format + +- ``iso``: CDROM disk image format + +- ``qcow``: QEMU v1 disk image format + +- ``qcow2``: QEMU v2 disk image format + +- ``qed``: QEMU Enhanced Disk image format + +- ``vmdk``: VMware disk image format + +- ``vpc``: VirtualPC disk image format + +When listing existing volumes all these formats are supported natively. When +creating new volumes, only a subset may be available. The ``raw`` type is +guaranteed always available. The ``qcow2`` type can be created if the +``qemu-img`` tool is present. The others are dependent on support of the +``qemu-img`` tool. + +Filesystem pool +--------------- + +This is a variant of the directory pool. Instead of creating a directory on an +existing mounted filesystem though, it expects a source block device to be +named. This block device will be mounted and files managed in the directory of +its mount point. It will default to allowing the kernel to automatically +discover the filesystem type, though it can be specified manually if required. + +Example filesystem pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="fs"> + <name>virtimages</name> + <source> + <device path="/dev/VolGroup00/VirtImages"/> + </source> + <target> + <path>/var/lib/virt/images</path> + </target> + </pool> + +Valid filesystem pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The filesystem pool supports the following formats: + +- ``auto`` - automatically determine format + +- ``ext2`` + +- ``ext3`` + +- ``ext4`` + +- ``ufs`` + +- ``iso9660`` + +- ``udf`` + +- ``gfs`` + +- ``gfs2`` + +- ``vfat`` + +- ``hfs+`` + +- ``xfs`` + +- ``ocfs2`` + +- ``vmfs`` + +Valid filesystem volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The valid volume types are the same as for the ``directory`` pool type. + +Network filesystem pool +----------------------- + +This is a variant of the filesystem pool. Instead of requiring a local block +device as the source, it requires the name of a host and path of an exported +directory. It will mount this network filesystem and manage files within the +directory of its mount point. It will default to using ``auto`` as the protocol, +which generally tries a mount via NFS first. + +Example network filesystem pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="netfs"> + <name>virtimages</name> + <source> + <host name="nfs.example.com"/> + <dir path="/var/lib/virt/images"/> + <format type='nfs'/> + </source> + <target> + <path>/var/lib/virt/images</path> + </target> + </pool> + +Valid network filesystem pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The network filesystem pool supports the following formats: + +- ``auto`` - automatically determine format + +- ``nfs`` + +- ``glusterfs`` - use the glusterfs FUSE file system. For now, the ``dir`` + specified as the source can only be a gluster volume name, as gluster does + not provide a way to directly mount subdirectories within a volume. (To + bypass the file system completely, see the `Gluster pool`_). + +- ``cifs`` - use the SMB (samba) or CIFS file system. The mount will use "-o + guest" to mount the directory anonymously. + +Valid network filesystem volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The valid volume types are the same as for the ``directory`` pool type. + +Logical volume pool +------------------- + +This provides a pool based on an LVM volume group. For a pre-defined LVM volume +group, simply providing the group name is sufficient, while to build a new group +requires providing a list of source devices to serve as physical volumes. +Volumes will be allocated by carving out chunks of storage from the volume +group. + +Example logical pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="logical"> + <name>HostVG</name> + <source> + <device path="/dev/sda1"/> + <device path="/dev/sdb1"/> + <device path="/dev/sdc1"/> + </source> + <target> + <path>/dev/HostVG</path> + </target> + </pool> + +Valid logical pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The logical volume pool supports only the ``lvm2`` format, although not +supplying a format value will result in automatic selection of the\ ``lvm2`` +format. + +Valid logical volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The logical volume pool does not use the volume format type element. + +Disk pool +--------- + +This provides a pool based on a physical disk. Volumes are created by adding +partitions to the disk. Disk pools have constraints on the size and placement of +volumes. The 'free extents' information will detail the regions which are +available for creating new volumes. A volume cannot span across two different +free extents. It will default to using ``dos`` as the pool source format. + +Example disk pool input +~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="disk"> + <name>sda</name> + <source> + <device path='/dev/sda'/> + </source> + <target> + <path>/dev</path> + </target> + </pool> + +Valid disk pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The disk volume pool accepts the following pool format types, representing the +common partition table types: + +- ``dos`` + +- ``dvh`` + +- ``gpt`` + +- ``mac`` + +- ``bsd`` + +- ``pc98`` + +- ``sun`` + +- ``lvm2`` + +The formats ``dos`` ("msdos" in parted terminology, good for BIOS systems) or +``gpt`` (good for UEFI systems) are recommended for best portability - the +latter is needed for disks larger than 2TB. Note that the ``lvm2`` format refers +to the physical volume format (i.e. the whole disk is a physical volume - not +the usual usage of LVM where physical volumes are partitions). This is not +really a partition table and such pool cannot be built by libvirt, only +detected. + +Building a pool of a certain format depends on its availability in ``parted``. + +Valid disk volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The disk volume pool accepts the following volume format types, representing the +common partition entry types: + +- ``none`` + +- ``linux`` + +- ``fat16`` + +- ``fat32`` + +- ``linux-swap`` + +- ``linux-lvm`` + +- ``linux-raid`` + +- ``extended`` + +iSCSI pool +---------- + +This provides a pool based on an iSCSI target. Volumes must be pre-allocated on +the iSCSI server, and cannot be created via the libvirt APIs. Since /dev/XXX +names may change each time libvirt logs into the iSCSI target, it is recommended +to configure the pool to use ``/dev/disk/by-path`` or ``/dev/disk/by-id`` for +the target path. These provide persistent stable naming for LUNs + +The libvirt iSCSI storage backend does not resolve the provided host name or IP +address when finding the available target IQN's on the host; therefore, defining +two pools to use the same IQN on the same host will fail the duplicate source +pool checks. + +Example iSCSI pool input +~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="iscsi"> + <name>virtimages</name> + <source> + <host name="iscsi.example.com"/> + <device path="iqn.2013-06.com.example:iscsi-pool"/> + </source> + <target> + <path>/dev/disk/by-path</path> + </target> + </pool> + +Valid iSCSI pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The iSCSI volume pool does not use the pool format type element. + +Valid iSCSI volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The iSCSI volume pool does not use the volume format type element. + +iSCSI direct pool +----------------- + +This is a variant of the iSCSI pool. Instead of using iscsiadm, it uses +libiscsi. It requires a host, a path which is the target IQN, and an initiator +IQN. + +Example iSCSI direct pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="iscsi-direct"> + <name>virtimages</name> + <source> + <host name="iscsi.example.com"/> + <device path="iqn.2013-06.com.example:iscsi-pool"/> + <initiator> + <iqn name="iqn.2013-06.com.example:iscsi-initiator"/> + </initiator> + </source> + </pool> + +Valid iSCSI direct pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The iSCSI direct volume pool does not use the pool format type element. + +Valid iSCSI direct volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The iSCSI direct volume pool does not use the volume format type element. + +SCSI pool +--------- + +This provides a pool based on a SCSI HBA. Volumes are preexisting SCSI LUNs, and +cannot be created via the libvirt APIs. Since /dev/XXX names aren't generally +stable, it is recommended to configure the pool to use ``/dev/disk/by-path`` or +``/dev/disk/by-id`` for the target path. These provide persistent stable naming +for LUNs :since:`Since 0.6.2` + +Example SCSI pool input +~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="scsi"> + <name>virtimages</name> + <source> + <adapter name="host0"/> + </source> + <target> + <path>/dev/disk/by-path</path> + </target> + </pool> + +Valid SCSI pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SCSI volume pool does not use the pool format type element. + +Valid SCSI volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The SCSI volume pool does not use the volume format type element. + +Multipath pool +-------------- + +This provides a pool that contains all the multipath devices on the host. +Therefore, only one Multipath pool may be configured per host. Volume creating +is not supported via the libvirt APIs. The target element is actually ignored, +but one is required to appease the libvirt XML parser. + +Configuring multipathing is not currently supported, this just covers the case +where users want to discover all the available multipath devices, and assign +them to guests. :since:`Since 0.7.1` + +Example multipath pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="mpath"> + <name>virtimages</name> + <target> + <path>/dev/mapper</path> + </target> + </pool> + +Valid multipath pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Multipath volume pool does not use the pool format type element. + +Valid multipath volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Multipath volume pool does not use the volume format type element. + +RBD pool +-------- + +This storage driver provides a pool which contains all RBD images in a RADOS +pool. RBD (RADOS Block Device) is part of the Ceph distributed storage project. + +This backend *only* supports QEMU with RBD support. Kernel RBD which exposes RBD +devices as block devices in /dev is *not* supported. RBD images created with +this storage backend can be accessed through kernel RBD if configured manually, +but this backend does not provide mapping for these images. + +Images created with this backend can be attached to QEMU guests when QEMU is +build with RBD support (Since QEMU 0.14.0). The backend supports cephx +authentication for communication with the Ceph cluster. Storing the cephx +authentication key is done with the libvirt secret mechanism. The UUID in the +example pool input refers to the UUID of the stored secret. + +The port attribute for a Ceph monitor does not have to be provided. If not +provided librados will use the default Ceph monitor port. :since:`Since 0.9.13` + +Example RBD pool input +~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="rbd"> + <name>myrbdpool</name> + <source> + <name>rbdpool</name> + <host name='1.2.3.4'/> + <host name='my.ceph.monitor'/> + <host name='third.ceph.monitor' port='6789'/> + <auth username='admin' type='ceph'> + <secret uuid='2ec115d7-3a88-3ceb-bc12-0ac909a6fd87'/> + </auth> + </source> + </pool> + +Example RBD volume output +~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <volume> + <name>myvol</name> + <key>rbd/myvol</key> + <source> + </source> + <capacity unit='bytes'>53687091200</capacity> + <allocation unit='bytes'>53687091200</allocation> + <target> + <path>rbd:rbd/myvol</path> + <format type='unknown'/> + <permissions> + <mode>00</mode> + <owner>0</owner> + <group>0</group> + </permissions> + </target> + </volume> + +Example RBD disk attachment +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +RBD images can be attached to QEMU guests when QEMU is built with RBD support. +Information about attaching a RBD image to a guest can be found at `format +domain <formatdomain.html#elementsDisks>`__ page. + +Valid RBD pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The RBD pool does not use the pool format type element. + +Valid RBD volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Only raw volumes are supported. + +Sheepdog pool +------------- + +This provides a pool based on a Sheepdog Cluster. Sheepdog is a distributed +storage system for QEMU/KVM. It provides highly available block level storage +volumes that can be attached to QEMU/KVM virtual machines. The cluster must +already be formatted. :since:`Since 0.9.13` + +Example Sheepdog pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="sheepdog"> + <name>mysheeppool</name> + <source> + <name>mysheeppool</name> + <host name='localhost' port='7000'/> + </source> + </pool> + +Example Sheepdog volume output +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <volume> + <name>myvol</name> + <key>sheep/myvol</key> + <source> + </source> + <capacity unit='bytes'>53687091200</capacity> + <allocation unit='bytes'>53687091200</allocation> + <target> + <path>sheepdog:myvol</path> + <format type='unknown'/> + <permissions> + <mode>00</mode> + <owner>0</owner> + <group>0</group> + </permissions> + </target> + </volume> + +Example Sheepdog disk attachment +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Sheepdog images can be attached to QEMU guests. Information about attaching a +Sheepdog image to a guest can be found at the `format +domain <formatdomain.html#elementsDisks>`__ page. + +Valid Sheepdog pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Sheepdog pool does not use the pool format type element. + +Valid Sheepdog volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Sheepdog pool does not use the volume format type element. + +Gluster pool +------------ + +This provides a pool based on native Gluster access. Gluster is a distributed +file system that can be exposed to the user via FUSE, NFS or SMB (see the +`Network filesystem pool`_ for that usage); but for minimal overhead, +the ideal access is via native access (only possible for QEMU/KVM compiled with +libgfapi support). The cluster and storage volume must already be running, and +it is recommended that the volume be configured with +``gluster volume set $volname storage.owner-uid=$uid`` and +``gluster volume set $volname storage.owner-gid=$gid`` for the uid and gid +that qemu will be run as. It may also be necessary to set +``rpc-auth-allow-insecure on`` for the glusterd service, as well as +``gluster set $volname server.allow-insecure on``, to allow access to the +gluster volume. :since:`Since 1.2.0` + +Example Gluster pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +A gluster volume corresponds to a libvirt storage pool. If a gluster volume +could be mounted as ``mount -t glusterfs localhost:/volname /some/path``, +then the following example will describe the same pool without having to create +a local mount point. Remember that with gluster, the mount point can be through +any machine in the cluster, and gluster will automatically pick the ideal +transport to the actual bricks backing the gluster volume, even if on a +different host than the one named in the ``host`` designation. The ``<name>`` +element is always the volume name (no slash). The pool source also supports an +optional ``<dir>`` element with a ``path`` attribute that lists the absolute +name of a subdirectory relative to the gluster volume to use instead of the +top-level directory of the volume. + +:: + + <pool type="gluster"> + <name>myglusterpool</name> + <source> + <name>volname</name> + <host name='localhost'/> + <dir path='/'/> + </source> + </pool> + +Example Gluster volume output +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Libvirt storage volumes associated with a gluster pool correspond to the files +that can be found when mounting the gluster volume. The ``name`` is the path +relative to the effective mount specified for the pool; and the ``key`` is a +string that identifies a single volume uniquely. Currently the ``key`` attribute +consists of the URI of the volume but it may be changed to a UUID of the volume +in the future. + +:: + + <volume> + <name>myfile</name> + <key>gluster://localhost/volname/myfile</key> + <source> + </source> + <capacity unit='bytes'>53687091200</capacity> + <allocation unit='bytes'>53687091200</allocation> + </volume> + +Example Gluster disk attachment +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Files within a gluster volume can be attached to QEMU guests. Information about +attaching a Gluster image to a guest can be found at the `format +domain <formatdomain.html#elementsDisks>`__ page. + +Valid Gluster pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Gluster pool does not use the pool format type element. + +Valid Gluster volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The valid volume types are the same as for the ``directory`` pool type. + +ZFS pool +-------- + +This provides a pool based on the ZFS filesystem. Initially it was developed for +FreeBSD, and :since:`since 1.3.2` experimental support for `ZFS on +Linux <https://zfsonlinux.org/>`__ version 0.6.4 or newer is available. + +A pool could either be created manually using the ``zpool create`` command and +its name specified in the source section or :since:` since 1.2.9` source devices +could be specified to create a pool using libvirt. + +Please refer to the ZFS documentation for details on a pool creation. + +:since:`Since 1.2.8` + +Example ZFS pool input +~~~~~~~~~~~~~~~~~~~~~~ + +:: + + <pool type="zfs"> + <name>myzfspool</name> + <source> + <name>zpoolname</name> + <device path="/dev/ada1"/> + <device path="/dev/ada2"/> + </source> + </pool> + +Valid ZFS pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ZFS volume pool does not use the pool format type element. + +Valid ZFS volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The ZFS volume pool does not use the volume format type element. + +Vstorage pool +------------- + +This provides a pool based on Virtuozzo storage. Virtuozzo Storage is a highly +available distributed software-defined storage with built-in replication and +disaster recovery. More detailed information about Virtuozzo storage and its +management can be found here: `Virtuozzo +Storage <https://openvz.org/Virtuozzo_Storage>`__). + +Please refer to the Virtuozzo Storage documentation for details on storage +management and usage. + +Example vstorage pool input +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In order to create storage pool with Virtuozzo Storage backend you have to +provide cluster name and be authorized within the cluster. + +:: + + <pool type="vstorage"> + <name>myvstoragepool</name> + <source> + <name>clustername</name> + </source> + <target> + <path>/mnt/clustername</path> + </target> + </pool> + +Valid vstorage pool format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The Vstorage volume pool does not use the pool format type element. + +Valid vstorage volume format types +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The valid volume types are the same as for the directory pool. -- 2.35.1

Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/kbase/tlscerts.rst | 4 +- docs/meson.build | 2 +- docs/remote.html.in | 297 ---------------------------------------- docs/remote.rst | 219 +++++++++++++++++++++++++++++ 4 files changed, 222 insertions(+), 300 deletions(-) delete mode 100644 docs/remote.html.in create mode 100644 docs/remote.rst diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index c6636770e6..962253e853 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -89,7 +89,7 @@ clients. There are two distinct checks involved: - The server should know that only permitted clients are connecting. This can be done based on client's IP address, or on client's IP address and client's certificate. Checking done by the server. May be enabled and disabled in the - `libvirtd.conf file <remote.html#Remote_libvirtd_configuration>`__. + `libvirtd.conf file <remote.html#libvirtd-configuration-file>`__. For full certificate checking you will need to have certificates issued by a recognised `Certificate Authority @@ -99,7 +99,7 @@ CA, you can set up your own CA and tell your server(s) and clients to trust certificates issues by your own CA. Follow the instructions in the next section. Be aware that the `default configuration for -libvirtd <remote.html#Remote_libvirtd_configuration>`__ allows any client to +libvirtd <remote.html#libvirtd-configuration-file>`__ allows any client to connect provided they have a valid certificate issued by the CA for their own IP address. You may want to change this to make it less (or more) permissive, depending on your needs. diff --git a/docs/meson.build b/docs/meson.build index a18def58a4..aa866bec51 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -19,7 +19,6 @@ docs_assets = [ docs_html_in_files = [ 'index', - 'remote', 'uri', ] @@ -97,6 +96,7 @@ docs_rst_files = [ 'platforms', 'programming-languages', 'python', + 'remote', 'securityprocess', 'storage', 'strategy', diff --git a/docs/remote.html.in b/docs/remote.html.in deleted file mode 100644 index 3a5258a0d5..0000000000 --- a/docs/remote.html.in +++ /dev/null @@ -1,297 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1 >Remote support</h1> - <p> -Libvirt allows you to access hypervisors running on remote -machines through authenticated and encrypted connections. -</p> - <ul id="toc"></ul> - - <h2> - <a id="Remote_basic_usage">Basic usage</a> - </h2> - <p> -On the remote machine, <code>libvirtd</code> should be running in general. -See <a href="#Remote_libvirtd_configuration">the section -on configuring libvirtd</a> for more information. -</p> - <p> - Not all hypervisors supported by libvirt require a running - <code>libvirtd</code>. If you want to connect to a VMware ESX/ESXi or - GSX server then <code>libvirtd</code> is not necessary. See the - <a href="drvesx.html">VMware ESX page</a> for details. - </p> - <p> -To tell libvirt that you want to access a remote resource, -you should supply a hostname in the normal <a href="uri.html">URI</a> that is passed -to <code>virConnectOpen</code> (or <code>virsh -c ...</code>). -For example, if you normally use <code>qemu:///system</code> -to access the system-wide QEMU daemon, then to access -the system-wide QEMU daemon on a remote machine called -<code>compute1.libvirt.org</code> you would use -<code>qemu://compute1.libvirt.org/system</code>. -</p> - <p> -The <a href="uri.html#URI_remote">section on remote URIs</a> -describes in more detail these remote URIs. -</p> - <p> -From an API point of view, apart from the change in URI, the -API should behave the same. For example, ordinary calls -are routed over the remote connection transparently, and -values or errors from the remote side are returned to you -as if they happened locally. Some differences you may notice: -</p> - <ul> - <li> Additional errors can be generated, specifically ones -relating to failures in the remote transport itself. </li> - <li> Remote calls are handled synchronously, so they will be -much slower than, say, direct hypervisor calls. </li> - </ul> - <h2> - <a id="Remote_transports">Transports</a> - </h2> - <p> -Remote libvirt supports a range of transports: -</p> - <dl> - <dt><code>tls</code></dt> - <dd><a href="https://en.wikipedia.org/wiki/Transport_Layer_Security" title="Transport Layer Security">TLS</a> - 1.0 (SSL 3.1) authenticated and encrypted TCP/IP socket, usually - listening on a public port number. To use this you will need to - <a href="kbase/tlscerts.html" title="Generating TLS certificates">generate client and - server certificates</a>. - The standard port is 16514. - </dd> - <dt><code>unix</code></dt> - <dd> Unix domain socket. Since this is only accessible on the - local machine, it is not encrypted, and uses Unix permissions or - SELinux for authentication. - The standard socket names are - <code>/var/run/libvirt/libvirt-sock</code> and - <code>/var/run/libvirt/libvirt-sock-ro</code> (the latter - for read-only connections). - </dd> - <dt><code>ssh</code></dt> - <dd> Transported over an ordinary - <a href="https://www.openssh.com/" title="OpenSSH homepage">ssh - (secure shell)</a> connection. - Requires <a href="http://netcat.sourceforge.net/">Netcat (nc)</a> - installed and libvirtd should be running - on the remote machine. You should use some sort of - ssh key management (eg. - <a href="http://mah.everybody.org/docs/ssh" title="Using ssh-agent with ssh">ssh-agent</a>) - otherwise programs which use - this transport will stop to ask for a password. </dd> - <dt><code>ext</code></dt> - <dd> Any external program which can make a connection to the - remote machine by means outside the scope of libvirt. </dd> - <dt><code>tcp</code></dt> - <dd> Unencrypted TCP/IP socket. Not recommended for production - use, this is normally disabled, but an administrator can enable - it for testing or use over a trusted network. - The standard port is 16509. </dd> - <dt><code>libssh2</code></dt> - <dd> Transport over the SSH protocol using - <a href="https://libssh2.org/" title="libssh2 homepage">libssh2</a> instead -of the OpenSSH binary. This transport uses the libvirt authentication callback for -all ssh authentication calls and therefore supports keyboard-interactive authentication -even with graphical management applications. As with the classic ssh transport -netcat is required on the remote side.</dd> - <dt><code>libssh</code></dt> - <dd> Transport over the SSH protocol using - <a href="https://libssh.org/" title="libssh homepage">libssh</a> instead -of the OpenSSH binary. This transport uses the libvirt authentication callback for -all ssh authentication calls and therefore supports keyboard-interactive authentication -even with graphical management applications. As with the classic ssh transport -netcat is required on the remote side.</dd> - </dl> - <p> - The choice of transport is determined by the <a href="uri.html#URI_remote">URI scheme</a>, - with <code>tls</code> as the default if no explicit transport is requested. - </p> - <h2> - <a id="Remote_libvirtd_configuration">libvirtd configuration file</a> - </h2> - <p> -Libvirtd (the remote daemon) is configured from a file called -<code>/etc/libvirt/libvirtd.conf</code>, or specified on -the command line using <code>-f filename</code> or -<code>--config filename</code>. -</p> - <p> -This file should contain lines of the form below. -Blank lines and comments beginning with <code>#</code> are ignored. -</p> - <pre>setting = value</pre> - <p>The following settings, values and default are:</p> - <table class="top_table"> - <tr> - <th> Line </th> - <th> Default </th> - <th> Meaning </th> - </tr> - <tr> - <td> listen_tls <i>[0|1]</i> </td> - <td> 1 (on) </td> - <td> - Listen for secure TLS connections on the public TCP/IP port. - Note: it is also necessary to start the server in listening mode - by running it with --listen or adding a LIBVIRTD_ARGS="--listen" - line to /etc/sysconfig/libvirtd. -</td> - </tr> - <tr> - <td> listen_tcp <i>[0|1]</i> </td> - <td> 0 (off) </td> - <td> - Listen for unencrypted TCP connections on the public TCP/IP port. - Note: it is also necessary to start the server in listening mode. -</td> - </tr> - <tr> - <td> tls_port <i>"service"</i> </td> - <td> "16514" </td> - <td> - The port number or service name to listen on for secure TLS connections. -</td> - </tr> - <tr> - <td> tcp_port <i>"service"</i> </td> - <td> "16509" </td> - <td> - The port number or service name to listen on for unencrypted TCP connections. -</td> - </tr> - <tr> - <td> unix_sock_group <i>"groupname"</i> </td> - <td> "root" </td> - <td> - The UNIX group to own the UNIX domain socket. If the socket permissions allow - group access, then applications running under matching group can access the - socket. Only valid if running as root -</td> - </tr> - <tr> - <td> unix_sock_ro_perms <i>"octal-perms"</i> </td> - <td> "0777" </td> - <td> - The permissions for the UNIX domain socket for read-only client connections. - The default allows any user to monitor domains. -</td> - </tr> - <tr> - <td> unix_sock_rw_perms <i>"octal-perms"</i> </td> - <td> "0700" </td> - <td> - The permissions for the UNIX domain socket for read-write client connections. - The default allows only root to manage domains. -</td> - </tr> - <tr> - <td> tls_no_verify_certificate <i>[0|1]</i> </td> - <td> 0 (certificates are verified) </td> - <td> - If set to 1 then if a client certificate check fails, it is not an error. -</td> - </tr> - <tr> - <td> tls_no_verify_address <i>[0|1]</i> </td> - <td> 0 (addresses are verified) </td> - <td> - If set to 1 then if a client IP address check fails, it is not an error. -</td> - </tr> - <tr> - <td> key_file <i>"filename"</i> </td> - <td> "/etc/pki/libvirt/ private/serverkey.pem" </td> - <td> - Change the path used to find the server's private key. - If you set this to an empty string, then no private key is loaded. -</td> - </tr> - <tr> - <td> cert_file <i>"filename"</i> </td> - <td> "/etc/pki/libvirt/ servercert.pem" </td> - <td> - Change the path used to find the server's certificate. - If you set this to an empty string, then no certificate is loaded. -</td> - </tr> - <tr> - <td> ca_file <i>"filename"</i> </td> - <td> "/etc/pki/CA/cacert.pem" </td> - <td> - Change the path used to find the trusted CA certificate. - If you set this to an empty string, then no trusted CA certificate is loaded. -</td> - </tr> - <tr> - <td> crl_file <i>"filename"</i> </td> - <td> (no CRL file is used) </td> - <td> - Change the path used to find the CA certificate revocation list (CRL) file. - If you set this to an empty string, then no CRL is loaded. -</td> - </tr> - <tr> - <td> tls_allowed_dn_list ["DN1", "DN2"] </td> - <td> (none - DNs are not checked) </td> - <td> - <p> - Enable an access control list of client certificate Distinguished - Names (DNs) which can connect to the TLS port on this server. - </p> - <p> - The default is that DNs are not checked. - </p> - <p> - This list may contain wildcards such as <code>"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"</code> - Any * matches in the string matches any number of consecutive characters, - like a simplified <code>glob(7)</code>. - </p> - <p> - Note that if this is an empty list, <i>no client can connect</i>. - </p> - <p> - Note also that GnuTLS returns DNs without spaces - after commas between the fields (and this is what we check against), - but the <code>openssl x509</code> tool shows spaces. - </p> - To make it easy to see the order of the fields in the DN a helper executable - <code>virt-pki-query-dn</code> is provided for this particular use case. - <p> -</p> - </td> - </tr> - </table> - <h2> - <a id="Remote_IPv6">IPv6 support</a> - </h2> - <p> -The libvirtd service and libvirt remote client driver both use the -<code>getaddrinfo()</code> functions for name resolution and are -thus fully IPv6 enabled. ie, if a server has IPv6 address configured -the daemon will listen for incoming connections on both IPv4 and IPv6 -protocols. If a client has an IPv6 address configured and the DNS -address resolved for a service is reachable over IPv6, then an IPv6 -connection will be made, otherwise IPv4 will be used. In summary it -should just 'do the right thing(tm)'. -</p> - <h2> - <a id="Remote_limitations">Limitations</a> - </h2> - <ul> - <li> Fine-grained authentication: libvirt in general, -but in particular the remote case should support more -fine-grained authentication for operations, rather than -just read-write/read-only as at present. -</li> - </ul> - <p> -Please come and discuss these issues and more on <a href="https://www.redhat.com/mailman/listinfo/libvir-list" title="libvir-list mailing list">the mailing list</a>. -</p> - </body> -</html> diff --git a/docs/remote.rst b/docs/remote.rst new file mode 100644 index 0000000000..100df95e1f --- /dev/null +++ b/docs/remote.rst @@ -0,0 +1,219 @@ +============== +Remote support +============== + +Libvirt allows you to access hypervisors running on remote machines through +authenticated and encrypted connections. + +.. contents:: + +Basic usage +----------- + +On the remote machine, ``libvirtd`` should be running in general. See +`libvirtd configuration file`_ section on how to configure ``libvirtd``. + +Not all hypervisors supported by libvirt require a running ``libvirtd``. If you +want to connect to a VMware ESX/ESXi or GSX server then ``libvirtd`` is not +necessary. See the `VMware ESX page <drvesx.html>`__ for details. + +To tell libvirt that you want to access a remote resource, you should supply a +hostname in the normal `URI <uri.html>`__ that is passed to ``virConnectOpen`` +(or ``virsh -c ...``). For example, if you normally use ``qemu:///system`` to +access the system-wide QEMU daemon, then to access the system-wide QEMU daemon +on a remote machine called ``compute1.libvirt.org`` you would use +``qemu://compute1.libvirt.org/system``. + +The `section on remote URIs <uri.html#URI_remote>`__ describes in more detail +these remote URIs. + +From an API point of view, apart from the change in URI, the API should behave +the same. For example, ordinary calls are routed over the remote connection +transparently, and values or errors from the remote side are returned to you as +if they happened locally. Some differences you may notice: + +- Additional errors can be generated, specifically ones relating to failures in + the remote transport itself. +- Remote calls are handled synchronously, so they will be much slower than, + say, direct hypervisor calls. + +Transports +---------- + +Remote libvirt supports a range of transports: + +``tls`` + `TLS <https://en.wikipedia.org/wiki/Transport_Layer_Security>`__ 1.0 (SSL + 3.1) authenticated and encrypted TCP/IP socket, usually listening on a public + port number. To use this you will need to `generate client and server + certificates <kbase/tlscerts.html>`__. The standard port is 16514. +``unix`` + Unix domain socket. Since this is only accessible on the local machine, it is + not encrypted, and uses Unix permissions or SELinux for authentication. The + standard socket names are ``/var/run/libvirt/libvirt-sock`` and + ``/var/run/libvirt/libvirt-sock-ro`` (the latter for read-only connections). +``ssh`` + Transported over an ordinary `ssh (secure + shell) <https://www.openssh.com/>`__ connection. Requires `Netcat + (nc) <http://netcat.sourceforge.net/>`__ installed and libvirtd should be + running on the remote machine. You should use some sort of ssh key management + (eg. `ssh-agent <http://mah.everybody.org/docs/ssh>`__) otherwise programs + which use this transport will stop to ask for a password. +``ext`` + Any external program which can make a connection to the remote machine by + means outside the scope of libvirt. +``tcp`` + Unencrypted TCP/IP socket. Not recommended for production use, this is + normally disabled, but an administrator can enable it for testing or use over + a trusted network. The standard port is 16509. +``libssh2`` + Transport over the SSH protocol using `libssh2 <https://libssh2.org/>`__ + instead of the OpenSSH binary. This transport uses the libvirt authentication + callback for all ssh authentication calls and therefore supports + keyboard-interactive authentication even with graphical management + applications. As with the classic ssh transport netcat is required on the + remote side. +``libssh`` + Transport over the SSH protocol using `libssh <https://libssh.org/>`__ + instead of the OpenSSH binary. This transport uses the libvirt authentication + callback for all ssh authentication calls and therefore supports + keyboard-interactive authentication even with graphical management + applications. As with the classic ssh transport netcat is required on the + remote side. + +The choice of transport is determined by the `URI +scheme <uri.html#URI_remote>`__, with ``tls`` as the default if no explicit +transport is requested. + +libvirtd configuration file +--------------------------- + +Libvirtd (the remote daemon) is configured from a file called +``/etc/libvirt/libvirtd.conf``, or specified on the command line using +``-f filename`` or ``--config filename``. + +This file should contain lines of the form below. Blank lines and comments +beginning with ``#`` are ignored. + +:: + + setting = value + +The following settings, values and default are: + +.. list-table:: + :header-rows: 1 + + * - Line + - Default + - Meaning + + * - listen_tls *[0|1]* + - 1 (on) + - Listen for secure TLS connections on the public TCP/IP port. + Note: it is also necessary to start the server in listening mode + by running it with --listen or adding a LIBVIRTD_ARGS="--listen" line to + /etc/sysconfig/libvirtd. + + * - listen_tcp *[0|1]* + - 0 (off) + - Listen for unencrypted TCP connections on the public TCP/IP port. Note: + it is also necessary to start the server in listening mode. + + * - tls_port *"service"* + - "16514" + - The port number or service name to listen on for secure TLS connections. + + * - tcp_port *"service"* + - "16509" + - The port number or service name to listen on for unencrypted TCP + connections. + + * - unix_sock_group *"groupname"* + - "root" + - The UNIX group to own the UNIX domain socket. If the socket permissions + allow group access, then applications running under matching group can + access the socket. Only valid if running as root + + * - unix_sock_ro_perms *"octal-perms"* + - "0777" + - The permissions for the UNIX domain socket for read-only client + connections. The default allows any user to monitor domains. + + * - unix_sock_rw_perms *"octal-perms"* + - "0700" + - The permissions for the UNIX domain socket for read-write client + connections. The default allows only root to manage domains. + + * - tls_no_verify_certificate *[0|1]* + - 0 (certificates are verified) + - If set to 1 then if a client certificate check fails, it is not an + error. + + * - tls_no_verify_address *[0|1]* + - 0 (addresses are verified) + - If set to 1 then if a client IP address check fails, it is not an + error. + + * - key_file *"filename"* + - "/etc/pki/libvirt/private/serverkey.pem" + - Change the path used to find the server's private key. If you set this + to an empty string, then no private key is loaded. + + * - cert_file *"filename"* + - "/etc/pki/libvirt/servercert.pem" + - Change the path used to find the server's certificate. If you set this + to an empty string, then no certificate is loaded. + + * - ca_file *"filename"* + - "/etc/pki/CA/cacert.pem" + - Change the path used to find the trusted CA certificate. If you set this + to an empty string, then no trusted CA certificate is loaded. + + * - crl_file *"filename"* + - (no CRL file is used) + - Change the path used to find the CA certificate revocation list (CRL) + file. If you set this to an empty string, then no CRL is loaded. + + * - tls_allowed_dn_list ["DN1", "DN2"] + - (none - DNs are not checked) + - Enable an access control list of client certificate Distinguished Names + (DNs) which can connect to the TLS port on this server. + + The default is that DNs are not checked. + + This list may contain wildcards such as + ``"C=GB,ST=London,L=London,O=Libvirt Project,CN=*"`` + Any * matches in the string matches any number of consecutive characters, + like a simplified ``glob(7)``. + + Note that if this is an empty list, *no client can connect*. + + Note also that GnuTLS returns DNs without spaces after commas between + the fields (and this is what we check against), but the ``openssl x509`` + tool shows spaces. + + To make it easy to see the order of the fields in the DN a helper + executable ``virt-pki-query-dn`` is provided for this particular use + case. + +IPv6 support +------------ + +The libvirtd service and libvirt remote client driver both use the +``getaddrinfo()`` functions for name resolution and are thus fully IPv6 enabled. +ie, if a server has IPv6 address configured the daemon will listen for incoming +connections on both IPv4 and IPv6 protocols. If a client has an IPv6 address +configured and the DNS address resolved for a service is reachable over IPv6, +then an IPv6 connection will be made, otherwise IPv4 will be used. In summary it +should just 'do the right thing(tm)'. + +Limitations +----------- + +- Fine-grained authentication: libvirt in general, but in particular the remote + case should support more fine-grained authentication for operations, rather + than just read-write/read-only as at present. + +Please come and discuss these issues and more on `the mailing +list <https://www.redhat.com/mailman/listinfo/libvir-list>`__. -- 2.35.1

The paragraph talks about lack of fine grained access control which was already added a long time ago. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/remote.rst | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/docs/remote.rst b/docs/remote.rst index 100df95e1f..933166144d 100644 --- a/docs/remote.rst +++ b/docs/remote.rst @@ -207,13 +207,3 @@ connections on both IPv4 and IPv6 protocols. If a client has an IPv6 address configured and the DNS address resolved for a service is reachable over IPv6, then an IPv6 connection will be made, otherwise IPv4 will be used. In summary it should just 'do the right thing(tm)'. - -Limitations ------------ - -- Fine-grained authentication: libvirt in general, but in particular the remote - case should support more fine-grained authentication for operations, rather - than just read-write/read-only as at present. - -Please come and discuss these issues and more on `the mailing -list <https://www.redhat.com/mailman/listinfo/libvir-list>`__. -- 2.35.1

Adjust links in the process. Note that the conversion to the table is temporary and upcoming patch will modify it for better readability. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/meson.build | 2 +- docs/uri.html.in | 507 ----------------------------------------------- docs/uri.rst | 447 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 448 insertions(+), 508 deletions(-) delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst diff --git a/docs/meson.build b/docs/meson.build index aa866bec51..d71f6006dd 100644 --- a/docs/meson.build +++ b/docs/meson.build @@ -19,7 +19,6 @@ docs_assets = [ docs_html_in_files = [ 'index', - 'uri', ] docs_rst_files = [ @@ -106,6 +105,7 @@ docs_rst_files = [ 'testapi', 'testsuites', 'testtck', + 'uri', 'windows', ] diff --git a/docs/uri.html.in b/docs/uri.html.in deleted file mode 100644 index 61917e77b4..0000000000 --- a/docs/uri.html.in +++ /dev/null @@ -1,507 +0,0 @@ -<?xml version="1.0" encoding="UTF-8"?> -<!DOCTYPE html> -<html xmlns="http://www.w3.org/1999/xhtml"> - <body> - <h1 >Connection URIs</h1> - - <ul id="toc"></ul> - <p> -Since libvirt supports many different kinds of virtualization -(often referred to as "drivers" or "hypervisors"), we need a -way to be able to specify which driver a connection refers to. -Additionally we may want to refer to a driver on a remote -machine over the network. -</p> - <p> -To this end, libvirt uses URIs as used on the Web and as defined in <a href="https://www.ietf.org/rfc/rfc2396.txt">RFC 2396</a>. This page -documents libvirt URIs. -</p> - <h2><a id="URI_libvirt">Specifying URIs to libvirt</a></h2> - - <p> - The URI is passed as the <code>name</code> parameter to - <a href="html/libvirt-libvirt-host.html#virConnectOpen"> - <code>virConnectOpen</code> - </a> - or - <a href="html/libvirt-libvirt-host.html#virConnectOpenReadOnly"> - <code>virConnectOpenReadOnly</code> - </a>. - For example: -</p> - <pre> -virConnectPtr conn = virConnectOpenReadOnly (<b>"test:///default"</b>); -</pre> - <h2> - <a id="URI_config">Configuring URI aliases</a> - </h2> - - <p> -To simplify life for administrators, it is possible to setup URI aliases in a -libvirt client configuration file. The configuration file is <code>/etc/libvirt/libvirt.conf</code> -for the root user, or <code>$XDG_CONFIG_HOME/libvirt/libvirt.conf</code> for any unprivileged user. -In this file, the following syntax can be used to setup aliases - </p> - -<pre> -uri_aliases = [ - "hail=qemu+ssh://root@hail.cloud.example.com/system", - "sleet=qemu+ssh://root@sleet.cloud.example.com/system", -] -</pre> - -<p> - A URI alias should be a string made up from the characters - <code>a-Z, 0-9, _, -</code>. Following the <code>=</code> - can be any libvirt URI string, including arbitrary URI parameters. - URI aliases will apply to any application opening a libvirt - connection, unless it has explicitly passed the <code>VIR_CONNECT_NO_ALIASES</code> - parameter to <code>virConnectOpenAuth</code>. If the passed in - URI contains characters outside the allowed alias character - set, no alias lookup will be attempted. -</p> - - <h2><a id="URI_default">Default URI choice</a></h2> - - <p> -If the URI passed to <code>virConnectOpen*</code> is NULL, then libvirt will use the following -logic to determine what URI to use. -</p> - - <ol> - <li>The environment variable <code>LIBVIRT_DEFAULT_URI</code></li> - <li>The client configuration file <code>uri_default</code> parameter</li> - <li>Probe each hypervisor in turn until one that works is found</li> - </ol> - - <h2> - <a id="URI_virsh">Specifying URIs to virsh, virt-manager and virt-install</a> - </h2> - <p> -In virsh use the <code>-c</code> or <code>--connect</code> option: -</p> - <pre> -virsh <b>-c test:///default</b> list -</pre> - <p> -If virsh finds the environment variable -<code>VIRSH_DEFAULT_CONNECT_URI</code> set, it will try this URI by -default. Use of this environment variable is, however, deprecated -now that libvirt supports <code>LIBVIRT_DEFAULT_URI</code> itself. -</p> - <p> -When using the interactive virsh shell, you can also use the -<code>connect</code> <i>URI</i> command to reconnect to another -hypervisor. -</p> - <p> -In virt-manager use the <code>-c</code> or <code>--connect=</code><i>URI</i> option: -</p> - <pre> -virt-manager <b>-c test:///default</b> -</pre> - <p> -In virt-install use the <code>--connect=</code><i>URI</i> option: -</p> - <pre> -virt-install <b>--connect=test:///default</b> <i>[other options]</i> -</pre> - <h2> - <a id="URI_xen">xen:///system URI</a> - </h2> - <p> - <i>This section describes a feature which is new in libvirt > -0.2.3. For libvirt ≤ 0.2.3 use <a href="#URI_legacy_xen"><code>"xen"</code></a>.</i> - </p> - <p> -To access a Xen hypervisor running on the local machine -use the URI <code>xen:///system</code>. -</p> - <h2> - <a id="URI_qemu">qemu:///... QEMU and KVM URIs</a> - </h2> - <p> -To use QEMU support in libvirt you must be running the -<code>libvirtd</code> daemon (named <code>libvirt_qemud</code> -in releases prior to 0.3.0). The purpose of this -daemon is to manage qemu instances. -</p> - <p> -The <code>libvirtd</code> daemon should be started by the -init scripts when the machine boots. It should appear as -a process <code>libvirtd --daemon</code> running as root -in the background and will handle qemu instances on behalf -of all users of the machine (among other things). </p> - <p> -So to connect to the daemon, one of two different URIs is used: -</p> - <ul> - <li><code>qemu:///system</code> connects to a system mode daemon. </li> - <li><code>qemu:///session</code> connects to a session mode daemon. </li> - </ul> - <p> -(If you do <code>libvirtd --help</code>, the daemon will print -out the paths of the Unix domain socket(s) that it listens on in -the various different modes). -</p> - <p> -KVM URIs are identical. You select between qemu, qemu accelerated and -KVM guests in the <a href="format.html#KVM1">guest XML as described -here</a>. -</p> - <h2> - <a id="URI_remote">Remote URIs</a> - </h2> - <p> -Remote URIs have the general form ("[...]" meaning an optional part): -</p> - <p><code>driver</code>[<code>+transport</code>]<code>://</code>[<code>username@</code>][<code>hostname</code>][<code>:port</code>]<code>/</code>[<code>path</code>][<code>?extraparameters</code>] -</p> - <p> -Either the transport or the hostname must be given in order -to distinguish this from a local URI. -</p> - <p> -Some examples: -</p> - <ul> - <li><code>xen+ssh://rjones@towada/system</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using ssh transport and ssh -username <code>rjones</code>. -</li> - <li><code>xen://towada/system</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. -</li> - <li><code>xen://towada/system?no_verify=1</code><br/> — Connect to a -remote Xen hypervisor on host <code>towada</code> using TLS. Do not verify -the server's certificate. -</li> - <li><code>qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock</code><br/> — -Connect to the local qemu instances over a non-standard -Unix socket (the full path to the Unix socket is -supplied explicitly in this case). -</li> - <li><code>test+tcp://localhost:5000/default</code><br/> — -Connect to a libvirtd daemon offering unencrypted TCP/IP connections -on localhost port 5000 and use the test driver with default -settings. -</li> -<li><code>qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> — -Connect to a remote host using a ssh connection with the libssh2 driver -and use a different known_hosts file.</li> -<li><code>qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts</code><br/> — -Connect to a remote host using a ssh connection with the libssh driver -and use a different known_hosts file.</li> - </ul> - <h3> - <a id="Remote_URI_parameters">Extra parameters</a> - </h3> - <p> -Extra parameters can be added to remote URIs as part -of the query string (the part following <q><code>?</code></q>). -Remote URIs understand the extra parameters shown below. -Any others are passed unmodified through to the back end. -Note that parameter values must be -<a href="http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr">URI-escaped</a>. -</p> - <table class="top_table"> - <tr> - <th> Name </th> - <th> Transports </th> - <th> Meaning </th> - </tr> - <tr> - <td> - <code>name</code> - </td> - <td> - <i>any transport</i> - </td> - <td> - The name passed to the remote virConnectOpen function. The - name is normally formed by removing transport, hostname, port - number, username and extra parameters from the remote URI, but in certain - very complex cases it may be better to supply the name explicitly. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>name=qemu:///system</code> </td> - </tr> - <tr> - <td> - <code>tls_priority</code> - </td> - <td> tls </td> - <td> - A valid GNUTLS priority string -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>tls_priority=NORMAL:-VERS-SSL3.0</code> </td> - </tr> - <tr> - <td> - <code>mode</code> - </td> - <td> unix, ssh, libssh, libssh2 </td> - <td> - <dl> - <dt><code>auto</code></dt><dd>automatically determine the daemon</dd> - <dt><code>direct</code></dt><dd>connect to per-driver daemons</dd> - <dt><code>legacy</code></dt><dd>connect to libvirtd</dd> - </dl> - Can also be set in <code>libvirt.conf</code> as <code>remote_mode</code> - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>mode=direct</code> </td> - </tr> - <tr> - <td> - <code>proxy</code> - </td> - <td>auto, netcat, native </td> - <td> - <dl> - <dt><code>auto</code></dt><dd>try native, fallback to netcat</dd> - <dt><code>netcat</code></dt><dd>only use netcat</dd> - <dt><code>native</code></dt><dd>only use native</dd> - </dl> - Can also be set in <code>libvirt.conf</code> as <code>remote_proxy</code> - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>proxy=native</code> </td> - </tr> - <tr> - <td> - <code>command</code> - </td> - <td> ssh, ext </td> - <td> - The external command. For ext transport this is required. - For ssh the default is <code>ssh</code>. - The PATH is searched for the command. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>command=/opt/openssh/bin/ssh</code> </td> - </tr> - <tr> - <td> - <code>socket</code> - </td> - <td> unix, ssh, libssh2, libssh </td> - <td> - The path to the Unix domain socket, which overrides the - compiled-in default. For ssh transport, this is passed to - the remote netcat command (see next). -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>socket=/opt/libvirt/run/libvirt/libvirt-sock</code> </td> - </tr> - <tr> - <td> - <code>netcat</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the netcat command on the remote machine. - The default is <code>nc</code>. This is not permitted - when using the <code>native</code> proxy mode. For ssh - transport, libvirt constructs an ssh command which looks - like: - -<pre><i>command</i> -p <i>port</i> [-l <i>username</i>] <i>hostname</i> <i>netcat</i> -U <i>socket</i> -</pre> - - where <i>port</i>, <i>username</i>, <i>hostname</i> can be - specified as part of the remote URI, and <i>command</i>, <i>netcat</i> - and <i>socket</i> come from extra parameters (or - sensible defaults). - -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>netcat=/opt/netcat/bin/nc</code> </td> - </tr> - - <tr> - <td> - <code>keyfile</code> - </td> - <td> ssh, libssh2, libssh </td> - <td> - The name of the private key file to use to authentication to the remote - machine. If this option is not used the default keys are used. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>keyfile=/root/.ssh/example_key</code> </td> - </tr> - - <tr> - <td> - <code>no_verify</code> - </td> - <td> ssh, tls </td> - <td> - SSH: If set to a non-zero value, this disables client's strict host key - checking making it auto-accept new host keys. Existing host keys will - still be validated. - <br/> - <br/> - TLS: If set to a non-zero value, this disables client checks of the - server's certificate. Note that to disable server checks of - the client's certificate or IP address you must - <a href="#Remote_libvirtd_configuration">change the libvirtd - configuration</a>. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_verify=1</code> </td> - </tr> - <tr> - <td> - <code>no_tty</code> - </td> - <td> ssh </td> - <td> - If set to a non-zero value, this stops ssh from asking for - a password if it cannot log in to the remote machine automatically - (eg. using ssh-agent etc.). Use this when you don't have access - to a terminal - for example in graphical programs which use libvirt. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>no_tty=1</code> </td> - </tr> - <tr> - <td> - <code>pkipath</code> - </td> - <td> tls</td> - <td> - Specifies x509 certificates path for the client. If any of - the CA certificate, client certificate, or client key is - missing, the connection will fail with a fatal error. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>pkipath=/tmp/pki/client</code> </td> - </tr> - <tr> - <td> - <code>known_hosts</code> - </td> - <td> libssh2, libssh </td> - <td> - Path to the known_hosts file to verify the host key against. LibSSH2 and - libssh support OpenSSH-style known_hosts files, although LibSSH2 does not - support all key types, so using files created by the OpenSSH binary may - result into truncating the known_hosts file. Thus, with LibSSH2 it's - recommended to use the default known_hosts file is located in libvirt's - client local configuration directory e.g.: ~/.config/libvirt/known_hosts. - Note: Use absolute paths. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>known_hosts=/root/.ssh/known_hosts</code> </td> - </tr> - <tr> - <td> - <code>known_hosts_verify</code> - </td> - <td> libssh2, libssh </td> - <td> - If set to <code>normal</code> (default), then the user will be - asked to accept new host keys. If set to <code>auto</code>, new - host keys will be auto-accepted, but existing host keys will - still be validated. If set to <code>ignore</code>, this disables - client's strict host key checking. - </td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>known_hosts_verify=ignore</code> </td> - </tr> - <tr> - <td> - <code>sshauth</code> - </td> - <td> libssh2, libssh </td> - <td> - A comma separated list of authentication methods to use. Default (is - "agent,privkey,password,keyboard-interactive". The order of the methods - is preserved. Some methods may require additional parameters. -</td> - </tr> - <tr> - <td colspan="2"/> - <td> Example: <code>sshauth=privkey,agent</code> </td> - </tr> - </table> - <h2> - <a id="URI_test">test:///... Test URIs</a> - </h2> - <p> -The test driver is a dummy hypervisor for test purposes. -The URIs supported are: -</p> - <ul> - <li><code>test:///default</code> connects to a default set of -host definitions built into the driver. </li> - <li><code>test:///path/to/host/definitions</code> connects to -a set of host definitions held in the named file. -</li> - </ul> - <h2> - <a id="URI_legacy">Other & legacy URI formats</a> - </h2> - <h3> - <a id="URI_NULL">NULL and empty string URIs</a> - </h3> - <p> -Libvirt allows you to pass a <code>NULL</code> pointer to -<code>virConnectOpen*</code>. Empty string (<code>""</code>) acts in -the same way. Traditionally this has meant -<q>connect to the local Xen hypervisor</q>. However in future this -may change to mean <q>connect to the best available hypervisor</q>. -</p> - <p> -The theory is that if, for example, Xen is unavailable but the -machine is running an OpenVZ kernel, then we should not try to -connect to the Xen hypervisor since that is obviously the wrong -thing to do. -</p> - <p> -In any case applications linked to libvirt can continue to pass -<code>NULL</code> as a default choice, but should always allow the -user to override the URI, either by constructing one or by allowing -the user to type a URI in directly (if that is appropriate). If your -application wishes to connect specifically to a Xen hypervisor, then -for future proofing it should choose a full <a href="#URI_xen"><code>xen:///system</code> URI</a>. -</p> - <h3> - <a id="URI_legacy_xen">Legacy: <code>"xen"</code></a> - </h3> - <p> -Another legacy URI is to specify name as the string -<code>"xen"</code>. This will continue to refer to the Xen -hypervisor. However you should prefer a full <a href="#URI_xen"><code>xen:///system</code> URI</a> in all future code. -</p> - </body> -</html> diff --git a/docs/uri.rst b/docs/uri.rst new file mode 100644 index 0000000000..949032e0ff --- /dev/null +++ b/docs/uri.rst @@ -0,0 +1,447 @@ +=============== +Connection URIs +=============== + +.. contents:: + +Since libvirt supports many different kinds of virtualization (often referred to +as "drivers" or "hypervisors"), we need a way to be able to specify which driver +a connection refers to. Additionally we may want to refer to a driver on a +remote machine over the network. + +To this end, libvirt uses URIs as used on the Web and as defined in `RFC +2396 <https://www.ietf.org/rfc/rfc2396.txt>`__. This page documents libvirt +URIs. + +Specifying URIs to libvirt +-------------------------- + +The URI is passed as the ``name`` parameter to +`virConnectOpen <html/libvirt-libvirt-host.html#virConnectOpen>`__ or +`virConnectOpenReadOnly <html/libvirt-libvirt-host.html#virConnectOpenReadOnly>`__ +. For example: + +:: + + virConnectPtr conn = virConnectOpenReadOnly ("test:///default"); + +Configuring URI aliases +----------------------- + +To simplify life for administrators, it is possible to setup URI aliases in a +libvirt client configuration file. The configuration file is +``/etc/libvirt/libvirt.conf`` for the root user, or +``$XDG_CONFIG_HOME/libvirt/libvirt.conf`` for any unprivileged user. In this +file, the following syntax can be used to setup aliases + +:: + + uri_aliases = [ + "hail=qemu+ssh://root@hail.cloud.example.com/system", + "sleet=qemu+ssh://root@sleet.cloud.example.com/system", + ] + +A URI alias should be a string made up from the characters ``a-Z, 0-9, _, -``. +Following the ``=`` can be any libvirt URI string, including arbitrary URI +parameters. URI aliases will apply to any application opening a libvirt +connection, unless it has explicitly passed the ``VIR_CONNECT_NO_ALIASES`` +parameter to ``virConnectOpenAuth``. If the passed in URI contains characters +outside the allowed alias character set, no alias lookup will be attempted. + +Default URI choice +------------------ + +If the URI passed to ``virConnectOpen*`` is NULL, then libvirt will use the +following logic to determine what URI to use. + +#. The environment variable ``LIBVIRT_DEFAULT_URI`` +#. The client configuration file ``uri_default`` parameter +#. Probe each hypervisor in turn until one that works is found + +Specifying URIs to virsh, virt-manager and virt-install +------------------------------------------------------- + +In virsh use the ``-c`` or ``--connect`` option: + +:: + + virsh -c test:///default list + +If virsh finds the environment variable ``VIRSH_DEFAULT_CONNECT_URI`` set, it +will try this URI by default. Use of this environment variable is, however, +deprecated now that libvirt supports ``LIBVIRT_DEFAULT_URI`` itself. + +When using the interactive virsh shell, you can also use the ``connect`` *URI* +command to reconnect to another hypervisor. + +In virt-manager use the ``-c`` or ``--connect=``\ *URI* option: + +:: + + virt-manager -c test:///default + +In virt-install use the ``--connect=``\ *URI* option: + +:: + + virt-install --connect=test:///default [other options] + +xen:///system URI +----------------- + +*This section describes a feature which is new in libvirt > 0.2.3. For libvirt ≤ +0.2.3 use* `Legacy: "xen"`_ *URI*. + +To access a Xen hypervisor running on the local machine use the URI +``xen:///system``. + +qemu:///... QEMU and KVM URIs +----------------------------- + +To use QEMU support in libvirt you must be running the ``libvirtd`` daemon +(named ``libvirt_qemud`` in releases prior to 0.3.0). The purpose of this daemon +is to manage qemu instances. + +The ``libvirtd`` daemon should be started by the init scripts when the machine +boots. It should appear as a process ``libvirtd --daemon`` running as root in +the background and will handle qemu instances on behalf of all users of the +machine (among other things). + +So to connect to the daemon, one of two different URIs is used: + +- ``qemu:///system`` connects to a system mode daemon. +- ``qemu:///session`` connects to a session mode daemon. + +(If you do ``libvirtd --help``, the daemon will print out the paths of the Unix +domain socket(s) that it listens on in the various different modes). + +KVM URIs are identical. You select between qemu, qemu accelerated and KVM guests +in the `guest XML as described here <format.html#KVM1>`__. + +Remote URIs +----------- + +Remote URIs have the general form ("[...]" meaning an optional part): + +:: + + driver[+transport]://[username@][hostname][:port]/[path][?extraparameters] + +Either the transport or the hostname must be given in order to distinguish this +from a local URI. + +Some examples: + +- ``xen+ssh://rjones@towada/system`` + — Connect to a remote Xen hypervisor on host ``towada`` using ssh transport + and ssh username ``rjones``. +- ``xen://towada/system`` + — Connect to a remote Xen hypervisor on host ``towada`` using TLS. +- ``xen://towada/system?no_verify=1`` + — Connect to a remote Xen hypervisor on host ``towada`` using TLS. Do not + verify the server's certificate. +- ``qemu+unix:///system?socket=/opt/libvirt/run/libvirt/libvirt-sock`` + — Connect to the local qemu instances over a non-standard Unix socket (the + full path to the Unix socket is supplied explicitly in this case). +- ``test+tcp://localhost:5000/default`` + — Connect to a libvirtd daemon offering unencrypted TCP/IP connections on + localhost port 5000 and use the test driver with default settings. +- ``qemu+libssh2://user@host/system?known_hosts=/home/user/.ssh/known_hosts`` + — Connect to a remote host using a ssh connection with the libssh2 driver and + use a different known_hosts file. +- ``qemu+libssh://user@host/system?known_hosts=/home/user/.ssh/known_hosts`` + — Connect to a remote host using a ssh connection with the libssh driver and + use a different known_hosts file. + +Extra parameters +~~~~~~~~~~~~~~~~ + +Extra parameters can be added to remote URIs as part of the query string (the +part following ``?``). Remote URIs understand the extra parameters shown +below. Any others are passed unmodified through to the back end. Note that +parameter values must be +`URI-escaped <http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr>`__. + ++-------------------------+-------------------------+-------------------------+ +| Name | Transports | Meaning | ++=========================+=========================+=========================+ +| ``name`` | *any transport* | The name passed to the | +| | | remote virConnectOpen | +| | | function. The name is | +| | | normally formed by | +| | | removing transport, | +| | | hostname, port number, | +| | | username and extra | +| | | parameters from the | +| | | remote URI, but in | +| | | certain very complex | +| | | cases it may be better | +| | | to supply the name | +| | | explicitly. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``name=qemu:///system`` | ++-------------------------+-------------------------+-------------------------+ +| ``tls_priority`` | tls | A valid GNUTLS priority | +| | | string | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``tls_priorit | +| | | y=NORMAL:-VERS-SSL3.0`` | ++-------------------------+-------------------------+-------------------------+ +| ``mode`` | unix, ssh, libssh, | ``auto`` | +| | libssh2 | automatically | +| | | determine the daemon | +| | | ``direct`` | +| | | connect to | +| | | per-driver daemons | +| | | ``legacy`` | +| | | connect to libvirtd | +| | | | +| | | Can also be set in | +| | | ``libvirt.conf`` as | +| | | ``remote_mode`` | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``mode=direct`` | ++-------------------------+-------------------------+-------------------------+ +| ``proxy`` | auto, netcat, native | ``auto`` | +| | | try native, fallback | +| | | to netcat | +| | | ``netcat`` | +| | | only use netcat | +| | | ``native`` | +| | | only use native | +| | | | +| | | Can also be set in | +| | | ``libvirt.conf`` as | +| | | ``remote_proxy`` | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``proxy=native`` | ++-------------------------+-------------------------+-------------------------+ +| ``command`` | ssh, ext | The external command. | +| | | For ext transport this | +| | | is required. For ssh | +| | | the default is ``ssh``. | +| | | The PATH is searched | +| | | for the command. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``command | +| | | =/opt/openssh/bin/ssh`` | ++-------------------------+-------------------------+-------------------------+ +| ``socket`` | unix, ssh, libssh2, | The path to the Unix | +| | libssh | domain socket, which | +| | | overrides the | +| | | compiled-in default. | +| | | For ssh transport, this | +| | | is passed to the remote | +| | | netcat command (see | +| | | next). | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | `` | +| | | socket=/opt/libvirt/run | +| | | /libvirt/libvirt-sock`` | ++-------------------------+-------------------------+-------------------------+ +| ``netcat`` | ssh, libssh2, libssh | The name of the netcat | +| | | command on the remote | +| | | machine. The default is | +| | | ``nc``. This is not | +| | | permitted when using | +| | | the ``native`` proxy | +| | | mode. For ssh | +| | | transport, libvirt | +| | | constructs an ssh | +| | | command which looks | +| | | like: | +| | | | +| | | ``command -p port`` | +| | | ``[-l username]`` | +| | | ``hostname`` or | +| | | | +| | | ``netcat -U socket`` | +| | | | +| | | where *port*, | +| | | *username*, *hostname* | +| | | can be specified as | +| | | part of the remote URI, | +| | | and *command*, *netcat* | +| | | and *socket* come from | +| | | extra parameters (or | +| | | sensible defaults). | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``netc | +| | | at=/opt/netcat/bin/nc`` | ++-------------------------+-------------------------+-------------------------+ +| ``keyfile`` | ssh, libssh2, libssh | The name of the private | +| | | key file to use to | +| | | authentication to the | +| | | remote machine. If this | +| | | option is not used the | +| | | default keys are used. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``keyfile=/ | +| | | root/.ssh/example_key`` | ++-------------------------+-------------------------+-------------------------+ +| ``no_verify`` | ssh, tls | SSH: If set to a | +| | | non-zero value, this | +| | | disables client's | +| | | strict host key | +| | | checking making it | +| | | auto-accept new host | +| | | keys. Existing host | +| | | keys will still be | +| | | validated. | +| | | TLS: If set to a | +| | | non-zero value, this | +| | | disables client checks | +| | | of the server's | +| | | certificate. Note that | +| | | to disable server | +| | | checks of the client's | +| | | certificate or IP | +| | | address you must | +| | | `change the libvirtd | +| | | conf | +| | | iguration <#Remote_libv | +| | | irtd_configuration>`__. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``no_verify=1`` | ++-------------------------+-------------------------+-------------------------+ +| ``no_tty`` | ssh | If set to a non-zero | +| | | value, this stops ssh | +| | | from asking for a | +| | | password if it cannot | +| | | log in to the remote | +| | | machine automatically | +| | | (eg. using ssh-agent | +| | | etc.). Use this when | +| | | you don't have access | +| | | to a terminal - for | +| | | example in graphical | +| | | programs which use | +| | | libvirt. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: ``no_tty=1`` | ++-------------------------+-------------------------+-------------------------+ +| ``pkipath`` | tls | Specifies x509 | +| | | certificates path for | +| | | the client. If any of | +| | | the CA certificate, | +| | | client certificate, or | +| | | client key is missing, | +| | | the connection will | +| | | fail with a fatal | +| | | error. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``pk | +| | | ipath=/tmp/pki/client`` | ++-------------------------+-------------------------+-------------------------+ +| ``known_hosts`` | libssh2, libssh | Path to the known_hosts | +| | | file to verify the host | +| | | key against. LibSSH2 | +| | | and libssh support | +| | | OpenSSH-style | +| | | known_hosts files, | +| | | although LibSSH2 does | +| | | not support all key | +| | | types, so using files | +| | | created by the OpenSSH | +| | | binary may result into | +| | | truncating the | +| | | known_hosts file. Thus, | +| | | with LibSSH2 it's | +| | | recommended to use the | +| | | default known_hosts | +| | | file is located in | +| | | libvirt's client local | +| | | configuration directory | +| | | e.g.: | +| | | ~/.conf | +| | | ig/libvirt/known_hosts. | +| | | Note: Use absolute | +| | | paths. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``known_hosts=/ | +| | | root/.ssh/known_hosts`` | ++-------------------------+-------------------------+-------------------------+ +| ``known_hosts_verify`` | libssh2, libssh | If set to ``normal`` | +| | | (default), then the | +| | | user will be asked to | +| | | accept new host keys. | +| | | If set to ``auto``, new | +| | | host keys will be | +| | | auto-accepted, but | +| | | existing host keys will | +| | | still be validated. If | +| | | set to ``ignore``, this | +| | | disables client's | +| | | strict host key | +| | | checking. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | ``know | +| | | n_hosts_verify=ignore`` | ++-------------------------+-------------------------+-------------------------+ +| ``sshauth`` | libssh2, libssh | A comma separated list | +| | | of authentication | +| | | methods to use. Default | +| | | (is | +| | | "agent,privkey,password | +| | | ,keyboard-interactive". | +| | | The order of the | +| | | methods is preserved. | +| | | Some methods may | +| | | require additional | +| | | parameters. | ++-------------------------+-------------------------+-------------------------+ +| | | Example: | +| | | `` | +| | | sshauth=privkey,agent`` | ++-------------------------+-------------------------+-------------------------+ + +test:///... Test URIs +--------------------- + +The test driver is a dummy hypervisor for test purposes. The URIs supported are: + +- ``test:///default`` connects to a default set of host definitions built into + the driver. +- ``test:///path/to/host/definitions`` connects to a set of host definitions + held in the named file. + +Other & legacy URI formats +-------------------------- + +NULL and empty string URIs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Libvirt allows you to pass a ``NULL`` pointer to ``virConnectOpen*``. Empty +string (``""``) acts in the same way. Traditionally this has meant “connect to +the local Xen hypervisor”. However in future this may change to mean “connect to +the best available hypervisor”. + +The theory is that if, for example, Xen is unavailable but the machine is +running an OpenVZ kernel, then we should not try to connect to the Xen +hypervisor since that is obviously the wrong thing to do. + +In any case applications linked to libvirt can continue to pass ``NULL`` as a +default choice, but should always allow the user to override the URI, either by +constructing one or by allowing the user to type a URI in directly (if that is +appropriate). If your application wishes to connect specifically to a Xen +hypervisor, then for future proofing it should choose a full +`xen:///system URI`_. + +Legacy: ``"xen"`` +~~~~~~~~~~~~~~~~~ + +Another legacy URI is to specify name as the string ``"xen"``. This will +continue to refer to the Xen hypervisor. However you should prefer a full +`xen:///system URI`_ in all future code. -- 2.35.1

On 4/22/22 14:23, Peter Krempa wrote:
Adjust links in the process.
Note that the conversion to the table is temporary and upcoming patch will modify it for better readability.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/meson.build | 2 +- docs/uri.html.in | 507 ----------------------------------------------- docs/uri.rst | 447 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 448 insertions(+), 508 deletions(-) delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst
diff --git a/docs/uri.rst b/docs/uri.rst new file mode 100644 index 0000000000..949032e0ff --- /dev/null +++ b/docs/uri.rst
+ +Other & legacy URI formats +-------------------------- + +NULL and empty string URIs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Libvirt allows you to pass a ``NULL`` pointer to ``virConnectOpen*``. Empty +string (``""``) acts in the same way. Traditionally this has meant “connect to +the local Xen hypervisor�?. However in future this may change to mean “connect to +the best available hypervisor�?.
This does not look correct. Maybe this is causing the problem? Michal

On Fri, Apr 22, 2022 at 16:05:57 +0200, Michal Prívozník wrote:
On 4/22/22 14:23, Peter Krempa wrote:
Adjust links in the process.
Note that the conversion to the table is temporary and upcoming patch will modify it for better readability.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/meson.build | 2 +- docs/uri.html.in | 507 ----------------------------------------------- docs/uri.rst | 447 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 448 insertions(+), 508 deletions(-) delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst
diff --git a/docs/uri.rst b/docs/uri.rst new file mode 100644 index 0000000000..949032e0ff --- /dev/null +++ b/docs/uri.rst
+ +Other & legacy URI formats +-------------------------- + +NULL and empty string URIs +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Libvirt allows you to pass a ``NULL`` pointer to ``virConnectOpen*``. Empty +string (``""``) acts in the same way. Traditionally this has meant “connect to +the local Xen hypervisor�?. However in future this may change to mean “connect to +the best available hypervisor�?.
This does not look correct. Maybe this is causing the problem?
Gah ... unicode quotes :D. I think I might even get rid of these in later patches. git fetch https://gitlab.com/pipo.sk/libvirt.git docs-anchor-final You can pull from here. Or I can remove them and re-send.

We now have an paragraph about default URI choice if the passed pointer is NULL. Add the two related bits from the 'NULL and empty string URIs' from the legacy section to the current one and remove the old stuff. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 25 ++++--------------------- 1 file changed, 4 insertions(+), 21 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 949032e0ff..80c2d780c3 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -51,13 +51,15 @@ outside the allowed alias character set, no alias lookup will be attempted. Default URI choice ------------------ -If the URI passed to ``virConnectOpen*`` is NULL, then libvirt will use the -following logic to determine what URI to use. +If the URI passed to ``virConnectOpen*`` is NULL or empty string, then libvirt +will use the following logic to determine what URI to use. #. The environment variable ``LIBVIRT_DEFAULT_URI`` #. The client configuration file ``uri_default`` parameter #. Probe each hypervisor in turn until one that works is found +Historically an empty URI was equivalent to ``xen:///system``. + Specifying URIs to virsh, virt-manager and virt-install ------------------------------------------------------- @@ -420,25 +422,6 @@ The test driver is a dummy hypervisor for test purposes. The URIs supported are: Other & legacy URI formats -------------------------- -NULL and empty string URIs -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Libvirt allows you to pass a ``NULL`` pointer to ``virConnectOpen*``. Empty -string (``""``) acts in the same way. Traditionally this has meant “connect to -the local Xen hypervisor”. However in future this may change to mean “connect to -the best available hypervisor”. - -The theory is that if, for example, Xen is unavailable but the machine is -running an OpenVZ kernel, then we should not try to connect to the Xen -hypervisor since that is obviously the wrong thing to do. - -In any case applications linked to libvirt can continue to pass ``NULL`` as a -default choice, but should always allow the user to override the URI, either by -constructing one or by allowing the user to type a URI in directly (if that is -appropriate). If your application wishes to connect specifically to a Xen -hypervisor, then for future proofing it should choose a full -`xen:///system URI`_. - Legacy: ``"xen"`` ~~~~~~~~~~~~~~~~~ -- 2.35.1

Mention the legacy 'xen' string usage under the Xen hypervisor uri section. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 80c2d780c3..97a72dc37d 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -91,12 +91,12 @@ In virt-install use the ``--connect=``\ *URI* option: xen:///system URI ----------------- -*This section describes a feature which is new in libvirt > 0.2.3. For libvirt ≤ -0.2.3 use* `Legacy: "xen"`_ *URI*. - To access a Xen hypervisor running on the local machine use the URI ``xen:///system``. +Historically libvirt 0.2.2 and previous versions required to use the name +``"xen"`` to refer to the Xen hypervisor. + qemu:///... QEMU and KVM URIs ----------------------------- @@ -418,13 +418,3 @@ The test driver is a dummy hypervisor for test purposes. The URIs supported are: the driver. - ``test:///path/to/host/definitions`` connects to a set of host definitions held in the named file. - -Other & legacy URI formats --------------------------- - -Legacy: ``"xen"`` -~~~~~~~~~~~~~~~~~ - -Another legacy URI is to specify name as the string ``"xen"``. This will -continue to refer to the Xen hypervisor. However you should prefer a full -`xen:///system URI`_ in all future code. -- 2.35.1

Add a new heading 'Local hypervisor URIs' and move the sections about 'qemu', 'xen' and 'test' under it. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 97a72dc37d..714a0c4c21 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -88,8 +88,11 @@ In virt-install use the ``--connect=``\ *URI* option: virt-install --connect=test:///default [other options] +Local hypervisor URIs +--------------------- + xen:///system URI ------------------ +~~~~~~~~~~~~~~~~~ To access a Xen hypervisor running on the local machine use the URI ``xen:///system``. @@ -98,7 +101,7 @@ Historically libvirt 0.2.2 and previous versions required to use the name ``"xen"`` to refer to the Xen hypervisor. qemu:///... QEMU and KVM URIs ------------------------------ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To use QEMU support in libvirt you must be running the ``libvirtd`` daemon (named ``libvirt_qemud`` in releases prior to 0.3.0). The purpose of this daemon @@ -120,6 +123,16 @@ domain socket(s) that it listens on in the various different modes). KVM URIs are identical. You select between qemu, qemu accelerated and KVM guests in the `guest XML as described here <format.html#KVM1>`__. +test:///... Test URIs +~~~~~~~~~~~~~~~~~~~~~ + +The test driver is a dummy hypervisor for test purposes. The URIs supported are: + +- ``test:///default`` connects to a default set of host definitions built into + the driver. +- ``test:///path/to/host/definitions`` connects to a set of host definitions + held in the named file. + Remote URIs ----------- @@ -408,13 +421,3 @@ parameter values must be | | | `` | | | | sshauth=privkey,agent`` | +-------------------------+-------------------------+-------------------------+ - -test:///... Test URIs ---------------------- - -The test driver is a dummy hypervisor for test purposes. The URIs supported are: - -- ``test:///default`` connects to a default set of host definitions built into - the driver. -- ``test:///path/to/host/definitions`` connects to a set of host definitions - held in the named file. -- 2.35.1

Avoid the table and add a brief description of the transport protocol. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/uri.rst | 474 +++++++++++++++++++++++++-------------------------- 1 file changed, 228 insertions(+), 246 deletions(-) diff --git a/docs/uri.rst b/docs/uri.rst index 714a0c4c21..4efd634087 100644 --- a/docs/uri.rst +++ b/docs/uri.rst @@ -168,8 +168,11 @@ Some examples: — Connect to a remote host using a ssh connection with the libssh driver and use a different known_hosts file. -Extra parameters -~~~~~~~~~~~~~~~~ +Transport configuration +~~~~~~~~~~~~~~~~~~~~~~~ + +The remote driver supports multiple transport protocols and approaches which are +configurable via the URI. Extra parameters can be added to remote URIs as part of the query string (the part following ``?``). Remote URIs understand the extra parameters shown @@ -177,247 +180,226 @@ below. Any others are passed unmodified through to the back end. Note that parameter values must be `URI-escaped <http://xmlsoft.org/html/libxml-uri.html#xmlURIEscapeStr>`__. -+-------------------------+-------------------------+-------------------------+ -| Name | Transports | Meaning | -+=========================+=========================+=========================+ -| ``name`` | *any transport* | The name passed to the | -| | | remote virConnectOpen | -| | | function. The name is | -| | | normally formed by | -| | | removing transport, | -| | | hostname, port number, | -| | | username and extra | -| | | parameters from the | -| | | remote URI, but in | -| | | certain very complex | -| | | cases it may be better | -| | | to supply the name | -| | | explicitly. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``name=qemu:///system`` | -+-------------------------+-------------------------+-------------------------+ -| ``tls_priority`` | tls | A valid GNUTLS priority | -| | | string | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``tls_priorit | -| | | y=NORMAL:-VERS-SSL3.0`` | -+-------------------------+-------------------------+-------------------------+ -| ``mode`` | unix, ssh, libssh, | ``auto`` | -| | libssh2 | automatically | -| | | determine the daemon | -| | | ``direct`` | -| | | connect to | -| | | per-driver daemons | -| | | ``legacy`` | -| | | connect to libvirtd | -| | | | -| | | Can also be set in | -| | | ``libvirt.conf`` as | -| | | ``remote_mode`` | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``mode=direct`` | -+-------------------------+-------------------------+-------------------------+ -| ``proxy`` | auto, netcat, native | ``auto`` | -| | | try native, fallback | -| | | to netcat | -| | | ``netcat`` | -| | | only use netcat | -| | | ``native`` | -| | | only use native | -| | | | -| | | Can also be set in | -| | | ``libvirt.conf`` as | -| | | ``remote_proxy`` | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``proxy=native`` | -+-------------------------+-------------------------+-------------------------+ -| ``command`` | ssh, ext | The external command. | -| | | For ext transport this | -| | | is required. For ssh | -| | | the default is ``ssh``. | -| | | The PATH is searched | -| | | for the command. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``command | -| | | =/opt/openssh/bin/ssh`` | -+-------------------------+-------------------------+-------------------------+ -| ``socket`` | unix, ssh, libssh2, | The path to the Unix | -| | libssh | domain socket, which | -| | | overrides the | -| | | compiled-in default. | -| | | For ssh transport, this | -| | | is passed to the remote | -| | | netcat command (see | -| | | next). | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | `` | -| | | socket=/opt/libvirt/run | -| | | /libvirt/libvirt-sock`` | -+-------------------------+-------------------------+-------------------------+ -| ``netcat`` | ssh, libssh2, libssh | The name of the netcat | -| | | command on the remote | -| | | machine. The default is | -| | | ``nc``. This is not | -| | | permitted when using | -| | | the ``native`` proxy | -| | | mode. For ssh | -| | | transport, libvirt | -| | | constructs an ssh | -| | | command which looks | -| | | like: | -| | | | -| | | ``command -p port`` | -| | | ``[-l username]`` | -| | | ``hostname`` or | -| | | | -| | | ``netcat -U socket`` | -| | | | -| | | where *port*, | -| | | *username*, *hostname* | -| | | can be specified as | -| | | part of the remote URI, | -| | | and *command*, *netcat* | -| | | and *socket* come from | -| | | extra parameters (or | -| | | sensible defaults). | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``netc | -| | | at=/opt/netcat/bin/nc`` | -+-------------------------+-------------------------+-------------------------+ -| ``keyfile`` | ssh, libssh2, libssh | The name of the private | -| | | key file to use to | -| | | authentication to the | -| | | remote machine. If this | -| | | option is not used the | -| | | default keys are used. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``keyfile=/ | -| | | root/.ssh/example_key`` | -+-------------------------+-------------------------+-------------------------+ -| ``no_verify`` | ssh, tls | SSH: If set to a | -| | | non-zero value, this | -| | | disables client's | -| | | strict host key | -| | | checking making it | -| | | auto-accept new host | -| | | keys. Existing host | -| | | keys will still be | -| | | validated. | -| | | TLS: If set to a | -| | | non-zero value, this | -| | | disables client checks | -| | | of the server's | -| | | certificate. Note that | -| | | to disable server | -| | | checks of the client's | -| | | certificate or IP | -| | | address you must | -| | | `change the libvirtd | -| | | conf | -| | | iguration <#Remote_libv | -| | | irtd_configuration>`__. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``no_verify=1`` | -+-------------------------+-------------------------+-------------------------+ -| ``no_tty`` | ssh | If set to a non-zero | -| | | value, this stops ssh | -| | | from asking for a | -| | | password if it cannot | -| | | log in to the remote | -| | | machine automatically | -| | | (eg. using ssh-agent | -| | | etc.). Use this when | -| | | you don't have access | -| | | to a terminal - for | -| | | example in graphical | -| | | programs which use | -| | | libvirt. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: ``no_tty=1`` | -+-------------------------+-------------------------+-------------------------+ -| ``pkipath`` | tls | Specifies x509 | -| | | certificates path for | -| | | the client. If any of | -| | | the CA certificate, | -| | | client certificate, or | -| | | client key is missing, | -| | | the connection will | -| | | fail with a fatal | -| | | error. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``pk | -| | | ipath=/tmp/pki/client`` | -+-------------------------+-------------------------+-------------------------+ -| ``known_hosts`` | libssh2, libssh | Path to the known_hosts | -| | | file to verify the host | -| | | key against. LibSSH2 | -| | | and libssh support | -| | | OpenSSH-style | -| | | known_hosts files, | -| | | although LibSSH2 does | -| | | not support all key | -| | | types, so using files | -| | | created by the OpenSSH | -| | | binary may result into | -| | | truncating the | -| | | known_hosts file. Thus, | -| | | with LibSSH2 it's | -| | | recommended to use the | -| | | default known_hosts | -| | | file is located in | -| | | libvirt's client local | -| | | configuration directory | -| | | e.g.: | -| | | ~/.conf | -| | | ig/libvirt/known_hosts. | -| | | Note: Use absolute | -| | | paths. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``known_hosts=/ | -| | | root/.ssh/known_hosts`` | -+-------------------------+-------------------------+-------------------------+ -| ``known_hosts_verify`` | libssh2, libssh | If set to ``normal`` | -| | | (default), then the | -| | | user will be asked to | -| | | accept new host keys. | -| | | If set to ``auto``, new | -| | | host keys will be | -| | | auto-accepted, but | -| | | existing host keys will | -| | | still be validated. If | -| | | set to ``ignore``, this | -| | | disables client's | -| | | strict host key | -| | | checking. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | ``know | -| | | n_hosts_verify=ignore`` | -+-------------------------+-------------------------+-------------------------+ -| ``sshauth`` | libssh2, libssh | A comma separated list | -| | | of authentication | -| | | methods to use. Default | -| | | (is | -| | | "agent,privkey,password | -| | | ,keyboard-interactive". | -| | | The order of the | -| | | methods is preserved. | -| | | Some methods may | -| | | require additional | -| | | parameters. | -+-------------------------+-------------------------+-------------------------+ -| | | Example: | -| | | `` | -| | | sshauth=privkey,agent`` | -+-------------------------+-------------------------+-------------------------+ +All transports support the following parameters: + + ``name`` + + The name passed to the remote ``virConnectOpen`` function. The name is + normally formed by removing transport, hostname, port number, username and + extra parameters from the remote URI, but in certain very complex cases it + may be better to supply the name explicitly. + + **Example:** ``name=qemu:///system`` + +``ssh`` transport +^^^^^^^^^^^^^^^^^ + +The ``ssh`` transport uses the standard SSH protocol via the system installed +binary. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``proxy`` + See the info on the `proxy parameter`_. + ``command`` + Path to the ``ssh`` binary to use. + + **Example:** ``command=/opt/openssh/bin/ssh`` + ``socket`` + See the info on the `socket parameter`_. + ``netcat`` + See the info on the `netcat parameter`_. + ``keyfile`` + See the info on the `keyfile parameter`_. + ``no_verify`` + If set to a non-zero value, this disables client's strict host key checking + making it auto-accept new host keys. Existing host keys will still be + validated. + + **Example:** ``no_verify=1`` + ``no_tty`` + If set to a non-zero value, this stops ssh from asking for a password if it + cannot log in to the remote machine automatically (eg. using ssh-agent + etc.). Use this when you don't have access to a terminal - for example in + graphical programs which use libvirt. + + **Example:** ``no_tty=1`` + +``libssh`` and ``libssh2`` transport +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Same as the ``ssh`` transport but the SSH client is handled directly by using +either ``libssh`` or ``libssh2`` to handle the SSH protocol without spawning an +extra process. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``proxy`` + See the info on the `proxy parameter`_. + ``socket`` + See the info on the `socket parameter`_. + ``netcat`` + See the info on the `netcat parameter`_. + ``keyfile`` + See the info on the `keyfile parameter`_. + ``known_hosts`` + Path to the known_hosts file to verify the host key against. LibSSH2 and + libssh support OpenSSH-style known_hosts files, although LibSSH2 does not + support all key types, so using files created by the OpenSSH binary may + result into truncating the known_hosts file. Thus, with LibSSH2 it's + recommended to use the default known_hosts file is located in libvirt's + client local configuration directory e.g.: ~/.conf ig/libvirt/known_hosts. + + *Note:* Use absolute paths. + + **Example:** ``known_hosts=/root/.ssh/known_hosts`` + + ``known_hosts_verify`` + If set to ``normal`` (default), then the user will be asked to accept new + host keys. If set to ``auto``, new host keys will be auto-accepted, but + existing host keys will still be validated. If set to ``ignore``, this + disables client's strict host key checking. + + **Example:** ``known_hosts_verify=ignore`` + + ``sshauth`` + A comma separated list of authentication methods to use. Default (is + "agent,privkey,password ,keyboard-interactive". The order of the methods + is preserved. Some methods may require additional parameters. + + **Example:** ``sshauth=privkey,agent`` + +``tls`` transport +^^^^^^^^^^^^^^^^^ + +This transport uses a TCP connection to the socket. The data is encrypted using +TLS to ensure security. Note that TLS certificates must be setup for this to +work. + +Supported extra parameters: + + ``tls_priority`` + A valid GNUTLS priority string. + + **Example:** ``tls_priority=NORMAL:-VERS-SSL3.0`` + + ``no_verify`` + If set to a non-zero value, this disables client checks of the server's + certificate. Note that to disable server checks of the client's certificate + or IP address you must `change the libvirtd configuration + <#Remote_libvirtd_configuration>`__ + + **Example:** ``no_verify=1`` + + ``pkipath`` + + Specifies x509 certificates path for the client. If any of the CA + certificate, client certificate, or client key is missing, the connection + will fail with a fatal error. + + **Example:** ``pkipath=/tmp/pki/client`` + +``unix`` transport +^^^^^^^^^^^^^^^^^^ + +This transport uses an unix domain socket is used to connect to the daemon. +This is the most common case. In most cases no extra parameters are needed. + +Supported extra parameters: + + ``mode`` + See the info on the `mode parameter`_. + ``socket`` + See the info on the `socket parameter`_. + +``ext`` transport +^^^^^^^^^^^^^^^^^ + +The ``ext`` transport invokes the user specified command to transport the +libvirt RPC protocol to the destination. The command must be able to handle +the proper connection. Standard input/output is used for the communication. + +Supported extra parameters: + + ``command`` + The external command launched to tunnel the data to the destination. + +``tcp`` transport +^^^^^^^^^^^^^^^^^ + +The ``tcp`` transport uses plain unencrypted TCP connection to libvirt. This +is insecure and should not be used. This transport has no additional arguments. + +Common extra parameters +~~~~~~~~~~~~~~~~~~~~~~~ + +Certain extra parameters are shared between multiple protocols. See the list of +transport protocols above for specific usage. + +``mode`` parameter +^^^^^^^^^^^^^^^^^^ + +Controls whether to connect to per-driver daemons or libvirtd. + +Supported values: + + ``auto`` + automatically determine the daemon + ``direct`` + connect to per-driver daemons + ``legacy`` + connect to libvirtd + +Default is ``auto``. Can also be set in ``libvirt.conf`` as ``remote_mode``. + +**Example:** ``mode=direct`` + +``proxy`` parameter +^^^^^^^^^^^^^^^^^^^ + +Controls which proxy binary is used on the remote side of connection to connect +to the daemon. + +Supported values: + + ``auto`` + try native, fallback to netcat + ``netcat`` + only use netcat + ``native`` + use the libvirt native proxy binary + +Default is ``auto``. Can also be set in ``libvirt.conf`` as ``remote_proxy``. + +**Example:** ``proxy=native`` + +``socket`` parameter +^^^^^^^^^^^^^^^^^^^^ + +The path to the Unix domain socket, which overrides the compiled-in default. +This may be passed to the remote proxy command (See. `proxy parameter`). + +**Example:** ``socket=/opt/libvirt/run/libvirt/libvirt-sock`` + +``netcat`` parameter +^^^^^^^^^^^^^^^^^^^^ +The name of the netcat command on the remote machine. The default is ``nc``. +This is not permitted when using the ``native`` proxy mode. + +The command used here is used on the remote side of the connection as: + + ``netcat -U socket`` + +**Example:** ``netcat=/opt/netcat/bin/nc`` + +``keyfile`` parameter +^^^^^^^^^^^^^^^^^^^^^ + +The name of the private key file to use to authentication to the remote +machine. If this option is not used the default keys are used. + +**Example:** ``keyfile=/root/.ssh/example_key`` -- 2.35.1

The 'codeofconduct' anchor is unused as of 523f2de82e0f523bd552947 . Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/governance.rst | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/governance.rst b/docs/governance.rst index df90ce678d..44dd54d4a0 100644 --- a/docs/governance.rst +++ b/docs/governance.rst @@ -1,6 +1,3 @@ -.. role:: anchor(raw) - :format: html - ================== Project governance ================== @@ -13,8 +10,6 @@ the ongoing development of the project's work. This pages describes how that participation takes place and how contributors earn merit, and thus influence, within the community. -:anchor:`<a id="codeofconduct"/>` - Code of conduct --------------- -- 2.35.1

Modify the name of the 'IRC discussion' paragraph to just 'IRC' so that the links keep working and remove the raw HTML anchors. Adjustment is needed for documents which were using the '#email' anchor which has now become '#mailing-lists'. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/contact.rst | 11 ++--------- docs/contribute.rst | 10 +++++----- docs/page.xsl | 2 +- docs/securityprocess.rst | 4 ++-- 4 files changed, 10 insertions(+), 17 deletions(-) diff --git a/docs/contact.rst b/docs/contact.rst index 75b1239301..19e1b66a52 100644 --- a/docs/contact.rst +++ b/docs/contact.rst @@ -1,6 +1,3 @@ -.. role:: anchor(raw) - :format: html - =================================== Contacting the project contributors =================================== @@ -17,8 +14,6 @@ issues <securityprocess.html>`__ that should be used instead. So if your issue has security implications, ignore the rest of this page and follow the `security process <securityprocess.html>`__ instead. -:anchor:`<a id="email"/>` - Mailing lists ------------- @@ -78,10 +73,8 @@ discussion. Wherever possible, please generate the patches by using regarding developing libvirt and/or contributing is available on our `Contributor Guidelines <hacking.html>`__ page. -:anchor:`<a id="irc"/>` - -IRC discussion --------------- +IRC +--- Some of the libvirt developers may be found on IRC on the `OFTC IRC <https://oftc.net>`__ network. Use the settings: diff --git a/docs/contribute.rst b/docs/contribute.rst index c95c8b59d2..6ed5426b8a 100644 --- a/docs/contribute.rst +++ b/docs/contribute.rst @@ -67,7 +67,7 @@ to libvirt. If you have ideas for other contributions feel free to follow them. have, or run into trouble with managing an existing deployment. While some users may be able to contact a software vendor to obtain support, it is common to rely on community help forums such as `libvirt users mailing - list <contact.html#email>`__, or sites such as + list <contact.html#mailing-lists>`__, or sites such as `stackoverflow. <https://stackoverflow.com/questions/tagged/libvirt>`__ People who are familiar with libvirt and have ability & desire to help other users are encouraged to participate in these help forums. @@ -82,10 +82,10 @@ for communication between contributors: Mailing lists ~~~~~~~~~~~~~ -The project has a number of `mailing lists <contact.html#email>`__ for general -communication between contributors. In general any design discussions and review -of contributions will take place on the mailing lists, so it is important for -all contributors to follow the traffic. +The project has a number of `mailing lists <contact.html#mailing-lists>`__ for +general communication between contributors. In general any design discussions +and review of contributions will take place on the mailing lists, so it is +important for all contributors to follow the traffic. Instant messaging / chat ~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/docs/page.xsl b/docs/page.xsl index 7d0203cf62..0a0b017482 100644 --- a/docs/page.xsl +++ b/docs/page.xsl @@ -172,7 +172,7 @@ <div id="contact"> <h3>Contact</h3> <ul> - <li><a href="{$href_base}contact.html#email">email</a></li> + <li><a href="{$href_base}contact.html#mailng-lists">email</a></li> <li><a href="{$href_base}contact.html#irc">irc</a></li> </ul> </div> diff --git a/docs/securityprocess.rst b/docs/securityprocess.rst index fe64e94f80..23f7a39e96 100644 --- a/docs/securityprocess.rst +++ b/docs/securityprocess.rst @@ -35,8 +35,8 @@ format in the `libvirt-security-notice GIT repository <https://gitlab.com/libvirt/libvirt-security-notice>`__ and `published online <https://security.libvirt.org>`__ in text, HTML and XML formats. Security notices are published on the `libvirt-announce mailing -list <https://libvirt.org/contact.html#email>`__ when any embargo is lifted, or -as soon as triaged if already public knowledge. +list <https://libvirt.org/contact.html#mailing-lists>`__ when any embargo is +lifted, or as soon as triaged if already public knowledge. Security team ------------- -- 2.35.1

On a Friday in 2022, Peter Krempa wrote:
Modify the name of the 'IRC discussion' paragraph to just 'IRC' so that the links keep working and remove the raw HTML anchors.
Adjustment is needed for documents which were using the '#email' anchor which has now become '#mailing-lists'.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/contact.rst | 11 ++--------- docs/contribute.rst | 10 +++++----- docs/page.xsl | 2 +- docs/securityprocess.rst | 4 ++-- 4 files changed, 10 insertions(+), 17 deletions(-)
diff --git a/docs/page.xsl b/docs/page.xsl index 7d0203cf62..0a0b017482 100644 --- a/docs/page.xsl +++ b/docs/page.xsl @@ -172,7 +172,7 @@ <div id="contact"> <h3>Contact</h3> <ul> - <li><a href="{$href_base}contact.html#email">email</a></li> + <li><a href="{$href_base}contact.html#mailng-lists">email</a></li>
s/mailng/mailing/ Jano
<li><a href="{$href_base}contact.html#irc">irc</a></li> </ul> </div>

Modify the gitlab templates linking to it and remove the raw HTML. Note that also the default template needs to be changed directly in gitlab. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- .gitlab/issue_templates/bug.md | 2 +- docs/bugs.rst | 5 ----- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.gitlab/issue_templates/bug.md b/.gitlab/issue_templates/bug.md index b2d1e46490..8a54cc2da4 100644 --- a/.gitlab/issue_templates/bug.md +++ b/.gitlab/issue_templates/bug.md @@ -1,4 +1,4 @@ -<!-- See https://libvirt.org/bugs.html#quality for guidance --> +<!-- See https://libvirt.org/bugs.html#how-to-file-high-quality-bug-reports --> ## Software environment - Operating system: diff --git a/docs/bugs.rst b/docs/bugs.rst index 152d734592..b5d2e42b0c 100644 --- a/docs/bugs.rst +++ b/docs/bugs.rst @@ -1,6 +1,3 @@ -.. role:: anchor(raw) - :format: html - ============= Bug reporting ============= @@ -79,8 +76,6 @@ Linux Distribution specific bug reports like to have your procedure for filing bugs mentioned here, please mail the libvirt development list. -:anchor:`<a id="quality"/>` - How to file high quality bug reports ------------------------------------ -- 2.35.1

Most of the anchors that were forward ported to formatdomain.rst when it was converted are not actually referenced by our documentation. Since it's now quite some time after the conversion was done we can remove them. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/formatdomain.rst | 112 ------------------------------------------ 1 file changed, 112 deletions(-) diff --git a/docs/formatdomain.rst b/docs/formatdomain.rst index 6c4096713a..9be305f3e6 100644 --- a/docs/formatdomain.rst +++ b/docs/formatdomain.rst @@ -285,8 +285,6 @@ them in production. case the boot fails (according to BIOS). The value is in milliseconds with maximum of ``65535`` and special value ``-1`` disables the reboot. -:anchor:`<a id="elementsOSBootloader"/>` - Host bootloader ~~~~~~~~~~~~~~~ @@ -312,8 +310,6 @@ also uses a host bootloader, either ``bhyveload`` or ``grub-bhyve``. The optional ``bootloader_args`` element allows command line arguments to be passed to the bootloader. :since:`Since 0.2.3` -:anchor:`<a id="elementsOSKernel"/>` - Direct kernel boot ~~~~~~~~~~~~~~~~~~ @@ -1226,8 +1222,6 @@ Block I/O Tuning ``write_iops_sec`` Write I/O operations per second limit. :since:`Since 1.2.2` -:anchor:`<a id="resPartition"/>` - Resource partitioning --------------------- @@ -1811,8 +1805,6 @@ manager will take its default action. ``ignore`` Keep the domain running as if nothing happened. -:anchor:`<a id="elementsPowerManagement"/>` - Power Management ---------------- @@ -2129,8 +2121,6 @@ are: tb-cache The size of translation block cache size an integer (a multiple of MiB) :since:`8.0.0` =========== ============================================== =================================================== ============== -:anchor:`<a id="elementsTime"/>` - Time keeping ------------ @@ -2251,8 +2241,6 @@ Windows, however, expects it to be in so called 'localtime'. The ``present`` attribute can be "yes" or "no" to specify whether a particular timer is available to the guest. -:anchor:`<a id="elementsPerf"/>` - Performance monitoring events ----------------------------- @@ -3306,8 +3294,6 @@ paravirtualized driver is specified via the ``disk`` element. disk's hardware sector size which can be relevant for the alignment of disk data. -:anchor:`<a id="elementsFilesystems"/>` - Filesystems ~~~~~~~~~~~ @@ -3978,8 +3964,6 @@ pcie-root-port. ( :since:`since 1.2.19` ) </devices> ... -:anchor:`<a id="elementsLease"/>` - Device leases ~~~~~~~~~~~~~ @@ -4019,8 +4003,6 @@ acquired. Host device assignment ~~~~~~~~~~~~~~~~~~~~~~ -:anchor:`<a id="elementsHostDevSubsys"/>` - USB / PCI / SCSI devices ^^^^^^^^^^^^^^^^^^^^^^^^ @@ -4313,8 +4295,6 @@ or: Note: Although ``shareable`` was introduced :since:`in 1.0.6` , it did not work as as expected until :since:`1.2.2` . -:anchor:`<a id="elementsHostDevCaps"/>` - Block / character devices ^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -4365,8 +4345,6 @@ after 1.0.1 for LXC` : used. For network interfaces, the name of the interface is provided in the "interface" element. -:anchor:`<a id="elementsRedir"/>` - Redirected devices ~~~~~~~~~~~~~~~~~~ @@ -4417,8 +4395,6 @@ after 0.9.5 (KVM only)` : ``-1`` can be used to allow any value for them. ``allow`` attribute is mandatory, 'yes' means allow, 'no' for deny. -:anchor:`<a id="elementsSmartcard"/>` - Smartcard devices ~~~~~~~~~~~~~~~~~ @@ -4536,8 +4512,6 @@ to provide network interface device naming, that is stable across changes in PCI addresses assigned to the device. This value is required to be unique across all devices and be between 1 and (16*1024-1). -:anchor:`<a id="elementsNICSVirtual"/>` - Virtual network ^^^^^^^^^^^^^^^ @@ -4622,8 +4596,6 @@ virtualport, connection of the interface will fail. </devices> ... -:anchor:`<a id="elementsNICSBridge"/>` - Bridge to LAN ^^^^^^^^^^^^^ @@ -4704,8 +4676,6 @@ to the interface. </devices> ... -:anchor:`<a id="elementsNICSSlirp"/>` - Userspace SLIRP stack ^^^^^^^^^^^^^^^^^^^^^ @@ -4734,8 +4704,6 @@ to add an IPv6 address to the interface. ``address``. Optionally, address </devices> ... -:anchor:`<a id="elementsNICSEthernet"/>` - Generic ethernet connection ^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -4903,8 +4871,6 @@ should be provided by the network administrator. :since:`Since 0.8.2` </devices> ... -:anchor:`<a id="elementsNICSHostdev"/>` - PCI Passthrough ^^^^^^^^^^^^^^^ @@ -4962,8 +4928,6 @@ or stopping the guest. </devices> ... -:anchor:`<a id="elementsNICSVDPA"/>` - vDPA devices ^^^^^^^^^^^^ @@ -4986,8 +4950,6 @@ requires QEMU 5.1.0 or newer)` </devices> ... -:anchor:`<a id="elementsTeaming"/>` - Teaming a virtio/hostdev NIC pair ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5116,8 +5078,6 @@ management software must properly modify the interface XML during migration so that the virtio device remains connected to the same network segment before and after migration. -:anchor:`<a id="elementsNICSMulticast"/>` - Multicast tunnel ^^^^^^^^^^^^^^^^ @@ -5141,8 +5101,6 @@ must be from the multicast address block. </devices> ... -:anchor:`<a id="elementsNICSTCP"/>` - TCP tunnel ^^^^^^^^^^ @@ -5170,8 +5128,6 @@ appropriate routing. </devices> ... -:anchor:`<a id="elementsNICSUDP"/>` - UDP unicast tunnel ^^^^^^^^^^^^^^^^^^ @@ -5195,8 +5151,6 @@ which the UDP socket packets will originate from the QEMU host. :since:`Since </devices> ... -:anchor:`<a id="elementsNICSModel"/>` - Setting the NIC model ^^^^^^^^^^^^^^^^^^^^^ @@ -5230,8 +5184,6 @@ ne2k_pci pcnet rtl8139 e1000 virtio. :since:`Since 5.2.0` , See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. -:anchor:`<a id="elementsDriverBackendOptions"/>` - Setting NIC driver-specific options ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5376,8 +5328,6 @@ sub-elements: options. By default, the supported offloads are enabled by QEMU. :since:`Since 1.2.9 (QEMU only)` -:anchor:`<a id="elementsBackendOptions"/>` - Setting network backend-specific options ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5444,8 +5394,6 @@ the ``guest`` element should be used, as in the following snippet: </devices> ... -:anchor:`<a id="elementsNICSBoot"/>` - Specifying boot order ^^^^^^^^^^^^^^^^^^^^^ @@ -5467,8 +5415,6 @@ be tried during boot sequence. The per-device ``boot`` elements cannot be used together with general boot elements in `BIOS bootloader <#elementsOSBIOS>`__ section. :since:`Since 0.8.8` -:anchor:`<a id="elementsNICSROM"/>` - Interface ROM BIOS configuration ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5495,8 +5441,6 @@ used to point to a binary file to be presented to the guest as the device's ROM BIOS. This can be useful to provide an alternative boot ROM for a network device. :since:`Since 0.9.10 (QEMU and KVM only)` . -:anchor:`<a id="elementDomain"/>` - Setting up a network backend in a driver domain ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5630,8 +5574,6 @@ each other; if there is a guest on the same bridge that doesn't have ``isolated='yes'``, even the isolated guests will be able to communicate with it.) -:anchor:`<a id="elementLink"/>` - Modifying virtual link state ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5701,8 +5643,6 @@ one attribute, ``max``, to tweak, in element ``frames`` for the ``rx`` group, which accepts a non-negative integer that specifies the maximum number of packets that will be received before an interrupt. :since:`Since 3.3.0` -:anchor:`<a id="ipconfig"/>` - IP configuration ^^^^^^^^^^^^^^^^ @@ -5812,8 +5752,6 @@ connection is lost. It has two attributes ``enabled`` (which accepts ``yes`` and ``no``) and ``timeout`` which specifies the amount of seconds after which hypervisor tries to reconnect. -:anchor:`<a id="elementNwfilter"/>` - Traffic filtering with NWFilter ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -5848,8 +5786,6 @@ nwfilter via the ``name`` and ``value`` attributes. See the `nwfilter <formatnwfilter.html#usage-of-variables-in-filters>`__ docs for info on parameters. -:anchor:`<a id="elementsInput"/>` - Input devices ~~~~~~~~~~~~~ @@ -5908,8 +5844,6 @@ The subelement ``driver`` can be used to tune the virtio options of the device: `Virtio-specific options <#elementsVirtio>`__ can also be set. ( :since:`Since 3.5.0` ) -:anchor:`<a id="elementsHub"/>` - Hub devices ~~~~~~~~~~~ @@ -6379,15 +6313,11 @@ are "yes" and "no" and ``timeout`` which is in seconds. The ``reconnect`` attribute is valid only for ``connect`` mode. :since:`Since 3.7.0 (QEMU driver only)` . -:anchor:`<a id="elementsCharGuestInterface"/>` - Guest interface ^^^^^^^^^^^^^^^ A character device presents itself to the guest as one of the following types. -:anchor:`<a id="elementCharParallel"/>` - Parallel port ''''''''''''' @@ -6479,8 +6409,6 @@ address. For the relationship between serial ports and consoles, `see below <#elementCharSerialAndConsole>`__. -:anchor:`<a id="elementCharConsole"/>` - Console ''''''' @@ -6609,8 +6537,6 @@ following configurations: will be treated the same and will result in a single emulated serial console being available to the guest. -:anchor:`<a id="elementCharChannel"/>` - Channel ''''''' @@ -6690,8 +6616,6 @@ Host interface A character device presents itself to the host as one of the following types. -:anchor:`<a id="elementsCharSTDIO"/>` - Domain logfile '''''''''''''' @@ -6708,8 +6632,6 @@ virtual machine's logfile </devices> ... -:anchor:`<a id="elementsCharFle"/>` - Device logfile '''''''''''''' @@ -6727,8 +6649,6 @@ file. </devices> ... -:anchor:`<a id="elementsCharVC"/>` - Virtual console ''''''''''''''' @@ -6745,8 +6665,6 @@ This is typically accessed via a special hotkey sequence such as "ctrl+alt+3" </devices> ... -:anchor:`<a id="elementsCharNull"/>` - Null device ''''''''''' @@ -6763,8 +6681,6 @@ input. All data written is discarded. </devices> ... -:anchor:`<a id="elementsCharPTY"/>` - Pseudo TTY '''''''''' @@ -6807,8 +6723,6 @@ port. </devices> ... -:anchor:`<a id="elementsCharPipe"/>` - Named pipe '''''''''' @@ -6825,8 +6739,6 @@ The character device writes output to a named pipe. See pipe(7) for more info. </devices> ... -:anchor:`<a id="elementsCharTCP"/>` - TCP client/server ''''''''''''''''' @@ -6907,8 +6819,6 @@ to use the host TLS environment if either the ``chardev_tls_x509_cert_dir`` or </devices> ... -:anchor:`<a id="elementsCharUDP"/>` - UDP network console ''''''''''''''''''' @@ -6927,8 +6837,6 @@ packets. This is a lossy service. </devices> ... -:anchor:`<a id="elementsCharUNIX"/>` - UNIX domain socket client/server '''''''''''''''''''''''''''''''' @@ -6946,8 +6854,6 @@ from local clients. </devices> ... -:anchor:`<a id="elementsCharSpiceport"/>` - Spice channel ''''''''''''' @@ -6968,8 +6874,6 @@ domains with or without `spice graphics <#elementsGraphics>`__. </devices> ... -:anchor:`<a id="elementsNmdm"/>` - Nmdm device ''''''''''' @@ -6995,8 +6899,6 @@ The ``source`` element has these attributes: Slave device of the pair, that is passed to the clients for connection to the guest console. Device is specified by a fully qualified path. -:anchor:`<a id="elementsSound"/>` - Sound devices ~~~~~~~~~~~~~ @@ -7391,8 +7293,6 @@ defaults to 'WAV' with QEMU. :since:`Since 7.2.0, qemu` -:anchor:`<a id="elementsWatchdog"/>` - Watchdog device ~~~~~~~~~~~~~~~ @@ -7455,8 +7355,6 @@ feature is planned for a future version of libvirt. Note 2: the directory to save dump files can be configured by ``auto_dump_path`` in file /etc/libvirt/qemu.conf. -:anchor:`<a id="elementsMemBalloon"/>` - Memory balloon device ~~~~~~~~~~~~~~~~~~~~~ @@ -7533,8 +7431,6 @@ Example: manually added device with static PCI slot 2 requested For model ``virtio`` memballoon, `Virtio-specific options <#elementsVirtio>`__ can also be set. ( :since:`Since 3.5.0` ) -:anchor:`<a id="elementsRng"/>` - Random number generator device ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -7729,8 +7625,6 @@ Example: usage of the TPM Emulator encrypted. The ``secret`` must reference a secret object that holds the passphrase from which the encryption key will be derived. -:anchor:`<a id="elementsNVRAM"/>` - NVRAM device ~~~~~~~~~~~~ @@ -7756,8 +7650,6 @@ Example: usage of NVRAM configuration ``reg`` Device address -:anchor:`<a id="elementsPanic"/>` - panic device ~~~~~~~~~~~~ @@ -7801,8 +7693,6 @@ Example: usage of panic configuration specify an address, and doing so is forbidden altogether for s390, pseries and hyperv models. -:anchor:`<a id="elementsShmem"/>` - Shared memory device ~~~~~~~~~~~~~~~~~~~~ @@ -8364,8 +8254,6 @@ spec <https://support.amd.com/TechDocs/55766_SEV-KM_API_Specification.pdf>`__ session blob defined in the SEV API spec. See SEV spec LAUNCH_START section for the session blob format. -:anchor:`<a id="examples"/>` - Example configs =============== -- 2.35.1

On 4/22/22 14:23, Peter Krempa wrote:
After this series only 2 non-generated HTML files remain: - index.html.in - 404.html.in
It is possible to convert these but the utility of doing so may not be great for now.
Additionally this series cleans up some long-broken links and removes unneeded raw HTML passthrough to declare anchors.
Pavel Hrdina (2): docs: storage: rename headers to remove duplicate names docs: Convert 'storage' page to rst
Peter Krempa (13): docs: formatsecret: Correct link to storage volume XML definition Correct links to TLS certificate setup page docs: Convert 'remote' page to rst docs: remote: Remove 'Limitations' paragraph docs: Convert 'uri' page to rst docs: uri: Remove old 'NULL URI' section docs: uri: Consolidate paragraphs on Xen URIs docs: uri: Move the 'test' hypervisor under a 'local hypervisors heading docs: uri: Rewrite section about transport protocols and extra parameters docs: governance: Remove unused HTML anchors docs: contact: Remove HTML anchors and adjust documents using them docs: bugs: Remove raw HTML anchor 'quality' docs: formatdomain: Remove old unreferenced HTML anchors
.gitlab/issue_templates/bug.md | 2 +- docs/bugs.rst | 5 - docs/contact.rst | 11 +- docs/contribute.rst | 10 +- docs/drvesx.rst | 5 +- docs/formatdomain.rst | 112 ----- docs/formatsecret.rst | 8 +- docs/governance.rst | 5 - docs/kbase/tlscerts.rst | 4 +- docs/meson.build | 6 +- docs/page.xsl | 2 +- docs/remote.html.in | 297 ------------ docs/remote.rst | 209 +++++++++ docs/securityprocess.rst | 4 +- docs/storage.html.in | 833 --------------------------------- docs/storage.rst | 790 +++++++++++++++++++++++++++++++ docs/uri.html.in | 507 -------------------- docs/uri.rst | 405 ++++++++++++++++ tools/virt-pki-validate.in | 10 +- 19 files changed, 1431 insertions(+), 1794 deletions(-) delete mode 100644 docs/remote.html.in create mode 100644 docs/remote.rst delete mode 100644 docs/storage.html.in create mode 100644 docs/storage.rst delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst
I'm having troubles applying these cleanly. In fact, patch 08/15 does not apply at all: Applying: docs: uri: Remove old 'NULL URI' section error: patch failed: docs/uri.rst:420 error: docs/uri.rst: patch does not apply Patch failed at 0008 docs: uri: Remove old 'NULL URI' section Do these depend on some other yet not merged patches? Michal

On 4/22/22 14:23, Peter Krempa wrote:
After this series only 2 non-generated HTML files remain: - index.html.in - 404.html.in
It is possible to convert these but the utility of doing so may not be great for now.
Additionally this series cleans up some long-broken links and removes unneeded raw HTML passthrough to declare anchors.
Pavel Hrdina (2): docs: storage: rename headers to remove duplicate names docs: Convert 'storage' page to rst
Peter Krempa (13): docs: formatsecret: Correct link to storage volume XML definition Correct links to TLS certificate setup page docs: Convert 'remote' page to rst docs: remote: Remove 'Limitations' paragraph docs: Convert 'uri' page to rst docs: uri: Remove old 'NULL URI' section docs: uri: Consolidate paragraphs on Xen URIs docs: uri: Move the 'test' hypervisor under a 'local hypervisors heading docs: uri: Rewrite section about transport protocols and extra parameters docs: governance: Remove unused HTML anchors docs: contact: Remove HTML anchors and adjust documents using them docs: bugs: Remove raw HTML anchor 'quality' docs: formatdomain: Remove old unreferenced HTML anchors
.gitlab/issue_templates/bug.md | 2 +- docs/bugs.rst | 5 - docs/contact.rst | 11 +- docs/contribute.rst | 10 +- docs/drvesx.rst | 5 +- docs/formatdomain.rst | 112 ----- docs/formatsecret.rst | 8 +- docs/governance.rst | 5 - docs/kbase/tlscerts.rst | 4 +- docs/meson.build | 6 +- docs/page.xsl | 2 +- docs/remote.html.in | 297 ------------ docs/remote.rst | 209 +++++++++ docs/securityprocess.rst | 4 +- docs/storage.html.in | 833 --------------------------------- docs/storage.rst | 790 +++++++++++++++++++++++++++++++ docs/uri.html.in | 507 -------------------- docs/uri.rst | 405 ++++++++++++++++ tools/virt-pki-validate.in | 10 +- 19 files changed, 1431 insertions(+), 1794 deletions(-) delete mode 100644 docs/remote.html.in create mode 100644 docs/remote.rst delete mode 100644 docs/storage.html.in create mode 100644 docs/storage.rst delete mode 100644 docs/uri.html.in create mode 100644 docs/uri.rst
Yeah, I still not quite understand what went wrong, but after I checked out your branch on gitlab I can give you my: Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Thanks, Michal
participants (3)
-
Ján Tomko
-
Michal Prívozník
-
Peter Krempa