changeset:   1147:7481eafdde8d
user:        berrange
date:        Fri Oct 12 18:54:15 2007 +0000
files:       libvirt.spec.in qemud/Makefile.am qemud/libvirtd.conf src/Makefile.am src/qemu.conf
description:
Added default example configs for libvirtd/qemu driver


diff -r c48e81e685a3 -r 7481eafdde8d qemud/libvirtd.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/qemud/libvirtd.conf	Fri Oct 12 18:54:15 2007 +0000
@@ -0,0 +1,141 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is neccessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+# listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# NB, this is insecure. Do not use except for development.
+#
+# This is disabled by default, uncomment this to enable it.
+# listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+# 
+# tcp_port = "16509"
+
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+# mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+# 
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+# mdns_name "Virtualization Host Joe Demo" 
+
+
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+# 
+# This is restricted to 'root' by default. 
+# unix_sock_group "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+# unix_sock_ro_perms "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If setting group ownership may want to
+# relax this to:
+# unix_sock_rw_perms "octal-perms" 	"0770"
+
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+# tls_no_verify_certificate 1 
+
+# Flag to disable verification of client IP address
+#
+# Client IP address will be verified against the CommonName field
+# of the x509 certificate. This has minimal security benefit since
+# it is easy to spoof source IP.
+#
+# Uncommenting this will disable verification
+# tls_no_verify_address 1
+
+# Override the default server key file path
+#
+# key_file "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+# cert_file "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+# ca_file "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+# 
+# Defaults to not using a CRL, uncomment to enable it
+# crl_file "/etc/pki/CA/crl.pem"
+
+# A whitelist of allowed x509  Distinguished Names
+# This list may contain wildcards such as 
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+# tls_allowed_dn_list ["DN1", "DN2"]
+
+
+# A whitelist of allowed client IP addresses
+#
+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch 
+# function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
+# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
+
+
diff -r c48e81e685a3 -r 7481eafdde8d src/qemu.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/qemu.conf	Fri Oct 12 18:54:15 2007 +0000
@@ -0,0 +1,49 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# vnc_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is neccessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel. 
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+# 
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+# vnc_tls_x509_verify = 1