|
Daniel P. Berrange |
fdd7e8 |
changeset: 1147:7481eafdde8d
|
|
Daniel P. Berrange |
fdd7e8 |
user: berrange
|
|
Daniel P. Berrange |
fdd7e8 |
date: Fri Oct 12 18:54:15 2007 +0000
|
|
Daniel P. Berrange |
fdd7e8 |
files: libvirt.spec.in qemud/Makefile.am qemud/libvirtd.conf src/Makefile.am src/qemu.conf
|
|
Daniel P. Berrange |
fdd7e8 |
description:
|
|
Daniel P. Berrange |
fdd7e8 |
Added default example configs for libvirtd/qemu driver
|
|
Daniel P. Berrange |
fdd7e8 |
|
|
Daniel P. Berrange |
fdd7e8 |
|
|
Daniel P. Berrange |
fdd7e8 |
diff -r c48e81e685a3 -r 7481eafdde8d qemud/libvirtd.conf
|
|
Daniel P. Berrange |
fdd7e8 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
|
|
Daniel P. Berrange |
fdd7e8 |
+++ b/qemud/libvirtd.conf Fri Oct 12 18:54:15 2007 +0000
|
|
Daniel P. Berrange |
fdd7e8 |
@@ -0,0 +1,141 @@
|
|
Daniel P. Berrange |
fdd7e8 |
+# Master libvirt daemon configuration file
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# For further information consult http://libvirt.org/format.html
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Flag listening for secure TLS connections on the public TCP/IP port.
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB, must pass the --listen flag to the libvirtd process for this to
|
|
Daniel P. Berrange |
fdd7e8 |
+# have any effect.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# It is neccessary to setup a CA and issue server certificates before
|
|
Daniel P. Berrange |
fdd7e8 |
+# using this capability.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This is enabled by default, uncomment this to disable it
|
|
Daniel P. Berrange |
fdd7e8 |
+# listen_tls = 0
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Listen for unencrypted TCP connections on the public TCP/IP port.
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB, must pass the --listen flag to the libvirtd process for this to
|
|
Daniel P. Berrange |
fdd7e8 |
+# have any effect.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB, this is insecure. Do not use except for development.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This is disabled by default, uncomment this to enable it.
|
|
Daniel P. Berrange |
fdd7e8 |
+# listen_tcp = 1
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the port for accepting secure TLS connections
|
|
Daniel P. Berrange |
fdd7e8 |
+# This can be a port number, or service name
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# tls_port = "16514"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the port for accepting insecure TCP connections
|
|
Daniel P. Berrange |
fdd7e8 |
+# This can be a port number, or service name
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# tcp_port = "16509"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Flag toggling mDNS advertizement of the libvirt service.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Alternatively can disable for all services on a host by
|
|
Daniel P. Berrange |
fdd7e8 |
+# stopping the Avahi daemon
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This is enabled by default, uncomment this to disable it
|
|
Daniel P. Berrange |
fdd7e8 |
+# mdns_adv = 0
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the default mDNS advertizement name. This must be
|
|
Daniel P. Berrange |
fdd7e8 |
+# unique on the immediate broadcast network.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
|
|
Daniel P. Berrange |
fdd7e8 |
+# is subsituted for the short hostname of the machine (without domain)
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# mdns_name "Virtualization Host Joe Demo"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Set the UNIX domain socket group ownership. This can be used to
|
|
Daniel P. Berrange |
fdd7e8 |
+# allow a 'trusted' set of users access to management capabilities
|
|
Daniel P. Berrange |
fdd7e8 |
+# without becoming root.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This is restricted to 'root' by default.
|
|
Daniel P. Berrange |
fdd7e8 |
+# unix_sock_group "libvirt"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Set the UNIX socket permissions for the R/O socket. This is used
|
|
Daniel P. Berrange |
fdd7e8 |
+# for monitoring VM status only
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Default allows any user. If setting group ownership may want to
|
|
Daniel P. Berrange |
fdd7e8 |
+# restrict this to:
|
|
Daniel P. Berrange |
fdd7e8 |
+# unix_sock_ro_perms "0777"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Set the UNIX socket permissions for the R/W socket. This is used
|
|
Daniel P. Berrange |
fdd7e8 |
+# for full management of VMs
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Default allows only root. If setting group ownership may want to
|
|
Daniel P. Berrange |
fdd7e8 |
+# relax this to:
|
|
Daniel P. Berrange |
fdd7e8 |
+# unix_sock_rw_perms "octal-perms" "0770"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Flag to disable verification of client certificates
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Client certificate verification is the primary authentication mechanism.
|
|
Daniel P. Berrange |
fdd7e8 |
+# Any client which does not present a certificate signed by the CA
|
|
Daniel P. Berrange |
fdd7e8 |
+# will be rejected.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Default is to always verify. Uncommenting this will disable
|
|
Daniel P. Berrange |
fdd7e8 |
+# verification - make sure an IP whitelist is set
|
|
Daniel P. Berrange |
fdd7e8 |
+# tls_no_verify_certificate 1
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Flag to disable verification of client IP address
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Client IP address will be verified against the CommonName field
|
|
Daniel P. Berrange |
fdd7e8 |
+# of the x509 certificate. This has minimal security benefit since
|
|
Daniel P. Berrange |
fdd7e8 |
+# it is easy to spoof source IP.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Uncommenting this will disable verification
|
|
Daniel P. Berrange |
fdd7e8 |
+# tls_no_verify_address 1
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the default server key file path
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# key_file "/etc/pki/libvirt/private/serverkey.pem"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the default server certificate file path
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# cert_file "/etc/pki/libvirt/servercert.pem"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Override the default CA certificate path
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# ca_file "/etc/pki/CA/cacert.pem"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Specify a certificate revocation list.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Defaults to not using a CRL, uncomment to enable it
|
|
Daniel P. Berrange |
fdd7e8 |
+# crl_file "/etc/pki/CA/crl.pem"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# A whitelist of allowed x509 Distinguished Names
|
|
Daniel P. Berrange |
fdd7e8 |
+# This list may contain wildcards such as
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# See the POSIX fnmatch function for the format of the wildcards.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB If this is an empty list, no client can connect, so comment out
|
|
Daniel P. Berrange |
fdd7e8 |
+# entirely rather than using empty list to disable these checks
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# By default, no DN's are checked
|
|
Daniel P. Berrange |
fdd7e8 |
+# tls_allowed_dn_list ["DN1", "DN2"]
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# A whitelist of allowed client IP addresses
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch
|
|
Daniel P. Berrange |
fdd7e8 |
+# function for the format of the wildcards.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB If this is an empty list, no client can connect, so comment out
|
|
Daniel P. Berrange |
fdd7e8 |
+# entirely rather than using empty list to disable these checks
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
|
|
Daniel P. Berrange |
fdd7e8 |
+# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
diff -r c48e81e685a3 -r 7481eafdde8d src/qemu.conf
|
|
Daniel P. Berrange |
fdd7e8 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
|
|
Daniel P. Berrange |
fdd7e8 |
+++ b/src/qemu.conf Fri Oct 12 18:54:15 2007 +0000
|
|
Daniel P. Berrange |
fdd7e8 |
@@ -0,0 +1,49 @@
|
|
Daniel P. Berrange |
fdd7e8 |
+# Master configuration file for the QEMU driver.
|
|
Daniel P. Berrange |
fdd7e8 |
+# All settings described here are optional - if omitted, sensible
|
|
Daniel P. Berrange |
fdd7e8 |
+# defaults are used.
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# VNC is configured to listen on 127.0.0.1 by default.
|
|
Daniel P. Berrange |
fdd7e8 |
+# To make it listen on all public interfaces, uncomment
|
|
Daniel P. Berrange |
fdd7e8 |
+# this next option.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# NB, strong recommendation to enable TLS + x509 certificate
|
|
Daniel P. Berrange |
fdd7e8 |
+# verification when allowing public access
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# vnc_listen = "0.0.0.0"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Enable use of TLS encryption on the VNC server. This requires
|
|
Daniel P. Berrange |
fdd7e8 |
+# a VNC client which supports the VeNCrypt protocol extension.
|
|
Daniel P. Berrange |
fdd7e8 |
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
Daniel P. Berrange |
fdd7e8 |
+# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# It is neccessary to setup CA and issue a server certificate
|
|
Daniel P. Berrange |
fdd7e8 |
+# before enabling this.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# vnc_tls = 1
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# Use of TLS requires that x509 certificates be issued. The
|
|
Daniel P. Berrange |
fdd7e8 |
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
|
|
Daniel P. Berrange |
fdd7e8 |
+# must contain
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# ca-cert.pem - the CA master certificate
|
|
Daniel P. Berrange |
fdd7e8 |
+# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
Daniel P. Berrange |
fdd7e8 |
+# server-key.pem - the server private key
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# This option allows the certificate directory to be changed
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+
|
|
Daniel P. Berrange |
fdd7e8 |
+# The default TLS configuration only uses certificates for the server
|
|
Daniel P. Berrange |
fdd7e8 |
+# allowing the client to verify the server's identity and establish
|
|
Daniel P. Berrange |
fdd7e8 |
+# and encrypted channel.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# It is possible to use x509 certificates for authentication too, by
|
|
Daniel P. Berrange |
fdd7e8 |
+# issuing a x509 certificate to every client who needs to connect.
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# Enabling this option will reject any client who does not have a
|
|
Daniel P. Berrange |
fdd7e8 |
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
|
|
Daniel P. Berrange |
fdd7e8 |
+#
|
|
Daniel P. Berrange |
fdd7e8 |
+# vnc_tls_x509_verify = 1
|
|
Daniel P. Berrange |
fdd7e8 |
|