rpms/libvirt/devel libvirt-0.3.3-example-config.patch, NONE, 1.1 libvirt-0.3.3-qemu-config.patch, NONE, 1.1 libvirt.spec, 1.66, 1.67

Daniel P. Berrange (berrange) fedora-extras-commits at redhat.com
Mon Oct 15 18:23:35 UTC 2007


Author: berrange

Update of /cvs/pkgs/rpms/libvirt/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4470

Modified Files:
	libvirt.spec 
Added Files:
	libvirt-0.3.3-example-config.patch 
	libvirt-0.3.3-qemu-config.patch 
Log Message:
Added backport of patch for qemu driver config file

libvirt-0.3.3-example-config.patch:

--- NEW FILE libvirt-0.3.3-example-config.patch ---
changeset:   1147:7481eafdde8d
user:        berrange
date:        Fri Oct 12 18:54:15 2007 +0000
files:       libvirt.spec.in qemud/Makefile.am qemud/libvirtd.conf src/Makefile.am src/qemu.conf
description:
Added default example configs for libvirtd/qemu driver


diff -r c48e81e685a3 -r 7481eafdde8d qemud/libvirtd.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/qemud/libvirtd.conf	Fri Oct 12 18:54:15 2007 +0000
@@ -0,0 +1,141 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is neccessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+# listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# NB, this is insecure. Do not use except for development.
+#
+# This is disabled by default, uncomment this to enable it.
+# listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+# 
+# tcp_port = "16509"
+
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+# mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+# 
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+# mdns_name "Virtualization Host Joe Demo" 
+
+
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+# 
+# This is restricted to 'root' by default. 
+# unix_sock_group "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+# unix_sock_ro_perms "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If setting group ownership may want to
+# relax this to:
+# unix_sock_rw_perms "octal-perms" 	"0770"
+
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+# tls_no_verify_certificate 1 
+
+# Flag to disable verification of client IP address
+#
+# Client IP address will be verified against the CommonName field
+# of the x509 certificate. This has minimal security benefit since
+# it is easy to spoof source IP.
+#
+# Uncommenting this will disable verification
+# tls_no_verify_address 1
+
+# Override the default server key file path
+#
+# key_file "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+# cert_file "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+# ca_file "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+# 
+# Defaults to not using a CRL, uncomment to enable it
+# crl_file "/etc/pki/CA/crl.pem"
+
+# A whitelist of allowed x509  Distinguished Names
+# This list may contain wildcards such as 
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+# tls_allowed_dn_list ["DN1", "DN2"]
+
+
+# A whitelist of allowed client IP addresses
+#
+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch 
+# function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
+# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
+
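Review bot: The guidance on lines 120-122, that certificate verification can be turned off as long as an IP whitelist is set, is contradicted by lines 126-128 of the same file, which note that source IPs are easy to spoof; with `tls_no_verify_certificate` on, that whitelist is the only thing between any TCP peer and full management access. I would reword the comment to `# Disabling this removes client authentication entirely; an IP whitelist is not a substitute (source addresses can be spoofed). Development use only.` Separately, the "restrict this to" example for unix_sock_ro_perms on line 103 gives 0777, which restricts nothing and looks like a slip for `"0770"`, and the unix_sock_rw_perms example on line 110 carries a stray `"octal-perms"` token. Most of the commented examples below line 80 also omit the `=` used on lines 48, 57 and 64; if the parser requires it (not visible here), an admin uncommenting them as-is will get a parse error rather than the intended setting.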
+
diff -r c48e81e685a3 -r 7481eafdde8d src/qemu.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/qemu.conf	Fri Oct 12 18:54:15 2007 +0000
@@ -0,0 +1,49 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# vnc_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is neccessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel. 
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+# 
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+# vnc_tls_x509_verify = 1
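Review bot: The NB on lines 188-189 undersells what `vnc_listen = "0.0.0.0"` does: it becomes the default for every guest console that does not set its own listen address, and `vnc_tls = 1` on its own only authenticates the server and encrypts the channel (as lines 218-220 say), so without `vnc_tls_x509_verify = 1` any client that can reach the port still gets console access over TLS. Suggest `# NB, TLS alone does not authenticate clients; enable vnc_tls_x509_verify as well before listening on public interfaces`. The directory listing on lines 209-211 would also benefit from a line saying server-key.pem must be readable by the user qemu runs as and by nobody else; the ownership the daemon expects is not stated here.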


libvirt-0.3.3-qemu-config.patch:

--- NEW FILE libvirt-0.3.3-qemu-config.patch ---
changeset:   1146:c48e81e685a3
user:        berrange
date:        Fri Oct 12 15:05:44 2007 +0000
files:       ChangeLog src/qemu_conf.c src/qemu_conf.h src/qemu_driver.c
description:
Added QEMU driver config file


diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.c
--- a/src/qemu_conf.c	Wed Oct 10 18:46:17 2007 +0000
+++ b/src/qemu_conf.c	Fri Oct 12 15:05:44 2007 +0000
@@ -45,6 +45,7 @@
 #include "qemu_conf.h"
 #include "uuid.h"
 #include "buf.h"
+#include "conf.h"
 
 #define qemudLog(level, msg...) fprintf(stderr, msg)
 
@@ -65,6 +66,68 @@ void qemudReportError(virConnectPtr conn
     __virRaiseError(conn, dom, net, VIR_FROM_QEMU, code, VIR_ERR_ERROR,
                     NULL, NULL, NULL, -1, -1, errorMessage);
 }
+
+int qemudLoadDriverConfig(struct qemud_driver *driver,
+                          const char *filename) {
+    virConfPtr conf;
+    virConfValuePtr p;
+
+    /* Setup 2 critical defaults */
+    strcpy(driver->vncListen, "127.0.0.1");
+    if (!(driver->vncTLSx509certdir = strdup(SYSCONF_DIR "/pki/libvirt-vnc"))) {
+        qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY,
+                         "vncTLSx509certdir");
+        return -1;
+    }
+
+    /* Just check the file is readable before opening it, otherwise
+     * libvirt emits an error.
+     */
+    if (access (filename, R_OK) == -1) return 0;
+
+    conf = virConfReadFile (filename);
+    if (!conf) return 0;
+
+
+#define CHECK_TYPE(name,typ) if (p && p->type != (typ)) {               \
+        qemudReportError(NULL, NULL, NULL, VIR_ERR_INTERNAL_ERROR,      \
+                         "remoteReadConfigFile: %s: %s: expected type " #typ "\n", \
+                         filename, (name));                             \
+        virConfFree(conf);                                              \
+        return -1;                                                      \
+    }
+
+    p = virConfGetValue (conf, "vnc_tls");
+    CHECK_TYPE ("vnc_tls", VIR_CONF_LONG);
+    if (p) driver->vncTLS = p->l;
+
+    p = virConfGetValue (conf, "vnc_tls_x509_verify");
+    CHECK_TYPE ("vnc_tls_x509_verify", VIR_CONF_LONG);
+    if (p) driver->vncTLSx509verify = p->l;
+
+    p = virConfGetValue (conf, "vnc_tls_x509_cert_dir");
+    CHECK_TYPE ("vnc_tls_x509_cert_dir", VIR_CONF_STRING);
+    if (p && p->str) {
+        free(driver->vncTLSx509certdir);
+        if (!(driver->vncTLSx509certdir = strdup(p->str))) {
+            qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY,
+                             "vncTLSx509certdir");
+            virConfFree(conf);
+            return -1;
+        }
+    }
+
+    p = virConfGetValue (conf, "vnc_listen");
+    CHECK_TYPE ("vnc_listen", VIR_CONF_STRING);
+    if (p && p->str) {
+        strncpy(driver->vncListen, p->str, sizeof(driver->vncListen));
+        driver->vncListen[sizeof(driver->vncListen)-1] = '\0';
+    }
+
+    virConfFree (conf);
+    return 0;
+}
+
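Review bot: A qemu.conf that exists but cannot be read or parsed is silently ignored on lines 274-277, so a typo in the file leaves the driver running with TLS off and VNC on the built-in defaults, with no error at the point the admin expects one; a loader for security settings should fail closed. Suggest `if (access(filename, R_OK) == -1) return errno == ENOENT ? 0 : -1;` and `if (!conf) return -1;` — qemudStartup on lines 448-451 already treats -1 as fatal (errno.h is needed if the file does not already include it; the include list is outside this hunk). The CHECK_TYPE message names `remoteReadConfigFile`, apparently copied from the remote driver; `qemudLoadDriverConfig` would point an admin at the right file. vnc_tls and vnc_tls_x509_verify land in one-bit fields declared in qemu_conf.h, so values other than 0 or 1 should be rejected here rather than truncated.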
 
 struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver, int id) {
     struct qemud_vm *vm = driver->vms;
@@ -1234,7 +1297,7 @@ static struct qemud_vm_def *qemudParseXM
             if (vnclisten && *vnclisten)
                 strncpy(def->vncListen, (char *)vnclisten, BR_INET_ADDR_MAXLEN-1);
             else
-                strcpy(def->vncListen, "127.0.0.1");
+                strcpy(def->vncListen, driver->vncListen);
             def->vncListen[BR_INET_ADDR_MAXLEN-1] = '\0';
             xmlFree(vncport);
             xmlFree(vnclisten);
@@ -1750,15 +1813,30 @@ int qemudBuildCommandLine(virConnectPtr 
     }
 
     if (vm->def->graphicsType == QEMUD_GRAPHICS_VNC) {
-        char vncdisplay[BR_INET_ADDR_MAXLEN+20];
+        char vncdisplay[PATH_MAX];
         int ret;
-        if (vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON)
-            ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d",
+
+        if (vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON) {
+            char options[PATH_MAX] = "";
+            if (driver->vncTLS) {
+                strcat(options, ",tls");
+                if (driver->vncTLSx509verify) {
+                    strcat(options, ",x509verify=");
+                } else {
+                    strcat(options, ",x509=");
+                }
+                strncat(options, driver->vncTLSx509certdir,
+                        sizeof(options) - (strlen(driver->vncTLSx509certdir)-1));
+                options[sizeof(options)-1] = '\0';
+            }
+            ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d%s",
                            vm->def->vncListen,
-                           vm->def->vncActivePort - 5900);
-        else
+                           vm->def->vncActivePort - 5900,
+                           options);
+        } else {
             ret = snprintf(vncdisplay, sizeof(vncdisplay), "%d",
                            vm->def->vncActivePort - 5900);
+        }
         if (ret < 0 || ret >= (int)sizeof(vncdisplay))
             goto error;
 
diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.h
--- a/src/qemu_conf.h	Wed Oct 10 18:46:17 2007 +0000
+++ b/src/qemu_conf.h	Fri Oct 12 15:05:44 2007 +0000
@@ -289,6 +289,10 @@ struct qemud_driver {
     char *networkConfigDir;
     char *networkAutostartDir;
     char logDir[PATH_MAX];
+    int vncTLS : 1;
+    int vncTLSx509verify : 1;
+    char *vncTLSx509certdir;
+    char vncListen[BR_INET_ADDR_MAXLEN];
 };
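Review bot: `int vncTLS : 1` and `int vncTLSx509verify : 1` on lines 374-375 are signed one-bit fields, which can only hold 0 and -1, and the loader in qemu_conf.c assigns the raw config integer to them, so `vnc_tls = 2` is truncated to 0 and silently turns TLS off. Declare them `unsigned int vncTLS : 1;` and `unsigned int vncTLSx509verify : 1;` and have the loader reject values other than 0 and 1. struct qemud_driver starts before this hunk.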
 
 
@@ -311,6 +315,8 @@ void qemudReportError(virConnectPtr conn
     ATTRIBUTE_FORMAT(printf,5,6);
 
 
+int qemudLoadDriverConfig(struct qemud_driver *driver,
+                          const char *filename);
 
 struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver,
                                  int id);
diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_driver.c
--- a/src/qemu_driver.c	Wed Oct 10 18:46:17 2007 +0000
+++ b/src/qemu_driver.c	Fri Oct 12 15:05:44 2007 +0000
@@ -155,6 +155,7 @@ qemudStartup(void) {
     uid_t uid = geteuid();
     struct passwd *pw;
     char *base = NULL;
+    char driverConf[PATH_MAX];
 
     if (!(qemu_driver = calloc(1, sizeof(struct qemud_driver)))) {
         return -1;
@@ -167,7 +168,7 @@ qemudStartup(void) {
         if (snprintf(qemu_driver->logDir, PATH_MAX, "%s/log/libvirt/qemu", LOCAL_STATE_DIR) >= PATH_MAX)
             goto snprintf_error;
 
-        if ((base = strdup (SYSCONF_DIR "/libvirt/qemu")) == NULL)
+        if ((base = strdup (SYSCONF_DIR "/libvirt")) == NULL)
             goto out_of_memory;
     } else {
         if (!(pw = getpwuid(uid))) {
@@ -179,7 +180,7 @@ qemudStartup(void) {
         if (snprintf(qemu_driver->logDir, PATH_MAX, "%s/.libvirt/qemu/log", pw->pw_dir) >= PATH_MAX)
             goto snprintf_error;
 
-        if (asprintf (&base, "%s/.libvirt/qemu", pw->pw_dir) == -1) {
+        if (asprintf (&base, "%s/.libvirt", pw->pw_dir) == -1) {
             qemudLog (QEMUD_ERR, "out of memory in asprintf");
             goto out_of_memory;
         }
@@ -188,24 +189,36 @@ qemudStartup(void) {
     /* Configuration paths are either ~/.libvirt/qemu/... (session) or
      * /etc/libvirt/qemu/... (system).
      */
-    if (asprintf (&qemu_driver->configDir, "%s", base) == -1)
+    if (snprintf (driverConf, sizeof(driverConf), "%s/qemu.conf", base) == -1)
         goto out_of_memory;
-
-    if (asprintf (&qemu_driver->autostartDir, "%s/autostart", base) == -1)
+    driverConf[sizeof(driverConf)-1] = '\0';
+
+    if (asprintf (&qemu_driver->configDir, "%s/qemu", base) == -1)
         goto out_of_memory;
 
-    if (asprintf (&qemu_driver->networkConfigDir, "%s/networks", base) == -1)
+    if (asprintf (&qemu_driver->autostartDir, "%s/qemu/autostart", base) == -1)
         goto out_of_memory;
 
-    if (asprintf (&qemu_driver->networkAutostartDir, "%s/networks/autostart",
+    if (asprintf (&qemu_driver->networkConfigDir, "%s/qemu/networks", base) == -1)
+        goto out_of_memory;
+
+    if (asprintf (&qemu_driver->networkAutostartDir, "%s/qemu/networks/autostart",
                   base) == -1)
         goto out_of_memory;
 
-    if (qemudScanConfigs(qemu_driver) < 0)
+    free(base);
+
+    if (qemudLoadDriverConfig(qemu_driver, driverConf) < 0) {
         qemudShutdown();
+        return -1;
+    }
+
+    if (qemudScanConfigs(qemu_driver) < 0) {
+        qemudShutdown();
+        return -1;
+    }
     qemudAutostartConfigs(qemu_driver);
 
-    free(base);
     return 0;
 
  snprintf_error:
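Review bot: The snprintf on line 424 only checks for `== -1`, so truncation of a long home-directory path is not detected; line 428 then NUL-terminates a truncated `driverConf`, the access() check in qemudLoadDriverConfig fails on that bogus path, and the driver silently runs with defaults instead of the admin's TLS settings. Line 402 in this same function already uses the right test; change to `if (snprintf(driverConf, sizeof(driverConf), "%s/qemu.conf", base) >= (int)sizeof(driverConf)) goto snprintf_error;` and drop the now-redundant terminator on line 428. The `goto out_of_memory` target is also misleading for a formatting error. qemudStartup continues outside this hunk (the snprintf_error label follows it).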



Index: libvirt.spec
===================================================================
RCS file: /cvs/pkgs/rpms/libvirt/devel/libvirt.spec,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- libvirt.spec	10 Oct 2007 16:46:18 -0000	1.66
+++ libvirt.spec	15 Oct 2007 18:23:02 -0000	1.67
@@ -3,10 +3,14 @@
 Summary: Library providing a simple API virtualization
 Name: libvirt
 Version: 0.3.3
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
 License: LGPL
 Group: Development/Libraries
 Source: libvirt-%{version}.tar.gz
+Patch1: %{name}-%{version}-qemu-config.patch
+# NB, when removing this patch on next release, also remove the manual 
+# config file copy in the install section of this spec file
+Patch2: %{name}-%{version}-example-config.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 URL: http://libvirt.org/
 BuildRequires: python python-devel
@@ -66,6 +70,8 @@
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
 
 %build
 # Xen is availble only on i386 x86_64 ia64
@@ -89,6 +95,11 @@
 rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a
 install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/run/libvirt/
 
+# Copy files from patch2 into location
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/libvirt
+install -m 0755 src/qemu.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf
+install -m 0755 qemud/libvirtd.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/libvirtd.conf
+
 # We don't want to install /etc/libvirt/qemu/networks in the main %files list
 # because if the admin wants to delete the default network completely, we don't
 # want to end up re-incarnating it on every RPM upgrade.
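Review bot: Lines 505-506 install both configuration files with mode 0755, which puts the executable bit on plain-text config files; `install -m 0644` is the conventional mode and is all a root-run daemon needs to read them. Should a later version put anything sensitive in these files, that would be the point to tighten further, but 0755 is wrong either way.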
@@ -144,6 +155,8 @@
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
 %{_sysconfdir}/rc.d/init.d/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
+%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
+%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %dir %{_datadir}/libvirt/
 %dir %{_datadir}/libvirt/networks/
 %{_datadir}/libvirt/networks/default.xml
@@ -183,6 +196,10 @@
 %doc docs/examples/python
 
 %changelog
+* Mon Oct 15 2007 Daniel P. Berrange <berrange at redhat.com> - 0.3.3-2.fc8
+- Added QEMU driver config file support
+- Added example config files
+
 * Sun Sep 30 2007 Daniel Veillard <veillard at redhat.com> - 0.3.3-1
 - Release of 0.3.3
 - Avahi support



