[libvirt] [PATCH 09/13] Add configuration options for permissions on daemon's admin socket

Martin Kletzander mkletzan at redhat.com
Tue Jun 16 09:58:26 UTC 2015


This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.

Signed-off-by: Martin Kletzander <mkletzan at redhat.com>
---
 daemon/libvirtd-config.c     | 27 +++++++++++++++++++++++++--
 daemon/libvirtd-config.h     | 13 ++++++++++++-
 daemon/libvirtd.aug          | 13 +++++++++++++
 daemon/libvirtd.conf         | 24 ++++++++++++++++++++++++
 daemon/test_libvirtd.aug.in  |  9 +++++++++
 tests/confdata/libvirtd.conf |  6 ++++++
 tests/confdata/libvirtd.out  |  5 +++++
 7 files changed, 94 insertions(+), 3 deletions(-)

diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 3694455d46f4..10dcc423d2db 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -1,7 +1,7 @@
 /*
  * libvirtd-config.c: daemon start of day, guest process & i/o management
  *
- * Copyright (C) 2006-2012, 2014 Red Hat, Inc.
+ * Copyright (C) 2006-2012, 2014, 2015 Red Hat, Inc.
  * Copyright (C) 2006 Daniel P. Berrange
  *
  * This library is free software; you can redistribute it and/or
@@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)

     if (VIR_STRDUP(data->unix_sock_rw_perms,
                    data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 ||
-        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0)
+        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 ||
+        VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0)
         goto error;

 #if WITH_SASL
@@ -293,6 +294,16 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)
     data->keepalive_count = 5;
     data->keepalive_required = 0;

+    data->admin_min_workers = 5;
+    data->admin_max_workers = 20;
+    data->admin_max_clients = 5000;
+    data->admin_max_queued_clients = 20;
+    data->admin_max_client_requests = 5;
+
+    data->admin_keepalive_interval = 5;
+    data->admin_keepalive_count = 5;
+    data->admin_keepalive_required = 0;
+
     localhost = virGetHostname();
     if (localhost == NULL) {
         /* we couldn't resolve the hostname; assume that we are
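Review bot: The built-in admin defaults assigned here (5 / 20 / 5000 / 20 / 5) disagree with the sample values this same patch adds to daemon/libvirtd.conf and daemon/test_libvirtd.aug.in (1 / 5 / 5 / 5 / 5). The conf text states no defaults for the admin options, so an administrator cannot tell that an unconfigured daemon accepts 5000 admin clients. The numbers look carried over from the main server limits (inferred, not visible here). For a socket that defaults to owner-only `0700`, a small ceiling bounds how many connections and workers the privileged interface can be made to hold. Either lower the defaults, e.g. `data->admin_max_clients = 5;`, or document the real defaults next to the commented options in libvirtd.conf; daemonConfigNew begins and ends outside this hunk.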
@@ -337,6 +348,7 @@ daemonConfigFree(struct daemonConfig *data)
     }
     VIR_FREE(data->access_drivers);

+    VIR_FREE(data->unix_sock_admin_perms);
     VIR_FREE(data->unix_sock_ro_perms);
     VIR_FREE(data->unix_sock_rw_perms);
     VIR_FREE(data->unix_sock_group);
@@ -404,6 +416,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
         goto error;

     GET_CONF_STR(conf, filename, unix_sock_group);
+    GET_CONF_STR(conf, filename, unix_sock_admin_perms);
     GET_CONF_STR(conf, filename, unix_sock_ro_perms);
     GET_CONF_STR(conf, filename, unix_sock_rw_perms);

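Review bot: `unix_sock_admin_perms` is read here with `GET_CONF_STR` and nothing in this patch checks that it is a well-formed octal mode. The conversion presumably happens where the socket is created, which is outside the patch, so confirm that path refuses to start on an unparseable value rather than continuing with some other mode. Because this string is the access control this patch adds for the admin socket, a log warning when group or other bits are set would make an accidental relaxation visible. A comment such as `/* mode of the admin socket; must parse as octal, daemon must not start otherwise */` above the line would record the expectation. daemonConfigLoadOptions continues outside the hunk.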
@@ -441,6 +454,12 @@ daemonConfigLoadOptions(struct daemonConfig *data,
     GET_CONF_INT(conf, filename, max_requests);
     GET_CONF_UINT(conf, filename, max_client_requests);

+    GET_CONF_UINT(conf, filename, admin_min_workers);
+    GET_CONF_UINT(conf, filename, admin_max_workers);
+    GET_CONF_UINT(conf, filename, admin_max_clients);
+    GET_CONF_UINT(conf, filename, admin_max_queued_clients);
+    GET_CONF_UINT(conf, filename, admin_max_client_requests);
+
     GET_CONF_UINT(conf, filename, audit_level);
     GET_CONF_UINT(conf, filename, audit_logging);

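Review bot: The five `admin_*` limits read here with `GET_CONF_UINT` are declared as plain `int` in the struct daemonConfig hunk of daemon/libvirtd-config.h, so the parser's signedness and the storage type disagree. `admin_keepalive_required` in the following hunk is also an `int` read with `GET_CONF_UINT`. If the macro stores the parsed value directly (its definition is not in this patch), a configured value above INT_MAX would land as a negative number in a field used as a connection or worker limit. Declaring the fields unsigned, e.g. `unsigned int admin_max_clients;`, would keep both sides consistent. No visible code checks that `admin_min_workers` does not exceed `admin_max_workers`.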
@@ -454,6 +473,10 @@ daemonConfigLoadOptions(struct daemonConfig *data,
     GET_CONF_UINT(conf, filename, keepalive_count);
     GET_CONF_UINT(conf, filename, keepalive_required);

+    GET_CONF_INT(conf, filename, admin_keepalive_interval);
+    GET_CONF_UINT(conf, filename, admin_keepalive_count);
+    GET_CONF_UINT(conf, filename, admin_keepalive_required);
+
     return 0;

  error:
diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index c9969955b809..9cdae1a0cb59 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -1,7 +1,7 @@
 /*
  * libvirtd-config.h: daemon start of day, guest process & i/o management
  *
- * Copyright (C) 2006-2012 Red Hat, Inc.
+ * Copyright (C) 2006-2012, 2015 Red Hat, Inc.
  * Copyright (C) 2006 Daniel P. Berrange
  *
  * This library is free software; you can redistribute it and/or
@@ -35,6 +35,7 @@ struct daemonConfig {
     char *tls_port;
     char *tcp_port;

+    char *unix_sock_admin_perms;
     char *unix_sock_ro_perms;
     char *unix_sock_rw_perms;
     char *unix_sock_group;
@@ -81,6 +82,16 @@ struct daemonConfig {
     int keepalive_interval;
     unsigned int keepalive_count;
     int keepalive_required;
+
+    int admin_min_workers;
+    int admin_max_workers;
+    int admin_max_clients;
+    int admin_max_queued_clients;
+    int admin_max_client_requests;
+
+    int admin_keepalive_interval;
+    unsigned int admin_keepalive_count;
+    int admin_keepalive_required;
 };


diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 5a0807c368be..a70aa1dddf90 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -35,6 +35,7 @@ module Libvirtd =
    let sock_acl_entry = str_entry "unix_sock_group"
                       | str_entry "unix_sock_ro_perms"
                       | str_entry "unix_sock_rw_perms"
+                      | str_entry "unix_sock_admin_perms"
                       | str_entry "unix_sock_dir"

    let authentication_entry = str_entry "auth_unix_ro"
@@ -62,6 +63,12 @@ module Libvirtd =
                         | int_entry "max_client_requests"
                         | int_entry "prio_workers"

+   let admin_processing_entry = int_entry "admin_min_workers"
+                              | int_entry "admin_max_workers"
+                              | int_entry "admin_max_clients"
+                              | int_entry "admin_max_queued_clients"
+                              | int_entry "admin_max_client_requests"
+
    let logging_entry = int_entry "log_level"
                      | str_entry "log_filters"
                      | str_entry "log_outputs"
@@ -74,6 +81,10 @@ module Libvirtd =
                        | int_entry "keepalive_count"
                        | bool_entry "keepalive_required"

+   let admin_keepalive_entry = int_entry "admin_keepalive_interval"
+                             | int_entry "admin_keepalive_count"
+                             | bool_entry "admin_keepalive_required"
+
    let misc_entry = str_entry "host_uuid"

    (* Each enty in the config is one of the following three ... *)
@@ -83,9 +94,11 @@ module Libvirtd =
              | certificate_entry
              | authorization_entry
              | processing_entry
+             | admin_processing_entry
              | logging_entry
              | auditing_entry
              | keepalive_entry
+             | admin_keepalive_entry
              | misc_entry
    let comment = [ label "#comment" . del /#[ \t]*/ "# " .  store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
    let empty = [ label "#empty" . eol ]
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 069ef3abbaed..ac06cdd79103 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -106,9 +106,17 @@
 # control, then you may want to relax this too.
 #unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
 # Set the name of the directory in which sockets will be found/created.
 #unix_sock_dir = "/var/run/libvirt"

+
+
 #################################################################
 #
 # Authentication.
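Review bot: The comment added for `unix_sock_admin_perms` warns against changing the default but never says what a connection to the admin socket permits, so a reader cannot weigh the risk of relaxing it. A sentence such as `# Anyone who can open this socket can use the daemon's admin interface; this mode is the access control configured here.` would make the warning actionable, and the last line reads better as `# sure whom you are exposing the access to.`. The same wording is repeated in tests/confdata/libvirtd.conf and tests/confdata/libvirtd.out. The two blank lines added before the Authentication banner look unrelated to the option.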
@@ -307,6 +315,16 @@
 # and max_workers parameter
 #max_client_requests = 5

+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
 #################################################################
 #
 # Logging controls
@@ -427,3 +445,9 @@
 # support keepalive protocol.  Defaults to 0.
 #
 #keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+#
+#admin_keepalive_required = 1
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 37ff33d6032b..4921cbfb86b3 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -12,6 +12,7 @@ module Test_libvirtd =
         { "unix_sock_group" = "libvirt" }
         { "unix_sock_ro_perms" = "0777" }
         { "unix_sock_rw_perms" = "0770" }
+        { "unix_sock_admin_perms" = "0700" }
         { "unix_sock_dir" = "/var/run/libvirt" }
         { "auth_unix_ro" = "none" }
         { "auth_unix_rw" = "none" }
@@ -42,6 +43,11 @@ module Test_libvirtd =
         { "prio_workers" = "5" }
         { "max_requests" = "20" }
         { "max_client_requests" = "5" }
+        { "admin_min_workers" = "1" }
+        { "admin_max_workers" = "5" }
+        { "admin_max_clients" = "5" }
+        { "admin_max_queued_clients" = "5" }
+        { "admin_max_client_requests" = "5" }
         { "log_level" = "3" }
         { "log_filters" = "3:remote 4:event" }
         { "log_outputs" = "3:syslog:libvirtd" }
@@ -52,3 +58,6 @@ module Test_libvirtd =
         { "keepalive_interval" = "5" }
         { "keepalive_count" = "5" }
         { "keepalive_required" = "1" }
+        { "admin_keepalive_interval" = "5" }
+        { "admin_keepalive_count" = "5" }
+        { "admin_keepalive_required" = "1" }
diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf
index 2f2ba4b2f142..5029c4c2e7df 100644
--- a/tests/confdata/libvirtd.conf
+++ b/tests/confdata/libvirtd.conf
@@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777"
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+


 #################################################################
diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out
index 171945da1aaf..4d7ed47a9002 100644
--- a/tests/confdata/libvirtd.out
+++ b/tests/confdata/libvirtd.out
@@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777"
 # If not using PolicyKit and setting group ownership for access
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
 #################################################################
 #
 # Authentication.
-- 
2.4.3



