[libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

Christophe de Dinechin dinechin at redhat.com
Tue Jul 30 10:48:03 UTC 2019


Daniel P. Berrangé writes:

> Prepare for reusing libvirtd config to create other daemons by making
> the config parameters for IP sockets conditionally defined by the make
> rules.
>
> The main libvirtd daemon will retain IP listen ability, but all the
> driver specific daemons will be local UNIX sockets only. Apps needing
> IP connectivity will connect via the libvirtd daemon which will proxy
> to the driver specific daemon.
>
> Reviewed-by: Andrea Bolognani <abologna at redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  .gitignore                                    |  1 +
>  src/remote/Makefile.inc.am                    | 16 +++++--
>  .../{libvirtd.conf => libvirtd.conf.in}       | 42 +++++++++++--------
>  src/remote/test_libvirtd.aug.in               |  2 +-
>  4 files changed, 40 insertions(+), 21 deletions(-)
>  rename src/remote/{libvirtd.conf => libvirtd.conf.in} (95%)
>
> diff --git a/.gitignore b/.gitignore
> index d75b24c743..a09f45af50 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -158,6 +158,7 @@
>  /src/remote/*_client_bodies.h
>  /src/remote/*_protocol.[ch]
>  /src/remote/*_stubs.h
> +/src/remote/libvirtd.conf
>  /src/remote/test_libvirtd.aug
>  /src/rpc/virkeepaliveprotocol.[ch]
>  /src/rpc/virnetprotocol.[ch]
> diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
> index 2277bf49d2..93a7a6c14e 100644
> --- a/src/remote/Makefile.inc.am
> +++ b/src/remote/Makefile.inc.am
> @@ -76,7 +76,7 @@ EXTRA_DIST += \
>  	$(LIBVIRTD_SOURCES) \
>  	remote/test_libvirtd.aug.in \
>  	remote/libvirtd.aug \
> -	remote/libvirtd.conf \
> +	remote/libvirtd.conf.in \
>  	remote/libvirtd.policy \
>  	remote/libvirtd.rules \
>  	remote/libvirtd.sasl \
> @@ -93,6 +93,9 @@ MAINTAINERCLEANFILES += \
>  	$(REMOTE_DRIVER_GENERATED) \
>  	$(LIBVIRTD_GENERATED) \
>  	$(NULL)
> +CLEANFILES += \
> +	remote/libvirtd.conf \
> +	$(NULL)
>
>  if WITH_REMOTE
>  noinst_LTLIBRARIES += libvirt_driver_remote.la
> @@ -128,7 +131,7 @@ augeas_DATA += remote/libvirtd.aug
>
>  augeastest_DATA += remote/test_libvirtd.aug
>
> -conf_DATA += remote/libvirtd.conf
> +nodist_conf_DATA += remote/libvirtd.conf
>
>  man8_MANS += libvirtd.8
>
> @@ -179,6 +182,13 @@ libvirtd_LDADD += \
>  	$(LIBSOCKET) \
>  	$(NULL)
>
> +remote/libvirtd.conf: remote/libvirtd.conf.in
> +	$(AM_V_GEN)$(SED) \
> +		-e '/[@]CUT_ENABLE_IP[@]/d' \
> +		-e '/[@]END[@]/d' \
> +		-e 's|[@]DAEMON_NAME[@]|libvirtd|' \
> +		< $< > $@
> +
>  INSTALL_DATA_DIRS += remote
>
>  install-data-remote:
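Review bot: the sed script in the new `remote/libvirtd.conf` rule only deletes the `@CUT_ENABLE_IP@` and `@END@` marker lines themselves, which is right for libvirtd (it keeps IP listening), but the commit message says the driver-specific daemons will be UNIX-socket only, so their rules will need the inverse, a range delete such as `-e '/[@]CUT_ENABLE_IP[@]/,/[@]END[@]/d'`; it would be worth saying in the commit message that this patch only adds the keep-everything variant. Two smaller points on the same rule: `s|[@]DAEMON_NAME[@]|libvirtd|` has no `g` flag, so a template line containing the placeholder twice would be only half-substituted (every line in this patch has at most one occurrence, but later editors of the template will not know that constraint), and `< $< > $@` leaves a truncated `remote/libvirtd.conf` behind if sed fails, which make will then treat as up to date; writing to `$@-t` and renaming on success avoids that.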
> @@ -189,7 +199,7 @@ uninstall-data-remote:
>
>  remote/test_libvirtd.aug: remote/test_libvirtd.aug.in \
>  		remote/libvirtd.conf $(AUG_GENTEST)
> -	$(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/remote/libvirtd.conf $< > $@
> +	$(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< > $@
>
>  if WITH_SYSCTL
>  # Use $(prefix)/lib rather than $(libdir), since man sysctl.d insists on
> diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
> similarity index 95%
> rename from src/remote/libvirtd.conf
> rename to src/remote/libvirtd.conf.in
> index b63b8d61b7..e351a8c190 100644
> --- a/src/remote/libvirtd.conf
> +++ b/src/remote/libvirtd.conf.in
> @@ -1,13 +1,14 @@
>  # Master libvirt daemon configuration file
>  #
>
> + at CUT_ENABLE_IP@
>  #################################################################
>  #
>  # Network connectivity controls
>  #
>
>  # Flag listening for secure TLS connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
>  # have any effect.
>  #
>  # This setting is not required or honoured if using systemd socket
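Review bot: the `@CUT_ENABLE_IP@` and `@END@` markers are inserted as bare lines rather than as `#` comments, so `libvirtd.conf.in` itself is no longer a syntactically valid daemon config and cannot be fed to the augeas lens or to libvirtd directly; that is acceptable only because the Makefile hunk earlier in this patch switches `test_libvirtd.aug` to be generated from the built `remote/libvirtd.conf`, so please state in the commit message that the `.in` file is never to be parsed as-is. A short comment near the first marker explaining that every option between the two markers is IP-only and will be removed for UNIX-only daemons would also help the next person who edits this file and has to decide which side of a marker a new option belongs on.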
> @@ -20,7 +21,7 @@
>  #listen_tls = 0
>
>  # Listen for unencrypted TCP connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
>  # have any effect.
>  #
>  # This setting is not required or honoured if using systemd socket
> @@ -58,13 +59,14 @@
>  # This setting is not required or honoured if using systemd socket
>  # activation.
>  #
> -# If the libvirtd service is started in parallel with network
> +# If the @DAEMON_NAME@ service is started in parallel with network
>  # startup (e.g. with systemd), binding to addresses other than
>  # the wildcards (0.0.0.0/::) might not be available yet.
>  #
>  #listen_addr = "192.168.0.1"
>
>
> + at END@
>  #################################################################
>  #
>  # UNIX socket access controls
> @@ -157,6 +159,7 @@
>  # If the unix_sock_rw_perms are changed you may wish to enable
>  # an authentication mechanism here
>  #auth_unix_rw = "none"
> + at CUT_ENABLE_IP@
>
>  # Change the authentication scheme for TCP sockets.
>  #
> @@ -174,6 +177,7 @@
>  # It is possible to make use of any SASL authentication
>  # mechanism as well, by using 'sasl' for this option
>  #auth_tls = "none"
> + at END@
>
>
>  # Change the API access control scheme
> @@ -182,10 +186,11 @@
>  # to all APIs. Access drivers can place restrictions
>  # on this. By default the 'nop' driver is enabled,
>  # meaning no access control checks are done once a
> -# client has authenticated with libvirtd
> +# client has authenticated with @DAEMON_NAME@
>  #
>  #access_drivers = [ "polkit" ]
>
> + at CUT_ENABLE_IP@
>  #################################################################
>  #
>  # TLS x509 certificate configuration
> @@ -225,15 +230,17 @@
>
>
>
> + at END@
>  #################################################################
>  #
>  # Authorization controls
>  #
>
>
> + at CUT_ENABLE_IP@
>  # Flag to disable verification of our own server certificates
>  #
> -# When libvirtd starts it performs some sanity checks against
> +# When @DAEMON_NAME@ starts it performs some sanity checks against
>  # its own certificates.
>  #
>  # Default is to always run sanity checks. Uncommenting this
> @@ -265,6 +272,15 @@
>  #tls_allowed_dn_list = ["DN1", "DN2"]
>
>
> +# Override the compile time default TLS priority string. The
> +# default is usually "NORMAL" unless overridden at build time.
> +# Only set this is it is desired for libvirt to deviate from
> +# the global default settings.
> +#
> +#tls_priority="NORMAL"
> +
> +
> + at END@
>  # A whitelist of allowed SASL usernames. The format for username
>  # depends on the SASL authentication mechanism. Kerberos usernames
>  # look like username at REALM
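Review bot: this hunk relocates the `tls_priority` block from after `sasl_allowed_username_list` to inside the `@CUT_ENABLE_IP@`/`@END@` region, which is correct since the TLS priority string only matters for TLS listeners, but it is a move the commit message does not mention, and it is what forces the key reordering in `test_libvirtd.aug.in` at the end of the patch; one sentence in the commit message would save reviewers the question. Since the block is being moved anyway, the comment's pre-existing typo `Only set this is it is desired` should read `Only set this if it is desired`.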
> @@ -282,14 +298,6 @@
>  #sasl_allowed_username_list = ["joe at EXAMPLE.COM", "fred at EXAMPLE.COM" ]
>
>
> -# Override the compile time default TLS priority string. The
> -# default is usually "NORMAL" unless overridden at build time.
> -# Only set this is it is desired for libvirt to deviate from
> -# the global default settings.
> -#
> -#tls_priority="NORMAL"
> -
> -
>  #################################################################
>  #
>  # Processing controls
> @@ -417,8 +425,8 @@
>  #    4: ERROR
>  #
>  # Multiple outputs can be defined, they just need to be separated by spaces.
> -# e.g. to log all warnings and errors to syslog under the libvirtd ident:
> -#log_outputs="3:syslog:libvirtd"
> +# e.g. to log all warnings and errors to syslog under the @DAEMON_NAME@ ident:
> +#log_outputs="3:syslog:@DAEMON_NAME@"
>
>
>  ##################################################################
> @@ -461,7 +469,7 @@
>
>  ###################################################################
>  # Keepalive protocol:
> -# This allows libvirtd to detect broken client connections or even
> +# This allows @DAEMON_NAME@ to detect broken client connections or even
>  # dead clients.  A keepalive message is sent to a client after
>  # keepalive_interval seconds of inactivity to check if the client is
>  # still responding; keepalive_count is a maximum number of keepalive
> @@ -470,7 +478,7 @@
>  # words, the connection is automatically closed approximately after
>  # keepalive_interval * (keepalive_count + 1) seconds since the last
>  # message received from the client.  If keepalive_interval is set to
> -# -1, libvirtd will never send keepalive requests; however clients
> +# -1, @DAEMON_NAME@ will never send keepalive requests; however clients
>  # can still send them and the daemon will send responses.  When
>  # keepalive_count is set to 0, connections will be automatically
>  # closed after keepalive_interval seconds of inactivity without
> diff --git a/src/remote/test_libvirtd.aug.in b/src/remote/test_libvirtd.aug.in
> index 6c51b7b9e7..d768b30b55 100644
> --- a/src/remote/test_libvirtd.aug.in
> +++ b/src/remote/test_libvirtd.aug.in
> @@ -29,11 +29,11 @@ module Test_libvirtd =
>               { "1" = "DN1"}
>               { "2" = "DN2"}
>          }
> +        { "tls_priority" = "NORMAL" }

I'm curious about this change. Is that because you changed the order
in the source code? Does that depend on ENABLE_IP?

>          { "sasl_allowed_username_list"
>               { "1" = "joe at EXAMPLE.COM" }
>               { "2" = "fred at EXAMPLE.COM" }
>          }
> -        { "tls_priority" = "NORMAL" }
>          { "max_clients" = "5000" }
>          { "max_queued_clients" = "1000" }
>          { "max_anonymous_clients" = "20" }
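Review bot: moving `{ "tls_priority" = "NORMAL" }` ahead of `sasl_allowed_username_list` here mirrors the relocation of the `tls_priority` block above the `@END@` marker in `libvirtd.conf.in`: the augeas test compares the parsed tree in file order, and `test_libvirtd.aug` is now generated from the built `remote/libvirtd.conf`, so this template has to follow the order of the config template. For libvirtd it does not depend on the IP conditional, because every marker line is simply deleted, but a UNIX-only daemon reusing this test template would need `tls_priority` and the other IP-only keys cut from its copy as well, so the same conditional will eventually be needed on the test side; the commit message should say that this ordering change is a consequence of the `tls_priority` move rather than an unrelated edit.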
> --
> 2.21.0

Reviewed-by: Christophe de Dinechin <dinechin at redhat.com>

--
Cheers,
Christophe de Dinechin (IRC c3d)



