From 06ac56be973a9b0c9b08454b2d0a3d040522738c Mon Sep 17 00:00:00 2001 From: root Date: Sun, 26 Jun 2016 22:45:39 +0200 Subject: [PATCH] committing changes in /etc after emerge run Package changes: +app-emulation/libvirt-1.3.4 --- .etckeeper | 38 ++ conf.d/libvirt-guests | 68 +++ conf.d/libvirtd | 18 + init.d/libvirt-guests | 235 ++++++++ init.d/libvirtd | 35 ++ init.d/virtlockd | 24 + init.d/virtlogd | 24 + libvirt/libvirt-admin.conf | 16 + libvirt/libvirt.conf | 18 + libvirt/libvirtd.conf | 455 ++++++++++++++++ libvirt/nwfilter/allow-arp.xml | 3 + libvirt/nwfilter/allow-dhcp-server.xml | 24 + libvirt/nwfilter/allow-dhcp.xml | 21 + libvirt/nwfilter/allow-incoming-ipv4.xml | 3 + libvirt/nwfilter/allow-ipv4.xml | 3 + libvirt/nwfilter/clean-traffic.xml | 30 ++ libvirt/nwfilter/no-arp-ip-spoofing.xml | 9 + libvirt/nwfilter/no-arp-mac-spoofing.xml | 7 + libvirt/nwfilter/no-arp-spoofing.xml | 4 + libvirt/nwfilter/no-ip-multicast.xml | 9 + libvirt/nwfilter/no-ip-spoofing.xml | 14 + libvirt/nwfilter/no-mac-broadcast.xml | 8 + libvirt/nwfilter/no-mac-spoofing.xml | 10 + libvirt/nwfilter/no-other-l2-traffic.xml | 7 + libvirt/nwfilter/no-other-rarp-traffic.xml | 3 + libvirt/nwfilter/qemu-announce-self-rarp.xml | 14 + libvirt/nwfilter/qemu-announce-self.xml | 13 + libvirt/qemu-lockd.conf | 67 +++ libvirt/qemu.conf | 532 +++++++++++++++++++ libvirt/virt-login-shell.conf | 26 + libvirt/virtlockd.conf | 67 +++ libvirt/virtlogd.conf | 59 ++ logrotate.d/libvirtd | 9 + logrotate.d/libvirtd.libxl | 9 + logrotate.d/libvirtd.lxc | 9 + logrotate.d/libvirtd.qemu | 9 + logrotate.d/libvirtd.uml | 9 + 37 files changed, 1909 insertions(+) create mode 100644 conf.d/libvirt-guests create mode 100644 conf.d/libvirtd create mode 100755 init.d/libvirt-guests create mode 100755 init.d/libvirtd create mode 100755 init.d/virtlockd create mode 100755 init.d/virtlogd create mode 100644 libvirt/libvirt-admin.conf create mode 100644 libvirt/libvirt.conf create mode 100644 libvirt/libvirtd.conf create mode 100644 libvirt/nwfilter/allow-arp.xml create mode 100644 libvirt/nwfilter/allow-dhcp-server.xml create mode 100644 libvirt/nwfilter/allow-dhcp.xml create mode 100644 libvirt/nwfilter/allow-incoming-ipv4.xml create mode 100644 libvirt/nwfilter/allow-ipv4.xml create mode 100644 libvirt/nwfilter/clean-traffic.xml create mode 100644 libvirt/nwfilter/no-arp-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-spoofing.xml create mode 100644 libvirt/nwfilter/no-ip-multicast.xml create mode 100644 libvirt/nwfilter/no-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-mac-broadcast.xml create mode 100644 libvirt/nwfilter/no-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-other-l2-traffic.xml create mode 100644 libvirt/nwfilter/no-other-rarp-traffic.xml create mode 100644 libvirt/nwfilter/qemu-announce-self-rarp.xml create mode 100644 libvirt/nwfilter/qemu-announce-self.xml create mode 100644 libvirt/qemu-lockd.conf create mode 100644 libvirt/qemu.conf create mode 100644 libvirt/virt-login-shell.conf create mode 100644 libvirt/virtlockd.conf create mode 100644 libvirt/virtlogd.conf create mode 100644 logrotate.d/libvirtd create mode 100644 logrotate.d/libvirtd.libxl create mode 100644 logrotate.d/libvirtd.lxc create mode 100644 logrotate.d/libvirtd.qemu create mode 100644 logrotate.d/libvirtd.uml diff --git a/.etckeeper b/.etckeeper index c86fa1b..40d4178 100755 --- a/.etckeeper +++ b/.etckeeper @@ -73,6 +73,8 @@ maybe chmod 0644 'conf.d/ipmievd' maybe chmod 0644 'conf.d/iptables' maybe chmod 0644 'conf.d/keymaps' maybe chmod 0644 'conf.d/killprocs' +maybe chmod 0644 'conf.d/libvirt-guests' +maybe chmod 0644 'conf.d/libvirtd' maybe chmod 0644 'conf.d/localmount' maybe chmod 0644 'conf.d/lvm' maybe chmod 0644 'conf.d/mdadm' @@ -553,6 +555,8 @@ maybe chmod 0755 'init.d/iptables' maybe chmod 0755 'init.d/keymaps' maybe chmod 0755 'init.d/killprocs' maybe chmod 0755 'init.d/kmod-static-nodes' +maybe chmod 0755 'init.d/libvirt-guests' +maybe chmod 0755 'init.d/libvirtd' maybe chmod 0755 'init.d/local' maybe chmod 0755 'init.d/localmount' maybe chmod 0755 'init.d/loopback' @@ -610,6 +614,8 @@ maybe chmod 0755 'init.d/udev' maybe chmod 0755 'init.d/unbound' maybe chmod 0755 'init.d/urandom' maybe chmod 0755 'init.d/uwsgi' +maybe chmod 0755 'init.d/virtlockd' +maybe chmod 0755 'init.d/virtlogd' maybe chmod 0755 'init.d/virtualbox-guest-additions' maybe chmod 0644 'inittab' maybe chmod 0644 'inputrc' @@ -657,6 +663,33 @@ maybe chmod 0644 'lftp/lftp.conf' maybe chmod 0755 'libnl' maybe chmod 0644 'libnl/classid' maybe chmod 0644 'libnl/pktloc' +maybe chmod 0755 'libvirt' +maybe chmod 0644 'libvirt/libvirt-admin.conf' +maybe chmod 0644 'libvirt/libvirt.conf' +maybe chmod 0644 'libvirt/libvirtd.conf' +maybe chmod 0755 'libvirt/nwfilter' +maybe chmod 0644 'libvirt/nwfilter/allow-arp.xml' +maybe chmod 0644 'libvirt/nwfilter/allow-dhcp-server.xml' +maybe chmod 0644 'libvirt/nwfilter/allow-dhcp.xml' +maybe chmod 0644 'libvirt/nwfilter/allow-incoming-ipv4.xml' +maybe chmod 0644 'libvirt/nwfilter/allow-ipv4.xml' +maybe chmod 0644 'libvirt/nwfilter/clean-traffic.xml' +maybe chmod 0644 'libvirt/nwfilter/no-arp-ip-spoofing.xml' +maybe chmod 0644 'libvirt/nwfilter/no-arp-mac-spoofing.xml' +maybe chmod 0644 'libvirt/nwfilter/no-arp-spoofing.xml' +maybe chmod 0644 'libvirt/nwfilter/no-ip-multicast.xml' +maybe chmod 0644 'libvirt/nwfilter/no-ip-spoofing.xml' +maybe chmod 0644 'libvirt/nwfilter/no-mac-broadcast.xml' +maybe chmod 0644 'libvirt/nwfilter/no-mac-spoofing.xml' +maybe chmod 0644 'libvirt/nwfilter/no-other-l2-traffic.xml' +maybe chmod 0644 'libvirt/nwfilter/no-other-rarp-traffic.xml' +maybe chmod 0644 'libvirt/nwfilter/qemu-announce-self-rarp.xml' +maybe chmod 0644 'libvirt/nwfilter/qemu-announce-self.xml' +maybe chmod 0644 'libvirt/qemu-lockd.conf' +maybe chmod 0644 'libvirt/qemu.conf' +maybe chmod 0644 'libvirt/virt-login-shell.conf' +maybe chmod 0644 'libvirt/virtlockd.conf' +maybe chmod 0644 'libvirt/virtlogd.conf' maybe chmod 0755 'local.d' maybe chmod 0644 'local.d/README' maybe chmod 0755 'local.d/motd.start' @@ -669,6 +702,11 @@ maybe chmod 0755 'logrotate.d' maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0' maybe chmod 0644 'logrotate.d/elog-save-summary' maybe chmod 0644 'logrotate.d/hibernate-script' +maybe chmod 0644 'logrotate.d/libvirtd' +maybe chmod 0644 'logrotate.d/libvirtd.libxl' +maybe chmod 0644 'logrotate.d/libvirtd.lxc' +maybe chmod 0644 'logrotate.d/libvirtd.qemu' +maybe chmod 0644 'logrotate.d/libvirtd.uml' maybe chmod 0644 'logrotate.d/openrc' maybe chmod 0644 'logrotate.d/pm-utils' maybe chmod 0644 'logrotate.d/ppd' diff --git a/conf.d/libvirt-guests b/conf.d/libvirt-guests new file mode 100644 index 0000000..ed2ce58 --- /dev/null +++ b/conf.d/libvirt-guests @@ -0,0 +1,68 @@ +# /etc/conf.d/libvirtd + +# LIBVIRT_URIS +# space separated list of libvirt URIs to communicate with to start/stop guests +# Valid values are anything that can be passed to 'virsh connect' + +#LIBVIRT_URIS="qemu:///system" + + +# LIBVIRT_SHUTDOWN +# Valid options: +# * managedsave - Performs a state save external to the VM (for hypervisors +# supporting this operation). qemu-kvm will stop the CPU +# and save off all state to a separate file. When the +# machine is started again, it will resume like nothing +# ever happened. This is guarenteed to always successfully +# stop your machine and restart it. +# +# * shutdown - Sends an ACPI shutdown (think of this as a request to +# your guest to shutdown). There is no way to distinguish +# between guests that are ignoring the shutdown request or +# are stuck or are taking a long time to shutdown. We will +# wait LIBVIRT_MAXWAIT seconds before yanking the power +# out. +# +# * destroy - Immediately stop all running guests. Use with caution as +# this can leave the guest in a corrupted state and might +# lead to data loss. +# + +#LIBVIRT_SHUTDOWN="managedsave" + + +# LIBVIRT_MAXWAIT +# Timeout in seconds until stopping a guest and "pulling the plug" on the +# guest +# Valid values are any integer over 0 + +#LIBVIRT_MAXWAIT="500" + + +# LIBVIRT_START +# If this value is set to 'no', then guests and networks that were shutdown +# by this script when it was stopped will not be started when it is started +# back up. +# Valid values are yes or no + +#LIBVIRT_START="yes" + + +# LIBVIRT_IGNORE_AUTOSTART +# If the VM is marked for autostart in its XML configuration then we won't +# save its start when the init script is stopped. The result is that when +# the init script starts back up, no attempt will be made to start the VM or +# confirm it is started. +# Valid values are yes or no + +#LIBVIRT_IGNORE_AUTOSTART="no" + + +# LIBVIRT_NET_SHUTDOWN +# If libvirtd created networks for you (e.g. NATed networks) then this init +# script will shut them down for you if this is set to 'yes'. Otherwise, +# the networks will be left running. For this option to be useful you must +# have enabled the 'virt-network' USE flag and have had libvirt create a +# NATed network for you. Valid values: 'yes' or 'no' + +#LIBVIRT_NET_SHUTDOWN="yes" diff --git a/conf.d/libvirtd b/conf.d/libvirtd new file mode 100644 index 0000000..c326531 --- /dev/null +++ b/conf.d/libvirtd @@ -0,0 +1,18 @@ +# /etc/conf.d/libvirtd + +# Startup dependency +# libvirtd typically requires all networks to be up and settled which +# is what rc_need="net" provides. However if you only use specific networks +# for libvirtd, you may override this. Or if you only use libvirtd locally. +rc_need="net" + +# The termination timeout (start-stop-daemon parameter "retry") ensures +# that the service will be terminated within a given time (25 + 5 seconds +# per default) when you are stopping the service. +#LIBVIRTD_TERMTIMEOUT="TERM/25/KILL/5" + +# LIBVIRTD_OPTS +# You may want to add '--listen' to have libvirtd listen for tcp/ip connections +# if you want to use libvirt for remote control +# Please consult 'libvirtd --help' for more options +#LIBVIRTD_OPTS="--listen" diff --git a/init.d/libvirt-guests b/init.d/libvirt-guests new file mode 100755 index 0000000..9db6d95 --- /dev/null +++ b/init.d/libvirt-guests @@ -0,0 +1,235 @@ +#!/sbin/openrc-run + +description="Virtual Machine Management (libvirt) Guests" + +depend() { + use libvirtd +} + +# set the default to QEMU +[ -z "${LIBVIRT_URIS}" ] && LIBVIRT_URIS="qemu:///system" + +# default to suspending the VM via managedsave +case "${LIBVIRT_SHUTDOWN}" in + managedsave|shutdown|destroy) ;; + *) LIBVIRT_SHUTDOWN="managedsave" ;; +esac + +# default to 500 seconds +[ -z ${LIBVIRT_MAXWAIT} ] && LIBVIRT_MAXWAIT=500 + +gueststatefile="/var/lib/libvirt/libvirt-guests.state" +netstatefile="/var/lib/libvirt/libvirt-net.state" + +do_virsh() { + local hvuri=$1 + shift + + # if unset, default to qemu + [ -z ${hvuri} ] && hvuri="qemu:///system" + # if only qemu was supplied then correct the value + [ "xqemu" = x${hvuri} ] && hvuri="qemu:///system" + + # Silence errors because virsh always throws an error about + # not finding the hypervisor version when connecting to libvirtd + # lastly strip the blank line at the end + LC_ALL=C virsh -c ${hvuri} "$@" 2>/dev/null | head -n -1 +} + +libvirtd_dom_list() { + # Only work with domains by their UUIDs + local hvuri=$1 + shift + + do_virsh "${hvuri}" list --uuid $@ +} + +libvirtd_dom_count() { + local hvuri=$1 + shift + + libvirtd_dom_list "${hvuri}" $@ | wc -l +} + +libvirtd_net_list() { + # Only work with networks by their UUIDs + local hvuri=$1 + shift + + do_virsh "${hvuri}" net-list --uuid $@ +} + +libvirtd_net_count() { + local hvuri=$1 + shift + + libvirtd_net_list "${hvuri}" $@ | wc -l +} + +libvirtd_dom_stop() { + # stops all persistent or transient domains for a given URI + # $1 - uri + # $2 - persisent/transient + + local uri=$1 + local persist=$2 + local shutdown_type=${LIBVIRT_SHUTDOWN} + local counter=${LIBVIRT_MAXWAIT} + local dom_name= + local dom_as= + local dom_ids= + local uuid= + local dom_count= + + [ "${persist}" = "--transient" ] && shutdown_type="shutdown" + [ -n "${counter}" ] || counter=500 + + einfo " Shutting down domain(s) ..." + + # grab all persistent or transient domains running + dom_ids=$(libvirtd_dom_list ${uri} ${persist}) + + for uuid in ${dom_ids}; do + # Get the name + dom_name=$(do_virsh ${uri} domname ${uuid}) + einfo " ${dom_name}" + # Get autostart state + dom_as=$(do_virsh ${uri} dominfo ${uuid} | \ + awk '$1 == "Autostart:" { print $2 }') + + if [ "${persist}" = "--persistent" ]; then + # Save our running state only if LIBVIRT_IGNORE_AUTOSTART != yes + if [ "x${LIBVIRT_IGNORE_AUTOSTART}" = "xyes" ] && \ + [ ${dom_as} = "enabled" ]; then + : + else + echo "${uri} ${uuid}" >> ${gueststatefile} + fi + + fi + + # Now let's stop it + do_virsh "${uri}" ${shutdown_type} ${uuid} > /dev/null + + done + + dom_count="$(libvirtd_dom_count ${uri} ${persist})" + while [ ${dom_count} -gt 0 ] && [ ${counter} -gt 0 ] ; do + dom_count="$(libvirtd_dom_count ${uri} ${persist})" + sleep 1 + if [ "${shutdown_type}" = "shutdown" ]; then + counter=$((${counter} - 1)) + fi + echo -n "." + done + + if [ "${shutdown_type}" = "shutdown" ]; then + # grab all domains still running + dom_ids=$(libvirtd_dom_list ${uri} ${persist}) + for uuid in ${dom_ids}; do + dom_name=$(do_virsh ${uri} domname ${uuid}) + eerror " ${dom_name} forcibly stopped" + do_virsh "${uri}" destroy ${uuid} > /dev/null + done + fi +} + +libvirtd_net_stop() { + # stops all persistent or transient domains for a given URI + # $1 - uri + # $2 - persisent/transient + + local uri=$1 + local persist=$2 + local uuid= + local net_name= + + if [ "${LIBVIRT_NET_SHUTDOWN}" != "no" ]; then + + einfo " Shutting down network(s):" + for uuid in $(libvirtd_net_list ${uri} ${persist}); do + net_name=$(do_virsh ${uri} net-name ${uuid}) + einfo " ${net_name}" + + if [ "${persist}" = "--persistent" ]; then + # Save our running state + echo "${uri} ${uuid}" >> ${netstatefile} + + fi + + # Actually stop the network + do_virsh qemu net-destroy ${uuid} > /dev/null + done + + fi +} + +start() { + local uri= + local uuid= + local name= + + for uri in ${LIBVIRT_URIS}; do + do_virsh "${uri}" connect + if [ $? -ne 0 ]; then + eerror "Failed to connect to '${uri}'. Domains may not start." + fi + done + + [ ! -e "${netstatefile}" ] && touch "${netstatefile}" + [ ! -e "${gueststatefile}" ] && touch "${gueststatefile}" + + # if the user didn't want to start any guests up then respect their wish + [ "x${LIBVIRT_START}" = "xno" ] && return 0 + + # start networks + ebegin "Starting libvirt networks" + while read -r uri uuid + do + # ignore trash + [ -z "${uri}" ] || [ -z "${uuid}" ] && continue + + name=$(do_virsh "${uri}" net-name ${uuid}) + einfo " ${name}" + do_virsh "${uri}" net-start ${uuid} > /dev/null + done <"${netstatefile}" + eend 0 + + # start domains + ebegin "Starting libvirt domains" + while read -r uri uuid + do + # ignore trash + [ -z "${uri}" ] || [ -z "${uuid}" ] && continue + + name=$(do_virsh "${uri}" domname ${uuid}) + einfo " ${name}" + do_virsh "${uri}" start ${uuid} > /dev/null + done <"${gueststatefile}" + eend 0 +} + +stop() { + local counter= + local dom_name= + local net_name= + local dom_ids= + local uuid= + local dom_count= + + rm -f "${gueststatefile}" + [ $? -ne 0 ] && eerror "Unable to save domain state" + rm -f "${netstatefile}" + [ $? -ne 0 ] && eerror "Unable to save net state" + + for uri in ${LIBVIRT_URIS}; do + einfo "Stopping libvirt domains and networks for ${uri}" + + libvirtd_dom_stop "${uri}" "--persistent" + libvirtd_dom_stop "${uri}" "--transient" + libvirtd_net_stop "${uri}" "--persistent" + libvirtd_net_stop "${uri}" "--transient" + + einfo "Done stopping domains and networks for ${uri}" + done +} diff --git a/init.d/libvirtd b/init.d/libvirtd new file mode 100755 index 0000000..5b0caca --- /dev/null +++ b/init.d/libvirtd @@ -0,0 +1,35 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +description="Virtual Machine Management daemon (libvirt)" + +LIBVIRTD_OPTS=${LIBVIRTD_OPTS:-"${LIBVIRTD_OPTS}"} +LIBVIRTD_TIMEOUT=${LIBVIRTD_TERMTIMEOUT:-"TERM/25/KILL/5"} + +command="/usr/sbin/libvirtd" +command_args="-d ${LIBVIRTD_OPTS}" +start_stop_daemon_args="--env KRB5_KTNAME=/etc/libvirt/krb5.tab" +pidfile="/var/run/libvirtd.pid" +retry="${LIBVIRTD_TERMTIMEOUT}" + +depend() { + need virtlogd + use dbus virtlockd + after ntp-client ntpd nfs nfsmount portmap rpc.statd iptables ip6tables ebtables corosync sanlock cgconfig xenconsoled + + + + +} + +start_pre() { + # Test configuration directories in /etc/libvirt/ to be either not + # present or a directory, i.e. not a regular file, bug #532892 + + checkpath --directory /etc/libvirt/lxc || return 1 + checkpath --directory /etc/libvirt/nwfilter || return 1 + checkpath --directory /etc/libvirt/qemu || return 1 + checkpath --directory /etc/libvirt/storage || return 1 +} diff --git a/init.d/virtlockd b/init.d/virtlockd new file mode 100755 index 0000000..251b86a --- /dev/null +++ b/init.d/virtlockd @@ -0,0 +1,24 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +description="libvirt virtual machine lock manager" +command="/usr/sbin/virtlockd" +command_args="-d" +pidfile="/var/run/virtlockd.pid" + +extra_started_commands="reload" +description_reload="re-exec the daemon, while maintaining locks and clients" + + +depend() { + after ntp-client ntpd nfs nfsmount corosync +} + +reload() { + ebegin "re-exec() virtlockd" + + start-stop-daemon --signal SIGUSR1 \ + --exec "${command}" --pidfile "${pidfile}" +} diff --git a/init.d/virtlogd b/init.d/virtlogd new file mode 100755 index 0000000..0d3493b --- /dev/null +++ b/init.d/virtlogd @@ -0,0 +1,24 @@ +#!/sbin/openrc-run +# Copyright 1999-2015 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +description="libvirt virtual machine logging manager" +command="/usr/sbin/virtlogd" +command_args="-d" +pidfile="/var/run/virtlogd.pid" + +extra_started_commands="reload" +description_reload="re-exec the daemon, while maintaining open connections" + + +depend() { + after ntp-client ntpd nfs nfsmount corosync +} + +reload() { + ebegin "re-exec() virtlogd" + + start-stop-daemon --signal SIGUSR1 \ + --exec "${command}" --pidfile "${pidfile}" +} diff --git a/libvirt/libvirt-admin.conf b/libvirt/libvirt-admin.conf new file mode 100644 index 0000000..d7cf12a --- /dev/null +++ b/libvirt/libvirt-admin.conf @@ -0,0 +1,16 @@ +# +# This can be used to setup URI aliases for frequently +# used connection URIs. Aliases may contain only the +# characters a-Z, 0-9, _, -. +# +# Following the '=' may be any valid libvirt admin connection +# URI, including arbitrary parameters + +#uri_aliases = [ +# "admin=libvirtd:///system", +#] + +# This specifies the default location the client tries to connect to if no other +# URI is provided by the application + +#uri_default = "libvirtd:///system" diff --git a/libvirt/libvirt.conf b/libvirt/libvirt.conf new file mode 100644 index 0000000..da4dfbe --- /dev/null +++ b/libvirt/libvirt.conf @@ -0,0 +1,18 @@ +# +# This can be used to setup URI aliases for frequently +# used connection URIs. Aliases may contain only the +# characters a-Z, 0-9, _, -. +# +# Following the '=' may be any valid libvirt connection +# URI, including arbitrary parameters + +#uri_aliases = [ +# "hail=qemu+ssh://root@hail.cloud.example.com/system", +# "sleet=qemu+ssh://root@sleet.cloud.example.com/system", +#] + +# +# These can be used in cases when no URI is supplied by the application +# (@uri_default also prevents probing of the hypervisor driver). +# +#uri_default = "qemu:///system" diff --git a/libvirt/libvirtd.conf b/libvirt/libvirtd.conf new file mode 100644 index 0000000..d2c439c --- /dev/null +++ b/libvirt/libvirtd.conf @@ -0,0 +1,455 @@ +# Master libvirt daemon configuration file +# +# For further information consult http://libvirt.org/format.html +# +# NOTE: the tests/daemon-conf regression test script requires +# that each "PARAMETER = VALUE" line in this file have the parameter +# name just after a leading "#". + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +#listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +#tcp_port = "16509" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" + + +# Flag toggling mDNS advertizement of the libvirt service. +# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +#mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is substituted for the short hostname of the machine (without domain) +# +#mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +#unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +#unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +#unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +#unix_sock_dir = "/var/run/libvirt" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +#auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +#auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for usernames +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is zero, meaning +# the feature is disabled. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Total global limit on concurrent RPC calls. Should be +# at least as large as max_workers. Beyond this, RPC requests +# will be read into memory and queued. This directly impacts +# memory usage, currently each request requires 256 KB of +# memory. So by default up to 5 MB of memory is used +# +# XXX this isn't actually enforced yet, only the per-client +# limit is used so far +#max_requests = 20 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_requests +# and max_workers parameter +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name + +# where name is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json" (the name in the +# filter can be a substring of the full category name, in order +# to match multiple similar categories), the optional "+" prefix +# tells libvirt to log stack trace for each message matching +# name, and x is the minimal level where matching messages should +# be logged: + +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# output to journald logging system +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. +#log_buffer_size = 64 + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Provide the UUID of the host here in case the command +# 'dmidecode -s system-uuid' does not provide a valid uuid. In case +# 'dmidecode' does not provide a valid UUID and none is provided here, a +# temporary UUID will be generated. +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 diff --git a/libvirt/nwfilter/allow-arp.xml b/libvirt/nwfilter/allow-arp.xml new file mode 100644 index 0000000..63a92b2 --- /dev/null +++ b/libvirt/nwfilter/allow-arp.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/allow-dhcp-server.xml b/libvirt/nwfilter/allow-dhcp-server.xml new file mode 100644 index 0000000..37e708e --- /dev/null +++ b/libvirt/nwfilter/allow-dhcp-server.xml @@ -0,0 +1,24 @@ + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/allow-dhcp.xml b/libvirt/nwfilter/allow-dhcp.xml new file mode 100644 index 0000000..d66d2b6 --- /dev/null +++ b/libvirt/nwfilter/allow-dhcp.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/allow-incoming-ipv4.xml b/libvirt/nwfilter/allow-incoming-ipv4.xml new file mode 100644 index 0000000..dd1e50d --- /dev/null +++ b/libvirt/nwfilter/allow-incoming-ipv4.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/allow-ipv4.xml b/libvirt/nwfilter/allow-ipv4.xml new file mode 100644 index 0000000..28e930a --- /dev/null +++ b/libvirt/nwfilter/allow-ipv4.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/clean-traffic.xml b/libvirt/nwfilter/clean-traffic.xml new file mode 100644 index 0000000..b8cde9c --- /dev/null +++ b/libvirt/nwfilter/clean-traffic.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-ip-spoofing.xml b/libvirt/nwfilter/no-arp-ip-spoofing.xml new file mode 100644 index 0000000..7365298 --- /dev/null +++ b/libvirt/nwfilter/no-arp-ip-spoofing.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-mac-spoofing.xml b/libvirt/nwfilter/no-arp-mac-spoofing.xml new file mode 100644 index 0000000..71482bb --- /dev/null +++ b/libvirt/nwfilter/no-arp-mac-spoofing.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/libvirt/nwfilter/no-arp-spoofing.xml b/libvirt/nwfilter/no-arp-spoofing.xml new file mode 100644 index 0000000..23f2d3c --- /dev/null +++ b/libvirt/nwfilter/no-arp-spoofing.xml @@ -0,0 +1,4 @@ + + + + diff --git a/libvirt/nwfilter/no-ip-multicast.xml b/libvirt/nwfilter/no-ip-multicast.xml new file mode 100644 index 0000000..edcf03f --- /dev/null +++ b/libvirt/nwfilter/no-ip-multicast.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/libvirt/nwfilter/no-ip-spoofing.xml b/libvirt/nwfilter/no-ip-spoofing.xml new file mode 100644 index 0000000..f8c9573 --- /dev/null +++ b/libvirt/nwfilter/no-ip-spoofing.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-mac-broadcast.xml b/libvirt/nwfilter/no-mac-broadcast.xml new file mode 100644 index 0000000..74e65bf --- /dev/null +++ b/libvirt/nwfilter/no-mac-broadcast.xml @@ -0,0 +1,8 @@ + + + + + + + + diff --git a/libvirt/nwfilter/no-mac-spoofing.xml b/libvirt/nwfilter/no-mac-spoofing.xml new file mode 100644 index 0000000..2d0468f --- /dev/null +++ b/libvirt/nwfilter/no-mac-spoofing.xml @@ -0,0 +1,10 @@ + + + + + + + + + + diff --git a/libvirt/nwfilter/no-other-l2-traffic.xml b/libvirt/nwfilter/no-other-l2-traffic.xml new file mode 100644 index 0000000..8bad86e --- /dev/null +++ b/libvirt/nwfilter/no-other-l2-traffic.xml @@ -0,0 +1,7 @@ + + + + + + diff --git a/libvirt/nwfilter/no-other-rarp-traffic.xml b/libvirt/nwfilter/no-other-rarp-traffic.xml new file mode 100644 index 0000000..7729996 --- /dev/null +++ b/libvirt/nwfilter/no-other-rarp-traffic.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/qemu-announce-self-rarp.xml b/libvirt/nwfilter/qemu-announce-self-rarp.xml new file mode 100644 index 0000000..b7a848a --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self-rarp.xml @@ -0,0 +1,14 @@ + + + + + + + + diff --git a/libvirt/nwfilter/qemu-announce-self.xml b/libvirt/nwfilter/qemu-announce-self.xml new file mode 100644 index 0000000..352db50 --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self.xml @@ -0,0 +1,13 @@ + + + + + + + + + + + + diff --git a/libvirt/qemu-lockd.conf b/libvirt/qemu-lockd.conf new file mode 100644 index 0000000..fa43760 --- /dev/null +++ b/libvirt/qemu-lockd.conf @@ -0,0 +1,67 @@ +# +# The default lockd behaviour is to acquire locks directly +# against each configured disk file / block device. If the +# application wishes to instead manually manage leases in +# the guest XML, then this parameter can be disabled +# +#auto_disk_leases = 0 + +# +# Flag to determine whether we allow starting of guests +# which do not have any elements defined in their +# configuration. +# +# If 'auto_disk_leases' is disabled, this setting defaults +# to enabled, otherwise it defaults to disabled. +# +#require_lease_for_disks = 1 + + +# +# The default lockd behaviour is to use the "direct" +# lockspace, where the locks are acquired against the +# actual file paths associated with the devices. +# +# Setting a directory here causes lockd to use "indirect" +# lockspace, where a hash of the file path is +# used to create a file in the lockspace directory. The +# locks are then held on these hash files instead. +# +# This can be useful if the file paths refer to block +# devices which are shared, since /dev fcntl() locks +# don't propagate across hosts. It is also useful if +# the filesystem does not support fcntl() locks. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#file_lockspace_dir = "/var/lib/libvirt/lockd/files" + + +# +# When using LVM volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. Setting this path causes libvirt to +# do UUID based locking for LVM. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes" + + +# +# When using SCSI volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. Setting this path causes libvirt to +# do UUID based locking for SCSI. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes" diff --git a/libvirt/qemu.conf b/libvirt/qemu.conf new file mode 100644 index 0000000..4fa5e8a --- /dev/null +++ b/libvirt/qemu.conf @@ -0,0 +1,532 @@ +# Master configuration file for the QEMU driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# VNC is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, uncomment +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +#vnc_listen = "0.0.0.0" + +# Enable this option to have VNC served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine, though most VNC clients do not support it. +# +# This will only be enabled for VNC configurations that do not have +# a hardcoded 'listen' or 'socket' value. This setting takes preference +# over vnc_listen. +# +#vnc_auto_unix_socket = 1 + +# Enable use of TLS encryption on the VNC server. This requires +# a VNC client which supports the VeNCrypt protocol extension. +# Examples include vinagre, virt-viewer, virt-manager and vencrypt +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#vnc_tls = 1 + + +# Use of TLS requires that x509 certificates be issued. The +# default it to keep them in /etc/pki/libvirt-vnc. This directory +# must contain +# +# ca-cert.pem - the CA master certificate +# server-cert.pem - the server certificate signed with ca-cert.pem +# server-key.pem - the server private key +# +# This option allows the certificate directory to be changed +# +#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing a x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem +# +#vnc_tls_x509_verify = 1 + + +# The default VNC password. Only 8 bytes are significant for +# VNC passwords. This parameter is only used if the per-domain +# XML config does not already provide a password. To allow +# access without passwords, leave this commented out. An empty +# string will still enable passwords, but be rejected by QEMU, +# effectively preventing any use of VNC. Obviously change this +# example here before you set this. +# +#vnc_password = "XYZ12345" + + +# Enable use of SASL encryption on the VNC server. This requires +# a VNC client which supports the SASL protocol extension. +# Examples include vinagre, virt-viewer and virt-manager +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +#vnc_sasl = 1 + + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +#vnc_sasl_dir = "/some/directory/sasl2" + + +# QEMU implements an extension for providing audio over a VNC connection, +# though if your VNC client does not support it, your only chance for getting +# sound output is through regular audio backends. By default, libvirt will +# disable all QEMU sound backends if using VNC, since they can cause +# permissions issues. Enabling this option will make libvirtd honor the +# QEMU_AUDIO_DRV environment variable when using VNC. +# +#vnc_allow_host_audio = 0 + + + +# SPICE is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, uncomment +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +#spice_listen = "0.0.0.0" + + +# Enable use of TLS encryption on the SPICE server. +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#spice_tls = 1 + + +# Use of TLS requires that x509 certificates be issued. The +# default it to keep them in /etc/pki/libvirt-spice. This directory +# must contain +# +# ca-cert.pem - the CA master certificate +# server-cert.pem - the server certificate signed with ca-cert.pem +# server-key.pem - the server private key +# +# This option allows the certificate directory to be changed. +# +#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" + + +# The default SPICE password. This parameter is only used if the +# per-domain XML config does not already provide a password. To +# allow access without passwords, leave this commented out. An +# empty string will still enable passwords, but be rejected by +# QEMU, effectively preventing any use of SPICE. Obviously change +# this example here before you set this. +# +#spice_password = "XYZ12345" + + +# Enable use of SASL encryption on the SPICE server. This requires +# a SPICE client which supports the SASL protocol extension. +# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +#spice_sasl = 1 + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +#spice_sasl_dir = "/some/directory/sasl2" + + +# By default, if no graphical front end is configured, libvirt will disable +# QEMU audio output since directly talking to alsa/pulseaudio may not work +# with various security settings. If you know what you're doing, enable +# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV +# environment variable when using nographics. +# +#nographics_allow_host_audio = 1 + + +# Override the port for creating both VNC and SPICE sessions (min). +# This defaults to 5900 and increases for consecutive sessions +# or when ports are occupied, until it hits the maximum. +# +# Minimum must be greater than or equal to 5900 as lower number would +# result into negative vnc display number. +# +# Maximum must be less than 65536, because higher numbers do not make +# sense as a port number. +# +#remote_display_port_min = 5900 +#remote_display_port_max = 65535 + +# VNC WebSocket port policies, same rules apply as with remote display +# ports. VNC WebSockets use similar display <-> port mappings, with +# the exception being that ports start from 5700 instead of 5900. +# +#remote_websocket_port_min = 5700 +#remote_websocket_port_max = 65535 + +# The default security driver is SELinux. If SELinux is disabled +# on the host, then the security driver will automatically disable +# itself. If you wish to disable QEMU SELinux security driver while +# leaving SELinux enabled for the host in general, then set this +# to 'none' instead. It's also possible to use more than one security +# driver at the same time, for this use a list of names separated by +# comma and delimited by square brackets. For example: +# +# security_driver = [ "selinux", "apparmor" ] +# +# Notes: The DAC security driver is always enabled; as a result, the +# value of security_driver cannot contain "dac". The value "none" is +# a special value; security_driver can be set to that value in +# isolation, but it cannot appear in a list of drivers. +# +#security_driver = "selinux" + +# If set to non-zero, then the default security labeling +# will make guests confined. If set to zero, then guests +# will be unconfined by default. Defaults to 1. +#security_default_confined = 1 + +# If set to non-zero, then attempts to create unconfined +# guests will be blocked. Defaults to 0. +#security_require_confined = 1 + +# The user for QEMU processes run by the system instance. It can be +# specified as a user name or as a user id. The qemu driver will try to +# parse this value first as a name and then, if the name doesn't exist, +# as a user id. +# +# Since a sequence of digits is a valid user name, a leading plus sign +# can be used to ensure that a user id will not be interpreted as a user +# name. +# +# Some examples of valid values are: +# +# user = "qemu" # A user named "qemu" +# user = "+0" # Super user (uid=0) +# user = "100" # A user named "100" or a user with uid=100 +# +#user = "root" + +# The group for QEMU processes run by the system instance. It can be +# specified in a similar way to user. +#group = "root" + +# Whether libvirt should dynamically change file ownership +# to match the configured user/group above. Defaults to 1. +# Set to 0 to disable file ownership changes. +#dynamic_ownership = 1 + + +# What cgroup controllers to make use of with QEMU guests +# +# - 'cpu' - use for schedular tunables +# - 'devices' - use for device whitelisting +# - 'memory' - use for memory tunables +# - 'blkio' - use for block devices I/O tunables +# - 'cpuset' - use for CPUs and memory nodes +# - 'cpuacct' - use for CPUs statistics. +# +# NB, even if configured here, they won't be used unless +# the administrator has mounted cgroups, e.g.: +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup +# +# They can be mounted anywhere, and different controllers +# can be mounted in different locations. libvirt will detect +# where they are located. +# +#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know about. +# +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", "/dev/kqemu", +# "/dev/rtc","/dev/hpet", "/dev/vfio/vfio" +#] +# +# RDMA migration requires the following extra files to be added to the list: +# "/dev/infiniband/rdma_cm", +# "/dev/infiniband/issm0", +# "/dev/infiniband/issm1", +# "/dev/infiniband/umad0", +# "/dev/infiniband/umad1", +# "/dev/infiniband/uverbs0" + + +# The default format for Qemu/KVM guest save images is raw; that is, the +# memory from the domain is dumped out directly to a file. If you have +# guests with a large amount of memory, however, this can take up quite +# a bit of space. If you would like to compress the images while they +# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" +# for save_image_format. Note that this means you slow down the process of +# saving a domain in order to save disk space; the list above is in descending +# order by performance and ascending order by compression ratio. +# +# save_image_format is used when you use 'virsh save' or 'virsh managedsave' +# at scheduled saving, and it is an error if the specified save_image_format +# is not valid, or the requested compression program can't be found. +# +# dump_image_format is used when you use 'virsh dump' at emergency +# crashdump, and if the specified dump_image_format is not valid, or +# the requested compression program can't be found, this falls +# back to "raw" compression. +# +# snapshot_image_format specifies the compression algorithm of the memory save +# image when an external snapshot of a domain is taken. This does not apply +# on disk image format. It is an error if the specified format isn't valid, +# or the requested compression program can't be found. +# +#save_image_format = "raw" +#dump_image_format = "raw" +#snapshot_image_format = "raw" + +# When a domain is configured to be auto-dumped when libvirtd receives a +# watchdog event from qemu guest, libvirtd will save dump files in directory +# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump +# +#auto_dump_path = "/var/lib/libvirt/qemu/dump" + +# When a domain is configured to be auto-dumped, enabling this flag +# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the +# virDomainCoreDump API. That is, the system will avoid using the +# file system cache while writing the dump file, but may cause +# slower operation. +# +#auto_dump_bypass_cache = 0 + +# When a domain is configured to be auto-started, enabling this flag +# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag +# with the virDomainCreateWithFlags API. That is, the system will +# avoid using the file system cache when restoring any managed state +# file, but may cause slower operation. +# +#auto_start_bypass_cache = 0 + +# If provided by the host and a hugetlbfs mount point is configured, +# a guest may request huge page backing. When this mount point is +# unspecified here, determination of a host mount point in /proc/mounts +# will be attempted. Specifying an explicit mount overrides detection +# of the same in /proc/mounts. Setting the mount point to "" will +# disable guest hugepage backing. If desired, multiple mount points can +# be specified at once, separated by comma and enclosed in square +# brackets, for example: +# +# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] +# +# The size of huge page served by specific mount point is determined by +# libvirt at the daemon startup. +# +# NB, within these mount points, guests will create memory backing +# files in a location of $MOUNTPOINT/libvirt/qemu +# +#hugetlbfs_mount = "/dev/hugepages" + + +# Path to the setuid helper for creating tap devices. This executable +# is used to create interfaces when libvirtd is +# running unprivileged. libvirt invokes the helper directly, instead +# of using "-netdev bridge", for security reasons. +#bridge_helper = "/usr/libexec/qemu-bridge-helper" + + + +# If clear_emulator_capabilities is enabled, libvirt will drop all +# privileged capabilities of the QEmu/KVM emulator. This is enabled by +# default. +# +# Warning: Disabling this option means that a compromised guest can +# exploit the privileges and possibly do damage to the host. +# +#clear_emulator_capabilities = 1 + + +# If enabled, libvirt will have QEMU set its process name to +# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU +# process will appear as "qemu:VM_NAME" in process listings and +# other system monitoring tools. By default, QEMU does not set +# its process title, so the complete QEMU command (emulator and +# its arguments) appear in process listings. +# +#set_process_name = 1 + + +# If max_processes is set to a positive integer, libvirt will use +# it to set the maximum number of processes that can be run by qemu +# user. This can be used to override default value set by host OS. +# The same applies to max_files which sets the limit on the maximum +# number of opened files. +# +#max_processes = 0 +#max_files = 0 + + + +# mac_filter enables MAC addressed based filtering on bridge ports. +# This currently requires ebtables to be installed. +# +#mac_filter = 1 + + +# By default, PCI devices below non-ACS switch are not allowed to be assigned +# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to +# be assigned to guests. +# +#relaxed_acs_check = 1 + + +# If allow_disk_format_probing is enabled, libvirt will probe disk +# images to attempt to identify their format, when not otherwise +# specified in the XML. This is disabled by default. +# +# WARNING: Enabling probing is a security hole in almost all +# deployments. It is strongly recommended that users update their +# guest XML elements to include +# elements instead of enabling this option. +# +#allow_disk_format_probing = 1 + + +# In order to prevent accidentally starting two domains that +# share one writable disk, libvirt offers two approaches for +# locking files. The first one is sanlock, the other one, +# virtlockd, is then our own implementation. Accepted values +# are "sanlock" and "lockd". +# +#lock_manager = "lockd" + + + +# Set limit of maximum APIs queued on one domain. All other APIs +# over this threshold will fail on acquiring job lock. Specially, +# setting to zero turns this feature off. +# Note, that job lock is per domain. +# +#max_queued = 0 + +################################################################### +# Keepalive protocol: +# This allows qemu driver to detect broken connections to remote +# libvirtd during peer-to-peer migration. A keepalive message is +# sent to the daemon after keepalive_interval seconds of inactivity +# to check if the daemon is still responding; keepalive_count is a +# maximum number of keepalive messages that are allowed to be sent +# to the daemon without getting any response before the connection +# is considered broken. In other words, the connection is +# automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the daemon. If keepalive_interval is set to +# -1, qemu driver will not send keepalive requests during +# peer-to-peer migration; however, the remote libvirtd can still +# send them and source libvirtd will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + + + +# Use seccomp syscall whitelisting in QEMU. +# 1 = on, 0 = off, -1 = use QEMU default +# Defaults to -1. +# +#seccomp_sandbox = 1 + + +# Override the listen address for all incoming migrations. Defaults to +# 0.0.0.0, or :: if both host and qemu are capable of IPv6. +#migration_address = "0.0.0.0" + + +# The default hostname or IP address which will be used by a migration +# source for transferring migration data to this host. The migration +# source has to be able to resolve this hostname and connect to it so +# setting "localhost" will not work. By default, the host's configured +# hostname is used. +#migration_host = "host.example.com" + + +# Override the port range used for incoming migrations. +# +# Minimum must be greater than 0, however when QEMU is not running as root, +# setting the minimum to be lower than 1024 will not work. +# +# Maximum must not be greater than 65535. +# +#migration_port_min = 49152 +#migration_port_max = 49215 + + + +# Timestamp QEMU's log messages (if QEMU supports it) +# +# Defaults to 1. +# +#log_timestamp = 0 + + +# Location of master nvram file +# +# When a domain is configured to use UEFI instead of standard +# BIOS it may use a separate storage for UEFI variables. If +# that's the case libvirt creates the variable store per domain +# using this master file as image. Each UEFI firmware can, +# however, have different variables store. Therefore the nvram is +# a list of strings when a single item is in form of: +# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. +# Later, when libvirt creates per domain variable store, this list is +# searched for the master image. The UEFI firmware can be called +# differently for different guest architectures. For instance, it's OVMF +# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default +# follows this scheme. +#nvram = [ +# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd" +#] + +# The backend to use for handling stdout/stderr output from +# QEMU processes. +# +# 'file': QEMU writes directly to a plain file. This is the +# historical default, but allows QEMU to inflict a +# denial of service attack on the host by exhausting +# filesystem space +# +# 'logd': QEMU writes to a pipe provided by virtlogd daemon. +# This is the current default, providing protection +# against denial of service by performing log file +# rollover when a size limit is hit. +# +#stdio_handler = "logd" diff --git a/libvirt/virt-login-shell.conf b/libvirt/virt-login-shell.conf new file mode 100644 index 0000000..835fd3f --- /dev/null +++ b/libvirt/virt-login-shell.conf @@ -0,0 +1,26 @@ +# Master configuration file for the virt-login-shell program. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# By default, virt-login-shell will connect you to a container running +# with the /bin/sh program. Modify the shell variable if you want your +# users to run a different shell or a setup container when joining a +# container. Shell commands must be a list of commands/options separated by +# comma and delimited by square brackets. Defaults to: /bin/sh -l. +# Modify and uncomment the following to modify the login shell. +# shell = [ "/bin/sh", "-l" ] + +# allowed_users specifies the user names of all users that are allowed to +# execute virt-login-shell. You can specify the users as a comma +# separated list of usernames or user groups. +# The list of names support glob syntax. +# To disallow all users (default) +# allowed_users = [] +# If you do not specify any names (default) then no one is allowed +# to use this executable. +# To allow fred and joe only +# allowed_users = ["fred", "joe"] +# To allow all users within a specific group prefix the group name with %. +# allowed_users = ["%engineers"] +# To allow all users specify the following +# allowed_users = [ "*" ] diff --git a/libvirt/virtlockd.conf b/libvirt/virtlockd.conf new file mode 100644 index 0000000..4c935d0 --- /dev/null +++ b/libvirt/virtlockd.conf @@ -0,0 +1,67 @@ +# Master virtlockd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name +# where name is a string which is matched against source file name, +# e.g., "remote", "qemu", or "util/json", the optional "+" prefix +# tells libvirt to log stack trace for each message matching name, +# and x is the minimal level where matching messages should be logged: +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filter can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple output can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtlockd ident: +#log_outputs="3:syslog:virtlockd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. +#log_buffer_size = 64 + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +# Each running virtual machine will require one open connection +# to virtlockd. So 'max_clients' will affect how many VMs can +# be run on a host +#max_clients = 1024 diff --git a/libvirt/virtlogd.conf b/libvirt/virtlogd.conf new file mode 100644 index 0000000..abb3633 --- /dev/null +++ b/libvirt/virtlogd.conf @@ -0,0 +1,59 @@ +# Master virtlogd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name +# where name is a string which is matched against source file name, +# e.g., "remote", "qemu", or "util/json", the optional "+" prefix +# tells libvirt to log stack trace for each message matching name, +# and x is the minimal level where matching messages should be logged: +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filter can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# ouput to the systemd journal +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple output can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtlogd ident: +#log_outputs="3:syslog:virtlogd" +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 1024 diff --git a/logrotate.d/libvirtd b/logrotate.d/libvirtd new file mode 100644 index 0000000..869c879 --- /dev/null +++ b/logrotate.d/libvirtd @@ -0,0 +1,9 @@ +/var/log/libvirt/libvirtd.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/logrotate.d/libvirtd.libxl b/logrotate.d/libvirtd.libxl new file mode 100644 index 0000000..c531513 --- /dev/null +++ b/logrotate.d/libvirtd.libxl @@ -0,0 +1,9 @@ +/var/log/libvirt/libxl/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/logrotate.d/libvirtd.lxc b/logrotate.d/libvirtd.lxc new file mode 100644 index 0000000..af0adc2 --- /dev/null +++ b/logrotate.d/libvirtd.lxc @@ -0,0 +1,9 @@ +/var/log/libvirt/lxc/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/logrotate.d/libvirtd.qemu b/logrotate.d/libvirtd.qemu new file mode 100644 index 0000000..6a866f9 --- /dev/null +++ b/logrotate.d/libvirtd.qemu @@ -0,0 +1,9 @@ +/var/log/libvirt/qemu/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} diff --git a/logrotate.d/libvirtd.uml b/logrotate.d/libvirtd.uml new file mode 100644 index 0000000..441a905 --- /dev/null +++ b/logrotate.d/libvirtd.uml @@ -0,0 +1,9 @@ +/var/log/libvirt/uml/*.log { + weekly + missingok + rotate 4 + compress + delaycompress + copytruncate + minsize 100k +} -- 2.39.5