From b7742d517032986209b040d57051baad16a59df2 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Thu, 31 Dec 2015 14:20:07 +0100 Subject: [PATCH] Current state --- config-archive/etc/default/grub | 15 +- config-archive/etc/default/grub.1 | 30 +- config-archive/etc/default/grub.2 | 47 ++ config-archive/etc/default/grub.dist | 2 +- config-archive/etc/libvirt/libvirtd.conf | 24 + config-archive/etc/libvirt/libvirtd.conf.1 | 434 ++++++++++++++++++ config-archive/etc/libvirt/libvirtd.conf.dist | 9 +- default/grub | 2 +- libvirt/libvirtd.conf | 9 +- 9 files changed, 554 insertions(+), 18 deletions(-) create mode 100644 config-archive/etc/default/grub.2 create mode 100644 config-archive/etc/libvirt/libvirtd.conf.1 diff --git a/config-archive/etc/default/grub b/config-archive/etc/default/grub index c4b11376..f9801015 100644 --- a/config-archive/etc/default/grub +++ b/config-archive/etc/default/grub @@ -1,6 +1,6 @@ -# Copyright 1999-2014 Gentoo Foundation +# Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.5 2015/03/25 01:58:00 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: @@ -63,3 +63,14 @@ GRUB_DISABLE_LINUX_UUID=true # Uncomment to disable generation of recovery mode menu entries #GRUB_DISABLE_RECOVERY=true + +# Uncomment to disable generation of the submenu and put all choices on +# the top-level menu. +# Besides the visual affect of no sub menu, this makes navigation of the +# menu easier for a user who can't see the screen. +#GRUB_DISABLE_SUBMENU=y + +# Uncomment to play a tone when the main menu is displayed. +# This is useful, for example, to allow users who can't see the screen +# to know when they can make a choice on the menu. +#GRUB_INIT_TUNE="60 800 1" diff --git a/config-archive/etc/default/grub.1 b/config-archive/etc/default/grub.1 index 321487b3..c4b11376 100644 --- a/config-archive/etc/default/grub.1 +++ b/config-archive/etc/default/grub.1 @@ -1,23 +1,34 @@ -# Copyright 1999-2013 Gentoo Foundation +# Copyright 1999-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.4 2014/10/16 04:04:02 floppym Exp $ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: # 'grub2-mkconfig -o /boot/grub/grub.cfg' # # See the grub info page for documentation on possible variables and -# their associated values. +# their associated values. GRUB_DISTRIBUTOR="Bruni (Gentoo)" +# Default menu entry GRUB_DEFAULT=0 -GRUB_HIDDEN_TIMEOUT=5 -GRUB_HIDDEN_TIMEOUT_QUIET=true + +# Boot the default entry this many seconds after the menu is displayed +#GRUB_TIMEOUT=5 GRUB_TIMEOUT=10 +#GRUB_TIMEOUT_STYLE=menu # Append parameters to the linux kernel command line -# GRUB_CMDLINE_LINUX="" +#GRUB_CMDLINE_LINUX="" +# +# Examples: +# +# Boot with network interface renaming disabled +# GRUB_CMDLINE_LINUX="net.ifnames=0" +# +# Boot with systemd instead of sysvinit (openrc) +# GRUB_CMDLINE_LINUX="init=/usr/lib/systemd/systemd" # Append parameters to the linux kernel command line for non-recovery entries #GRUB_CMDLINE_LINUX_DEFAULT="" @@ -31,6 +42,13 @@ GRUB_TIMEOUT=10 #GRUB_GFXMODE=640x480 GRUB_GFXMODE=800x600 +# Set to 'text' to force the Linux kernel to boot in normal text +# mode, 'keep' to preserve the graphics mode set using +# 'GRUB_GFXMODE', 'WIDTHxHEIGHT'['xDEPTH'] to set a particular +# graphics mode, or a sequence of these separated by commas or +# semicolons to try several modes in sequence. +#GRUB_GFXPAYLOAD_LINUX= + # Path to theme spec txt file. # The starfield is by default provided with use truetype. # NOTE: when enabling custom theme, ensure you have required font/etc. diff --git a/config-archive/etc/default/grub.2 b/config-archive/etc/default/grub.2 new file mode 100644 index 00000000..321487b3 --- /dev/null +++ b/config-archive/etc/default/grub.2 @@ -0,0 +1,47 @@ +# Copyright 1999-2013 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-2,v 1.4 2013/09/21 18:10:55 floppym Exp $ +# +# To populate all changes in this file you need to regenerate your +# grub configuration file afterwards: +# 'grub2-mkconfig -o /boot/grub/grub.cfg' +# +# See the grub info page for documentation on possible variables and +# their associated values. + +GRUB_DISTRIBUTOR="Bruni (Gentoo)" + +GRUB_DEFAULT=0 +GRUB_HIDDEN_TIMEOUT=5 +GRUB_HIDDEN_TIMEOUT_QUIET=true +GRUB_TIMEOUT=10 + +# Append parameters to the linux kernel command line +# GRUB_CMDLINE_LINUX="" + +# Append parameters to the linux kernel command line for non-recovery entries +#GRUB_CMDLINE_LINUX_DEFAULT="" + +# Uncomment to disable graphical terminal (grub-pc only) +#GRUB_TERMINAL=console + +# The resolution used on graphical terminal. +# Note that you can use only modes which your graphic card supports via VBE. +# You can see them in real GRUB with the command `vbeinfo'. +#GRUB_GFXMODE=640x480 +GRUB_GFXMODE=800x600 + +# Path to theme spec txt file. +# The starfield is by default provided with use truetype. +# NOTE: when enabling custom theme, ensure you have required font/etc. +#GRUB_THEME="/boot/grub/themes/starfield/theme.txt" + +# Background image used on graphical terminal. +# Can be in various bitmap formats. +#GRUB_BACKGROUND="/boot/grub/mybackground.png" + +# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to kernel +GRUB_DISABLE_LINUX_UUID=true + +# Uncomment to disable generation of recovery mode menu entries +#GRUB_DISABLE_RECOVERY=true diff --git a/config-archive/etc/default/grub.dist b/config-archive/etc/default/grub.dist index 8ff053fa..35ab767b 100644 --- a/config-archive/etc/default/grub.dist +++ b/config-archive/etc/default/grub.dist @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.5 2015/03/25 01:58:00 floppym Exp $ +# $Id$ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: diff --git a/config-archive/etc/libvirt/libvirtd.conf b/config-archive/etc/libvirt/libvirtd.conf index a0f0bb4b..3fd232d1 100644 --- a/config-archive/etc/libvirt/libvirtd.conf +++ b/config-archive/etc/libvirt/libvirtd.conf @@ -107,9 +107,17 @@ unix_sock_group = "libvirt" # control, then you may want to relax this too. #unix_sock_rw_perms = "0770" +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + # Set the name of the directory in which sockets will be found/created. #unix_sock_dir = "/var/run/libvirt" + + ################################################################# # # Authentication. @@ -310,6 +318,16 @@ auth_unix_rw = "polkit" # and max_workers parameter #max_client_requests = 5 +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + ################################################################# # # Logging controls @@ -432,3 +450,9 @@ host_uuid = "56a41aab-92b8-4840-b9ef-39a41c8d6b01" # support keepalive protocol. Defaults to 0. # #keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 +# +#admin_keepalive_required = 1 diff --git a/config-archive/etc/libvirt/libvirtd.conf.1 b/config-archive/etc/libvirt/libvirtd.conf.1 new file mode 100644 index 00000000..a0f0bb4b --- /dev/null +++ b/config-archive/etc/libvirt/libvirtd.conf.1 @@ -0,0 +1,434 @@ +# Master libvirt daemon configuration file +# +# For further information consult http://libvirt.org/format.html +# +# NOTE: the tests/daemon-conf regression test script requires +# that each "PARAMETER = VALUE" line in this file have the parameter +# name just after a leading "#". + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +tcp_port = "1611" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" +listen_addr = "127.0.0.1" + + +# Flag toggling mDNS advertizement of the libvirt service. +# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +#mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is substituted for the short hostname of the machine (without domain) +# +#mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Beware that if you are changing *any* of these options, and you use +# socket activation with systemd, you need to adjust the settings in +# the libvirtd.socket file as well since it could impose a security +# risk if you rely on file permission checking only. + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +#unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +#unix_sock_rw_perms = "0770" + +# Set the name of the directory in which sockets will be found/created. +#unix_sock_dir = "/var/run/libvirt" + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +#auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +#auth_unix_rw = "none" +auth_unix_rw = "polkit" +#auth_unix_rw = "sasl" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for usernames +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is zero, meaning +# the feature is disabled. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Total global limit on concurrent RPC calls. Should be +# at least as large as max_workers. Beyond this, RPC requests +# will be read into memory and queued. This directly impacts +# memory usage, currently each request requires 256 KB of +# memory. So by default up to 5 MB of memory is used +# +# XXX this isn't actually enforced yet, only the per-client +# limit is used so far +#max_requests = 20 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_requests +# and max_workers parameter +#max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. +log_level = 2 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name +# where name is a string which is matched against source file name, +# e.g., "remote", "qemu", or "util/json", the optional "+" prefix +# tells libvirt to log stack trace for each message matching name, +# and x is the minimal level where matching messages should be logged: +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# output to journald logging system +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +log_outputs="2:syslog:libvirtd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. +#log_buffer_size = 64 + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Provide the UUID of the host here in case the command +# 'dmidecode -s system-uuid' does not provide a valid uuid. In case +# 'dmidecode' does not provide a valid UUID and none is provided here, a +# temporary UUID will be generated. +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +host_uuid = "56a41aab-92b8-4840-b9ef-39a41c8d6b01" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 +# +# If set to 1, libvirtd will refuse to talk to clients that do not +# support keepalive protocol. Defaults to 0. +# +#keepalive_required = 1 diff --git a/config-archive/etc/libvirt/libvirtd.conf.dist b/config-archive/etc/libvirt/libvirtd.conf.dist index ac06cdd7..514e6e48 100644 --- a/config-archive/etc/libvirt/libvirtd.conf.dist +++ b/config-archive/etc/libvirt/libvirtd.conf.dist @@ -440,14 +440,15 @@ # #keepalive_interval = 5 #keepalive_count = 5 + # -# If set to 1, libvirtd will refuse to talk to clients that do not -# support keepalive protocol. Defaults to 0. +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. # #keepalive_required = 1 +#admin_keepalive_required = 1 # Keepalive settings for the admin interface #admin_keepalive_interval = 5 #admin_keepalive_count = 5 -# -#admin_keepalive_required = 1 diff --git a/default/grub b/default/grub index f9801015..c3872038 100644 --- a/default/grub +++ b/default/grub @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-boot/grub/files/grub.default-3,v 1.5 2015/03/25 01:58:00 floppym Exp $ +# $Id$ # # To populate all changes in this file you need to regenerate your # grub configuration file afterwards: diff --git a/libvirt/libvirtd.conf b/libvirt/libvirtd.conf index 3fd232d1..f0611c98 100644 --- a/libvirt/libvirtd.conf +++ b/libvirt/libvirtd.conf @@ -445,14 +445,15 @@ host_uuid = "56a41aab-92b8-4840-b9ef-39a41c8d6b01" # #keepalive_interval = 5 #keepalive_count = 5 + # -# If set to 1, libvirtd will refuse to talk to clients that do not -# support keepalive protocol. Defaults to 0. +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. # #keepalive_required = 1 +#admin_keepalive_required = 1 # Keepalive settings for the admin interface #admin_keepalive_interval = 5 #admin_keepalive_count = 5 -# -#admin_keepalive_required = 1 -- 2.39.5