diff --git a/libvirt-0.3.3-example-config.patch b/libvirt-0.3.3-example-config.patch new file mode 100644 index 0000000..65c5ef4 --- /dev/null +++ b/libvirt-0.3.3-example-config.patch @@ -0,0 +1,207 @@ +changeset: 1147:7481eafdde8d +user: berrange +date: Fri Oct 12 18:54:15 2007 +0000 +files: libvirt.spec.in qemud/Makefile.am qemud/libvirtd.conf src/Makefile.am src/qemu.conf +description: +Added default example configs for libvirtd/qemu driver + + +diff -r c48e81e685a3 -r 7481eafdde8d qemud/libvirtd.conf +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/qemud/libvirtd.conf Fri Oct 12 18:54:15 2007 +0000 +@@ -0,0 +1,141 @@ ++# Master libvirt daemon configuration file ++# ++# For further information consult http://libvirt.org/format.html ++ ++ ++# Flag listening for secure TLS connections on the public TCP/IP port. ++# NB, must pass the --listen flag to the libvirtd process for this to ++# have any effect. ++# ++# It is neccessary to setup a CA and issue server certificates before ++# using this capability. ++# ++# This is enabled by default, uncomment this to disable it ++# listen_tls = 0 ++ ++# Listen for unencrypted TCP connections on the public TCP/IP port. ++# NB, must pass the --listen flag to the libvirtd process for this to ++# have any effect. ++# ++# NB, this is insecure. Do not use except for development. ++# ++# This is disabled by default, uncomment this to enable it. ++# listen_tcp = 1 ++ ++ ++ ++# Override the port for accepting secure TLS connections ++# This can be a port number, or service name ++# ++# tls_port = "16514" ++ ++# Override the port for accepting insecure TCP connections ++# This can be a port number, or service name ++# ++# tcp_port = "16509" ++ ++ ++ ++# Flag toggling mDNS advertizement of the libvirt service. ++# ++# Alternatively can disable for all services on a host by ++# stopping the Avahi daemon ++# ++# This is enabled by default, uncomment this to disable it ++# mdns_adv = 0 ++ ++# Override the default mDNS advertizement name. This must be ++# unique on the immediate broadcast network. ++# ++# The default is "Virtualization Host HOSTNAME", where HOSTNAME ++# is subsituted for the short hostname of the machine (without domain) ++# ++# mdns_name "Virtualization Host Joe Demo" ++ ++ ++ ++# Set the UNIX domain socket group ownership. This can be used to ++# allow a 'trusted' set of users access to management capabilities ++# without becoming root. ++# ++# This is restricted to 'root' by default. ++# unix_sock_group "libvirt" ++ ++# Set the UNIX socket permissions for the R/O socket. This is used ++# for monitoring VM status only ++# ++# Default allows any user. If setting group ownership may want to ++# restrict this to: ++# unix_sock_ro_perms "0777" ++ ++# Set the UNIX socket permissions for the R/W socket. This is used ++# for full management of VMs ++# ++# Default allows only root. If setting group ownership may want to ++# relax this to: ++# unix_sock_rw_perms "octal-perms" "0770" ++ ++ ++ ++# Flag to disable verification of client certificates ++# ++# Client certificate verification is the primary authentication mechanism. ++# Any client which does not present a certificate signed by the CA ++# will be rejected. ++# ++# Default is to always verify. Uncommenting this will disable ++# verification - make sure an IP whitelist is set ++# tls_no_verify_certificate 1 ++ ++# Flag to disable verification of client IP address ++# ++# Client IP address will be verified against the CommonName field ++# of the x509 certificate. This has minimal security benefit since ++# it is easy to spoof source IP. ++# ++# Uncommenting this will disable verification ++# tls_no_verify_address 1 ++ ++# Override the default server key file path ++# ++# key_file "/etc/pki/libvirt/private/serverkey.pem" ++ ++# Override the default server certificate file path ++# ++# cert_file "/etc/pki/libvirt/servercert.pem" ++ ++# Override the default CA certificate path ++# ++# ca_file "/etc/pki/CA/cacert.pem" ++ ++# Specify a certificate revocation list. ++# ++# Defaults to not using a CRL, uncomment to enable it ++# crl_file "/etc/pki/CA/crl.pem" ++ ++# A whitelist of allowed x509 Distinguished Names ++# This list may contain wildcards such as ++# ++# "C=GB,ST=London,L=London,O=Red Hat,CN=*" ++# ++# See the POSIX fnmatch function for the format of the wildcards. ++# ++# NB If this is an empty list, no client can connect, so comment out ++# entirely rather than using empty list to disable these checks ++# ++# By default, no DN's are checked ++# tls_allowed_dn_list ["DN1", "DN2"] ++ ++ ++# A whitelist of allowed client IP addresses ++# ++# This list may contain wildcards such as 192.168.* See the POSIX fnmatch ++# function for the format of the wildcards. ++# ++# NB If this is an empty list, no client can connect, so comment out ++# entirely rather than using empty list to disable these checks ++# ++# By default, no IP's are checked. This can be IPv4 or IPv6 addresses ++# tls_allowed_ip_list ["ip1", "ip2", "ip3"] ++ ++ +diff -r c48e81e685a3 -r 7481eafdde8d src/qemu.conf +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/src/qemu.conf Fri Oct 12 18:54:15 2007 +0000 +@@ -0,0 +1,49 @@ ++# Master configuration file for the QEMU driver. ++# All settings described here are optional - if omitted, sensible ++# defaults are used. ++ ++# VNC is configured to listen on 127.0.0.1 by default. ++# To make it listen on all public interfaces, uncomment ++# this next option. ++# ++# NB, strong recommendation to enable TLS + x509 certificate ++# verification when allowing public access ++# ++# vnc_listen = "0.0.0.0" ++ ++ ++# Enable use of TLS encryption on the VNC server. This requires ++# a VNC client which supports the VeNCrypt protocol extension. ++# Examples include vinagre, virt-viewer, virt-manager and vencrypt ++# itself. UltraVNC, RealVNC, TightVNC do not support this ++# ++# It is neccessary to setup CA and issue a server certificate ++# before enabling this. ++# ++# vnc_tls = 1 ++ ++ ++# Use of TLS requires that x509 certificates be issued. The ++# default it to keep them in /etc/pki/libvirt-vnc. This directory ++# must contain ++# ++# ca-cert.pem - the CA master certificate ++# server-cert.pem - the server certificate signed with ca-cert.pem ++# server-key.pem - the server private key ++# ++# This option allows the certificate directory to be changed ++# ++# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" ++ ++ ++# The default TLS configuration only uses certificates for the server ++# allowing the client to verify the server's identity and establish ++# and encrypted channel. ++# ++# It is possible to use x509 certificates for authentication too, by ++# issuing a x509 certificate to every client who needs to connect. ++# ++# Enabling this option will reject any client who does not have a ++# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem ++# ++# vnc_tls_x509_verify = 1 + diff --git a/libvirt-0.3.3-qemu-config.patch b/libvirt-0.3.3-qemu-config.patch new file mode 100644 index 0000000..7330433 --- /dev/null +++ b/libvirt-0.3.3-qemu-config.patch @@ -0,0 +1,230 @@ +changeset: 1146:c48e81e685a3 +user: berrange +date: Fri Oct 12 15:05:44 2007 +0000 +files: ChangeLog src/qemu_conf.c src/qemu_conf.h src/qemu_driver.c +description: +Added QEMU driver config file + + +diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.c +--- a/src/qemu_conf.c Wed Oct 10 18:46:17 2007 +0000 ++++ b/src/qemu_conf.c Fri Oct 12 15:05:44 2007 +0000 +@@ -45,6 +45,7 @@ + #include "qemu_conf.h" + #include "uuid.h" + #include "buf.h" ++#include "conf.h" + + #define qemudLog(level, msg...) fprintf(stderr, msg) + +@@ -65,6 +66,68 @@ void qemudReportError(virConnectPtr conn + __virRaiseError(conn, dom, net, VIR_FROM_QEMU, code, VIR_ERR_ERROR, + NULL, NULL, NULL, -1, -1, errorMessage); + } ++ ++int qemudLoadDriverConfig(struct qemud_driver *driver, ++ const char *filename) { ++ virConfPtr conf; ++ virConfValuePtr p; ++ ++ /* Setup 2 critical defaults */ ++ strcpy(driver->vncListen, "127.0.0.1"); ++ if (!(driver->vncTLSx509certdir = strdup(SYSCONF_DIR "/pki/libvirt-vnc"))) { ++ qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY, ++ "vncTLSx509certdir"); ++ return -1; ++ } ++ ++ /* Just check the file is readable before opening it, otherwise ++ * libvirt emits an error. ++ */ ++ if (access (filename, R_OK) == -1) return 0; ++ ++ conf = virConfReadFile (filename); ++ if (!conf) return 0; ++ ++ ++#define CHECK_TYPE(name,typ) if (p && p->type != (typ)) { \ ++ qemudReportError(NULL, NULL, NULL, VIR_ERR_INTERNAL_ERROR, \ ++ "remoteReadConfigFile: %s: %s: expected type " #typ "\n", \ ++ filename, (name)); \ ++ virConfFree(conf); \ ++ return -1; \ ++ } ++ ++ p = virConfGetValue (conf, "vnc_tls"); ++ CHECK_TYPE ("vnc_tls", VIR_CONF_LONG); ++ if (p) driver->vncTLS = p->l; ++ ++ p = virConfGetValue (conf, "vnc_tls_x509_verify"); ++ CHECK_TYPE ("vnc_tls_x509_verify", VIR_CONF_LONG); ++ if (p) driver->vncTLSx509verify = p->l; ++ ++ p = virConfGetValue (conf, "vnc_tls_x509_cert_dir"); ++ CHECK_TYPE ("vnc_tls_x509_cert_dir", VIR_CONF_STRING); ++ if (p && p->str) { ++ free(driver->vncTLSx509certdir); ++ if (!(driver->vncTLSx509certdir = strdup(p->str))) { ++ qemudReportError(NULL, NULL, NULL, VIR_ERR_NO_MEMORY, ++ "vncTLSx509certdir"); ++ virConfFree(conf); ++ return -1; ++ } ++ } ++ ++ p = virConfGetValue (conf, "vnc_listen"); ++ CHECK_TYPE ("vnc_listen", VIR_CONF_STRING); ++ if (p && p->str) { ++ strncpy(driver->vncListen, p->str, sizeof(driver->vncListen)); ++ driver->vncListen[sizeof(driver->vncListen)-1] = '\0'; ++ } ++ ++ virConfFree (conf); ++ return 0; ++} ++ + + struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver, int id) { + struct qemud_vm *vm = driver->vms; +@@ -1234,7 +1297,7 @@ static struct qemud_vm_def *qemudParseXM + if (vnclisten && *vnclisten) + strncpy(def->vncListen, (char *)vnclisten, BR_INET_ADDR_MAXLEN-1); + else +- strcpy(def->vncListen, "127.0.0.1"); ++ strcpy(def->vncListen, driver->vncListen); + def->vncListen[BR_INET_ADDR_MAXLEN-1] = '\0'; + xmlFree(vncport); + xmlFree(vnclisten); +@@ -1750,15 +1813,30 @@ int qemudBuildCommandLine(virConnectPtr + } + + if (vm->def->graphicsType == QEMUD_GRAPHICS_VNC) { +- char vncdisplay[BR_INET_ADDR_MAXLEN+20]; ++ char vncdisplay[PATH_MAX]; + int ret; +- if (vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON) +- ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d", ++ ++ if (vm->qemuCmdFlags & QEMUD_CMD_FLAG_VNC_COLON) { ++ char options[PATH_MAX] = ""; ++ if (driver->vncTLS) { ++ strcat(options, ",tls"); ++ if (driver->vncTLSx509verify) { ++ strcat(options, ",x509verify="); ++ } else { ++ strcat(options, ",x509="); ++ } ++ strncat(options, driver->vncTLSx509certdir, ++ sizeof(options) - (strlen(driver->vncTLSx509certdir)-1)); ++ options[sizeof(options)-1] = '\0'; ++ } ++ ret = snprintf(vncdisplay, sizeof(vncdisplay), "%s:%d%s", + vm->def->vncListen, +- vm->def->vncActivePort - 5900); +- else ++ vm->def->vncActivePort - 5900, ++ options); ++ } else { + ret = snprintf(vncdisplay, sizeof(vncdisplay), "%d", + vm->def->vncActivePort - 5900); ++ } + if (ret < 0 || ret >= (int)sizeof(vncdisplay)) + goto error; + +diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_conf.h +--- a/src/qemu_conf.h Wed Oct 10 18:46:17 2007 +0000 ++++ b/src/qemu_conf.h Fri Oct 12 15:05:44 2007 +0000 +@@ -289,6 +289,10 @@ struct qemud_driver { + char *networkConfigDir; + char *networkAutostartDir; + char logDir[PATH_MAX]; ++ int vncTLS : 1; ++ int vncTLSx509verify : 1; ++ char *vncTLSx509certdir; ++ char vncListen[BR_INET_ADDR_MAXLEN]; + }; + + +@@ -311,6 +315,8 @@ void qemudReportError(virConnectPtr conn + ATTRIBUTE_FORMAT(printf,5,6); + + ++int qemudLoadDriverConfig(struct qemud_driver *driver, ++ const char *filename); + + struct qemud_vm *qemudFindVMByID(const struct qemud_driver *driver, + int id); +diff -r 522efe7f7e8f -r c48e81e685a3 src/qemu_driver.c +--- a/src/qemu_driver.c Wed Oct 10 18:46:17 2007 +0000 ++++ b/src/qemu_driver.c Fri Oct 12 15:05:44 2007 +0000 +@@ -155,6 +155,7 @@ qemudStartup(void) { + uid_t uid = geteuid(); + struct passwd *pw; + char *base = NULL; ++ char driverConf[PATH_MAX]; + + if (!(qemu_driver = calloc(1, sizeof(struct qemud_driver)))) { + return -1; +@@ -167,7 +168,7 @@ qemudStartup(void) { + if (snprintf(qemu_driver->logDir, PATH_MAX, "%s/log/libvirt/qemu", LOCAL_STATE_DIR) >= PATH_MAX) + goto snprintf_error; + +- if ((base = strdup (SYSCONF_DIR "/libvirt/qemu")) == NULL) ++ if ((base = strdup (SYSCONF_DIR "/libvirt")) == NULL) + goto out_of_memory; + } else { + if (!(pw = getpwuid(uid))) { +@@ -179,7 +180,7 @@ qemudStartup(void) { + if (snprintf(qemu_driver->logDir, PATH_MAX, "%s/.libvirt/qemu/log", pw->pw_dir) >= PATH_MAX) + goto snprintf_error; + +- if (asprintf (&base, "%s/.libvirt/qemu", pw->pw_dir) == -1) { ++ if (asprintf (&base, "%s/.libvirt", pw->pw_dir) == -1) { + qemudLog (QEMUD_ERR, "out of memory in asprintf"); + goto out_of_memory; + } +@@ -188,24 +189,36 @@ qemudStartup(void) { + /* Configuration paths are either ~/.libvirt/qemu/... (session) or + * /etc/libvirt/qemu/... (system). + */ +- if (asprintf (&qemu_driver->configDir, "%s", base) == -1) ++ if (snprintf (driverConf, sizeof(driverConf), "%s/qemu.conf", base) == -1) + goto out_of_memory; +- +- if (asprintf (&qemu_driver->autostartDir, "%s/autostart", base) == -1) ++ driverConf[sizeof(driverConf)-1] = '\0'; ++ ++ if (asprintf (&qemu_driver->configDir, "%s/qemu", base) == -1) + goto out_of_memory; + +- if (asprintf (&qemu_driver->networkConfigDir, "%s/networks", base) == -1) ++ if (asprintf (&qemu_driver->autostartDir, "%s/qemu/autostart", base) == -1) + goto out_of_memory; + +- if (asprintf (&qemu_driver->networkAutostartDir, "%s/networks/autostart", ++ if (asprintf (&qemu_driver->networkConfigDir, "%s/qemu/networks", base) == -1) ++ goto out_of_memory; ++ ++ if (asprintf (&qemu_driver->networkAutostartDir, "%s/qemu/networks/autostart", + base) == -1) + goto out_of_memory; + +- if (qemudScanConfigs(qemu_driver) < 0) ++ free(base); ++ ++ if (qemudLoadDriverConfig(qemu_driver, driverConf) < 0) { + qemudShutdown(); ++ return -1; ++ } ++ ++ if (qemudScanConfigs(qemu_driver) < 0) { ++ qemudShutdown(); ++ return -1; ++ } + qemudAutostartConfigs(qemu_driver); + +- free(base); + return 0; + + snprintf_error: + diff --git a/libvirt.spec b/libvirt.spec index a7d7cb6..e3e6a20 100644 --- a/libvirt.spec +++ b/libvirt.spec @@ -3,10 +3,14 @@ Summary: Library providing a simple API virtualization Name: libvirt Version: 0.3.3 -Release: 1%{?dist}%{?extra_release} +Release: 2%{?dist}%{?extra_release} License: LGPL Group: Development/Libraries Source: libvirt-%{version}.tar.gz +Patch1: %{name}-%{version}-qemu-config.patch +# NB, when removing this patch on next release, also remove the manual +# config file copy in the install section of this spec file +Patch2: %{name}-%{version}-example-config.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root URL: http://libvirt.org/ BuildRequires: python python-devel @@ -66,6 +70,8 @@ of recent versions of Linux (and other OSes). %prep %setup -q +%patch1 -p1 +%patch2 -p1 %build # Xen is availble only on i386 x86_64 ia64 @@ -89,6 +95,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.la rm -f $RPM_BUILD_ROOT%{_libdir}/python*/site-packages/*.a install -d -m 0755 $RPM_BUILD_ROOT%{_localstatedir}/run/libvirt/ +# Copy files from patch2 into location +install -d $RPM_BUILD_ROOT%{_sysconfdir}/libvirt +install -m 0755 src/qemu.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/qemu.conf +install -m 0755 qemud/libvirtd.conf $RPM_BUILD_ROOT%{_sysconfdir}/libvirt/libvirtd.conf + # We don't want to install /etc/libvirt/qemu/networks in the main %files list # because if the admin wants to delete the default network completely, we don't # want to end up re-incarnating it on every RPM upgrade. @@ -144,6 +155,8 @@ fi %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart %{_sysconfdir}/rc.d/init.d/libvirtd %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd +%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf +%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf %dir %{_datadir}/libvirt/ %dir %{_datadir}/libvirt/networks/ %{_datadir}/libvirt/networks/default.xml @@ -183,6 +196,10 @@ fi %doc docs/examples/python %changelog +* Mon Oct 15 2007 Daniel P. Berrange - 0.3.3-2.fc8 +- Added QEMU driver config file support +- Added example config files + * Sun Sep 30 2007 Daniel Veillard - 0.3.3-1 - Release of 0.3.3 - Avahi support