Andrew Bogott has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/369615 )
Change subject: openstack: libvirtd.conf from Jessie package [1/2] ...................................................................... openstack: libvirtd.conf from Jessie package [1/2] Synchronize libvirtd.conf from libvirt-daemon-system 1.2.9-+deb8u4 installed from jessie/main. Comments/typos change only. Change-Id: Icf97bb5529fab767883f18f87f92ef3b73933ef0 --- M modules/openstack/templates/common/nova/libvirtd.conf.erb 1 file changed, 34 insertions(+), 22 deletions(-) Approvals: Andrew Bogott: Looks good to me, approved jenkins-bot: Verified diff --git a/modules/openstack/templates/common/nova/libvirtd.conf.erb b/modules/openstack/templates/common/nova/libvirtd.conf.erb index 42ac60a..2dbfe64 100644 --- a/modules/openstack/templates/common/nova/libvirtd.conf.erb +++ b/modules/openstack/templates/common/nova/libvirtd.conf.erb @@ -48,6 +48,10 @@ # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# #listen_addr = "192.168.0.1" @@ -63,7 +67,7 @@ # unique on the immediate broadcast network. # # The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is subsituted for the short hostname of the machine (without domain) +# is substituted for the short hostname of the machine (without domain) # #mdns_name = "Virtualization Host Joe Demo" @@ -72,6 +76,11 @@ # # UNIX socket access controls # + +# Beware that if you are changing *any* of these options, and you use +# socket activation with systemd, you need to adjust the settings in +# the libvirtd.socket file as well since it could impose a security +# risk if you rely on file permission checking only. # Set the UNIX domain socket group ownership. This can be used to # allow a 'trusted' set of users access to management capabilities @@ -83,8 +92,8 @@ # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # -# Default allows any user. If setting group ownership may want to -# restrict this to: +# Default allows any user. If setting group ownership, you may want to +# restrict this too. #unix_sock_ro_perms = "0777" # Set the UNIX socket permissions for the R/W socket. This is used @@ -94,7 +103,7 @@ # the default will change to allow everyone (eg, 0777) # # If not using PolicyKit and setting group ownership for access -# control then you may want to relax this to: +# control, then you may want to relax this too. unix_sock_rw_perms = "0770" # Set the name of the directory in which sockets will be found/created. @@ -113,7 +122,7 @@ # - sasl: use SASL infrastructure. The actual auth scheme is then # controlled from /etc/sasl2/libvirt.conf. For the TCP # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. +# For non-TCP or TLS sockets, any scheme is allowed. # # - polkit: use PolicyKit to authenticate. This is only suitable # for use on the UNIX sockets. The default policy will @@ -207,7 +216,7 @@ #tls_no_verify_certificate = 1 -# A whitelist of allowed x509 Distinguished Names +# A whitelist of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" @@ -251,7 +260,7 @@ # The minimum limit sets the number of workers to start up # initially. If the number of active clients exceeds this, -# then more threads are spawned, upto max_workers limit. +# then more threads are spawned, up to max_workers limit. # Typically you'd want max_workers to equal maximum number # of clients allowed #min_workers = 5 @@ -259,15 +268,15 @@ # The number of priority workers. If all workers from above -# pool will stuck, some calls marked as high priority +# pool are stuck, some calls marked as high priority # (notably domainDestroy) can be executed in this pool. #prio_workers = 5 # Total global limit on concurrent RPC calls. Should be # at least as large as max_workers. Beyond this, RPC requests -# will be read into memory and queued. This directly impact +# will be read into memory and queued. This directly impacts # memory usage, currently each request requires 256 KB of -# memory. So by default upto 5 MB of memory is used +# memory. So by default up to 5 MB of memory is used # # XXX this isn't actually enforced yet, only the per-client # limit is used so far @@ -286,12 +295,16 @@ # Logging level: 4 errors, 3 warnings, 2 information, 1 debug # basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. #log_level = 3 # Logging filters: # A filter allows to select a different logging level for a given category # of logs -# The format for a filter is: +# The format for a filter is one of: # x:name # where name is a match string e.g. remote or qemu # the x prefix is the minimal level where matching messages should be logged @@ -300,13 +313,12 @@ # 3: WARNING # 4: ERROR # -# Multiple filter can be defined in a single @filters, they just need to be +# Multiple filters can be defined in a single @filters, they just need to be # separated by spaces. # -# e.g: -# log_filters="3:remote 4:event" -# to only get warning or errors from the remote layer and only errors from -# the event layer. +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" # Logging outputs: # An output is one of the places to save logging information @@ -323,10 +335,10 @@ # 3: WARNING # 4: ERROR # -# Multiple output can be defined, they just need to be separated by spaces. -# e.g.: -# log_outputs="3:syslog:libvirtd" -# to log all warnings and errors to syslog under the libvirtd ident +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +# # Log debug buffer size: default 64 # The daemon keeps an internal debug log buffer which will be dumped in case @@ -370,7 +382,7 @@ ################################################################### # Keepalive protocol: # This allows libvirtd to detect broken client connections or even -# dead client. A keepalive message is sent to a client after +# dead clients. A keepalive message is sent to a client after # keepalive_interval seconds of inactivity to check if the client is # still responding; keepalive_count is a maximum number of keepalive # messages that are allowed to be sent to the client without getting @@ -379,7 +391,7 @@ # keepalive_interval * (keepalive_count + 1) seconds since the last # message received from the client. If keepalive_interval is set to # -1, libvirtd will never send keepalive requests; however clients -# can still send them and the deamon will send responses. When +# can still send them and the daemon will send responses. When # keepalive_count is set to 0, connections will be automatically # closed after keepalive_interval seconds of inactivity without # sending any keepalive messages. -- To view, visit https://gerrit.wikimedia.org/r/369615 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: Icf97bb5529fab767883f18f87f92ef3b73933ef0 Gerrit-PatchSet: 3 Gerrit-Project: operations/puppet Gerrit-Branch: production Gerrit-Owner: Hashar <has...@free.fr> Gerrit-Reviewer: Alex Monk <kren...@gmail.com> Gerrit-Reviewer: Andrew Bogott <abog...@wikimedia.org> Gerrit-Reviewer: Hashar <has...@free.fr> Gerrit-Reviewer: jenkins-bot <> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
