Re: [libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

2019-07-30 Thread Andrea Bolognani
On Mon, 2019-07-29 at 18:10 +0100, Daniel P. Berrangé wrote:
[...]
> +remote/libvirtd.conf: remote/libvirtd.conf.in
> + $(AM_V_GEN)$(SED) \
> + -e '/[@]CUT_ENABLE_IP[@]/d' \
> + -e '/[@]END[@]/d' \
> + -e 's|[@]DAEMON_NAME[@]|libvirtd|' \
> + < $< > $@

If you're going to respin anyway:

  $(SED) ... < $< > $@

and

  $(SED) ... $< > $@

are equivalent.

-- 
Andrea Bolognani / Red Hat / Virtualization


Re: [libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

2019-07-30 Thread Daniel P . Berrangé
On Tue, Jul 30, 2019 at 12:48:03PM +0200, Christophe de Dinechin wrote:
> 
> Daniel P. Berrangé writes:
> 
> > Prepare for reusing libvirtd config to create other daemons by making
> > the config parameters for IP sockets conditionally defined by the make
> > rules.
> >
> > The main libvirtd daemon will retain IP listen ability, but all the
> > driver specific daemons will be local UNIX sockets only. Apps needing
> > IP connectivity will connect via the libvirtd daemon which will proxy
> > to the driver specific daemon.
> >
> > Reviewed-by: Andrea Bolognani 
> > Signed-off-by: Daniel P. Berrangé 


> > diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
> > similarity index 95%
> > rename from src/remote/libvirtd.conf
> > rename to src/remote/libvirtd.conf.in
> > index b63b8d61b7..e351a8c190 100644
> > --- a/src/remote/libvirtd.conf
> > +++ b/src/remote/libvirtd.conf.in
> > @@ -1,13 +1,14 @@
> >  # Master libvirt daemon configuration file
> >  #
> >
> > +@CUT_ENABLE_IP@
> >  #
> >  #
> >  # Network connectivity controls
> >  #
> >
> >  # Flag listening for secure TLS connections on the public TCP/IP port.
> > -# NB, must pass the --listen flag to the libvirtd process for this to
> > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> >  # have any effect.
> >  #
> >  # This setting is not required or honoured if using systemd socket
> > @@ -20,7 +21,7 @@
> >  #listen_tls = 0
> >
> >  # Listen for unencrypted TCP connections on the public TCP/IP port.
> > -# NB, must pass the --listen flag to the libvirtd process for this to
> > +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
> >  # have any effect.
> >  #
> >  # This setting is not required or honoured if using systemd socket
> > @@ -58,13 +59,14 @@
> >  # This setting is not required or honoured if using systemd socket
> >  # activation.
> >  #
> > -# If the libvirtd service is started in parallel with network
> > +# If the @DAEMON_NAME@ service is started in parallel with network
> >  # startup (e.g. with systemd), binding to addresses other than
> >  # the wildcards (0.0.0.0/::) might not be available yet.
> >  #
> >  #listen_addr = "192.168.0.1"
> >
> >
> > +@END@
> >  #
> >  #
> >  # UNIX socket access controls
> > @@ -157,6 +159,7 @@
> >  # If the unix_sock_rw_perms are changed you may wish to enable
> >  # an authentication mechanism here
> >  #auth_unix_rw = "none"
> > +@CUT_ENABLE_IP@
> >
> >  # Change the authentication scheme for TCP sockets.
> >  #
> > @@ -174,6 +177,7 @@
> >  # It is possible to make use of any SASL authentication
> >  # mechanism as well, by using 'sasl' for this option
> >  #auth_tls = "none"
> > +@END@
> >
> >
> >  # Change the API access control scheme
> > @@ -182,10 +186,11 @@
> >  # to all APIs. Access drivers can place restrictions
> >  # on this. By default the 'nop' driver is enabled,
> >  # meaning no access control checks are done once a
> > -# client has authenticated with libvirtd
> > +# client has authenticated with @DAEMON_NAME@
> >  #
> >  #access_drivers = [ "polkit" ]
> >
> > +@CUT_ENABLE_IP@
> >  #
> >  #
> >  # TLS x509 certificate configuration
> > @@ -225,15 +230,17 @@
> >
> >
> >
> > +@END@
> >  #
> >  #
> >  # Authorization controls
> >  #
> >
> >
> > +@CUT_ENABLE_IP@
> >  # Flag to disable verification of our own server certificates
> >  #
> > -# When libvirtd starts it performs some sanity checks against
> > +# When @DAEMON_NAME@ starts it performs some sanity checks against
> >  # its own certificates.
> >  #
> >  # Default is to always run sanity checks. Uncommenting this
> > @@ -265,6 +272,15 @@
> >  #tls_allowed_dn_list = ["DN1", "DN2"]
> >
> >
> > +# Override the compile time default TLS priority string. The
> > +# default is usually "NORMAL" unless overridden at build time.
> > +# Only set this is it is desired for libvirt to deviate from
> > +# the global default settings.
> > +#
> > +#tls_priority="NORMAL"
> > +
> > +
> > +@END@
> >  # A whitelist of allowed SASL usernames. The format for username
> >  # depends on the SASL authentication mechanism. Kerberos usernames
> >  # look like username@REALM
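Review bot: the relocated `tls_priority` comment carries its typo along, "Only set this is it is desired"; as the block is being re-added in this hunk anyway, make it "Only set this if it is desired". The move of `tls_priority` into the `@CUT_ENABLE_IP@` region, ahead of the SASL whitelist, is also not mentioned in the commit message, which only talks about making the IP socket parameters conditional; a sentence there would explain why an unrelated-looking block changes position.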
> > @@ -282,14 +298,6 @@
> >  #sasl_allowed_username_list = ["j...@example.com", "f...@example.com" ]
> >
> >
> > -# Override the compile time default TLS priority string. The
> > -# default is usually "NORMAL" unless overridden at build time.
> > -# Only set this is it is desired for libvirt to deviate from
> > -# the global default settings.
> > -#
> > -#tls_priority="NORMAL"
> > -
> > -
> >  #
> >  #
> >  # Processing controls
> > @@ -417,8 +425,8 @@
> >  #4: ERROR
> >  #
> >  # Multiple outputs can be 

Re: [libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

2019-07-30 Thread Christophe de Dinechin

Daniel P. Berrangé writes:

> Prepare for reusing libvirtd config to create other daemons by making
> the config parameters for IP sockets conditionally defined by the make
> rules.
>
> The main libvirtd daemon will retain IP listen ability, but all the
> driver specific daemons will be local UNIX sockets only. Apps needing
> IP connectivity will connect via the libvirtd daemon which will proxy
> to the driver specific daemon.
>
> Reviewed-by: Andrea Bolognani 
> Signed-off-by: Daniel P. Berrangé 
> ---
>  .gitignore|  1 +
>  src/remote/Makefile.inc.am| 16 +--
>  .../{libvirtd.conf => libvirtd.conf.in}   | 42 +++
>  src/remote/test_libvirtd.aug.in   |  2 +-
>  4 files changed, 40 insertions(+), 21 deletions(-)
>  rename src/remote/{libvirtd.conf => libvirtd.conf.in} (95%)
>
> diff --git a/.gitignore b/.gitignore
> index d75b24c743..a09f45af50 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -158,6 +158,7 @@
>  /src/remote/*_client_bodies.h
>  /src/remote/*_protocol.[ch]
>  /src/remote/*_stubs.h
> +/src/remote/libvirtd.conf
>  /src/remote/test_libvirtd.aug
>  /src/rpc/virkeepaliveprotocol.[ch]
>  /src/rpc/virnetprotocol.[ch]
> diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
> index 2277bf49d2..93a7a6c14e 100644
> --- a/src/remote/Makefile.inc.am
> +++ b/src/remote/Makefile.inc.am
> @@ -76,7 +76,7 @@ EXTRA_DIST += \
>   $(LIBVIRTD_SOURCES) \
>   remote/test_libvirtd.aug.in \
>   remote/libvirtd.aug \
> - remote/libvirtd.conf \
> + remote/libvirtd.conf.in \
>   remote/libvirtd.policy \
>   remote/libvirtd.rules \
>   remote/libvirtd.sasl \
> @@ -93,6 +93,9 @@ MAINTAINERCLEANFILES += \
>   $(REMOTE_DRIVER_GENERATED) \
>   $(LIBVIRTD_GENERATED) \
>   $(NULL)
> +CLEANFILES += \
> + remote/libvirtd.conf \
> + $(NULL)
>
>  if WITH_REMOTE
>  noinst_LTLIBRARIES += libvirt_driver_remote.la
> @@ -128,7 +131,7 @@ augeas_DATA += remote/libvirtd.aug
>
>  augeastest_DATA += remote/test_libvirtd.aug
>
> -conf_DATA += remote/libvirtd.conf
> +nodist_conf_DATA += remote/libvirtd.conf
>
>  man8_MANS += libvirtd.8
>
> @@ -179,6 +182,13 @@ libvirtd_LDADD += \
>   $(LIBSOCKET) \
>   $(NULL)
>
> +remote/libvirtd.conf: remote/libvirtd.conf.in
> + $(AM_V_GEN)$(SED) \
> + -e '/[@]CUT_ENABLE_IP[@]/d' \
> + -e '/[@]END[@]/d' \
> + -e 's|[@]DAEMON_NAME[@]|libvirtd|' \
> + < $< > $@
> +
>  INSTALL_DATA_DIRS += remote
>
>  install-data-remote:
> @@ -189,7 +199,7 @@ uninstall-data-remote:
>
>  remote/test_libvirtd.aug: remote/test_libvirtd.aug.in \
>   remote/libvirtd.conf $(AUG_GENTEST)
> - $(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/remote/libvirtd.conf $< > $@
> + $(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< > $@
>
>  if WITH_SYSCTL
>  # Use $(prefix)/lib rather than $(libdir), since man sysctl.d insists on
> diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
> similarity index 95%
> rename from src/remote/libvirtd.conf
> rename to src/remote/libvirtd.conf.in
> index b63b8d61b7..e351a8c190 100644
> --- a/src/remote/libvirtd.conf
> +++ b/src/remote/libvirtd.conf.in
> @@ -1,13 +1,14 @@
>  # Master libvirt daemon configuration file
>  #
>
> +@CUT_ENABLE_IP@
>  #
>  #
>  # Network connectivity controls
>  #
>
>  # Flag listening for secure TLS connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
>  # have any effect.
>  #
>  # This setting is not required or honoured if using systemd socket
> @@ -20,7 +21,7 @@
>  #listen_tls = 0
>
>  # Listen for unencrypted TCP connections on the public TCP/IP port.
> -# NB, must pass the --listen flag to the libvirtd process for this to
> +# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
>  # have any effect.
>  #
>  # This setting is not required or honoured if using systemd socket
> @@ -58,13 +59,14 @@
>  # This setting is not required or honoured if using systemd socket
>  # activation.
>  #
> -# If the libvirtd service is started in parallel with network
> +# If the @DAEMON_NAME@ service is started in parallel with network
>  # startup (e.g. with systemd), binding to addresses other than
>  # the wildcards (0.0.0.0/::) might not be available yet.
>  #
>  #listen_addr = "192.168.0.1"
>
>
> +@END@
>  #
>  #
>  # UNIX socket access controls
> @@ -157,6 +159,7 @@
>  # If the unix_sock_rw_perms are changed you may wish to enable
>  # an authentication mechanism here
>  #auth_unix_rw = "none"
> +@CUT_ENABLE_IP@
>
>  # Change the authentication scheme for TCP sockets.
>  #
> @@ -174,6 +177,7 @@
>  # It is possible to make use of any SASL authentication
>  # mechanism 

[libvirt] [PATCH v3 12/48] remote: conditionalize IP socket config in libvirtd.conf

2019-07-29 Thread Daniel P . Berrangé
Prepare for reusing libvirtd config to create other daemons by making
the config parameters for IP sockets conditionally defined by the make
rules.

The main libvirtd daemon will retain IP listen ability, but all the
driver specific daemons will be local UNIX sockets only. Apps needing
IP connectivity will connect via the libvirtd daemon which will proxy
to the driver specific daemon.

Reviewed-by: Andrea Bolognani 
Signed-off-by: Daniel P. Berrangé 
---
 .gitignore|  1 +
 src/remote/Makefile.inc.am| 16 +--
 .../{libvirtd.conf => libvirtd.conf.in}   | 42 +++
 src/remote/test_libvirtd.aug.in   |  2 +-
 4 files changed, 40 insertions(+), 21 deletions(-)
 rename src/remote/{libvirtd.conf => libvirtd.conf.in} (95%)

diff --git a/.gitignore b/.gitignore
index d75b24c743..a09f45af50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -158,6 +158,7 @@
 /src/remote/*_client_bodies.h
 /src/remote/*_protocol.[ch]
 /src/remote/*_stubs.h
+/src/remote/libvirtd.conf
 /src/remote/test_libvirtd.aug
 /src/rpc/virkeepaliveprotocol.[ch]
 /src/rpc/virnetprotocol.[ch]
diff --git a/src/remote/Makefile.inc.am b/src/remote/Makefile.inc.am
index 2277bf49d2..93a7a6c14e 100644
--- a/src/remote/Makefile.inc.am
+++ b/src/remote/Makefile.inc.am
@@ -76,7 +76,7 @@ EXTRA_DIST += \
$(LIBVIRTD_SOURCES) \
remote/test_libvirtd.aug.in \
remote/libvirtd.aug \
-   remote/libvirtd.conf \
+   remote/libvirtd.conf.in \
remote/libvirtd.policy \
remote/libvirtd.rules \
remote/libvirtd.sasl \
@@ -93,6 +93,9 @@ MAINTAINERCLEANFILES += \
$(REMOTE_DRIVER_GENERATED) \
$(LIBVIRTD_GENERATED) \
$(NULL)
+CLEANFILES += \
+   remote/libvirtd.conf \
+   $(NULL)
 
 if WITH_REMOTE
 noinst_LTLIBRARIES += libvirt_driver_remote.la
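Review bot: style point on the new `CLEANFILES +=` assignment, which starts on the line directly after the `$(NULL)` that closes `MAINTAINERCLEANFILES`. A blank line between the two assignments would keep them visually distinct, as is done before `if WITH_REMOTE` just below.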
@@ -128,7 +131,7 @@ augeas_DATA += remote/libvirtd.aug
 
 augeastest_DATA += remote/test_libvirtd.aug
 
-conf_DATA += remote/libvirtd.conf
+nodist_conf_DATA += remote/libvirtd.conf
 
 man8_MANS += libvirtd.8
 
@@ -179,6 +182,13 @@ libvirtd_LDADD += \
$(LIBSOCKET) \
$(NULL)
 
+remote/libvirtd.conf: remote/libvirtd.conf.in
+   $(AM_V_GEN)$(SED) \
+   -e '/[@]CUT_ENABLE_IP[@]/d' \
+   -e '/[@]END[@]/d' \
+   -e 's|[@]DAEMON_NAME[@]|libvirtd|' \
+   < $< > $@
+
 INSTALL_DATA_DIRS += remote
 
 install-data-remote:
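Review bot: in the new `remote/libvirtd.conf` rule, `-e 's|[@]DAEMON_NAME[@]|libvirtd|'` has no `g` flag, so only the first `@DAEMON_NAME@` on a line is replaced and a second one would reach the installed file verbatim. The template lines in this patch carry one marker each, so nothing breaks today, but `s|[@]DAEMON_NAME[@]|libvirtd|g` costs nothing. The recipe also redirects straight into `$@`, so a failing sed leaves a truncated file that is newer than its prerequisite; writing to `$@-t` and renaming on success avoids that.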
@@ -189,7 +199,7 @@ uninstall-data-remote:
 
 remote/test_libvirtd.aug: remote/test_libvirtd.aug.in \
remote/libvirtd.conf $(AUG_GENTEST)
-   $(AM_V_GEN)$(AUG_GENTEST) $(srcdir)/remote/libvirtd.conf $< > $@
+   $(AM_V_GEN)$(AUG_GENTEST) remote/libvirtd.conf $< > $@
 
 if WITH_SYSCTL
 # Use $(prefix)/lib rather than $(libdir), since man sysctl.d insists on
diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf.in
similarity index 95%
rename from src/remote/libvirtd.conf
rename to src/remote/libvirtd.conf.in
index b63b8d61b7..e351a8c190 100644
--- a/src/remote/libvirtd.conf
+++ b/src/remote/libvirtd.conf.in
@@ -1,13 +1,14 @@
 # Master libvirt daemon configuration file
 #
 
+@CUT_ENABLE_IP@
 #
 #
 # Network connectivity controls
 #
 
 # Flag listening for secure TLS connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
 # have any effect.
 #
 # This setting is not required or honoured if using systemd socket
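Review bot: the `@CUT_ENABLE_IP@` marker added near the top of the template is undocumented; nothing here says that it opens a region closed by a later `@END@`, or that both markers are consumed by the sed rule in Makefile.inc.am. A comment in the template would end up in the installed file, so the convention is better described next to the `remote/libvirtd.conf` rule, including the fact that regions must not nest because `@END@` is not tied to a particular opening marker.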
@@ -20,7 +21,7 @@
 #listen_tls = 0
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
-# NB, must pass the --listen flag to the libvirtd process for this to
+# NB, must pass the --listen flag to the @DAEMON_NAME@ process for this to
 # have any effect.
 #
 # This setting is not required or honoured if using systemd socket
@@ -58,13 +59,14 @@
 # This setting is not required or honoured if using systemd socket
 # activation.
 #
-# If the libvirtd service is started in parallel with network
+# If the @DAEMON_NAME@ service is started in parallel with network
 # startup (e.g. with systemd), binding to addresses other than
 # the wildcards (0.0.0.0/::) might not be available yet.
 #
 #listen_addr = "192.168.0.1"
 
 
+@END@
 #
 #
 # UNIX socket access controls
@@ -157,6 +159,7 @@
 # If the unix_sock_rw_perms are changed you may wish to enable
 # an authentication mechanism here
 #auth_unix_rw = "none"
+@CUT_ENABLE_IP@
 
 # Change the authentication scheme for TCP sockets.
 #
@@ -174,6 +177,7 @@
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls = "none"
+@END@
 
 
 # Change the API access control scheme
@@ -182,10 +186,11 @@
 # to all APIs. Access drivers can place restrictions
 # on this. By default the 'nop' driver is enabled,