File libvirt.defaults.patch of Package libvirt

Overview Repositories Revisions Requests Users Attributes Meta

File libvirt.defaults.patch of Package libvirt

From: Olaf Hering <olaf@aepfle.de>
Date: Wed, 21 Feb 2018 10:03:49 +0000
Subject: defaults

---
 src/remote/libvirtd.conf.in       | 10 ++++-----
 src/remote/remote_daemon_config.c |  5 +++--
 src/remote/test_libvirtd.aug.in   |  6 ++---
 3 files changed, 11 insertions(+), 10 deletions(-)

--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -10,42 +10,42 @@
 # Flag listening for secure TLS connections on the public TCP/IP port.
 #
 # To enable listening sockets with the 'libvirtd' daemon it's also required to
 # pass the '--listen' flag on the commandline of the daemon.
 # This is not needed with 'virtproxyd'.
 #
 # This setting is not required or honoured if using systemd socket
 # activation.
 #
 # It is necessary to setup a CA and issue server certificates before
 # using this capability.
 #
-# This is enabled by default, uncomment this to disable it
-#listen_tls = 0
+# This is disabled by default, uncomment this to enable it
+#listen_tls = 1
 
 # Listen for unencrypted TCP connections on the public TCP/IP port.
 #
 # To enable listening sockets with the 'libvirtd' daemon it's also required to
 # pass the '--listen' flag on the commandline of the daemon.
 # This is not needed with 'virtproxyd'.
 #
 # This setting is not required or honoured if using systemd socket
 # activation.
 #
 # Using the TCP socket requires SASL authentication by default. Only
 # SASL mechanisms which support data encryption are allowed. This is
 # DIGEST_MD5 and GSSAPI (Kerberos5)
 #
-# This is disabled by default, uncomment this to enable it.
-#listen_tcp = 1
+# This is enabled by default, uncomment this to disable it.
+#listen_tcp = 0
 
 
 
 # Override the port for accepting secure TLS connections
 # This can be a port number, or service name
 #
 # This setting is not required or honoured if using systemd socket
 # activation.
 #
 #tls_port = "16514"
 
 # Override the port for accepting insecure TCP connections
@@ -182,25 +182,25 @@
 # is essential to change the systemd SocketMode parameter
 # back to 0600, to avoid an insecure configuration.
 #
 #auth_unix_rw = "@default_auth@"
 @CUT_ENABLE_IP@
 
 # Change the authentication scheme for TCP sockets.
 #
 # If you don't enable SASL, then all TCP traffic is cleartext.
 # Don't do this outside of a dev/test scenario. For real world
 # use, always enable SASL and use the GSSAPI or DIGEST-MD5
 # mechanism in @sysconfdir@/sasl2/libvirt.conf
-#auth_tcp = "sasl"
+#auth_tcp = "none"
 
 # Change the authentication scheme for TLS sockets.
 #
 # TLS sockets already have encryption provided by the TLS
 # layer, and limited authentication is done by certificates
 #
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls = "none"
 
 # Enforce a minimum SSF value for TCP sockets
 #
--- a/src/remote/remote_daemon_config.c
+++ b/src/remote/remote_daemon_config.c
@@ -86,29 +86,29 @@ daemonConfigFilePath(bool privileged, char **configfile)
     }
 }
 
 struct daemonConfig*
 daemonConfigNew(bool privileged G_GNUC_UNUSED)
 {
     struct daemonConfig *data;
 
     data = g_new0(struct daemonConfig, 1);
 
 #ifdef WITH_IP
 # ifdef LIBVIRTD
-    data->listen_tls = true; /* Only honoured if --listen is set */
+    data->listen_tls = false; /* Only honoured if --listen is set */
 # else /* ! LIBVIRTD */
     data->listen_tls = false; /* Always honoured, --listen doesn't exist. */
 # endif /* ! LIBVIRTD */
-    data->listen_tcp = false;
+    data->listen_tcp = true;
 
     data->tls_port = g_strdup(LIBVIRTD_TLS_PORT);
     data->tcp_port = g_strdup(LIBVIRTD_TCP_PORT);
 #endif /* !WITH_IP */
 
     /* Only default to PolicyKit if running as root */
 #if WITH_POLKIT
     if (privileged) {
         data->auth_unix_rw = REMOTE_AUTH_POLKIT;
         data->auth_unix_ro = REMOTE_AUTH_POLKIT;
     } else {
 #endif
@@ -116,24 +116,25 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
         data->auth_unix_ro = REMOTE_AUTH_NONE;
 #if WITH_POLKIT
     }
 #endif
 
     data->unix_sock_rw_perms = g_strdup(data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700");
     data->unix_sock_ro_perms = g_strdup("0777");
     data->unix_sock_admin_perms = g_strdup("0700");
 
 #ifdef WITH_IP
 # if WITH_SASL
     data->auth_tcp = REMOTE_AUTH_SASL;
+    data->auth_tcp = REMOTE_AUTH_NONE;
 # else
     data->auth_tcp = REMOTE_AUTH_NONE;
 # endif
     data->auth_tls = REMOTE_AUTH_NONE;
 #endif /* ! WITH_IP */
 
 #if WITH_IP
     data->tcp_min_ssf = 56; /* good enough for kerberos */
 #endif
 
     data->min_workers = 5;
     data->max_workers = 20;
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -1,32 +1,32 @@
 module Test_@DAEMON_NAME@ =
    @CONFIG@
 
    test @DAEMON_NAME_UC@.lns get conf =
 @CUT_ENABLE_IP@
-        { "listen_tls" = "0" }
-        { "listen_tcp" = "1" }
+        { "listen_tls" = "1" }
+        { "listen_tcp" = "0" }
         { "tls_port" = "16514" }
         { "tcp_port" = "16509" }
         { "listen_addr" = "192.168.0.1" }
 @END@
         { "unix_sock_group" = "libvirt" }
         { "unix_sock_ro_perms" = "0777" }
         { "unix_sock_rw_perms" = "0770" }
         { "unix_sock_admin_perms" = "0700" }
         { "unix_sock_dir" = "@runstatedir@/libvirt" }
         { "auth_unix_ro" = "@default_auth@" }
         { "auth_unix_rw" = "@default_auth@" }
 @CUT_ENABLE_IP@
-        { "auth_tcp" = "sasl" }
+        { "auth_tcp" = "none" }
         { "auth_tls" = "none" }
         { "tcp_min_ssf" = "112" }
 @END@
         { "access_drivers"
              { "1" = "polkit" }
         }
 @CUT_ENABLE_IP@
         { "key_file" = "@sysconfdir@/pki/libvirt/private/serverkey.pem" }
         { "cert_file" = "@sysconfdir@/pki/libvirt/servercert.pem" }
         { "ca_file" = "@sysconfdir@/pki/CA/cacert.pem" }
         { "crl_file" = "@sysconfdir@/pki/CA/crl.pem" }
         { "tls_no_sanity_certificate" = "1" }

Places

File libvirt.defaults.patch of Package libvirt

Places