File libvirt.defaults.patch of Package libvirt
From: Olaf Hering <olaf@aepfle.de>
Date: Wed, 21 Feb 2018 10:03:49 +0000
Subject: defaults
---
src/admin/libvirt-admin.c | 30 +++++++++
src/remote/libvirtd.conf.in | 10 +--
src/remote/remote_daemon_config.c | 5 +-
src/remote/test_libvirtd.aug.in | 6 +-
4 files changed, 41 insertions(+), 10 deletions(-)
--- a/src/admin/libvirt-admin.c
+++ b/src/admin/libvirt-admin.c
@@ -17,24 +17,25 @@
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "internal.h"
#include "datatypes.h"
#include "configmake.h"
#include "viralloc.h"
#include "virconf.h"
+#include "virfile.h"
#include "virlog.h"
#include "virnetclient.h"
#include "virobject.h"
#include "viruri.h"
#include "virutil.h"
#define VIR_FROM_THIS VIR_FROM_ADMIN
VIR_LOG_INIT("libvirt-admin");
#include "admin_remote.c"
@@ -168,32 +169,61 @@ virAdmGetDefaultURI(virConf *conf, char **uristr)
*uristr = g_strdup(defname);
VIR_DEBUG("Using LIBVIRT_ADMIN_DEFAULT_URI '%s'", *uristr);
} else {
if (virConfGetValueString(conf, "uri_default", uristr) < 0)
return -1;
if (*uristr) {
VIR_DEBUG("Using config file uri '%s'", *uristr);
} else {
/* Since we can't probe connecting via any hypervisor driver as libvirt
* does, if no explicit URI was given and neither the environment
* variable, nor the configuration parameter had previously been set,
+ */
+#if 0
+ /*
* we set the default admin server URI to 'libvirtd:///system' or
* 'libvirtd:///session' depending on the process's EUID.
*/
if (geteuid() == 0) {
*uristr = g_strdup("libvirtd:///system");
} else {
*uristr = g_strdup("libvirtd:///session");
}
+#else
+#define HYPERVISOR_CAPABILITIES "/proc/xen/capabilities"
+ if (virFileExists(HYPERVISOR_CAPABILITIES)) {
+ int status;
+ g_autofree char *output = NULL;
+ /*
+ * Don't load if not running on a Xen control domain (dom0). It is not
+ * sufficient to check for the file to exist as any guest can mount
+ * xenfs to /proc/xen.
+ */
+ status = virFileReadAll(HYPERVISOR_CAPABILITIES, 10, &output);
+ if (status >= 0)
+ status = strncmp(output, "control_d", 9);
+ if (status == 0) {
+ if (geteuid() == 0)
+ *uristr = g_strdup("xen:///system");
+ else
+ *uristr = g_strdup("xen:///session");
+ }
+ } else {
+ if (geteuid() == 0)
+ *uristr = g_strdup("qemu:///system");
+ else
+ *uristr = g_strdup("qemu:///session");
+ }
+#endif
}
}
return 0;
}
/**
* virAdmConnectOpen:
* @name: uri of the daemon to connect to, NULL for default
* @flags: bitwise-OR of virConnectFlags; so far the only supported flag is
* VIR_CONNECT_NO_ALIASES
*
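Review bot: In the new `#else` branch of virAdmGetDefaultURI, when `/proc/xen/capabilities` exists but `virFileReadAll` fails or the content does not start with `control_d`, nothing is assigned to `*uristr` and the function still returns 0. That branch is only reached when `*uristr` is unset, so the caller gets success without a URI. Add a fallback after the Xen check, for example `if (!*uristr) *uristr = g_strdup(geteuid() == 0 ? "qemu:///system" : "qemu:///session");`, or return -1 there. The defaults also change from `libvirtd:///…` to hypervisor-driver URIs (`xen:///`, `qemu:///`); whether the admin client accepts those schemes is not visible in this hunk and should be confirmed. The function starts above the hunk.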
--- a/src/remote/libvirtd.conf.in
+++ b/src/remote/libvirtd.conf.in
@@ -10,42 +10,42 @@
# Flag listening for secure TLS connections on the public TCP/IP port.
#
# To enable listening sockets with the 'libvirtd' daemon it's also required to
# pass the '--listen' flag on the commandline of the daemon.
# This is not needed with 'virtproxyd'.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
-# This is enabled by default, uncomment this to disable it
-#listen_tls = 0
+# This is disabled by default, uncomment this to enable it
+#listen_tls = 1
# Listen for unencrypted TCP connections on the public TCP/IP port.
#
# To enable listening sockets with the 'libvirtd' daemon it's also required to
# pass the '--listen' flag on the commandline of the daemon.
# This is not needed with 'virtproxyd'.
#
# This setting is not required or honoured if using systemd socket
# activation.
#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
#
-# This is disabled by default, uncomment this to enable it.
-#listen_tcp = 1
+# This is enabled by default, uncomment this to disable it.
+#listen_tcp = 0
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
# This setting is not required or honoured if using systemd socket
# activation.
#
#tls_port = "16514"
# Override the port for accepting insecure TCP connections
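Review bot: The unchanged sentence above `listen_tcp`, "Using the TCP socket requires SASL authentication by default", no longer matches this patch, which enables `listen_tcp` by default and sets the `auth_tcp` default to none in remote_daemon_config.c. An administrator reading this file would wrongly conclude that the now-enabled TCP listener is authenticated and encrypted. Reword it to something like `# In this build the TCP socket is unauthenticated cleartext by default; set auth_tcp = "sasl" before exposing it beyond a trusted network.`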
@@ -182,25 +182,25 @@
# is essential to change the systemd SocketMode parameter
# back to 0600, to avoid an insecure configuration.
#
#auth_unix_rw = "@default_auth@"
@CUT_ENABLE_IP@
# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in @sysconfdir@/sasl2/libvirt.conf
-#auth_tcp = "sasl"
+#auth_tcp = "none"
# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
# Enforce a minimum SSF value for TCP sockets
#
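Review bot: The commented sample `#auth_tcp = "none"` now sits directly under the warning "Don't do this outside of a dev/test scenario", and nothing says that "none" is already the compiled-in default. Since the samples in this file otherwise show the value to switch to, consider keeping `#auth_tcp = "sasl"` as the sample. Also add a line such as `# The default in this build is "none"; uncomment the line below to require SASL.` so the secure setting is one edit away.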
--- a/src/remote/remote_daemon_config.c
+++ b/src/remote/remote_daemon_config.c
@@ -86,29 +86,29 @@ daemonConfigFilePath(bool privileged, char **configfile)
}
}
struct daemonConfig*
daemonConfigNew(bool privileged G_GNUC_UNUSED)
{
struct daemonConfig *data;
data = g_new0(struct daemonConfig, 1);
#ifdef WITH_IP
# ifdef LIBVIRTD
- data->listen_tls = true; /* Only honoured if --listen is set */
+ data->listen_tls = false; /* Only honoured if --listen is set */
# else /* ! LIBVIRTD */
data->listen_tls = false; /* Always honoured, --listen doesn't exist. */
# endif /* ! LIBVIRTD */
- data->listen_tcp = false;
+ data->listen_tcp = true;
data->tls_port = g_strdup(LIBVIRTD_TLS_PORT);
data->tcp_port = g_strdup(LIBVIRTD_TCP_PORT);
#endif /* !WITH_IP */
/* Only default to PolicyKit if running as root */
#if WITH_POLKIT
if (privileged) {
data->auth_unix_rw = REMOTE_AUTH_POLKIT;
data->auth_unix_ro = REMOTE_AUTH_POLKIT;
} else {
#endif
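Review bot: `data->listen_tcp = true;` sits outside the `# ifdef LIBVIRTD` block, so it applies to every daemon built from this file, including the variant whose comment says the listen settings are "Always honoured, --listen doesn't exist". Combined with the later hunk in this file that sets `auth_tcp` to `REMOTE_AUTH_NONE`, the built-in default becomes a cleartext, unauthenticated management socket wherever IP listening is active. Prefer keeping `data->listen_tcp = false;` and enabling TCP per host in libvirtd.conf. If the default must change, mark the line with a comment such as `/* downstream default: plain TCP on; restrict with listen_addr/firewall */`. daemonConfigNew continues past the hunk.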
@@ -116,24 +116,25 @@ daemonConfigNew(bool privileged G_GNUC_UNUSED)
data->auth_unix_ro = REMOTE_AUTH_NONE;
#if WITH_POLKIT
}
#endif
data->unix_sock_rw_perms = g_strdup(data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700");
data->unix_sock_ro_perms = g_strdup("0777");
data->unix_sock_admin_perms = g_strdup("0700");
#ifdef WITH_IP
# if WITH_SASL
data->auth_tcp = REMOTE_AUTH_SASL;
+ data->auth_tcp = REMOTE_AUTH_NONE;
# else
data->auth_tcp = REMOTE_AUTH_NONE;
# endif
data->auth_tls = REMOTE_AUTH_NONE;
#endif /* ! WITH_IP */
#if WITH_IP
data->tcp_min_ssf = 56; /* good enough for kerberos */
#endif
data->min_workers = 5;
data->max_workers = 20;
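Review bot: Under `# if WITH_SASL` the added `data->auth_tcp = REMOTE_AUTH_NONE;` directly follows the untouched `data->auth_tcp = REMOTE_AUTH_SASL;`, so the first assignment is a dead store and both arms of the conditional now do the same thing. If the unauthenticated default is really intended, replace the conditional with a single `data->auth_tcp = REMOTE_AUTH_NONE; /* downstream default: no authentication on TCP */` so the override is obvious to the next reader. The `tcp_min_ssf = 56` default just below presumably has no effect without SASL, which deserves a comment. From a hardening standpoint, the safer change is to leave `REMOTE_AUTH_SASL` as the default and have test setups opt out in their configuration.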
--- a/src/remote/test_libvirtd.aug.in
+++ b/src/remote/test_libvirtd.aug.in
@@ -1,32 +1,32 @@
module Test_@DAEMON_NAME@ =
@CONFIG@
test @DAEMON_NAME_UC@.lns get conf =
@CUT_ENABLE_IP@
- { "listen_tls" = "0" }
- { "listen_tcp" = "1" }
+ { "listen_tls" = "1" }
+ { "listen_tcp" = "0" }
{ "tls_port" = "16514" }
{ "tcp_port" = "16509" }
{ "listen_addr" = "192.168.0.1" }
@END@
{ "unix_sock_group" = "libvirt" }
{ "unix_sock_ro_perms" = "0777" }
{ "unix_sock_rw_perms" = "0770" }
{ "unix_sock_admin_perms" = "0700" }
{ "unix_sock_dir" = "@runstatedir@/libvirt" }
{ "auth_unix_ro" = "@default_auth@" }
{ "auth_unix_rw" = "@default_auth@" }
@CUT_ENABLE_IP@
- { "auth_tcp" = "sasl" }
+ { "auth_tcp" = "none" }
{ "auth_tls" = "none" }
{ "tcp_min_ssf" = "112" }
@END@
{ "access_drivers"
{ "1" = "polkit" }
}
@CUT_ENABLE_IP@
{ "key_file" = "@sysconfdir@/pki/libvirt/private/serverkey.pem" }
{ "cert_file" = "@sysconfdir@/pki/libvirt/servercert.pem" }
{ "ca_file" = "@sysconfdir@/pki/CA/cacert.pem" }
{ "crl_file" = "@sysconfdir@/pki/CA/crl.pem" }
{ "tls_no_sanity_certificate" = "1" }