maybe chmod 0644 './conf.d/iptables'
maybe chmod 0644 './conf.d/keymaps'
maybe chmod 0644 './conf.d/killprocs'
+maybe chmod 0644 './conf.d/libvirtd'
maybe chmod 0644 './conf.d/localmount'
maybe chmod 0644 './conf.d/lvm'
maybe chmod 0644 './conf.d/mdadm'
maybe chmod 0755 './init.d/iptables'
maybe chmod 0755 './init.d/keymaps'
maybe chmod 0755 './init.d/killprocs'
+maybe chmod 0755 './init.d/libvirtd'
maybe chmod 0755 './init.d/lm_sensors'
maybe chmod 0755 './init.d/local'
maybe chmod 0755 './init.d/localmount'
maybe chmod 0755 './lftp'
maybe chmod 0644 './lftp/lftp.conf'
maybe chmod 0640 './libaudit.conf'
+maybe chmod 0755 './libvirt'
+maybe chmod 0644 './libvirt/libvirt.conf'
+maybe chmod 0644 './libvirt/libvirtd.conf'
+maybe chmod 0644 './libvirt/lxc.conf'
+maybe chmod 0755 './libvirt/nwfilter'
+maybe chmod 0644 './libvirt/nwfilter/allow-arp.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-dhcp-server.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-dhcp.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-incoming-ipv4.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-ipv4.xml'
+maybe chmod 0644 './libvirt/nwfilter/clean-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-ip-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-mac-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-ip-multicast.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-ip-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-mac-broadcast.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-mac-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-other-l2-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-other-rarp-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/qemu-announce-self-rarp.xml'
+maybe chmod 0644 './libvirt/nwfilter/qemu-announce-self.xml'
maybe chmod 0644 './lisp-config.lisp'
maybe chmod 0755 './local.d'
maybe chmod 0644 './local.d/README'
maybe chmod 0644 './logrotate.d/apache2'
maybe chmod 0644 './logrotate.d/elog-save-summary'
maybe chmod 0644 './logrotate.d/kdm'
+maybe chmod 0644 './logrotate.d/libvirtd'
+maybe chmod 0644 './logrotate.d/libvirtd.lxc'
+maybe chmod 0644 './logrotate.d/libvirtd.qemu'
+maybe chmod 0644 './logrotate.d/libvirtd.uml'
maybe chmod 0644 './logrotate.d/mysql'
maybe chmod 0644 './logrotate.d/openrc'
maybe chmod 0644 './logrotate.d/rsyncd'
maybe chmod 0644 './sane.d/xerox_mfp.conf'
maybe chmod 0755 './sasl2'
maybe chmod 0644 './sasl2/.keep_dev-libs_cyrus-sasl-2'
+maybe chmod 0644 './sasl2/libvirt.conf'
maybe chgrp mail './sasl2/sasldb2'
maybe chmod 0640 './sasl2/sasldb2'
maybe chmod 0644 './sasl2/smtpd.conf'
maybe chmod 0440 './sudoers'
maybe chmod 0750 './sudoers.d'
maybe chmod 0644 './sysctl.conf'
+maybe chmod 0755 './sysctl.d'
+maybe chmod 0644 './sysctl.d/libvirtd'
maybe chmod 0755 './syslog-ng'
maybe chmod 0644 './syslog-ng/modules.conf'
maybe chmod 0755 './syslog-ng/patterndb.d'
--- /dev/null
+# /etc/conf.d/libvirtd
+
+# LIBVIRTD_OPTS
+# You may want to add '--listen' to have libvirtd listen for tcp/ip connections
+# if you want to use libvirt for remote control
+# Please consult 'libvirtd --help' for more options
+#LIBVIRTD_OPTS="--listen"
+
+# LIBVIRTD_KVM_SHUTDOWN
+# Valid options:
+# * shutdown - Sends an ACPI shutdown (think when you tap the power button
+# on your machine and it begins a graceful shutdown). If your
+# VM ignores this, it will have the power yanked out from under
+# it in LIBVIRTD_KVM_SHUTDOWN_MAXWAIT seconds.
+# * managedsave - Performs a state save external to the VM. qemu-kvm will stop
+# stop the CPU and save off all state to a separate file. When
+# the machine is started again, it will resume like nothing ever
+# happened. This is guarenteed to always successfully stop your
+# machine and restart it. However it may take some time to finish.
+# * none - No attempts will be made to stop any VMs. If you are restarting your
+# machine the qemu-kvm process will be simply killed, which may result
+# in your VMs having disk corruption.
+LIBVIRTD_KVM_SHUTDOWN="managedsave"
+
+# LIBVIRTD_KVM_SHUTDOWN_MAXWAIT
+# Timeout in seconds until stopping libvirtd and "pulling the plug" on the
+# remaining VM's still in a running state
+#LIBVIRTD_KVM_SHUTDOWN_MAXWAIT="500"
+
+# LIBVIRTD_NET_SHUTDOWN
+# If libvirtd created networks for you (e.g. NATed networks) then this init
+# script will shut them down for you if this is set to 'yes'. Otherwise,
+# the networks will be left running once libvirt is shutdown. For this
+# option to be useful you must have enabled the 'virt-network' USE flag and
+# have had libvirt create a NATed network for you.
+# Valid values: 'yes' or 'no'
+#LIBVIRTD_NET_SHUTDOWN="yes"
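Review bot: The `--listen` guidance at L72–L74 does not say what the flag switches on: with `--listen`, libvirtd honours the `listen_tls`/`listen_tcp` settings in /etc/libvirt/libvirtd.conf, where TLS listening is enabled by default and needs a CA plus server certificate, and `listen_tcp` relies on SASL for both authentication and encryption. An admin reading only this file has no hint that the other file must be prepared first. Proposed comment to add after L73: `# NOTE: --listen activates listen_tls/listen_tcp from /etc/libvirt/libvirtd.conf;` / `# configure TLS certificates or SASL there before enabling it.`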
--- /dev/null
+#!/sbin/runscript
+
+description="Virtual Machine Management daemon (libvirt)"
+extra_commands="halt"
+extra_started_commands="reload"
+description_halt="Stops the libvirt daemon without stopping your VMs"
+description_reload="Restarts the libvirt daemon without stopping your VMs"
+
+depend() {
+ need net
+ after ntp-client ntpd nfs iscsid nfsmount portmap rpc.statd iptables ip6tables ebtables ceph corosync sanlock cgconfig
+}
+
+libvirtd_virsh() {
+ # Silence errors because virsh always throws an error about
+ # not finding the hypervisor version when connecting to libvirtd
+ LC_ALL=C virsh -c qemu:///system "$@" 2>/dev/null
+}
+
+libvirtd_dom_list() {
+ # Make sure that it wouldn't be confused if the domain name
+ # contains the word running.
+ libvirtd_virsh list | awk '$3 == "running" { print $1 }'
+}
+
+libvirtd_dom_count() {
+ # Make sure that it wouldn't be confused if the domain name
+ # contains the word running.
+ libvirtd_virsh list | awk 'BEGIN { count = 0 } \
+ $3 == "running" { count++ } \
+ END { print count }'
+}
+
+libvirtd_net_list() {
+ # The purpose of the awk is to avoid networks with 'active' in the name
+ libvirtd_virsh net-list | awk '$2 == "active" { print $1 }'
+}
+
+libvirtd_net_count() {
+ # The purpose of the awk is to avoid networks with 'active' in the name
+ libvirtd_virsh net-list | awk 'BEGIN { count = 0 } \
+ $2 == "active" { count++ } \
+ END { print count }'
+}
+
+
+start() {
+ ebegin "Starting libvirtd"
+ start-stop-daemon --start \
+ --env KRB5_KTNAME=/etc/libvirt/krb5.tab \
+ --exec /usr/sbin/libvirtd -- -d ${LIBVIRTD_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping libvirtd"
+ # try to shutdown all (KVM/Qemu) domains
+ DOM_COUNT="$(libvirtd_dom_count)"
+ if [ "${LIBVIRTD_KVM_SHUTDOWN}" != "none" ] \
+ && [ "${DOM_COUNT}" != "0" ] ; then
+
+ einfo " Shutting down domain(s):"
+ for DOM_ID in $(libvirtd_dom_list) ; do
+ NAME="$(libvirtd_virsh domname ${DOM_ID} | head -n 1)"
+ einfo " ${NAME}"
+ libvirtd_virsh ${LIBVIRTD_KVM_SHUTDOWN} ${DOM_ID} > /dev/null
+ done
+
+ if [ -n "${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}" ] ; then
+ COUNTER="${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}"
+ else
+ COUNTER=500
+ fi
+
+ if [ "${LIBVIRTD_KVM_SHUTDOWN}" = "shutdown" ]; then
+ einfo " Waiting ${COUNTER} seconds while domains shutdown ..."
+ DOM_COUNT="$(libvirtd_dom_count)"
+ while [ ${DOM_COUNT} -gt 0 ] && [ ${COUNTER} -gt 0 ] ; do
+ DOM_COUNT="$(libvirtd_dom_count)"
+ sleep 1
+ COUNTER=$((${COUNTER} - 1))
+ echo -n "."
+ done
+ fi
+
+ DOM_COUNT="$(libvirtd_dom_count)"
+ if [ "${DOM_COUNT}" != "0" ] ; then
+ eerror " !!! Some guests are still running, stopping anyway"
+ fi
+
+ fi
+
+ NET_COUNT="$(libvirtd_net_count)"
+ if [ "${LIBVIRTD_NET_SHUTDOWN}" != "no" ] \
+ && [ "${NET_COUNT}" != "0" ]; then
+
+ einfo " Shutting down network(s):"
+ for NET_NAME in $(libvirtd_net_list); do
+ einfo " ${NET_NAME}"
+ libvirtd_virsh net-destroy ${NET_NAME} > /dev/null
+ done
+
+ NET_COUNT="$(libvirtd_net_count)"
+ if [ "${NET_COUNT}" != "0" ]; then
+ eerror " !!! Some networks are still active, stopping anyway"
+ fi
+ fi
+
+ # Now actually stop the daemon
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
+ eend $?
+}
+
+halt() {
+ ebegin "Stopping libvirtd without shutting down your VMs"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
+ eend $?
+}
+
+reload() {
+ halt
+ start
+}
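Review bot: `stop()` passes `${LIBVIRTD_KVM_SHUTDOWN}` straight to virsh at L172 without checking it against the three values documented in conf.d, and `libvirtd_virsh` discards stderr at L123, so a typo or an unset variable results in no domain being saved or shut down while the script still prints "Shutting down domain(s)". Validate before the loop, e.g. `case "${LIBVIRTD_KVM_SHUTDOWN}" in shutdown|managedsave|none) ;; *) eerror "Unsupported LIBVIRTD_KVM_SHUTDOWN=${LIBVIRTD_KVM_SHUTDOWN}"; return 1 ;; esac`, and apply a similar integer check to `${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}`, which reaches `[ ${COUNTER} -gt 0 ]` at L184 unvalidated. The network check at L200 treats every value other than `no` — including the unset default, since conf.d ships the line commented out — as "yes", which contradicts the conf.d text saying networks are torn down only when the option is set to 'yes'; one of the two files should change. Note also that `libvirtd_dom_list` at L129 selects only domains in the `running` state, so paused domains are neither saved nor shut down before the daemon is stopped.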
--- /dev/null
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "hail=qemu+ssh://root@hail.cloud.example.com/system",
+# "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
--- /dev/null
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+#mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+#unix_sock_rw_perms = "0770"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+#auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool will stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Total global limit on concurrent RPC calls. Should be
+# at least as large as max_workers. Beyond this, RPC requests
+# will be read into memory and queued. This directly impact
+# memory usage, currently each request requires 256 KB of
+# memory. So by default upto 5 MB of memory is used
+#
+# XXX this isn't actually enforced yet, only the per-client
+# limit is used so far
+#max_requests = 20
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_requests
+# and max_workers parameter
+#max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is:
+# x:name
+# where name is a match string e.g. remote or qemu
+# the x prefix is the minimal level where matching messages should be logged
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g:
+# log_filters="3:remote 4:event"
+# to only get warning or errors from the remote layer and only errors from
+# the event layer.
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g.:
+# log_outputs="3:syslog:libvirtd"
+# to log all warnings and errors to syslog under the libvirtd ident
+
+# Log debug buffer size: default 64
+# The daemon keeps an internal debug log buffer which will be dumped in case
+# of crash or upon receiving a SIGUSR2 signal. This setting allows to override
+# the default buffer size in kilobytes.
+# If value is 0 or less the debug log buffer is deactivated
+#log_buffer_size = 64
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Provide the UUID of the host here in case the command
+# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
+# 'dmidecode' does not provide a valid UUID and none is provided here, a
+# temporary UUID will be generated.
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead client. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the deamon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+#
+# If set to 1, libvirtd will refuse to talk to clients that do not
+# support keepalive protocol. Defaults to 0.
+#
+#keepalive_required = 1
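Review bot: The `unix_sock_group` / `unix_sock_rw_perms` guidance at L321–L343 presents group access as a way to manage VMs "without becoming root", but with `auth_unix_rw` left at `none` (L383) anyone who can write to the R/W socket has full control of the hypervisor, which is effectively root on the host; that should be stated where admins will read it. Proposed comment above L326: `# NB: members of this group gain full control of libvirtd, which is` / `# equivalent to root on the host; treat membership like sudo access.` The same caveat applies to the `0770` example at L343.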
--- /dev/null
+# Master configuration file for the LXC driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, log messages generated by the lxc controller go to the
+# container logfile. It is also possible to accumulate log messages
+# from all lxc controllers along with libvirtd's log outputs. In this
+# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
+# log_outputs from libvirtd.conf.
+#
+# This is disabled by default, uncomment below to enable it.
+#
+# log_with_libvirtd = 1
--- /dev/null
+<filter name='allow-arp' chain='arp'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<filter name='allow-dhcp-server' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- note, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from a specific DHCP server
+ parameter DHPCSERVER needs to be passed from where this filter is
+ referenced -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip srcipaddr='$DHCPSERVER'
+ protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
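Review bot: The comment at L672 names the parameter `DHPCSERVER` while the rule at L675 references `$DHCPSERVER`; the typo should be fixed because this comment is the only place the filter tells the user which parameter to pass when referencing it. The sibling `allow-dhcp.xml` has the same kind of slip at L686 (`not, this rule` for `note, this rule`). Both are in comments only, so fixing them changes no filtering behaviour.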
--- /dev/null
+<filter name='allow-dhcp' chain='ipv4'>
+
+ <!-- accept outgoing DHCP requests -->
+ <!-- not, this rule must be evaluated before general MAC broadcast
+ traffic is discarded since DHCP requests use MAC broadcast -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0'
+ dstipaddr='255.255.255.255'
+ protocol='udp'
+ srcportstart='68'
+ dstportstart='67' />
+ </rule>
+
+ <!-- accept incoming DHCP responses from any DHCP server -->
+ <rule action='accept' direction='in' priority='100' >
+ <ip protocol='udp'
+ srcportstart='67'
+ dstportstart='68'/>
+ </rule>
+
+</filter>
--- /dev/null
+<filter name='allow-incoming-ipv4' chain='ipv4'>
+ <rule direction='in' action='accept'/>
+</filter>
--- /dev/null
+<filter name='allow-ipv4' chain='ipv4'>
+ <rule direction='inout' action='accept'/>
+</filter>
--- /dev/null
+<filter name='clean-traffic' chain='root'>
+ <!-- An example of a traffic filter enforcing clean traffic
+ from a VM by
+ - preventing MAC spoofing -->
+ <filterref filter='no-mac-spoofing'/>
+
+ <!-- preventing IP spoofing on outgoing, allow all IPv4 in incoming -->
+ <filterref filter='no-ip-spoofing'/>
+
+ <rule direction='out' action='accept' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+
+ <filterref filter='allow-incoming-ipv4'/>
+
+ <!-- preventing ARP spoofing/poisoning -->
+ <filterref filter='no-arp-spoofing'/>
+
+ <!-- accept all other incoming and outgoing ARP traffic -->
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+
+ <!-- preventing any other traffic than IPv4 and ARP -->
+ <filterref filter='no-other-l2-traffic'/>
+
+ <!-- allow qemu to send a self-announce upon migration end -->
+ <filterref filter='qemu-announce-self'/>
+
+</filter>
--- /dev/null
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <!-- no arp spoofing -->
+ <!-- drop if ipaddr does not belong to guest -->
+ <rule action='return' direction='out' priority='400' >
+ <arp match='yes' arpsrcipaddr='$IP' />
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
--- /dev/null
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <rule action='return' direction='out' priority='350' >
+ <arp match='yes' arpsrcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule action='drop' direction='out' priority='1000' />
+</filter>
--- /dev/null
+<filter name='no-arp-spoofing' chain='root'>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
+</filter>
--- /dev/null
+<filter name='no-ip-multicast' chain='ipv4'>
+
+ <!-- drop if destination IP address is in the 224.0.0.0/4 subnet -->
+ <rule action='drop' direction='out'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <!-- allow DHCP requests -->
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp' srcportstart='68' srcportend='68'/>
+ </rule>
+
+ <!-- allow all known IP addresses -->
+ <rule direction='out' action='return' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+
+ <!-- drop everything else -->
+ <rule direction='out' action='drop' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='no-mac-broadcast' chain='ipv4'>
+ <!-- drop if destination mac is bcast mac addr. -->
+ <rule action='drop' direction='out'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff' />
+ </rule>
+
+ <!-- not doing anything with receiving side ... -->
+</filter>
--- /dev/null
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <!-- return packets with VM's MAC address as source address -->
+ <rule direction='out' action='return'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <!-- drop everything else -->
+ <rule direction='out' action='drop'>
+ <mac/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='no-other-l2-traffic'>
+
+ <!-- drop all other l2 traffic than for which rules have been
+ written for; i.e., drop all other than arp and ipv4 traffic -->
+ <rule action='drop' direction='inout' priority='1000'/>
+
+</filter>
--- /dev/null
+<filter name='no-other-rarp-traffic' chain='rarp'>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<filter name='qemu-announce-self-rarp' chain='rarp'>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp opcode='Request_Reverse'
+ srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp opcode='Request_Reverse'
+ dstmacaddr='ff:ff:ff:ff:ff:ff'
+ arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC'
+ arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
--- /dev/null
+<filter name='qemu-announce-self' chain='root'>
+ <!-- as of 4/26/2010 qemu sends out a bogus packet with
+ wrong rarp protocol ID -->
+ <!-- accept what is being sent now -->
+ <rule action='accept' direction='out'>
+ <mac protocolid='0x835'/>
+ </rule>
+
+ <!-- accept if it was changed to rarp -->
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+
+</filter>
--- /dev/null
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+/var/log/libvirt/lxc/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+/var/log/libvirt/qemu/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+/var/log/libvirt/uml/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+# If you want to use the non-TLS socket, then you *must* include
+# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
+# ones that can offer session encryption as well as authentication.
+#
+# If you're only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# Default to a simple username+password mechanism
+mech_list: digest-md5
+
+# Before you can use GSSAPI, you need a service principle on the
+# KDC server for libvirt, and that to be exported to the keytab
+# file listed below
+#mech_list: gssapi
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: digest-md5 gssapi
+
+# MIT kerberos ignores this option & needs KRB5_KTNAME env var.
+# May be useful for other non-Linux OS though....
+keytab: /etc/libvirt/krb5.tab
+
+# If using digest-md5 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -a libvirt' to browse it
+sasldb_path: /etc/libvirt/passwd.db
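Review bot: `mech_list: digest-md5` (L901) is shipped as the default even though DIGEST-MD5 was moved to Historic by RFC 6331, and the sasldb it depends on (`sasldb_path: /etc/libvirt/passwd.db`, L920) stores the shared secret in a recoverable form, so that file must stay root-only; the permission manifest at the top of this commit does not appear to cover it because `saslpasswd2` creates it later. The comment at L917–L919 is the natural place to say so: `# passwd.db holds recoverable secrets; keep it root-owned with mode 0600`. The header at L893–L895 could also note that, for the non-TLS socket, this leaves GSSAPI as the only non-Historic mechanism that provides session encryption.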
--- /dev/null
+# The kernel allocates aio memory on demand, and this number limits the
+# number of parallel aio requests; the only drawback of a larger limit is
+# that a malicious guest could issue parallel requests to cause the kernel
+# to set aside memory. Set this number at least as large as
+# 128 * (number of virtual disks on the host)
+# Libvirt uses a default of 1M requests to allow 8k disks, with at most
+# 64M of kernel memory if all disks hit an aio request at the same time.
+fs.aio-max-nr = 1048576
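Review bot: This file appears to be installed as `/etc/sysctl.d/libvirtd` without a `.conf` suffix (manifest entry at L64); if the sysctl init script on this system only loads `/etc/sysctl.d/*.conf`, the setting is never applied, so confirm the glob the script uses or rename the file to `libvirtd.conf`. It would also help to add, after L928, how to verify the value took effect: `# check with: sysctl fs.aio-max-nr`.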