From 506981b7326fd4dd5bbaf353eea7499093c11095 Mon Sep 17 00:00:00 2001 
From: fbrehm Date: Mon, 5 Mar 2012 13:29:03 +0100 Subject: [PATCH] committing changes in /etc after emerge run Package changes: +app-emulation/libvirt-0.9.8 --- .etckeeper | 31 ++ conf.d/libvirtd | 37 ++ init.d/libvirtd | 125 ++++++ libvirt/libvirt.conf | 12 + libvirt/libvirtd.conf | 393 +++++++++++++++++++ libvirt/lxc.conf | 13 + libvirt/nwfilter/allow-arp.xml | 3 + libvirt/nwfilter/allow-dhcp-server.xml | 24 ++ libvirt/nwfilter/allow-dhcp.xml | 21 + libvirt/nwfilter/allow-incoming-ipv4.xml | 3 + libvirt/nwfilter/allow-ipv4.xml | 3 + libvirt/nwfilter/clean-traffic.xml | 30 ++ libvirt/nwfilter/no-arp-ip-spoofing.xml | 9 + libvirt/nwfilter/no-arp-mac-spoofing.xml | 7 + libvirt/nwfilter/no-arp-spoofing.xml | 4 + libvirt/nwfilter/no-ip-multicast.xml | 9 + libvirt/nwfilter/no-ip-spoofing.xml | 14 + libvirt/nwfilter/no-mac-broadcast.xml | 8 + libvirt/nwfilter/no-mac-spoofing.xml | 10 + libvirt/nwfilter/no-other-l2-traffic.xml | 7 + libvirt/nwfilter/no-other-rarp-traffic.xml | 3 + libvirt/nwfilter/qemu-announce-self-rarp.xml | 14 + libvirt/nwfilter/qemu-announce-self.xml | 13 + logrotate.d/libvirtd | 9 + logrotate.d/libvirtd.lxc | 9 + logrotate.d/libvirtd.qemu | 9 + logrotate.d/libvirtd.uml | 9 + sasl2/libvirt.conf | 28 ++ sysctl.d/libvirtd | 8 + 29 files changed, 865 insertions(+) create mode 100644 conf.d/libvirtd create mode 100755 init.d/libvirtd create mode 100644 libvirt/libvirt.conf create mode 100644 libvirt/libvirtd.conf create mode 100644 libvirt/lxc.conf create mode 100644 libvirt/nwfilter/allow-arp.xml create mode 100644 libvirt/nwfilter/allow-dhcp-server.xml create mode 100644 libvirt/nwfilter/allow-dhcp.xml create mode 100644 libvirt/nwfilter/allow-incoming-ipv4.xml create mode 100644 libvirt/nwfilter/allow-ipv4.xml create mode 100644 libvirt/nwfilter/clean-traffic.xml create mode 100644 libvirt/nwfilter/no-arp-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-spoofing.xml create mode 
100644 libvirt/nwfilter/no-ip-multicast.xml create mode 100644 libvirt/nwfilter/no-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-mac-broadcast.xml create mode 100644 libvirt/nwfilter/no-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-other-l2-traffic.xml create mode 100644 libvirt/nwfilter/no-other-rarp-traffic.xml create mode 100644 libvirt/nwfilter/qemu-announce-self-rarp.xml create mode 100644 libvirt/nwfilter/qemu-announce-self.xml create mode 100644 logrotate.d/libvirtd create mode 100644 logrotate.d/libvirtd.lxc create mode 100644 logrotate.d/libvirtd.qemu create mode 100644 logrotate.d/libvirtd.uml create mode 100644 sasl2/libvirt.conf create mode 100644 sysctl.d/libvirtd
diff --git a/.etckeeper b/.etckeeper
index 375576d..2c7de88 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -244,6 +244,7 @@ maybe chmod 0644 './conf.d/ip6tables'
 maybe chmod 0644 './conf.d/iptables'
 maybe chmod 0644 './conf.d/keymaps'
 maybe chmod 0644 './conf.d/killprocs'
+maybe chmod 0644 './conf.d/libvirtd'
 maybe chmod 0644 './conf.d/localmount'
 maybe chmod 0644 './conf.d/lvm'
 maybe chmod 0644 './conf.d/mdadm'
@@ -960,6 +961,7 @@ maybe chmod 0755 './init.d/ip6tables'
 maybe chmod 0755 './init.d/iptables'
 maybe chmod 0755 './init.d/keymaps'
 maybe chmod 0755 './init.d/killprocs'
+maybe chmod 0755 './init.d/libvirtd'
 maybe chmod 0755 './init.d/lm_sensors'
 maybe chmod 0755 './init.d/local'
 maybe chmod 0755 './init.d/localmount'
@@ -1071,6 +1073,28 @@ maybe chmod 0440 './ldap.conf.sudo'
 maybe chmod 0755 './lftp'
 maybe chmod 0644 './lftp/lftp.conf'
 maybe chmod 0640 './libaudit.conf'
+maybe chmod 0755 './libvirt'
+maybe chmod 0644 './libvirt/libvirt.conf'
+maybe chmod 0644 './libvirt/libvirtd.conf'
+maybe chmod 0644 './libvirt/lxc.conf'
+maybe chmod 0755 './libvirt/nwfilter'
+maybe chmod 0644 './libvirt/nwfilter/allow-arp.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-dhcp-server.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-dhcp.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-incoming-ipv4.xml'
+maybe chmod 0644 './libvirt/nwfilter/allow-ipv4.xml'
+maybe chmod 0644 './libvirt/nwfilter/clean-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-ip-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-mac-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-arp-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-ip-multicast.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-ip-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-mac-broadcast.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-mac-spoofing.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-other-l2-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/no-other-rarp-traffic.xml'
+maybe chmod 0644 './libvirt/nwfilter/qemu-announce-self-rarp.xml'
+maybe chmod 0644 './libvirt/nwfilter/qemu-announce-self.xml'
 maybe chmod 0644 './lisp-config.lisp'
 maybe chmod 0755 './local.d'
 maybe chmod 0644 './local.d/README'
@@ -1083,6 +1107,10 @@ maybe chmod 0644 './logrotate.d/.keep_app-admin_logrotate-0'
 maybe chmod 0644 './logrotate.d/apache2'
 maybe chmod 0644 './logrotate.d/elog-save-summary'
 maybe chmod 0644 './logrotate.d/kdm'
+maybe chmod 0644 './logrotate.d/libvirtd'
+maybe chmod 0644 './logrotate.d/libvirtd.lxc'
+maybe chmod 0644 './logrotate.d/libvirtd.qemu'
+maybe chmod 0644 './logrotate.d/libvirtd.uml'
 maybe chmod 0644 './logrotate.d/mysql'
 maybe chmod 0644 './logrotate.d/openrc'
 maybe chmod 0644 './logrotate.d/rsyncd'
@@ -1469,6 +1497,7 @@ maybe chmod 0644 './sane.d/v4l.conf'
 maybe chmod 0644 './sane.d/xerox_mfp.conf'
 maybe chmod 0755 './sasl2'
 maybe chmod 0644 './sasl2/.keep_dev-libs_cyrus-sasl-2'
+maybe chmod 0644 './sasl2/libvirt.conf'
 maybe chgrp mail './sasl2/sasldb2'
 maybe chmod 0640 './sasl2/sasldb2'
 maybe chmod 0644 './sasl2/smtpd.conf'
@@ -1572,6 +1601,8 @@ maybe chmod 0644 './ssl/private/.keep_dev-libs_openssl-0'
 maybe chmod 0440 './sudoers'
 maybe chmod 0750 './sudoers.d'
 maybe chmod 0644 './sysctl.conf'
+maybe chmod 0755 './sysctl.d'
+maybe chmod 0644 './sysctl.d/libvirtd'
 maybe chmod 0755 './syslog-ng'
 maybe chmod 0644 './syslog-ng/modules.conf'
 maybe chmod 0755 './syslog-ng/patterndb.d'
diff --git a/conf.d/libvirtd b/conf.d/libvirtd
new file mode 100644
index 0000000..9040157
--- /dev/null
+++ b/conf.d/libvirtd
@@ -0,0 +1,37 @@
+# /etc/conf.d/libvirtd
+
+# LIBVIRTD_OPTS
+# You may want to add '--listen' to have libvirtd listen for tcp/ip connections
+# if you want to use libvirt for remote control
+# Please consult 'libvirtd --help' for more options
+#LIBVIRTD_OPTS="--listen"
+
+# LIBVIRTD_KVM_SHUTDOWN
+# Valid options:
+# * shutdown - Sends an ACPI shutdown (think when you tap the power button
+# on your machine and it begins a graceful shutdown). If your
+# VM ignores this, it will have the power yanked out from under
+# it in LIBVIRTD_KVM_SHUTDOWN_MAXWAIT seconds.
+# * managedsave - Performs a state save external to the VM. qemu-kvm will stop
+# stop the CPU and save off all state to a separate file. When
+# the machine is started again, it will resume like nothing ever
+# happened. This is guarenteed to always successfully stop your
+# machine and restart it. However it may take some time to finish.
+# * none - No attempts will be made to stop any VMs. If you are restarting your
+# machine the qemu-kvm process will be simply killed, which may result
+# in your VMs having disk corruption.
+LIBVIRTD_KVM_SHUTDOWN="managedsave"
+
+# LIBVIRTD_KVM_SHUTDOWN_MAXWAIT
+# Timeout in seconds until stopping libvirtd and "pulling the plug" on the
+# remaining VM's still in a running state
+#LIBVIRTD_KVM_SHUTDOWN_MAXWAIT="500"
+
+# LIBVIRTD_NET_SHUTDOWN
+# If libvirtd created networks for you (e.g. NATed networks) then this init
+# script will shut them down for you if this is set to 'yes'. Otherwise,
+# the networks will be left running once libvirt is shutdown. For this
+# option to be useful you must have enabled the 'virt-network' USE flag and
+# have had libvirt create a NATed network for you.
+# Valid values: 'yes' or 'no'
+#LIBVIRTD_NET_SHUTDOWN="yes"
diff --git a/init.d/libvirtd b/init.d/libvirtd
new file mode 100755
index 0000000..3007359
--- /dev/null
+++ b/init.d/libvirtd
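Review bot: The `LIBVIRTD_OPTS` comment recommends `--listen` for remote control without saying that what actually becomes reachable is decided by `listen_tls`, `listen_tcp` and `auth_tcp` in libvirt/libvirtd.conf, so an operator following this file alone can end up with a TCP listener whose only protection is the mechanism chosen in sasl2/libvirt.conf. I would extend the comment with `# '--listen' only enables what libvirt/libvirtd.conf allows; review listen_tls, listen_tcp and auth_tcp there before exposing the daemon`. The managedsave description also doubles a word (`will stop` / `stop the CPU`) and spells `guarenteed` for `guaranteed`.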
@@ -0,0 +1,125 @@
+#!/sbin/runscript
+
+description="Virtual Machine Management daemon (libvirt)"
+extra_commands="halt"
+extra_started_commands="reload"
+description_halt="Stops the libvirt daemon without stopping your VMs"
+description_reload="Restarts the libvirt daemon without stopping your VMs"
+
+depend() {
+ need net
+ after ntp-client ntpd nfs iscsid nfsmount portmap rpc.statd iptables ip6tables ebtables ceph corosync sanlock cgconfig
+}
+
+libvirtd_virsh() {
+ # Silence errors because virsh always throws an error about
+ # not finding the hypervisor version when connecting to libvirtd
+ LC_ALL=C virsh -c qemu:///system "$@" 2>/dev/null
+}
+
+libvirtd_dom_list() {
+ # Make sure that it wouldn't be confused if the domain name
+ # contains the word running.
+ libvirtd_virsh list | awk '$3 == "running" { print $1 }'
+}
+
+libvirtd_dom_count() {
+ # Make sure that it wouldn't be confused if the domain name
+ # contains the word running.
+ libvirtd_virsh list | awk 'BEGIN { count = 0 } \
+ $3 == "running" { count++ } \
+ END { print count }'
+}
+
+libvirtd_net_list() {
+ # The purpose of the awk is to avoid networks with 'active' in the name
+ libvirtd_virsh net-list | awk '$2 == "active" { print $1 }'
+}
+
+libvirtd_net_count() {
+ # The purpose of the awk is to avoid networks with 'active' in the name
+ libvirtd_virsh net-list | awk 'BEGIN { count = 0 } \
+ $2 == "active" { count++ } \
+ END { print count }'
+}
+
+
+start() {
+ ebegin "Starting libvirtd"
+ start-stop-daemon --start \
+ --env KRB5_KTNAME=/etc/libvirt/krb5.tab \
+ --exec /usr/sbin/libvirtd -- -d ${LIBVIRTD_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping libvirtd"
+ # try to shutdown all (KVM/Qemu) domains
+ DOM_COUNT="$(libvirtd_dom_count)"
+ if [ "${LIBVIRTD_KVM_SHUTDOWN}" != "none" ] \
+ && [ "${DOM_COUNT}" != "0" ] ; then
+
+ einfo " Shutting down domain(s):"
+ for DOM_ID in $(libvirtd_dom_list) ; do
+ NAME="$(libvirtd_virsh domname ${DOM_ID} | head -n 1)"
+ einfo " ${NAME}"
+ libvirtd_virsh ${LIBVIRTD_KVM_SHUTDOWN} ${DOM_ID} > /dev/null
+ done
+
+ if [ -n "${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}" ] ; then
+ COUNTER="${LIBVIRTD_KVM_SHUTDOWN_MAXWAIT}"
+ else
+ COUNTER=500
+ fi
+
+ if [ "${LIBVIRTD_KVM_SHUTDOWN}" = "shutdown" ]; then
+ einfo " Waiting ${COUNTER} seconds while domains shutdown ..."
+ DOM_COUNT="$(libvirtd_dom_count)"
+ while [ ${DOM_COUNT} -gt 0 ] && [ ${COUNTER} -gt 0 ] ; do
+ DOM_COUNT="$(libvirtd_dom_count)"
+ sleep 1
+ COUNTER=$((${COUNTER} - 1))
+ echo -n "."
+ done
+ fi
+
+ DOM_COUNT="$(libvirtd_dom_count)"
+ if [ "${DOM_COUNT}" != "0" ] ; then
+ eerror " !!! Some guests are still running, stopping anyway"
+ fi
+
+ fi
+
+ NET_COUNT="$(libvirtd_net_count)"
+ if [ "${LIBVIRTD_NET_SHUTDOWN}" != "no" ] \
+ && [ "${NET_COUNT}" != "0" ]; then
+
+ einfo " Shutting down network(s):"
+ for NET_NAME in $(libvirtd_net_list); do
+ einfo " ${NET_NAME}"
+ libvirtd_virsh net-destroy ${NET_NAME} > /dev/null
+ done
+
+ NET_COUNT="$(libvirtd_net_count)"
+ if [ "${NET_COUNT}" != "0" ]; then
+ eerror " !!! Some networks are still active, stopping anyway"
+ fi
+ fi
+
+ # Now actually stop the daemon
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
+ eend $?
+}
+
+halt() {
+ ebegin "Stopping libvirtd without shutting down your VMs"
+ start-stop-daemon --stop --quiet --exec \
+ /usr/sbin/libvirtd --pidfile=/var/run/libvirtd.pid
+ eend $?
+}
+
+reload() {
+ halt
+ start
+}
diff --git a/libvirt/libvirt.conf b/libvirt/libvirt.conf
new file mode 100644
index 0000000..c54903c
--- /dev/null
+++ b/libvirt/libvirt.conf
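Review bot: In `stop()` a failed `virsh` connection is indistinguishable from "no running domains": `libvirtd_virsh` discards stderr, and the awk in `libvirtd_dom_count` ends with `END { print count }`, which prints 0 on empty input, so when libvirtd is unresponsive the whole guest-shutdown branch is skipped silently and the daemon is stopped with guests left unmanaged (the network branch has the same property through `libvirtd_net_count`). A cheap guard before the first `DOM_COUNT=` assignment would make that visible: `libvirtd_virsh list > /dev/null || ewarn "Cannot contact libvirtd; domains and networks will not be shut down"`. Separately, `${DOM_ID}`, `${NET_NAME}` and `${LIBVIRTD_KVM_SHUTDOWN}` are expanded unquoted on the `libvirtd_virsh` calls; quoting them costs nothing and keeps an unexpected value from being split into extra arguments.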
@@ -0,0 +1,12 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "hail=qemu+ssh://root@hail.cloud.example.com/system",
+# "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
diff --git a/libvirt/libvirtd.conf b/libvirt/libvirtd.conf
new file mode 100644
index 0000000..3eab2be
--- /dev/null
+++ b/libvirt/libvirtd.conf
@@ -0,0 +1,393 @@
+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+#mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+#unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+#unix_sock_rw_perms = "0770"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+#auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 20
+
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, upto max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool will stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Total global limit on concurrent RPC calls. Should be
+# at least as large as max_workers. Beyond this, RPC requests
+# will be read into memory and queued. This directly impact
+# memory usage, currently each request requires 256 KB of
+# memory. So by default upto 5 MB of memory is used
+#
+# XXX this isn't actually enforced yet, only the per-client
+# limit is used so far
+#max_requests = 20
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_requests
+# and max_workers parameter
+#max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is:
+# x:name
+# where name is a match string e.g. remote or qemu
+# the x prefix is the minimal level where matching messages should be logged
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g:
+# log_filters="3:remote 4:event"
+# to only get warning or errors from the remote layer and only errors from
+# the event layer.
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g.:
+# log_outputs="3:syslog:libvirtd"
+# to log all warnings and errors to syslog under the libvirtd ident
+
+# Log debug buffer size: default 64
+# The daemon keeps an internal debug log buffer which will be dumped in case
+# of crash or upon receiving a SIGUSR2 signal. This setting allows to override
+# the default buffer size in kilobytes.
+# If value is 0 or less the debug log buffer is deactivated
+#log_buffer_size = 64
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Provide the UUID of the host here in case the command
+# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
+# 'dmidecode' does not provide a valid UUID and none is provided here, a
+# temporary UUID will be generated.
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead client. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the deamon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+#
+# If set to 1, libvirtd will refuse to talk to clients that do not
+# support keepalive protocol. Defaults to 0.
+#
+#keepalive_required = 1
diff --git a/libvirt/lxc.conf b/libvirt/lxc.conf
new file mode 100644
index 0000000..7a5066f
--- /dev/null
+++ b/libvirt/lxc.conf
@@ -0,0 +1,13 @@
+# Master configuration file for the LXC driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, log messages generated by the lxc controller go to the
+# container logfile. It is also possible to accumulate log messages
+# from all lxc controllers along with libvirtd's log outputs. In this
+# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
+# log_outputs from libvirtd.conf.
+#
+# This is disabled by default, uncomment below to enable it.
+#
+# log_with_libvirtd = 1
diff --git a/libvirt/nwfilter/allow-arp.xml b/libvirt/nwfilter/allow-arp.xml
new file mode 100644
index 0000000..63a92b2
--- /dev/null
+++ b/libvirt/nwfilter/allow-arp.xml
@@ -0,0 +1,3 @@ + + +
diff --git a/libvirt/nwfilter/allow-dhcp-server.xml b/libvirt/nwfilter/allow-dhcp-server.xml
new file mode 100644
index 0000000..37e708e
--- /dev/null
+++ b/libvirt/nwfilter/allow-dhcp-server.xml
@@ -0,0 +1,24 @@ + + + + + + + + + + + + + +
diff --git a/libvirt/nwfilter/allow-dhcp.xml b/libvirt/nwfilter/allow-dhcp.xml
new file mode 100644
index 0000000..d66d2b6
--- /dev/null
+++ b/libvirt/nwfilter/allow-dhcp.xml
@@ -0,0 +1,21 @@ + + + + + + + + + + + + + +
diff --git a/libvirt/nwfilter/allow-incoming-ipv4.xml b/libvirt/nwfilter/allow-incoming-ipv4.xml new file mode 100644 index 0000000..dd1e50d --- /dev/null +++ b/libvirt/nwfilter/allow-incoming-ipv4.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/allow-ipv4.xml b/libvirt/nwfilter/allow-ipv4.xml new file mode 100644 index 0000000..28e930a --- /dev/null +++ b/libvirt/nwfilter/allow-ipv4.xml @@ -0,0 +1,3 @@ + + + diff --git a/libvirt/nwfilter/clean-traffic.xml b/libvirt/nwfilter/clean-traffic.xml new file mode 100644 index 0000000..b8cde9c --- /dev/null +++ b/libvirt/nwfilter/clean-traffic.xml @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-ip-spoofing.xml b/libvirt/nwfilter/no-arp-ip-spoofing.xml new file mode 100644 index 0000000..7365298 --- /dev/null +++ b/libvirt/nwfilter/no-arp-ip-spoofing.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-mac-spoofing.xml b/libvirt/nwfilter/no-arp-mac-spoofing.xml new file mode 100644 index 0000000..71482bb --- /dev/null +++ b/libvirt/nwfilter/no-arp-mac-spoofing.xml @@ -0,0 +1,7 @@ + + + + + + + diff --git a/libvirt/nwfilter/no-arp-spoofing.xml b/libvirt/nwfilter/no-arp-spoofing.xml new file mode 100644 index 0000000..23f2d3c --- /dev/null +++ b/libvirt/nwfilter/no-arp-spoofing.xml @@ -0,0 +1,4 @@ + + + + diff --git a/libvirt/nwfilter/no-ip-multicast.xml b/libvirt/nwfilter/no-ip-multicast.xml new file mode 100644 index 0000000..edcf03f --- /dev/null +++ b/libvirt/nwfilter/no-ip-multicast.xml @@ -0,0 +1,9 @@ + + + + + + + + + diff --git a/libvirt/nwfilter/no-ip-spoofing.xml b/libvirt/nwfilter/no-ip-spoofing.xml new file mode 100644 index 0000000..cbed030 --- /dev/null +++ b/libvirt/nwfilter/no-ip-spoofing.xml @@ -0,0 +1,14 @@ + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-mac-broadcast.xml b/libvirt/nwfilter/no-mac-broadcast.xml new file mode 100644 index 0000000..74e65bf --- /dev/null 
+++ b/libvirt/nwfilter/no-mac-broadcast.xml
@@ -0,0 +1,8 @@ + + + + + + + +
diff --git a/libvirt/nwfilter/no-mac-spoofing.xml b/libvirt/nwfilter/no-mac-spoofing.xml
new file mode 100644
index 0000000..2d0468f
--- /dev/null
+++ b/libvirt/nwfilter/no-mac-spoofing.xml
@@ -0,0 +1,10 @@ + + + + + + + + + +
diff --git a/libvirt/nwfilter/no-other-l2-traffic.xml b/libvirt/nwfilter/no-other-l2-traffic.xml
new file mode 100644
index 0000000..8bad86e
--- /dev/null
+++ b/libvirt/nwfilter/no-other-l2-traffic.xml
@@ -0,0 +1,7 @@ + + + + + +
diff --git a/libvirt/nwfilter/no-other-rarp-traffic.xml b/libvirt/nwfilter/no-other-rarp-traffic.xml
new file mode 100644
index 0000000..7729996
--- /dev/null
+++ b/libvirt/nwfilter/no-other-rarp-traffic.xml
@@ -0,0 +1,3 @@ + + +
diff --git a/libvirt/nwfilter/qemu-announce-self-rarp.xml b/libvirt/nwfilter/qemu-announce-self-rarp.xml
new file mode 100644
index 0000000..b7a848a
--- /dev/null
+++ b/libvirt/nwfilter/qemu-announce-self-rarp.xml
@@ -0,0 +1,14 @@ + + + + + + + +
diff --git a/libvirt/nwfilter/qemu-announce-self.xml b/libvirt/nwfilter/qemu-announce-self.xml
new file mode 100644
index 0000000..352db50
--- /dev/null
+++ b/libvirt/nwfilter/qemu-announce-self.xml
@@ -0,0 +1,13 @@ + + + + + + + + + + + +
diff --git a/logrotate.d/libvirtd b/logrotate.d/libvirtd
new file mode 100644
index 0000000..869c879
--- /dev/null
+++ b/logrotate.d/libvirtd
@@ -0,0 +1,9 @@
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/logrotate.d/libvirtd.lxc b/logrotate.d/libvirtd.lxc
new file mode 100644
index 0000000..af0adc2
--- /dev/null
+++ b/logrotate.d/libvirtd.lxc
@@ -0,0 +1,9 @@
+/var/log/libvirt/lxc/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/logrotate.d/libvirtd.qemu b/logrotate.d/libvirtd.qemu
new file mode 100644
index 0000000..6a866f9
--- /dev/null
+++ b/logrotate.d/libvirtd.qemu
@@ -0,0 +1,9 @@
+/var/log/libvirt/qemu/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/logrotate.d/libvirtd.uml b/logrotate.d/libvirtd.uml
new file mode 100644
index 0000000..441a905
--- /dev/null
+++ b/logrotate.d/libvirtd.uml
@@ -0,0 +1,9 @@
+/var/log/libvirt/uml/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/sasl2/libvirt.conf b/sasl2/libvirt.conf
new file mode 100644
index 0000000..e24a130
--- /dev/null
+++ b/sasl2/libvirt.conf
@@ -0,0 +1,28 @@
+# If you want to use the non-TLS socket, then you *must* include
+# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
+# ones that can offer session encryption as well as authentication.
+#
+# If you're only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# Default to a simple username+password mechanism
+mech_list: digest-md5
+
+# Before you can use GSSAPI, you need a service principle on the
+# KDC server for libvirt, and that to be exported to the keytab
+# file listed below
+#mech_list: gssapi
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: digest-md5 gssapi
+
+# MIT kerberos ignores this option & needs KRB5_KTNAME env var.
+# May be useful for other non-Linux OS though....
+keytab: /etc/libvirt/krb5.tab
+
+# If using digest-md5 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -a libvirt' to browse it
+sasldb_path: /etc/libvirt/passwd.db
diff --git a/sysctl.d/libvirtd b/sysctl.d/libvirtd
new file mode 100644
index 0000000..275482c
--- /dev/null
+++ b/sysctl.d/libvirtd
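Review bot: The active setting `mech_list: digest-md5` together with `sasldb_path: /etc/libvirt/passwd.db` makes a credential database the single control protecting the unencrypted TCP socket, yet the hunk says nothing about who may read that file; the `.etckeeper` hunk in this commit shows the existing `sasl2/sasldb2` kept at mode `0640`, and the new database, created later by the `saslpasswd2` command the comment mentions, deserves the same statement. I would add above `sasldb_path`: `# passwd.db holds reusable credentials: keep it root-owned and not group/world readable (compare sasl2/sasldb2)`. The comment introducing `digest-md5` as the "simple" default could also note that DIGEST-MD5 was moved to Historic status by RFC 6331 in 2011, so of the two mechanisms this file describes GSSAPI is the one to prefer for the non-TLS socket.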
@@ -0,0 +1,8 @@
+# The kernel allocates aio memory on demand, and this number limits the
+# number of parallel aio requests; the only drawback of a larger limit is
+# that a malicious guest could issue parallel requests to cause the kernel
+# to set aside memory. Set this number at least as large as
+# 128 * (number of virtual disks on the host)
+# Libvirt uses a default of 1M requests to allow 8k disks, with at most
+# 64M of kernel memory if all disks hit an aio request at the same time.
+fs.aio-max-nr = 1048576
-- 
2.39.5