From d08d9adcbe0b6f1f2d1cc2d3b6ecafb6e1a78934 Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Sun, 3 May 2020 18:12:22 +0200 Subject: [PATCH] committing changes in /etc after apt run Package changes: +libnetcf1 1:0.2.8-1ubuntu2 amd64 +libvirt-clients 4.0.0-1ubuntu8.15 amd64 +libvirt-daemon 4.0.0-1ubuntu8.15 amd64 +libvirt-daemon-driver-storage-rbd 4.0.0-1ubuntu8.15 amd64 +libvirt-daemon-system 4.0.0-1ubuntu8.15 amd64 +qemu-kvm 1:2.11+dfsg-1ubuntu7.23 amd64 --- .etckeeper | 66 ++ apparmor.d/abstractions/libvirt-lxc | 116 +++ apparmor.d/abstractions/libvirt-qemu | 223 +++++ apparmor.d/libvirt/TEMPLATE.lxc | 15 + apparmor.d/libvirt/TEMPLATE.qemu | 9 + .../local/usr.lib.libvirt.virt-aa-helper | 0 apparmor.d/local/usr.sbin.libvirtd | 0 apparmor.d/usr.lib.libvirt.virt-aa-helper | 88 ++ apparmor.d/usr.sbin.libvirtd | 133 +++ default/libvirt-guests | 50 ++ default/libvirtd | 17 + default/virtlockd | 3 + default/virtlogd | 3 + dnsmasq.d-available/libvirt-daemon | 2 + dnsmasq.d/libvirt-daemon | 1 + group | 3 + group- | 3 + gshadow | 3 + gshadow- | 3 + init.d/libvirt-guests | 632 ++++++++++++++ init.d/libvirtd | 232 ++++++ init.d/virtlogd | 161 ++++ libvirt/libvirt-admin.conf | 16 + libvirt/libvirt.conf | 18 + libvirt/libvirtd.conf | 468 +++++++++++ libvirt/libxl-lockd.conf | 67 ++ libvirt/libxl.conf | 43 + libvirt/lxc.conf | 31 + libvirt/nwfilter/allow-arp.xml | 11 + libvirt/nwfilter/allow-dhcp-server.xml | 16 + libvirt/nwfilter/allow-dhcp.xml | 16 + libvirt/nwfilter/allow-incoming-ipv4.xml | 11 + libvirt/nwfilter/allow-ipv4.xml | 11 + libvirt/nwfilter/clean-traffic.xml | 22 + libvirt/nwfilter/no-arp-ip-spoofing.xml | 14 + libvirt/nwfilter/no-arp-mac-spoofing.xml | 14 + libvirt/nwfilter/no-arp-spoofing.xml | 12 + libvirt/nwfilter/no-ip-multicast.xml | 13 + libvirt/nwfilter/no-ip-spoofing.xml | 17 + libvirt/nwfilter/no-mac-broadcast.xml | 13 + libvirt/nwfilter/no-mac-spoofing.xml | 16 + libvirt/nwfilter/no-other-l2-traffic.xml | 11 + libvirt/nwfilter/no-other-rarp-traffic.xml | 11 + libvirt/nwfilter/qemu-announce-self-rarp.xml | 16 + 
libvirt/nwfilter/qemu-announce-self.xml | 15 + libvirt/qemu-lockd.conf | 67 ++ libvirt/qemu-sanlock.conf | 69 ++ libvirt/qemu.conf | 783 ++++++++++++++++++ libvirt/qemu/networks/autostart/default.xml | 1 + libvirt/qemu/networks/default.xml | 19 + libvirt/virt-login-shell.conf | 48 ++ libvirt/virtlockd.conf | 67 ++ libvirt/virtlogd.conf | 67 ++ logrotate.d/libvirtd | 9 + logrotate.d/libvirtd.libxl | 8 + logrotate.d/libvirtd.lxc | 8 + logrotate.d/libvirtd.qemu | 8 + logrotate.d/libvirtd.uml | 8 + passwd | 2 + passwd- | 4 +- profile.d/libvirt-uri.sh | 27 + rc0.d/K01libvirt-guests | 1 + rc0.d/K01libvirtd | 1 + rc0.d/K01virtlogd | 1 + rc1.d/K01libvirt-guests | 1 + rc1.d/K01libvirtd | 1 + rc1.d/K01virtlogd | 1 + rc2.d/S01libvirt-guests | 1 + rc2.d/S01libvirtd | 1 + rc2.d/S01virtlogd | 1 + rc3.d/S01libvirt-guests | 1 + rc3.d/S01libvirtd | 1 + rc3.d/S01virtlogd | 1 + rc4.d/S01libvirt-guests | 1 + rc4.d/S01libvirtd | 1 + rc4.d/S01virtlogd | 1 + rc5.d/S01libvirt-guests | 1 + rc5.d/S01libvirtd | 1 + rc5.d/S01virtlogd | 1 + rc6.d/K01libvirt-guests | 1 + rc6.d/K01libvirtd | 1 + rc6.d/K01virtlogd | 1 + sasl2/libvirt.conf | 45 + shadow | 2 + shadow- | 2 + systemd/system/libvirt-bin.service | 1 + .../libvirt-guests.service | 1 + .../multi-user.target.wants/libvirtd.service | 1 + .../sockets.target.wants/virtlockd.socket | 1 + .../sockets.target.wants/virtlogd.socket | 1 + 90 files changed, 3914 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/abstractions/libvirt-lxc create mode 100644 apparmor.d/abstractions/libvirt-qemu create mode 100644 apparmor.d/libvirt/TEMPLATE.lxc create mode 100644 apparmor.d/libvirt/TEMPLATE.qemu create mode 100644 apparmor.d/local/usr.lib.libvirt.virt-aa-helper create mode 100644 apparmor.d/local/usr.sbin.libvirtd create mode 100644 apparmor.d/usr.lib.libvirt.virt-aa-helper create mode 100644 apparmor.d/usr.sbin.libvirtd create mode 100644 default/libvirt-guests create mode 100644 default/libvirtd create mode 100644 default/virtlockd create 
mode 100644 default/virtlogd create mode 100644 dnsmasq.d-available/libvirt-daemon create mode 120000 dnsmasq.d/libvirt-daemon create mode 100755 init.d/libvirt-guests create mode 100755 init.d/libvirtd create mode 100755 init.d/virtlogd create mode 100644 libvirt/libvirt-admin.conf create mode 100644 libvirt/libvirt.conf create mode 100644 libvirt/libvirtd.conf create mode 100644 libvirt/libxl-lockd.conf create mode 100644 libvirt/libxl.conf create mode 100644 libvirt/lxc.conf create mode 100644 libvirt/nwfilter/allow-arp.xml create mode 100644 libvirt/nwfilter/allow-dhcp-server.xml create mode 100644 libvirt/nwfilter/allow-dhcp.xml create mode 100644 libvirt/nwfilter/allow-incoming-ipv4.xml create mode 100644 libvirt/nwfilter/allow-ipv4.xml create mode 100644 libvirt/nwfilter/clean-traffic.xml create mode 100644 libvirt/nwfilter/no-arp-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-spoofing.xml create mode 100644 libvirt/nwfilter/no-ip-multicast.xml create mode 100644 libvirt/nwfilter/no-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-mac-broadcast.xml create mode 100644 libvirt/nwfilter/no-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-other-l2-traffic.xml create mode 100644 libvirt/nwfilter/no-other-rarp-traffic.xml create mode 100644 libvirt/nwfilter/qemu-announce-self-rarp.xml create mode 100644 libvirt/nwfilter/qemu-announce-self.xml create mode 100644 libvirt/qemu-lockd.conf create mode 100644 libvirt/qemu-sanlock.conf create mode 100644 libvirt/qemu.conf create mode 120000 libvirt/qemu/networks/autostart/default.xml create mode 100644 libvirt/qemu/networks/default.xml create mode 100644 libvirt/virt-login-shell.conf create mode 100644 libvirt/virtlockd.conf create mode 100644 libvirt/virtlogd.conf create mode 100644 logrotate.d/libvirtd create mode 100644 logrotate.d/libvirtd.libxl create mode 100644 logrotate.d/libvirtd.lxc create mode 100644 logrotate.d/libvirtd.qemu 
create mode 100644 logrotate.d/libvirtd.uml create mode 100644 profile.d/libvirt-uri.sh create mode 120000 rc0.d/K01libvirt-guests create mode 120000 rc0.d/K01libvirtd create mode 120000 rc0.d/K01virtlogd create mode 120000 rc1.d/K01libvirt-guests create mode 120000 rc1.d/K01libvirtd create mode 120000 rc1.d/K01virtlogd create mode 120000 rc2.d/S01libvirt-guests create mode 120000 rc2.d/S01libvirtd create mode 120000 rc2.d/S01virtlogd create mode 120000 rc3.d/S01libvirt-guests create mode 120000 rc3.d/S01libvirtd create mode 120000 rc3.d/S01virtlogd create mode 120000 rc4.d/S01libvirt-guests create mode 120000 rc4.d/S01libvirtd create mode 120000 rc4.d/S01virtlogd create mode 120000 rc5.d/S01libvirt-guests create mode 120000 rc5.d/S01libvirtd create mode 120000 rc5.d/S01virtlogd create mode 120000 rc6.d/K01libvirt-guests create mode 120000 rc6.d/K01libvirtd create mode 120000 rc6.d/K01virtlogd create mode 100644 sasl2/libvirt.conf create mode 120000 systemd/system/libvirt-bin.service create mode 120000 systemd/system/multi-user.target.wants/libvirt-guests.service create mode 120000 systemd/system/multi-user.target.wants/libvirtd.service create mode 120000 systemd/system/sockets.target.wants/virtlockd.socket create mode 120000 systemd/system/sockets.target.wants/virtlogd.socket
diff --git a/.etckeeper b/.etckeeper
index 946ac9b..0cf1747 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -34,6 +34,8 @@ mkdir -p './initramfs-tools/scripts/nfs-top'
 mkdir -p './initramfs-tools/scripts/panic'
 mkdir -p './kernel/install.d'
 mkdir -p './libpaper.d'
+mkdir -p './libvirt/hooks'
+mkdir -p './libvirt/secrets'
 mkdir -p './mate-settings-daemon/xrandr'
 mkdir -p './molly-guard/messages.d'
 mkdir -p './network/interfaces.d'
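Review bot: The new `mkdir -p './libvirt/secrets'` entry means etckeeper now tracks the directory that is presumably the libvirt secret driver's on-disk store (verify against the libvirt version installed), so any secret value defined there later will be committed into this git history on the next apt or daily run. The directory is recorded as 0700 further down in this same file, but mode bits protect neither a clone nor a remote, and this commit already tracks `shadow`/`gshadow` copies under the same regime. Consider adding `libvirt/secrets/` to /etc/.gitignore before the first secret is defined, and decide at the same time whether the per-domain AppArmor profiles that virt-aa-helper will write under `apparmor.d/libvirt/libvirt-*` should be excluded as well.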
@@ -271,6 +273,8 @@ maybe chmod 0644 'apparmor.d/abstractions/kerberosclient'
 maybe chmod 0644 'apparmor.d/abstractions/launchpad-integration'
 maybe chmod 0644 'apparmor.d/abstractions/ldapclient'
 maybe chmod 0644 'apparmor.d/abstractions/libpam-systemd'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-lxc'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-qemu'
 maybe chmod 0644 'apparmor.d/abstractions/lightdm'
 maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser'
 maybe chmod 0644 'apparmor.d/abstractions/likewise'
@@ -338,6 +342,9 @@ maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop'
 maybe chmod 0755 'apparmor.d/cache'
 maybe chmod 0755 'apparmor.d/disable'
 maybe chmod 0755 'apparmor.d/force-complain'
+maybe chmod 0755 'apparmor.d/libvirt'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.lxc'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.qemu'
 maybe chmod 0644 'apparmor.d/lightdm-guest-session'
 maybe chmod 0755 'apparmor.d/local'
 maybe chmod 0644 'apparmor.d/local/README'
@@ -349,10 +356,12 @@ maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.oosplash'
 maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc'
 maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin'
 maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/local/usr.lib.libvirt.virt-aa-helper'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
 maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
@@ -383,10 +392,12 @@ maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.oosplash'
 maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc'
 maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin'
 maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper'
 maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
 maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
 maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
 maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd'
 maybe chmod 0644 'apparmor.d/usr.sbin.named'
 maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd'
 maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
@@ -1132,6 +1143,8 @@ maybe chmod 0755 'default/kdm.d'
 maybe chmod 0644 'default/kdm.d/10_desktop-base'
 maybe chmod 0644 'default/kerneloops'
 maybe chmod 0644 'default/keyboard'
+maybe chmod 0644 'default/libvirt-guests'
+maybe chmod 0644 'default/libvirtd'
 maybe chmod 0644 'default/locale'
 maybe chmod 0644 'default/mdadm'
 maybe chmod 0644 'default/motd-news'
@@ -1151,6 +1164,8 @@ maybe chmod 0644 'default/speech-dispatcher'
 maybe chmod 0644 'default/ssh'
 maybe chmod 0644 'default/ufw'
 maybe chmod 0644 'default/useradd'
+maybe chmod 0644 'default/virtlockd'
+maybe chmod 0644 'default/virtlogd'
 maybe chmod 0644 'deluser.conf'
 maybe chmod 0755 'depmod.d'
 maybe chmod 0644 'depmod.d/ubuntu.conf'
@@ -1193,6 +1208,9 @@ maybe chmod 0644 'dkms/template-dkms-mkdeb/debian/dirs'
 maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/postinst'
 maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/prerm'
 maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/rules'
+maybe chmod 0755 'dnsmasq.d'
+maybe chmod 0755 'dnsmasq.d-available'
+maybe chmod 0644 'dnsmasq.d-available/libvirt-daemon'
 maybe chmod 0755 'doc-base'
 maybe chmod 0755 'doc-base/documents'
 maybe chmod 0644 'doc-base/documents/README'
@@ -1775,6 +1793,8 @@ maybe chmod 0755 'init.d/irqbalance'
 maybe chmod 0755 'init.d/kerneloops'
 maybe chmod 0755 'init.d/keyboard-setup.sh'
 maybe chmod 0755 'init.d/kmod'
+maybe chmod 0755 'init.d/libvirt-guests'
+maybe chmod 0755 'init.d/libvirtd'
 maybe chmod 0755 'init.d/lightdm'
 maybe chmod 0755 'init.d/lm-sensors'
 maybe chmod 0755 'init.d/lvm2'
@@ -1802,6 +1822,7 @@ maybe chmod 0755 'init.d/ssh'
 maybe chmod 0755 'init.d/udev'
 maybe chmod 0755 'init.d/ufw'
 maybe chmod 0755 'init.d/uuidd'
+maybe chmod 0755 'init.d/virtlogd'
 maybe chmod 0755 'init.d/x11-common'
 maybe chmod 0644 'init/anacron.conf'
 maybe chmod 0644 'init/lightdm.conf'
@@ -1918,6 +1939,43 @@ maybe chmod 0755 'libreoffice'
 maybe chmod 0644 'libreoffice/psprint.conf'
 maybe chmod 0644 'libreoffice/soffice.sh'
 maybe chmod 0644 'libreoffice/sofficerc'
+maybe chmod 0755 'libvirt'
+maybe chmod 0755 'libvirt/hooks'
+maybe chmod 0644 'libvirt/libvirt-admin.conf'
+maybe chmod 0644 'libvirt/libvirt.conf'
+maybe chmod 0644 'libvirt/libvirtd.conf'
+maybe chmod 0644 'libvirt/libxl-lockd.conf'
+maybe chmod 0644 'libvirt/libxl.conf'
+maybe chmod 0644 'libvirt/lxc.conf'
+maybe chmod 0755 'libvirt/nwfilter'
+maybe chmod 0600 'libvirt/nwfilter/allow-arp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp-server.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-incoming-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/clean-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-multicast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-broadcast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-l2-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-rarp-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self-rarp.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self.xml'
+maybe chmod 0755 'libvirt/qemu'
+maybe chmod 0644 'libvirt/qemu-lockd.conf'
+maybe chmod 0644 'libvirt/qemu-sanlock.conf'
+maybe chmod 0600 'libvirt/qemu.conf'
+maybe chmod 0755 'libvirt/qemu/networks'
+maybe chmod 0755 'libvirt/qemu/networks/autostart'
+maybe chmod 0600 'libvirt/qemu/networks/default.xml'
+maybe chmod 0700 'libvirt/secrets'
+maybe chmod 0644 'libvirt/virt-login-shell.conf'
+maybe chmod 0644 'libvirt/virtlockd.conf'
+maybe chmod 0644 'libvirt/virtlogd.conf'
 maybe chmod 0755 'lightdm'
 maybe chmod 0755 'lightdm/lightdm-gtk-greeter.conf.d'
 maybe chmod 0644 'lightdm/lightdm-gtk-greeter.conf.d/99_linuxmint.conf'
@@ -1959,6 +2017,11 @@ maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/cups-daemon'
 maybe chmod 0644 'logrotate.d/dpkg'
+maybe chmod 0644 'logrotate.d/libvirtd'
+maybe chmod 0644 'logrotate.d/libvirtd.libxl'
+maybe chmod 0644 'logrotate.d/libvirtd.lxc'
+maybe chmod 0644 'logrotate.d/libvirtd.qemu'
+maybe chmod 0644 'logrotate.d/libvirtd.uml'
 maybe chmod 0644 'logrotate.d/lightdm'
 maybe chmod 0644 'logrotate.d/mintupdate'
 maybe chmod 0644 'logrotate.d/pm-utils'
@@ -2246,6 +2309,7 @@ maybe chgrp 'users' 'profile.d/fbrehm.sh'
 maybe chmod 0644 'profile.d/fbrehm.sh'
 maybe chmod 0644 'profile.d/flatpak.sh'
 maybe chmod 0644 'profile.d/input-method-config.sh'
+maybe chmod 0644 'profile.d/libvirt-uri.sh'
 maybe chmod 0644 'profile.d/vte-2.91.sh'
 maybe chmod 0644 'profile.d/xdg_dirs_desktop_session.sh'
 maybe chmod 0644 'protocols'
@@ -2376,6 +2440,8 @@ maybe chmod 0644 'sane.d/umax.conf'
 maybe chmod 0644 'sane.d/umax1220u.conf'
 maybe chmod 0644 'sane.d/umax_pp.conf'
 maybe chmod 0644 'sane.d/xerox_mfp.conf'
+maybe chmod 0755 'sasl2'
+maybe chmod 0644 'sasl2/libvirt.conf'
 maybe chmod 0644 'screenrc'
 maybe chmod 0644 'securetty'
 maybe chmod 0755 'security'
diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc
new file mode 100644
index 0000000..4bfb503
--- /dev/null
+++ b/apparmor.d/abstractions/libvirt-lxc
@@ -0,0 +1,116 @@
+# Last Modified: Fri Feb 7 13:01:36 2014
+
+ #include
+
+ umount,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny
/proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+
deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu
new file mode 100644
index 0000000..d75d148
--- /dev/null
+++ b/apparmor.d/abstractions/libvirt-qemu
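Review bot: This abstraction is a deny-list, not an allow-list: `mount fstype=tmpfs,`, `mount fstype=mqueue,` and `mount fstype=fuse.*,` are permitted at any target path, and the generated `deny … wklx` block only shields the enumerated `/proc/sys` and `/sys` subtrees, so everything the including profile grants is otherwise allowed (and the TEMPLATE.lxc in this same commit grants `file,`, `capability,` and `network,` unrestricted). A site that runs anything less than fully trusted containers should pair this with explicit `file`/`capability` rules in the per-domain template rather than rely on these denies alone. Separately, the `#include` line near the top appears here with no target — presumably the `<…>` argument was stripped from the listing rather than missing on disk, but it is worth confirming the installed file loads cleanly with `apparmor_parser -p`.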
@@ -0,0 +1,223 @@
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include
+ #include
+ #include
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+ owner @{PROC}/*/auxv r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+ /run/udev/data/+usb* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk.
Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/misc/sgabios.bin r,
+ /usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
+ /usr/share/AAVMF/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
+
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-system-aarch64 rmix,
+ /usr/bin/qemu-system-alpha rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-lm32 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-moxie rmix,
+ /usr/bin/qemu-system-or32 rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-s390x rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-tricore rmix,
+ /usr/bin/qemu-system-unicore32 rmix,
+
/usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-xtensa rmix,
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
+
+ # for save and resume
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
+
+ # for restore
+ /{usr/,}bin/bash rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
+ # allow access to charm-specific ceph config and silence spurious
+ # denials (LP: #1403648).
+ /var/lib/charm/*/ceph.conf r,
+ deny /tmp/{,**} r,
+ deny /var/tmp/{,**} r,
+
+ # kvm.powerpc executes/accesses this
+ /bin/uname rmix,
+ /usr/sbin/ppc64_cpu rmix,
+ /bin/grep rmix,
+ /sys/devices/system/cpu/subcores_per_core r,
+ /sys/devices/system/cpu/cpu*/online r,
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
diff --git a/apparmor.d/libvirt/TEMPLATE.lxc b/apparmor.d/libvirt/TEMPLATE.lxc
new file mode 100644
index 0000000..f1005dc
--- /dev/null
+++ b/apparmor.d/libvirt/TEMPLATE.lxc
@@ -0,0 +1,15 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu
new file mode 100644
index 0000000..a327315
--- /dev/null
+++ b/apparmor.d/libvirt/TEMPLATE.qemu
@@ -0,0 +1,9 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include
+}
diff --git a/apparmor.d/local/usr.lib.libvirt.virt-aa-helper b/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.libvirtd b/apparmor.d/local/usr.sbin.libvirtd
new file mode 100644
index 0000000..e69de29
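Review bot: `@{HOME}/.pulse-cookie rwk,` is granted without the `owner` qualifier that the neighbouring `owner /root/.pulse-cookie rwk,` rule carries, and the same abstraction grants `capability dac_override` and `capability dac_read_search` "for reading disk images", so a QEMU process confined by a profile that includes this abstraction can read and rewrite every user's PulseAudio cookie regardless of file ownership. The file's own WARNING comment already suggests prepending `deny` to the sound rules where guest audio is not needed; on a headless host I would extend that to the cookie as well, e.g. `deny @{HOME}/.pulse-cookie rwk,` next to `deny /dev/snd/* rw,`, placed in the site's `apparmor.d/libvirt/TEMPLATE.qemu` conffile (also in this commit) so the override survives package upgrades of this abstraction. The two `/{dev,run}/shmpulse-shm*` rules also look like they are missing a `/` before `pulse-shm` (compare `owner /{dev,run}/shm/spice.* rw,` just below); as written they match nothing under /dev/shm, which is harmless for confinement but worth checking against the upstream file if guest audio is expected to work.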
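Review bot: The bare `file,`, `capability,` and `network,` rules in TEMPLATE.lxc are each the unrestricted form in AppArmor syntax, so every LXC domain profile generated from this template gets all capabilities (including sys_admin and sys_module), unrestricted filesystem access and all network families, limited only by the `deny` lines in the libvirt-lxc abstraction it includes. The comment acknowledges this ("These can be narrowed"), and since this file is a conffile copied per domain, narrowing it before the first container is defined is the cheap moment to do so: I would replace `capability,` with an explicit list, or at minimum add `deny capability sys_module,` and `deny capability sys_rawio,` if no container is expected to need them. The `#include` lines here also appear with no target in this listing — presumably an extraction artefact, but confirm the installed file still names `abstractions/libvirt-lxc` (or whatever the package ships) before relying on its denies.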
diff --git a/apparmor.d/usr.lib.libvirt.virt-aa-helper b/apparmor.d/usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..aa90ac7
--- /dev/null
+++ b/apparmor.d/usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,88 @@
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include
+
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include
+ #include
+ #include
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+ network inet6,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ /etc/libnl-3/classid r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /{usr/,}sbin/apparmor_parser Ux,
+
+ # for openvswitch
+ /{,var/}run/** rw,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ # nova base images (LP: #907269)
+ /var/lib/nova/images/** r,
+ /var/lib/nova/instances/_base/** r,
+ # nova snapshots (LP: #1244694)
+ /var/lib/nova/instances/snapshots/** r,
+ # nova base/snapshot files in snapped nova (LP: #1644507)
+ /var/snap/nova-hypervisor/common/instances/_base/** r,
+ /var/snap/nova-hypervisor/common/instances/snapshots/** r,
+ # eucalyptus (LP: #564914)
+ /var/lib/eucalyptus/instances/**/disk* r,
+ # eucalyptus loader (LP: #637544)
+ /var/lib/eucalyptus/instances/**/loader* r,
+ # for uvtool
+ /var/lib/uvtool/libvirt/images/** r,
+ # for multipass
+
/var/snap/multipass/common/data/multipassd/vault/instances/** r,
+ /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /{,var/}run/libvirt/**/[sv]d[a-z] r,
+
+ /**.img r,
+ /**.raw r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd
new file mode 100644
index 0000000..cc0f4a5
--- /dev/null
+++ b/apparmor.d/usr.sbin.libvirtd
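Review bot: `/{,var/}run/** rw,` — commented only as "for openvswitch" — gives virt-aa-helper write access to the whole of /run, which is far wider than whatever vswitch socket or state file it presumably needs, and this is the component that turns domain XML into loaded kernel policy via `/{usr/,}sbin/apparmor_parser Ux,` (an unconfined exec), so its own confinement deserves a tighter rule such as `/{,var/}run/openvswitch/** rw,` if that is in fact the only path used — confirm with `aa-logprof` before narrowing. The per-domain profiles it writes via `/etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-… rw,` live under /etc, so etckeeper will commit a new revision every time a VM is defined or its disks change; add `apparmor.d/libvirt/libvirt-*` to /etc/.gitignore if that churn is unwanted. The `#include` lines in this profile likewise show no target in this listing, so verify the installed file still pulls in its abstractions and `local/usr.lib.libvirt.virt-aa-helper` (which this commit creates empty).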
@@ -0,0 +1,133 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include +@{LIBVIRT}="libvirt" + +/usr/sbin/libvirtd flags=(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + + # Needed for vfio + capability sys_resource, + + mount options=(rw,rslave) -> /, + mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + + mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/, + mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/, + mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/, + mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/, + + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/, + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/, + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/, + mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + + ptrace (read,trace) peer=unconfined, + ptrace (read,trace) peer=/usr/sbin/libvirtd, + ptrace (read,trace) peer=/usr/sbin/dnsmasq, + ptrace (read,trace) peer=libvirt-*, + + signal 
(send) peer=/usr/sbin/dnsmasq, + signal (read, send) peer=libvirt-*, + signal (send) set=("kill", "term") peer=unconfined, + + # Since libvirt 4.0 we also need the reverse direction (LP: #1741617) + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=unconfined), + + # required if guests run unconfined seclabel type='none' but libvirtd is confined + signal (read, send) peer=unconfined, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + /usr/sbin/virtlogd pix, + /usr/sbin/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/{lib,lib64}/libvirt/* PUxr, + /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, + /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } + + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/default/libvirt-guests b/default/libvirt-guests new file mode 100644 index 0000000..929e433 --- /dev/null +++ b/default/libvirt-guests 
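Review bot: `/etc/libvirt/hooks/** rmix` and `/etc/xen/scripts/** rmix` execute hook scripts with `ix`, so they inherit this profile's `/** rwmkl` together with `capability sys_admin`, `sys_module` and `dac_override` — a writable file in either directory is a root-equivalent foothold, and AppArmor does nothing to check ownership. Worth confirming those directories and their contents are root-owned and not group- or world-writable, and recording it inline, e.g. `# hook scripts inherit libvirtd's full profile and capabilities; keep /etc/libvirt/hooks root-owned, mode 0755/0644`. The profile itself says it is deliberately lenient, so the effective control is the per-guest `libvirt-<uuid>` profiles entered via `change_profile`; the `unix`/`signal` rules toward `peer=unconfined` exist only for guests running with `seclabel type='none'`, so presumably the qemu security driver should stay set to apparmor rather than none, otherwise guest processes run with no confinement at all. Site additions go in the `local/` include at the end rather than in this packaged file.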
@@ -0,0 +1,50 @@ +# URIs to check for running guests +# example: URIS='default xen:/// vbox+tcp://host/system lxc:///' +#URIS=default + +# action taken on host boot +# - start all guests which were running on shutdown are started on boot +# regardless on their autostart settings +# - ignore libvirt-guests init script won't start any guest on boot, however, +# guests marked as autostart will still be automatically started by +# libvirtd +#ON_BOOT=ignore + +# Number of seconds to wait between each guest start. Set to 0 to allow +# parallel startup. +#START_DELAY=0 + +# action taken on host shutdown +# - suspend all running guests are suspended using virsh managedsave +# - shutdown all running guests are asked to shutdown. Please be careful with +# this settings since there is no way to distinguish between a +# guest which is stuck or ignores shutdown requests and a guest +# which just needs a long time to shutdown. When setting +# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a +# value suitable for your guests. +#ON_SHUTDOWN=shutdown + +# Number of guests will be shutdown concurrently, taking effect when +# "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one +# after another. Number of guests on shutdown at any time will not exceed number +# set in this variable. +PARALLEL_SHUTDOWN=10 + +# Number of seconds we're willing to wait for a guest to shut down. If parallel +# shutdown is enabled, this timeout applies as a timeout for shutting down all +# guests on a single URI defined in the variable URIS. If this is 0, then there +# is no time out (use with caution, as guests might not respond to a shutdown +# request). The default value is 300 seconds (5 minutes). +SHUTDOWN_TIMEOUT=120 + +# If non-zero, try to bypass the file system cache when saving and +# restoring guests, even though this may give slower operation for +# some file systems. +#BYPASS_CACHE=0 + +# If non-zero, try to sync guest time on domain resume. 
Be aware, that
+# this requires guest agent with support for time synchronization
+# running in the guest. For instance, qemu-ga doesn't support guest time
+# synchronization on Windows guests, but Linux ones. By default, this
+# functionality is turned off.
+#SYNC_TIME=1
diff --git a/default/libvirtd b/default/libvirtd
new file mode 100644
index 0000000..042a541
--- /dev/null
+++ b/default/libvirtd
@@ -0,0 +1,17 @@
+# Defaults for libvirtd initscript (/etc/init.d/libvirtd)
+# This is a POSIX shell fragment
+
+# Start libvirtd to handle qemu/kvm:
+start_libvirtd="yes"
+
+# options passed to libvirtd, add "-l" to listen on tcp
+#libvirtd_opts=""
+
+# pass in location of kerberos keytab
+#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
+
+# Whether to mount a systemd like cgroup layout (only
+# useful when not running systemd)
+#mount_cgroups=yes
+# Which cgroups to mount
+#cgroups="memory devices"
diff --git a/default/virtlockd b/default/virtlockd
new file mode 100644
index 0000000..d44dc46
--- /dev/null
+++ b/default/virtlockd
@@ -0,0 +1,3 @@
+#
+# Pass extra arguments to virtlockd
+#VIRTLOCKD_ARGS=
diff --git a/default/virtlogd b/default/virtlogd
new file mode 100644
index 0000000..5886f35
--- /dev/null
+++ b/default/virtlogd
@@ -0,0 +1,3 @@
+#
+# Pass extra arguments to virtlogd
+#VIRTLOGD_ARGS=
diff --git a/dnsmasq.d-available/libvirt-daemon b/dnsmasq.d-available/libvirt-daemon
new file mode 100644
index 0000000..a7c3059
--- /dev/null
+++ b/dnsmasq.d-available/libvirt-daemon
@@ -0,0 +1,2 @@
+bind-interfaces
+except-interface=virbr0
diff --git a/dnsmasq.d/libvirt-daemon b/dnsmasq.d/libvirt-daemon
new file mode 120000
index 0000000..f35fb42
--- /dev/null
+++ b/dnsmasq.d/libvirt-daemon
@@ -0,0 +1 @@
+/etc/dnsmasq.d-available/libvirt-daemon
\ No newline at end of file
diff --git a/group b/group
index fe82e87..7b14a90 100644
--- a/group
+++ b/group
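Review bot: `SHUTDOWN_TIMEOUT=120` is set while `ON_SHUTDOWN` is left at its commented default of `shutdown`, so a guest that ignores or is slow to answer the ACPI request is still running after 120 s and is simply killed when the host powers off — the comment block itself warns that stuck and slow guests cannot be told apart. If any guest on this host lacks an ACPI handler or guest agent, `ON_SHUTDOWN=suspend` (managedsave) is the safer choice; otherwise a one-line comment recording why 120 s was chosen over the 300 s default would help the next person. `PARALLEL_SHUTDOWN=10` also changes what the timeout means: per the comment above it, the 120 s then bounds the whole batch on a URI rather than each guest.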
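Review bot: The comment `# options passed to libvirtd, add "-l" to listen on tcp` understates what `-l` does: it opens the network listener governed by libvirtd.conf, which by default enables only the TLS port (CA and server certificate required) and accepts plaintext TCP only if `listen_tcp` is separately turned on, with SASL mandatory there. Suggest rewording it to `# options passed to libvirtd; "-l" enables the network listener (TLS by default — set up CA/server certs, or SASL for listen_tcp, before using it)`. `start_libvirtd="yes"` is the only live setting; since the init script sources this file with `.`, it must stay root-owned and not group-writable.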
@@ -73,3 +73,6 @@ kvm:x:133: rdma:x:134: _chrony:x:135: gdm:x:118: +libvirt:x:136:frank +libvirt-qemu:x:64055:libvirt-qemu +libvirt-dnsmasq:x:137: diff --git a/group- b/group- index 9686163..c8f9b9b 100644 --- a/group- +++ b/group- @@ -72,3 +72,6 @@ plex:x:963:frank kvm:x:133: rdma:x:134: _chrony:x:135: +gdm:x:118: +libvirt:x:136:frank +libvirt-qemu:x:64055:libvirt-qemu diff --git a/gshadow b/gshadow index a0df27c..8f0268c 100644 --- a/gshadow +++ b/gshadow @@ -73,3 +73,6 @@ kvm:!:: rdma:!:: _chrony:!:: gdm:!:: +libvirt:!::frank +libvirt-qemu:!::libvirt-qemu +libvirt-dnsmasq:!:: diff --git a/gshadow- b/gshadow- index 44bfc4c..4563eee 100644 --- a/gshadow- +++ b/gshadow- @@ -72,3 +72,6 @@ plex:!::frank kvm:!:: rdma:!:: _chrony:!:: +gdm:!:: +libvirt:!::frank +libvirt-qemu:!::libvirt-qemu diff --git a/init.d/libvirt-guests b/init.d/libvirt-guests new file mode 100755 index 0000000..d6c597e --- /dev/null +++ b/init.d/libvirt-guests 
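Review bot: `libvirt:x:136:frank` adds an interactive user to the `libvirt` group, which on this packaging is presumably what grants access to the system libvirtd socket; a member can define and start a guest whose disk is any host block device or file, so this is effectively root on the host and should be treated like sudo membership. Worth recording the decision wherever this host's access grants are tracked, and reviewing it when the user's role changes. `libvirt-qemu` gets the static GID 64055 while `libvirt` and `libvirt-dnsmasq` get dynamic 136/137, which looks like normal Debian packaging, but the static one matters if image directories are shared between hosts. The `group-`/`gshadow-` backups in the following hunks lag by one entry, which is expected for shadow-utils.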
@@ -0,0 +1,632 @@ +#!/bin/sh +# +### BEGIN INIT INFO +# Provides: libvirt-guests +# Required-Start: $remote_fs libvirtd +# Required-Stop: $remote_fs libvirtd +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: suspend/resume libvirt guests on shutdown/boot +# Description: This is a script for suspending active libvirt guests +# on shutdown and resuming them on next boot +# See http://libvirt.org +### END INIT INFO +# +# Copyright (C) 2011-2014 Red Hat, Inc. +# +# This library is free software; you can redistribute it and/or +# modify it under the terms of the GNU Lesser General Public +# License as published by the Free Software Foundation; either +# version 2.1 of the License, or (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public +# License along with this library. If not, see +# . + +sysconfdir=/etc +localstatedir=/var +libvirtd=/usr/sbin/libvirtd + +# Source gettext library. +# Make sure this file is recognized as having translations: _("dummy") +. /usr/bin/gettext.sh + +# Make sure calls to this script get redirected to systemctl when +# using systemd +. /lib/lsb/init-functions + +export TEXTDOMAIN="libvirt" TEXTDOMAINDIR="/usr/share/locale" + +URIS=default +ON_BOOT=ignore +ON_SHUTDOWN=shutdown +SHUTDOWN_TIMEOUT=300 +PARALLEL_SHUTDOWN=0 +START_DELAY=0 +BYPASS_CACHE=0 +CONNECT_RETRIES=10 +RETRIES_SLEEP=1 +SYNC_TIME=0 + +test -f "$sysconfdir"/default/libvirt-guests && + . 
"$sysconfdir"/default/libvirt-guests + +LISTFILE="$localstatedir"/lib/libvirt/libvirt-guests +VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedir"/lock/libvirt-guests + +RETVAL=0 + +# Default URI is not correct in the Xen case as the non-accelerated +# qemu driver also gets initialized. +if [ -f "/proc/xen/capabilities" ]; then + if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then + LIBVIRT_DEFAULT_URI="xen:///" + export LIBVIRT_DEFAULT_URI + fi +fi + +# retval COMMAND ARGUMENTS... +# run command with arguments and convert non-zero return value to 1 and set +# the global return variable +retval() { + "$@" + if [ $? -ne 0 ]; then + RETVAL=1 + return 1 + else + return 0 + fi +} + +# run_virsh URI ARGUMENTS... +# start virsh and let it execute ARGUMENTS on URI +# If URI is "default" virsh is called without the "-c" argument +# (using libvirt's default connection) +run_virsh() { + uri=$1 + shift + + if [ "x$uri" = xdefault ]; then + virsh "$@" /dev/null + if [ $? -eq 0 ]; then + return 0; + fi + sleep ${RETRIES_SLEEP} + eval_gettext "Unable to connect to libvirt currently. Retrying .. \$i" + i=$(($i-1)) + done + eval_gettext "Can't connect to \$uri. Skipping." + echo + return 1 +} + +# list_guests URI PERSISTENT +# List running guests on URI. +# PERSISTENT argument options: +# --persistent: list only persistent guests +# --transient: list only transient guests +# [none]: list both persistent and transient guests +list_guests() { + uri=$1 + persistent=$2 + + list=$(run_virsh_c "$uri" list --uuid $persistent) + if [ $? 
-ne 0 ]; then + RETVAL=1 + return 1 + fi + + echo "$list" | sed "/00000000-0000-0000-0000-000000000000/d" +} + +# guest_name URI UUID +# return name of guest UUID on URI +guest_name() { + uri=$1 + uuid=$2 + + run_virsh "$uri" domname "$uuid" 2>/dev/null +} + +# guest_is_on URI UUID +# check if guest UUID on URI is running +# Result is returned by variable "guest_running" +guest_is_on() { + uri=$1 + uuid=$2 + + guest_running=false + id=$(run_virsh "$uri" domid "$uuid") + if [ $? -ne 0 ]; then + RETVAL=1 + return 1 + fi + + [ -n "$id" ] && [ "x$id" != x- ] && guest_running=true + return 0 +} + +# started +# Create the startup lock file +started() { + touch "$VAR_SUBSYS_LIBVIRT_GUESTS" +} + +# start +# Start or resume the guests +start() { + [ -f "$LISTFILE" ] || { started; return 0; } + + if [ "x$ON_BOOT" != xstart ]; then + gettext "libvirt-guests is configured not to start any guests on boot" + echo + rm -f "$LISTFILE" + started + return 0 + fi + + isfirst=true + bypass= + sync_time=false + test "x$BYPASS_CACHE" = x0 || bypass=--bypass-cache + test "x$SYNC_TIME" = x0 || sync_time=true + while read uri list; do + configured=false + set -f + for confuri in $URIS; do + set +f + if [ "x$confuri" = "x$uri" ]; then + configured=true + break + fi + done + set +f + if ! 
"$configured"; then + eval_gettext "Ignoring guests on \$uri URI"; echo + continue + fi + + test_connect "$uri" || continue + + eval_gettext "Resuming guests on \$uri URI..."; echo + for guest in $list; do + name=$(guest_name "$uri" "$guest") + eval_gettext "Resuming guest \$name: " + if guest_is_on "$uri" "$guest"; then + if "$guest_running"; then + gettext "already active"; echo + else + if "$isfirst"; then + isfirst=false + else + sleep $START_DELAY + fi + retval run_virsh "$uri" start $bypass "$name" \ + >/dev/null && \ + gettext "done"; echo + if "$sync_time"; then + run_virsh "$uri" domtime --sync "$name" >/dev/null + fi + fi + fi + done + done <"$LISTFILE" + + rm -f "$LISTFILE" + started +} + +# suspend_guest URI GUEST +# Do a managed save on a GUEST on URI. This function returns after the guest +# was saved. +suspend_guest() +{ + uri=$1 + guest=$2 + + name=$(guest_name "$uri" "$guest") + label=$(eval_gettext "Suspending \$name: ") + bypass= + slept=0 + test "x$BYPASS_CACHE" = x0 || bypass=--bypass-cache + printf '%s...\n' "$label" + run_virsh "$uri" managedsave $bypass "$guest" >/dev/null & + virsh_pid=$! + while true; do + sleep 1 + kill -0 "$virsh_pid" >/dev/null 2>&1 || break + + slept=$(($slept + 1)) + if [ $(($slept % 5)) -eq 0 ]; then + progress=$(run_virsh_c "$uri" domjobinfo "$guest" 2>/dev/null | \ + awk '/^Data processed:/{print $3, $4}') + if [ -n "$progress" ]; then + printf '%s%s\n' "$label" "$progress" + else + printf '%s%s\n' "$label" "..." + fi + fi + done + retval wait "$virsh_pid" && printf '%s%s\n' "$label" "$(gettext "done")" +} + +# shutdown_guest URI GUEST +# Start an ACPI shutdown of GUEST on URI. This function returns after the guest +# was successfully shutdown or the timeout defined by $SHUTDOWN_TIMEOUT expired. 
+shutdown_guest() +{ + uri=$1 + guest=$2 + + name=$(guest_name "$uri" "$guest") + eval_gettext "Starting shutdown on guest: \$name" + echo + retval run_virsh "$uri" shutdown "$guest" >/dev/null || return + timeout=$SHUTDOWN_TIMEOUT + check_timeout=false + if [ $timeout -gt 0 ]; then + check_timeout=true + format=$(eval_gettext "Waiting for guest %s to shut down, %d seconds left\n") + else + slept=0 + format=$(eval_gettext "Waiting for guest %s to shut down\n") + fi + while ! $check_timeout || [ "$timeout" -gt 0 ]; do + sleep 1 + guest_is_on "$uri" "$guest" || return + "$guest_running" || break + + if $check_timeout; then + if [ $(($timeout % 5)) -eq 0 ]; then + printf "$format" "$name" "$timeout" + fi + timeout=$(($timeout - 1)) + else + slept=$(($slept + 1)) + if [ $(($slept % 5)) -eq 0 ]; then + printf "$format" "$name" + fi + fi + done + + if guest_is_on "$uri" "$guest"; then + if "$guest_running"; then + eval_gettext "Shutdown of guest \$name failed to complete in time." + else + eval_gettext "Shutdown of guest \$name complete." + fi + echo + fi +} + +# shutdown_guest_async URI GUEST +# Start a ACPI shutdown of GUEST on URI. This function returns after the command +# was issued to libvirt to allow parallel shutdown. +shutdown_guest_async() +{ + uri=$1 + guest=$2 + + name=$(guest_name "$uri" "$guest") + eval_gettext "Starting shutdown on guest: \$name" + echo + retval run_virsh "$uri" shutdown "$guest" > /dev/null +} + +# guest_count GUEST_LIST +# Returns number of guests in GUEST_LIST +guest_count() +{ + set -- $1 + echo $# +} + +# check_guests_shutdown URI GUESTS +# check if shutdown is complete on guests in "GUESTS" and returns only +# guests that are still shutting down +# Result is returned in "guests_shutting_down" +check_guests_shutdown() +{ + uri=$1 + guests_to_check=$2 + + guests_shutting_down= + for guest in $guests_to_check; do + if ! guest_is_on "$uri" "$guest" >/dev/null 2>&1; then + eval_gettext "Failed to determine state of guest: \$guest. 
Not tracking it anymore." + echo + continue + fi + if "$guest_running"; then + guests_shutting_down="$guests_shutting_down $guest" + fi + done +} + +# print_guests_shutdown URI BEFORE AFTER +# Checks for differences in the lists BEFORE and AFTER and prints +# a shutdown complete notice for guests that have finished +print_guests_shutdown() +{ + uri=$1 + before=$2 + after=$3 + + for guest in $before; do + case " $after " in + *" $guest "*) continue;; + esac + + name=$(guest_name "$uri" "$guest") + if [ -n "$name" ]; then + eval_gettext "Shutdown of guest \$name complete." + echo + fi + done +} + +# shutdown_guests_parallel URI GUESTS +# Shutdown guests GUESTS on machine URI in parallel +shutdown_guests_parallel() +{ + uri=$1 + guests=$2 + + on_shutdown= + check_timeout=false + timeout=$SHUTDOWN_TIMEOUT + if [ $timeout -gt 0 ]; then + check_timeout=true + format=$(eval_gettext "Waiting for %d guests to shut down, %d seconds left\n") + else + slept=0 + format=$(eval_gettext "Waiting for %d guests to shut down\n") + fi + while [ -n "$on_shutdown" ] || [ -n "$guests" ]; do + while [ -n "$guests" ] && + [ $(guest_count "$on_shutdown") -lt "$PARALLEL_SHUTDOWN" ]; do + set -- $guests + guest=$1 + shift + guests=$* + if [ -z "$(echo $on_shutdown | grep $guest)" ] && + [ -n "$(guest_name "$uri" "$guest")" ]; then + shutdown_guest_async "$uri" "$guest" + on_shutdown="$on_shutdown $guest" + fi + done + sleep 1 + + set -- $guests + guestcount=$# + set -- $on_shutdown + shutdowncount=$# + + if $check_timeout; then + if [ $(($timeout % 5)) -eq 0 ]; then + printf "$format" $(($guestcount + $shutdowncount)) "$timeout" + fi + timeout=$(($timeout - 1)) + if [ $timeout -le 0 ]; then + eval_gettext "Timeout expired while shutting down domains"; echo + RETVAL=1 + return + fi + else + slept=$(($slept + 1)) + if [ $(($slept % 5)) -eq 0 ]; then + printf "$format" $(($guestcount + $shutdowncount)) + fi + fi + + on_shutdown_prev=$on_shutdown + check_guests_shutdown "$uri" "$on_shutdown" + 
on_shutdown="$guests_shutting_down" + print_guests_shutdown "$uri" "$on_shutdown_prev" "$on_shutdown" + done +} + +# stop +# Shutdown or save guests on the configured uris +stop() { + # last stop was not followed by start + [ -f "$LISTFILE" ] && return 0 + + suspending=true + if [ "x$ON_SHUTDOWN" = xshutdown ]; then + suspending=false + if [ $SHUTDOWN_TIMEOUT -lt 0 ]; then + gettext "SHUTDOWN_TIMEOUT must be equal or greater than 0" + echo + RETVAL=6 + return + fi + fi + + : >"$LISTFILE" + set -f + for uri in $URIS; do + set +f + + test_connect "$uri" || continue + + eval_gettext "Running guests on \$uri URI: " + + list=$(list_guests "$uri") + if [ $? -eq 0 ]; then + empty=true + for uuid in $list; do + "$empty" || printf ", " + printf %s "$(guest_name "$uri" "$uuid")" + empty=false + done + + if "$empty"; then + gettext "no running guests." + fi + echo + fi + + if "$suspending"; then + transient=$(list_guests "$uri" "--transient") + if [ $? -eq 0 ]; then + empty=true + for uuid in $transient; do + if "$empty"; then + eval_gettext "Not suspending transient guests on URI: \$uri: " + empty=false + else + printf ", " + fi + printf %s "$(guest_name "$uri" "$uuid")" + done + echo + # reload domain list to contain only persistent guests + list=$(list_guests "$uri" "--persistent") + if [ $? -ne 0 ]; then + eval_gettext "Failed to list persistent guests on \$uri" + echo + RETVAL=1 + set +f + return + fi + else + gettext "Failed to list transient guests" + echo + RETVAL=1 + set +f + return + fi + fi + + if [ -n "$list" ]; then + echo "$uri" $list >>"$LISTFILE" + fi + done + set +f + + if [ -s "$LISTFILE" ]; then + while read uri list; do + if "$suspending"; then + eval_gettext "Suspending guests on \$uri URI..."; echo + else + eval_gettext "Shutting down guests on \$uri URI..."; echo + fi + + if [ "$PARALLEL_SHUTDOWN" -gt 1 ] && + ! 
"$suspending"; then + shutdown_guests_parallel "$uri" "$list" + else + for guest in $list; do + if "$suspending"; then + suspend_guest "$uri" "$guest" + else + shutdown_guest "$uri" "$guest" + fi + done + fi + done <"$LISTFILE" + else + rm -f "$LISTFILE" + fi + + rm -f "$VAR_SUBSYS_LIBVIRT_GUESTS" +} + +# gueststatus +# List status of guests +gueststatus() { + set -f + for uri in $URIS; do + set +f + echo "* $uri URI:" + retval run_virsh "$uri" list | grep -v "Domain-0" || echo + done + set +f +} + +# rh_status +# Display current status: whether saved state exists, and whether start +# has been executed. +rh_status() { + if [ -f "$LISTFILE" ]; then + gettext "stopped, with saved guests"; echo + RETVAL=3 + else + if [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ]; then + gettext "started"; echo + RETVAL=0 + else + gettext "stopped, with no saved guests"; echo + RETVAL=3 + fi + fi +} + +# usage [val] +# Display usage string, then exit with VAL (defaults to 2). +usage() { + program_name=$0 + eval_gettext "Usage: \$program_name {start|stop|status|restart|"\ +"condrestart|try-restart|reload|force-reload|gueststatus|shutdown}"; echo + exit ${1-2} +} + +# See how we were called. +if test $# != 1; then + usage +fi +case "$1" in + --help) + usage 0 + ;; + start|stop|gueststatus) + "$1" + ;; + restart) + stop && start + ;; + condrestart|try-restart) + [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ] && stop && start + ;; + reload|force-reload) + # Nothing to do; we reread configuration on each invocation + ;; + status) + rh_status + ;; + shutdown) + ON_SHUTDOWN=shutdown + stop + ;; + *) + usage + ;; +esac +exit $RETVAL diff --git a/init.d/libvirtd b/init.d/libvirtd new file mode 100755 index 0000000..b6f0fef --- /dev/null +++ b/init.d/libvirtd 
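Review bot: In `shutdown_guest`, when the ACPI shutdown has not finished by `SHUTDOWN_TIMEOUT` the script only prints `Shutdown of guest \$name failed to complete in time.` and leaves `RETVAL` untouched, so `stop` exits 0 and the host keeps powering off with the guest still running; `shutdown_guests_parallel` does set `RETVAL=1` on timeout, so the sequential path is inconsistent with it. Suggest adding `RETVAL=1` directly after that eval_gettext in the `if "$guest_running"` branch. Separately, the `run_virsh`/`test_connect` region near the top of the hunk reads as `virsh "$@" /dev/null` with `run_virsh_c` never defined, which looks like redirections and any text between angle brackets were stripped when this page was rendered — compare against the installed /etc/init.d/libvirt-guests before reviewing that logic.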
@@ -0,0 +1,232 @@ +#! /bin/sh +# +# Init script for libvirtd +# +# (c) 2007 Guido Guenther +# based on the skeletons that comes with dh_make +# +### BEGIN INIT INFO +# Provides: libvirtd +# Required-Start: $network $local_fs $remote_fs $syslog virtlogd +# Required-Stop: $local_fs $remote_fs $syslog virtlogd +# Should-Start: avahi-daemon cgconfig +# Should-Stop: avahi-daemon cgconfig +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: libvirt management daemon +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +export PATH +DAEMON=/usr/sbin/libvirtd +NAME=libvirtd +DESC="libvirt management daemon" +cgroups="cpuset cpu cpuacct devices freezer net_cls blkio perf_event" +! grep -qs cgroup_enable=memory /proc/cmdline || cgroups="$cgroups memory" + +test -x $DAEMON || exit 0 +. /lib/lsb/init-functions + +PIDFILE=/var/run/$NAME.pid +DODTIME=1 # Time to wait for the server to die, in seconds + +# Include libvirtd defaults if available +if [ -f /etc/default/libvirtd ] ; then + . /etc/default/libvirtd +fi + +check_start_libvirtd_option() { + if [ ! "$start_libvirtd" = "yes" ]; then + log_warning_msg "Not starting libvirt management daemon libvirtd, disabled via /etc/default/libvirtd" + return 1 + else + return 0 + fi +} + +running_pid() +{ + # Check if a given process pid's cmdline matches a given name + pid=$1 + name=$2 + [ -z "$pid" ] && return 1 + [ ! -d /proc/$pid ] && return 1 + cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` + # Is this the expected child? + [ "$cmd" != "$name" ] && return 1 + return 0 +} + +running() +{ +# Check if the process is running looking at /proc +# (works for all users) + # No pidfile, probably no daemon present + [ ! 
-f "$PIDFILE" ] && return 1 + # Obtain the pid and check it against the binary name + pid=`cat $PIDFILE` + running_pid $pid $DAEMON || return 1 + return 0 +} + +systemd_running() +{ + if [ -d /run/systemd/system ] ; then + return 0 + fi + return 1 +} + +mount_cgroups() +{ + if ! systemd_running + then + mount -t tmpfs cgroup_root /sys/fs/cgroup || return 1 + for M in $cgroups; do + mkdir /sys/fs/cgroup/$M || return 1 + mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,$M "cgroup_${M}" "/sys/fs/cgroup/${M}" || return 1 + done + else + log_warning_msg "Systemd running, skipping cgroup mount." + fi + +} + +umount_cgroups() +{ + if ! systemd_running + then + for M in $cgroups; do + umount "cgroup_${M}" + rmdir /sys/fs/cgroup/$M + done + umount cgroup_root + else + log_warning_msg "Systemd running, skipping cgroup mount." + fi +} + +check_mount_cgroup_options() { + if [ ! "$mount_cgroups" = "yes" ]; then + return 1 + else + return 0 + fi +} + +force_stop() { +# Forcefully kill the process + [ ! -f "$PIDFILE" ] && return + if running ; then + kill -15 $pid + # Is it really dead? + [ -n "$DODTIME" ] && sleep "$DODTIME"s + if running ; then + kill -9 $pid + [ -n "$DODTIME" ] && sleep "$DODTIME"s + if running ; then + echo "Cannot kill $LABEL (pid=$pid)!" + exit 1 + fi + fi + fi + rm -f $PIDFILE + return 0 +} + +case "$1" in + start) + if check_start_libvirtd_option; then + log_daemon_msg "Starting $DESC" "$NAME" + if running ; then + log_progress_msg "already running" + log_end_msg 0 + exit 0 + fi + rm -f /var/run/libvirtd.pid + if check_mount_cgroup_options; then + if ! mount_cgroups;then + log_warning_msg "Can not mount cgroups layout" + exit 1 + fi + fi + start-stop-daemon --start --quiet --pidfile $PIDFILE \ + --exec $DAEMON -- -d $libvirtd_opts + if running; then + log_end_msg 0 + else + log_end_msg 1 + fi + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + if ! 
running ; then + log_progress_msg "not running" + log_end_msg 0 + exit 0 + fi + if check_mount_cgroup_options; then + umount_cgroups + fi + start-stop-daemon --stop --quiet --pidfile $PIDFILE \ + --exec $DAEMON + log_end_msg 0 + ;; + force-stop) + log_daemon_msg "Forcefully stopping $DESC" "$NAME" + force_stop + if ! running; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + restart) + if check_start_libvirtd_option; then + log_daemon_msg "Restarting $DESC" "$DAEMON" + start-stop-daemon --oknodo --stop --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON + [ -n "$DODTIME" ] && sleep $DODTIME + start-stop-daemon --start --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts + if running; then + log_end_msg 0 + else + log_end_msg 1 + fi + fi + ;; + reload|force-reload) + if running; then + log_daemon_msg "Reloading configuration of $DESC" "$NAME" + start-stop-daemon --stop --signal 1 --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON + log_end_msg 0 + else + log_warning_msg "libvirtd not running, doing nothing." + fi + ;; + status) + log_daemon_msg "Checking status of $DESC" "$NAME" + if running ; then + log_progress_msg "running" + log_end_msg 0 + else + log_progress_msg "not running" + log_end_msg 1 + if [ -f "$PIDFILE" ] ; then + exit 1 + else + exit 3 + fi + fi + ;; + *) + N=/etc/init.d/libvirtd + echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/init.d/virtlogd b/init.d/virtlogd new file mode 100755 index 0000000..61157b5 --- /dev/null +++ b/init.d/virtlogd 
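Review bot: `force_stop` reports `Cannot kill $LABEL (pid=$pid)!`, but `LABEL` is never assigned anywhere in the script (the daemon is identified by `NAME` and `DESC`), so the message prints an empty name; change it to `echo "Cannot kill $NAME (pid=$pid)!"`. On that path the `exit 1` also skips `rm -f $PIDFILE`, which is fine since the process is still alive, but the message should say which one. Minor style point: `stop`, `restart` and `reload` spell out `/var/run/$NAME.pid` while `$PIDFILE` already holds that value, so using the variable throughout would keep the location in one place.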
@@ -0,0 +1,161 @@ +#! /bin/sh +# +# Init script for virtlogd +# +# (c) 2015 Guido Guenther +# based on the skeletons that comes with dh_make +# +### BEGIN INIT INFO +# Provides: virtlogd +# Required-Start: $local_fs $remote_fs $syslog +# Required-Stop: $local_fs $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Libvirt logging daemon +### END INIT INFO + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin +export PATH +DAEMON=/usr/sbin/virtlogd +NAME=virtlogd +DESC="libvirt logging daemon" + +test -x $DAEMON || exit 0 +. /lib/lsb/init-functions + +PIDFILE=/var/run/$NAME.pid +DODTIME=1 # Time to wait for the server to die, in seconds + +# Include libvirtd defaults if available +if [ -f /etc/default/virtlogd ] ; then + . /etc/default/virtlogd +fi + +running_pid() +{ + # Check if a given process pid's cmdline matches a given name + pid=$1 + name=$2 + [ -z "$pid" ] && return 1 + [ ! -d /proc/$pid ] && return 1 + cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1` + # Is this the expected child? + [ "$cmd" != "$name" ] && return 1 + return 0 +} + +running() +{ +# Check if the process is running looking at /proc +# (works for all users) + # No pidfile, probably no daemon present + [ ! -f "$PIDFILE" ] && return 1 + # Obtain the pid and check it against the binary name + pid=`cat $PIDFILE` + running_pid $pid $DAEMON || return 1 + return 0 +} + +force_stop() { +# Forcefully kill the process + [ ! -f "$PIDFILE" ] && return + if running ; then + kill -15 $pid + # Is it really dead? + [ -n "$DODTIME" ] && sleep "$DODTIME"s + if running ; then + kill -9 $pid + [ -n "$DODTIME" ] && sleep "$DODTIME"s + if running ; then + echo "Cannot kill $LABEL (pid=$pid)!" 
+ exit 1 + fi + fi + fi + rm -f $PIDFILE + return 0 +} + +case "$1" in + start) + log_daemon_msg "Starting $DESC" "$NAME" + if running ; then + log_progress_msg "already running" + log_end_msg 0 + exit 0 + fi + rm -f $PIDFILE + start-stop-daemon --start --quiet --pidfile $PIDFILE \ + --exec $DAEMON -- -d $VIRTLOGD_ARGS + if running; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + if ! running ; then + log_progress_msg "not running" + log_end_msg 0 + exit 0 + fi + start-stop-daemon --stop --quiet --pidfile $PIDFILE \ + --exec $DAEMON + log_end_msg 0 + ;; + force-stop) + log_daemon_msg "Forcefully stopping $DESC" "$NAME" + force_stop + if ! running; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + restart) + log_daemon_msg "Restarting $DESC" "$DAEMON" + start-stop-daemon --oknodo --stop --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON + [ -n "$DODTIME" ] && sleep $DODTIME + start-stop-daemon --start --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts + if running; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + reload|force-reload) + if running; then + log_daemon_msg "Reloading configuration of $DESC" "$NAME" + start-stop-daemon --stop --signal 1 --quiet --pidfile \ + /var/run/$NAME.pid --exec $DAEMON + log_end_msg 0 + else + log_warning_msg "libvirtd not running, doing nothing." + fi + ;; + status) + log_daemon_msg "Checking status of $DESC" "$NAME" + if running ; then + log_progress_msg "running" + log_end_msg 0 + else + log_progress_msg "not running" + log_end_msg 1 + if [ -f "$PIDFILE" ] ; then + exit 1 + else + exit 3 + fi + fi + ;; + *) + N=/etc/init.d/libvirtd + echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/libvirt/libvirt-admin.conf b/libvirt/libvirt-admin.conf new file mode 100644 index 0000000..d7cf12a --- /dev/null +++ b/libvirt/libvirt-admin.conf 
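Review bot: The `restart` branch starts the daemon with `-- -d $libvirtd_opts`, but this script sources only /etc/default/virtlogd and its `start` branch uses `$VIRTLOGD_ARGS`, so a restart silently drops any configured virtlogd arguments (and would pick up a stray `libvirtd_opts` from the environment instead); change that line to `/var/run/$NAME.pid --exec $DAEMON -- -d $VIRTLOGD_ARGS`. The copy-paste lineage also leaves `Cannot kill $LABEL` (undefined; should be `$NAME`), the reload message `libvirtd not running, doing nothing.` and the usage line `N=/etc/init.d/libvirtd`, all of which should name virtlogd. Those are cosmetic; the restart one changes runtime behaviour.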
@@ -0,0 +1,16 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt admin connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "admin=libvirtd:///system",
+#]
+
+# This specifies the default location the client tries to connect to if no other
+# URI is provided by the application
+
+#uri_default = "libvirtd:///system"
diff --git a/libvirt/libvirt.conf b/libvirt/libvirt.conf
new file mode 100644
index 0000000..da4dfbe
--- /dev/null
+++ b/libvirt/libvirt.conf
@@ -0,0 +1,18 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "hail=qemu+ssh://root@hail.cloud.example.com/system",
+# "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+#uri_default = "qemu:///system"
diff --git a/libvirt/libvirtd.conf b/libvirt/libvirtd.conf
new file mode 100644
index 0000000..04a2fdf
--- /dev/null
+++ b/libvirt/libvirtd.conf
@@ -0,0 +1,468 @@ +# Master libvirt daemon configuration file +# +# For further information consult https://libvirt.org/format.html +# +# NOTE: the tests/daemon-conf regression test script requires +# that each "PARAMETER = VALUE" line in this file have the parameter +# name just after a leading "#". + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +#listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +#tcp_port = "16509" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# If the libvirtd service is started in parallel with network +# startup (e.g. with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" + + +# Flag toggling mDNS advertizement of the libvirt service. 
+# +# Alternatively can disable for all services on a host by +# stopping the Avahi daemon +# +# This is disabled by default, uncomment this to enable it +#mdns_adv = 1 + +# Override the default mDNS advertizement name. This must be +# unique on the immediate broadcast network. +# +# The default is "Virtualization Host HOSTNAME", where HOSTNAME +# is substituted for the short hostname of the machine (without domain) +# +#mdns_name = "Virtualization Host Joe Demo" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This is restricted to 'root' by default. +unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. +#unix_sock_dir = "/var/run/libvirt" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. 
This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. 
+# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. 
Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# A whitelist of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. 
+#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# Note: Journald may employ rate limiting of the messages logged +# and thus lock up the libvirt daemon. To use the debug level with +# journald you have to specify it explicitly in 'log_outputs', otherwise +# only information level messages will be logged. 
+#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs +# The format for a filter is one of: +# x:name +# x:+name + +# where name is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json" (the name in the +# filter can be a substring of the full category name, in order +# to match multiple similar categories), the optional "+" prefix +# tells libvirt to log stack trace for each message matching +# name, and x is the minimal level where matching messages should +# be logged: + +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @filters, they just need to be +# separated by spaces. +# +# e.g. to only get warning or errors from the remote layer and only errors +# from the event layer: +#log_filters="3:remote 4:event" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# x:stderr +# output goes to stderr +# x:syslog:name +# use syslog for the output and use the given name as the ident +# x:file:file_path +# output to a file, with the given filepath +# x:journald +# output to journald logging system +# In all case the x prefix is the minimal level, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" +# + +# Log debug buffer size: +# +# This configuration option is no longer used, since the global +# log buffer functionality has been removed. Please configure +# suitable log_outputs/log_filters settings to obtain logs. 
+#log_buffer_size = 64 + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. 
In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 diff --git a/libvirt/libxl-lockd.conf b/libvirt/libxl-lockd.conf new file mode 100644 index 0000000..fa43760 --- /dev/null +++ b/libvirt/libxl-lockd.conf 
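Review bot: With `auth_unix_rw = "none"`, `unix_sock_rw_perms = "0770"` and `unix_sock_group = "libvirt"` uncommented together, membership in the `libvirt` group is the only gate on the read-write socket, and `access_drivers` is left at its `nop` default, so nothing is checked once a client has connected; a member of that group can define a domain that attaches arbitrary host block devices or files, which is root-equivalent on this host, so the group should be treated like sudo membership. The read-only socket is also left at `unix_sock_ro_perms = "0777"` with `auth_unix_ro = "none"`, which lets every local account enumerate and inspect domain definitions — either set `unix_sock_ro_perms = "0770"` or `auth_unix_ro = "polkit"` if that exposure is not intended. If per-API restrictions are wanted for some group members, `access_drivers = [ "polkit" ]` is the hook for it. `listen_tls` defaulting to on only matters if `--listen` is passed in /etc/default/libvirtd, which is outside this hunk; worth confirming that file does not enable it unintentionally since no `tls_allowed_dn_list` is configured here.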
@@ -0,0 +1,67 @@ +# +# The default lockd behaviour is to acquire locks directly +# against each configured disk file / block device. If the +# application wishes to instead manually manage leases in +# the guest XML, then this parameter can be disabled +# +#auto_disk_leases = 0 + +# +# Flag to determine whether we allow starting of guests +# which do not have any elements defined in their +# configuration. +# +# If 'auto_disk_leases' is disabled, this setting defaults +# to enabled, otherwise it defaults to disabled. +# +#require_lease_for_disks = 1 + + +# +# The default lockd behaviour is to use the "direct" +# lockspace, where the locks are acquired against the +# actual file paths associated with the devices. +# +# Setting a directory here causes lockd to use "indirect" +# lockspace, where a hash of the file path is +# used to create a file in the lockspace directory. The +# locks are then held on these hash files instead. +# +# This can be useful if the file paths refer to block +# devices which are shared, since /dev fcntl() locks +# don't propagate across hosts. It is also useful if +# the filesystem does not support fcntl() locks. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#file_lockspace_dir = "/var/lib/libvirt/lockd/files" + + +# +# When using LVM volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. Setting this path causes libvirt to +# do UUID based locking for LVM. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes" + + +# +# When using SCSI volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. 
Setting this path causes libvirt to +# do UUID based locking for SCSI. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes" diff --git a/libvirt/libxl.conf b/libvirt/libxl.conf new file mode 100644 index 0000000..264af7c --- /dev/null +++ b/libvirt/libxl.conf 
@@ -0,0 +1,43 @@ +# Master configuration file for the libxl driver. +# All settings described here are optional. If omitted, sensible +# defaults are used. + +# Enable autoballooning of domain0 +# +# By default, autoballooning of domain0 is enabled unless its memory +# is already limited with Xen's "dom0_mem=" parameter, in which case +# autoballooning is disabled. Override the default behavior with the +# autoballoon setting. +# +#autoballoon = 1 + + +# In order to prevent accidentally starting two domains that +# share one writable disk, libvirt offers two approaches for +# locking files: sanlock and virtlockd. sanlock is an external +# project which libvirt integrates with via the libvirt-lock-sanlock +# package. virtlockd is a libvirt implementation that is enabled with +# "lockd". Accepted values are "sanlock" and "lockd". +# +#lock_manager = "lockd" + + +# Keepalive protocol: +# This allows the libxl driver to detect broken connections to the +# remote libvirtd during peer-to-peer migration. A keepalive message +# is sent to the daemon after keepalive_interval seconds of inactivity +# to check if the daemon is still responding; keepalive_count is a +# maximum number of keepalive messages that are allowed to be sent to +# the daemon without getting any response before the connection is +# considered broken. In other words, the connection is automatically +# closed after approximately keepalive_interval * (keepalive_count + 1) +# seconds since the last message was received from the daemon. If +# keepalive_interval is set to -1, the libxl driver will not send +# keepalive requests during peer-to-peer migration; however, the remote +# libvirtd can still send them and source libvirtd will send responses. +# When keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without sending +# any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 
diff --git a/libvirt/lxc.conf b/libvirt/lxc.conf new file mode 100644 index 0000000..318a536 --- /dev/null +++ b/libvirt/lxc.conf @@ -0,0 +1,31 @@ +# Master configuration file for the LXC driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# By default, log messages generated by the lxc controller go to the +# container logfile. It is also possible to accumulate log messages +# from all lxc controllers along with libvirtd's log outputs. In this +# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or +# log_outputs from libvirtd.conf. +# +# This is disabled by default, uncomment below to enable it. +# +#log_with_libvirtd = 1 + + +# The default security driver is SELinux. If SELinux is disabled +# on the host, then the security driver will automatically disable +# itself. If you wish to disable LXC SELinux security driver while +# leaving SELinux enabled for the host in general, then set this +# to 'none' instead. +# +#security_driver = "selinux" + +# If set to non-zero, then the default security labeling +# will make guests confined. If set to zero, then guests +# will be unconfined by default. Defaults to 0. +#security_default_confined = 1 + +# If set to non-zero, then attempts to create unconfined +# guests will be blocked. Defaults to 0. +#security_require_confined = 1 diff --git a/libvirt/nwfilter/allow-arp.xml b/libvirt/nwfilter/allow-arp.xml new file mode 100644 index 0000000..c19bce5 --- /dev/null +++ b/libvirt/nwfilter/allow-arp.xml @@ -0,0 +1,11 @@ + + + + 49cdc163-2256-41bf-a493-83dd68636f4a + + diff --git a/libvirt/nwfilter/allow-dhcp-server.xml b/libvirt/nwfilter/allow-dhcp-server.xml new file mode 100644 index 0000000..cb30c59 --- /dev/null +++ b/libvirt/nwfilter/allow-dhcp-server.xml @@ -0,0 +1,16 @@ + + + + b45a2be5-4de7-41e5-9bf7-529cedb55419 + + + + + + + diff --git a/libvirt/nwfilter/allow-dhcp.xml b/libvirt/nwfilter/allow-dhcp.xml new file mode 100644 index 0000000..ea1f2e2 --- /dev/null 
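Review bot: `security_default_confined` and `security_require_confined` are left commented at their documented default of 0, so, per the file's own text, any LXC guest whose XML does not carry an explicit seclabel runs unconfined by the security driver, and nothing blocks a guest from being created that way. If the LXC driver is used on this host at all, set `security_default_confined = 1` and `security_require_confined = 1` so confinement is the default and opt-out is refused. The header comment saying the default driver is SELinux is upstream text; on a Debian/Ubuntu build the effective driver is presumably AppArmor, so verify which driver is actually active before relying on these settings.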
+++ b/libvirt/nwfilter/allow-dhcp.xml @@ -0,0 +1,16 @@ + + + + fcce2359-479a-48f1-91b8-4ced48a02bac + + + + + + + diff --git a/libvirt/nwfilter/allow-incoming-ipv4.xml b/libvirt/nwfilter/allow-incoming-ipv4.xml new file mode 100644 index 0000000..16fe186 --- /dev/null +++ b/libvirt/nwfilter/allow-incoming-ipv4.xml @@ -0,0 +1,11 @@ + + + + 4c4ef777-1f4b-4f41-836b-551e6ba7bbfe + + diff --git a/libvirt/nwfilter/allow-ipv4.xml b/libvirt/nwfilter/allow-ipv4.xml new file mode 100644 index 0000000..a4c37e8 --- /dev/null +++ b/libvirt/nwfilter/allow-ipv4.xml @@ -0,0 +1,11 @@ + + + + f00ad379-eac4-4b69-a6e7-b9e1883204a1 + + diff --git a/libvirt/nwfilter/clean-traffic.xml b/libvirt/nwfilter/clean-traffic.xml new file mode 100644 index 0000000..6458c2b --- /dev/null +++ b/libvirt/nwfilter/clean-traffic.xml @@ -0,0 +1,22 @@ + + + + cc37ae21-ce67-427f-8fe6-59ca5a382055 + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-ip-spoofing.xml b/libvirt/nwfilter/no-arp-ip-spoofing.xml new file mode 100644 index 0000000..a463f46 --- /dev/null +++ b/libvirt/nwfilter/no-arp-ip-spoofing.xml @@ -0,0 +1,14 @@ + + + + e48edfe6-0f22-4dae-92b3-e30d65d0ffe9 + + + + + diff --git a/libvirt/nwfilter/no-arp-mac-spoofing.xml b/libvirt/nwfilter/no-arp-mac-spoofing.xml new file mode 100644 index 0000000..b0d6e7a --- /dev/null +++ b/libvirt/nwfilter/no-arp-mac-spoofing.xml @@ -0,0 +1,14 @@ + + + + 0cacea96-9a8e-44f9-a538-06f0b16d9633 + + + + + diff --git a/libvirt/nwfilter/no-arp-spoofing.xml b/libvirt/nwfilter/no-arp-spoofing.xml new file mode 100644 index 0000000..83dc61d --- /dev/null +++ b/libvirt/nwfilter/no-arp-spoofing.xml @@ -0,0 +1,12 @@ + + + + cc007e40-3015-4666-918c-a985b28f61c4 + + + diff --git a/libvirt/nwfilter/no-ip-multicast.xml b/libvirt/nwfilter/no-ip-multicast.xml new file mode 100644 index 0000000..46963a5 --- /dev/null +++ b/libvirt/nwfilter/no-ip-multicast.xml @@ -0,0 +1,13 @@ + + + + d9a3c4e8-6f6e-414c-aa69-d4f39de10f8c + + + + 
diff --git a/libvirt/nwfilter/no-ip-spoofing.xml b/libvirt/nwfilter/no-ip-spoofing.xml new file mode 100644 index 0000000..f64c0da --- /dev/null +++ b/libvirt/nwfilter/no-ip-spoofing.xml @@ -0,0 +1,17 @@ + + + + c4328ea7-72e0-4b6e-8ff1-98cdd1dcd6f6 + + + + + + + + diff --git a/libvirt/nwfilter/no-mac-broadcast.xml b/libvirt/nwfilter/no-mac-broadcast.xml new file mode 100644 index 0000000..958daf1 --- /dev/null +++ b/libvirt/nwfilter/no-mac-broadcast.xml @@ -0,0 +1,13 @@ + + + + 1c1e0a7f-9def-4601-8062-e6206d3f500c + + + + diff --git a/libvirt/nwfilter/no-mac-spoofing.xml b/libvirt/nwfilter/no-mac-spoofing.xml new file mode 100644 index 0000000..c20a30b --- /dev/null +++ b/libvirt/nwfilter/no-mac-spoofing.xml @@ -0,0 +1,16 @@ + + + + bbc85970-2e86-487a-969b-24eb96a29793 + + + + + + + diff --git a/libvirt/nwfilter/no-other-l2-traffic.xml b/libvirt/nwfilter/no-other-l2-traffic.xml new file mode 100644 index 0000000..9111fb3 --- /dev/null +++ b/libvirt/nwfilter/no-other-l2-traffic.xml @@ -0,0 +1,11 @@ + + + + 79adc489-a486-4d83-ae77-9cfc76357bcf + + diff --git a/libvirt/nwfilter/no-other-rarp-traffic.xml b/libvirt/nwfilter/no-other-rarp-traffic.xml new file mode 100644 index 0000000..ca7d2fb --- /dev/null +++ b/libvirt/nwfilter/no-other-rarp-traffic.xml @@ -0,0 +1,11 @@ + + + + 5e268392-e9bd-46fa-80fa-caedd8636615 + + diff --git a/libvirt/nwfilter/qemu-announce-self-rarp.xml b/libvirt/nwfilter/qemu-announce-self-rarp.xml new file mode 100644 index 0000000..b8e8aaf --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self-rarp.xml @@ -0,0 +1,16 @@ + + + + a2830f77-47f7-4124-b1bb-3a1a24499e81 + + + + + + + diff --git a/libvirt/nwfilter/qemu-announce-self.xml b/libvirt/nwfilter/qemu-announce-self.xml new file mode 100644 index 0000000..57f292a --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self.xml @@ -0,0 +1,15 @@ + + + + 9f30a1dc-a9f0-4968-8d08-ca1d18ec8063 + + + + + + 
diff --git a/libvirt/qemu-lockd.conf b/libvirt/qemu-lockd.conf new file mode 100644 index 0000000..fa43760 --- /dev/null +++ b/libvirt/qemu-lockd.conf 
@@ -0,0 +1,67 @@ +# +# The default lockd behaviour is to acquire locks directly +# against each configured disk file / block device. If the +# application wishes to instead manually manage leases in +# the guest XML, then this parameter can be disabled +# +#auto_disk_leases = 0 + +# +# Flag to determine whether we allow starting of guests +# which do not have any elements defined in their +# configuration. +# +# If 'auto_disk_leases' is disabled, this setting defaults +# to enabled, otherwise it defaults to disabled. +# +#require_lease_for_disks = 1 + + +# +# The default lockd behaviour is to use the "direct" +# lockspace, where the locks are acquired against the +# actual file paths associated with the devices. +# +# Setting a directory here causes lockd to use "indirect" +# lockspace, where a hash of the file path is +# used to create a file in the lockspace directory. The +# locks are then held on these hash files instead. +# +# This can be useful if the file paths refer to block +# devices which are shared, since /dev fcntl() locks +# don't propagate across hosts. It is also useful if +# the filesystem does not support fcntl() locks. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#file_lockspace_dir = "/var/lib/libvirt/lockd/files" + + +# +# When using LVM volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. Setting this path causes libvirt to +# do UUID based locking for LVM. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes" + + +# +# When using SCSI volumes that can be visible across +# multiple, it is desirable to do locking based on +# the unique UUID associated with each volume, instead +# of their paths. 
Setting this path causes libvirt to +# do UUID based locking for SCSI. +# +# Typically this directory would be located on a shared +# filesystem visible to all hosts accessing the same +# storage. +# +#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes" diff --git a/libvirt/qemu-sanlock.conf b/libvirt/qemu-sanlock.conf new file mode 100644 index 0000000..3c356be --- /dev/null +++ b/libvirt/qemu-sanlock.conf 
@@ -0,0 +1,69 @@ +# +# The default sanlock configuration requires the management +# application to manually define elements in the +# guest configuration, typically one lease per disk. An +# alternative is to enable "auto disk lease" mode. In this +# usage, libvirt will automatically create a lockspace and +# lease for each fully qualified disk path. This works if +# you are able to ensure stable, unique disk paths across +# all hosts in a network. +# +# Uncomment this to enable automatic lease creation. +# +# NB: the 'host_id' parameter must be set if enabling this +# +#auto_disk_leases = 1 + +# +# The default location in which lockspaces are created when +# automatic lease creation is enabled. For each unique disk +# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created +# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path. +# +# If this directory is on local storage, it will only protect +# against a VM being started twice on the same host, or two +# guests on the same host using the same disk path. If the +# directory is on NFS, then it can protect against concurrent +# usage across all hosts which have the share mounted. +# +# Recommendation is to just mount this default location as +# an NFS volume. Uncomment this, if you would prefer the mount +# point to be somewhere else. Moreover, please make sure +# sanlock daemon can access the specified path. +# +#disk_lease_dir = "/var/lib/libvirt/sanlock" + +# +# The unique ID for this host. +# +# IMPORTANT: *EVERY* host which can access the filesystem mounted +# at 'disk_lease_dir' *MUST* be given a different host ID. +# +# This parameter has no default and must be manually set if +# 'auto_disk_leases' is enabled +#host_id = 1 + +# +# Flag to determine whether we allow starting of guests +# which do not have any elements defined in their +# configuration. +# +# If 'auto_disk_leases' is disabled, this setting defaults +# to enabled, otherwise it defaults to disabled. 
+# +#require_lease_for_disks = 1 + +# +# Sanlock is able to kill qemu processes on IO timeout. By its internal +# implementation, the current default is 80 seconds. If you need to adjust +# the value change the following variable. Value of zero means use the +# default sanlock timeout. +#io_timeout = 0 + +# +# The combination of user and group under which the sanlock +# daemon runs. Libvirt will chown created files (like +# content of disk_lease_dir) to make sure sanlock daemon can +# access them. Accepted values are described in qemu.conf. +#user = "root" +#group = "root" diff --git a/libvirt/qemu.conf b/libvirt/qemu.conf new file mode 100644 index 0000000..62c4265 --- /dev/null +++ b/libvirt/qemu.conf 
@@ -0,0 +1,783 @@ +# Master configuration file for the QEMU driver. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# Use of TLS requires that x509 certificates be issued. The default is +# to keep them in /etc/pki/qemu. This directory must contain +# +# ca-cert.pem - the CA master certificate +# server-cert.pem - the server certificate signed with ca-cert.pem +# server-key.pem - the server private key +# +# and optionally may contain +# +# dh-params.pem - the DH params configuration file +# +# If the directory does not exist, libvirtd will fail to start. If the +# directory doesn't contain the necessary files, QEMU domains will fail +# to start if they are configured to use TLS. +# +# In order to overwrite the default path alter the following. This path +# definition will be used as the default path for other *_tls_x509_cert_dir +# configuration settings if their default path does not exist or is not +# specifically set. +# +#default_tls_x509_cert_dir = "/etc/pki/qemu" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client who does not have a +# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem +# +# The default_tls_x509_cert_dir directory must also contain +# +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +#default_tls_x509_verify = 1 + +# +# Libvirt assumes the server-key.pem file is unencrypted by default. +# To use an encrypted server-key.pem file, the password to decrypt +# the PEM file is required. This can be provided by creating a secret +# object in libvirt and then to uncomment this setting to set the UUID +# of the secret. 
+# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# VNC is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, uncomment +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +#vnc_listen = "0.0.0.0" + +# Enable this option to have VNC served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine, though most VNC clients do not support it. +# +# This will only be enabled for VNC configurations that have listen +# type=address but without any address specified. This setting takes +# preference over vnc_listen. +# +#vnc_auto_unix_socket = 1 + +# Enable use of TLS encryption on the VNC server. This requires +# a VNC client which supports the VeNCrypt protocol extension. +# Examples include vinagre, virt-viewer, virt-manager and vencrypt +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#vnc_tls = 1 + + +# In order to override the default TLS certificate location for +# vnc certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but vnc_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. 
+# +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". +# +#vnc_tls_x509_verify = 1 + + +# The default VNC password. Only 8 bytes are significant for +# VNC passwords. This parameter is only used if the per-domain +# XML config does not already provide a password. To allow +# access without passwords, leave this commented out. An empty +# string will still enable passwords, but be rejected by QEMU, +# effectively preventing any use of VNC. Obviously change this +# example here before you set this. +# +#vnc_password = "XYZ12345" + + +# Enable use of SASL encryption on the VNC server. This requires +# a VNC client which supports the SASL protocol extension. +# Examples include vinagre, virt-viewer and virt-manager +# itself. UltraVNC, RealVNC, TightVNC do not support this +# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +#vnc_sasl = 1 + + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +#vnc_sasl_dir = "/some/directory/sasl2" + + +# QEMU implements an extension for providing audio over a VNC connection, +# though if your VNC client does not support it, your only chance for getting +# sound output is through regular audio backends. By default, libvirt will +# disable all QEMU sound backends if using VNC, since they can cause +# permissions issues. Enabling this option will make libvirtd honor the +# QEMU_AUDIO_DRV environment variable when using VNC. 
+# +#vnc_allow_host_audio = 0 + + + +# SPICE is configured to listen on 127.0.0.1 by default. +# To make it listen on all public interfaces, uncomment +# this next option. +# +# NB, strong recommendation to enable TLS + x509 certificate +# verification when allowing public access +# +#spice_listen = "0.0.0.0" + + +# Enable use of TLS encryption on the SPICE server. +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#spice_tls = 1 + + +# In order to override the default TLS certificate location for +# spice certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but spice_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" + + +# Enable this option to have SPICE served over an automatically created +# unix socket. This prevents unprivileged access from users on the +# host machine. +# +# This will only be enabled for SPICE configurations that have listen +# type=address but without any address specified. This setting takes +# preference over spice_listen. +# +#spice_auto_unix_socket = 1 + + +# The default SPICE password. This parameter is only used if the +# per-domain XML config does not already provide a password. To +# allow access without passwords, leave this commented out. An +# empty string will still enable passwords, but be rejected by +# QEMU, effectively preventing any use of SPICE. Obviously change +# this example here before you set this. +# +#spice_password = "XYZ12345" + + +# Enable use of SASL encryption on the SPICE server. This requires +# a SPICE client which supports the SASL protocol extension. 
+# +# It is necessary to configure /etc/sasl2/qemu.conf to choose +# the desired SASL plugin (eg, GSSPI for Kerberos) +# +#spice_sasl = 1 + +# The default SASL configuration file is located in /etc/sasl2/ +# When running libvirtd unprivileged, it may be desirable to +# override the configs in this location. Set this parameter to +# point to the directory, and create a qemu.conf in that location +# +#spice_sasl_dir = "/some/directory/sasl2" + +# Enable use of TLS encryption on the chardev TCP transports. +# +# It is necessary to setup CA and issue a server certificate +# before enabling this. +# +#chardev_tls = 1 + + +# In order to override the default TLS certificate location for character +# device TCP certificates, supply a valid path to the certificate directory. +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but chardev_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". +# +#chardev_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. 
Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# Enable use of TLS encryption for all VxHS network block devices that +# don't specifically disable. +# +# When the VxHS network block device server is set up appropriately, +# x509 certificates are required for authentication between the clients +# (qemu processes) and the remote VxHS server. +# +# It is necessary to setup CA and issue the client certificate before +# enabling this. +# +#vxhs_tls = 1 + + +# In order to override the default TLS certificate location for VxHS +# backed storage, supply a valid path to the certificate directory. +# This is used to authenticate the VxHS block device clients to the VxHS +# server. +# +# If the provided path does not exist, libvirtd will fail to start. +# If the path is not provided, but vxhs_tls = 1, then the +# default_tls_x509_cert_dir path will be used. +# +# VxHS block device clients expect the client certificate and key to be +# present in the certificate directory along with the CA master certificate. +# If using the default environment, default_tls_x509_verify must be configured. +# Since this is only a client the server-key.pem certificate is not needed. +# Thus a VxHS directory must contain the following: +# +# ca-cert.pem - the CA master certificate +# client-cert.pem - the client certificate signed with the ca-cert.pem +# client-key.pem - the client private key +# +#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" + + +# In order to override the default TLS certificate location for migration +# certificates, supply a valid path to the certificate directory. If the +# provided path does not exist, libvirtd will fail to start. If the path is +# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path +# will be used. 
Once/if a default certificate is enabled/defined, migration +# will then be able to use the certificate via migration API flags. +# +#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" + + +# The default TLS configuration only uses certificates for the server +# allowing the client to verify the server's identity and establish +# an encrypted channel. +# +# It is possible to use x509 certificates for authentication too, by +# issuing an x509 certificate to every client who needs to connect. +# +# Enabling this option will reject any client that does not have a +# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir +# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem +# files described in default_tls_x509_cert_dir. +# +# If this option is not supplied, it will be set to the value of +# "default_tls_x509_verify". +# +#migrate_tls_x509_verify = 1 + + +# Uncomment and use the following option to override the default secret +# UUID provided in the default_tls_x509_secret_uuid parameter. +# +# NB This default all-zeros UUID will not work. Replace it with the +# output from the UUID for the TLS secret from a 'virsh secret-list' +# command and then uncomment the entry +# +#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" + + +# By default, if no graphical front end is configured, libvirt will disable +# QEMU audio output since directly talking to alsa/pulseaudio may not work +# with various security settings. If you know what you're doing, enable +# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV +# environment variable when using nographics. +# +#nographics_allow_host_audio = 1 + + +# Override the port for creating both VNC and SPICE sessions (min). +# This defaults to 5900 and increases for consecutive sessions +# or when ports are occupied, until it hits the maximum. +# +# Minimum must be greater than or equal to 5900 as lower number would +# result into negative vnc display number. 
+# +# Maximum must be less than 65536, because higher numbers do not make +# sense as a port number. +# +#remote_display_port_min = 5900 +#remote_display_port_max = 65535 + +# VNC WebSocket port policies, same rules apply as with remote display +# ports. VNC WebSockets use similar display <-> port mappings, with +# the exception being that ports start from 5700 instead of 5900. +# +#remote_websocket_port_min = 5700 +#remote_websocket_port_max = 65535 + +# The default security driver is SELinux. If SELinux is disabled +# on the host, then the security driver will automatically disable +# itself. If you wish to disable QEMU SELinux security driver while +# leaving SELinux enabled for the host in general, then set this +# to 'none' instead. It's also possible to use more than one security +# driver at the same time, for this use a list of names separated by +# comma and delimited by square brackets. For example: +# +# security_driver = [ "selinux", "apparmor" ] +# +# Notes: The DAC security driver is always enabled; as a result, the +# value of security_driver cannot contain "dac". The value "none" is +# a special value; security_driver can be set to that value in +# isolation, but it cannot appear in a list of drivers. +# +#security_driver = "selinux" + +# If set to non-zero, then the default security labeling +# will make guests confined. If set to zero, then guests +# will be unconfined by default. Defaults to 1. +#security_default_confined = 1 + +# If set to non-zero, then attempts to create unconfined +# guests will be blocked. Defaults to 0. +#security_require_confined = 1 + +# The user for QEMU processes run by the system instance. It can be +# specified as a user name or as a user id. The qemu driver will try to +# parse this value first as a name and then, if the name doesn't exist, +# as a user id. +# +# Since a sequence of digits is a valid user name, a leading plus sign +# can be used to ensure that a user id will not be interpreted as a user +# name. 
+# +# Some examples of valid values are: +# +# user = "qemu" # A user named "qemu" +# user = "+0" # Super user (uid=0) +# user = "100" # A user named "100" or a user with uid=100 +# +#user = "root" + +# The group for QEMU processes run by the system instance. It can be +# specified in a similar way to user. +#group = "root" + +# Whether libvirt should dynamically change file ownership +# to match the configured user/group above. Defaults to 1. +# Set to 0 to disable file ownership changes. +#dynamic_ownership = 1 + + +# What cgroup controllers to make use of with QEMU guests +# +# - 'cpu' - use for scheduler tunables +# - 'devices' - use for device whitelisting +# - 'memory' - use for memory tunables +# - 'blkio' - use for block devices I/O tunables +# - 'cpuset' - use for CPUs and memory nodes +# - 'cpuacct' - use for CPUs statistics. +# +# NB, even if configured here, they won't be used unless +# the administrator has mounted cgroups, e.g.: +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup +# +# They can be mounted anywhere, and different controllers +# can be mounted in different locations. libvirt will detect +# where they are located. +# +#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know about. 
+# +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", "/dev/kqemu", +# "/dev/rtc","/dev/hpet" +#] +# +# RDMA migration requires the following extra files to be added to the list: +# "/dev/infiniband/rdma_cm", +# "/dev/infiniband/issm0", +# "/dev/infiniband/issm1", +# "/dev/infiniband/umad0", +# "/dev/infiniband/umad1", +# "/dev/infiniband/uverbs0" + + +# The default format for QEMU/KVM guest save images is raw; that is, the +# memory from the domain is dumped out directly to a file. If you have +# guests with a large amount of memory, however, this can take up quite +# a bit of space. If you would like to compress the images while they +# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" +# for save_image_format. Note that this means you slow down the process of +# saving a domain in order to save disk space; the list above is in descending +# order by performance and ascending order by compression ratio. +# +# save_image_format is used when you use 'virsh save' or 'virsh managedsave' +# at scheduled saving, and it is an error if the specified save_image_format +# is not valid, or the requested compression program can't be found. +# +# dump_image_format is used when you use 'virsh dump' at emergency +# crashdump, and if the specified dump_image_format is not valid, or +# the requested compression program can't be found, this falls +# back to "raw" compression. +# +# snapshot_image_format specifies the compression algorithm of the memory save +# image when an external snapshot of a domain is taken. This does not apply +# on disk image format. It is an error if the specified format isn't valid, +# or the requested compression program can't be found. 
+# +#save_image_format = "raw" +#dump_image_format = "raw" +#snapshot_image_format = "raw" + +# When a domain is configured to be auto-dumped when libvirtd receives a +# watchdog event from qemu guest, libvirtd will save dump files in directory +# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump +# +#auto_dump_path = "/var/lib/libvirt/qemu/dump" + +# When a domain is configured to be auto-dumped, enabling this flag +# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the +# virDomainCoreDump API. That is, the system will avoid using the +# file system cache while writing the dump file, but may cause +# slower operation. +# +#auto_dump_bypass_cache = 0 + +# When a domain is configured to be auto-started, enabling this flag +# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag +# with the virDomainCreateWithFlags API. That is, the system will +# avoid using the file system cache when restoring any managed state +# file, but may cause slower operation. +# +#auto_start_bypass_cache = 0 + +# If provided by the host and a hugetlbfs mount point is configured, +# a guest may request huge page backing. When this mount point is +# unspecified here, determination of a host mount point in /proc/mounts +# will be attempted. Specifying an explicit mount overrides detection +# of the same in /proc/mounts. Setting the mount point to "" will +# disable guest hugepage backing. If desired, multiple mount points can +# be specified at once, separated by comma and enclosed in square +# brackets, for example: +# +# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] +# +# The size of huge page served by specific mount point is determined by +# libvirt at the daemon startup. +# +# NB, within these mount points, guests will create memory backing +# files in a location of $MOUNTPOINT/libvirt/qemu +# +#hugetlbfs_mount = "/dev/hugepages" + + +# Path to the setuid helper for creating tap devices. 
This executable +# is used to create interfaces when libvirtd is +# running unprivileged. libvirt invokes the helper directly, instead +# of using "-netdev bridge", for security reasons. +#bridge_helper = "/usr/libexec/qemu-bridge-helper" + + + +# If clear_emulator_capabilities is enabled, libvirt will drop all +# privileged capabilities of the QEmu/KVM emulator. This is enabled by +# default. +# +# Warning: Disabling this option means that a compromised guest can +# exploit the privileges and possibly do damage to the host. +# +#clear_emulator_capabilities = 1 + + +# If enabled, libvirt will have QEMU set its process name to +# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU +# process will appear as "qemu:VM_NAME" in process listings and +# other system monitoring tools. By default, QEMU does not set +# its process title, so the complete QEMU command (emulator and +# its arguments) appear in process listings. +# +#set_process_name = 1 + + +# If max_processes is set to a positive integer, libvirt will use +# it to set the maximum number of processes that can be run by qemu +# user. This can be used to override default value set by host OS. +# The same applies to max_files which sets the limit on the maximum +# number of opened files. +# +#max_processes = 0 +#max_files = 0 + +# If max_core is set to a non-zero integer, then QEMU will be +# permitted to create core dumps when it crashes, provided its +# RAM size is smaller than the limit set. +# +# Be warned that the core dump will include a full copy of the +# guest RAM, if the 'dump_guest_core' setting has been enabled, +# or if the guest XML contains +# +# ...guest ram... +# +# If guest RAM is to be included, ensure the max_core limit +# is set to at least the size of the largest expected guest +# plus another 1GB for any QEMU host side memory mappings. +# +# As a special case it can be set to the string "unlimited" to +# to allow arbitrarily sized core dumps. 
+# +# By default the core dump size is set to 0 disabling all dumps +# +# Size is a positive integer specifying bytes or the +# string "unlimited" +# +#max_core = "unlimited" + +# Determine if guest RAM is included in QEMU core dumps. By +# default guest RAM will be excluded if a new enough QEMU is +# present. Setting this to '1' will force guest RAM to always +# be included in QEMU core dumps. +# +# This setting will be ignored if the guest XML has set the +# dumpcore attribute on the element. +# +#dump_guest_core = 1 + +# mac_filter enables MAC addressed based filtering on bridge ports. +# This currently requires ebtables to be installed. +# +#mac_filter = 1 + + +# By default, PCI devices below non-ACS switch are not allowed to be assigned +# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to +# be assigned to guests. +# +#relaxed_acs_check = 1 + + +# If allow_disk_format_probing is enabled, libvirt will probe disk +# images to attempt to identify their format, when not otherwise +# specified in the XML. This is disabled by default. +# +# WARNING: Enabling probing is a security hole in almost all +# deployments. It is strongly recommended that users update their +# guest XML elements to include +# elements instead of enabling this option. +# +#allow_disk_format_probing = 1 + + +# In order to prevent accidentally starting two domains that +# share one writable disk, libvirt offers two approaches for +# locking files. The first one is sanlock, the other one, +# virtlockd, is then our own implementation. Accepted values +# are "sanlock" and "lockd". +# +#lock_manager = "lockd" + + + +# Set limit of maximum APIs queued on one domain. All other APIs +# over this threshold will fail on acquiring job lock. Specially, +# setting to zero turns this feature off. +# Note, that job lock is per domain. 
+# +#max_queued = 0 + +################################################################### +# Keepalive protocol: +# This allows qemu driver to detect broken connections to remote +# libvirtd during peer-to-peer migration. A keepalive message is +# sent to the daemon after keepalive_interval seconds of inactivity +# to check if the daemon is still responding; keepalive_count is a +# maximum number of keepalive messages that are allowed to be sent +# to the daemon without getting any response before the connection +# is considered broken. In other words, the connection is +# automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the daemon. If keepalive_interval is set to +# -1, qemu driver will not send keepalive requests during +# peer-to-peer migration; however, the remote libvirtd can still +# send them and source libvirtd will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + + + +# Use seccomp syscall whitelisting in QEMU. +# 1 = on, 0 = off, -1 = use QEMU default +# Defaults to -1. +# +#seccomp_sandbox = 1 + + +# Override the listen address for all incoming migrations. Defaults to +# 0.0.0.0, or :: if both host and qemu are capable of IPv6. +#migration_address = "0.0.0.0" + + +# The default hostname or IP address which will be used by a migration +# source for transferring migration data to this host. The migration +# source has to be able to resolve this hostname and connect to it so +# setting "localhost" will not work. By default, the host's configured +# hostname is used. +#migration_host = "host.example.com" + + +# Override the port range used for incoming migrations. 
+# +# Minimum must be greater than 0, however when QEMU is not running as root, +# setting the minimum to be lower than 1024 will not work. +# +# Maximum must not be greater than 65535. +# +#migration_port_min = 49152 +#migration_port_max = 49215 + + + +# Timestamp QEMU's log messages (if QEMU supports it) +# +# Defaults to 1. +# +#log_timestamp = 0 + + +# Location of master nvram file +# +# When a domain is configured to use UEFI instead of standard +# BIOS it may use a separate storage for UEFI variables. If +# that's the case libvirt creates the variable store per domain +# using this master file as image. Each UEFI firmware can, +# however, have different variables store. Therefore the nvram is +# a list of strings when a single item is in form of: +# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. +# Later, when libvirt creates per domain variable store, this list is +# searched for the master image. The UEFI firmware can be called +# differently for different guest architectures. For instance, it's OVMF +# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default +# follows this scheme. +#nvram = [ +# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" +#] + +# The backend to use for handling stdout/stderr output from +# QEMU processes. +# +# 'file': QEMU writes directly to a plain file. This is the +# historical default, but allows QEMU to inflict a +# denial of service attack on the host by exhausting +# filesystem space +# +# 'logd': QEMU writes to a pipe provided by virtlogd daemon. +# This is the current default, providing protection +# against denial of service by performing log file +# rollover when a size limit is hit. 
+# +#stdio_handler = "logd" + +# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the +# most verbose, and 0 representing no debugging output. +# +# The current logging levels defined in the gluster GFAPI are: +# +# 0 - None +# 1 - Emergency +# 2 - Alert +# 3 - Critical +# 4 - Error +# 5 - Warning +# 6 - Notice +# 7 - Info +# 8 - Debug +# 9 - Trace +# +# Defaults to 4 +# +#gluster_debug_level = 9 + +# To enhance security, QEMU driver is capable of creating private namespaces +# for each domain started. Well, so far only "mount" namespace is supported. If +# enabled it means qemu process is unable to see all the devices on the system, +# only those configured for the domain in question. Libvirt then manages +# devices entries throughout the domain lifetime. This namespace is turned on +# by default. +#namespaces = [ "mount" ] + +# This directory is used for memoryBacking source if configured as file. +# NOTE: big files will be stored here +#memory_backing_dir = "/var/lib/libvirt/qemu/ram" + +# The following two values set the default RX/TX ring buffer size for virtio +# interfaces. These values are taken unless overridden in domain XML. For more +# info consult docs to corresponding attributes from domain XML. +#rx_queue_size = 1024 +#tx_queue_size = 1024 diff --git a/libvirt/qemu/networks/autostart/default.xml b/libvirt/qemu/networks/autostart/default.xml new file mode 120000 index 0000000..f19824e --- /dev/null +++ b/libvirt/qemu/networks/autostart/default.xml @@ -0,0 +1 @@ +/etc/libvirt/qemu/networks/default.xml \ No newline at end of file diff --git a/libvirt/qemu/networks/default.xml b/libvirt/qemu/networks/default.xml new file mode 100644 index 0000000..b72f1be --- /dev/null +++ b/libvirt/qemu/networks/default.xml @@ -0,0 +1,19 @@ + + + + default + a111fef7-d376-453e-916c-4acde8cdd18c + + + + + + + + + diff --git a/libvirt/virt-login-shell.conf b/libvirt/virt-login-shell.conf new file mode 100644 index 0000000..4a504b3 --- /dev/null 
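Review bot: Every directive in this new qemu.conf is commented out, so the host's effective QEMU driver settings are the compiled-in defaults and nothing in the committed file records which of them this host relies on; the isolation-relevant ones here are `#security_driver = "selinux"`, `#clear_emulator_capabilities = 1`, `#namespaces = [ "mount" ]` and `#seccomp_sandbox = 1`, and their active values are not visible from the file (the security_driver comment describes SELinux autodetection, while on an Ubuntu host apparmor is more likely what is actually in force — confirm with the daemon's capabilities output). A short header comment such as `# Intentionally unmodified: effective values are the package defaults; security driver is autodetected, check the running daemon for the active one` would let a later reviewer tell deliberate hardening choices from untouched defaults. The `#vnc_listen = "0.0.0.0"` and `#spice_listen = "0.0.0.0"` examples are left commented, so graphics stay on 127.0.0.1, which is the state to keep; the file's own guidance to pair either with `*_tls = 1` and `*_tls_x509_verify = 1` applies if that ever changes. The same "all defaults, no statement of intent" point applies to the virtlockd.conf and virt-login-shell.conf hunks later in this commit.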
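Review bot: The element tags of the default.xml hunk were lost in this rendering — only the text nodes `default` and the uuid `a111fef7-d376-453e-916c-4acde8cdd18c` survive — so the network's forward mode, bridge name and DHCP range cannot be reviewed here. The companion autostart entry is a symlink to `/etc/libvirt/qemu/networks/default.xml`, which means this network is brought up whenever the daemon starts, so the real file is worth checking for what it exposes (a NAT-forwarded bridge with a DHCP range is what the package default usually contains — confirm against the file itself).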
+++ b/libvirt/virt-login-shell.conf @@ -0,0 +1,48 @@ +# Master configuration file for the virt-login-shell program. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# By default, virt-login-shell will connect you to a container running +# with the /bin/sh program. Modify the shell variable if you want your +# users to run a different shell or a setup container when joining a +# container. +# +# This can either be just the path to a shell binary: +# +# shell = "/bin/bash" +# +# Or can be the path and extra arguments +# +# shell = [ "/bin/bash", "--posix" ] +# +# Note there is no need to pass a '--login' / '-l' argument since +# virt-login-shell will always request a login shell + +# Normally virt-login-shell will always use the shell identified +# by the 'shell' configuration setting above. If the container +# is running a full OS, it might be desirable to allow the choice +# of shell to be delegated to the owner of the shell, by querying +# the /etc/passwd file inside the container +# +# To allow for that, uncomment the following: +# auto_shell = 1 +# +# NB, this should /not/ be used if any container is sharing the +# host filesystem /etc, as this would cause virt-login-shell to +# look at the host's /etc/passwd finding itself as the listed +# shell. Hilarious recursion would then ensue. + +# allowed_users specifies the user names of all users that are allowed to +# execute virt-login-shell. You can specify the users as a comma +# separated list of usernames or user groups. +# The list of names support glob syntax. +# To disallow all users (default) +# allowed_users = [] +# If you do not specify any names (default) then no one is allowed +# to use this executable. +# To allow fred and joe only +# allowed_users = ["fred", "joe"] +# To allow all users within a specific group prefix the group name with %. +# allowed_users = ["%engineers"] +# To allow all users specify the following +# allowed_users = [ "*" ] 
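Review bot: `allowed_users` stays at its default (`allowed_users = []`, nobody may run virt-login-shell), which is the safe state, but the file ends on the `allowed_users = [ "*" ]` example with no statement of what this host intends. A one-line comment after that example, e.g. `# This host: allowed_users deliberately left at the empty default; widen per user or %group, not with "*"`, would stop a later edit from promoting the last example to the live value. `auto_shell = 1` is documented in the file as unsafe when a container shares the host's /etc; leaving it commented, as here, is right.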
diff --git a/libvirt/virtlockd.conf b/libvirt/virtlockd.conf new file mode 100644 index 0000000..4c935d0 --- /dev/null +++ b/libvirt/virtlockd.conf 
@@ -0,0 +1,67 @@
+# Master virtlockd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+# where name is a string which is matched against source file name,
+# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
+# tells libvirt to log stack trace for each message matching name,
+# and x is the minimal level where matching messages should be logged:
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlockd ident:
+#log_outputs="3:syslog:virtlockd"
+#
+
+# Log debug buffer size:
+#
+# This configuration option is no longer used, since the global
+# log buffer functionality has been removed. Please configure
+# suitable log_outputs/log_filters settings to obtain logs.
+#log_buffer_size = 64
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+# Each running virtual machine will require one open connection
+# to virtlockd. So 'max_clients' will affect how many VMs can
+# be run on a host
+#max_clients = 1024
diff --git a/libvirt/virtlogd.conf b/libvirt/virtlogd.conf
new file mode 100644
index 0000000..7ef1ac3
--- /dev/null
+++ b/libvirt/virtlogd.conf
@@ -0,0 +1,67 @@
+# Master virtlogd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+# where name is a string which is matched against source file name,
+# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
+# tells libvirt to log stack trace for each message matching name,
+# and x is the minimal level where matching messages should be logged:
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# x:journald
+# ouput to the systemd journal
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlogd ident:
+#log_outputs="3:syslog:virtlogd"
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 1024
+
+
+# Maximum file size before rolling over. Defaults to 2 MB
+#max_size = 2097152
+
+# Maximum number of backup files to keep. Defaults to 3,
+# not including the primary active file
+#max_backups = 3
diff --git a/logrotate.d/libvirtd b/logrotate.d/libvirtd
new file mode 100644
index 0000000..869c879
--- /dev/null
+++ b/logrotate.d/libvirtd
@@ -0,0 +1,9 @@
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/logrotate.d/libvirtd.libxl b/logrotate.d/libvirtd.libxl
new file mode 100644
index 0000000..4d957b6
--- /dev/null
+++ b/logrotate.d/libvirtd.libxl
@@ -0,0 +1,8 @@
+/var/log/libvirt/libxl/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/logrotate.d/libvirtd.lxc b/logrotate.d/libvirtd.lxc
new file mode 100644
index 0000000..9136c3a
--- /dev/null
+++ b/logrotate.d/libvirtd.lxc
@@ -0,0 +1,8 @@
+/var/log/libvirt/lxc/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/logrotate.d/libvirtd.qemu b/logrotate.d/libvirtd.qemu
new file mode 100644
index 0000000..76e5809
--- /dev/null
+++ b/logrotate.d/libvirtd.qemu
@@ -0,0 +1,8 @@
+/var/log/libvirt/qemu/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/logrotate.d/libvirtd.uml b/logrotate.d/libvirtd.uml
new file mode 100644
index 0000000..bf00c5d
--- /dev/null
+++ b/logrotate.d/libvirtd.uml
@@ -0,0 +1,8 @@
+/var/log/libvirt/uml/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/passwd b/passwd
index ea93674..aa6b4c8 100644
--- a/passwd
+++ b/passwd
@@ -54,3 +54,5 @@ kameu:x:1001:100:Karin Meusel:/home/kameu:/bin/sh
 plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/sh
 _chrony:x:126:135:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
 gdm:x:112:118:Gnome Display Manager:/var/lib/gdm3:/bin/false
+libvirt-qemu:x:64055:133:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:127:137:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
diff --git a/passwd- b/passwd-
index 4343090..7c52145 100644
--- a/passwd-
+++ b/passwd-
@@ -53,4 +53,6 @@ vivi:x:1006:100:Vivien Musterer:/home/vivi:/bin/sh
 kameu:x:1001:100:Karin Meusel:/home/kameu:/bin/sh
 plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/sh
 _chrony:x:126:135:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
-gdm:x:112:118::/var/lib/gdm3:/bin/false
+gdm:x:112:118:Gnome Display Manager:/var/lib/gdm3:/bin/false
+libvirt-qemu:x:64055:133:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:127:137::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
diff --git a/profile.d/libvirt-uri.sh b/profile.d/libvirt-uri.sh
new file mode 100644
index 0000000..f9bdc6d
--- /dev/null
+++ b/profile.d/libvirt-uri.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+# libvirt-uri.sh - Automatically switch default libvirt URI for user
+# Copyright (C) 2015 Canonical Ltd.
+#
+# Authors: Stefan Bader
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+LIBVIRT_DEFAULT_URI="qemu:///system"
+if [ -f /proc/xen/capabilities ]; then
+ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then
+ LIBVIRT_DEFAULT_URI="xen:///"
+ fi
+fi
+
+export LIBVIRT_DEFAULT_URI
+
diff --git a/rc0.d/K01libvirt-guests b/rc0.d/K01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc0.d/K01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc0.d/K01libvirtd b/rc0.d/K01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc0.d/K01libvirtd
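Review bot: The first assignment in profile.d/libvirt-uri.sh, `LIBVIRT_DEFAULT_URI="qemu:///system"`, unconditionally overwrites any value a user or the login environment (for example a PAM environment file or an earlier profile.d snippet) had already exported, so a session that pins its own URI silently loses it at every login. Since this file only wants to supply a default, wrapping the existing detection and export in `if [ -z "${LIBVIRT_DEFAULT_URI:-}" ]; then` … `fi` keeps the Xen branch and the `export` unchanged while respecting a pre-set value. A one-line comment above the block, such as `# Default only: an already-exported LIBVIRT_DEFAULT_URI wins`, would make that intent explicit for the next editor.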
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc0.d/K01virtlogd b/rc0.d/K01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc0.d/K01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc1.d/K01libvirt-guests b/rc1.d/K01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc1.d/K01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc1.d/K01libvirtd b/rc1.d/K01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc1.d/K01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc1.d/K01virtlogd b/rc1.d/K01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc1.d/K01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc2.d/S01libvirt-guests b/rc2.d/S01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc2.d/S01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc2.d/S01libvirtd b/rc2.d/S01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc2.d/S01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc2.d/S01virtlogd b/rc2.d/S01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc2.d/S01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc3.d/S01libvirt-guests b/rc3.d/S01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc3.d/S01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc3.d/S01libvirtd b/rc3.d/S01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc3.d/S01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc3.d/S01virtlogd b/rc3.d/S01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc3.d/S01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc4.d/S01libvirt-guests b/rc4.d/S01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc4.d/S01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc4.d/S01libvirtd b/rc4.d/S01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc4.d/S01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc4.d/S01virtlogd b/rc4.d/S01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc4.d/S01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc5.d/S01libvirt-guests b/rc5.d/S01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc5.d/S01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc5.d/S01libvirtd b/rc5.d/S01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc5.d/S01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc5.d/S01virtlogd b/rc5.d/S01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc5.d/S01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/rc6.d/K01libvirt-guests b/rc6.d/K01libvirt-guests
new file mode 120000
index 0000000..68e782b
--- /dev/null
+++ b/rc6.d/K01libvirt-guests
@@ -0,0 +1 @@
+../init.d/libvirt-guests
\ No newline at end of file
diff --git a/rc6.d/K01libvirtd b/rc6.d/K01libvirtd
new file mode 120000
index 0000000..a33ddb8
--- /dev/null
+++ b/rc6.d/K01libvirtd
@@ -0,0 +1 @@
+../init.d/libvirtd
\ No newline at end of file
diff --git a/rc6.d/K01virtlogd b/rc6.d/K01virtlogd
new file mode 120000
index 0000000..1a8dcee
--- /dev/null
+++ b/rc6.d/K01virtlogd
@@ -0,0 +1 @@
+../init.d/virtlogd
\ No newline at end of file
diff --git a/sasl2/libvirt.conf b/sasl2/libvirt.conf
new file mode 100644
index 0000000..9e7699c
--- /dev/null
+++ b/sasl2/libvirt.conf
@@ -0,0 +1,45 @@
+# If you want to use the non-TLS socket, then you *must* pick a
+# mechanism which provides session encryption as well as
+# authentication.
+#
+# If you are only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# If you are only using UNIX, sockets then encryption is not
+# required at all.
+#
+# Since SASL is the default for the libvirtd non-TLS socket, we
+# pick a strong mechanism by default.
+#
+# NB, previously DIGEST-MD5 was set as the default mechanism for
+# libvirt. Per RFC 6331 this is vulnerable to many serious security
+# flaws and should no longer be used. Thus GSSAPI is now the default.
+#
+# To use GSSAPI requires that a libvirtd service principal is
+# added to the Kerberos server for each host running libvirtd.
+# This principal needs to be exported to the keytab file listed below
+mech_list: gssapi
+
+# If using a TLS socket or UNIX socket only, it is possible to
+# enable plugins which don't provide session encryption. The
+# 'scram-sha-1' plugin allows plain username/password authentication
+# to be performed
+#
+#mech_list: scram-sha-1
+
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: scram-sha-1 gssapi
+
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+#
+keytab: /etc/libvirt/krb5.tab
+
+# If using scram-sha-1 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
+#sasldb_path: /etc/libvirt/passwd.db
diff --git a/shadow b/shadow
index 72308d3..90c16ae 100644
--- a/shadow
+++ b/shadow
@@ -54,3 +54,5 @@ kameu:$6$5h/eHwOt$vHYM0Cxc6GsFbNjm5J4cdqjvmok6Ce9tSnP5Ox8MwDBHJ/ldTIId1ZGs4k8pa1
 plex:!:18385:0:99999:7:::
 _chrony:*:18385:0:99999:7:::
 gdm:*:18385:0:99999:7:::
+libvirt-qemu:!:18385:0:99999:7:::
+libvirt-dnsmasq:!:18385:0:99999:7:::
diff --git a/shadow- b/shadow-
index 72308d3..90c16ae 100644
--- a/shadow-
+++ b/shadow-
@@ -54,3 +54,5 @@ kameu:$6$5h/eHwOt$vHYM0Cxc6GsFbNjm5J4cdqjvmok6Ce9tSnP5Ox8MwDBHJ/ldTIId1ZGs4k8pa1
 plex:!:18385:0:99999:7:::
 _chrony:*:18385:0:99999:7:::
 gdm:*:18385:0:99999:7:::
+libvirt-qemu:!:18385:0:99999:7:::
+libvirt-dnsmasq:!:18385:0:99999:7:::
diff --git a/systemd/system/libvirt-bin.service b/systemd/system/libvirt-bin.service
new file mode 120000
index 0000000..bf818f9
--- /dev/null
+++ b/systemd/system/libvirt-bin.service
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/libvirt-guests.service b/systemd/system/multi-user.target.wants/libvirt-guests.service
new file mode 120000
index 0000000..d1d5309
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/libvirt-guests.service
@@ -0,0 +1 @@
+/lib/systemd/system/libvirt-guests.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/libvirtd.service b/systemd/system/multi-user.target.wants/libvirtd.service
new file mode 120000
index 0000000..bf818f9
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/libvirtd.service
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/virtlockd.socket b/systemd/system/sockets.target.wants/virtlockd.socket
new file mode 120000
index 0000000..8f7876f
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlockd.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlockd.socket
\ No newline at end of file
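Review bot: The shadow hunk's header line reproduces a fragment of a human user's salted password hash as context, because shadow and shadow- (the next hunk on this line) are tracked in this repository; the two new lines themselves only add locked entries (`!` in the password field) for libvirt-qemu and libvirt-dnsmasq, which is correct for service accounts. etckeeper typically keeps the .git directory unreadable to non-root users, but that protection does not follow the repository through a push, clone or backup, where the hash would be exposed to whoever holds the copy. If the repository is shared at all, consider listing `shadow` and `shadow-` (and any tracked gshadow counterparts) in the repository's `.gitignore`, purging them from history, and relying on the `.etckeeper` metadata for their permissions, or confirm that every remote is restricted to the same people who can read /etc/shadow on this host.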
diff --git a/systemd/system/sockets.target.wants/virtlogd.socket b/systemd/system/sockets.target.wants/virtlogd.socket
new file mode 120000
index 0000000..a39fe54
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlogd.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlogd.socket
\ No newline at end of file
-- 
2.39.5