Added default example configs for libvirtd/qemu driver

libvirt.spec.in

@@ -129,6 +129,8 @@ fi
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/qemu/networks/autostart
 %{_sysconfdir}/rc.d/init.d/libvirtd
 %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd
+%config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf
+%config(noreplace) %{_sysconfdir}/libvirt/qemu.conf
 %dir %{_datadir}/libvirt/
 %dir %{_datadir}/libvirt/networks/
 %{_datadir}/libvirt/networks/default.xml

qemud/Makefile.am

@@ -4,6 +4,9 @@ UUID=$(shell uuidgen)
 
 sbin_PROGRAMS = libvirtd
 
+confdir = $(sysconfdir)/libvirt/
+conf_DATA = libvirtd.conf
+
 # Distribute the generated files so that rpcgen isn't required on the
 # target machine (although almost any Unix machine will have it).
 EXTRA_DIST = libvirtd.init.in libvirtd.sysconf default-network.xml \
@@ -14,7 +17,8 @@ EXTRA_DIST = libvirtd.init.in libvirtd.sysconf default-network.xml \
 	remote_dispatch_prototypes.h \
 	remote_dispatch_localvars.h \
 	remote_dispatch_proc_switch.h \
-	mdns.c mdns.h
+	mdns.c mdns.h \
+        $(conf_DATA)
 
 libvirtd_SOURCES = \
 		qemud.c internal.h \

qemud/libvirtd.conf

+# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is neccessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+# listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# NB, this is insecure. Do not use except for development.
+#
+# This is disabled by default, uncomment this to enable it.
+# listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+# 
+# tcp_port = "16509"
+
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+# mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+# 
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+# mdns_name "Virtualization Host Joe Demo" 
+
+
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+# 
+# This is restricted to 'root' by default. 
+# unix_sock_group "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+# unix_sock_ro_perms "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If setting group ownership may want to
+# relax this to:
+# unix_sock_rw_perms "octal-perms" 	"0770"
+
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+# tls_no_verify_certificate 1 
+
+# Flag to disable verification of client IP address
+#
+# Client IP address will be verified against the CommonName field
+# of the x509 certificate. This has minimal security benefit since
+# it is easy to spoof source IP.
+#
+# Uncommenting this will disable verification
+# tls_no_verify_address 1
+
+# Override the default server key file path
+#
+# key_file "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+# cert_file "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+# ca_file "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+# 
+# Defaults to not using a CRL, uncomment to enable it
+# crl_file "/etc/pki/CA/crl.pem"
+
+# A whitelist of allowed x509  Distinguished Names
+# This list may contain wildcards such as 
+#
+#    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+# tls_allowed_dn_list ["DN1", "DN2"]
+
+
+# A whitelist of allowed client IP addresses
+#
+# This list may contain wildcards such as 192.168.* See the POSIX fnmatch 
+# function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
+# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
+
+

src/Makefile.am

@@ -17,7 +17,11 @@ DEPS = libvirt.la
 LDADDS = @STATIC_BINARIES@ $(WARN_CFLAGS) libvirt.la
 VIRSH_LIBS = @VIRSH_LIBS@
 
-EXTRA_DIST = libvirt_sym.version
+confdir = $(sysconfdir)/libvirt/
+conf_DATA = qemu.conf
+
+
+EXTRA_DIST = libvirt_sym.version $(conf_DATA)
 
 lib_LTLIBRARIES = libvirt.la
 libvirt_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS)

src/qemu.conf

+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+# vnc_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is neccessary to setup CA and issue a server certificate
+# before enabling this.
+#
+# vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel. 
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+# 
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+# vnc_tls_x509_verify = 1