The term "access control list" better describes the concept involved.
Reviewed-by: NPeter Krempa <pkrempa@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The g_pattern_match function_simple is an acceptably close
approximation of fnmatch for libvirt's needs.

In contrast to fnmatch(), the '/' character can be matched
by the wildcards, there are no '[...]' character ranges and
'*' and '?' can not be escaped to include them literally in
a pattern.
Reviewed-by: NFabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The log filters have supported the use of a "+" before the source match
string to request that a stack trace be emitted for every log message:

  commit 54856395
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Wed May 9 15:18:56 2012 +0100

    Allow stack traces to be included with log messages

    Sometimes it is useful to see the callpath for log messages.
    This change enhances the log filter syntax so that stack traces
    can be show by setting '1:+NAME' instead of '1:NAME'.

With the huge & ever increasing number of logging statements per file,
this will be incredibly verbose and have a major performance penalty.
This makes the feature impractical to use widely and as such it is not
worth the code maint cost.

Removing this seldom used feature allows us to drop the 'execinfo'
module in gnulib which provides the backtrace() function which doesn't
exist on non-Linux.

Users who want to get stack traces of parts of libvirt can use GDB,
or systemtap for live tracing with minimal perf impact.
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

If a systemd socket uses /var/run in its path, systemd prints a warning
at runtime

[   15.139976] systemd[1]: /usr/lib/systemd/system/virtlockd.socket:5:
  ListenStream= references a path below legacy directory /var/run/,
  updating /var/run/libvirt/virtlockd-sock → /run/libvirt/virtlockd-sock;
  please update the unit file accordingly.

This minimal change updates the socket unit files to honour the
$runstatedir path.

There's no functional change by default yet since both expressions
expand to the same value.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Substitute in the @sysconfigdir@ value instead of /etc.
Reviewed-by: NChristophe de Dinechin <dinechin@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Prepare for reusing libvirtd config to create other daemons by making
the config parameters for IP sockets conditionally defined by the make
rules.

The main libvirtd daemon will retain IP listen ability, but all the
driver specific daemons will be local UNIX sockets only. Apps needing
IP connectivity will connect via the libvirtd daemon which will proxy
to the driver specfic daemon.
Reviewed-by: NChristophe de Dinechin <dinechin@redhat.com>
Reviewed-by: NAndrea Bolognani <abologna@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Certain libvirtd.conf settings are not honoured when using systemd
socket activation.

Certain systemd unit file settings must match those defined in
libvirtd.conf for systemd socket activation to work with systemd
version < 227, otherwise libvirtd cannot determine which inherited
FD to use for which service.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Libvirtd has long had integration with avahi for advertising libvirtd
using mDNS when TCP/TLS listening is enabled. For a long time the
virt-manager application had support for auto-detecting libvirtds
on the local network using mDNS, but this was removed last year

  commit fc8f8d5d7e3ba80a0771df19cf20e84a05ed2422
  Author: Cole Robinson <crobinso@redhat.com>
  Date:   Sat Oct 6 20:55:31 2018 -0400

    connect: Drop avahi support

    Libvirtd can advertise itself over avahi. The feature is disabled by
    default though and in practice I hear of no one actually using it
    and frankly I don't think it's all that useful

    The 'Open Connection' wizard has a disproportionate amount of code
    devoted to this feature, but I don't think it's useful or worth
    maintaining, so let's drop it

I've never heard of any other applications having support for using
mDNS to detect libvirtd instances. Though it is theoretically possible
something exists out there, it is clearly going to be a niche use case
in the virt ecosystem as a whole.

By removing avahi integration we can cut down the dependency chain for
the basic libvirtd install and reduce our code maint burden.
Reviewed-by: NJán Tomko <jtomko@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The libvirtd.conf file has a comment pointing people to format.html
which has nothing todo with the configuration file format.

It also has a comment about tests/daemon-conf which no longer exists,
and even if it did exist such comment is not relevant to end users
when this file is installed in /etc/.
Reviewed-by: NMichal Privoznik <mprivozn@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

The only place where we have extra empty comment line.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>

Strongly recommend against use of the log_levels setting since it
creates overly verbose logs and has a serious performance impact.

Describe the log filter syntax better and mention use of shell
glob syntax. Also provide more realistic example of good settings
to use. The libvirtd example is biased towards QEMU, but when the
drivers split off each daemon can get its own more appropriate
example.
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

This reverts commit 8daa593b.

There are two undesirable aspects to the impl

  - Only a bare wildcard is permitted
  - The wildcard match is not performed in the order listed
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Since the introduction of log tuning capabilities to virt-admin by
@06b91785, this has been a much needed missing improvement on the way to
deprecate the global 'log_level'.
Signed-off-by: NErik Skultety <eskultet@redhat.com>

When applying the log filters, one has to define the more specific
filters before the generic ones, because the first filter that matches
will be applied. However, we've been missing this information in the
config, so it always has been a trial-error scenario figuring out that
e.g. '4:util 1:util.pci' doesn't actually enable verbose logging on the
src/util/virpci.c module because 4:util will be matched first.
Signed-off-by: NErik Skultety <eskultet@redhat.com>

The global log buffer feature was deleted in:

  commit c0c8c1d7
  Author: Daniel P. Berrange <berrange@redhat.com>
  Date:   Mon Mar 3 14:54:33 2014 +0000

    Remove global log buffer feature entirely

    A earlier commit changed the global log buffer so that it only
    records messages that are explicitly requested via the log
    filters setting. This removes the performance burden, and
    improves the signal/noise ratio for messages in the global
    buffer. At the same time though, it is somewhat pointless, since
    all the recorded log messages are already going to be sent to an
    explicit log output like syslog, stderr or the journal. The
    global log buffer is thus just duplicating this data on stderr
    upon crash.

    The log_buffer_size config parameter is left in the augeas
    lens to prevent breakage for users on upgrade. It is however
    completely ignored hereafter.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

This was in the 1.2.3 release, and 4 years is sufficient time for a
graceful upgrade path for augeas, so all remaining traces are now
removed.
Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Signed-off-by: NDaniel P. Berrangé <berrange@redhat.com>

Provide more details related to the requirement that setting one
of the values requires setting all of them.
Signed-off-by: NChen Hanxiao <chenhanxiao@gmail.com>
Reviewed-by: NJohn Ferlan <jferlan@redhat.com>

This adds a rule to require https links for the libvirt, qemu
and kvm websites.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Since its introduction in f6134117 it was never
implemented nor there are plans to implement it. Drop it.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Provide the ability to specify a default timeout value for
successful completion of openvswitch calls in the libvirtd
configuration file.
Signed-off-by: NBoris Fiuczynski <fiuczy@linux.vnet.ibm.com>
Reviewed-by: NBjoern Walk <bwalk@linux.vnet.ibm.com>
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=1343442

When a client connects, it is placed into a queue. As soon as it
authenticate, it is taken out of that queue and placed into a
different one. Now, we have a setting in the daemon config file
that allows users to control the length of the queue of yet not
authenticated clients. By default, it has a value 20 but in the
description to the config knob we clam it's zero.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Add a "tls_priority" config option to /etc/libvirt/libvirtd.conf
to allow the administrator to override the built-in default
setting. This only affects the server side configuration.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Daemon config parameter switch between reading host uuid
either from smbios or machine-id:

host_uuid_source = "smbios|machine-id"
Signed-off-by: NNikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>

This reverts commit 1e9808d3.

We shouldn't advertise libvirtd.socket activation, since currently
it means VM/network/... autostart won't work as expected.

We tried to find a middle ground by installing the config file without
an [Install] section, since systemd won't allow .socket to be enabled
without one... or at least it did do that; presently on f24 it allows
activating the socket quite happily. This also caused user confusion[1]

Just remove the socket file. I've filed a new RFE to track coming up
with a solution to the autostart problem[2], we can point users at that
if there's more confusion:

[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1279348
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1326136

The documentation (and comment in libvirtd.conf) says that the text in
a log filter is compared to the "source file name", and gives the
example of "util/json", but this is not correct (at least not since
commit 2835c1e7, possibly earlier). It is instead compared to the
string given in the VIR_LOG_INIT() macro invocation at the top of each
source file, which is always "similar to but not the same as" the
source file name (in the example above, the proper name is
"util.json", while the file name is "util/virjson.c"). This patch
corrects the misstatement in both the documentation and in
libvirtd.conf.

Since its introduction in 2011 (particularly in commit f4324e32),
the option doesn't work.  It just effectively disables all incoming
connections.  That's because the client private data that contain the
'keepalive_supported' boolean, are initialized to zeroes so the bool is
false and the only other place where the bool is used is when checking
whether the client supports keepalive.  Thus, according to the server,
no client supports keepalive.

Removing this instead of fixing it is better because a) apparently
nobody ever tried it since 2011 (4 years without one month) and b) we
cannot know whether the client supports keepalive until we get a ping or
pong keepalive packet.  And that won't happen until after we dispatched
the ConnectOpen call.

Another two reasons would be c) the keepalive_required was tracked on
the server level, but keepalive_supported was in private data of the
client as well as the check that was made in the remote layer, thus
making all other instances of virNetServer miss this feature unless they
all implemented it for themselves and d) we can always add it back in
case there is a request and a use-case for it.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.
Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

not yet not -> not yet.
Signed-off-by: NZhang Bo <oscar.zhangbo@huawei.com>

Signed-off-by: NMartin Kletzander <mkletzan@redhat.com>

Libvirt is really chatty when the DEBUG log level is enabled. When a
host uses journald we'd enable debug logging to journald when only
specifying the debug log level. As journald may employ rate throttling
this would lock up the daemon until it's able to flush all debug
messages.

This patch changes the default log level to VIR_LOG_INFO when using the
default (unconfigured) log output to journald.

To still allow debug logging to journald the user now has to explicitly
specify journald as a log output with priority 1 in the "log_outputs"
configuration option. This patch also changes the config file template
to be explicit about this change and notify the user about the possible
consequence of debug logging into journald.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1121955

Our docs didn't mention the explicit option to log into journald.

https://bugzilla.redhat.com/show_bug.cgi?id=1098659

With parallel boot, network addresses might not yet be assigned [1],
but binding to wildcard addresses should work.

For non-wildcard addresses, ADDRCONFIG is still used. Document this
in libvirtd.conf.

[1] http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

A earlier commit changed the global log buffer so that it only
records messages that are explicitly requested via the log
filters setting. This removes the performance burden, and
improves the signal/noise ratio for messages in the global
buffer. At the same time though, it is somewhat pointless, since
all the recorded log messages are already going to be sent to an
explicit log output like syslog, stderr or the journal. The
global log buffer is thus just duplicating this data on stderr
upon crash.

The log_buffer_size config parameter is left in the augeas
lens to prevent breakage for users on upgrade. It is however
completely ignored hereafter.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=992980

This config tunable allows users to determine the maximum number of
accepted but yet not authenticated users.
Signed-off-by: NMichal Privoznik <mprivozn@redhat.com>

Noticed a misuse of 'to' while testing my event regression under
polkit ACLs, and decided to review the entire conf files for
other legibility bugs.

* daemon/libvirtd.conf: Use correct grammar.
* src/qemu/qemu.conf: Likewise.
Signed-off-by: NEric Blake <eblake@redhat.com>

This configuration knob lets user to set the length of queue of
connection requests waiting to be accept()-ed by the daemon. IOW, it
just controls the @backlog passed to listen:

  int listen(int sockfd, int backlog);

Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.

It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Add a new 'access_drivers' config parameter to the libvirtd.conf
configuration file. This allows admins to setup the default
access control drivers to use for API authorization. The same
driver is to be used by all internal drivers & APIs
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

Also make sure documentation in libvirtd.conf matches the one from
logging.html.