Add Augeas lens' for libvirtd.conf and qemu.conf

ChangeLog

@@ -1,3 +1,12 @@
+Thu Sep  4 11:43:20 BST 2008 Daniel P. Berrange <berrange@redhat.com>
+
+	Augeas config file support
+	* configure.in: Check for augparse tool for test suite
+	* libvirt.spec.in, qemud/Makefile.am, qemud/libvirtd.aug,
+	qemud/libvirtd_qemu.aug, qemud/test_libvirtd.aug,
+	qemud/test_libvirtd_qemu.aug: Augeas lens for processing
+	libvirtd.conf and qemu.conf
+
 Thu Sep  4 11:09:20 CEST 2008 Daniel Veillard <veillard@redhat.com>
 
 	* src/xend_internal.c: patch from John Levon shutting down a live

configure.in

@@ -100,7 +100,7 @@ AC_PATH_PROG([TAR], [tar], [/bin/tar])
 AC_PATH_PROG([XMLLINT], [xmllint], [/usr/bin/xmllint])
 AC_PATH_PROG([XMLCATALOG], [xmlcatalog], [/usr/bin/xmlcatalog])
 AC_PATH_PROG([XSLTPROC], [xsltproc], [/usr/bin/xsltproc])
-
+AC_PATH_PROG([AUGPARSE], [augparse], [/usr/bin/augparse])
 AC_PROG_MKDIR_P
 
 dnl External programs that we can use if they are available.

libvirt.spec.in

@@ -255,6 +255,10 @@ fi
 %dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
+%{_datadir}/augeas/lenses/libvirtd.aug
+%{_datadir}/augeas/lenses/libvirtd_qemu.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd.aug
+%{_datadir}/augeas/lenses/tests/test_libvirtd_qemu.aug
 %if %{with_polkit}
 %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
 %endif

qemud/Makefile.am

@@ -24,6 +24,10 @@ EXTRA_DIST =						\
 	libvirtd.policy					\
 	libvirtd.sasl					\
 	libvirtd.sysconf				\
+	libvirtd.aug                                    \
+	libvirtd_qemu.aug                               \
+	test_libvirtd.aug                               \
+	test_libvirtd_qemu.aug                          \
 	$(AVAHI_SOURCES)				\
 	$(DAEMON_SOURCES)
 
@@ -56,6 +60,12 @@ sbin_PROGRAMS = libvirtd
 confdir = $(sysconfdir)/libvirt/
 conf_DATA = libvirtd.conf
 
+augeasdir = $(datadir)/augeas/lenses
+augeas_DATA = libvirtd.aug libvirtd_qemu.aug
+
+augeastestsdir = $(datadir)/augeas/lenses/tests
+augeastests_DATA = test_libvirtd.aug test_libvirtd_qemu.aug
+
 libvirtd_SOURCES = $(DAEMON_SOURCES)
 
 #-D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_POSIX_C_SOURCE=199506L
@@ -172,6 +182,9 @@ libvirtd.init: libvirtd.init.in
 	chmod a+x $@-t
 	mv $@-t $@
 
+check-local:
+	test -x $(AUGPARSE) && $(AUGPARSE) -I $(srcdir) test_libvirtd.aug
+
 else
 
 install-init:

qemud/libvirtd.aug

@@ -0,0 +1,69 @@
+(* /etc/libvirt/libvirtd.conf *)
+
+module Libvirtd =
+   autoload xfm
+
+   let eol   = del /[ \t]*\n/ "\n"
+   let value_sep   = del /[ \t]*=[ \t]*/  " = "
+   let indent = del /[ \t]*/ ""
+
+   let array_sep  = del /,[ \t\n]*/ ", "
+   let array_start = del /\[[ \t\n]*/ "[ "
+   let array_end = del /\]/ "]"
+
+   let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
+   let bool_val = store /0|1/
+   let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
+   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+
+   let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
+   let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
+   let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+
+
+   (* Config entry grouped by function - same order as example config *)
+   let network_entry = bool_entry "listen_tls"
+                     | bool_entry "listen_tcp"
+                     | str_entry "tls_port"
+                     | str_entry "tcp_port"
+                     | str_entry "listen_addr"
+                     | bool_entry "mdns_adv"
+                     | str_entry "mdns_name"
+
+   let sock_acl_entry = str_entry "unix_sock_group"
+                      | str_entry "unix_sock_ro_perms"
+                      | str_entry "unix_sock_rw_perms"
+
+   let authentication_entry = str_entry "auth_unix_ro"
+                            | str_entry "auth_unix_rw"
+                            | str_entry "auth_tcp"
+                            | str_entry "auth_tls"
+
+   let certificate_entry = str_entry "key_file"
+                         | str_entry "cert_file"
+                         | str_entry "ca_file"
+                         | str_entry "crl_file"
+
+   let authorization_entry = bool_entry "tls_no_verify_certificate"
+                           | str_array_entry "tls_allowed_dn_list"
+                           | str_array_entry "sasl_allowed_username_list"
+
+
+   (* Each enty in the config is one of the following three ... *)
+   let entry = network_entry
+             | sock_acl_entry
+             | authentication_entry
+             | certificate_entry
+             | authorization_entry
+   let comment = [ label "#comment" . del /#[ \t]*/ "# " .  store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
+   let empty = [ label "#empty" . eol ]
+
+   let record = indent . entry . eol
+
+   let lns = ( record | comment | empty ) *
+
+   let filter = incl "/etc/libvirt/libvirtd.conf"
+              . Util.stdexcl
+
+   let xfm = transform lns filter
+

qemud/libvirtd_qemu.aug

@@ -0,0 +1,43 @@
+(* /etc/libvirt/qemu.conf *)
+
+module Libvirtd_qemu =
+   autoload xfm
+
+   let eol   = del /[ \t]*\n/ "\n"
+   let value_sep   = del /[ \t]*=[ \t]*/  " = "
+   let indent = del /[ \t]*/ ""
+
+   let array_sep  = del /,[ \t\n]*/ ", "
+   let array_start = del /\[[ \t\n]*/ "[ "
+   let array_end = del /\]/ "]"
+
+   let str_val = del /\"/ "\"" . store /[^\"]*/ . del /\"/ "\""
+   let bool_val = store /0|1/
+   let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
+   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+
+   let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
+   let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
+   let str_array_entry (kw:string) = [ key kw . value_sep . str_array_val ]
+
+
+   (* Config entry grouped by function - same order as example config *)
+   let vnc_entry = str_entry "vnc_listen"
+                 | bool_entry "vnc_tls"
+                 | str_entry "vnc_tls_x509_cert_dir"
+                 | bool_entry "vnc_tls_x509_verify"
+
+   (* Each enty in the config is one of the following three ... *)
+   let entry = vnc_entry
+   let comment = [ label "#comment" . del /#[ \t]*/ "# " .  store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
+   let empty = [ label "#empty" . eol ]
+
+   let record = indent . entry . eol
+
+   let lns = ( record | comment | empty ) *
+
+   let filter = incl "/etc/libvirt/qemu.conf"
+              . Util.stdexcl
+
+   let xfm = transform lns filter
+

qemud/test_libvirtd.aug

@@ -0,0 +1,463 @@
+module Test_libvirtd =
+   let conf = "# Master libvirt daemon configuration file
+#
+# For further information consult http://libvirt.org/format.html
+
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+tls_port = \"16514\"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+tcp_port = \"16509\"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+listen_addr = \"192.168.0.1\"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is enabled by default, uncomment this to disable it
+mdns_adv = 0
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is \"Virtualization Host HOSTNAME\", where HOSTNAME
+# is subsituted for the short hostname of the machine (without domain)
+#
+mdns_name = \"Virtualization Host Joe Demo\"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+unix_sock_group = \"libvirt\"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership may want to
+# restrict this to:
+unix_sock_ro_perms = \"0777\"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control then you may want to relax this to:
+unix_sock_rw_perms = \"0770\"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+#  - none: do not perform auth checks. If you can connect to the
+#          socket you are allowed. This is suitable if there are
+#          restrictions on connecting to the socket (eg, UNIX
+#          socket permissions), or if there is a lower layer in
+#          the network providing auth (eg, TLS/x509 certificates)
+#
+#  - sasl: use SASL infrastructure. The actual auth scheme is then
+#          controlled from /etc/sasl2/libvirt.conf. For the TCP
+#          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+#          For non-TCP or TLS sockets,  any scheme is allowed.
+#
+#  - polkit: use PolicyKit to authenticate. This is only suitable
+#            for use on the UNIX sockets. The default policy will
+#            require a user to supply their own password to gain
+#            full read/write access (aka sudo like), while anyone
+#            is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = \"none\"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = \"none\"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+auth_tcp = \"sasl\"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+auth_tls = \"none\"
+
+
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+
+# Override the default server key file path
+#
+key_file = \"/etc/pki/libvirt/private/serverkey.pem\"
+
+# Override the default server certificate file path
+#
+cert_file = \"/etc/pki/libvirt/servercert.pem\"
+
+# Override the default CA certificate path
+#
+ca_file = \"/etc/pki/CA/cacert.pem\"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+crl_file = \"/etc/pki/CA/crl.pem\"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509  Distinguished Names
+# This list may contain wildcards such as
+#
+#    \"C=GB,ST=London,L=London,O=Red Hat,CN=*\"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+   tls_allowed_dn_list = [\"DN1\", \"DN2\"]
+
+
+# A whitelist of allowed SASL usernames. The format for usernames
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+#    \"*@EXAMPLE.COM\"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+sasl_allowed_username_list = [
+  \"joe@EXAMPLE.COM\",
+  \"fred@EXAMPLE.COM\"
+]
+"
+
+   test Libvirtd.lns get conf =
+        { "#comment" = "Master libvirt daemon configuration file" }
+        { "#comment" = "" }
+        { "#comment" = "For further information consult http://libvirt.org/format.html" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################" }
+        { "#comment" = "" }
+        { "#comment" = "Network connectivity controls" }
+        { "#comment" = "" }
+        { "#empty" }
+        { "#comment" = "Flag listening for secure TLS connections on the public TCP/IP port." }
+        { "#comment" = "NB, must pass the --listen flag to the libvirtd process for this to" }
+        { "#comment" = "have any effect." }
+        { "#comment" = "" }
+        { "#comment" = "It is necessary to setup a CA and issue server certificates before" }
+        { "#comment" = "using this capability." }
+        { "#comment" = "" }
+        { "#comment" = "This is enabled by default, uncomment this to disable it" }
+        { "listen_tls" = "0" }
+        { "#empty" }
+        { "#comment" = "Listen for unencrypted TCP connections on the public TCP/IP port." }
+        { "#comment" = "NB, must pass the --listen flag to the libvirtd process for this to" }
+        { "#comment" = "have any effect." }
+        { "#comment" = "" }
+        { "#comment" = "Using the TCP socket requires SASL authentication by default. Only" }
+        { "#comment" = "SASL mechanisms which support data encryption are allowed. This is" }
+        { "#comment" = "DIGEST_MD5 and GSSAPI (Kerberos5)" }
+        { "#comment" = "" }
+        { "#comment" = "This is disabled by default, uncomment this to enable it." }
+        { "listen_tcp" = "1" }
+        { "#empty" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "Override the port for accepting secure TLS connections" }
+        { "#comment" = "This can be a port number, or service name" }
+        { "#comment" = "" }
+        { "tls_port" = "16514" }
+        { "#empty" }
+        { "#comment" = "Override the port for accepting insecure TCP connections" }
+        { "#comment" = "This can be a port number, or service name" }
+        { "#comment" = "" }
+        { "tcp_port" = "16509" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "Override the default configuration which binds to all network" }
+        { "#comment" = "interfaces. This can be a numeric IPv4/6 address, or hostname" }
+        { "#comment" = "" }
+        { "listen_addr" = "192.168.0.1" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "Flag toggling mDNS advertizement of the libvirt service." }
+        { "#comment" = "" }
+        { "#comment" = "Alternatively can disable for all services on a host by" }
+        { "#comment" = "stopping the Avahi daemon" }
+        { "#comment" = "" }
+        { "#comment" = "This is enabled by default, uncomment this to disable it" }
+        { "mdns_adv" = "0" }
+        { "#empty" }
+        { "#comment" = "Override the default mDNS advertizement name. This must be" }
+        { "#comment" = "unique on the immediate broadcast network." }
+        { "#comment" = "" }
+        { "#comment" = "The default is \"Virtualization Host HOSTNAME\", where HOSTNAME" }
+        { "#comment" = "is subsituted for the short hostname of the machine (without domain)" }
+        { "#comment" = "" }
+        { "mdns_name" = "Virtualization Host Joe Demo" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################" }
+        { "#comment" = "" }
+        { "#comment" = "UNIX socket access controls" }
+        { "#comment" = "" }
+        { "#empty" }
+        { "#comment" = "Set the UNIX domain socket group ownership. This can be used to" }
+        { "#comment" = "allow a 'trusted' set of users access to management capabilities" }
+        { "#comment" = "without becoming root." }
+        { "#comment" = "" }
+        { "#comment" = "This is restricted to 'root' by default." }
+        { "unix_sock_group" = "libvirt" }
+        { "#empty" }
+        { "#comment" = "Set the UNIX socket permissions for the R/O socket. This is used" }
+        { "#comment" = "for monitoring VM status only" }
+        { "#comment" = "" }
+        { "#comment" = "Default allows any user. If setting group ownership may want to" }
+        { "#comment" = "restrict this to:" }
+        { "unix_sock_ro_perms" = "0777" }
+        { "#empty" }
+        { "#comment" = "Set the UNIX socket permissions for the R/W socket. This is used" }
+        { "#comment" = "for full management of VMs" }
+        { "#comment" = "" }
+        { "#comment" = "Default allows only root. If PolicyKit is enabled on the socket," }
+        { "#comment" = "the default will change to allow everyone (eg, 0777)" }
+        { "#comment" = "" }
+        { "#comment" = "If not using PolicyKit and setting group ownership for access" }
+        { "#comment" = "control then you may want to relax this to:" }
+        { "unix_sock_rw_perms" = "0770" }
+        { "#empty" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################" }
+        { "#comment" = "" }
+        { "#comment" = "Authentication." }
+        { "#comment" = "" }
+        { "#comment" = "- none: do not perform auth checks. If you can connect to the" }
+        { "#comment" = "socket you are allowed. This is suitable if there are" }
+        { "#comment" = "restrictions on connecting to the socket (eg, UNIX" }
+        { "#comment" = "socket permissions), or if there is a lower layer in" }
+        { "#comment" = "the network providing auth (eg, TLS/x509 certificates)" }
+        { "#comment" = "" }
+        { "#comment" = "- sasl: use SASL infrastructure. The actual auth scheme is then" }
+        { "#comment" = "controlled from /etc/sasl2/libvirt.conf. For the TCP" }
+        { "#comment" = "socket only GSSAPI & DIGEST-MD5 mechanisms will be used." }
+        { "#comment" = "For non-TCP or TLS sockets,  any scheme is allowed." }
+        { "#comment" = "" }
+        { "#comment" = "- polkit: use PolicyKit to authenticate. This is only suitable" }
+        { "#comment" = "for use on the UNIX sockets. The default policy will" }
+        { "#comment" = "require a user to supply their own password to gain" }
+        { "#comment" = "full read/write access (aka sudo like), while anyone" }
+        { "#comment" = "is allowed read/only access." }
+        { "#comment" = "" }
+        { "#comment" = "Set an authentication scheme for UNIX read-only sockets" }
+        { "#comment" = "By default socket permissions allow anyone to connect" }
+        { "#comment" = "" }
+        { "#comment" = "To restrict monitoring of domains you may wish to enable" }
+        { "#comment" = "an authentication mechanism here" }
+        { "auth_unix_ro" = "none" }
+        { "#empty" }
+        { "#comment" = "Set an authentication scheme for UNIX read-write sockets" }
+        { "#comment" = "By default socket permissions only allow root. If PolicyKit" }
+        { "#comment" = "support was compiled into libvirt, the default will be to" }
+        { "#comment" = "use 'polkit' auth." }
+        { "#comment" = "" }
+        { "#comment" = "If the unix_sock_rw_perms are changed you may wish to enable" }
+        { "#comment" = "an authentication mechanism here" }
+        { "auth_unix_rw" = "none" }
+        { "#empty" }
+        { "#comment" = "Change the authentication scheme for TCP sockets." }
+        { "#comment" = "" }
+        { "#comment" = "If you don't enable SASL, then all TCP traffic is cleartext." }
+        { "#comment" = "Don't do this outside of a dev/test scenario. For real world" }
+        { "#comment" = "use, always enable SASL and use the GSSAPI or DIGEST-MD5" }
+        { "#comment" = "mechanism in /etc/sasl2/libvirt.conf" }
+        { "auth_tcp" = "sasl" }
+        { "#empty" }
+        { "#comment" = "Change the authentication scheme for TLS sockets." }
+        { "#comment" = "" }
+        { "#comment" = "TLS sockets already have encryption provided by the TLS" }
+        { "#comment" = "layer, and limited authentication is done by certificates" }
+        { "#comment" = "" }
+        { "#comment" = "It is possible to make use of any SASL authentication" }
+        { "#comment" = "mechanism as well, by using 'sasl' for this option" }
+        { "auth_tls" = "none" }
+        { "#empty" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################" }
+        { "#comment" = "" }
+        { "#comment" = "TLS x509 certificate configuration" }
+        { "#comment" = "" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "Override the default server key file path" }
+        { "#comment" = "" }
+        { "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
+        { "#empty" }
+        { "#comment" = "Override the default server certificate file path" }
+        { "#comment" = "" }
+        { "cert_file" = "/etc/pki/libvirt/servercert.pem" }
+        { "#empty" }
+        { "#comment" = "Override the default CA certificate path" }
+        { "#comment" = "" }
+        { "ca_file" = "/etc/pki/CA/cacert.pem" }
+        { "#empty" }
+        { "#comment" = "Specify a certificate revocation list." }
+        { "#comment" = "" }
+        { "#comment" = "Defaults to not using a CRL, uncomment to enable it" }
+        { "crl_file" = "/etc/pki/CA/crl.pem" }
+        { "#empty" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "################################################################" }
+        { "#comment" = "" }
+        { "#comment" = "Authorization controls" }
+        { "#comment" = "" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "Flag to disable verification of client certificates" }
+        { "#comment" = "" }
+        { "#comment" = "Client certificate verification is the primary authentication mechanism." }
+        { "#comment" = "Any client which does not present a certificate signed by the CA" }
+        { "#comment" = "will be rejected." }
+        { "#comment" = "" }
+        { "#comment" = "Default is to always verify. Uncommenting this will disable" }
+        { "#comment" = "verification - make sure an IP whitelist is set" }
+        { "tls_no_verify_certificate" = "1" }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "A whitelist of allowed x509  Distinguished Names" }
+        { "#comment" = "This list may contain wildcards such as" }
+        { "#comment" = "" }
+        { "#comment" = "\"C=GB,ST=London,L=London,O=Red Hat,CN=*\"" }
+        { "#comment" = "" }
+        { "#comment" = "See the POSIX fnmatch function for the format of the wildcards." }
+        { "#comment" = "" }
+        { "#comment" = "NB If this is an empty list, no client can connect, so comment out" }
+        { "#comment" = "entirely rather than using empty list to disable these checks" }
+        { "#comment" = "" }
+        { "#comment" = "By default, no DN's are checked" }
+        { "tls_allowed_dn_list"
+             { "1" = "DN1"}
+             { "2" = "DN2"}
+        }
+        { "#empty" }
+        { "#empty" }
+        { "#comment" = "A whitelist of allowed SASL usernames. The format for usernames" }
+        { "#comment" = "depends on the SASL authentication mechanism. Kerberos usernames" }
+        { "#comment" = "look like username@REALM" }
+        { "#comment" = "" }
+        { "#comment" = "This list may contain wildcards such as" }
+        { "#comment" = "" }
+        { "#comment" = "\"*@EXAMPLE.COM\"" }
+        { "#comment" = "" }
+        { "#comment" = "See the POSIX fnmatch function for the format of the wildcards." }
+        { "#comment" = "" }
+        { "#comment" = "NB If this is an empty list, no client can connect, so comment out" }
+        { "#comment" = "entirely rather than using empty list to disable these checks" }
+        { "#comment" = "" }
+        { "#comment" = "By default, no Username's are checked" }
+        { "sasl_allowed_username_list"
+             { "1" = "joe@EXAMPLE.COM" }
+             { "2" = "fred@EXAMPLE.COM" }
+        }

qemud/test_libvirtd_qemu.aug

@@ -0,0 +1,103 @@
+module Test_libvirtd_qemu =
+
+   let conf = "# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+vnc_listen = \"0.0.0.0\"
+
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+vnc_tls = 1
+
+
+# Use of TLS requires that x509 certificates be issued. The
+# default it to keep them in /etc/pki/libvirt-vnc. This directory
+# must contain
+#
+#  ca-cert.pem - the CA master certificate
+#  server-cert.pem - the server certificate signed with ca-cert.pem
+#  server-key.pem  - the server private key
+#
+# This option allows the certificate directory to be changed
+#
+vnc_tls_x509_cert_dir = \"/etc/pki/libvirt-vnc\"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# and encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing a x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
+#
+vnc_tls_x509_verify = 1
+"
+
+   test Libvirtd_qemu.lns get conf =
+{ "#comment" = "Master configuration file for the QEMU driver." }
+{ "#comment" = "All settings described here are optional - if omitted, sensible" }
+{ "#comment" = "defaults are used." }
+{ "#empty" }
+{ "#comment" = "VNC is configured to listen on 127.0.0.1 by default." }
+{ "#comment" = "To make it listen on all public interfaces, uncomment" }
+{ "#comment" = "this next option." }
+{ "#comment" = "" }
+{ "#comment" = "NB, strong recommendation to enable TLS + x509 certificate" }
+{ "#comment" = "verification when allowing public access" }
+{ "#comment" = "" }
+{ "vnc_listen" = "0.0.0.0" }
+{ "#empty" }
+{ "#empty" }
+{ "#comment" = "Enable use of TLS encryption on the VNC server. This requires" }
+{ "#comment" = "a VNC client which supports the VeNCrypt protocol extension." }
+{ "#comment" = "Examples include vinagre, virt-viewer, virt-manager and vencrypt" }
+{ "#comment" = "itself. UltraVNC, RealVNC, TightVNC do not support this" }
+{ "#comment" = "" }
+{ "#comment" = "It is necessary to setup CA and issue a server certificate" }
+{ "#comment" = "before enabling this." }
+{ "#comment" = "" }
+{ "vnc_tls" = "1" }
+{ "#empty" }
+{ "#empty" }
+{ "#comment" = "Use of TLS requires that x509 certificates be issued. The" }
+{ "#comment" = "default it to keep them in /etc/pki/libvirt-vnc. This directory" }
+{ "#comment" = "must contain" }
+{ "#comment" = "" }
+{ "#comment" = "ca-cert.pem - the CA master certificate" }
+{ "#comment" = "server-cert.pem - the server certificate signed with ca-cert.pem" }
+{ "#comment" = "server-key.pem  - the server private key" }
+{ "#comment" = "" }
+{ "#comment" = "This option allows the certificate directory to be changed" }
+{ "#comment" = "" }
+{ "vnc_tls_x509_cert_dir" = "/etc/pki/libvirt-vnc" }
+{ "#empty" }
+{ "#empty" }
+{ "#comment" = "The default TLS configuration only uses certificates for the server" }
+{ "#comment" = "allowing the client to verify the server's identity and establish" }
+{ "#comment" = "and encrypted channel." }
+{ "#comment" = "" }
+{ "#comment" = "It is possible to use x509 certificates for authentication too, by" }
+{ "#comment" = "issuing a x509 certificate to every client who needs to connect." }
+{ "#comment" = "" }
+{ "#comment" = "Enabling this option will reject any client who does not have a" }
+{ "#comment" = "certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem" }
+{ "#comment" = "" }
+{ "vnc_tls_x509_verify" = "1" }