Commit Graph

35 Commits

Author SHA1 Message Date
Ján Tomko 6fab37da59 Prefer https: everywhere where possible
Use https: links for websites that support them.

The URIs which are used as namespace identifiers
are left alone.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-09-01 21:58:46 +02:00
Ján Tomko 4e7a27b610 Prefer https: for Wikipedia links
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-09-01 21:58:45 +02:00
Daniel P. Berrangé bfe9f25b49 docs: move docs about remote driver URIs into URI docs
The docs about remote URIs in uri.html are somewhat sparse with the full
docs being in remote.html. Move all the URI content from remote.html
into uri.html so the user only needs to look in one place for URI info.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-04 15:48:28 +00:00
Daniel P. Berrangé df99aa311a docs: split TLS certificate setup into its own file
The generation and deployment of x509 certificates for TLS is complex
and verbose and thus deserves its own standalone page.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-04 15:48:28 +00:00
Daniel P. Berrangé b18c273a24 remote: enable connecting to the per-driver daemons
Historically URIs handled by the remote driver will always connect to
the libvirtd UNIX socket. There will now be one daemon per driver, and
each of these has its own UNIX sockets to connect to.

It will still be possible to run the traditional monolithic libvirtd
though, which will have the original UNIX socket path.

In addition there is a virproxyd daemon that doesn't run any drivers,
but provides proxying for clients accessing libvirt over IP sockets, or
tunnelling to the legacy libvirtd UNIX socket path.

Finally when running inside a daemon, the remote driver must not reject
connections unconditionally. For example, the QEMU driver needs to be
able to connect to the network driver. The remote driver must thus be
willing to handle connections even when inside the daemon, provided no
local driver is registered.

This refactoring enables the remote driver to be able to connect to the
per-driver daemons. The URI parameter "mode" accepts the values "auto",
"direct" and "legacy" to control which daemons are connected to.

The client side libvirt.conf config file also supports a "remote_mode"
setting which is used if the URI parameter is not set.

If neither the config file or URI parameter set a mode, then "auto"
is used, whereby the client looks to see which sockets actually exist
right now.

The remote driver will only ever spawn the per-driver daemons, or
the legacy libvirtd. It won't ever try to spawn virtproxyd, as
that is only there for IP based connectivity, or for access from
legacy remote clients.

If connecting to a remote host over any kind of ssh tunnel, for now we
must assume only the legacy socket exists. A future patch will introduce
a netcat replacement that is tailored for libvirt to make remote
tunnelling easier.

The configure arg '--with-remote-default-mode=legacy|direct' allows
packagers to set a default at build time. If not given, it will default
to legacy mode.

Eventually the default will switch to direct mode. Distros can choose
to do the switch earlier if desired. The main blocker is testing and
suitable SELinux/AppArmor policies.

Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-08-09 14:06:31 +01:00
Daniel P. Berrangé 5a148ce846 remote: delete the avahi mDNS support
Libvirtd has long had integration with avahi for advertising libvirtd
using mDNS when TCP/TLS listening is enabled. For a long time the
virt-manager application had support for auto-detecting libvirtds
on the local network using mDNS, but this was removed last year

  commit fc8f8d5d7e3ba80a0771df19cf20e84a05ed2422
  Author: Cole Robinson <crobinso@redhat.com>
  Date:   Sat Oct 6 20:55:31 2018 -0400

    connect: Drop avahi support

    Libvirtd can advertise itself over avahi. The feature is disabled by
    default though and in practice I hear of no one actually using it
    and frankly I don't think it's all that useful

    The 'Open Connection' wizard has a disproportionate amount of code
    devoted to this feature, but I don't think it's useful or worth
    maintaining, so let's drop it

I've never heard of any other applications having support for using
mDNS to detect libvirtd instances. Though it is theoretically possible
something exists out there, it is clearly going to be a niche use case
in the virt ecosystem as a whole.

By removing avahi integration we can cut down the dependency chain for
the basic libvirtd install and reduce our code maint burden.

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-21 12:59:42 +01:00
Daniel P. Berrangé a8ea89d258 xen: encourage use of xen:///system URI as preferred format
Historically we have used a bare xen:/// URI for connecting to the
legacy Xen driver. The new libxl Xen driver follows the new practice
of allowing '/system' as a path, as well as bare '/' for compat with
the old Xen driver.

This documents xen:///system as the preferred format for Xen, leaving
xen:/// as an undocumented feature just for back-compat.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-04-12 16:52:01 +01:00
Daniel P. Berrange 25ff8dd29e docs: update instructions for TLS cert generation
Currently we only describe setting the CN field for server certs. This leads
to inevitable pain for users who set it to the fully qualified hostname and
then use a unqualified hostname or IP address to connect in the URI. Describe
the usage of Subject Alt Name extensions, to provide multiple hostnames and
IP addresses. This will help users avoid the classic mistake and is important
future proofing, since at least in browsers, TLS libraries no longer use the
CN field for validation, mandating use of SAN info instead.

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-12-07 09:21:04 +00:00
Daniel P. Berrange b1c81567c7 docs: switch to using HTML5 doctype declaration
The HTML5 doctype is simply

  <!DOCTYPE html>

no DTD is present because HTML5 is no longer defined as an
extension of SGML.

XSL has no way to natively output a doctype without a public
or system identifier, so we have to use an <xsl:text> hack
instead.

See also

  https://dev.w3.org/html5/html-author/#doctype-declaration

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-08-02 17:00:11 +01:00
Daniel P. Berrange 4e42ff6b7e docs: switch to using 'id' attribute instead of 'name' for links
The 'name' attribute on <a...> elements is deprecated in favour
of the 'id' attribute which is allowed on any element. HTML5
drops 'name' support entirely.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-08-02 17:00:11 +01:00
Erik Skultety 9c25d7a4ca docs: Utilize our XSLT list generating template more
Since we do have this template at hand, why not using it wherever
possible (list of supported pool types and remote access section).
Also, perform some stylistic micro adjustments.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
2017-04-24 12:37:37 +02:00
Pino Toscano 9b39a9dcf4 docs: fix default value for sshauth option of libssh2/libssh
Both transports include "password" in their default authentication
methods.
2016-11-15 15:50:51 +01:00
Pino Toscano 22eaee8e01 remote: expose a new libssh transport
Implement in virtNetClient and VirNetSocket the needed functions to
expose a new libssh transport, providing all the options that the
libssh2 transport supports.
2016-11-15 15:50:51 +01:00
Daniel P. Berrange fb2236f9f7 Revert "syntax-check: Enforce <code> inside <dt> elements"
This reverts commit 1f29f3da06.

Assuming <dt> is always used to document symbols is way too
broad, requiring far too many exemptions to be marked to
avoid syntax check rules.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-11-11 12:15:05 +00:00
Daniel P. Berrange c255bc7185 docs: expand docs on user x509 cert locations
The layout in $HOME/.pki is different from that in /etc/pki
but we never tell anyone about this trap. Add docs showing
the required $HOME/.pki layout.
2016-09-19 11:02:26 +01:00
Daniel P. Berrange 416358d99d remote: allow TLS protocol/cipher priority override in URI
Add support for a "tls_priority" URI parameter in remote
driver URIs. eg

 qemu+tls://localhost/session?tls_priority=NORMAL:-VERS-SSL3.0

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-06-08 13:48:45 +01:00
Andrea Bolognani 1f29f3da06 syntax-check: Enforce <code> inside <dt> elements
Commit 61b070cf20 cleaned up a number of cases where the <dt>
element was used to document symbols, but the symbol itself was
not inside a <code> element.

To make sure we don't end up having to clean up again a few
months from now, introduce a syntax-check rule that can spot
such mistakes.

All existing exceptions are marked as such, with either file
or line granularity depending on the case.
2016-04-25 12:09:34 +02:00
Andrea Bolognani 61b070cf20 docs: Use <code> inside <dt> for symbols
Most of the time, the <dt> tag is used when providing
documentation for a symbol; enclose symbols in <code> tags to
style them appropriately.
2016-04-22 10:36:14 +02:00
Nehal J Wani 968a46923a Fix typos in various docs
Fix 8 minor spelling errors in docs/*.html.in
2013-12-02 10:21:26 +08:00
Daniel P. Berrange f2f9742d4d Fix multiple formatting problems in HTML docs
The rule generating the HTML docs passing the --html flag
to xsltproc. This makes it use the legacy HTML parser, which
either ignores or tries to fix all sorts of broken XML tags.
There's no reason why we should be writing broken XML in
the first place, so removing --html and adding the XHTML
doctype to all files forces us to create good XML.

This adds the XHTML doc type and fixes many, many XML tag
problems it exposes.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-05-03 15:56:15 +01:00
Ján Tomko 149c87b49d Various typos and misspellings 2012-10-12 00:03:43 +02:00
Peter Krempa 239c5d7138 libssh2_transport: Add docs to remote.html
Describe the existence of the transport driver and document the
configurable options.
2012-08-24 15:50:20 +02:00
Stef Walter 53e1d56dd4 Change the default of mdns_adv to false
* Don't advertise information on the network without consent of
   the user, either through manual configuration, or a user
   interface that drives this option.
 * Since libvirtd must be configured for network access anyway
   (for all but ssh), this setting was not useful "out of the box",
   so changing this default setting does not remove "out of the box"
   functionality.
2012-03-27 09:54:49 -06:00
Daniel P. Berrange 977ba05973 Add some docs about the RPC protocol and APIs
* remote.html.in: Remove obsolete notes about internals of the
  RPC protocol
* internals/rpc.html.in: Extensive docs on RPC protocol/API
* sitemap.html.in: Add new page
2011-08-12 13:54:10 +01:00
Oskari Saarenmaa 6b01c83a63 remote/ssh: optional "keyfile" parameter.
New optional parameter "keyfile" for ssh transport allows the user to select
the private key to be used to authenticate to the remote host.
2011-07-22 07:49:49 -06:00
Oskari Saarenmaa 9a0e6a8fae remote/ssh: support for no_verify.
Set StrictHostKeyChecking=no to auto-accept new ssh host keys if the
no_verify extra parameter was specified.  This won't disable host key
checking for already known hosts.  Includes a test and documentation.
2011-07-12 15:09:05 +02:00
Doug Goldstein fa4732724e docs: updates to CA cert and client cert/key info
Update the documentation to mention that the CA certificate and the
client cert/key pair can come from the user's location or the global
location independent of each other.

Signed-off-by: Doug Goldstein <cardoe@gentoo.org>
2011-05-10 14:56:53 -06:00
Osier Yang cc4447b68a docs: Add docs for new extra parameter pkipath
* docs/remote.html.in
2011-01-27 20:47:17 -07:00
Matthias Bolte 30b2945595 esx: Add documentation about certificates and connection problems 2010-10-22 22:08:22 +02:00
Justin Clift 5bc4307597 docs: fix the xml validity errors regarding name and id
Got sick of seeing the "validity error : ID Objects already defined"
errors, which this patch addresses.
2010-09-17 00:41:08 +10:00
Matthias Bolte d392f4db9d docs: Remove outdated information about remote limitations 2010-01-20 10:03:17 +01:00
Daniel P. Berrange 3decd4f9f1 Make pki_check.sh into an installed & supported tool
* docs/pki_check.sh: Move to tool/virt-pki-validate.in and add
  in POD man page documentation
* tools/.gitignore: Ignore generated virt-pki-validate file
* tools/Makefile.am: Install & build virt-pki-validate and
  virt-pki-validate.1
* docs/remote.html, docs/remote.html.in: Refer to new tool
  name virt-pki-validate
* libvirt.spec.in, mingw32-libvirt.spec.in: Add virt-pki-validate
  and virt-pki-validate.1 to files list
2009-09-21 14:41:46 +01:00
Daniel Veillard e43d1ae0c6 * NEWS configure.in libvirt.spec.in doc/* include/libvirt/libvirt.h:
release of 0.6.1
* po/*: rebuilt
* AUTHORS: updated to list new contributors
Daniel
2009-03-04 13:17:44 +00:00
Daniel Veillard 1290f50284 Notes on the use of listen_tls/listen_tcp
* docs/remote.html docs/remote.html.in: patch from Kenneth Nagin
  with Notes on the use of listen_tls/listen_tcp
Daniel
2008-05-20 15:55:00 +00:00
Daniel P. Berrange 9092c3d491 Split website out into one file per page. APply new layout and styling 2008-04-23 17:08:31 +00:00