diff --git a/libvirt/manifests/init.pp b/libvirt/manifests/init.pp index 4ae0614..b985724 100644 --- a/libvirt/manifests/init.pp +++ b/libvirt/manifests/init.pp @@ -6,11 +6,10 @@ class libvirt::client { realize(User["qemu"], Group["qemu"]) file { "/var/lib/qemu": - ensure => directory, - mode => "0700", - owner => "qemu", - group => "qemu", - require => [ User["qemu"], Group["qemu"], ], + ensure => directory, + mode => "0700", + owner => "qemu", + group => "qemu", } case $::operatingsystem { @@ -76,23 +75,20 @@ class libvirt::kvm inherits libvirt::client { "centos","redhat": { case $::operatingsystemrelease { /^5\./: { - package { ["kvm", "kmod-kvm"]: - ensure => installed, - before => Service["libvirtd"], - require => [ User["qemu"], Group["qemu"] ], - } + $package = [ "kvm", "kmod-kvm" ] + } + /^6\./: { + $package = [ "qemu-kvm", "ruby-libvirt" ] } default: { - package { "qemu-kvm": - ensure => installed, - before => Service["libvirtd"], - require => [ User["qemu"], Group["qemu"] ], - } - package { "ruby-libvirt": - ensure => installed, - } + $package = [ "qemu-kvm", "rubygem-ruby-libvirt", "virt-install" ] } } + package { $package: + ensure => installed, + before => Service["libvirtd"], + require => User["qemu"], + } file { "/etc/sysconfig/libvirt-guests": ensure => present, mode => "0644", @@ -106,7 +102,7 @@ class libvirt::kvm inherits libvirt::client { package { "qemu-kvm": ensure => installed, before => Service["libvirtd"], - require => [ User["qemu"], Group["qemu"] ], + require => User["qemu"], } package { "ruby-libvirt": ensure => installed, @@ -117,12 +113,16 @@ class libvirt::kvm inherits libvirt::client { } } - file { "/etc/libvirt/libvirtd.conf": - ensure => present, - mode => "0644", - owner => "root", - group => "root", - content => template("libvirt/libvirtd.conf.erb"), + augeas { "libvirtd.conf": + incl => "/etc/libvirt/libvirtd.conf", + lens => "Simplevars.lns", + changes => [ + "set unix_sock_group '\"${admingroup}\"'", + "set unix_sock_ro_perms '\"0770\"'", + "set unix_sock_rw_perms '\"0770\"'", + "set auth_unix_ro '\"none\"'", + "set auth_unix_rw '\"none\"'", + ], require => Package["libvirt"], notify => Service["libvirtd"], } diff --git a/libvirt/templates/libvirtd.conf.erb b/libvirt/templates/libvirtd.conf.erb deleted file mode 100644 index 501cbb5..0000000 --- a/libvirt/templates/libvirtd.conf.erb +++ /dev/null @@ -1,327 +0,0 @@ -# Master libvirt daemon configuration file -# -# For further information consult http://libvirt.org/format.html -# -# NOTE: the tests/daemon-conf regression test script requires -# that each "PARAMETER = VALUE" line in this file have the parameter -# name just after a leading "#". - -################################################################# -# -# Network connectivity controls -# - -# Flag listening for secure TLS connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# It is necessary to setup a CA and issue server certificates before -# using this capability. -# -# This is enabled by default, uncomment this to disable it -#listen_tls = 0 - -# Listen for unencrypted TCP connections on the public TCP/IP port. -# NB, must pass the --listen flag to the libvirtd process for this to -# have any effect. -# -# Using the TCP socket requires SASL authentication by default. Only -# SASL mechanisms which support data encryption are allowed. This is -# DIGEST_MD5 and GSSAPI (Kerberos5) -# -# This is disabled by default, uncomment this to enable it. -#listen_tcp = 1 - - - -# Override the port for accepting secure TLS connections -# This can be a port number, or service name -# -#tls_port = "16514" - -# Override the port for accepting insecure TCP connections -# This can be a port number, or service name -# -#tcp_port = "16509" - - -# Override the default configuration which binds to all network -# interfaces. This can be a numeric IPv4/6 address, or hostname -# -#listen_addr = "192.168.0.1" - - -# Flag toggling mDNS advertizement of the libvirt service. -# -# Alternatively can disable for all services on a host by -# stopping the Avahi daemon -# -# This is enabled by default, uncomment this to disable it -#mdns_adv = 0 - -# Override the default mDNS advertizement name. This must be -# unique on the immediate broadcast network. -# -# The default is "Virtualization Host HOSTNAME", where HOSTNAME -# is subsituted for the short hostname of the machine (without domain) -# -#mdns_name = "Virtualization Host Joe Demo" - - -################################################################# -# -# UNIX socket access controls -# - -# Set the UNIX domain socket group ownership. This can be used to -# allow a 'trusted' set of users access to management capabilities -# without becoming root. -# -# This is restricted to 'root' by default. -unix_sock_group = "<%= @libvirt_admingroup %>" - -# Set the UNIX socket permissions for the R/O socket. This is used -# for monitoring VM status only -# -# Default allows any user. If setting group ownership may want to -# restrict this to: -unix_sock_ro_perms = "0770" - -# Set the UNIX socket permissions for the R/W socket. This is used -# for full management of VMs -# -# Default allows only root. If PolicyKit is enabled on the socket, -# the default will change to allow everyone (eg, 0777) -# -# If not using PolicyKit and setting group ownership for access -# control then you may want to relax this to: -unix_sock_rw_perms = "0770" - -# Set the name of the directory in which sockets will be found/created. -#unix_sock_dir = "/var/run/libvirt" - -################################################################# -# -# Authentication. -# -# - none: do not perform auth checks. If you can connect to the -# socket you are allowed. This is suitable if there are -# restrictions on connecting to the socket (eg, UNIX -# socket permissions), or if there is a lower layer in -# the network providing auth (eg, TLS/x509 certificates) -# -# - sasl: use SASL infrastructure. The actual auth scheme is then -# controlled from /etc/sasl2/libvirt.conf. For the TCP -# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. -# For non-TCP or TLS sockets, any scheme is allowed. -# -# - polkit: use PolicyKit to authenticate. This is only suitable -# for use on the UNIX sockets. The default policy will -# require a user to supply their own password to gain -# full read/write access (aka sudo like), while anyone -# is allowed read/only access. -# -# Set an authentication scheme for UNIX read-only sockets -# By default socket permissions allow anyone to connect -# -# To restrict monitoring of domains you may wish to enable -# an authentication mechanism here -auth_unix_ro = "none" - -# Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. If PolicyKit -# support was compiled into libvirt, the default will be to -# use 'polkit' auth. -# -# If the unix_sock_rw_perms are changed you may wish to enable -# an authentication mechanism here -auth_unix_rw = "none" - -# Change the authentication scheme for TCP sockets. -# -# If you don't enable SASL, then all TCP traffic is cleartext. -# Don't do this outside of a dev/test scenario. For real world -# use, always enable SASL and use the GSSAPI or DIGEST-MD5 -# mechanism in /etc/sasl2/libvirt.conf -#auth_tcp = "sasl" - -# Change the authentication scheme for TLS sockets. -# -# TLS sockets already have encryption provided by the TLS -# layer, and limited authentication is done by certificates -# -# It is possible to make use of any SASL authentication -# mechanism as well, by using 'sasl' for this option -#auth_tls = "none" - - - -################################################################# -# -# TLS x509 certificate configuration -# - - -# Override the default server key file path -# -#key_file = "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -#cert_file = "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -#ca_file = "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -#crl_file = "/etc/pki/CA/crl.pem" - - - -################################################################# -# -# Authorization controls -# - - -# Flag to disable verification of client certificates -# -# Client certificate verification is the primary authentication mechanism. -# Any client which does not present a certificate signed by the CA -# will be rejected. -# -# Default is to always verify. Uncommenting this will disable -# verification - make sure an IP whitelist is set -#tls_no_verify_certificate = 1 - - -# A whitelist of allowed x509 Distinguished Names -# This list may contain wildcards such as -# -# "C=GB,ST=London,L=London,O=Red Hat,CN=*" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no DN's are checked -#tls_allowed_dn_list = ["DN1", "DN2"] - - -# A whitelist of allowed SASL usernames. The format for usernames -# depends on the SASL authentication mechanism. Kerberos usernames -# look like username@REALM -# -# This list may contain wildcards such as -# -# "*@EXAMPLE.COM" -# -# See the POSIX fnmatch function for the format of the wildcards. -# -# NB If this is an empty list, no client can connect, so comment out -# entirely rather than using empty list to disable these checks -# -# By default, no Username's are checked -#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] - - - -################################################################# -# -# Processing controls -# - -# The maximum number of concurrent client connections to allow -# over all sockets combined. -#max_clients = 20 - - -# The minimum limit sets the number of workers to start up -# initially. If the number of active clients exceeds this, -# then more threads are spawned, upto max_workers limit. -# Typically you'd want max_workers to equal maximum number -# of clients allowed -#min_workers = 5 -#max_workers = 20 - -# Total global limit on concurrent RPC calls. Should be -# at least as large as max_workers. Beyond this, RPC requests -# will be read into memory and queued. This directly impact -# memory usage, currently each request requires 256 KB of -# memory. So by default upto 5 MB of memory is used -# -# XXX this isn't actually enforced yet, only the per-client -# limit is used so far -#max_requests = 20 - -# Limit on concurrent requests from a single client -# connection. To avoid one client monopolizing the server -# this should be a small fraction of the global max_requests -# and max_workers parameter -#max_client_requests = 5 - -################################################################# -# -# Logging controls -# - -# Logging level: 4 errors, 3 warnings, 2 informations, 1 debug -# basically 1 will log everything possible -#log_level = 3 - -# Logging filters: -# A filter allows to select a different logging level for a given category -# of logs -# The format for a filter is: -# x:name -# where name is a match string e.g. remote or qemu -# the x prefix is the minimal level where matching messages should be logged -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple filter can be defined in a single @filters, they just need to be -# separated by spaces. -# -# e.g: -# log_filters="3:remote 4:event" -# to only get warning or errors from the remote layer and only errors from -# the event layer. - -# Logging outputs: -# An output is one of the places to save logging informations -# The format for an output can be: -# x:stderr -# output goes to stderr -# x:syslog:name -# use syslog for the output and use the given name as the ident -# x:file:file_path -# output to a file, with the given filepath -# In all case the x prefix is the minimal level, acting as a filter -# 1: DEBUG -# 2: INFO -# 3: WARNING -# 4: ERROR -# -# Multiple output can be defined, they just need to be separated by spaces. -# e.g.: -# log_outputs="3:syslog:libvirtd" -# to log all warnings and errors to syslog under the libvirtd ident - -# UUID of the host: -# Provide the UUID of the host here in case the command -# 'dmidecode -s system-uuid' does not provide a valid uuid. In case -# 'dmidecode' does not provide a valid UUID and none is provided here, a -# temporary UUID will be generated. -# Keep the format of the example UUID below. UUID must not have all digits -# be the same. - -# NB This default all-zeros UUID will not work. Replace -# it with the output of the 'uuidgen' command and then -# uncomment this entry -#host_uuid = "00000000-0000-0000-0000-000000000000"