2007-10-12 19:54:15 +00:00
|
|
|
# Master configuration file for the QEMU driver.
|
|
|
|
# All settings described here are optional - if omitted, sensible
|
|
|
|
# defaults are used.
|
|
|
|
|
|
|
|
# VNC is configured to listen on 127.0.0.1 by default.
|
|
|
|
# To make it listen on all public interfaces, uncomment
|
|
|
|
# this next option.
|
|
|
|
#
|
|
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
|
|
# verification when allowing public access
|
|
|
|
#
|
|
|
|
# vnc_listen = "0.0.0.0"
|
|
|
|
|
|
|
|
|
|
|
|
# Enable use of TLS encryption on the VNC server. This requires
|
|
|
|
# a VNC client which supports the VeNCrypt protocol extension.
|
|
|
|
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
|
|
#
|
2008-03-17 10:27:31 +00:00
|
|
|
# It is necessary to setup CA and issue a server certificate
|
2007-10-12 19:54:15 +00:00
|
|
|
# before enabling this.
|
|
|
|
#
|
|
|
|
# vnc_tls = 1
|
|
|
|
|
|
|
|
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The
|
|
|
|
# default it to keep them in /etc/pki/libvirt-vnc. This directory
|
|
|
|
# must contain
|
|
|
|
#
|
|
|
|
# ca-cert.pem - the CA master certificate
|
|
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
|
|
# server-key.pem - the server private key
|
|
|
|
#
|
|
|
|
# This option allows the certificate directory to be changed
|
|
|
|
#
|
|
|
|
# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
|
|
|
|
|
|
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
|
|
# allowing the client to verify the server's identity and establish
|
2008-02-05 19:27:37 +00:00
|
|
|
# and encrypted channel.
|
2007-10-12 19:54:15 +00:00
|
|
|
#
|
|
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
|
|
# issuing a x509 certificate to every client who needs to connect.
|
2008-02-05 19:27:37 +00:00
|
|
|
#
|
2007-10-12 19:54:15 +00:00
|
|
|
# Enabling this option will reject any client who does not have a
|
|
|
|
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
|
|
|
|
#
|
|
|
|
# vnc_tls_x509_verify = 1
|
2009-01-29 17:50:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
# The default VNC password. Only 8 letters are significant for
|
|
|
|
# VNC passwords. This parameter is only used if the per-domain
|
|
|
|
# XML config does not already provide a password. To allow
|
|
|
|
# access without passwords, leave this commented out. An empty
|
|
|
|
# string will still enable passwords, but be rejected by QEMU
|
|
|
|
# effectively preventing any use of VNC. Obviously change this
|
|
|
|
# example here before you set this
|
|
|
|
#
|
|
|
|
# vnc_password = "XYZ12345"
|
2009-03-03 12:03:44 +00:00
|
|
|
|
|
|
|
|
2009-03-16 13:54:26 +00:00
|
|
|
# Enable use of SASL encryption on the VNC server. This requires
|
|
|
|
# a VNC client which supports the SASL protocol extension.
|
|
|
|
# Examples include vinagre, virt-viewer and virt-manager
|
|
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
|
|
#
|
|
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
|
|
#
|
|
|
|
# vnc_sasl = 1
|
|
|
|
|
|
|
|
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
|
|
# override the configs in this location. Set this parameter to
|
|
|
|
# point to the directory, and create a qemu.conf in that location
|
|
|
|
#
|
|
|
|
# vnc_sasl_dir = "/some/directory/sasl2"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-03-03 12:03:44 +00:00
|
|
|
# The default security driver is SELinux. If SELinux is disabled
|
|
|
|
# on the host, then the security driver will automatically disable
|
|
|
|
# itself. If you wish to disable QEMU SELinux security driver while
|
|
|
|
# leaving SELinux enabled for the host in general, then set this
|
|
|
|
# to 'none' instead
|
|
|
|
#
|
|
|
|
# security_driver = "selinux"
|
2009-07-15 21:25:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
# The user ID for QEMU processes run by the system instance
|
|
|
|
#user = "root"
|
|
|
|
|
|
|
|
# The group ID for QEMU processes run by the system instance
|
|
|
|
#group = "root"
|
2009-07-22 15:08:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
# What cgroup controllers to make use of with QEMU guests
|
|
|
|
#
|
|
|
|
# - 'cpu' - use for schedular tunables
|
|
|
|
# - 'devices' - use for device whitelisting
|
|
|
|
#
|
|
|
|
# NB, even if configured here, they won't be used unless
|
|
|
|
# the adminsitrator has mounted cgroups. eg
|
|
|
|
#
|
|
|
|
# mkdir /dev/cgroup
|
|
|
|
# mount -t cgroup -o devices,cpu none /dev/cgroup
|
|
|
|
#
|
|
|
|
# They can be mounted anywhere, and different controlers
|
|
|
|
# can be mounted in different locations. libvirt will detect
|
|
|
|
# where they are located.
|
|
|
|
#
|
|
|
|
# cgroup_controllers = [ "cpu", "devices" ]
|
|
|
|
|
|
|
|
# This is the basic set of devices allowed / required by
|
|
|
|
# all virtual machines.
|
|
|
|
#
|
|
|
|
# As well as this, any configured block backed disks,
|
|
|
|
# all sound device, and all PTY devices are allowed.
|
|
|
|
#
|
|
|
|
# This will only need setting if newer QEMU suddenly
|
|
|
|
# wants some device we don't already know a bout.
|
|
|
|
#
|
|
|
|
#cgroup_device_acl = [
|
|
|
|
# "/dev/null", "/dev/full", "/dev/zero",
|
|
|
|
# "/dev/random", "/dev/urandom",
|
|
|
|
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
|
|
|
|
# "/dev/rtc", "/dev/hpet", "/dev/net/tun",
|
|
|
|
#]
|