2007-10-12 19:54:15 +00:00
|
|
|
# Master configuration file for the QEMU driver.
|
|
|
|
# All settings described here are optional - if omitted, sensible
|
|
|
|
# defaults are used.
|
|
|
|
|
|
|
|
# VNC is configured to listen on 127.0.0.1 by default.
|
|
|
|
# To make it listen on all public interfaces, uncomment
|
|
|
|
# this next option.
|
|
|
|
#
|
|
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
|
|
# verification when allowing public access
|
|
|
|
#
|
|
|
|
# vnc_listen = "0.0.0.0"
|
|
|
|
|
|
|
|
|
|
|
|
# Enable use of TLS encryption on the VNC server. This requires
|
|
|
|
# a VNC client which supports the VeNCrypt protocol extension.
|
|
|
|
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
|
|
#
|
2008-03-17 10:27:31 +00:00
|
|
|
# It is necessary to setup CA and issue a server certificate
|
2007-10-12 19:54:15 +00:00
|
|
|
# before enabling this.
|
|
|
|
#
|
|
|
|
# vnc_tls = 1
|
|
|
|
|
|
|
|
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The
|
|
|
|
# default it to keep them in /etc/pki/libvirt-vnc. This directory
|
|
|
|
# must contain
|
|
|
|
#
|
|
|
|
# ca-cert.pem - the CA master certificate
|
|
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
|
|
# server-key.pem - the server private key
|
|
|
|
#
|
|
|
|
# This option allows the certificate directory to be changed
|
|
|
|
#
|
|
|
|
# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
|
|
|
|
|
|
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
|
|
# allowing the client to verify the server's identity and establish
|
2008-02-05 19:27:37 +00:00
|
|
|
# and encrypted channel.
|
2007-10-12 19:54:15 +00:00
|
|
|
#
|
|
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
|
|
# issuing a x509 certificate to every client who needs to connect.
|
2008-02-05 19:27:37 +00:00
|
|
|
#
|
2007-10-12 19:54:15 +00:00
|
|
|
# Enabling this option will reject any client who does not have a
|
|
|
|
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
|
|
|
|
#
|
|
|
|
# vnc_tls_x509_verify = 1
|
2009-01-29 17:50:00 +00:00
|
|
|
|
|
|
|
|
|
|
|
# The default VNC password. Only 8 letters are significant for
|
|
|
|
# VNC passwords. This parameter is only used if the per-domain
|
|
|
|
# XML config does not already provide a password. To allow
|
|
|
|
# access without passwords, leave this commented out. An empty
|
|
|
|
# string will still enable passwords, but be rejected by QEMU
|
|
|
|
# effectively preventing any use of VNC. Obviously change this
|
|
|
|
# example here before you set this
|
|
|
|
#
|
|
|
|
# vnc_password = "XYZ12345"
|
2009-03-03 12:03:44 +00:00
|
|
|
|
|
|
|
|
2009-03-16 13:54:26 +00:00
|
|
|
# Enable use of SASL encryption on the VNC server. This requires
|
|
|
|
# a VNC client which supports the SASL protocol extension.
|
|
|
|
# Examples include vinagre, virt-viewer and virt-manager
|
|
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
|
|
#
|
|
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
|
|
#
|
|
|
|
# vnc_sasl = 1
|
|
|
|
|
|
|
|
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
|
|
# override the configs in this location. Set this parameter to
|
|
|
|
# point to the directory, and create a qemu.conf in that location
|
|
|
|
#
|
|
|
|
# vnc_sasl_dir = "/some/directory/sasl2"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2009-03-03 12:03:44 +00:00
|
|
|
# The default security driver is SELinux. If SELinux is disabled
|
|
|
|
# on the host, then the security driver will automatically disable
|
|
|
|
# itself. If you wish to disable QEMU SELinux security driver while
|
|
|
|
# leaving SELinux enabled for the host in general, then set this
|
|
|
|
# to 'none' instead
|
|
|
|
#
|
|
|
|
# security_driver = "selinux"
|
2009-07-15 21:25:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
# The user ID for QEMU processes run by the system instance
|
|
|
|
#user = "root"
|
|
|
|
|
|
|
|
# The group ID for QEMU processes run by the system instance
|
|
|
|
#group = "root"
|
2009-07-22 15:08:04 +00:00
|
|
|
|
|
|
|
|
|
|
|
# What cgroup controllers to make use of with QEMU guests
|
|
|
|
#
|
|
|
|
# - 'cpu' - use for schedular tunables
|
|
|
|
# - 'devices' - use for device whitelisting
|
|
|
|
#
|
|
|
|
# NB, even if configured here, they won't be used unless
|
|
|
|
# the adminsitrator has mounted cgroups. eg
|
|
|
|
#
|
|
|
|
# mkdir /dev/cgroup
|
|
|
|
# mount -t cgroup -o devices,cpu none /dev/cgroup
|
|
|
|
#
|
|
|
|
# They can be mounted anywhere, and different controlers
|
|
|
|
# can be mounted in different locations. libvirt will detect
|
|
|
|
# where they are located.
|
|
|
|
#
|
|
|
|
# cgroup_controllers = [ "cpu", "devices" ]
|
|
|
|
|
|
|
|
# This is the basic set of devices allowed / required by
|
|
|
|
# all virtual machines.
|
|
|
|
#
|
|
|
|
# As well as this, any configured block backed disks,
|
|
|
|
# all sound device, and all PTY devices are allowed.
|
|
|
|
#
|
|
|
|
# This will only need setting if newer QEMU suddenly
|
|
|
|
# wants some device we don't already know a bout.
|
|
|
|
#
|
|
|
|
#cgroup_device_acl = [
|
|
|
|
# "/dev/null", "/dev/full", "/dev/zero",
|
|
|
|
# "/dev/random", "/dev/urandom",
|
|
|
|
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
|
|
|
|
# "/dev/rtc", "/dev/hpet", "/dev/net/tun",
|
|
|
|
#]
|
Compressed save image format for Qemu.
Implement a compressed save image format for qemu. While ideally
we would have the choice between compressed/non-compressed
available to the libvirt API, unfortunately there is no "flags"
parameter to the virDomainSave() API. Therefore, implement this
as a qemu.conf option. gzip, bzip2, and lzma are implemented, and
it should be very easy to implement additional compression
methods.
One open question is if/how we should detect the compression
binaries. One way to do it is to do compile-time setting of the
paths (via configure.in), but that doesn't seem like a great thing
to do. My preferred solution is not to detect at all;
when we go to run the commands that need them, if they
aren't available, or aren't available in one of the standard paths,
then we'll fail. That's also the solution implemented in this patch.
In the future, we'll have a more robust (managed) save/restore API,
at which time we can expose this functionality properly in the API.
V2: get rid of redundant dd command and just use >> to append data.
V3: Add back the missing pieces for the enum and bumping the save version.
V4: Make the compressed field in the save_header an int.
Implement LZMA compression.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
2009-08-07 11:34:05 +00:00
|
|
|
|
|
|
|
# The default format for Qemu/KVM guest save images is raw; that is, the
|
|
|
|
# memory from the domain is dumped out directly to a file. If you have
|
|
|
|
# guests with a large amount of memory, however, this can take up quite
|
|
|
|
# a bit of space. If you would like to compress the images while they
|
2009-08-28 18:13:47 +00:00
|
|
|
# are being saved to disk, you can also set "gzip", "bzip2", "lzma"
|
|
|
|
# or "lzop" for save_image_format. Note that this means you slow down
|
|
|
|
# the process of saving a domain in order to save disk space.
|
Compressed save image format for Qemu.
Implement a compressed save image format for qemu. While ideally
we would have the choice between compressed/non-compressed
available to the libvirt API, unfortunately there is no "flags"
parameter to the virDomainSave() API. Therefore, implement this
as a qemu.conf option. gzip, bzip2, and lzma are implemented, and
it should be very easy to implement additional compression
methods.
One open question is if/how we should detect the compression
binaries. One way to do it is to do compile-time setting of the
paths (via configure.in), but that doesn't seem like a great thing
to do. My preferred solution is not to detect at all;
when we go to run the commands that need them, if they
aren't available, or aren't available in one of the standard paths,
then we'll fail. That's also the solution implemented in this patch.
In the future, we'll have a more robust (managed) save/restore API,
at which time we can expose this functionality properly in the API.
V2: get rid of redundant dd command and just use >> to append data.
V3: Add back the missing pieces for the enum and bumping the save version.
V4: Make the compressed field in the save_header an int.
Implement LZMA compression.
Signed-off-by: Chris Lalancette <clalance@redhat.com>
2009-08-07 11:34:05 +00:00
|
|
|
#
|
|
|
|
# save_image_format = "raw"
|