Commit Graph

111 Commits

Author SHA1 Message Date
Fangge Jin
4e66123f89 qemu.conf: Re-word the description for *_tls_x509_verify
The original descirption for *_tls_x509_verify is a little misleading
by saying that "Enabling this option will reject any client who does
not have a ca-cert.pem certificate".

Signed-off-by: Fangge Jin <fjin@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-10-09 10:18:45 +02:00
Peter Krempa
d37a2cd5ed qemu: conf: Add configuration of TLS environment for NBD transport of pull-backups
TLS is required to transport backed-up data securely when using
pull-mode backups.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-07-07 12:58:19 +02:00
Peter Krempa
470d322e0c qemu: conf: Add configuration of TLS key encryption for 'vxhs' and 'nbd' disks
Until now libvirt didn't allow using encrypted TLS key for disk clients.

Add fields for configuring the secret and propagate defaults.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-07-07 12:58:19 +02:00
Peter Krempa
72fdba7ffd qemu.conf: Remove misleading mention of 'migrate_tls'
There's no such parameter. Reword the sentence to account for enabling
TLS-encrypted migration using API flags.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
2020-07-07 12:58:18 +02:00
Daniel P. Berrangé
11fc562951 cgroup: remove use of the term 'whitelist' from cgroup code
The term "access control list" better describes the concept involved.

Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-06-26 15:37:51 +01:00
Ján Tomko
be611aa4de qemu: conf: fix stray comma
The qemu.conf change broke our augeas test:

qemu/test_libvirtd_qemu.aug:96.3-203.1:exception thrown in test
qemu/test_libvirtd_qemu.aug:96.8-.34:exception: Iterated lens matched less than it should
    Lens: ../../src/qemu/libvirtd_qemu.aug:170.13-.43:
      Last match: ../../src/qemu/libvirtd_qemu.aug:18.52-.113:
      Not matching: ../../src/qemu/libvirtd_qemu.aug:12.19-.31:
    Error encountered at 48:27 (1615 characters into string)
    <\n    "/dev/ptmx", "/dev/kvm"|=|,\n]\nsave_image_format = "raw>

Fixes: ab5ba57012
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2020-05-19 10:59:33 +02:00
Paolo Bonzini
ab5ba57012 qemu: do not allow /dev/rtc or /dev/hpet access via the devices cgroup
The RTC and HPET modes for the QEMU emulation tick have been dropped
almost 9 years ago, in commit 25f3151ece1d5881826232bebccc21b588d4e03e.
Do not allow them in the devices cgroup policy.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-05-19 10:04:06 +02:00
Marc-André Lureau
6f3bc53407 qemu-conf: add configurable dbus-daemon location
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2020-03-24 15:57:33 +01:00
Ján Tomko
f04319a544 qemu: add virtiofsd_debug to qemu.conf
Add a 'virtiofsd_debug' option for tuning whether to run virtiofsd
in debug mode.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Tested-by: Andrea Bolognani <abologna@redhat.com>
2020-03-04 12:08:50 +01:00
Daniel P. Berrangé
1902356231 qemu: keep capabilities when running QEMU as root
When QEMU uid/gid is set to non-root this is pointless as if we just
used a regular setuid/setgid call, the process will have all its
capabilities cleared anyway by the kernel.

When QEMU uid/gid is set to root, this is almost (always?) never
what people actually want. People make QEMU run as root in order
to access some privileged resource that libvirt doesn't support
yet and this often requires capabilities. As a result they have
to go find the qemu.conf param to turn this off. This is not
viable for libguestfs - they want to control everything via the
XML security label to request running as root regardless of the
qemu.conf settings for user/group.

Clearing capabilities was implemented originally because there
was a proposal in Fedora to change permissions such that root,
with no capabilities would not be able to compromise the system.
ie a locked down root account. This never went anywhere though,
and as a result clearing capabilities when running as root does
not really get us any security benefit AFAICT. The root user
can easily do something like create a cronjob, which will then
faithfully be run with full capabilities, trivially bypassing
the restriction we place.

IOW, our clearing of capabilities is both useless from a security
POV, and breaks valid use cases when people need to run as root.

This removes the clear_emulator_capabilities configuration
option from qemu.conf, and always runs QEMU with capabilities
when root.  The behaviour when non-root is unchanged.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-11 16:01:20 +00:00
Michal Privoznik
75597f022a qemu: Warn verbosely if using old loader:nvram pairs
There are two ways for specifying loader:nvram pairs:

  1) --with-loader-nvram configure option
  2) nvram variable in qemu.conf

Since we have FW descriptors, using this old style is
discouraged, but not as strong as one would expect. Produce more
warnings:

  1) produce a warning if somebody tries the configure option
  2) produce a warning if somebody sets nvram variable and at
     least on FW descriptor was found

The reason for producing warning in case 1) is that package
maintainers, who set the configure option in the first place
should start moving towards FW descriptors and abandon the
configure option. After all, the warning is printed into config
output only in this case.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1763477

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-12 08:34:37 +01:00
Marc-André Lureau
b0baafe92c qemu-conf: add configurable slirp-helper location
A slirp helper is a process that provides user-mode networking through
a unix domain socket. It is expected to follow the following
specification:
https://gitlab.freedesktop.org/slirp/libslirp-rs/blob/master/src/bin/README.rst

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-09-06 12:47:47 +02:00
Jim Fehlig
d5572f62e3 qemu: Add support for overriding max threads per process limit
Some VM configurations may result in a large number of threads created by
the associated qemu process which can exceed the system default limit. The
maximum number of threads allowed per process is controlled by the pids
cgroup controller and is set to 16k when creating VMs with systemd's
machined service. The maximum number of threads per process is recorded
in the pids.max file under the machine's pids controller cgroup hierarchy,
e.g.

$cgrp-mnt/pids/machine.slice/machine-qemu\\x2d1\\x2dtest.scope/pids.max

Maximum threads per process is controlled with the TasksMax property of
the systemd scope for the machine. This patch adds an option to qemu.conf
which can be used to override the maximum number of threads allowed per
qemu process. If the value of option is greater than zero, it will be set
in the TasksMax property of the machine's scope after creating the machine.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-24 15:59:49 -06:00
Michal Privoznik
8695793d72 Revert "qemu: Temporary disable owner remembering"
This reverts commit fc3990c7e6.

Now that all the reported bugs are fixed let's turn the feature
back on.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-03 08:36:04 +02:00
Peter Krempa
30ce8f3163 qemu: conf: Add debug option to allow disabling qemu capabilities
In cases when e.g. a new feature breaks upstream behaviour it's useful
to allow users to disable the new feature to verify the regression and
possibly use it as a workaround until a fix is available.

The new qemu.conf option named "capability_filters" allows to remove
qemu capabilities from the detected bitmap.

This patch introduces the configuration infrastructure to parse the
option and pass it around.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-06-21 15:24:06 +02:00
Michal Privoznik
f308f71d83 qemu.conf: Make nvram list obsolete
Now that libvirt has firmware auto selection feature the nvram
config knob is more or less obsolete. It still makes sense in
cases where distro users are using does not provide FW descriptor
files, therefore I'm not removing it.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
2019-05-02 15:09:45 +02:00
Ján Tomko
060e07c3ca Remove remaining references to kqemu
We dropped support in commit 8e91a40 (November 2015), but some
occurrences still remained, even in live code.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reported-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2019-02-19 08:33:50 +01:00
Erik Skultety
b644011918 qemu: conf: Remove /dev/sev from the default cgroup device acl list
We should not give domains access to something they don't necessarily
need by default. Remove it from the qemu driver docs too.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-02-01 12:39:41 +01:00
Ján Tomko
2c5dd1ee4c qemu.conf: add vnc_tls_x509_secret_uuid
Add an option that lets the user specify the secret
that unlocks the server TLS key.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2019-01-22 12:18:28 +01:00
Michal Privoznik
fc3990c7e6 qemu: Temporary disable owner remembering
Turns out, that there are few bugs that are not that trivial to
fix (e.g. around block jobs). Instead of rushing in not
thoroughly tested fixes disable the feature temporarily for the
release.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
ACKed-by: Peter Krempa <pkrempa@redhat.com>
2019-01-15 09:45:22 +01:00
Michal Privoznik
e05d8e570b qemu.conf: Allow users to enable/disable label remembering
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-12-19 15:32:48 +01:00
Michal Privoznik
466bea0117 qemu: Temporarily disable metadata locking
Turns out, there are couple of bugs that prevent this feature
from being operational. Given how close to the release we are
disable the feature temporarily. Hopefully, it can be enabled
back after all the bugs are fixed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
2018-09-27 16:22:44 +02:00
Michal Privoznik
8b8aefb3d6 qemu_conf: Introduce metadata_lock_manager
This config option allows users to set and enable lock manager
for domain metadata. The lock manager is going to be used by
security drivers to serialize each other when changing a file
ownership or changing the SELinux label. The only supported lock
manager is 'lockd' for now.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-09-18 17:12:53 +02:00
Brijesh Singh
a9caa98159 qemu/cgroup: Add /dev/sev in shared devices list
QEMU uses /dev/sev device while creating the SEV guest, lets add /dev/sev
in the list of devices allowed to be accessed by the QEMU.

Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
2018-06-12 10:00:49 +02:00
Peter Krempa
c95f50cb02 qemu: conf: Remove 'allow_disk_format_probing' config option
The option is insecure and it has been long enough for users to migrate
their disk files to use explicit format. Drop the option and related
code.

The config parser still parses it and rejects statup if it's still
present in the config in enabled state.

The augeas lens is also kept so that users can disable it.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-06-08 09:26:37 +02:00
Stefan Berger
d9c087f57d qemu: Extend qemu_conf with tpm-emulator support
Extend qemu_conf with user and group for running the tpm-emulator
and add directories to the configuration for the locations of the
log, state, and socket of the tpm-emulator.

Also add these new directories to the QEMU Makefile.inc.am and
the RPM spec file libvirt.spec.in.

Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-06-06 10:48:41 -04:00
Peter Krempa
ca108ab789 qemu: conf: Add qemu.conf knobs for setting up TLS for NBD
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-06-05 08:14:00 +02:00
Michal Privoznik
8be74af168 qemu: Introduce pr_helper to qemu.conf
Just like we allow users overriding path to bridge-helper
detected at compile time we can allow them to override path to
qemu-pr-helper.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-05-11 09:02:56 +02:00
Ján Tomko
3527f9dde6 qemu: deny privilege elevation and spawn in seccomp
If QEMU uses a seccomp blacklist (since 2.11), -sandbox on
no longer tries to whitelist all the calls, but uses sets
of blacklists:
default (always blacklisted with -sandbox on)
obsolete (defaults to deny)
elevateprivileges (setuid & co, default: allow)
spawn (fork & execve, default: allow)
resourcecontrol (setaffinity, setscheduler, default: allow)

If these are supported, default to sandbox with all four
categories blacklisted.

https://bugzilla.redhat.com/show_bug.cgi?id=1492597

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2018-04-17 16:29:38 +02:00
Ján Tomko
1943d89b72 Replace QEmu with QEMU
QEMU is the preferred spelling used on QEMU website.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-04-01 17:42:29 +02:00
Daniel P. Berrangé
12bc2b817f Revert "qemu: Expose rx/tx_queue_size in qemu.conf too"
This reverts commit 038eb472a0.

On reflection adding defaults for arbitrary guest XML device config
settings to the qemu.conf is not a sustainable path. Removing the
support for rx/tx queue size so that it doesn't set a bad precedent.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-02-12 14:56:29 +00:00
Michal Privoznik
038eb472a0 qemu: Expose rx/tx_queue_size in qemu.conf too
In 2074ef6cd4 and c56cdf259 (and friends) we've added two
attributes to virtio NICs: rx_queue_size and tx_queue_size.
However, sysadmins might want to set these on per-host basis but
don't necessarily have an access to domain XML (e.g. because they
are generated by some other app). So let's expose them under
qemu.conf (the settings from domain XML still take precedence as
they are more specific ones).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
2018-02-02 07:09:22 +01:00
Yuri Chornoivan
ca18914e8a Fix minor typos 2017-12-12 09:13:43 +01:00
John Ferlan
c9f7a04e28 qemu.conf: Clarify the various _tls_x509_cert_dir descriptions
https://bugzilla.redhat.com/show_bug.cgi?id=1458630

Apparantly commit id 'dc4c2f75a' wasn't specific enough, so here's
a few more clarifications.
2017-10-27 05:53:45 -04:00
Ashish Mittal
bd6fdcd806 conf: Introduce TLS options for VxHS block device clients
Add a new TLS X.509 certificate type - "vxhs". This will handle the
creation of a TLS certificate capability for properly configured
VxHS network block device clients.

The following describes the behavior of TLS for VxHS block device:

  (1) Two new options have been added in /etc/libvirt/qemu.conf
      to control TLS behavior with VxHS block devices
      "vxhs_tls" and "vxhs_tls_x509_cert_dir".
  (2) Setting "vxhs_tls=1" in /etc/libvirt/qemu.conf will enable
      TLS for VxHS block devices.
  (3) "vxhs_tls_x509_cert_dir" can be set to the full path where the
      TLS CA certificate and the client certificate and keys are saved.
      If this value is missing, the "default_tls_x509_cert_dir" will be
      used instead. If the environment is not configured properly the
      authentication to the VxHS server will fail.

Signed-off-by: Ashish Mittal <Ashish.Mittal@veritas.com>
Signed-off-by: John Ferlan <jferlan@redhat.com>
2017-09-28 09:45:14 -04:00
John Ferlan
dc4c2f75ab qemu: Check for existence of provided *_tls_x509_cert_dir
https://bugzilla.redhat.com/show_bug.cgi?id=1458630

Introduce virQEMUDriverConfigTLSDirResetDefaults in order to check
if the defaultTLSx509certdir was changed, then change the default
for any other *TLSx509certdir that was not set to the default default.

Introduce virQEMUDriverConfigValidate to validate the existence of
any of the *_tls_x509_cert_dir values that were uncommented/set,
incuding the default.

Update the qemu.conf description for default to describe the consequences
if the default directory path does not exist.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2017-08-02 15:51:50 -04:00
dann frazier
123880d333 qemu: Add AAVMF32 to the list of known UEFIs
Add a path for UEFI VMs for AArch32 VMs, based on the path Debian is using.
libvirt is the de facto canonical location for defining where distros
should place these firmware images, so let's define this path here to try
and minimize distro fragmentation.
2017-07-21 14:36:54 -04:00
John Ferlan
3f3582d6d4 qemu: Update the TLS client verify descriptions for vnc and chardev
Update the descriptions to match the migrate option.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2017-03-25 08:19:49 -04:00
John Ferlan
1415121a5e conf: Introduce migrate_tls_x509_cert_dir
Add a new TLS X.509 certificate type - "migrate". This will handle the
creation of a TLS certificate capability (and possibly repository) to
be used for migrations. Similar to chardev's, credentials will be handled
via a libvirt secrets; however, unlike chardev's enablement and usage
will be via a CLI flag instead of a conf flag and a domain XML attribute.

The migrations using the *x509_verify flag require the client-cert.pem
and client-key.pem files to be present in the TLS directory - so let's
also be sure to note that in the qemu.conf file.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2017-03-25 08:19:49 -04:00
Philipp Hahn
d7dcea6f60 doc: fix writing of QEMU
QEMU should be written all upper or all lower case.
2017-03-08 17:33:07 +01:00
Michal Privoznik
b8e659aa98 qemuDomainGetHostdevPath: Create /dev/vfio/vfio iff needed
So far, we are allowing /dev/vfio/vfio in the devices cgroup
unconditionally (and creating it in the namespace too). Even if
domain has no hostdev assignment configured. This is potential
security hole. Therefore, when starting the domain (or
hotplugging a hostdev) create & allow /dev/vfio/vfio too (if
needed).

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2017-02-20 07:21:58 +01:00
Jaroslav Safka
48d9e6cdcc qemu_conf: Add param memory_backing_dir
Add new parameter memory_backing_dir where files will be stored when memoryBacking
source is selected as file.

Value is stored inside char* memoryBackingDir
2017-02-09 14:27:19 +01:00
Michal Privoznik
661887f558 qemu: Let users opt-out from containerization
Given how intrusive previous patches are, it might happen that
there's a bug or imperfection. Lets give users a way out: if they
set 'namespaces' to an empty array in qemu.conf the feature is
suppressed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-12-15 09:25:16 +01:00
Michal Privoznik
0c1bfd2c8d tests: Adapt to gluster_debug_level in qemu.conf
After a944bd92 we gained support for setting gluster debug level.
However, due to a space we haven't tested whether augeas file
actually works.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2016-11-21 10:50:48 +01:00
Prasanna Kumar Kalever
a944bd9259 qemu: conf: add option for tuning debug logging level
This helps in selecting log level of the gluster gfapi, output to stderr.
The option is 'gluster_debug_level', can be tuned by editing
'/etc/libvirt/qemu.conf'

Debug levels ranges 0-9, with 9 being the most verbose, and 0
representing no debugging output.  The default is the same as it was
before, which is a level of 4.  The current logging levels defined in
the gluster gfapi are:

    0 - None
    1 - Emergency
    2 - Alert
    3 - Critical
    4 - Error
    5 - Warning
    6 - Notice
    7 - Info
    8 - Debug
    9 - Trace

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
2016-11-09 16:52:40 +01:00
John Ferlan
3b668bb51a conf: Introduce {default|chardev}_tls_x509_secret_uuid
Add a new qemu.conf variables to store the UUID for the secret that could
be used to present credentials to access the TLS chardev.  Since this will
be a server level and it's possible to use some sort of default, introduce
both the default and chardev logic at the same time making the setting of
the chardev check for it's own value, then if not present checking whether
the default value had been set.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-10-19 15:40:29 -04:00
John Ferlan
3f60a9c32f conf: Introduce chartcp_tls_x509_cert_dir
Add a new TLS X.509 certificate type - "chardev". This will handle the
creation of a TLS certificate capability (and possibly repository) for
properly configured character device TCP backends.

Unlike the vnc and spice there is no "listen" or "passwd" associated. The
credentials eventually will be handled via a libvirt secret provided to
a specific backend.

Make use of the default verify option as well.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-09-09 08:09:03 -04:00
John Ferlan
c12cb5ed73 conf: Add new default TLS X.509 certificate default directory
Rather than specify perhaps multiple TLS X.509 certificate directories,
let's create a "default" directory which can then be used if the service
(e.g. for now vnc and spice) does not supply a default directory.

Since the default for vnc and spice may have existed before without being
supplied, the default check will first check if the service specific path
exists and if so, set the cfg entry to that; otherwise, the default will
be set to the (now) new defaultTLSx509certdir.

Additionally add a "default_tls_x509_verify" entry which can also be used
to force the peer verification option (for vnc it's a x509verify option).
Add/alter the macro for the option being found in the config file to accept
the default value.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-09-09 07:09:49 -04:00
Daniel P. Berrange
90e178f8bf qemu: allow turning off QEMU guest RAM dump globally
We already have the ability to turn off dumping of guest
RAM via the domain XML. This is not particularly useful
though, as it is under control of the management application.
What is needed is a way for the sysadmin to turn off guest
RAM defaults globally, regardless of whether the mgmt app
provides its own way to set this in the domain XML.

So this adds a 'dump_guest_core' option in /etc/libvirt/qemu.conf
which defaults to false. ie guest RAM will never be included in
the QEMU core dumps by default. This default is different from
historical practice, but is considered to be more suitable as
a default because

 a) guest RAM can be huge and so inflicts a DOS on the host
    I/O subsystem when dumping core for QEMU crashes

 b) guest RAM can contain alot of sensitive data belonging
    to the VM owner. This should not generally be copied
    around inside QEMU core dumps submitted to vendors for
    debugging

 c) guest RAM contents are rarely useful in diagnosing
    QEMU crashes

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-06 13:08:30 +01:00
Daniel P. Berrange
fa1ce97917 qemu: add a max_core setting to qemu.conf for core dump size
Currently the QEMU processes inherit their core dump rlimit
from libvirtd, which is really suboptimal. This change allows
their limit to be directly controlled from qemu.conf instead.
2016-09-06 13:08:30 +01:00