.. role:: since .. role:: anchor(raw) :format: html ================= Domain XML format ================= .. contents:: This section describes the XML format used to represent domains, there are variations on the format based on the kind of domains run and the options used to launch them. For hypervisor specific details consult the `driver docs `__ :anchor:`` Element and attribute overview ============================== The root element required for all virtual machines is named ``domain``. It has two attributes, the ``type`` specifies the hypervisor used for running the domain. The allowed values are driver specific, but include "xen", "kvm", "qemu" and "lxc". The second attribute is ``id`` which is a unique integer identifier for the running guest machine. Inactive machines have no id value. :anchor:`` General metadata ---------------- :: MyGuest 4dea22b3-1d52-d8f3-2516-782e98ab3fa0 43dc0cf8-809b-4adb-9bea-a9abb5f3d90e A short description - title - of the domain Some human readable description .. .. ... ``name`` The content of the ``name`` element provides a short name for the virtual machine. This name should consist only of alphanumeric characters and is required to be unique within the scope of a single host. It is often used to form the filename for storing the persistent configuration file. :since:`Since 0.0.1` ``uuid`` The content of the ``uuid`` element provides a globally unique identifier for the virtual machine. The format must be RFC 4122 compliant, eg ``3e3fce45-4f53-4fa7-bb32-11f34168b82b``. If omitted when defining/creating a new machine, a random UUID is generated. It is also possible to provide the UUID via a `sysinfo <#elementsSysinfo>`__ specification. :since:`Since 0.0.1, sysinfo since 0.8.7` ``genid`` :since:`Since 4.4.0` , the ``genid`` element can be used to add a Virtual Machine Generation ID which exposes a 128-bit, cryptographically random, integer value identifier, referred to as a Globally Unique Identifier (GUID) using the same format as the ``uuid``. The value is used to help notify the guest operating system when the virtual machine is re-executing something that has already executed before, such as: - VM starts executing a snapshot - VM is recovered from backup - VM is failover in a disaster recovery environment - VM is imported, copied, or cloned The guest operating system notices the change and is then able to react as appropriate by marking its copies of distributed databases as dirty, re-initializing its random number generator, etc. The libvirt XML parser will accept both a provided GUID value or just in which case a GUID will be generated and saved in the XML. For the transitions such as above, libvirt will change the GUID before re-executing. ``title`` The optional element ``title`` provides space for a short description of the domain. The title should not contain any newlines. :since:`Since 0.9.10` . ``description`` The content of the ``description`` element provides a human readable description of the virtual machine. This data is not used by libvirt in any way, it can contain any information the user wants. :since:`Since 0.7.2` ``metadata`` The ``metadata`` node can be used by applications to store custom metadata in the form of XML nodes/trees. Applications must use custom namespaces on their XML nodes/trees, with only one top-level element per namespace (if the application needs structure, they should have sub-elements to their namespace element). :since:`Since 0.9.10` :anchor:`` Operating system booting ------------------------ There are a number of different ways to boot virtual machines each with their own pros and cons. :anchor:`` BIOS bootloader ~~~~~~~~~~~~~~~ Booting via the BIOS is available for hypervisors supporting full virtualization. In this case the BIOS has a boot order priority (floppy, harddisk, cdrom, network) determining where to obtain/find the boot image. :: ... hvm /usr/lib/xen/boot/hvmloader /var/lib/libvirt/nvram/guest_VARS.fd ... ``firmware`` The ``firmware`` attribute allows management applications to automatically fill ```` and ```` elements and possibly enable some features required by selected firmware. Accepted values are ``bios`` and ``efi``. The selection process scans for files describing installed firmware images in specified location and uses the most specific one which fulfils domain requirements. The locations in order of preference (from generic to most specific one) are: - ``/usr/share/qemu/firmware`` - ``/etc/qemu/firmware`` - ``$XDG_CONFIG_HOME/qemu/firmware`` For more information refer to firmware metadata specification as described in ``docs/interop/firmware.json`` in QEMU repository. Regular users do not need to bother. :since:`Since 5.2.0 (QEMU and KVM only)` For VMware guests, this is set to ``efi`` when the guest uses UEFI, and it is not set when using BIOS. :since:`Since 5.3.0 (VMware ESX and Workstation/Player)` ``type`` The content of the ``type`` element specifies the type of operating system to be booted in the virtual machine. ``hvm`` indicates that the OS is one designed to run on bare metal, so requires full virtualization. ``linux`` (badly named!) refers to an OS that supports the Xen 3 hypervisor guest ABI. There are also two optional attributes, ``arch`` specifying the CPU architecture to virtualization, and ``machine`` referring to the machine type. The `Capabilities XML `__ provides details on allowed values for these. If ``arch`` is omitted then for most hypervisor drivers, the host native arch will be chosen. For the ``test``, ``ESX`` and ``VMWare`` hypervisor drivers, however, the ``i686`` arch will always be chosen even on an ``x86_64`` host. :since:`Since 0.0.1` ``firmware`` :since:`Since 7.2.0 QEMU/KVM only` When using firmware auto-selection there are different features enabled in the firmwares. The list of features can be used to limit what firmware should be automatically selected for the VM. The list of features can be specified using zero or more ``feature`` elements. Libvirt will take into consideration only the listed features and ignore the rest when selecting the firmware. ``feature`` The list of mandatory attributes: - ``enabled`` (accepted values are ``yes`` and ``no``) is used to tell libvirt if the feature must be enabled or not in the automatically selected firmware - ``name`` the name of the feature, the list of the features: - ``enrolled-keys`` whether the selected nvram template has default certificate enrolled. Firmware with Secure Boot feature but without enrolled keys will successfully boot non-signed binaries as well. Valid only for firmwares with Secure Boot feature. - ``secure-boot`` whether the firmware implements UEFI Secure boot feature. ``loader`` The optional ``loader`` tag refers to a firmware blob, which is specified by absolute path, used to assist the domain creation process. It is used by Xen fully virtualized domains as well as setting the QEMU BIOS file path for QEMU/KVM domains. :since:`Xen since 0.1.0, QEMU/KVM since 0.9.12` Then, :since:`since 1.2.8` it's possible for the element to have two optional attributes: ``readonly`` (accepted values are ``yes`` and ``no``) to reflect the fact that the image should be writable or read-only. The second attribute ``type`` accepts values ``rom`` and ``pflash``. It tells the hypervisor where in the guest memory the file should be mapped. For instance, if the loader path points to an UEFI image, ``type`` should be ``pflash``. Moreover, some firmwares may implement the Secure boot feature. Attribute ``secure`` can be used to tell the hypervisor that the firmware is capable of Secure Boot feature. It cannot be used to enable or disable the feature itself in the firmware. :since:`Since 2.1.0` ``nvram`` Some UEFI firmwares may want to use a non-volatile memory to store some variables. In the host, this is represented as a file and the absolute path to the file is stored in this element. Moreover, when the domain is started up libvirt copies so called master NVRAM store file defined in ``qemu.conf``. If needed, the ``template`` attribute can be used to per domain override map of master NVRAM stores from the config file. Note, that for transient domains if the NVRAM file has been created by libvirt it is left behind and it is management application's responsibility to save and remove file (if needed to be persistent). :since:`Since 1.2.8` ``boot`` The ``dev`` attribute takes one of the values "fd", "hd", "cdrom" or "network" and is used to specify the next boot device to consider. The ``boot`` element can be repeated multiple times to setup a priority list of boot devices to try in turn. Multiple devices of the same type are sorted according to their targets while preserving the order of buses. After defining the domain, its XML configuration returned by libvirt (through virDomainGetXMLDesc) lists devices in the sorted order. Once sorted, the first device is marked as bootable. Thus, e.g., a domain configured to boot from "hd" with vdb, hda, vda, and hdc disks assigned to it will boot from vda (the sorted list is vda, vdb, hda, hdc). Similar domain with hdc, vda, vdb, and hda disks will boot from hda (sorted disks are: hda, hdc, vda, vdb). It can be tricky to configure in the desired way, which is why per-device boot elements (see `disks <#elementsDisks>`__, `network interfaces <#elementsNICS>`__, and `USB and PCI devices <#elementsHostDev>`__ sections below) were introduced and they are the preferred way providing full control over booting order. The ``boot`` element and per-device boot elements are mutually exclusive. :since:`Since 0.1.3, per-device boot since 0.8.8` ``smbios`` How to populate SMBIOS information visible in the guest. The ``mode`` attribute must be specified, and is either "emulate" (let the hypervisor generate all values), "host" (copy all of Block 0 and Block 1, except for the UUID, from the host's SMBIOS values; the `virConnectGetSysinfo `__ call can be used to see what values are copied), or "sysinfo" (use the values in the `sysinfo <#elementsSysinfo>`__ element). If not specified, the hypervisor default is used. :since:`Since 0.8.7` Up till here the BIOS/UEFI configuration knobs are generic enough to be implemented by majority (if not all) firmwares out there. However, from now on not every single setting makes sense to all firmwares. For instance, ``rebootTimeout`` doesn't make sense for UEFI, ``useserial`` might not be usable with a BIOS firmware that doesn't produce any output onto serial line, etc. Moreover, firmwares don't usually export their capabilities for libvirt (or users) to check. And the set of their capabilities can change with every new release. Hence users are advised to try the settings they use before relying on them in production. ``bootmenu`` Whether or not to enable an interactive boot menu prompt on guest startup. The ``enable`` attribute can be either "yes" or "no". If not specified, the hypervisor default is used. :since:`Since 0.8.3` Additional attribute ``timeout`` takes the number of milliseconds the boot menu should wait until it times out. Allowed values are numbers in range [0, 65535] inclusive and it is ignored unless ``enable`` is set to "yes". :since:`Since 1.2.8` ``bios`` This element has attribute ``useserial`` with possible values ``yes`` or ``no``. It enables or disables Serial Graphics Adapter which allows users to see BIOS messages on a serial port. Therefore, one needs to have `serial port <#elementCharSerial>`__ defined. :since:`Since 0.9.4` . :since:`Since 0.10.2 (QEMU only)` there is another attribute, ``rebootTimeout`` that controls whether and after how long the guest should start booting again in case the boot fails (according to BIOS). The value is in milliseconds with maximum of ``65535`` and special value ``-1`` disables the reboot. :anchor:`` Host bootloader ~~~~~~~~~~~~~~~ Hypervisors employing paravirtualization do not usually emulate a BIOS, and instead the host is responsible to kicking off the operating system boot. This may use a pseudo-bootloader in the host to provide an interface to choose a kernel for the guest. An example is ``pygrub`` with Xen. The Bhyve hypervisor also uses a host bootloader, either ``bhyveload`` or ``grub-bhyve``. :: ... /usr/bin/pygrub --append single ... ``bootloader`` The content of the ``bootloader`` element provides a fully qualified path to the bootloader executable in the host OS. This bootloader will be run to choose which kernel to boot. The required output of the bootloader is dependent on the hypervisor in use. :since:`Since 0.1.0` ``bootloader_args`` The optional ``bootloader_args`` element allows command line arguments to be passed to the bootloader. :since:`Since 0.2.3` :anchor:`` Direct kernel boot ~~~~~~~~~~~~~~~~~~ When installing a new guest OS it is often useful to boot directly from a kernel and initrd stored in the host OS, allowing command line arguments to be passed directly to the installer. This capability is usually available for both para and full virtualized guests. :: ... hvm /usr/lib/xen/boot/hvmloader /root/f8-i386-vmlinuz /root/f8-i386-initrd console=ttyS0 ks=http://example.com/f8-i386/os/ /root/ppc.dtb /path/to/slic.dat
... ``type`` This element has the same semantics as described earlier in the `BIOS boot section <#elementsOSBIOS>`__ ``loader`` This element has the same semantics as described earlier in the `BIOS boot section <#elementsOSBIOS>`__ ``kernel`` The contents of this element specify the fully-qualified path to the kernel image in the host OS. ``initrd`` The contents of this element specify the fully-qualified path to the (optional) ramdisk image in the host OS. ``cmdline`` The contents of this element specify arguments to be passed to the kernel (or installer) at boot time. This is often used to specify an alternate primary console (eg serial port), or the installation media source / kickstart file ``dtb`` The contents of this element specify the fully-qualified path to the (optional) device tree binary (dtb) image in the host OS. :since:`Since 1.0.4` ``acpi`` The ``table`` element contains a fully-qualified path to the ACPI table. The ``type`` attribute contains the ACPI table type (currently only ``slic`` is supported) :since:`Since 1.3.5 (QEMU)` :since:`Since 5.9.0 (Xen)` :anchor:`
` Container boot ~~~~~~~~~~~~~~ When booting a domain using container based virtualization, instead of a kernel / boot image, a path to the init binary is required, using the ``init`` element. By default this will be launched with no arguments. To specify the initial argv, use the ``initarg`` element, repeated as many time as is required. The ``cmdline`` element, if set will be used to provide an equivalent to ``/proc/cmdline`` but will not affect init argv. To set environment variables, use the ``initenv`` element, one for each variable. To set a custom work directory for the init, use the ``initdir`` element. To run the init command as a given user or group, use the ``inituser`` or ``initgroup`` elements respectively. Both elements can be provided either a user (resp. group) id or a name. Prefixing the user or group id with a ``+`` will force it to be considered like a numeric value. Without this, it will be first tried as a user or group name. :: exe /bin/systemd --unit emergency.service some value /my/custom/cwd tester 1000 If you want to enable user namespace, set the ``idmap`` element. The ``uid`` and ``gid`` elements have three attributes: ``start`` First user ID in container. It must be '0'. ``target`` The first user ID in container will be mapped to this target user ID in host. ``count`` How many users in container are allowed to map to host's user. :: :anchor:`` SMBIOS System Information ------------------------- Some hypervisors allow control over what system information is presented to the guest (for example, SMBIOS fields can be populated by a hypervisor and inspected via the ``dmidecode`` command in the guest). The optional ``sysinfo`` element covers all such categories of information. :since:`Since 0.8.7` :: ... ... LENOVO Fedora Virt-Manager 0.9.4 LENOVO 20BE0061MC 0B98401 Pro W1KS427111E Dell Inc. 2.12 65X0XF2 40000101 Type3Sku1 myappname:some arbitrary data otherappname:more arbitrary data example value ... The ``sysinfo`` element has a mandatory attribute ``type`` that determine the layout of sub-elements, with supported values of: ``smbios`` Sub-elements call out specific SMBIOS values, which will affect the guest if used in conjunction with the ``smbios`` sub-element of the `os <#elementsOS>`__ element. Each sub-element of ``sysinfo`` names a SMBIOS block, and within those elements can be a list of ``entry`` elements that describe a field within the block. The following blocks and entries are recognized: ``bios`` This is block 0 of SMBIOS, with entry names drawn from: ``vendor`` BIOS Vendor's Name ``version`` BIOS Version ``date`` BIOS release date. If supplied, is in either mm/dd/yy or mm/dd/yyyy format. If the year portion of the string is two digits, the year is assumed to be 19yy. ``release`` System BIOS Major and Minor release number values concatenated together as one string separated by a period, for example, 10.22. ``system`` This is block 1 of SMBIOS, with entry names drawn from: ``manufacturer`` Manufacturer of BIOS ``product`` Product Name ``version`` Version of the product ``serial`` Serial number ``uuid`` Universal Unique ID number. If this entry is provided alongside a top-level `uuid <#elementsMetadata>`__ element, then the two values must match. ``sku`` SKU number to identify a particular configuration. ``family`` Identify the family a particular computer belongs to. ``baseBoard`` This is block 2 of SMBIOS. This element can be repeated multiple times to describe all the base boards; however, not all hypervisors necessarily support the repetition. The element can have the following children: ``manufacturer`` Manufacturer of BIOS ``product`` Product Name ``version`` Version of the product ``serial`` Serial number ``asset`` Asset tag ``location`` Location in chassis NB: Incorrectly supplied entries for the ``bios``, ``system`` or ``baseBoard`` blocks will be ignored without error. Other than ``uuid`` validation and ``date`` format checking, all values are passed as strings to the hypervisor driver. ``chassis`` :since:`Since 4.1.0,` this is block 3 of SMBIOS, with entry names drawn from: ``manufacturer`` Manufacturer of Chassis ``version`` Version of the Chassis ``serial`` Serial number ``asset`` Asset tag ``sku`` SKU number ``oemStrings`` This is block 11 of SMBIOS. This element should appear once and can have multiple ``entry`` child elements, each providing arbitrary string data. There are no restrictions on what data can be provided in the entries, however, if the data is intended to be consumed by an application in the guest, it is recommended to use the application name as a prefix in the string. ( :since:`Since 4.1.0` ) ``fwcfg`` Some hypervisors provide unified way to tweak how firmware configures itself, or may contain tables to be installed for the guest OS, for instance boot order, ACPI, SMBIOS, etc. It even allows users to define their own config blobs. In case of QEMU, these then appear under domain's sysfs (if the guest kernel has FW_CFG_SYSFS config option enabled), under ``/sys/firmware/qemu_fw_cfg``. Note, that these values apply regardless the ```` mode under ````. :since:`Since 6.5.0` **Please note that because of limited number of data slots use of fwcfg is strongly discouraged and should be used instead**. :: example value The ``sysinfo`` element can have multiple ``entry`` child elements. Each element then has mandatory ``name`` attribute, which defines the name of the blob and must begin with ``"opt/"`` and to avoid clashing with other names is advised to be in form ``"opt/$RFQDN/$name"`` where ``$RFQDN`` is a reverse fully qualified domain name you control. Then, the element can either contain the value (to set the blob value directly), or ``file`` attribute (to set the blob value from the file). :anchor:`` CPU Allocation -------------- :: ... 2 ... ``vcpu`` The content of this element defines the maximum number of virtual CPUs allocated for the guest OS, which must be between 1 and the maximum supported by the hypervisor. ``cpuset`` The optional attribute ``cpuset`` is a comma-separated list of physical CPU numbers that domain process and virtual CPUs can be pinned to by default. (NB: The pinning policy of domain process and virtual CPUs can be specified separately by ``cputune``. If the attribute ``emulatorpin`` of ``cputune`` is specified, the ``cpuset`` specified by ``vcpu`` here will be ignored. Similarly, for virtual CPUs which have the ``vcpupin`` specified, the ``cpuset`` specified by ``cpuset`` here will be ignored. For virtual CPUs which don't have ``vcpupin`` specified, each will be pinned to the physical CPUs specified by ``cpuset`` here). Each element in that list is either a single CPU number, a range of CPU numbers, or a caret followed by a CPU number to be excluded from a previous range. :since:`Since 0.4.4` ``current`` The optional attribute ``current`` can be used to specify whether fewer than the maximum number of virtual CPUs should be enabled. :since:`Since 0.8.5` ``placement`` The optional attribute ``placement`` can be used to indicate the CPU placement mode for domain process. The value can be either "static" or "auto", but defaults to ``placement`` of ``numatune`` or "static" if ``cpuset`` is specified. Using "auto" indicates the domain process will be pinned to the advisory nodeset from querying numad and the value of attribute ``cpuset`` will be ignored if it's specified. If both ``cpuset`` and ``placement`` are not specified or if ``placement`` is "static", but no ``cpuset`` is specified, the domain process will be pinned to all the available physical CPUs. :since:`Since 0.9.11 (QEMU and KVM only)` ``vcpus`` The vcpus element allows to control state of individual vCPUs. The ``id`` attribute specifies the vCPU id as used by libvirt in other places such as vCPU pinning, scheduler information and NUMA assignment. Note that the vCPU ID as seen in the guest may differ from libvirt ID in certain cases. Valid IDs are from 0 to the maximum vCPU count as set by the ``vcpu`` element minus 1. The ``enabled`` attribute allows to control the state of the vCPU. Valid values are ``yes`` and ``no``. ``hotpluggable`` controls whether given vCPU can be hotplugged and hotunplugged in cases when the CPU is enabled at boot. Note that all disabled vCPUs must be hotpluggable. Valid values are ``yes`` and ``no``. ``order`` allows to specify the order to add the online vCPUs. For hypervisors/platforms that require to insert multiple vCPUs at once the order may be duplicated across all vCPUs that need to be enabled at once. Specifying order is not necessary, vCPUs are then added in an arbitrary order. If order info is used, it must be used for all online vCPUs. Hypervisors may clear or update ordering information during certain operations to assure valid configuration. Note that hypervisors may create hotpluggable vCPUs differently from boot vCPUs thus special initialization may be necessary. Hypervisors may require that vCPUs enabled on boot which are not hotpluggable are clustered at the beginning starting with ID 0. It may be also required that vCPU 0 is always present and non-hotpluggable. Note that providing state for individual CPUs may be necessary to enable support of addressable vCPU hotplug and this feature may not be supported by all hypervisors. For QEMU the following conditions are required. vCPU 0 needs to be enabled and non-hotpluggable. On PPC64 along with it vCPUs that are in the same core need to be enabled as well. All non-hotpluggable CPUs present at boot need to be grouped after vCPU 0. :since:`Since 2.2.0 (QEMU only)` :anchor:`` IOThreads Allocation -------------------- IOThreads are dedicated event loop threads for supported disk devices to perform block I/O requests in order to improve scalability especially on an SMP host/guest with many LUNs. :since:`Since 1.2.8 (QEMU only)` :: ... 4 ... :: ... ... ``iothreads`` The content of this optional element defines the number of IOThreads to be assigned to the domain for use by supported target storage devices. There should be only 1 or 2 IOThreads per host CPU. There may be more than one supported device assigned to each IOThread. :since:`Since 1.2.8` ``iothreadids`` The optional ``iothreadids`` element provides the capability to specifically define the IOThread ID's for the domain. By default, IOThread ID's are sequentially numbered starting from 1 through the number of ``iothreads`` defined for the domain. The ``id`` attribute is used to define the IOThread ID. The ``id`` attribute must be a positive integer greater than 0. If there are less ``iothreadids`` defined than ``iothreads`` defined for the domain, then libvirt will sequentially fill ``iothreadids`` starting at 1 avoiding any predefined ``id``. If there are more ``iothreadids`` defined than ``iothreads`` defined for the domain, then the ``iothreads`` value will be adjusted accordingly. :since:`Since 1.2.15` :anchor:`` CPU Tuning ---------- :: ... 2048 1000000 -1 1000000 -1 1000000 -1 1000000 -1 ... ``cputune`` The optional ``cputune`` element provides details regarding the CPU tunable parameters for the domain. Note: for the qemu driver, the optional ``vcpupin`` and ``emulatorpin`` pinning settings are honored after the emulator is launched and NUMA constraints considered. This means that it is expected that other physical CPUs of the host will be used during this time by the domain, which will be reflected by the output of ``virsh cpu-stats``. :since:`Since 0.9.0` ``vcpupin`` The optional ``vcpupin`` element specifies which of host's physical CPUs the domain vCPU will be pinned to. If this is omitted, and attribute ``cpuset`` of element ``vcpu`` is not specified, the vCPU is pinned to all the physical CPUs by default. It contains two required attributes, the attribute ``vcpu`` specifies vCPU id, and the attribute ``cpuset`` is same as attribute ``cpuset`` of element ``vcpu``. (NB: Only qemu driver support) :since:`Since 0.9.0` ``emulatorpin`` The optional ``emulatorpin`` element specifies which of host physical CPUs the "emulator", a subset of a domain not including vCPU or iothreads will be pinned to. If this is omitted, and attribute ``cpuset`` of element ``vcpu`` is not specified, "emulator" is pinned to all the physical CPUs by default. It contains one required attribute ``cpuset`` specifying which physical CPUs to pin to. ``iothreadpin`` The optional ``iothreadpin`` element specifies which of host physical CPUs the IOThreads will be pinned to. If this is omitted and attribute ``cpuset`` of element ``vcpu`` is not specified, the IOThreads are pinned to all the physical CPUs by default. There are two required attributes, the attribute ``iothread`` specifies the IOThread ID and the attribute ``cpuset`` specifying which physical CPUs to pin to. See the ``iothreadids`` `description <#elementsIOThreadsAllocation>`__ for valid ``iothread`` values. :since:`Since 1.2.9` ``shares`` The optional ``shares`` element specifies the proportional weighted share for the domain. If this is omitted, it defaults to the OS provided defaults. NB, There is no unit for the value, it's a relative measure based on the setting of other VM, e.g. A VM configured with value 2048 will get twice as much CPU time as a VM configured with value 1024. The value should be in range [2, 262144]. :since:`Since 0.9.0` ``period`` The optional ``period`` element specifies the enforcement interval (unit: microseconds). Within ``period``, each vCPU of the domain will not be allowed to consume more than ``quota`` worth of runtime. The value should be in range [1000, 1000000]. A period with value 0 means no value. :since:`Only QEMU driver support since 0.9.4, LXC since 0.9.10` ``quota`` The optional ``quota`` element specifies the maximum allowed bandwidth (unit: microseconds). A domain with ``quota`` as any negative value indicates that the domain has infinite bandwidth for vCPU threads, which means that it is not bandwidth controlled. The value should be in range [1000, 17592186044415] or less than 0. A quota with value 0 means no value. You can use this feature to ensure that all vCPUs run at the same speed. :since:`Only QEMU driver support since 0.9.4, LXC since 0.9.10` ``global_period`` The optional ``global_period`` element specifies the enforcement CFS scheduler interval (unit: microseconds) for the whole domain in contrast with ``period`` which enforces the interval per vCPU. The value should be in range 1000, 1000000]. A ``global_period`` with value 0 means no value. :since:`Only QEMU driver support since 1.3.3` ``global_quota`` The optional ``global_quota`` element specifies the maximum allowed bandwidth (unit: microseconds) within a period for the whole domain. A domain with ``global_quota`` as any negative value indicates that the domain has infinite bandwidth, which means that it is not bandwidth controlled. The value should be in range [1000, 17592186044415] or less than 0. A ``global_quota`` with value 0 means no value. :since:`Only QEMU driver support since 1.3.3` ``emulator_period`` The optional ``emulator_period`` element specifies the enforcement interval (unit: microseconds). Within ``emulator_period``, emulator threads (those excluding vCPUs) of the domain will not be allowed to consume more than ``emulator_quota`` worth of runtime. The value should be in range [1000, 1000000]. A period with value 0 means no value. :since:`Only QEMU driver support since 0.10.0` ``emulator_quota`` The optional ``emulator_quota`` element specifies the maximum allowed bandwidth (unit: microseconds) for domain's emulator threads (those excluding vCPUs). A domain with ``emulator_quota`` as any negative value indicates that the domain has infinite bandwidth for emulator threads (those excluding vCPUs), which means that it is not bandwidth controlled. The value should be in range [1000, 17592186044415] or less than 0. A quota with value 0 means no value. :since:`Only QEMU driver support since 0.10.0` ``iothread_period`` The optional ``iothread_period`` element specifies the enforcement interval (unit: microseconds) for IOThreads. Within ``iothread_period``, each IOThread of the domain will not be allowed to consume more than ``iothread_quota`` worth of runtime. The value should be in range [1000, 1000000]. An iothread_period with value 0 means no value. :since:`Only QEMU driver support since 2.1.0` ``iothread_quota`` The optional ``iothread_quota`` element specifies the maximum allowed bandwidth (unit: microseconds) for IOThreads. A domain with ``iothread_quota`` as any negative value indicates that the domain IOThreads have infinite bandwidth, which means that it is not bandwidth controlled. The value should be in range [1000, 17592186044415] or less than 0. An ``iothread_quota`` with value 0 means no value. You can use this feature to ensure that all IOThreads run at the same speed. :since:`Only QEMU driver support since 2.1.0` ``vcpusched``, ``iothreadsched`` and ``emulatorsched`` The optional ``vcpusched``, ``iothreadsched`` and ``emulatorsched`` elements specify the scheduler type (values ``batch``, ``idle``, ``fifo``, ``rr``) for particular vCPU, IOThread and emulator threads respectively. For ``vcpusched`` and ``iothreadsched`` the attributes ``vcpus`` and ``iothreads`` select which vCPUs/IOThreads this setting applies to, leaving them out sets the default. The element ``emulatorsched`` does not have that attribute. Valid ``vcpus`` values start at 0 through one less than the number of vCPU's defined for the domain. Valid ``iothreads`` values are described in the ``iothreadids`` `description <#elementsIOThreadsAllocation>`__. If no ``iothreadids`` are defined, then libvirt numbers IOThreads from 1 to the number of ``iothreads`` available for the domain. For real-time schedulers (``fifo``, ``rr``), priority must be specified as well (and is ignored for non-real-time ones). The value range for the priority depends on the host kernel (usually 1-99). :since:`Since 1.2.13` ``emulatorsched`` :since:`since 5.3.0` ``cachetune`` :since:`Since 4.1.0` Optional ``cachetune`` element can control allocations for CPU caches using the resctrl on the host. Whether or not is this supported can be gathered from capabilities where some limitations like minimum size and required granularity are reported as well. The required attribute ``vcpus`` specifies to which vCPUs this allocation applies. A vCPU can only be member of one ``cachetune`` element allocation. The vCPUs specified by cachetune can be identical with those in memorytune, however they are not allowed to overlap. Supported subelements are: ``cache`` This optional element controls the allocation of CPU cache and has the following attributes: ``level`` Host cache level from which to allocate. ``id`` Host cache id from which to allocate. ``type`` Type of allocation. Can be ``code`` for code (instructions), ``data`` for data or ``both`` for both code and data (unified). Currently the allocation can be done only with the same type as the host supports, meaning you cannot request ``both`` for host with CDP (code/data prioritization) enabled. ``size`` The size of the region to allocate. The value by default is in bytes, but the ``unit`` attribute can be used to scale the value. ``unit`` (optional) If specified it is the unit such as KiB, MiB, GiB, or TiB (described in the ``memory`` element for `Memory Allocation <#elementsMemoryAllocation>`__) in which ``size`` is specified, defaults to bytes. ``monitor`` :since:`Since 4.10.0` The optional element ``monitor`` creates the cache monitor(s) for current cache allocation and has the following required attributes: ``level`` Host cache level the monitor belongs to. ``vcpus`` vCPU list the monitor applies to. A monitor's vCPU list can only be the member(s) of the vCPU list of the associated allocation. The default monitor has the same vCPU list as the associated allocation. For non-default monitors, overlapping vCPUs are not permitted. ``memorytune`` :since:`Since 4.7.0` Optional ``memorytune`` element can control allocations for memory bandwidth using the resctrl on the host. Whether or not is this supported can be gathered from capabilities where some limitations like minimum bandwidth and required granularity are reported as well. The required attribute ``vcpus`` specifies to which vCPUs this allocation applies. A vCPU can only be member of one ``memorytune`` element allocation. The ``vcpus`` specified by ``memorytune`` can be identical to those specified by ``cachetune``. However they are not allowed to overlap each other. Supported subelements are: ``node`` This element controls the allocation of CPU memory bandwidth and has the following attributes: ``id`` Host node id from which to allocate memory bandwidth. ``bandwidth`` The memory bandwidth to allocate from this node. The value by default is in percentage. :anchor:`` Memory Allocation ----------------- :: ... 1524288 524288 524288 ... ``memory`` The maximum allocation of memory for the guest at boot time. The memory allocation includes possible additional memory devices specified at start or hotplugged later. The units for this value are determined by the optional attribute ``unit``, which defaults to "KiB" (kibibytes, 2\ :sup:`10` or blocks of 1024 bytes). Valid units are "b" or "bytes" for bytes, "KB" for kilobytes (10\ :sup:`3` or 1,000 bytes), "k" or "KiB" for kibibytes (1024 bytes), "MB" for megabytes (10\ :sup:`6` or 1,000,000 bytes), "M" or "MiB" for mebibytes (2\ :sup:`20` or 1,048,576 bytes), "GB" for gigabytes (10\ :sup:`9` or 1,000,000,000 bytes), "G" or "GiB" for gibibytes (2\ :sup:`30` or 1,073,741,824 bytes), "TB" for terabytes (10\ :sup:`12` or 1,000,000,000,000 bytes), or "T" or "TiB" for tebibytes (2\ :sup:`40` or 1,099,511,627,776 bytes). However, the value will be rounded up to the nearest kibibyte by libvirt, and may be further rounded to the granularity supported by the hypervisor. Some hypervisors also enforce a minimum, such as 4000KiB. In case `NUMA <#elementsCPU>`__ is configured for the guest the ``memory`` element can be omitted. In the case of crash, optional attribute ``dumpCore`` can be used to control whether the guest memory should be included in the generated coredump or not (values "on", "off"). ``unit`` :since:`since 0.9.11` , ``dumpCore`` :since:`since 0.10.2 (QEMU only)` ``maxMemory`` The run time maximum memory allocation of the guest. The initial memory specified by either the ```` element or the NUMA cell size configuration can be increased by hot-plugging of memory to the limit specified by this element. The ``unit`` attribute behaves the same as for ````. The ``slots`` attribute specifies the number of slots available for adding memory to the guest. The bounds are hypervisor specific. Note that due to alignment of the memory chunks added via memory hotplug the full size allocation specified by this element may be impossible to achieve. :since:`Since 1.2.14 supported by the QEMU driver.` ``currentMemory`` The actual allocation of memory for the guest. This value can be less than the maximum allocation, to allow for ballooning up the guests memory on the fly. If this is omitted, it defaults to the same value as the ``memory`` element. The ``unit`` attribute behaves the same as for ``memory``. :anchor:`` Memory Backing -------------- :: ... ... The optional ``memoryBacking`` element may contain several elements that influence how virtual memory pages are backed by host pages. ``hugepages`` This tells the hypervisor that the guest should have its memory allocated using hugepages instead of the normal native page size. :since:`Since 1.2.5` it's possible to set hugepages more specifically per numa node. The ``page`` element is introduced. It has one compulsory attribute ``size`` which specifies which hugepages should be used (especially useful on systems supporting hugepages of different sizes). The default unit for the ``size`` attribute is kilobytes (multiplier of 1024). If you want to use different unit, use optional ``unit`` attribute. For systems with NUMA, the optional ``nodeset`` attribute may come handy as it ties given guest's NUMA nodes to certain hugepage sizes. From the example snippet, one gigabyte hugepages are used for every NUMA node except node number four. For the correct syntax see `this <#elementsNUMATuning>`__. ``nosharepages`` Instructs hypervisor to disable shared pages (memory merge, KSM) for this domain. :since:`Since 1.0.6` ``locked`` When set and supported by the hypervisor, memory pages belonging to the domain will be locked in host's memory and the host will not be allowed to swap them out, which might be required for some workloads such as real-time. For QEMU/KVM guests, the memory used by the QEMU process itself will be locked too: unlike guest memory, this is an amount libvirt has no way of figuring out in advance, so it has to remove the limit on locked memory altogether. Thus, enabling this option opens up to a potential security risk: the host will be unable to reclaim the locked memory back from the guest when it's running out of memory, which means a malicious guest allocating large amounts of locked memory could cause a denial-of-service attack on the host. Because of this, using this option is discouraged unless your workload demands it; even then, it's highly recommended to set a ``hard_limit`` (see `memory tuning <#elementsMemoryTuning>`__) on memory allocation suitable for the specific environment at the same time to mitigate the risks described above. :since:`Since 1.0.6` ``source`` Using the ``type`` attribute, it's possible to provide "file" to utilize file memorybacking or keep the default "anonymous". :since:`Since 4.10.0` , you may choose "memfd" backing. (QEMU/KVM only) ``access`` Using the ``mode`` attribute, specify if the memory is to be "shared" or "private". This can be overridden per numa node by ``memAccess``. ``allocation`` Using the ``mode`` attribute, specify when to allocate the memory by supplying either "immediate" or "ondemand". ``discard`` When set and supported by hypervisor the memory content is discarded just before guest shuts down (or when DIMM module is unplugged). Please note that this is just an optimization and is not guaranteed to work in all cases (e.g. when hypervisor crashes). :since:`Since 4.4.0` (QEMU/KVM only) :anchor:`` Memory Tuning ------------- :: ... 1 128 2 67108864 ... ``memtune`` The optional ``memtune`` element provides details regarding the memory tunable parameters for the domain. If this is omitted, it defaults to the OS provided defaults. For QEMU/KVM, the parameters are applied to the QEMU process as a whole. Thus, when counting them, one needs to add up guest RAM, guest video RAM, and some memory overhead of QEMU itself. The last piece is hard to determine so one needs guess and try. For each tunable, it is possible to designate which unit the number is in on input, using the same values as for ````. For backwards compatibility, output is always in KiB. ``unit`` :since:`since 0.9.11` Possible values for all \*_limit parameters are in range from 0 to VIR_DOMAIN_MEMORY_PARAM_UNLIMITED. ``hard_limit`` The optional ``hard_limit`` element is the maximum memory the guest can use. The units for this value are kibibytes (i.e. blocks of 1024 bytes). Users of QEMU and KVM are strongly advised not to set this limit as domain may get killed by the kernel if the guess is too low, and determining the memory needed for a process to run is an `undecidable problem `__; that said, if you already set ``locked`` in `memory backing <#elementsMemoryBacking>`__ because your workload demands it, you'll have to take into account the specifics of your deployment and figure out a value for ``hard_limit`` that is large enough to support the memory requirements of your guest, but small enough to protect your host against a malicious guest locking all memory. ``soft_limit`` The optional ``soft_limit`` element is the memory limit to enforce during memory contention. The units for this value are kibibytes (i.e. blocks of 1024 bytes) ``swap_hard_limit`` The optional ``swap_hard_limit`` element is the maximum memory plus swap the guest can use. The units for this value are kibibytes (i.e. blocks of 1024 bytes). This has to be more than hard_limit value provided ``min_guarantee`` The optional ``min_guarantee`` element is the guaranteed minimum memory allocation for the guest. The units for this value are kibibytes (i.e. blocks of 1024 bytes). This element is only supported by VMware ESX and OpenVZ drivers. :anchor:`` NUMA Node Tuning ---------------- :: ... ... ``numatune`` The optional ``numatune`` element provides details of how to tune the performance of a NUMA host via controlling NUMA policy for domain process. NB, only supported by QEMU driver. :since:`Since 0.9.3` ``memory`` The optional ``memory`` element specifies how to allocate memory for the domain process on a NUMA host. It contains several optional attributes. Attribute ``mode`` is either 'interleave', 'strict', 'preferred', or 'restrictive', defaults to 'strict'. The value 'restrictive' specifies using system default policy and only cgroups is used to restrict the memory nodes, and it requires setting mode to 'restrictive' in ``memnode`` elements. Attribute ``nodeset`` specifies the NUMA nodes, using the same syntax as attribute ``cpuset`` of element ``vcpu``. Attribute ``placement`` ( :since:`since 0.9.12` ) can be used to indicate the memory placement mode for domain process, its value can be either "static" or "auto", defaults to ``placement`` of ``vcpu``, or "static" if ``nodeset`` is specified. "auto" indicates the domain process will only allocate memory from the advisory nodeset returned from querying numad, and the value of attribute ``nodeset`` will be ignored if it's specified. If ``placement`` of ``vcpu`` is 'auto', and ``numatune`` is not specified, a default ``numatune`` with ``placement`` 'auto' and ``mode`` 'strict' will be added implicitly. :since:`Since 0.9.3` ``memnode`` Optional ``memnode`` elements can specify memory allocation policies per each guest NUMA node. For those nodes having no corresponding ``memnode`` element, the default from element ``memory`` will be used. Attribute ``cellid`` addresses guest NUMA node for which the settings are applied. Attributes ``mode`` and ``nodeset`` have the same meaning and syntax as in ``memory`` element. This setting is not compatible with automatic placement. :since:`QEMU Since 1.2.7` :anchor:`` Block I/O Tuning ---------------- :: ... 800 /dev/sda 1000 /dev/sdb 500 10000 10000 20000 20000 ... ``blkiotune`` The optional ``blkiotune`` element provides the ability to tune Blkio cgroup tunable parameters for the domain. If this is omitted, it defaults to the OS provided defaults. :since:`Since 0.8.8` ``weight`` The optional ``weight`` element is the overall I/O weight of the guest. The value should be in the range [100, 1000]. After kernel 2.6.39, the value could be in the range [10, 1000]. ``device`` The domain may have multiple ``device`` elements that further tune the weights for each host block device in use by the domain. Note that multiple `guest disks <#elementsDisks>`__ can share a single host block device, if they are backed by files within the same host file system, which is why this tuning parameter is at the global domain level rather than associated with each guest disk device (contrast this to the ` <#elementsDisks>`__ element which can apply to an individual ````). Each ``device`` element has two mandatory sub-elements, ``path`` describing the absolute path of the device, and ``weight`` giving the relative weight of that device, in the range [100, 1000]. After kernel 2.6.39, the value could be in the range [10, 1000]. :since:`Since 0.9.8` Additionally, the following optional sub-elements can be used: ``read_bytes_sec`` Read throughput limit in bytes per second. :since:`Since 1.2.2` ``write_bytes_sec`` Write throughput limit in bytes per second. :since:`Since 1.2.2` ``read_iops_sec`` Read I/O operations per second limit. :since:`Since 1.2.2` ``write_iops_sec`` Write I/O operations per second limit. :since:`Since 1.2.2` :anchor:`` Resource partitioning --------------------- Hypervisors may allow for virtual machines to be placed into resource partitions, potentially with nesting of said partitions. The ``resource`` element groups together configuration related to resource partitioning. It currently supports a child element ``partition`` whose content defines the absolute path of the resource partition in which to place the domain. If no partition is listed, then the domain will be placed in a default partition. It is the responsibility of the app/admin to ensure that the partition exists prior to starting the guest. Only the (hypervisor specific) default partition can be assumed to exist by default. :: ... /virtualmachines/production ... Resource partitions are currently supported by the QEMU and LXC drivers, which map partition paths to cgroups directories, in all mounted controllers. :since:`Since 1.0.5` :anchor:`` CPU model and topology ---------------------- Requirements for CPU model, its features and topology can be specified using the following collection of elements. :since:`Since 0.7.5` :: ... core2duo Intel ... :: ... :: ... :: ... In case no restrictions need to be put on CPU model and its features, a simpler ``cpu`` element can be used. :since:`Since 0.7.6` :: ... ... ``cpu`` The ``cpu`` element is the main container for describing guest CPU requirements. Its ``match`` attribute specifies how strictly the virtual CPU provided to the guest matches these requirements. :since:`Since 0.7.6` the ``match`` attribute can be omitted if ``topology`` is the only element within ``cpu``. Possible values for the ``match`` attribute are: ``minimum`` The specified CPU model and features describes the minimum requested CPU. A better CPU will be provided to the guest if it is possible with the requested hypervisor on the current host. This is a constrained ``host-model`` mode; the domain will not be created if the provided virtual CPU does not meet the requirements. ``exact`` The virtual CPU provided to the guest should exactly match the specification. If such CPU is not supported, libvirt will refuse to start the domain. ``strict`` The domain will not be created unless the host CPU exactly matches the specification. This is not very useful in practice and should only be used if there is a real reason. :since:`Since 0.8.5` the ``match`` attribute can be omitted and will default to ``exact``. Sometimes the hypervisor is not able to create a virtual CPU exactly matching the specification passed by libvirt. :since:`Since 3.2.0` , an optional ``check`` attribute can be used to request a specific way of checking whether the virtual CPU matches the specification. It is usually safe to omit this attribute when starting a domain and stick with the default value. Once the domain starts, libvirt will automatically change the ``check`` attribute to the best supported value to ensure the virtual CPU does not change when the domain is migrated to another host. The following values can be used: ``none`` Libvirt does no checking and it is up to the hypervisor to refuse to start the domain if it cannot provide the requested CPU. With QEMU this means no checking is done at all since the default behavior of QEMU is to emit warnings, but start the domain anyway. ``partial`` Libvirt will check the guest CPU specification before starting a domain, but the rest is left on the hypervisor. It can still provide a different virtual CPU. ``full`` The virtual CPU created by the hypervisor will be checked against the CPU specification and the domain will not be started unless the two CPUs match. :since:`Since 0.9.10` , an optional ``mode`` attribute may be used to make it easier to configure a guest CPU to be as close to host CPU as possible. Possible values for the ``mode`` attribute are: ``custom`` In this mode, the ``cpu`` element describes the CPU that should be presented to the guest. This is the default when no ``mode`` attribute is specified. This mode makes it so that a persistent guest will see the same hardware no matter what host the guest is booted on. ``host-model`` The ``host-model`` mode is essentially a shortcut to copying host CPU definition from capabilities XML into domain XML. Since the CPU definition is copied just before starting a domain, exactly the same XML can be used on different hosts while still providing the best guest CPU each host supports. The ``match`` attribute can't be used in this mode. Specifying CPU model is not supported either, but ``model``'s ``fallback`` attribute may still be used. Using the ``feature`` element, specific flags may be enabled or disabled specifically in addition to the host model. This may be used to fine tune features that can be emulated. :since:`(Since 1.1.1)` . Libvirt does not model every aspect of each CPU so the guest CPU will not match the host CPU exactly. On the other hand, the ABI provided to the guest is reproducible. During migration, complete CPU model definition is transferred to the destination host so the migrated guest will see exactly the same CPU model for the running instance of the guest, even if the destination host contains more capable CPUs or newer kernel; but shutting down and restarting the guest may present different hardware to the guest according to the capabilities of the new host. Prior to libvirt 3.2.0 and QEMU 2.9.0 detection of the host CPU model via QEMU is not supported. Thus the CPU configuration created using ``host-model`` may not work as expected. :since:`Since 3.2.0 and QEMU 2.9.0` this mode works the way it was designed and it is indicated by the ``fallback`` attribute set to ``forbid`` in the host-model CPU definition advertised in `domain capabilities XML `__. When ``fallback`` attribute is set to ``allow`` in the domain capabilities XML, it is recommended to use ``custom`` mode with just the CPU model from the host capabilities XML. :since:`Since 1.2.11` PowerISA allows processors to run VMs in binary compatibility mode supporting an older version of ISA. Libvirt on PowerPC architecture uses the ``host-model`` to signify a guest mode CPU running in binary compatibility mode. Example: When a user needs a power7 VM to run in compatibility mode on a Power8 host, this can be described in XML as follows : :: power7 ... ``host-passthrough`` With this mode, the CPU visible to the guest should be exactly the same as the host CPU even in the aspects that libvirt does not understand. Though the downside of this mode is that the guest environment cannot be reproduced on different hardware. Thus, if you hit any bugs, you are on your own. Further details of that CPU can be changed using ``feature`` elements. Migration of a guest using host-passthrough is dangerous if the source and destination hosts are not identical in both hardware, QEMU version, microcode version and configuration. If such a migration is attempted then the guest may hang or crash upon resuming execution on the destination host. Depending on hypervisor version the virtual CPU may or may not contain features which may block migration even to an identical host. :since:`Since 6.5.0` optional ``migratable`` attribute may be used to explicitly request such features to be removed from (``on``) or kept in (``off``) the virtual CPU. This attribute does not make migration to another host safer: even with ``migratable='on'`` migration will be dangerous unless both hosts are identical as described above. ``maximum`` When running a guest with hardware virtualization this CPU model is functionally identical to ``host-passthrough``, so refer to the docs above. When running a guest with CPU emulation, this CPU model will enable the maximum set of features that the emulation engine is able to support. Note that even with ``migratable='on'`` migration will be dangerous unless both hosts are running identical versions of the emulation code. :since:`Since 7.1.0` with the QEMU driver. Both ``host-model`` and ``host-passthrough`` modes make sense when a domain can run directly on the host CPUs (for example, domains with type ``kvm``). The actual host CPU is irrelevant for domains with emulated virtual CPUs (such as domains with type ``qemu``). However, for backward compatibility ``host-model`` may be implemented even for domains running on emulated CPUs in which case the best CPU the hypervisor is able to emulate may be used rather then trying to mimic the host CPU model. If an application does not care about a specific CPU, just wants the best featureset without a need for migration compatibility, the ``maximum`` model is a good choice on hypervisors where it is available. ``model`` The content of the ``model`` element specifies CPU model requested by the guest. The list of available CPU models and their definition can be found in directory ``cpu_map``, installed in libvirt's data directory. If a hypervisor is not able to use the exact CPU model, libvirt automatically falls back to a closest model supported by the hypervisor while maintaining the list of CPU features. :since:`Since 0.9.10` , an optional ``fallback`` attribute can be used to forbid this behavior, in which case an attempt to start a domain requesting an unsupported CPU model will fail. Supported values for ``fallback`` attribute are: ``allow`` (this is the default), and ``forbid``. The optional ``vendor_id`` attribute ( :since:`Since 0.10.0` ) can be used to set the vendor id seen by the guest. It must be exactly 12 characters long. If not set the vendor id of the host is used. Typical possible values are "AuthenticAMD" and "GenuineIntel". ``vendor`` :since:`Since 0.8.3` the content of the ``vendor`` element specifies CPU vendor requested by the guest. If this element is missing, the guest can be run on a CPU matching given features regardless on its vendor. The list of supported vendors can be found in ``cpu_map/*_vendors.xml``. ``topology`` The ``topology`` element specifies requested topology of virtual CPU provided to the guest. Four attributes, ``sockets``, ``dies``, ``cores``, and ``threads``, accept non-zero positive integer values. They refer to the number of CPU sockets per NUMA node, number of dies per socket, number of cores per die, and number of threads per core, respectively. The ``dies`` attribute is optional and will default to 1 if omitted, while the other attributes are all mandatory. Hypervisors may require that the maximum number of vCPUs specified by the ``cpus`` element equals to the number of vcpus resulting from the topology. ``feature`` The ``cpu`` element can contain zero or more ``feature`` elements used to fine-tune features provided by the selected CPU model. The list of known feature names can be found in the same file as CPU models. The meaning of each ``feature`` element depends on its ``policy`` attribute, which has to be set to one of the following values: ``force`` The virtual CPU will claim the feature is supported regardless of it being supported by host CPU. ``require`` Guest creation will fail unless the feature is supported by the host CPU or the hypervisor is able to emulate it. ``optional`` The feature will be supported by virtual CPU if and only if it is supported by host CPU. ``disable`` The feature will not be supported by virtual CPU. ``forbid`` Guest creation will fail if the feature is supported by host CPU. :since:`Since 0.8.5` the ``policy`` attribute can be omitted and will default to ``require``. Individual CPU feature names are specified as part of the ``name`` attribute. For example, to explicitly specify the 'pcid' feature with Intel IvyBridge CPU model: :: ... IvyBridge Intel ... ``cache`` :since:`Since 3.3.0` the ``cache`` element describes the virtual CPU cache. If the element is missing, the hypervisor will use a sensible default. ``level`` This optional attribute specifies which cache level is described by the element. Missing attribute means the element describes all CPU cache levels at once. Mixing ``cache`` elements with the ``level`` attribute set and those without the attribute is forbidden. ``mode`` The following values are supported: ``emulate`` The hypervisor will provide a fake CPU cache data. ``passthrough`` The real CPU cache data reported by the host CPU will be passed through to the virtual CPU. ``disable`` The virtual CPU will report no CPU cache of the specified level (or no cache at all if the ``level`` attribute is missing). Guest NUMA topology can be specified using the ``numa`` element. :since:`Since 0.9.8` :: ... ... ... ... Each ``cell`` element specifies a NUMA cell or a NUMA node. ``cpus`` specifies the CPU or range of CPUs that are part of the node. :since:`Since 6.5.0` For the qemu driver, if the emulator binary supports disjointed ``cpus`` ranges in each ``cell``, the sum of all CPUs declared in each ``cell`` will be matched with the maximum number of virtual CPUs declared in the ``vcpu`` element. This is done by filling any remaining CPUs into the first NUMA ``cell``. Users are encouraged to supply a complete NUMA topology, where the sum of the NUMA CPUs matches the maximum virtual CPUs number declared in ``vcpus``, to make the domain consistent across qemu and libvirt versions. ``memory`` specifies the node memory in kibibytes (i.e. blocks of 1024 bytes). :since:`Since 6.6.0` the ``cpus`` attribute is optional and if omitted a CPU-less NUMA node is created. :since:`Since 1.2.11` one can use an additional `unit <#elementsMemoryAllocation>`__ attribute to define units in which ``memory`` is specified. :since:`Since 1.2.7` all cells should have ``id`` attribute in case referring to some cell is necessary in the code, otherwise the cells are assigned ``id``\ s in the increasing order starting from 0. Mixing cells with and without the ``id`` attribute is not recommended as it may result in unwanted behaviour. :since:`Since 1.2.9` the optional attribute ``memAccess`` can control whether the memory is to be mapped as "shared" or "private". This is valid only for hugepages-backed memory and nvdimm modules. Each ``cell`` element can have an optional ``discard`` attribute which fine tunes the discard feature for given numa node as described under `Memory Backing <#elementsMemoryBacking>`__. Accepted values are ``yes`` and ``no``. :since:`Since 4.4.0` This guest NUMA specification is currently available only for QEMU/KVM and Xen. A NUMA hardware architecture supports the notion of distances between NUMA cells. :since:`Since 3.10.0` it is possible to define the distance between NUMA cells using the ``distances`` element within a NUMA ``cell`` description. The ``sibling`` sub-element is used to specify the distance value between sibling NUMA cells. For more details, see the chapter explaining the system's SLIT (System Locality Information Table) within the ACPI (Advanced Configuration and Power Interface) specification. :: ... ... ... ... Describing distances between NUMA cells is currently only supported by Xen and QEMU. If no ``distances`` are given to describe the SLIT data between different cells, it will default to a scheme using 10 for local and 20 for remote distances. :anchor:`` ACPI Heterogeneous Memory Attribute Table ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :: ... ... ... ... :since:`Since 6.6.0` the ``cell`` element can have a ``cache`` child element which describes memory side cache for memory proximity domains. The ``cache`` element has a ``level`` attribute describing the cache level and thus the element can be repeated multiple times to describe different levels of the cache. The ``cache`` element then has following mandatory attributes: ``level`` Level of the cache this description refers to. ``associativity`` Describes cache associativity (accepted values are ``none``, ``direct`` and ``full``). ``policy`` Describes cache write associativity (accepted values are ``none``, ``writeback`` and ``writethrough``). The ``cache`` element has two mandatory child elements then: ``size`` and ``line`` which describe cache size and cache line size. Both elements accept two attributes: ``value`` and ``unit`` which set the value of corresponding cache attribute. The NUMA description has an optional ``interconnects`` element that describes the normalized memory read/write latency, read/write bandwidth between Initiator Proximity Domains (Processor or I/O) and Target Proximity Domains (Memory). The ``interconnects`` element can have zero or more ``latency`` child elements to describe latency between two memory nodes and zero or more ``bandwidth`` child elements to describe bandwidth between two memory nodes. Both these have the following mandatory attributes: ``initiator`` Refers to the source NUMA node ``target`` Refers to the target NUMA node ``type`` The type of the access. Accepted values: ``access``, ``read``, ``write`` ``value`` The actual value. For latency this is delay in nanoseconds, for bandwidth this value is in kibibytes per second. Use additional ``unit`` attribute to change the units. To describe latency from one NUMA node to a cache of another NUMA node the ``latency`` element has optional ``cache`` attribute which in combination with ``target`` attribute creates full reference to distant NUMA node's cache level. For instance, ``target='0' cache='1'`` refers to the first level cache of NUMA node 0. :anchor:`` Events configuration -------------------- It is sometimes necessary to override the default actions taken on various events. Not all hypervisors support all events and actions. The actions may be taken as a result of calls to libvirt APIs `virDomainReboot `__ , `virDomainShutdown `__ , or `virDomainShutdownFlags `__ . Using ``virsh reboot`` or ``virsh shutdown`` would also trigger the event. :: ... destroy restart restart poweroff ... The following collections of elements allow the actions to be specified when a guest OS triggers a lifecycle operation. A common use case is to force a reboot to be treated as a poweroff when doing the initial OS installation. This allows the VM to be re-configured for the first post-install bootup. ``on_poweroff`` The content of this element specifies the action to take when the guest requests a poweroff. ``on_reboot`` The content of this element specifies the action to take when the guest requests a reboot. ``on_crash`` The content of this element specifies the action to take when the guest crashes. Each of these states allow for the same four possible actions. ``destroy`` The domain will be terminated completely and all resources released. ``restart`` The domain will be terminated and then restarted with the same configuration. ``preserve`` The domain will be terminated and its resource preserved to allow analysis. ``rename-restart`` The domain will be terminated and then restarted with a new name. QEMU/KVM supports the ``on_poweroff`` and ``on_reboot`` events handling the ``destroy`` and ``restart`` actions. The ``preserve`` action for an ``on_reboot`` event is treated as a ``destroy`` and the ``rename-restart`` action for an ``on_poweroff`` event is treated as a ``restart`` event. The ``on_crash`` event supports these additional actions :since:`since 0.8.4` . ``coredump-destroy`` The crashed domain's core will be dumped, and then the domain will be terminated completely and all resources released ``coredump-restart`` The crashed domain's core will be dumped, and then the domain will be restarted with the same configuration :since:`Since 3.9.0` , the lifecycle events can be configured via the `virDomainSetLifecycleAction `__ API. The ``on_lockfailure`` element ( :since:`since 1.0.0` ) may be used to configure what action should be taken when a lock manager loses resource locks. The following actions are recognized by libvirt, although not all of them need to be supported by individual lock managers. When no action is specified, each lock manager will take its default action. ``poweroff`` The domain will be forcefully powered off. ``restart`` The domain will be powered off and started up again to reacquire its locks. ``pause`` The domain will be paused so that it can be manually resumed when lock issues are solved. ``ignore`` Keep the domain running as if nothing happened. :anchor:`` Power Management ---------------- :since:`Since 0.10.2` it is possible to forcibly enable or disable BIOS advertisements to the guest OS. (NB: Only qemu driver support) :: ... ... ``pm`` These elements enable ('yes') or disable ('no') BIOS support for S3 (suspend-to-mem) and S4 (suspend-to-disk) ACPI sleep states. If nothing is specified, then the hypervisor will be left with its default value. Note: This setting cannot prevent the guest OS from performing a suspend as the guest OS itself can choose to circumvent the unavailability of the sleep states (e.g. S4 by turning off completely). :anchor:`` Hypervisor features ------------------- Hypervisors may allow certain CPU / machine features to be toggled on/off. :: ... 16 48 ... All features are listed within the ``features`` element, omitting a togglable feature tag turns it off. The available features can be found by asking for the `capabilities XML `__ and `domain capabilities XML `__, but a common set for fully virtualized domains are: ``pae`` Physical address extension mode allows 32-bit guests to address more than 4 GB of memory. ``acpi`` ACPI is useful for power management, for example, with KVM guests it is required for graceful shutdown to work. ``apic`` APIC allows the use of programmable IRQ management. :since:`Since 0.10.2 (QEMU only)` there is an optional attribute ``eoi`` with values ``on`` and ``off`` which toggles the availability of EOI (End of Interrupt) for the guest. ``hap`` Depending on the ``state`` attribute (values ``on``, ``off``) enable or disable use of Hardware Assisted Paging. The default is ``on`` if the hypervisor detects availability of Hardware Assisted Paging. ``viridian`` Enable Viridian hypervisor extensions for paravirtualizing guest operating systems ``privnet`` Always create a private network namespace. This is automatically set if any interface devices are defined. This feature is only relevant for container based virtualization drivers, such as LXC. ``hyperv`` Enable various features improving behavior of guests running Microsoft Windows. =============== ====================================================================== ============================================ ======================================================= Feature Description Value Since =============== ====================================================================== ============================================ ======================================================= relaxed Relax constraints on timers on, off :since:`1.0.0 (QEMU 2.0)` vapic Enable virtual APIC on, off :since:`1.1.0 (QEMU 2.0)` spinlocks Enable spinlock support on, off; retries - at least 4095 :since:`1.1.0 (QEMU 2.0)` vpindex Virtual processor index on, off :since:`1.3.3 (QEMU 2.5)` runtime Processor time spent on running guest code and on behalf of guest code on, off :since:`1.3.3 (QEMU 2.5)` synic Enable Synthetic Interrupt Controller (SynIC) on, off :since:`1.3.3 (QEMU 2.6)` stimer Enable SynIC timers, optionally with Direct Mode support on, off; direct - on,off :since:`1.3.3 (QEMU 2.6), direct mode 5.7.0 (QEMU 4.1)` reset Enable hypervisor reset on, off :since:`1.3.3 (QEMU 2.5)` vendor_id Set hypervisor vendor id on, off; value - string, up to 12 characters :since:`1.3.3 (QEMU 2.5)` frequencies Expose frequency MSRs on, off :since:`4.7.0 (QEMU 2.12)` reenlightenment Enable re-enlightenment notification on migration on, off :since:`4.7.0 (QEMU 3.0)` tlbflush Enable PV TLB flush support on, off :since:`4.7.0 (QEMU 3.0)` ipi Enable PV IPI support on, off :since:`4.10.0 (QEMU 3.1)` evmcs Enable Enlightened VMCS on, off :since:`4.10.0 (QEMU 3.1)` =============== ====================================================================== ============================================ ======================================================= ``pvspinlock`` Notify the guest that the host supports paravirtual spinlocks for example by exposing the pvticketlocks mechanism. This feature can be explicitly disabled by using ``state='off'`` attribute. ``kvm`` Various features to change the behavior of the KVM hypervisor. ============== ============================================================================ ======= ============================ Feature Description Value Since ============== ============================================================================ ======= ============================ hidden Hide the KVM hypervisor from standard MSR based discovery on, off :since:`1.2.8 (QEMU 2.1.0)` hint-dedicated Allows a guest to enable optimizations when running on dedicated vCPUs on, off :since:`5.7.0 (QEMU 2.12.0)` poll-control Decrease IO completion latency by introducing a grace period of busy waiting on, off :since:`6.10.0 (QEMU 4.2)` ============== ============================================================================ ======= ============================ ``xen`` Various features to change the behavior of the Xen hypervisor. =========== ============================================== =================================================== ============== Feature Description Value Since =========== ============================================== =================================================== ============== e820_host Expose the host e820 to the guest (PV only) on, off :since:`6.3.0` passthrough Enable IOMMU mappings allowing PCI passthrough on, off; mode - optional string sync_pt or share_pt :since:`6.3.0` =========== ============================================== =================================================== ============== ``pmu`` Depending on the ``state`` attribute (values ``on``, ``off``, default ``on``) enable or disable the performance monitoring unit for the guest. :since:`Since 1.2.12` ``vmport`` Depending on the ``state`` attribute (values ``on``, ``off``, default ``on``) enable or disable the emulation of VMware IO port, for vmmouse etc. :since:`Since 1.2.16` ``gic`` Enable for architectures using a General Interrupt Controller instead of APIC in order to handle interrupts. For example, the 'aarch64' architecture uses ``gic`` instead of ``apic``. The optional attribute ``version`` specifies the GIC version; however, it may not be supported by all hypervisors. Accepted values are ``2``, ``3`` and ``host``. :since:`Since 1.2.16` ``smm`` Depending on the ``state`` attribute (values ``on``, ``off``, default ``on``) enable or disable System Management Mode. :since:`Since 2.1.0` Optional sub-element ``tseg`` can be used to specify the amount of memory dedicated to SMM's extended TSEG. That offers a fourth option size apart from the existing ones (1 MiB, 2 MiB and 8 MiB) that the guest OS (or rather loader) can choose from. The size can be specified as a value of that element, optional attribute ``unit`` can be used to specify the unit of the aforementioned value (defaults to 'MiB'). If set to 0 the extended size is not advertised and only the default ones (see above) are available. **If the VM is booting you should leave this option alone, unless you are very certain you know what you are doing.** This value is configurable due to the fact that the calculation cannot be done right with the guarantee that it will work correctly. In QEMU, the user-configurable extended TSEG feature was unavailable up to and including ``pc-q35-2.9``. Starting with ``pc-q35-2.10`` the feature is available, with default size 16 MiB. That should suffice for up to roughly 272 vCPUs, 5 GiB guest RAM in total, no hotplug memory range, and 32 GiB of 64-bit PCI MMIO aperture. Or for 48 vCPUs, with 1TB of guest RAM, no hotplug DIMM range, and 32GB of 64-bit PCI MMIO aperture. The values may also vary based on the loader the VM is using. Additional size might be needed for significantly higher vCPU counts or increased address space (that can be memory, maxMemory, 64-bit PCI MMIO aperture size; roughly 8 MiB of TSEG per 1 TiB of address space) which can also be rounded up. Due to the nature of this setting being similar to "how much RAM should the guest have" users are advised to either consult the documentation of the guest OS or loader (if there is any), or test this by trial-and-error changing the value until the VM boots successfully. Yet another guiding value for users might be the fact that 48 MiB should be enough for pretty large guests (240 vCPUs and 4TB guest RAM), but it is on purpose not set as default as 48 MiB of unavailable RAM might be too much for small guests (e.g. with 512 MiB of RAM). See `Memory Allocation <#elementsMemoryAllocation>`__ for more details about the ``unit`` attribute. :since:`Since 4.5.0` (QEMU only) ``ioapic`` Tune the I/O APIC. Possible values for the ``driver`` attribute are: ``kvm`` (default for KVM domains) and ``qemu`` which puts I/O APIC in userspace which is also known as a split I/O APIC mode. :since:`Since 3.4.0` (QEMU/KVM only) ``hpt`` Configure the HPT (Hash Page Table) of a pSeries guest. Possible values for the ``resizing`` attribute are ``enabled``, which causes HPT resizing to be enabled if both the guest and the host support it; ``disabled``, which causes HPT resizing to be disabled regardless of guest and host support; and ``required``, which prevents the guest from starting unless both the guest and the host support HPT resizing. If the attribute is not defined, the hypervisor default will be used. :since:`Since 3.10.0` (QEMU/KVM only). The optional ``maxpagesize`` subelement can be used to limit the usable page size for HPT guests. Common values are 64 KiB, 16 MiB and 16 GiB; when not specified, the hypervisor default will be used. :since:`Since 4.5.0` (QEMU/KVM only). ``vmcoreinfo`` Enable QEMU vmcoreinfo device to let the guest kernel save debug details. :since:`Since 4.4.0` (QEMU only) ``htm`` Configure HTM (Hardware Transational Memory) availability for pSeries guests. Possible values for the ``state`` attribute are ``on`` and ``off``. If the attribute is not defined, the hypervisor default will be used. :since:`Since 4.6.0` (QEMU/KVM only) ``nested-hv`` Configure nested HV availability for pSeries guests. This needs to be enabled from the host (L0) in order to be effective; having HV support in the (L1) guest is very desiderable if it's planned to run nested (L2) guests inside it, because it will result in those nested guests having much better performance than they would when using KVM PR or TCG. Possible values for the ``state`` attribute are ``on`` and ``off``. If the attribute is not defined, the hypervisor default will be used. :since:`Since 4.10.0` (QEMU/KVM only) ``msrs`` Some guests might require ignoring unknown Model Specific Registers (MSRs) reads and writes. It's possible to switch this by setting ``unknown`` attribute of ``msrs`` to ``ignore``. If the attribute is not defined, or set to ``fault``, unknown reads and writes will not be ignored. :since:`Since 5.1.0` (bhyve only) ``ccf-assist`` Configure ccf-assist (Count Cache Flush Assist) availability for pSeries guests. Possible values for the ``state`` attribute are ``on`` and ``off``. If the attribute is not defined, the hypervisor default will be used. :since:`Since 5.9.0` (QEMU/KVM only) ``cfpc`` Configure cfpc (Cache Flush on Privilege Change) availability for pSeries guests. Possible values for the ``value`` attribute are ``broken`` (no protection), ``workaround`` (software workaround available) and ``fixed`` (fixed in hardware). If the attribute is not defined, the hypervisor default will be used. :since:`Since 6.3.0` (QEMU/KVM only) ``sbbc`` Configure sbbc (Speculation Barrier Bounds Checking) availability for pSeries guests. Possible values for the ``value`` attribute are ``broken`` (no protection), ``workaround`` (software workaround available) and ``fixed`` (fixed in hardware). If the attribute is not defined, the hypervisor default will be used. :since:`Since 6.3.0` (QEMU/KVM only) ``ibs`` Configure ibs (Indirect Branch Speculation) availability for pSeries guests. Possible values for the ``value`` attribute are ``broken`` (no protection), ``workaround`` (count cache flush), ``fixed-ibs`` (fixed by serializing indirect branches), ``fixed-ccd`` (fixed by disabling the cache count) and ``fixed-na (fixed in hardware - no longer applicable)``. If the attribute is not defined, the hypervisor default will be used. :since:`Since 6.3.0` (QEMU/KVM only) :anchor:`` Time keeping ------------ The guest clock is typically initialized from the host clock. Most operating systems expect the hardware clock to be kept in UTC, and this is the default. Windows, however, expects it to be in so called 'localtime'. :: ... ... ``clock`` The ``offset`` attribute takes four possible values, allowing fine grained control over how the guest clock is synchronized to the host. NB, not all hypervisors support all modes. ``utc`` The guest clock will always be synchronized to UTC when booted. :since:`Since 0.9.11` 'utc' mode can be converted to 'variable' mode, which can be controlled by using the ``adjustment`` attribute. If the value is 'reset', the conversion is never done (not all hypervisors can synchronize to UTC on each boot; use of 'reset' will cause an error on those hypervisors). A numeric value forces the conversion to 'variable' mode using the value as the initial adjustment. The default ``adjustment`` is hypervisor specific. ``localtime`` The guest clock will be synchronized to the host's configured timezone when booted, if any. :since:`Since 0.9.11,` the ``adjustment`` attribute behaves the same as in 'utc' mode. ``timezone`` The guest clock will be synchronized to the requested timezone using the ``timezone`` attribute. :since:`Since 0.7.7` ``variable`` The guest clock will have an arbitrary offset applied relative to UTC or localtime, depending on the ``basis`` attribute. The delta relative to UTC (or localtime) is specified in seconds, using the ``adjustment`` attribute. The guest is free to adjust the RTC over time and expect that it will be honored at next reboot. This is in contrast to 'utc' and 'localtime' mode (with the optional attribute adjustment='reset'), where the RTC adjustments are lost at each reboot. :since:`Since 0.7.7` :since:`Since 0.9.11` the ``basis`` attribute can be either 'utc' (default) or 'localtime'. A ``clock`` may have zero or more ``timer`` sub-elements. :since:`Since 0.8.0` ``timer`` Each timer element requires a ``name`` attribute, and has other optional attributes that depend on the ``name`` specified. Various hypervisors support different combinations of attributes. ``name`` The ``name`` attribute selects which timer is being modified, and can be one of "platform" (currently unsupported), "hpet" (xen, qemu, lxc), "kvmclock" (qemu), "pit" (qemu), "rtc" (qemu, lxc), "tsc" (xen, qemu - :since:`since 3.2.0` ), "hypervclock" (qemu - :since:`since 1.2.2` ) or "armvtimer" (qemu - :since:`since 6.1.0` ). The ``hypervclock`` timer adds support for the reference time counter and the reference page for iTSC feature for guests running the Microsoft Windows operating system. ``track`` The ``track`` attribute specifies what the timer tracks, and can be "boot", "guest", or "wall", or "realtime". Only valid for ``name="rtc"`` or ``name="platform"``. ``tickpolicy`` The ``tickpolicy`` attribute determines what happens when QEMU misses a deadline for injecting a tick to the guest. This can happen, for example, because the guest was paused. ``delay`` Continue to deliver ticks at the normal rate. The guest OS will not notice anything is amiss, as from its point of view time will have continued to flow normally. The time in the guest should now be behind the time in the host by exactly the amount of time during which ticks have been missed. ``catchup`` Deliver ticks at a higher rate to catch up with the missed ticks. The guest OS will not notice anything is amiss, as from its point of view time will have continued to flow normally. Once the timer has managed to catch up with all the missing ticks, the time in the guest and in the host should match. ``merge`` Merge the missed tick(s) into one tick and inject. The guest time may be delayed, depending on how the OS reacts to the merging of ticks ``discard`` Throw away the missed ticks and continue with future injection normally. The guest OS will see the timer jump ahead by a potentially quite significant amount all at once, as if the intervening chunk of time had simply not existed; needless to say, such a sudden jump can easily confuse a guest OS which is not specifically prepared to deal with it. Assuming the guest OS can deal correctly with the time jump, the time in the guest and in the host should now match. If the policy is "catchup", there can be further details in the ``catchup`` sub-element. ``catchup`` The ``catchup`` element has three optional attributes, each a positive integer. The attributes are ``threshold``, ``slew``, and ``limit``. Note that hypervisors are not required to support all policies across all time sources ``frequency`` The ``frequency`` attribute is an unsigned integer specifying the frequency at which ``name="tsc"`` runs. ``mode`` The ``mode`` attribute controls how the ``name="tsc"`` timer is managed, and can be "auto", "native", "emulate", "paravirt", or "smpsafe". Other timers are always emulated. ``present`` The ``present`` attribute can be "yes" or "no" to specify whether a particular timer is available to the guest. :anchor:`` Performance monitoring events ----------------------------- Some platforms allow monitoring of performance of the virtual machine and the code executed inside. To enable the performance monitoring events you can either specify them in the ``perf`` element or enable them via ``virDomainSetPerfEvents`` API. The performance values are then retrieved using the virConnectGetAllDomainStats API. :since:`Since 2.0.0` :: ... ... =========================== ======================================================================================================================================================================================= ================================ event name Description stats parameter name =========================== ======================================================================================================================================================================================= ================================ ``cmt`` usage of l3 cache in bytes by applications running on the platform ``perf.cmt`` ``mbmt`` total system bandwidth from one level of cache ``perf.mbmt`` ``mbml`` bandwidth of memory traffic for a memory controller ``perf.mbml`` ``cpu_cycles`` the count of CPU cycles (total/elapsed) ``perf.cpu_cycles`` ``instructions`` the count of instructions by applications running on the platform ``perf.instructions`` ``cache_references`` the count of cache hits by applications running on the platform ``perf.cache_references`` ``cache_misses`` the count of cache misses by applications running on the platform ``perf.cache_misses`` ``branch_instructions`` the count of branch instructions by applications running on the platform ``perf.branch_instructions`` ``branch_misses`` the count of branch misses by applications running on the platform ``perf.branch_misses`` ``bus_cycles`` the count of bus cycles by applications running on the platform ``perf.bus_cycles`` ``stalled_cycles_frontend`` the count of stalled CPU cycles in the frontend of the instruction processor pipeline by applications running on the platform ``perf.stalled_cycles_frontend`` ``stalled_cycles_backend`` the count of stalled CPU cycles in the backend of the instruction processor pipeline by applications running on the platform ``perf.stalled_cycles_backend`` ``ref_cpu_cycles`` the count of total CPU cycles not affected by CPU frequency scaling by applications running on the platform ``perf.ref_cpu_cycles`` ``cpu_clock`` the count of CPU clock time, as measured by a monotonic high-resolution per-CPU timer, by applications running on the platform ``perf.cpu_clock`` ``task_clock`` the count of task clock time, as measured by a monotonic high-resolution CPU timer, specific to the task that is run by applications running on the platform ``perf.task_clock`` ``page_faults`` the count of page faults by applications running on the platform. This includes minor, major, invalid and other types of page faults ``perf.page_faults`` ``context_switches`` the count of context switches by applications running on the platform ``perf.context_switches`` ``cpu_migrations`` the count of CPU migrations, that is, where the process moved from one logical processor to another, by applications running on the platform ``perf.cpu_migrations`` ``page_faults_min`` the count of minor page faults, that is, where the page was present in the page cache, and therefore the fault avoided loading it from storage, by applications running on the platform ``perf.page_faults_min`` ``page_faults_maj`` the count of major page faults, that is, where the page was not present in the page cache, and therefore had to be fetched from storage, by applications running on the platform ``perf.page_faults_maj`` ``alignment_faults`` the count of alignment faults, that is when the load or store is not aligned properly, by applications running on the platform ``perf.alignment_faults`` ``emulation_faults`` the count of emulation faults, that is when the kernel traps on unimplemented instrucions and emulates them for user space, by applications running on the platform ``perf.emulation_faults`` =========================== ======================================================================================================================================================================================= ================================ :anchor:`` Devices ------- The final set of XML elements are all used to describe devices provided to the guest domain. All devices occur as children of the main ``devices`` element. :since:`Since 0.1.3` :: ... /usr/lib/xen/bin/qemu-dm ... ``emulator`` The contents of the ``emulator`` element specify the fully qualified path to the device model emulator binary. The `capabilities XML `__ specifies the recommended default emulator to use for each particular domain type / architecture combination. To help users identifying devices they care about, every device can have direct child ``alias`` element which then has ``name`` attribute where users can store identifier for the device. The identifier has to have "ua-" prefix and must be unique within the domain. Additionally, the identifier must consist only of the following characters: ``[a-zA-Z0-9_-]``. :since:`Since 3.9.0` :: ... :anchor:`` Hard drives, floppy disks, CDROMs ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Any device that looks like a disk, be it a floppy, harddisk, cdrom, or paravirtualized driver is specified via the ``disk`` element. :: ... 10000000 400000 100000 ... ... ...
somevalue
... ``disk`` The ``disk`` element is the main container for describing disks and supports the following attributes: ``type`` Valid values are "file", "block", "dir" ( :since:`since 0.7.5` ), "network" ( :since:`since 0.8.7` ), or "volume" ( :since:`since 1.0.5` ), or "nvme" ( :since:`since 6.0.0` ), or "vhostuser" ( :since:`since 7.1.0` ) and refer to the underlying source for the disk. :since:`Since 0.0.3` ``device`` Indicates how the disk is to be exposed to the guest OS. Possible values for this attribute are "floppy", "disk", "cdrom", and "lun", defaulting to "disk". Using "lun" ( :since:`since 0.9.10` ) is only valid when the ``type`` is "block" or "network" for ``protocol='iscsi'`` or when the ``type`` is "volume" when using an iSCSI source ``pool`` for ``mode`` "host" or as an `NPIV `__ virtual Host Bus Adapter (vHBA) using a Fibre Channel storage pool. Configured in this manner, the LUN behaves identically to "disk", except that generic SCSI commands from the guest are accepted and passed through to the physical device. Also note that device='lun' will only be recognized for actual raw devices, but never for individual partitions or LVM partitions (in those cases, the kernel will reject the generic SCSI commands, making it identical to device='disk'). :since:`Since 0.1.4` ``model`` Indicates the emulated device model of the disk. Typically this is indicated solely by the ``bus`` property but for ``bus`` "virtio" the model can be specified further with "virtio-transitional", "virtio-non-transitional", or "virtio". See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. :since:`Since 5.2.0` ``rawio`` Indicates whether the disk needs rawio capability. Valid settings are "yes" or "no" (default is "no"). If any one disk in a domain has rawio='yes', rawio capability will be enabled for all disks in the domain (because, in the case of QEMU, this capability can only be set on a per-process basis). This attribute is only valid when device is "lun". NB, ``rawio`` intends to confine the capability per-device, however, current QEMU implementation gives the domain process broader capability than that (per-process basis, affects all the domain disks). To confine the capability as much as possible for QEMU driver as this stage, ``sgio`` is recommended, it's more secure than ``rawio``. :since:`Since 0.9.10` ``sgio`` If supported by the hypervisor and OS, indicates whether unprivileged SG_IO commands are filtered for the disk. Valid settings are "filtered" or "unfiltered" where the default is "filtered". Only available when the ``device`` is 'lun'. :since:`Since 1.0.2` ``snapshot`` Indicates the default behavior of the disk during disk snapshots: "``internal``" requires a file format such as qcow2 that can store both the snapshot and the data changes since the snapshot; "``external``" will separate the snapshot from the live data; and "``no``" means the disk will not participate in snapshots. Read-only disks default to "``no``", while the default for other disks depends on the hypervisor's capabilities. Some hypervisors allow a per-snapshot choice as well, during `domain snapshot creation `__. Not all snapshot modes are supported; for example, enabling snapshots with a transient disk generally does not make sense. :since:`Since 0.9.5` ``source`` Representation of the disk ``source`` depends on the disk ``type`` attribute value as follows: ``file`` The ``file`` attribute specifies the fully-qualified path to the file holding the disk. :since:`Since 0.0.3` ``block`` The ``dev`` attribute specifies the fully-qualified path to the host device to serve as the disk. :since:`Since 0.0.3` ``dir`` The ``dir`` attribute specifies the fully-qualified path to the directory to use as the disk. :since:`Since 0.7.5` ``network`` The ``protocol`` attribute specifies the protocol to access to the requested image. Possible values are "nbd", "iscsi", "rbd", "sheepdog", "gluster", "vxhs", "nfs", "http", "https", "ftp", ftps", or "tftp". For any ``protocol`` other than ``nbd`` an additional attribute ``name`` is mandatory to specify which volume/image will be used. For "nbd", the ``name`` attribute is optional. TLS transport for NBD can be enabled by setting the ``tls`` attribute to ``yes``. For the QEMU hypervisor, usage of a TLS environment can also be globally controlled on the host by the ``nbd_tls`` and ``nbd_tls_x509_cert_dir`` in /etc/libvirt/qemu.conf. ('tls' :since:`Since 4.5.0` ) For protocols ``http`` and ``https`` an optional attribute ``query`` specifies the query string. ( :since:`Since 6.2.0` ) For "iscsi" ( :since:`since 1.0.4` ), the ``name`` attribute may include a logical unit number, separated from the target's name by a slash (e.g., ``iqn.2013-07.com.example:iscsi-pool/1``). If not specified, the default LUN is zero. For "vxhs" ( :since:`since 3.8.0` ), the ``name`` is the UUID of the volume, assigned by the HyperScale server. Additionally, an optional attribute ``tls`` (QEMU only) can be used to control whether a VxHS block device would utilize a hypervisor configured TLS X.509 certificate environment in order to encrypt the data channel. For the QEMU hypervisor, usage of a TLS environment can also be globally controlled on the host by the ``vxhs_tls`` and ``vxhs_tls_x509_cert_dir`` or ``default_tls_x509_cert_dir`` settings in the file /etc/libvirt/qemu.conf. If ``vxhs_tls`` is enabled, then unless the domain ``tls`` attribute is set to "no", libvirt will use the host configured TLS environment. If the ``tls`` attribute is set to "yes", then regardless of the qemu.conf setting, TLS authentication will be attempted. :since:`Since 0.8.7` ``volume`` The underlying disk source is represented by attributes ``pool`` and ``volume``. Attribute ``pool`` specifies the name of the `storage pool `__ (managed by libvirt) where the disk source resides. Attribute ``volume`` specifies the name of storage volume (managed by libvirt) used as the disk source. The value for the ``volume`` attribute will be the output from the "Name" column of a ``virsh vol-list [pool-name]`` command. Use the attribute ``mode`` ( :since:`since 1.1.1` ) to indicate how to represent the LUN as the disk source. Valid values are "direct" and "host". If ``mode`` is not specified, the default is to use "host". Using "direct" as the ``mode`` value indicates to use the `storage pool's `__ ``source`` element ``host`` attribute as the disk source to generate the libiscsi URI (e.g. 'file=iscsi://example.com:3260/iqn.2013-07.com.example:iscsi-pool/1'). Using "host" as the ``mode`` value indicates to use the LUN's path as it shows up on host (e.g. 'file=/dev/disk/by-path/ip-example.com:3260-iscsi-iqn.2013-07.com.example:iscsi-pool-lun-1'). Using a LUN from an iSCSI source pool provides the same features as a ``disk`` configured using ``type`` 'block' or 'network' and ``device`` of 'lun' with respect to how the LUN is presented to and may be used by the guest. :since:`Since 1.0.5` ``nvme`` To specify disk source for NVMe disk the ``source`` element has the following attributes: ``type`` The type of address specified in ``address`` sub-element. Currently, only ``pci`` value is accepted. ``managed`` This attribute instructs libvirt to detach NVMe controller automatically on domain startup (``yes``) or expect the controller to be detached by system administrator (``no``). ``namespace`` The namespace ID which should be assigned to the domain. According to NVMe standard, namespace numbers start from 1, including. The difference between ```` and ```` is that the latter is plain host device assignment with all its limitations (e.g. no live migration), while the former makes hypervisor to run the NVMe disk through hypervisor's block layer thus enabling all features provided by the layer (e.g. snapshots, domain migration, etc.). Moreover, since the NVMe disk is unbinded from its PCI driver, the host kernel storage stack is not involved (compared to passing say ``/dev/nvme0n1`` via ```` and therefore lower latencies can be achieved. ``vhostuser`` Enables the hypervisor to connect to another process using vhost-user protocol. Requires shared memory configured for the VM, for more details see ``access`` mode for `memoryBacking <#elementsMemoryBacking>`__ element. The ``source`` element has following mandatory attributes: ``type`` The type of char device. Currently only ``unix`` type is supported. ``path`` Path to the unix socket to be used as disk source. Note that the vhost server replaces both the disk frontend and backend thus almost all of the disk properties can't be configured via the ```` XML for this disk type. Additionally features such as blockjobs, incremental backups and snapshots are not supported for this disk type. With "file", "block", and "volume", one or more optional sub-elements ``seclabel``, `described below <#seclabel>`__ (and :since:`since 0.9.9` ), can be used to override the domain security labeling policy for just that source file. (NB, for "volume" type disk, ``seclabel`` is only valid when the specified storage volume is of 'file' or 'block' type). The ``source`` element may also have the ``index`` attribute with same semantics the ``index`` attribute of ``backingStore``. The ``source`` element may contain the following sub elements: ``host`` When the disk ``type`` is "network", the ``source`` may have zero or more ``host`` sub-elements used to specify the hosts to connect. The ``host`` element supports 4 attributes, viz. "name", "port", "transport" and "socket", which specify the hostname, the port number, transport type and path to socket, respectively. The meaning of this element and the number of the elements depend on the protocol attribute. ======== ======================================================= ============================================================ ================ Protocol Meaning Number of hosts Default port ======== ======================================================= ============================================================ ================ nbd a server running nbd-server only one 10809 iscsi an iSCSI server only one 3260 rbd monitor servers of RBD one or more librados default sheepdog one of the sheepdog servers (default is localhost:7000) zero or one 7000 gluster a server running glusterd daemon one or more ( :since:`Since 2.1.0` ), just one prior to that 24007 vxhs a server running Veritas HyperScale daemon only one 9999 nfs a server running Network File System only one ( :since:`Since 7.0.0` ) must be omitted ======== ======================================================= ============================================================ ================ gluster supports "tcp", "rdma", "unix" as valid values for the transport attribute. nbd supports "tcp" and "unix". Others only support "tcp". If nothing is specified, "tcp" is assumed. If the transport is "unix", the socket attribute specifies the path to an AF_UNIX socket. nfs only supports the use of a "tcp" transport, and does not support using a port at all so it must be omitted. ``snapshot`` The ``name`` attribute of ``snapshot`` element can optionally specify an internal snapshot name to be used as the source for storage protocols. Supported for 'rbd' :since:`since 1.2.11 (QEMU only).` ``config`` The ``file`` attribute for the ``config`` element provides a fully qualified path to a configuration file to be provided as a parameter to the client of a networked storage protocol. Supported for 'rbd' :since:`since 1.2.11 (QEMU only).` ``auth`` :since:`Since libvirt 3.9.0` , the ``auth`` element is supported for a disk ``type`` "network" that is using a ``source`` element with the ``protocol`` attributes "rbd" or "iscsi". If present, the ``auth`` element provides the authentication credentials needed to access the source. It includes a mandatory attribute ``username``, which identifies the username to use during authentication, as well as a sub-element ``secret`` with mandatory attribute ``type``, to tie back to a `libvirt secret object `__ that holds the actual password or other credentials (the domain XML intentionally does not expose the password, only the reference to the object that does manage the password). Known secret types are "ceph" for Ceph RBD network sources and "iscsi" for CHAP authentication of iSCSI targets. Both will require either a ``uuid`` attribute with the UUID of the secret object or a ``usage`` attribute matching the key that was specified in the secret object. ``encryption`` :since:`Since libvirt 3.9.0` , the ``encryption`` can be a sub-element of the ``source`` element for encrypted storage sources. If present, specifies how the storage source is encrypted See the `Storage Encryption `__ page for more information. Note that the 'qcow' format of encryption is broken and thus is no longer supported for use with disk images. ( :since:`Since libvirt 4.5.0` ) ``reservations`` :since:`Since libvirt 4.4.0` , the ``reservations`` can be a sub-element of the ``source`` element for storage sources (QEMU driver only). If present it enables persistent reservations for SCSI based disks. The element has one mandatory attribute ``managed`` with accepted values ``yes`` and ``no``. If ``managed`` is enabled libvirt prepares and manages any resources needed. When the persistent reservations are unmanaged, then the hypervisor acts as a client and the path to the server socket must be provided in the child element ``source``, which currently accepts only the following attributes: ``type`` with one value ``unix``, ``path`` path to the socket, and finally ``mode`` which accepts one value ``client`` specifying the role of hypervisor. It's recommended to allow libvirt manage the persistent reservations. ``initiator`` :since:`Since libvirt 4.7.0` , the ``initiator`` element is supported for a disk ``type`` "network" that is using a ``source`` element with the ``protocol`` attribute "iscsi". If present, the ``initiator`` element provides the initiator IQN needed to access the source via mandatory attribute ``name``. ``address`` For disk of type ``nvme`` this element specifies the PCI address of the host NVMe controller. :since:`Since 6.0.0` ``slices`` The ``slices`` element using its ``slice`` sub-elements allows configuring offset and size of either the location of the image format (``slice type='storage'``) inside the storage source or the guest data inside the image format container (future expansion). The ``offset`` and ``size`` values are in bytes. :since:`Since 6.1.0` ``ssl`` For ``https`` and ``ftps`` accessed storage it's possible to tweak the SSL transport parameters with this element. The ``verify`` attribute allows to turn on or off SSL certificate validation. Supported values are ``yes`` and ``no``. :since:`Since 6.2.0` ``cookies`` For ``http`` and ``https`` accessed storage it's possible to pass one or more cookies. The cookie name and value must conform to the HTTP specification. :since:`Since 6.2.0` ``readahead`` Specifies the size of the readahead buffer for protocols which support it. (all 'curl' based drivers in qemu). The size is in bytes. Note that '0' is considered as if the value is not provided. :since:`Since 6.2.0` ``timeout`` Specifies the connection timeout for protocols which support it. Note that '0' is considered as if the value is not provided. :since:`Since 6.2.0` ``identity`` When using an ``nfs`` protocol, this is used to provide information on the configuration of the user and group. The element has two attributes, ``user`` and ``group``. The user can provide these elements as user or group strings, or as user and group ID numbers directly if the string is formatted using a "+" at the beginning of the ID number. If either of these attributes is omitted, then that field is assumed to be the default value for the current system. If both ``user`` and ``group`` are intended to be default, then the entire element may be omitted. ``reconnect`` For disk type ``vhostuser`` configures reconnect timeout if the connection is lost. It has two mandatory attributes: ``enabled`` If the reconnect feature is enabled, accepts ``yes`` and ``no`` ``timeout`` The amount of seconds after which hypervisor tries to reconnect. For a "file" or "volume" disk type which represents a cdrom or floppy (the ``device`` attribute), it is possible to define policy what to do with the disk if the source file is not accessible. (NB, ``startupPolicy`` is not valid for "volume" disk unless the specified storage volume is of "file" type). This is done by the ``startupPolicy`` attribute ( :since:`since 0.9.7` ), accepting these values: ========= ===================================================================== mandatory fail if missing for any reason (the default) requisite fail if missing on boot up, drop if missing on migrate/restore/revert optional drop if missing at any start attempt ========= ===================================================================== :since:`Since 1.1.2` the ``startupPolicy`` is extended to support hard disks besides cdrom and floppy. On guest cold bootup, if a certain disk is not accessible or its disk chain is broken, with startupPolicy 'optional' the guest will drop this disk. This feature doesn't support migration currently. ``backingStore`` This element describes the backing store used by the disk specified by sibling ``source`` element. :since:`Since 1.2.4.` If the hypervisor driver does not support the `backingStoreInput `__ ( :since:`Since 5.10.0` ) domain feature the ``backingStore`` is ignored on input and only used for output to describe the detected backing chains of running domains. If ``backingStoreInput`` is supported the ``backingStore`` is used as the backing image of ``source`` or other ``backingStore`` overriding any backing image information recorded in the image metadata. An empty ``backingStore`` element means the sibling source is self-contained and is not based on any backing store. For the detected backing chain information to be accurate, the backing format must be correctly specified in the metadata of each file of the chain (files created by libvirt satisfy this property, but using existing external files for snapshot or block copy operations requires the end user to pre-create the file correctly). The following attributes are supported in ``backingStore``: ``type`` The ``type`` attribute represents the type of disk used by the backing store, see disk type attribute above for more details and possible values. ``index`` This attribute is only valid in output (and ignored on input) and it can be used to refer to a specific part of the disk chain when doing block operations (such as via the ``virDomainBlockRebase`` API). For example, ``vda[2]`` refers to the backing store with ``index='2'`` of the disk with ``vda`` target. Moreover, ``backingStore`` supports the following sub-elements: ``format`` The ``format`` element contains ``type`` attribute which specifies the internal format of the backing store, such as ``raw`` or ``qcow2``. The ``format`` element can contain ``metadata_cache`` subelement, which has identical semantics to the identically named subelement of ``driver`` of a ``disk``. ``source`` This element has the same structure as the ``source`` element in ``disk``. It specifies which file, device, or network location contains the data of the described backing store. ``backingStore`` If the backing store is not self-contained, the next element in the chain is described by nested ``backingStore`` element. ``mirror`` This element is present if the hypervisor has started a long-running block job operation, where the mirror location in the ``source`` sub-element will eventually have the same contents as the source, and with the file format in the sub-element ``format`` (which might differ from the format of the source). The details of the ``source`` sub-element are determined by the ``type`` attribute of the mirror, similar to what is done for the overall ``disk`` device element. The ``job`` attribute mentions which API started the operation ("copy" for the ``virDomainBlockRebase`` API, or "active-commit" for the ``virDomainBlockCommit`` API), :since:`since 1.2.7` . The attribute ``ready``, if present, tracks progress of the job: ``yes`` if the disk is known to be ready to pivot, or, :since:`since 1.2.7` , ``abort`` or ``pivot`` if the job is in the process of completing. If ``ready`` is not present, the disk is probably still copying. For now, this element only valid in output; it is ignored on input. The ``source`` sub-element exists for all two-phase jobs :since:`since 1.2.6` . Older libvirt supported only block copy to a file, :since:`since 0.9.12` ; for compatibility with older clients, such jobs include redundant information in the attributes ``file`` and ``format`` in the ``mirror`` element. ``target`` The ``target`` element controls the bus / device under which the disk is exposed to the guest OS. The ``dev`` attribute indicates the "logical" device name. The actual device name specified is not guaranteed to map to the device name in the guest OS. Treat it as a device ordering hint. The optional ``bus`` attribute specifies the type of disk device to emulate; possible values are driver specific, with typical values being "ide", "scsi", "virtio", "xen", "usb", "sata", or "sd" :since:`"sd" since 1.1.2` . If omitted, the bus type is inferred from the style of the device name (e.g. a device named 'sda' will typically be exported using a SCSI bus). The optional attribute ``tray`` indicates the tray status of the removable disks (i.e. CDROM or Floppy disk), the value can be either "open" or "closed", defaults to "closed". NB, the value of ``tray`` could be updated while the domain is running. The optional attribute ``removable`` sets the removable flag for USB disks, and its value can be either "on" or "off", defaulting to "off". The optional attribute ``rotation_rate`` sets the rotation rate of the storage for disks on a SCSI, IDE, or SATA bus. Values in the range 1025 to 65534 are used to indicate rotational media speed in revolutions per minute. A value of one is used to indicate solid state, or otherwise non-rotational, storage. These values are not required to match the values of the underlying host storage. :since:`Since 0.0.3`; ``bus`` attribute :since:`since 0.4.3`; ``tray`` attribute :since:`since 0.9.11`; "usb" attribute value :since:`since after 0.4.4`; "sata" attribute value :since:`since 0.9.7`; "removable" attribute value :since:`since 1.1.3`; "rotation_rate" attribute value :since:`since 7.3.0` ``iotune`` The optional ``iotune`` element provides the ability to provide additional per-device I/O tuning, with values that can vary for each device (contrast this to the ` <#elementsBlockTuning>`__ element, which applies globally to the domain). Currently, the only tuning available is Block I/O throttling for qemu. This element has optional sub-elements; any sub-element not specified or given with a value of 0 implies no limit. :since:`Since 0.9.8` ``total_bytes_sec`` The optional ``total_bytes_sec`` element is the total throughput limit in bytes per second. This cannot appear with ``read_bytes_sec`` or ``write_bytes_sec``. ``read_bytes_sec`` The optional ``read_bytes_sec`` element is the read throughput limit in bytes per second. ``write_bytes_sec`` The optional ``write_bytes_sec`` element is the write throughput limit in bytes per second. ``total_iops_sec`` The optional ``total_iops_sec`` element is the total I/O operations per second. This cannot appear with ``read_iops_sec`` or ``write_iops_sec``. ``read_iops_sec`` The optional ``read_iops_sec`` element is the read I/O operations per second. ``write_iops_sec`` The optional ``write_iops_sec`` element is the write I/O operations per second. ``total_bytes_sec_max`` The optional ``total_bytes_sec_max`` element is the maximum total throughput limit in bytes per second. This cannot appear with ``read_bytes_sec_max`` or ``write_bytes_sec_max``. ``read_bytes_sec_max`` The optional ``read_bytes_sec_max`` element is the maximum read throughput limit in bytes per second. ``write_bytes_sec_max`` The optional ``write_bytes_sec_max`` element is the maximum write throughput limit in bytes per second. ``total_iops_sec_max`` The optional ``total_iops_sec_max`` element is the maximum total I/O operations per second. This cannot appear with ``read_iops_sec_max`` or ``write_iops_sec_max``. ``read_iops_sec_max`` The optional ``read_iops_sec_max`` element is the maximum read I/O operations per second. ``write_iops_sec_max`` The optional ``write_iops_sec_max`` element is the maximum write I/O operations per second. ``size_iops_sec`` The optional ``size_iops_sec`` element is the size of I/O operations per second. :since:`Throughput limits since 1.2.11 and QEMU 1.7` ``group_name`` The optional ``group_name`` provides the cability to share I/O throttling quota between multiple drives. This prevents end-users from circumventing a hosting provider's throttling policy by splitting 1 large drive in N small drives and getting N times the normal throttling quota. Any name may be used. :since:`group_name since 3.0.0 and QEMU 2.4` ``total_bytes_sec_max_length`` The optional ``total_bytes_sec_max_length`` element is the maximum duration in seconds for the ``total_bytes_sec_max`` burst period. Only valid when the ``total_bytes_sec_max`` is set. ``read_bytes_sec_max_length`` The optional ``read_bytes_sec_max_length`` element is the maximum duration in seconds for the ``read_bytes_sec_max`` burst period. Only valid when the ``read_bytes_sec_max`` is set. ``write_bytes_sec_max`` The optional ``write_bytes_sec_max_length`` element is the maximum duration in seconds for the ``write_bytes_sec_max`` burst period. Only valid when the ``write_bytes_sec_max`` is set. ``total_iops_sec_max_length`` The optional ``total_iops_sec_max_length`` element is the maximum duration in seconds for the ``total_iops_sec_max`` burst period. Only valid when the ``total_iops_sec_max`` is set. ``read_iops_sec_max_length`` The optional ``read_iops_sec_max_length`` element is the maximum duration in seconds for the ``read_iops_sec_max`` burst period. Only valid when the ``read_iops_sec_max`` is set. ``write_iops_sec_max`` The optional ``write_iops_sec_max_length`` element is the maximum duration in seconds for the ``write_iops_sec_max`` burst period. Only valid when the ``write_iops_sec_max`` is set. :since:`Throughput length since 2.4.0 and QEMU 2.6` ``driver`` The optional driver element allows specifying further details related to the hypervisor driver used to provide the disk. :since:`Since 0.1.8` - If the hypervisor supports multiple backend drivers, then the ``name`` attribute selects the primary backend driver name, while the optional ``type`` attribute provides the sub-type. For example, xen supports a name of "tap", "tap2", "phy", or "file", with a type of "aio", while qemu only supports a name of "qemu", but multiple types including "raw", "bochs", "qcow2", and "qed". - The optional ``cache`` attribute controls the cache mechanism, possible values are "default", "none", "writethrough", "writeback", "directsync" (like "writethrough", but it bypasses the host page cache) and "unsafe" (host may cache all disk io, and sync requests from guest are ignored). :since:`Since 0.6.0, "directsync" since 0.9.5, "unsafe" since 0.9.7` - The optional ``error_policy`` attribute controls how the hypervisor will behave on a disk read or write error, possible values are "stop", "report", "ignore", and "enospace". :since:`Since 0.8.0, "report" since 0.9.7` The default is left to the discretion of the hypervisor. There is also an optional ``rerror_policy`` that controls behavior for read errors only. :since:`Since 0.9.7` . If no rerror_policy is given, error_policy is used for both read and write errors. If rerror_policy is given, it overrides the ``error_policy`` for read errors. Also note that "enospace" is not a valid policy for read errors, so if ``error_policy`` is set to "enospace" and no ``rerror_policy`` is given, the read error policy will be left at its default. - The optional ``io`` attribute controls specific policies on I/O; qemu guests support "threads" and "native" :since:`Since 0.8.8` , io_uring :since:`Since 6.3.0 (QEMU 5.0)` . - The optional ``ioeventfd`` attribute allows users to set `domain I/O asynchronous handling `__ for disk device. The default is left to the discretion of the hypervisor. Accepted values are "on" and "off". Enabling this allows qemu to execute VM while a separate thread handles I/O. Typically guests experiencing high system CPU utilization during I/O will benefit from this. On the other hand, on overloaded host it could increase guest I/O latency. :since:`Since 0.9.3 (QEMU and KVM only)` **In general you should leave this option alone, unless you are very certain you know what you are doing.** - The optional ``event_idx`` attribute controls some aspects of device event processing. The value can be either 'on' or 'off' - if it is on, it will reduce the number of interrupts and exits for the guest. The default is determined by QEMU; usually if the feature is supported, default is on. In case there is a situation where this behavior is suboptimal, this attribute provides a way to force the feature off. :since:`Since 0.9.5 (QEMU and KVM only)` **In general you should leave this option alone, unless you are very certain you know what you are doing.** - The optional ``copy_on_read`` attribute controls whether to copy read backing file into the image file. The value can be either "on" or "off". Copy-on-read avoids accessing the same backing file sectors repeatedly and is useful when the backing file is over a slow network. By default copy-on-read is off. :since:`Since 0.9.10 (QEMU and KVM only)` - The optional ``discard`` attribute controls whether discard requests (also known as "trim" or "unmap") are ignored or passed to the filesystem. The value can be either "unmap" (allow the discard request to be passed) or "ignore" (ignore the discard request). :since:`Since 1.0.6 (QEMU and KVM only)` - The optional ``detect_zeroes`` attribute controls whether to detect zero write requests. The value can be "off", "on" or "unmap". First two values turn the detection off and on, respectively. The third value ("unmap") turns the detection on and additionally tries to discard such areas from the image based on the value of ``discard`` above (it will act as "on" if ``discard`` is set to "ignore"). NB enabling the detection is a compute intensive operation, but can save file space and/or time on slow media. :since:`Since 2.0.0` - The optional ``iothread`` attribute assigns the disk to an IOThread as defined by the range for the domain `iothreads <#elementsIOThreadsAllocation>`__ value. Multiple disks may be assigned to the same IOThread and are numbered from 1 to the domain iothreads value. Available for a disk device ``target`` configured to use "virtio" ``bus`` and "pci" or "ccw" ``address`` types. :since:`Since 1.2.8 (QEMU 2.1)` - The optional ``queues`` attribute specifies the number of virt queues for virtio-blk. ( :since:`Since 3.9.0` ) - For virtio disks, `Virtio-specific options <#elementsVirtio>`__ can also be set. ( :since:`Since 3.5.0` ) - The optional ``metadata_cache`` subelement controls aspects related to the format specific caching of storage image metadata. Note that this setting applies only on the top level image; the identically named subelement of ``backingStore``'s ``format`` element can be used to specify cache settings for the backing image. :since:`Since 7.0.0` the maximum size of the metadata cache of ``qcow2`` format driver of the ``qemu`` hypervisor can be controlled via the ``max_size`` subelement (see example below). In the majority of cases the default configuration used by the hypervisor is sufficient so modifying this setting should not be necessary. For specifics on how the metadata cache of ``qcow2`` in ``qemu`` behaves refer to the ``qemu`` `qcow2 cache docs `__ **Example:** :: 1234 1234 ``backenddomain`` The optional ``backenddomain`` element allows specifying a backend domain (aka driver domain) hosting the disk. Use the ``name`` attribute to specify the backend domain name. :since:`Since 1.2.13 (Xen only)` ``boot`` Specifies that the disk is bootable. The ``order`` attribute determines the order in which devices will be tried during boot sequence. On the S390 architecture only the first boot device is used. The optional ``loadparm`` attribute is an 8 character string which can be queried by guests on S390 via sclp or diag 308. Linux guests on S390 can use ``loadparm`` to select a boot entry. :since:`Since 3.5.0` The per-device ``boot`` elements cannot be used together with general boot elements in `BIOS bootloader <#elementsOSBIOS>`__ section. :since:`Since 0.8.8` ``encryption`` Starting with :since:`libvirt 3.9.0` the ``encryption`` element is preferred to be a sub-element of the ``source`` element. If present, specifies how the volume is encrypted using "qcow". See the `Storage Encryption `__ page for more information. ``readonly`` If present, this indicates the device cannot be modified by the guest. For now, this is the default for disks with attribute ``device='cdrom'``. ``shareable`` If present, this indicates the device is expected to be shared between domains (assuming the hypervisor and OS support this), which means that caching should be deactivated for that device. ``transient`` If present, this indicates that changes to the device contents should be reverted automatically when the guest exits. With some hypervisors, marking a disk transient prevents the domain from participating in migration, snapshots, or blockjobs. Only supported in vmx hypervisor (:since:`Since 0.9.5`) and ``qemu`` hypervisor (:since:`Since 6.9.0`). ``serial`` If present, this specify serial number of virtual hard drive. For example, it may look like ``WD-WMAP9A966149``. Not supported for scsi-block devices, that is those using disk ``type`` 'block' using ``device`` 'lun' on ``bus`` 'scsi'. :since:`Since 0.7.1` ``wwn`` If present, this element specifies the WWN (World Wide Name) of a virtual hard disk or CD-ROM drive. It must be composed of 16 hexadecimal digits. :since:`Since 0.10.1` ``vendor`` If present, this element specifies the vendor of a virtual hard disk or CD-ROM device. It must not be longer than 8 printable characters. :since:`Since 1.0.1` ``product`` If present, this element specifies the product of a virtual hard disk or CD-ROM device. It must not be longer than 16 printable characters. :since:`Since 1.0.1` ``address`` If present, the ``address`` element ties the disk to a given slot of a controller (the actual ```` device can often be inferred by libvirt, although it can be `explicitly specified <#elementsControllers>`__). The ``type`` attribute is mandatory, and is typically "pci" or "drive". For a "pci" controller, additional attributes for ``bus``, ``slot``, and ``function`` must be present, as well as optional ``domain`` and ``multifunction``. Multifunction defaults to 'off'; any other value requires QEMU 0.1.3 and :since:`libvirt 0.9.7` . For a "drive" controller, additional attributes ``controller``, ``bus``, ``target`` ( :since:`libvirt 0.9.11` ), and ``unit`` are available, each defaulting to 0. ``auth`` Starting with :since:`libvirt 3.9.0` the ``auth`` element is preferred to be a sub-element of the ``source`` element. The element is still read and managed as a ``disk`` sub-element. It is invalid to use ``auth`` as both a sub-element of ``disk`` and ``source``. The ``auth`` element was introduced as a ``disk`` sub-element in :since:`libvirt 0.9.7.` ``geometry`` The optional ``geometry`` element provides the ability to override geometry settings. This mostly useful for S390 DASD-disks or older DOS-disks. :since:`0.10.0` ``cyls`` The ``cyls`` attribute is the number of cylinders. ``heads`` The ``heads`` attribute is the number of heads. ``secs`` The ``secs`` attribute is the number of sectors per track. ``trans`` The optional ``trans`` attribute is the BIOS-Translation-Modus (none, lba or auto) ``blockio`` If present, the ``blockio`` element allows to override any of the block device properties listed below. :since:`Since 0.10.2 (QEMU and KVM)` ``logical_block_size`` The logical block size the disk will report to the guest OS. For Linux this would be the value returned by the BLKSSZGET ioctl and describes the smallest units for disk I/O. ``physical_block_size`` The physical block size the disk will report to the guest OS. For Linux this would be the value returned by the BLKPBSZGET ioctl and describes the disk's hardware sector size which can be relevant for the alignment of disk data. :anchor:`` Filesystems ~~~~~~~~~~~ A directory on the host that can be accessed directly from the guest. :since:`since 0.3.3, since 0.8.5 for QEMU/KVM` :: ... ... ... ``filesystem`` The filesystem attribute ``type`` specifies the type of the ``source``. The possible values are: ``mount`` A host directory to mount in the guest. Used by LXC, OpenVZ :since:`(since 0.6.2)` and QEMU/KVM :since:`(since 0.8.5)` . This is the default ``type`` if one is not specified. This mode also has an optional sub-element ``driver``, with an attribute ``type='path'`` or ``type='handle'`` :since:`(since 0.9.7)` . The driver block has an optional attribute ``wrpolicy`` that further controls interaction with the host page cache; omitting the attribute gives default behavior, while the value ``immediate`` means that a host writeback is immediately triggered for all pages touched during a guest file write operation :since:`(since 0.9.10)` . :since:`Since 6.2.0` , ``type='virtiofs'`` is also supported. Using virtiofs requires setting up shared memory, see the guide: `Virtio-FS `__ ``template`` OpenVZ filesystem template. Only used by OpenVZ driver. ``file`` A host file will be treated as an image and mounted in the guest. The filesystem format will be autodetected. Only used by LXC driver. ``block`` A host block device to mount in the guest. The filesystem format will be autodetected. Only used by LXC driver :since:`(since 0.9.5)` . ``ram`` An in-memory filesystem, using memory from the host OS. The source element has a single attribute ``usage`` which gives the memory usage limit in KiB, unless units are specified by the ``units`` attribute. Only used by LXC driver. :since:`(since 0.9.13)` ``bind`` A directory inside the guest will be bound to another directory inside the guest. Only used by LXC driver :since:`(since 0.9.13)` The filesystem element has an optional attribute ``accessmode`` which specifies the security mode for accessing the source :since:`(since 0.8.5)` . Currently this only works with ``type='mount'`` for the QEMU/KVM driver. For driver type ``virtiofs``, only ``passthrough`` is supported. For other driver types, the possible values are: ``passthrough`` The ``source`` is accessed with the permissions of the user inside the guest. This is the default ``accessmode`` if one is not specified. `More info `__ ``mapped`` The ``source`` is accessed with the permissions of the hypervisor (QEMU process). `More info `__ ``squash`` Similar to 'passthrough', the exception is that failure of privileged operations like 'chown' are ignored. This makes a passthrough-like mode usable for people who run the hypervisor as non-root. `More info `__ :since:`Since 5.2.0` , the filesystem element has an optional attribute ``model`` with supported values "virtio-transitional", "virtio-non-transitional", or "virtio". See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. The filesystem element has optional attributes ``fmode`` and ``dmode``. These two attributes control the creation mode for files and directories when used with the ``mapped`` value for ``accessmode`` (:since:`since 6.10.0, requires QEMU 2.10` ). If not specified, QEMU creates files with mode ``600`` and directories with mode ``700``. The setuid, setgid, and sticky bit are unsupported. The filesystem element has an optional attribute ``multidevs`` which specifies how to deal with a filesystem export containing more than one device, in order to avoid file ID collisions on guest when using 9pfs ( :since:`since 6.3.0, requires QEMU 4.2` ). This attribute is not available for virtiofs. The possible values are: ``default`` Use QEMU's default setting (which currently is ``warn``). ``remap`` This setting allows guest to access multiple devices per export without encountering misbehaviours. Inode numbers from host are automatically remapped on guest to actively prevent file ID collisions if guest accesses one export containing multiple devices. ``forbid`` Only allow to access one device per export by guest. Attempts to access additional devices on the same export will cause the individual filesystem access by guest to fail with an error and being logged (once) as error on host side. ``warn`` This setting resembles the behaviour of 9pfs prior to QEMU 4.2, that is no action is performed to prevent any potential file ID collisions if an export contains multiple devices, with the only exception: a warning is logged (once) on host side now. This setting may lead to misbehaviours on guest side if more than one device is exported per export, due to the potential file ID collisions this may cause on guest side in that case. ``driver`` The optional driver element allows specifying further details related to the hypervisor driver used to provide the filesystem. :since:`Since 1.0.6` - If the hypervisor supports multiple backend drivers, then the ``type`` attribute selects the primary backend driver name, while the ``format`` attribute provides the format type. For example, LXC supports a type of "loop", with a format of "raw" or "nbd" with any format. QEMU supports a type of "path" or "handle", but no formats. Virtuozzo driver supports a type of "ploop" with a format of "ploop". - For virtio-backed devices, `Virtio-specific options <#elementsVirtio>`__ can also be set. ( :since:`Since 3.5.0` ) - For ``virtiofs``, the ``queue`` attribute can be used to specify the queue size (i.e. how many requests can the queue fit). ( :since:`Since 6.2.0` ) ``binary`` The optional ``binary`` element can tune the options for virtiofsd. All of the following attributes and elements are optional. The attribute ``path`` can be used to override the path to the daemon. Attribute ``xattr`` enables the use of filesystem extended attributes. Caching can be tuned via the ``cache`` element, possible ``mode`` values being ``none`` and ``always``. Locking can be controlled via the ``lock`` element - attributes ``posix`` and ``flock`` both accepting values ``on`` or ``off``. ( :since:`Since 6.2.0` ) ``source`` The resource on the host that is being accessed in the guest. The ``name`` attribute must be used with ``type='template'``, and the ``dir`` attribute must be used with ``type='mount'``. The ``usage`` attribute is used with ``type='ram'`` to set the memory limit in KiB, unless units are specified by the ``units`` attribute. ``target`` Where the ``source`` can be accessed in the guest. For most drivers this is an automatic mount point, but for QEMU/KVM this is merely an arbitrary string tag that is exported to the guest as a hint for where to mount. ``readonly`` Enables exporting filesystem as a readonly mount for guest, by default read-write access is given (currently only works for QEMU/KVM driver). ``space_hard_limit`` Maximum space available to this guest's filesystem. :since:`Since 0.9.13` ``space_soft_limit`` Maximum space available to this guest's filesystem. The container is permitted to exceed its soft limits for a grace period of time. Afterwards the hard limit is enforced. :since:`Since 0.9.13` :anchor:`` Device Addresses ~~~~~~~~~~~~~~~~ Many devices have an optional ``
`` sub-element to describe where the device is placed on the virtual bus presented to the guest. If an address (or any optional attribute within an address) is omitted on input, libvirt will generate an appropriate address; but an explicit address is required if more control over layout is required. See below for device examples including an address element. Every address has a mandatory attribute ``type`` that describes which bus the device is on. The choice of which address to use for a given device is constrained in part by the device and the architecture of the guest. For example, a ```` device uses ``type='drive'``, while a ```` device would use ``type='pci'`` on i686 or x86_64 guests, or ``type='spapr-vio'`` on PowerPC64 pseries guests. Each address type has further optional attributes that control where on the bus the device will be placed: ``pci`` PCI addresses have the following additional attributes: ``domain`` (a 2-byte hex integer, not currently used by qemu), ``bus`` (a hex value between 0 and 0xff, inclusive), ``slot`` (a hex value between 0x0 and 0x1f, inclusive), and ``function`` (a value between 0 and 7, inclusive). Also available is the ``multifunction`` attribute, which controls turning on the multifunction bit for a particular slot/function in the PCI control register ( :since:`since 0.9.7, requires QEMU 0.13` ). ``multifunction`` defaults to 'off', but should be set to 'on' for function 0 of a slot that will have multiple functions used. ( :since:`Since 4.10.0` ), PCI address extensions depending on the architecture are supported. For example, PCI addresses for S390 guests will have a ``zpci`` child element, with two attributes: ``uid`` (a hex value between 0x0001 and 0xffff, inclusive), and ``fid`` (a hex value between 0x00000000 and 0xffffffff, inclusive) used by PCI devices on S390 for User-defined Identifiers and Function Identifiers. :since:`Since 1.3.5` , some hypervisor drivers may accept an ``
`` element with no other attributes as an explicit request to assign a PCI address for the device rather than some other type of address that may also be appropriate for that same device (e.g. virtio-mmio). The relationship between the PCI addresses configured in the domain XML and those seen by the guest OS can sometime seem confusing: a separate document describes `how PCI addresses work `__ in more detail. ``drive`` Drive addresses have the following additional attributes: ``controller`` (a 2-digit controller number), ``bus`` (a 2-digit bus number), ``target`` (a 2-digit target number), and ``unit`` (a 2-digit unit number on the bus). ``virtio-serial`` Each virtio-serial address has the following additional attributes: ``controller`` (a 2-digit controller number), ``bus`` (a 2-digit bus number), and ``slot`` (a 2-digit slot within the bus). ``ccid`` A CCID address, for smart-cards, has the following additional attributes: ``bus`` (a 2-digit bus number), and ``slot`` attribute (a 2-digit slot within the bus). :since:`Since 0.8.8.` ``usb`` USB addresses have the following additional attributes: ``bus`` (a hex value between 0 and 0xfff, inclusive), and ``port`` (a dotted notation of up to four octets, such as 1.2 or 2.1.3.1). ``spapr-vio`` On PowerPC pseries guests, devices can be assigned to the SPAPR-VIO bus. It has a flat 32-bit address space; by convention, devices are generally assigned at a non-zero multiple of 0x00001000, but other addresses are valid and permitted by libvirt. Each address has the following additional attribute: ``reg`` (the hex value address of the starting register). :since:`Since 0.9.9.` ``ccw`` S390 guests with a ``machine`` value of s390-ccw-virtio use the native CCW bus for I/O devices. CCW bus addresses have the following additional attributes: ``cssid`` (a hex value between 0 and 0xfe, inclusive), ``ssid`` (a value between 0 and 3, inclusive) and ``devno`` (a hex value between 0 and 0xffff, inclusive). Partially specified bus addresses are not allowed. If omitted, libvirt will assign a free bus address with cssid=0xfe and ssid=0. Virtio-ccw devices must have their cssid set to 0xfe. :since:`Since 1.0.4` ``virtio-mmio`` This places the device on the virtio-mmio transport, which is currently only available for some ``armv7l`` and ``aarch64`` virtual machines. virtio-mmio addresses do not have any additional attributes. :since:`Since 1.1.3` If the guest architecture is ``aarch64`` and the machine type is ``virt``, libvirt will automatically assign PCI addresses to devices; however, the presence of a single device with virtio-mmio address in the guest configuration will cause libvirt to assign virtio-mmio addresses to all further devices. :since:`Since 3.0.0` ``isa`` ISA addresses have the following additional attributes: ``iobase`` and ``irq``. :since:`Since 1.2.1` ``unassigned`` For PCI hostdevs, ``
`` allows the admin to include a PCI hostdev in the domain XML definition, without making it available for the guest. This allows for configurations in which Libvirt manages the device as a regular PCI hostdev, regardless of whether the guest will have access to it. ``
`` is an invalid address type for all other device types. :since:`Since 6.0.0` :anchor:`` Virtio-related options ~~~~~~~~~~~~~~~~~~~~~~ QEMU's virtio devices have some attributes related to the virtio transport under the ``driver`` element: The ``iommu`` attribute enables the use of emulated IOMMU by the device. The attribute ``ats`` controls the Address Translation Service support for PCIe devices. This is needed to make use of IOTLB support (see `IOMMU device <#elementsIommu>`__). Possible values are ``on`` or ``off``. :since:`Since 3.5.0` The attribute ``packed`` controls if QEMU should try to use packed virtqueues. Compared to regular split queues, packed queues consist of only a single descriptor ring replacing available and used ring, index and descriptor buffer. This can result in better cache utilization and performance. If packed virtqueues are actually used depends on the feature negotiation between QEMU, vhost backends and guest drivers. Possible values are ``on`` or ``off``. :since:`Since 6.3.0 (QEMU and KVM only)` :anchor:`` Virtio transitional devices ~~~~~~~~~~~~~~~~~~~~~~~~~~~ :since:`Since 5.2.0` , some of QEMU's virtio devices, when used with PCI/PCIe machine types, accept the following ``model`` values: ``virtio-transitional`` This device can work both with virtio 0.9 and virtio 1.0 guest drivers, so it's the best choice when compatibility with older guest operating systems is desired. libvirt will plug the device into a conventional PCI slot. ``virtio-non-transitional`` This device can only work with virtio 1.0 guest drivers, and it's the recommended option unless compatibility with older guest operating systems is necessary. libvirt will plug the device into either a PCI Express slot or a conventional PCI slot based on the machine type, resulting in a more optimized PCI topology. ``virtio`` This device will work like a ``virtio-non-transitional`` device when plugged into a PCI Express slot, and like a ``virtio-transitional`` device otherwise; libvirt will pick one or the other based on the machine type. This is the best choice when compatibility with libvirt versions older than 5.2.0 is necessary, but it's otherwise not recommended to use it. While the information outlined above applies to most virtio devices, there are a few exceptions: - for SCSI controllers, there is no ``virtio`` model available due to historical reasons: use ``virtio-scsi`` instead, which behaves the same as ``virtio`` does for other devices. Both ``virtio-transitional`` and ``virtio-non-transitional`` work with SCSI controllers; - some devices, such as GPUs and input devices (keyboard, tablet and mouse), are only defined in the virtio 1.0 spec and as such don't have a transitional variant: the only accepted model is ``virtio``, which will result in a non-transitional device. For more details see the `qemu patch posting `__ and the `virtio-1.0 spec `__. :anchor:`` Controllers ~~~~~~~~~~~ Depending on the guest architecture, some device buses can appear more than once, with a group of virtual devices tied to a virtual controller. Normally, libvirt can automatically infer such controllers without requiring explicit XML markup, but sometimes it is necessary to provide an explicit controller element, notably when planning the `PCI topology `__ for guests where device hotplug is expected. :: ...
... ... Each controller has a mandatory attribute ``type``, which must be one of 'ide', 'fdc', 'scsi', 'sata', 'usb', 'ccid', 'virtio-serial' or 'pci', and a mandatory attribute ``index`` which is the decimal integer describing in which order the bus controller is encountered (for use in ``controller`` attributes of ``
`` elements). :since:`Since 1.3.5` the index is optional; if not specified, it will be auto-assigned to be the lowest unused index for the given controller type. Some controller types have additional attributes that control specific features, such as: ``virtio-serial`` The ``virtio-serial`` controller has two additional optional attributes ``ports`` and ``vectors``, which control how many devices can be connected through the controller. :since:`Since 5.2.0` , it supports an optional attribute ``model`` which can be 'virtio', 'virtio-transitional', or 'virtio-non-transitional'. See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. ``scsi`` A ``scsi`` controller has an optional attribute ``model``, which is one of 'auto', 'buslogic', 'ibmvscsi', 'lsilogic', 'lsisas1068', 'lsisas1078', 'virtio-scsi', 'vmpvscsi', 'virtio-transitional', 'virtio-non-transitional', 'ncr53c90' (as builtin implicit controller only), 'am53c974', 'dc390'. See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. ``usb`` A ``usb`` controller has an optional attribute ``model``, which is one of "piix3-uhci", "piix4-uhci", "ehci", "ich9-ehci1", "ich9-uhci1", "ich9-uhci2", "ich9-uhci3", "vt82c686b-uhci", "pci-ohci", "nec-xhci", "qusb1" (xen pvusb with qemu backend, version 1.1), "qusb2" (xen pvusb with qemu backend, version 2.0) or "qemu-xhci". Additionally, :since:`since 0.10.0` , if the USB bus needs to be explicitly disabled for the guest, ``model='none'`` may be used. :since:`Since 1.0.5` , no default USB controller will be built on s390. :since:`Since 1.3.5` , USB controllers accept a ``ports`` attribute to configure how many devices can be connected to the controller. ``ide`` :since:`Since 3.10.0` for the vbox driver, the ``ide`` controller has an optional attribute ``model``, which is one of "piix3", "piix4" or "ich6". ``xenbus`` :since:`Since 5.2.0` , the ``xenbus`` controller has an optional attribute ``maxGrantFrames``, which specifies the maximum number of grant frames the controller makes available for connected devices. :since:`Since 6.3.0` , the xenbus controller supports the optional ``maxEventChannels`` attribute, which specifies maximum number of event channels (PV interrupts) that can be used by the guest. Note: The PowerPC64 "spapr-vio" addresses do not have an associated controller. For controllers that are themselves devices on a PCI or USB bus, an optional sub-element ``
`` can specify the exact relationship of the controller to its master bus, with semantics `given above <#elementsAddress>`__. An optional sub-element ``driver`` can specify the driver specific options: ``queues`` The optional ``queues`` attribute specifies the number of queues for the controller. For best performance, it's recommended to specify a value matching the number of vCPUs. :since:`Since 1.0.5 (QEMU and KVM only)` ``cmd_per_lun`` The optional ``cmd_per_lun`` attribute specifies the maximum number of commands that can be queued on devices controlled by the host. :since:`Since 1.2.7 (QEMU and KVM only)` ``max_sectors`` The optional ``max_sectors`` attribute specifies the maximum amount of data in bytes that will be transferred to or from the device in a single command. The transfer length is measured in sectors, where a sector is 512 bytes. :since:`Since 1.2.7 (QEMU and KVM only)` ``ioeventfd`` The optional ``ioeventfd`` attribute specifies whether the controller should use `I/O asynchronous handling `__ or not. Accepted values are "on" and "off". :since:`Since 1.2.18` ``iothread`` Supported for controller type ``scsi`` using model ``virtio-scsi`` for ``address`` types ``pci`` and ``ccw`` :since:`since 1.3.5 (QEMU 2.4)` . The optional ``iothread`` attribute assigns the controller to an IOThread as defined by the range for the domain `iothreads <#elementsIOThreadsAllocation>`__ value. Each SCSI ``disk`` assigned to use the specified ``controller`` will utilize the same IOThread. If a specific IOThread is desired for a specific SCSI ``disk``, then multiple controllers must be defined each having a specific ``iothread`` value. The ``iothread`` value must be within the range 1 to the domain iothreads value. virtio options For virtio controllers, `Virtio-specific options <#elementsVirtio>`__ can also be set. ( :since:`Since 3.5.0` ) USB companion controllers have an optional sub-element ```` to specify the exact relationship of the companion to its master controller. A companion controller is on the same bus as its master, so the companion ``index`` value should be equal. Not all controller models can be used as companion controllers and libvirt might provide some sensible defaults (settings of ``master startport`` and ``function`` of an address) for some particular models. Preferred companion controllers are ``ich-uhci[123]``. :: ...
... ... PCI controllers have an optional ``model`` attribute; possible values for this attribute are - ``pci-root``, ``pci-bridge`` ( :since:`since 1.0.5` ) - ``pcie-root``, ``dmi-to-pci-bridge`` ( :since:`since 1.1.2` ) - ``pcie-root-port``, ``pcie-switch-upstream-port``, ``pcie-switch-downstream-port`` ( :since:`since 1.2.19` ) - ``pci-expander-bus``, ``pcie-expander-bus`` ( :since:`since 1.3.4` ) - ``pcie-to-pci-bridge`` ( :since:`since 4.3.0` ) The root controllers (``pci-root`` and ``pcie-root``) have an optional ``pcihole64`` element specifying how big (in kilobytes, or in the unit specified by ``pcihole64``'s ``unit`` attribute) the 64-bit PCI hole should be. Some guests (like Windows XP or Windows Server 2003) might crash when QEMU and Seabios are recent enough to support 64-bit PCI holes, unless this is disabled (set to 0). :since:`Since 1.1.2 (QEMU only)` PCI controllers also have an optional subelement ```` with an attribute ``name``. The name attribute holds the name of the specific device that qemu is emulating (e.g. "i82801b11-bridge") rather than simply the class of device ("pcie-to-pci-bridge", "pci-bridge"), which is set in the controller element's model **attribute**. In almost all cases, you should not manually add a ```` subelement to a controller, nor should you modify one that is automatically generated by libvirt. :since:`Since 1.2.19 (QEMU only).` PCI controllers also have an optional subelement ```` with the attributes and subelements listed below. These are configurable items that 1) are visible to the guest OS so must be preserved for guest ABI compatibility, and 2) are usually left to default values or derived automatically by libvirt. In almost all cases, you should not manually add a ```` subelement to a controller, nor should you modify the values in the those that are automatically generated by libvirt. :since:`Since 1.2.19 (QEMU only).` ``chassisNr`` PCI controllers that have attribute model="pci-bridge", can also have a ``chassisNr`` attribute in the ```` subelement, which is used to control QEMU's "chassis_nr" option for the pci-bridge device (normally libvirt automatically sets this to the same value as the index attribute of the pci controller). If set, chassisNr must be between 1 and 255. ``chassis`` pcie-root-port and pcie-switch-downstream-port controllers can also have a ``chassis`` attribute in the ```` subelement, which is used to set the controller's "chassis" configuration value, which is visible to the virtual machine. If set, chassis must be between 0 and 255. ``port`` pcie-root-port and pcie-switch-downstream-port controllers can also have a ``port`` attribute in the ```` subelement, which is used to set the controller's "port" configuration value, which is visible to the virtual machine. If set, port must be between 0 and 255. ``hotplug`` pcie-root-port and pcie-switch-downstream-port controllers can also have a ``hotplug`` attribute in the ```` subelement, which is used to disable hotplug/unplug of devices on a particular controller. The default setting of ``hotplug`` is ``on``; it should be set to ``off`` to disable hotplug/unplug of devices on a particular controller. :since:`Since 6.3.0` ``busNr`` pci-expander-bus and pcie-expander-bus controllers can have an optional ``busNr`` attribute (1-254). This will be the bus number of the new bus; All bus numbers between that specified and 255 will be available only for assignment to PCI/PCIe controllers plugged into the hierarchy starting with this expander bus, and bus numbers less than the specified value will be available to the next lower expander-bus (or the root-bus if there are no lower expander buses). If you do not specify a busNumber, libvirt will find the lowest existing busNumber in all other expander buses (or use 256 if there are no others) and auto-assign the busNr of that found bus - 2, which provides one bus number for the pci-expander-bus and one for the pci-bridge that is automatically attached to it (if you plan on adding more pci-bridges to the hierarchy of the bus, you should manually set busNr to a lower value). A similar algorithm is used for automatically determining the busNr attribute for pcie-expander-bus, but since the pcie-expander-bus doesn't have any built-in pci-bridge, the 2nd bus-number is just being reserved for the pcie-root-port that must necessarily be connected to the bus in order to actually plug in an endpoint device. If you intend to plug multiple devices into a pcie-expander-bus, you must connect a pcie-switch-upstream-port to the pcie-root-port that is plugged into the pcie-expander-bus, and multiple pcie-switch-downstream-ports to the pcie-switch-upstream-port, and of course for this to work properly, you will need to decrease the pcie-expander-bus' busNr accordingly so that there are enough unused bus numbers above it to accommodate giving out one bus number for the upstream-port and one for each downstream-port (in addition to the pcie-root-port and the pcie-expander-bus itself). ``node`` Some PCI controllers (``pci-expander-bus`` for the pc machine type, ``pcie-expander-bus`` for the q35 machine type and, :since:`since 3.6.0` , ``pci-root`` for the pseries machine type) can have an optional ```` subelement within the ```` subelement, which is used to set the NUMA node reported to the guest OS for that bus - the guest OS will then know that all devices on that bus are a part of the specified NUMA node (it is up to the user of the libvirt API to attach host devices to the correct pci-expander-bus when assigning them to the domain). ``index`` pci-root controllers for pSeries guests use this attribute to record the order they will show up in the guest. :since:`Since 3.6.0` For machine types which provide an implicit PCI bus, the pci-root controller with index=0 is auto-added and required to use PCI devices. pci-root has no address. PCI bridges are auto-added if there are too many devices to fit on the one bus provided by pci-root, or a PCI bus number greater than zero was specified. PCI bridges can also be specified manually, but their addresses should only refer to PCI buses provided by already specified PCI controllers. Leaving gaps in the PCI controller indexes might lead to an invalid configuration. :: ...
... For machine types which provide an implicit PCI Express (PCIe) bus (for example, the machine types based on the Q35 chipset), the pcie-root controller with index=0 is auto-added to the domain's configuration. pcie-root has also no address, provides 31 slots (numbered 1-31) that can be used to attach PCIe or PCI devices (although libvirt will never auto-assign a PCI device to a PCIe slot, it will allow manual specification of such an assignment). Devices connected to pcie-root cannot be hotplugged. If traditional PCI devices are present in the guest configuration, a ``pcie-to-pci-bridge`` controller will automatically be added: this controller, which plugs into a ``pcie-root-port``, provides 31 usable PCI slots (1-31) with hotplug support ( :since:`since 4.3.0` ). If the QEMU binary doesn't support the corresponding device, then a ``dmi-to-pci-bridge`` controller will be added instead, usually at the defacto standard location of slot=0x1e. A dmi-to-pci-bridge controller plugs into a PCIe slot (as provided by pcie-root), and itself provides 31 standard PCI slots (which also do not support device hotplug). In order to have hot-pluggable PCI slots in the guest system, a pci-bridge controller will also be automatically created and connected to one of the slots of the auto-created dmi-to-pci-bridge controller; all guest PCI devices with addresses that are auto-determined by libvirt will be placed on this pci-bridge device. ( :since:`since 1.1.2` ). Domains with an implicit pcie-root can also add controllers with ``model='pcie-root-port'``, ``model='pcie-switch-upstream-port'``, and ``model='pcie-switch-downstream-port'``. pcie-root-port is a simple type of bridge device that can connect only to one of the 31 slots on the pcie-root bus on its upstream side, and makes a single (PCIe, hotpluggable) port available on the downstream side (at slot='0'). pcie-root-port can be used to provide a single slot to later hotplug a PCIe device (but is not itself hotpluggable - it must be in the configuration when the domain is started). ( :since:`since 1.2.19` ) pcie-switch-upstream-port is a more flexible (but also more complex) device that can only plug into a pcie-root-port or pcie-switch-downstream-port on the upstream side (and only before the domain is started - it is not hot-pluggable), and provides 32 ports on the downstream side (slot='0' - slot='31') that accept only pcie-switch-downstream-port devices; each pcie-switch-downstream-port device can only plug into a pcie-switch-upstream-port on its upstream side (again, not hot-pluggable), and on its downstream side provides a single hotpluggable pcie port that can accept any standard pci or pcie device (or another pcie-switch-upstream-port), i.e. identical in function to a pcie-root-port. ( :since:`since 1.2.19` ) :: ...
... :anchor:`` Device leases ~~~~~~~~~~~~~ When using a lock manager, it may be desirable to record device leases against a VM. The lock manager will ensure the VM won't start unless the leases can be acquired. :: ... ... somearea somekey ... ... ``lockspace`` This is an arbitrary string, identifying the lockspace within which the key is held. Lock managers may impose extra restrictions on the format, or length of the lockspace name. ``key`` This is an arbitrary string, uniquely identifying the lease to be acquired. Lock managers may impose extra restrictions on the format, or length of the key. ``target`` This is the fully qualified path of the file associated with the lockspace. The offset specifies where the lease is stored within the file. If the lock manager does not require an offset, just pass 0. :anchor:`` Host device assignment ~~~~~~~~~~~~~~~~~~~~~~ :anchor:`` USB / PCI / SCSI devices ^^^^^^^^^^^^^^^^^^^^^^^^ USB, PCI and SCSI devices attached to the host can be passed through to the guest using the ``hostdev`` element. :since:`since after 0.4.4 for USB, 0.6.0 for PCI (KVM only) and 1.0.6 for SCSI (KVM only)` : :: ... ... or: :: ...
... or: :: ...
... or: :: ...
... or: :: ... ... or: :: ...
... ``hostdev`` The ``hostdev`` element is the main container for describing host devices. For each device, the ``mode`` is always "subsystem" and the ``type`` is one of the following values with additional attributes noted. ``usb`` USB devices are detached from the host on guest startup and reattached after the guest exits or the device is hot-unplugged. ``pci`` For PCI devices, when ``managed`` is "yes" it is detached from the host before being passed on to the guest and reattached to the host after the guest exits. If ``managed`` is omitted or "no", the user is responsible to call ``virNodeDeviceDetachFlags`` (or ``virsh nodedev-detach`` before starting the guest or hot-plugging the device and ``virNodeDeviceReAttach`` (or ``virsh nodedev-reattach``) after hot-unplug or stopping the guest. ``scsi`` For SCSI devices, user is responsible to make sure the device is not used by host. If supported by the hypervisor and OS, the optional ``sgio`` ( :since:`since 1.0.6` ) attribute indicates whether unprivileged SG_IO commands are filtered for the disk. Valid settings are "filtered" or "unfiltered", where the default is "filtered". The optional ``rawio`` ( :since:`since 1.2.9` ) attribute indicates whether the lun needs the rawio capability. Valid settings are "yes" or "no". See the rawio description within the `disk <#elementsDisks>`__ section. If a disk lun in the domain already has the rawio capability, then this setting not required. ``scsi_host`` :since:`since 2.5.0` For SCSI devices, user is responsible to make sure the device is not used by host. This ``type`` passes all LUNs presented by a single HBA to the guest. :since:`Since 5.2.0,` the ``model`` attribute can be specified further with "virtio-transitional", "virtio-non-transitional", or "virtio". See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more details. ``mdev`` For mediated devices ( :since:`Since 3.2.0` ) the ``model`` attribute specifies the device API which determines how the host's vfio driver will expose the device to the guest. Currently, ``model='vfio-pci'``, ``model='vfio-ccw'`` ( :since:`Since 4.4.0` ) and ``model='vfio-ap'`` ( :since:`Since 4.9.0` ) is supported. `MDEV `__ section provides more information about mediated devices as well as how to create mediated devices on the host. :since:`Since 4.6.0 (QEMU 2.12)` an optional ``display`` attribute may be used to enable or disable support for an accelerated remote desktop backed by a mediated device (such as NVIDIA vGPU or Intel GVT-g) as an alternative to emulated `video devices <#elementsVideo>`__. This attribute is limited to ``model='vfio-pci'`` only. Supported values are either ``on`` or ``off`` (default is 'off'). It is required to use a `graphical framebuffer <#elementsGraphics>`__ in order to use this attribute, currently only supported with VNC, Spice and egl-headless graphics devices. :since:`Since version 5.10.0` , there is an optional ``ramfb`` attribute for devices with ``model='vfio-pci'``. Supported values are either ``on`` or ``off`` (default is 'off'). When enabled, this attribute provides a memory framebuffer device to the guest. This framebuffer will be used as a boot display when a vgpu device is the primary display. Note: There are also some implications on the usage of guest's address type depending on the ``model`` attribute, see the ``address`` element below. Note: The ``managed`` attribute is only used with ``type='pci'`` and is ignored by all the other device types, thus setting ``managed`` explicitly with other than a PCI device has the same effect as omitting it. Similarly, ``model`` attribute is only supported by mediated devices and ignored by all other device types. ``source`` The source element describes the device as seen from the host using the following mechanism to describe: ``usb`` The USB device can either be addressed by vendor / product id using the ``vendor`` and ``product`` elements or by the device's address on the host using the ``address`` element. :since:`Since 1.0.0` , the ``source`` element of USB devices may contain ``startupPolicy`` attribute which can be used to define policy what to do if the specified host USB device is not found. The attribute accepts the following values: ========= ===================================================================== mandatory fail if missing for any reason (the default) requisite fail if missing on boot up, drop if missing on migrate/restore/revert optional drop if missing at any start attempt ========= ===================================================================== ``pci`` PCI devices can only be described by their ``address``. :since:`Since 6.8.0 (Xen only)` , the ``source`` element of a PCI device may contain the ``writeFiltering`` attribute to control write access to the PCI configuration space. By default Xen only allows writes of known safe values to the configuration space. Setting ``writeFiltering='no'`` will allow all writes to the device's PCI configuration space. ``scsi`` SCSI devices are described by both the ``adapter`` and ``address`` elements. The ``address`` element includes a ``bus`` attribute (a 2-digit bus number), a ``target`` attribute (a 10-digit target number), and a ``unit`` attribute (a 20-digit unit number on the bus). Not all hypervisors support larger ``target`` and ``unit`` values. It is up to each hypervisor to determine the maximum value supported for the adapter. :since:`Since 1.2.8` , the ``source`` element of a SCSI device may contain the ``protocol`` attribute. When the attribute is set to "iscsi", the host device XML follows the network `disk <#elementsDisks>`__ device using the same ``name`` attribute and optionally using the ``auth`` element to provide the authentication credentials to the iSCSI server. :since:`Since 6.7.0`, the optional ``initiator`` sub-element controls the IQN of the initiator ran by the hypervisor via it's ```__ section. :since:`Since 0.8.8` for PCI devices, :since:`Since 1.0.1` for USB devices. ``rom`` The ``rom`` element is used to change how a PCI device's ROM is presented to the guest. The optional ``bar`` attribute can be set to "on" or "off", and determines whether or not the device's ROM will be visible in the guest's memory map. (In PCI documentation, the "rombar" setting controls the presence of the Base Address Register for the ROM). If no rom bar is specified, the qemu default will be used (older versions of qemu used a default of "off", while newer qemus have a default of "on"). :since:`Since 0.9.7 (QEMU and KVM only)` . The optional ``file`` attribute contains an absolute path to a binary file to be presented to the guest as the device's ROM BIOS. This can be useful, for example, to provide a PXE boot ROM for a virtual function of an sr-iov capable ethernet device (which has no boot ROMs for the VFs). :since:`Since 0.9.10 (QEMU and KVM only)` . The optional ``enabled`` attribute can be set to ``no`` to disable PCI ROM loading completely for the device; if PCI ROM loading is disabled through this attribute, attempts to tweak the loading process further using the ``bar`` or ``file`` attributes will be rejected. :since:`Since 4.3.0 (QEMU and KVM only)` . ``address`` The ``address`` element for USB devices has a ``bus`` and ``device`` attribute to specify the USB bus and device number the device appears at on the host. The values of these attributes can be given in decimal, hexadecimal (starting with 0x) or octal (starting with 0) form. For PCI devices the element carries 4 attributes allowing to designate the device as can be found with the ``lspci`` or with ``virsh nodedev-list``. For SCSI devices a 'drive' address type must be used. For mediated devices, which are software-only devices defining an allocation of resources on the physical parent device, the address type used must conform to the ``model`` attribute of element ``hostdev``, e.g. any address type other than PCI for ``vfio-pci`` device API or any address type other than CCW for ``vfio-ccw`` device API will result in an error. `See above <#elementsAddress>`__ for more details on the address element. ``driver`` PCI devices can have an optional ``driver`` subelement that specifies which backend driver to use for PCI device assignment. Use the ``name`` attribute to select either "vfio" (for the new VFIO device assignment backend, which is compatible with UEFI SecureBoot) or "kvm" (the legacy device assignment handled directly by the KVM kernel module) :since:`Since 1.0.5 (QEMU and KVM only, requires kernel 3.6 or newer)` . When specified, device assignment will fail if the requested method of device assignment isn't available on the host. When not specified, the default is "vfio" on systems where the VFIO driver is available and loaded, and "kvm" on older systems, or those where the VFIO driver hasn't been loaded :since:`Since 1.1.3` (prior to that the default was always "kvm"). ``readonly`` Indicates that the device is readonly, only supported by SCSI host device now. :since:`Since 1.0.6 (QEMU and KVM only)` ``shareable`` If present, this indicates the device is expected to be shared between domains (assuming the hypervisor and OS support this). Only supported by SCSI host device. :since:`Since 1.0.6` Note: Although ``shareable`` was introduced :since:`in 1.0.6` , it did not work as as expected until :since:`1.2.2` . :anchor:`` Block / character devices ^^^^^^^^^^^^^^^^^^^^^^^^^ Block / character devices from the host can be passed through to the guest using the ``hostdev`` element. This is only possible with container based virtualization. Devices are specified by a fully qualified path. :since:`since after 1.0.1 for LXC` : :: ... /dev/sdf1 ... :: ... /dev/input/event3 ... :: ... eth0 ... ``hostdev`` The ``hostdev`` element is the main container for describing host devices. For block/character device passthrough ``mode`` is always "capabilities" and ``type`` is "storage" for a block device, "misc" for a character device and "net" for a host network interface. ``source`` The source element describes the device as seen from the host. For block devices, the path to the block device in the host OS is provided in the nested "block" element, while for character devices the "char" element is used. For network interfaces, the name of the interface is provided in the "interface" element. :anchor:`` Redirected devices ~~~~~~~~~~~~~~~~~~ USB device redirection through a character device is supported :since:`since after 0.9.5 (KVM only)` : :: ... ... ``redirdev`` The ``redirdev`` element is the main container for describing redirected devices. ``bus`` must be "usb" for a USB device. An additional attribute ``type`` is required, matching one of the supported `serial device <#elementsConsole>`__ types, to describe the host side of the tunnel; ``type='tcp'`` or ``type='spicevmc'`` (which uses the usbredir channel of a `SPICE graphics device <#elementsGraphics>`__) are typical. The redirdev element has an optional sub-element ``
`` which can tie the device to a particular controller. Further sub-elements, such as ````, may be required according to the given type, although a ```` sub-element is not required (since the consumer of the character device is the hypervisor itself, rather than a device visible in the guest). ``boot`` Specifies that the device is bootable. The ``order`` attribute determines the order in which devices will be tried during boot sequence. The per-device ``boot`` elements cannot be used together with general boot elements in `BIOS bootloader <#elementsOSBIOS>`__ section. ( :since:`Since 1.0.1` ) ``redirfilter`` The\ ``redirfilter``\ element is used for creating the filter rule to filter out certain devices from redirection. It uses sub-element ```` to define each filter rule. ``class`` attribute is the USB Class code, for example, 0x08 represents mass storage devices. The USB device can be addressed by vendor / product id using the ``vendor`` and ``product`` attributes. ``version`` is the device revision from the bcdDevice field (not the version of the USB protocol). These four attributes are optional and ``-1`` can be used to allow any value for them. ``allow`` attribute is mandatory, 'yes' means allow, 'no' for deny. :anchor:`` Smartcard devices ~~~~~~~~~~~~~~~~~ A virtual smartcard device can be supplied to the guest via the ``smartcard`` element. A USB smartcard reader device on the host cannot be used on a guest with simple device passthrough, since it will then not be available on the host, possibly locking the host computer when it is "removed". Therefore, some hypervisors provide a specialized virtual device that can present a smartcard interface to the guest, with several modes for describing how credentials are obtained from the host or even a from a channel created to a third-party smartcard provider. :since:`Since 0.8.8` :: ... cert1 cert2 cert3 /etc/pki/nssdb/
... The ```` element has a mandatory attribute ``mode``. The following modes are supported; in each mode, the guest sees a device on its USB bus that behaves like a physical USB CCID (Chip/Smart Card Interface Device) card. ``host`` The simplest operation, where the hypervisor relays all requests from the guest into direct access to the host's smartcard via NSS. No other attributes or sub-elements are required. See below about the use of an optional ``
`` sub-element. ``host-certificates`` Rather than requiring a smartcard to be plugged into the host, it is possible to provide three NSS certificate names residing in a database on the host. These certificates can be generated via the command ``certutil -d /etc/pki/nssdb -x -t CT,CT,CT -S -s CN=cert1 -n cert1``, and the resulting three certificate names must be supplied as the content of each of three ```` sub-elements. An additional sub-element ```` can specify the absolute path to an alternate directory (matching the ``-d`` option of the ``certutil`` command when creating the certificates); if not present, it defaults to /etc/pki/nssdb. ``passthrough`` Rather than having the hypervisor directly communicate with the host, it is possible to tunnel all requests through a secondary character device to a third-party provider (which may in turn be talking to a smartcard or using three certificate files). In this mode of operation, an additional attribute ``type`` is required, matching one of the supported `serial device <#elementsConsole>`__ types, to describe the host side of the tunnel; ``type='tcp'`` or ``type='spicevmc'`` (which uses the smartcard channel of a `SPICE graphics device <#elementsGraphics>`__) are typical. Further sub-elements, such as ````, may be required according to the given type, although a ```` sub-element is not required (since the consumer of the character device is the hypervisor itself, rather than a device visible in the guest). Each mode supports an optional sub-element ``
``, which fine-tunes the correlation between the smartcard and a ccid bus controller, `documented above <#elementsAddress>`__. For now, qemu only supports at most one smartcard, with an address of bus=0 slot=0. :anchor:`` Network interfaces ~~~~~~~~~~~~~~~~~~ :: ... ... There are several possibilities for specifying a network interface visible to the guest. Each subsection below provides more details about common setup options. :since:`Since 1.2.10` ), the ``interface`` element property ``trustGuestRxFilters`` provides the capability for the host to detect and trust reports from the guest regarding changes to the interface mac address and receive filters by setting the attribute to ``yes``. The default setting for the attribute is ``no`` for security reasons and support depends on the guest network device model as well as the type of connection on the host - currently it is only supported for the virtio device model and for macvtap connections on the host. Each ```` element has an optional ``
`` sub-element that can tie the interface to a particular pci slot, with attribute ``type='pci'`` as `documented above <#elementsAddress>`__. :since:`Since 6.6.0` , one can force libvirt to keep the provided MAC address when it's in the reserved VMware range by adding a ``type="static"`` attribute to the ```` element. Note that this attribute is useless if the provided MAC address is outside of the reserved VMWare ranges. :since:`Since 7.3.0`, one can set the ACPI index against network interfaces. With some operating systems (eg Linux with systemd), the ACPI index is used to provide network interface device naming, that is stable across changes in PCI addresses assigned to the device. This value is required to be unique across all devices and be between 1 and (16*1024-1). :anchor:`` Virtual network ^^^^^^^^^^^^^^^ **This is the recommended config for general guest connectivity on hosts with dynamic / wireless networking configs.** (or multi-host environments where the host hardware details are described separately in a ```` definition :since:`Since 0.9.4` ). Provides a connection whose details are described by the named network definition. Depending on the virtual network's "forward mode" configuration, the network may be totally isolated (no ```` element given), NAT'ing to an explicit network device or to the default route (````), routed with no NAT (````), or connected directly to one of the host's network interfaces (via macvtap) or bridge devices ((```` :since:`Since 0.9.4` ) For networks with a forward mode of bridge, private, vepa, and passthrough, it is assumed that the host has any necessary DNS and DHCP services already setup outside the scope of libvirt. In the case of isolated, nat, and routed networks, DHCP and DNS are provided on the virtual network by libvirt, and the IP range can be determined by examining the virtual network config with '``virsh net-dumpxml [networkname]``'. There is one virtual network called 'default' setup out of the box which does NAT'ing to the default route and has an IP range of ``192.168.122.0/255.255.255.0``. Each guest will have an associated tun device created with a name of vnetN, which can also be overridden with the element (see `overriding the target element <#elementsNICSTargetOverride>`__). When the source of an interface is a network, a ``portgroup`` can be specified along with the name of the network; one network may have multiple portgroups defined, with each portgroup containing slightly different configuration information for different classes of network connections. :since:`Since 0.9.4` . When a guest is running an interface of type ``network`` may include a ``portid`` attribute. This provides the UUID of an associated virNetworkPortPtr object that records the association between the domain interface and the network. This attribute is read-only since port objects are create and deleted automatically during startup and shutdown. :since:`Since 5.1.0` Also, similar to ``direct`` network connections (described below), a connection of type ``network`` may specify a ``virtualport`` element, with configuration data to be forwarded to a vepa (802.1Qbg) or 802.1Qbh compliant switch ( :since:`Since 0.8.2` ), or to an Open vSwitch virtual switch ( :since:`Since 0.9.11` ). Since the actual type of switch may vary depending on the configuration in the ```` on the host, it is acceptable to omit the virtualport ``type`` attribute, and specify attributes from multiple different virtualport types (and also to leave out certain attributes); at domain startup time, a complete ```` element will be constructed by merging together the type and attributes defined in the network and the portgroup referenced by the interface. The newly-constructed virtualport is a combination of them. The attributes from lower virtualport can't make change on the ones defined in higher virtualport. Interface takes the highest priority, portgroup is lowest priority. ( :since:`Since 0.10.0` ). For example, in order to work properly with both an 802.1Qbh switch and an Open vSwitch switch, you may choose to specify no type, but both a ``profileid`` (in case the switch is 802.1Qbh) and an ``interfaceid`` (in case the switch is Open vSwitch) (you may also omit the other attributes, such as managerid, typeid, or profileid, to be filled in from the network's ````). If you want to limit a guest to connecting only to certain types of switches, you can specify the virtualport type, but still omit some/all of the parameters - in this case if the host's network has a different type of virtualport, connection of the interface will fail. :: ... ... ... :anchor:`` Bridge to LAN ^^^^^^^^^^^^^ **This is the recommended config for general guest connectivity on hosts with static wired networking configs.** Provides a bridge from the VM directly to the LAN. This assumes there is a bridge device on the host which has one or more of the hosts physical NICs attached. The guest VM will have an associated tun device created with a name of vnetN, which can also be overridden with the element (see `overriding the target element <#elementsNICSTargetOverride>`__). The tun device will be attached to the bridge. The IP range / network configuration is whatever is used on the LAN. This provides the guest VM full incoming & outgoing net access just like a physical machine. On Linux systems, the bridge device is normally a standard Linux host bridge. On hosts that support Open vSwitch, it is also possible to connect to an Open vSwitch bridge device by adding a ```` to the interface definition. ( :since:`Since 0.9.11` ). The Open vSwitch type virtualport accepts two parameters in its ```` element - an ``interfaceid`` which is a standard uuid used to uniquely identify this particular interface to Open vSwitch (if you do not specify one, a random interfaceid will be generated for you when you first define the interface), and an optional ``profileid`` which is sent to Open vSwitch as the interfaces "port-profile". :: ... ... ... ... On hosts that support Open vSwitch on the kernel side and have the Midonet Host Agent configured, it is also possible to connect to the 'midonet' bridge device by adding a ```` to the interface definition. ( :since:`Since 1.2.13` ). The Midonet virtualport type requires an ``interfaceid`` attribute in its ```` element. This interface id is the UUID that specifies which port in the virtual network topology will be bound to the interface. :: ... ... ... ... :anchor:`` Userspace SLIRP stack ^^^^^^^^^^^^^^^^^^^^^ Provides a virtual LAN with NAT to the outside world. The virtual network has DHCP & DNS services and will give the guest VM addresses starting from ``10.0.2.15``. The default router will be ``10.0.2.2`` and the DNS server will be ``10.0.2.3``. This networking is the only option for unprivileged users who need their VMs to have outgoing access. :since:`Since 3.8.0` it is possible to override the default network address by including an ``ip`` element specifying an IPv4 address in its one mandatory attribute, ``address``. Optionally, a second ``ip`` element with a ``family`` attribute set to "ipv6" can be specified to add an IPv6 address to the interface. ``address``. Optionally, address ``prefix`` can be specified. :: ... ... ... :anchor:`` Generic ethernet connection ^^^^^^^^^^^^^^^^^^^^^^^^^^^ Provides a means to use a new or existing tap device (or veth device pair, depending on the needs of the hypervisor driver) that is partially or wholly setup external to libvirt (either prior to the guest starting, or while the guest is being started via an optional script specified in the config). The name of the tap device can optionally be specified with the ``dev`` attribute of the ```` element. If no target dev is specified, libvirt will create a new standard tap device with a name of the pattern "vnetN", where "N" is replaced with a number. If a target dev is specified and that device doesn't exist, then a new standard tap device will be created with the exact dev name given. If the specified target dev does exist, then that existing device will be used. Usually some basic setup of the device is done by libvirt, including setting a MAC address, and the IFF_UP flag, but if the ``dev`` is a pre-existing device, and the ``managed`` attribute of the ``target`` element is also set to "no" (the default value is "yes"), even this basic setup will not be performed - libvirt will simply pass the device on to the hypervisor with no setup at all. :since:`Since 5.7.0` Using managed='no' with a pre-created tap device is useful because it permits a virtual machine managed by an unprivileged libvirtd to have emulated network devices based on tap devices. After creating/opening the tap device, an optional shell script (given in the ``path`` attribute of the ``