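# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
#
# Syntax used throughout this file: one "key = value" setting per line,
# string values in double quotes, list values in square brackets.
# Lines beginning with "#" are comments; every setting below is shown
# commented out with an example value.


# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is necessary to set up a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
# listen_tls = 0


# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# NB, this is insecure: traffic on this port is sent in the clear and
# the certificate checks configured by the tls_* settings below apply
# only to the TLS port. Do not use except for development, and never
# on an interface reachable from untrusted networks.
#
# This is disabled by default, uncomment this to enable it.
# listen_tcp = 1


# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
# tls_port = "16514"


# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
# tcp_port = "16509"


# Flag toggling mDNS advertisement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
# This is enabled by default, uncomment this to disable it
# mdns_adv = 0


# Override the default mDNS advertisement name. This must be
# unique on the immediate broadcast network.
#
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
# is substituted for the short hostname of the machine (without domain)
#
# mdns_name = "Virtualization Host Joe Demo"


# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root. Treat membership of this group as a
# privileged grant: it confers management access without any
# further authentication.
#
# This is restricted to 'root' by default.
# unix_sock_group = "libvirt"


# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership may want to
# restrict this to:
# unix_sock_ro_perms = "0777"


# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If setting group ownership may want to
# relax this to (value is an octal permission string):
# unix_sock_rw_perms = "0770"


# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set. Note that, as
# described under tls_no_verify_address below, source IP addresses
# are easy to spoof, so an IP whitelist is a weak substitute for
# certificate verification.
# tls_no_verify_certificate = 1


# Flag to disable verification of client IP address
#
# Client IP address will be verified against the CommonName field
# of the x509 certificate. This has minimal security benefit since
# it is easy to spoof source IP.
#
# Uncommenting this will disable verification
# tls_no_verify_address = 1


# Override the default server key file path
#
# key_file = "/etc/pki/libvirt/private/serverkey.pem"


# Override the default server certificate file path
#
# cert_file = "/etc/pki/libvirt/servercert.pem"


# Override the default CA certificate path
#
# ca_file = "/etc/pki/CA/cacert.pem"


# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it. Without a CRL
# a client certificate that has been revoked by the CA is still
# accepted until it expires.
# crl_file = "/etc/pki/CA/crl.pem"


# A whitelist of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
# In the example above "CN=*" accepts any CommonName issued under
# that organization, so keep wildcards as narrow as the deployment allows.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DNs are checked
# tls_allowed_dn_list = ["DN1", "DN2"]


# A whitelist of allowed client IP addresses
#
# This list may contain wildcards such as 192.168.* See the POSIX fnmatch
# function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no IPs are checked. This can be IPv4 or IPv6 addresses
# tls_allowed_ip_list = ["ip1", "ip2", "ip3"]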