mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-24 22:55:23 +00:00
142 lines
4.0 KiB
Plaintext
142 lines
4.0 KiB
Plaintext
# Master libvirt daemon configuration file
|
|
#
|
|
# For further information consult http://libvirt.org/format.html
|
|
|
|
|
|
# Flag listening for secure TLS connections on the public TCP/IP port.
|
|
# NB, must pass the --listen flag to the libvirtd process for this to
|
|
# have any effect.
|
|
#
|
|
# It is neccessary to setup a CA and issue server certificates before
|
|
# using this capability.
|
|
#
|
|
# This is enabled by default, uncomment this to disable it
|
|
# listen_tls = 0
|
|
|
|
# Listen for unencrypted TCP connections on the public TCP/IP port.
|
|
# NB, must pass the --listen flag to the libvirtd process for this to
|
|
# have any effect.
|
|
#
|
|
# NB, this is insecure. Do not use except for development.
|
|
#
|
|
# This is disabled by default, uncomment this to enable it.
|
|
# listen_tcp = 1
|
|
|
|
|
|
|
|
# Override the port for accepting secure TLS connections
|
|
# This can be a port number, or service name
|
|
#
|
|
# tls_port = "16514"
|
|
|
|
# Override the port for accepting insecure TCP connections
|
|
# This can be a port number, or service name
|
|
#
|
|
# tcp_port = "16509"
|
|
|
|
|
|
|
|
# Flag toggling mDNS advertizement of the libvirt service.
|
|
#
|
|
# Alternatively can disable for all services on a host by
|
|
# stopping the Avahi daemon
|
|
#
|
|
# This is enabled by default, uncomment this to disable it
|
|
# mdns_adv = 0
|
|
|
|
# Override the default mDNS advertizement name. This must be
|
|
# unique on the immediate broadcast network.
|
|
#
|
|
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
|
|
# is subsituted for the short hostname of the machine (without domain)
|
|
#
|
|
# mdns_name "Virtualization Host Joe Demo"
|
|
|
|
|
|
|
|
# Set the UNIX domain socket group ownership. This can be used to
|
|
# allow a 'trusted' set of users access to management capabilities
|
|
# without becoming root.
|
|
#
|
|
# This is restricted to 'root' by default.
|
|
# unix_sock_group "libvirt"
|
|
|
|
# Set the UNIX socket permissions for the R/O socket. This is used
|
|
# for monitoring VM status only
|
|
#
|
|
# Default allows any user. If setting group ownership may want to
|
|
# restrict this to:
|
|
# unix_sock_ro_perms "0777"
|
|
|
|
# Set the UNIX socket permissions for the R/W socket. This is used
|
|
# for full management of VMs
|
|
#
|
|
# Default allows only root. If setting group ownership may want to
|
|
# relax this to:
|
|
# unix_sock_rw_perms "octal-perms" "0770"
|
|
|
|
|
|
|
|
# Flag to disable verification of client certificates
|
|
#
|
|
# Client certificate verification is the primary authentication mechanism.
|
|
# Any client which does not present a certificate signed by the CA
|
|
# will be rejected.
|
|
#
|
|
# Default is to always verify. Uncommenting this will disable
|
|
# verification - make sure an IP whitelist is set
|
|
# tls_no_verify_certificate 1
|
|
|
|
# Flag to disable verification of client IP address
|
|
#
|
|
# Client IP address will be verified against the CommonName field
|
|
# of the x509 certificate. This has minimal security benefit since
|
|
# it is easy to spoof source IP.
|
|
#
|
|
# Uncommenting this will disable verification
|
|
# tls_no_verify_address 1
|
|
|
|
# Override the default server key file path
|
|
#
|
|
# key_file "/etc/pki/libvirt/private/serverkey.pem"
|
|
|
|
# Override the default server certificate file path
|
|
#
|
|
# cert_file "/etc/pki/libvirt/servercert.pem"
|
|
|
|
# Override the default CA certificate path
|
|
#
|
|
# ca_file "/etc/pki/CA/cacert.pem"
|
|
|
|
# Specify a certificate revocation list.
|
|
#
|
|
# Defaults to not using a CRL, uncomment to enable it
|
|
# crl_file "/etc/pki/CA/crl.pem"
|
|
|
|
# A whitelist of allowed x509 Distinguished Names
|
|
# This list may contain wildcards such as
|
|
#
|
|
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
|
|
#
|
|
# See the POSIX fnmatch function for the format of the wildcards.
|
|
#
|
|
# NB If this is an empty list, no client can connect, so comment out
|
|
# entirely rather than using empty list to disable these checks
|
|
#
|
|
# By default, no DN's are checked
|
|
# tls_allowed_dn_list ["DN1", "DN2"]
|
|
|
|
|
|
# A whitelist of allowed client IP addresses
|
|
#
|
|
# This list may contain wildcards such as 192.168.* See the POSIX fnmatch
|
|
# function for the format of the wildcards.
|
|
#
|
|
# NB If this is an empty list, no client can connect, so comment out
|
|
# entirely rather than using empty list to disable these checks
|
|
#
|
|
# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
|
|
# tls_allowed_ip_list ["ip1", "ip2", "ip3"]
|
|
|
|
|