mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-29 17:15:23 +00:00
12317957ec
The QEMU integrates with the lock manager instructure in a number of key places * During startup, a lock is acquired in between the fork & exec * During startup, the libvirtd process acquires a lock before setting file labelling * During shutdown, the libvirtd process acquires a lock before restoring file labelling * During hotplug, unplug & media change the libvirtd process holds a lock while setting/restoring labels The main content lock is only ever held by the QEMU child process, or libvirtd during VM shutdown. The rest of the operations only require libvirtd to hold the metadata locks, relying on the active QEMU still holding the content lock. * src/qemu/qemu_conf.c, src/qemu/qemu_conf.h, src/qemu/libvirtd_qemu.aug, src/qemu/test_libvirtd_qemu.aug: Add config parameter for configuring lock managers * src/qemu/qemu_driver.c: Add calls to the lock manager
290 lines
9.9 KiB
Plaintext
290 lines
9.9 KiB
Plaintext
# Master configuration file for the QEMU driver.
|
|
# All settings described here are optional - if omitted, sensible
|
|
# defaults are used.
|
|
|
|
# VNC is configured to listen on 127.0.0.1 by default.
|
|
# To make it listen on all public interfaces, uncomment
|
|
# this next option.
|
|
#
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
# verification when allowing public access
|
|
#
|
|
# vnc_listen = "0.0.0.0"
|
|
|
|
# Enable this option to have VNC served over an automatically created
|
|
# unix socket. This prevents unprivileged access from users on the
|
|
# host machine, though most VNC clients do not support it.
|
|
#
|
|
# This will only be enabled for VNC configurations that do not have
|
|
# a hardcoded 'listen' or 'socket' value. This setting takes preference
|
|
# over vnc_listen.
|
|
#
|
|
# vnc_auto_unix_socket = 1
|
|
|
|
# Enable use of TLS encryption on the VNC server. This requires
|
|
# a VNC client which supports the VeNCrypt protocol extension.
|
|
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
# vnc_tls = 1
|
|
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The
|
|
# default it to keep them in /etc/pki/libvirt-vnc. This directory
|
|
# must contain
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
# server-key.pem - the server private key
|
|
#
|
|
# This option allows the certificate directory to be changed
|
|
#
|
|
# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing a x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client who does not have a
|
|
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
|
|
#
|
|
# vnc_tls_x509_verify = 1
|
|
|
|
|
|
# The default VNC password. Only 8 letters are significant for
|
|
# VNC passwords. This parameter is only used if the per-domain
|
|
# XML config does not already provide a password. To allow
|
|
# access without passwords, leave this commented out. An empty
|
|
# string will still enable passwords, but be rejected by QEMU,
|
|
# effectively preventing any use of VNC. Obviously change this
|
|
# example here before you set this.
|
|
#
|
|
# vnc_password = "XYZ12345"
|
|
|
|
|
|
# Enable use of SASL encryption on the VNC server. This requires
|
|
# a VNC client which supports the SASL protocol extension.
|
|
# Examples include vinagre, virt-viewer and virt-manager
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
#
|
|
# vnc_sasl = 1
|
|
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
# override the configs in this location. Set this parameter to
|
|
# point to the directory, and create a qemu.conf in that location
|
|
#
|
|
# vnc_sasl_dir = "/some/directory/sasl2"
|
|
|
|
|
|
|
|
# SPICE is configured to listen on 127.0.0.1 by default.
|
|
# To make it listen on all public interfaces, uncomment
|
|
# this next option.
|
|
#
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
# verification when allowing public access
|
|
#
|
|
# spice_listen = "0.0.0.0"
|
|
|
|
|
|
# Enable use of TLS encryption on the SPICE server.
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
# spice_tls = 1
|
|
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The
|
|
# default it to keep them in /etc/pki/libvirt-spice. This directory
|
|
# must contain
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
# server-key.pem - the server private key
|
|
#
|
|
# This option allows the certificate directory to be changed.
|
|
#
|
|
# spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
|
|
|
|
|
|
# The default SPICE password. This parameter is only used if the
|
|
# per-domain XML config does not already provide a password. To
|
|
# allow access without passwords, leave this commented out. An
|
|
# empty string will still enable passwords, but be rejected by
|
|
# QEMU, effectively preventing any use of SPICE. Obviously change
|
|
# this example here before you set this.
|
|
#
|
|
# spice_password = "XYZ12345"
|
|
|
|
|
|
# The default security driver is SELinux. If SELinux is disabled
|
|
# on the host, then the security driver will automatically disable
|
|
# itself. If you wish to disable QEMU SELinux security driver while
|
|
# leaving SELinux enabled for the host in general, then set this
|
|
# to 'none' instead.
|
|
#
|
|
# security_driver = "selinux"
|
|
|
|
|
|
# The user ID for QEMU processes run by the system instance.
|
|
#user = "root"
|
|
|
|
# The group ID for QEMU processes run by the system instance.
|
|
#group = "root"
|
|
|
|
# Whether libvirt should dynamically change file ownership
|
|
# to match the configured user/group above. Defaults to 1.
|
|
# Set to 0 to disable file ownership changes.
|
|
#dynamic_ownership = 1
|
|
|
|
|
|
# What cgroup controllers to make use of with QEMU guests
|
|
#
|
|
# - 'cpu' - use for schedular tunables
|
|
# - 'devices' - use for device whitelisting
|
|
# - 'memory' - use for memory tunables
|
|
#
|
|
# NB, even if configured here, they won't be used unless
|
|
# the administrator has mounted cgroups, e.g.:
|
|
#
|
|
# mkdir /dev/cgroup
|
|
# mount -t cgroup -o devices,cpu,memory none /dev/cgroup
|
|
#
|
|
# They can be mounted anywhere, and different controllers
|
|
# can be mounted in different locations. libvirt will detect
|
|
# where they are located.
|
|
#
|
|
# cgroup_controllers = [ "cpu", "devices", "memory" ]
|
|
|
|
# This is the basic set of devices allowed / required by
|
|
# all virtual machines.
|
|
#
|
|
# As well as this, any configured block backed disks,
|
|
# all sound device, and all PTY devices are allowed.
|
|
#
|
|
# This will only need setting if newer QEMU suddenly
|
|
# wants some device we don't already know about.
|
|
#
|
|
#cgroup_device_acl = [
|
|
# "/dev/null", "/dev/full", "/dev/zero",
|
|
# "/dev/random", "/dev/urandom",
|
|
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
|
|
# "/dev/rtc", "/dev/hpet",
|
|
#]
|
|
|
|
|
|
# The default format for Qemu/KVM guest save images is raw; that is, the
|
|
# memory from the domain is dumped out directly to a file. If you have
|
|
# guests with a large amount of memory, however, this can take up quite
|
|
# a bit of space. If you would like to compress the images while they
|
|
# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
|
|
# for save_image_format. Note that this means you slow down the process of
|
|
# saving a domain in order to save disk space; the list above is in descending
|
|
# order by performance and ascending order by compression ratio.
|
|
#
|
|
# save_image_format is used when you use 'virsh save' at scheduled saving.
|
|
# dump_image_format is used when you use 'virsh dump' at emergency crashdump.
|
|
#
|
|
# save_image_format = "raw"
|
|
# dump_image_format = "raw"
|
|
|
|
# When a domain is configured to be auto-dumped when libvirtd receives a
|
|
# watchdog event from qemu guest, libvirtd will save dump files in directory
|
|
# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
|
|
#
|
|
# auto_dump_path = "/var/lib/libvirt/qemu/dump"
|
|
|
|
# If provided by the host and a hugetlbfs mount point is configured,
|
|
# a guest may request huge page backing. When this mount point is
|
|
# unspecified here, determination of a host mount point in /proc/mounts
|
|
# will be attempted. Specifying an explicit mount overrides detection
|
|
# of the same in /proc/mounts. Setting the mount point to "" will
|
|
# disable guest hugepage backing.
|
|
#
|
|
# NB, within this mount point, guests will create memory backing files
|
|
# in a location of $MOUNTPOINT/libvirt/qemu
|
|
#
|
|
# hugetlbfs_mount = "/dev/hugepages"
|
|
|
|
|
|
# mac_filter enables MAC addressed based filtering on bridge ports.
|
|
# This currently requires ebtables to be installed.
|
|
#
|
|
# mac_filter = 1
|
|
|
|
|
|
# By default, PCI devices below non-ACS switch are not allowed to be assigned
|
|
# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
|
|
# be assigned to guests.
|
|
#
|
|
# relaxed_acs_check = 1
|
|
|
|
|
|
# QEMU implements an extension for providing audio over a VNC connection,
|
|
# though if your VNC client does not support it, your only chance for getting
|
|
# sound output is through regular audio backends. By default, libvirt will
|
|
# disable all QEMU sound backends if using VNC, since they can cause
|
|
# permissions issues. Enabling this option will make libvirtd honor the
|
|
# QEMU_AUDIO_DRV environment variable when using VNC.
|
|
#
|
|
# vnc_allow_host_audio = 0
|
|
|
|
|
|
# If clear_emulator_capabilities is enabled, libvirt will drop all
|
|
# privileged capabilities of the QEmu/KVM emulator. This is enabled by
|
|
# default.
|
|
#
|
|
# Warning: Disabling this option means that a compromised guest can
|
|
# exploit the privileges and possibly do damage to the host.
|
|
#
|
|
# clear_emulator_capabilities = 1
|
|
|
|
|
|
# If allow_disk_format_probing is enabled, libvirt will probe disk
|
|
# images to attempt to identify their format, when not otherwise
|
|
# specified in the XML. This is disabled by default.
|
|
#
|
|
# WARNING: Enabling probing is a security hole in almost all
|
|
# deployments. It is strongly recommended that users update their
|
|
# guest XML <disk> elements to include <driver type='XXXX'/>
|
|
# elements instead of enabling this option.
|
|
#
|
|
# allow_disk_format_probing = 1
|
|
|
|
|
|
# If enabled, libvirt will have QEMU set its process name to
|
|
# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
|
|
# process will appear as "qemu:VM_NAME" in process listings and
|
|
# other system monitoring tools. By default, QEMU does not set
|
|
# its process title, so the complete QEMU command (emulator and
|
|
# its arguments) appear in process listings.
|
|
#
|
|
# set_process_name = 1
|
|
|
|
|
|
# If max_processes is set to a positive integer, libvirt will use it to set
|
|
# maximum number of processes that can be run by qemu user. This can be used to
|
|
# override default value set by host OS.
|
|
#
|
|
# max_processes = 0
|
|
|
|
# To enable strict 'fcntl' based locking of the file
|
|
# content (to prevent two VMs writing to the same
|
|
# disk), start the 'virtlockd' service, and uncomment
|
|
# this
|
|
#
|
|
# lock_manager = "fcntl"
|