mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-30 17:45:23 +00:00
4a3c80a668
Forgetting to use the VIR_MIGRATE_TLS flag with migration can lead to leak of sensitive information. Add an administrative knob to force use of the flag. Note that without VIR_MIGRATE_PEER2PEER, the migration is driven by an instance of the client library which doesn't necessarily run on either of the hosts so the flag can't be used to assume VIR_MIGRATE_TLS even if it wasn't provided by the user instead of rejecting if it's not. Resolves: https://gitlab.com/libvirt/libvirt/-/issues/67 Signed-off-by: Peter Krempa <pkrempa@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
925 lines
34 KiB
Plaintext
925 lines
34 KiB
Plaintext
# Master configuration file for the QEMU driver.
|
|
# All settings described here are optional - if omitted, sensible
|
|
# defaults are used.
|
|
|
|
# Use of TLS requires that x509 certificates be issued. The default is
|
|
# to keep them in /etc/pki/qemu. This directory must contain
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# server-cert.pem - the server certificate signed with ca-cert.pem
|
|
# server-key.pem - the server private key
|
|
#
|
|
# and optionally may contain
|
|
#
|
|
# dh-params.pem - the DH params configuration file
|
|
#
|
|
# If the directory does not exist, libvirtd will fail to start. If the
|
|
# directory doesn't contain the necessary files, QEMU domains will fail
|
|
# to start if they are configured to use TLS.
|
|
#
|
|
# In order to overwrite the default path alter the following. This path
|
|
# definition will be used as the default path for other *_tls_x509_cert_dir
|
|
# configuration settings if their default path does not exist or is not
|
|
# specifically set.
|
|
#
|
|
#default_tls_x509_cert_dir = "/etc/pki/qemu"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing an x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client who does not have a
|
|
# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
|
|
#
|
|
# The default_tls_x509_cert_dir directory must also contain
|
|
#
|
|
# client-cert.pem - the client certificate signed with the ca-cert.pem
|
|
# client-key.pem - the client private key
|
|
#
|
|
# If this option is supplied it provides the default for the "_verify" option
|
|
# of specific TLS users such as vnc, backups, migration, etc. The specific
|
|
# users of TLS may override this by setting the specific "_verify" option.
|
|
#
|
|
# When not supplied the specific TLS users provide their own defaults.
|
|
#
|
|
#default_tls_x509_verify = 1
|
|
|
|
#
|
|
# Libvirt assumes the server-key.pem file is unencrypted by default.
|
|
# To use an encrypted server-key.pem file, the password to decrypt
|
|
# the PEM file is required. This can be provided by creating a secret
|
|
# object in libvirt and then to uncomment this setting to set the UUID
|
|
# of the secret.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# VNC is configured to listen on 127.0.0.1 by default.
|
|
# To make it listen on all public interfaces, uncomment
|
|
# this next option.
|
|
#
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
# verification when allowing public access
|
|
#
|
|
#vnc_listen = "0.0.0.0"
|
|
|
|
# Enable this option to have VNC served over an automatically created
|
|
# unix socket. This prevents unprivileged access from users on the
|
|
# host machine, though most VNC clients do not support it.
|
|
#
|
|
# This will only be enabled for VNC configurations that have listen
|
|
# type=address but without any address specified. This setting takes
|
|
# preference over vnc_listen.
|
|
#
|
|
#vnc_auto_unix_socket = 1
|
|
|
|
# Enable use of TLS encryption on the VNC server. This requires
|
|
# a VNC client which supports the VeNCrypt protocol extension.
|
|
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
#vnc_tls = 1
|
|
|
|
|
|
# In order to override the default TLS certificate location for
|
|
# vnc certificates, supply a valid path to the certificate directory.
|
|
# If the provided path does not exist, libvirtd will fail to start.
|
|
# If the path is not provided, but vnc_tls = 1, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing an x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client that does not have a
|
|
# certificate (as described in default_tls_x509_verify) signed by the
|
|
# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).
|
|
#
|
|
# If this option is not supplied, it will be set to the value of
|
|
# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
|
|
# the default is "0".
|
|
#
|
|
#vnc_tls_x509_verify = 1
|
|
|
|
|
|
# The default VNC password. Only 8 bytes are significant for
|
|
# VNC passwords. This parameter is only used if the per-domain
|
|
# XML config does not already provide a password. To allow
|
|
# access without passwords, leave this commented out. An empty
|
|
# string will still enable passwords, but be rejected by QEMU,
|
|
# effectively preventing any use of VNC. Obviously change this
|
|
# example here before you set this.
|
|
#
|
|
#vnc_password = "XYZ12345"
|
|
|
|
|
|
# Enable use of SASL encryption on the VNC server. This requires
|
|
# a VNC client which supports the SASL protocol extension.
|
|
# Examples include vinagre, virt-viewer and virt-manager
|
|
# itself. UltraVNC, RealVNC, TightVNC do not support this
|
|
#
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
#
|
|
#vnc_sasl = 1
|
|
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
# override the configs in this location. Set this parameter to
|
|
# point to the directory, and create a qemu.conf in that location
|
|
#
|
|
#vnc_sasl_dir = "/some/directory/sasl2"
|
|
|
|
|
|
# QEMU implements an extension for providing audio over a VNC connection,
|
|
# though if your VNC client does not support it, your only chance for getting
|
|
# sound output is through regular audio backends. By default, libvirt will
|
|
# disable all QEMU sound backends if using VNC, since they can cause
|
|
# permissions issues. Enabling this option will make libvirtd honor the
|
|
# QEMU_AUDIO_DRV environment variable when using VNC.
|
|
#
|
|
#vnc_allow_host_audio = 0
|
|
|
|
|
|
|
|
# SPICE is configured to listen on 127.0.0.1 by default.
|
|
# To make it listen on all public interfaces, uncomment
|
|
# this next option.
|
|
#
|
|
# NB, strong recommendation to enable TLS + x509 certificate
|
|
# verification when allowing public access
|
|
#
|
|
#spice_listen = "0.0.0.0"
|
|
|
|
|
|
# Enable use of TLS encryption on the SPICE server.
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
#spice_tls = 1
|
|
|
|
|
|
# In order to override the default TLS certificate location for
|
|
# spice certificates, supply a valid path to the certificate directory.
|
|
# If the provided path does not exist, libvirtd will fail to start.
|
|
# If the path is not provided, but spice_tls = 1, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
|
|
|
|
|
|
# Enable this option to have SPICE served over an automatically created
|
|
# unix socket. This prevents unprivileged access from users on the
|
|
# host machine.
|
|
#
|
|
# This will only be enabled for SPICE configurations that have listen
|
|
# type=address but without any address specified. This setting takes
|
|
# preference over spice_listen.
|
|
#
|
|
#spice_auto_unix_socket = 1
|
|
|
|
|
|
# The default SPICE password. This parameter is only used if the
|
|
# per-domain XML config does not already provide a password. To
|
|
# allow access without passwords, leave this commented out. An
|
|
# empty string will still enable passwords, but be rejected by
|
|
# QEMU, effectively preventing any use of SPICE. Obviously change
|
|
# this example here before you set this.
|
|
#
|
|
#spice_password = "XYZ12345"
|
|
|
|
|
|
# Enable use of SASL encryption on the SPICE server. This requires
|
|
# a SPICE client which supports the SASL protocol extension.
|
|
#
|
|
# It is necessary to configure /etc/sasl2/qemu.conf to choose
|
|
# the desired SASL plugin (eg, GSSPI for Kerberos)
|
|
#
|
|
#spice_sasl = 1
|
|
|
|
# The default SASL configuration file is located in /etc/sasl2/
|
|
# When running libvirtd unprivileged, it may be desirable to
|
|
# override the configs in this location. Set this parameter to
|
|
# point to the directory, and create a qemu.conf in that location
|
|
#
|
|
#spice_sasl_dir = "/some/directory/sasl2"
|
|
|
|
# Enable use of TLS encryption on the chardev TCP transports.
|
|
#
|
|
# It is necessary to setup CA and issue a server certificate
|
|
# before enabling this.
|
|
#
|
|
#chardev_tls = 1
|
|
|
|
|
|
# In order to override the default TLS certificate location for character
|
|
# device TCP certificates, supply a valid path to the certificate directory.
|
|
# If the provided path does not exist, libvirtd will fail to start.
|
|
# If the path is not provided, but chardev_tls = 1, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing an x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client that does not have a
|
|
# certificate (as described in default_tls_x509_verify) signed by the
|
|
# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
|
|
#
|
|
# If this option is not supplied, it will be set to the value of
|
|
# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
|
|
# the default is "1".
|
|
#
|
|
#chardev_tls_x509_verify = 1
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# Enable use of TLS encryption for all VxHS network block devices that
|
|
# don't specifically disable.
|
|
#
|
|
# When the VxHS network block device server is set up appropriately,
|
|
# x509 certificates are required for authentication between the clients
|
|
# (qemu processes) and the remote VxHS server.
|
|
#
|
|
# It is necessary to setup CA and issue the client certificate before
|
|
# enabling this.
|
|
#
|
|
#vxhs_tls = 1
|
|
|
|
|
|
# In order to override the default TLS certificate location for VxHS
|
|
# backed storage, supply a valid path to the certificate directory.
|
|
# This is used to authenticate the VxHS block device clients to the VxHS
|
|
# server.
|
|
#
|
|
# If the provided path does not exist, libvirtd will fail to start.
|
|
# If the path is not provided, but vxhs_tls = 1, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
# VxHS block device clients expect the client certificate and key to be
|
|
# present in the certificate directory along with the CA master certificate.
|
|
# If using the default environment, default_tls_x509_verify must be configured.
|
|
# Since this is only a client the server-key.pem certificate is not needed.
|
|
# Thus a VxHS directory must contain the following:
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# client-cert.pem - the client certificate signed with the ca-cert.pem
|
|
# client-key.pem - the client private key
|
|
#
|
|
#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# Enable use of TLS encryption for all NBD disk devices that don't
|
|
# specifically disable it.
|
|
#
|
|
# When the NBD server is set up appropriately, x509 certificates are required
|
|
# for authentication between the client and the remote NBD server.
|
|
#
|
|
# It is necessary to setup CA and issue the client certificate before
|
|
# enabling this.
|
|
#
|
|
#nbd_tls = 1
|
|
|
|
|
|
# In order to override the default TLS certificate location for NBD
|
|
# backed storage, supply a valid path to the certificate directory.
|
|
# This is used to authenticate the NBD block device clients to the NBD
|
|
# server.
|
|
#
|
|
# If the provided path does not exist, libvirtd will fail to start.
|
|
# If the path is not provided, but nbd_tls = 1, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
# NBD block device clients expect the client certificate and key to be
|
|
# present in the certificate directory along with the CA certificate.
|
|
# Since this is only a client the server-key.pem certificate is not needed.
|
|
# Thus a NBD directory must contain the following:
|
|
#
|
|
# ca-cert.pem - the CA master certificate
|
|
# client-cert.pem - the client certificate signed with the ca-cert.pem
|
|
# client-key.pem - the client private key
|
|
#
|
|
#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# In order to override the default TLS certificate location for migration
|
|
# certificates, supply a valid path to the certificate directory. If the
|
|
# provided path does not exist, libvirtd will fail to start. If the path is
|
|
# not provided, but TLS-encrypted migration is requested, then the
|
|
# default_tls_x509_cert_dir path will be used. Once/if a default certificate is
|
|
# enabled/defined, migration will then be able to use the certificate via
|
|
# migration API flags.
|
|
#
|
|
#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing an x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client that does not have a
|
|
# certificate (as described in default_tls_x509_verify) signed by the
|
|
# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
|
|
#
|
|
# If this option is not supplied, it will be set to the value of
|
|
# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
|
|
# either, the default is "1".
|
|
#
|
|
#migrate_tls_x509_verify = 1
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
|
|
# automatically. Setting 'migate_tls_force' to "1" will prevent any migration
|
|
# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
|
|
# deployments with TLS.
|
|
#
|
|
#migrate_tls_force = 0
|
|
|
|
|
|
# In order to override the default TLS certificate location for backup NBD
|
|
# server certificates, supply a valid path to the certificate directory. If the
|
|
# provided path does not exist, libvirtd will fail to start. If the path is
|
|
# not provided, but TLS-encrypted backup is requested, then the
|
|
# default_tls_x509_cert_dir path will be used.
|
|
#
|
|
#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
|
|
|
|
|
|
# The default TLS configuration only uses certificates for the server
|
|
# allowing the client to verify the server's identity and establish
|
|
# an encrypted channel.
|
|
#
|
|
# It is possible to use x509 certificates for authentication too, by
|
|
# issuing an x509 certificate to every client who needs to connect.
|
|
#
|
|
# Enabling this option will reject any client that does not have a
|
|
# certificate (as described in default_tls_x509_verify) signed by the
|
|
# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
|
|
#
|
|
# If this option is not supplied, it will be set to the value of
|
|
# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
|
|
# the default is "1".
|
|
#
|
|
#backup_tls_x509_verify = 1
|
|
|
|
|
|
# Uncomment and use the following option to override the default secret
|
|
# UUID provided in the default_tls_x509_secret_uuid parameter.
|
|
#
|
|
# NB This default all-zeros UUID will not work. Replace it with the
|
|
# output from the UUID for the TLS secret from a 'virsh secret-list'
|
|
# command and then uncomment the entry
|
|
#
|
|
#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
|
|
|
|
|
|
# By default, if no graphical front end is configured, libvirt will disable
|
|
# QEMU audio output since directly talking to alsa/pulseaudio may not work
|
|
# with various security settings. If you know what you're doing, enable
|
|
# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
|
|
# environment variable when using nographics.
|
|
#
|
|
#nographics_allow_host_audio = 1
|
|
|
|
|
|
# Override the port for creating both VNC and SPICE sessions (min).
|
|
# This defaults to 5900 and increases for consecutive sessions
|
|
# or when ports are occupied, until it hits the maximum.
|
|
#
|
|
# Minimum must be greater than or equal to 5900 as lower number would
|
|
# result into negative vnc display number.
|
|
#
|
|
# Maximum must be less than 65536, because higher numbers do not make
|
|
# sense as a port number.
|
|
#
|
|
#remote_display_port_min = 5900
|
|
#remote_display_port_max = 65535
|
|
|
|
# VNC WebSocket port policies, same rules apply as with remote display
|
|
# ports. VNC WebSockets use similar display <-> port mappings, with
|
|
# the exception being that ports start from 5700 instead of 5900.
|
|
#
|
|
#remote_websocket_port_min = 5700
|
|
#remote_websocket_port_max = 65535
|
|
|
|
# The default security driver is SELinux. If SELinux is disabled
|
|
# on the host, then the security driver will automatically disable
|
|
# itself. If you wish to disable QEMU SELinux security driver while
|
|
# leaving SELinux enabled for the host in general, then set this
|
|
# to 'none' instead. It's also possible to use more than one security
|
|
# driver at the same time, for this use a list of names separated by
|
|
# comma and delimited by square brackets. For example:
|
|
#
|
|
# security_driver = [ "selinux", "apparmor" ]
|
|
#
|
|
# Notes: The DAC security driver is always enabled; as a result, the
|
|
# value of security_driver cannot contain "dac". The value "none" is
|
|
# a special value; security_driver can be set to that value in
|
|
# isolation, but it cannot appear in a list of drivers.
|
|
#
|
|
#security_driver = "selinux"
|
|
|
|
# If set to non-zero, then the default security labeling
|
|
# will make guests confined. If set to zero, then guests
|
|
# will be unconfined by default. Defaults to 1.
|
|
#security_default_confined = 1
|
|
|
|
# If set to non-zero, then attempts to create unconfined
|
|
# guests will be blocked. Defaults to 0.
|
|
#security_require_confined = 1
|
|
|
|
# The user for QEMU processes run by the system instance. It can be
|
|
# specified as a user name or as a user id. The qemu driver will try to
|
|
# parse this value first as a name and then, if the name doesn't exist,
|
|
# as a user id.
|
|
#
|
|
# Since a sequence of digits is a valid user name, a leading plus sign
|
|
# can be used to ensure that a user id will not be interpreted as a user
|
|
# name.
|
|
#
|
|
# Some examples of valid values are:
|
|
#
|
|
# user = "qemu" # A user named "qemu"
|
|
# user = "+0" # Super user (uid=0)
|
|
# user = "100" # A user named "100" or a user with uid=100
|
|
#
|
|
#user = "root"
|
|
|
|
# The group for QEMU processes run by the system instance. It can be
|
|
# specified in a similar way to user.
|
|
#group = "root"
|
|
|
|
# Whether libvirt should dynamically change file ownership
|
|
# to match the configured user/group above. Defaults to 1.
|
|
# Set to 0 to disable file ownership changes.
|
|
#dynamic_ownership = 1
|
|
|
|
# Whether libvirt should remember and restore the original
|
|
# ownership over files it is relabeling. Defaults to 1, set
|
|
# to 0 to disable the feature.
|
|
#remember_owner = 1
|
|
|
|
# What cgroup controllers to make use of with QEMU guests
|
|
#
|
|
# - 'cpu' - use for scheduler tunables
|
|
# - 'devices' - use for device access control
|
|
# - 'memory' - use for memory tunables
|
|
# - 'blkio' - use for block devices I/O tunables
|
|
# - 'cpuset' - use for CPUs and memory nodes
|
|
# - 'cpuacct' - use for CPUs statistics.
|
|
#
|
|
# NB, even if configured here, they won't be used unless
|
|
# the administrator has mounted cgroups, e.g.:
|
|
#
|
|
# mkdir /dev/cgroup
|
|
# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
|
|
#
|
|
# They can be mounted anywhere, and different controllers
|
|
# can be mounted in different locations. libvirt will detect
|
|
# where they are located.
|
|
#
|
|
#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
|
|
|
|
# This is the basic set of devices allowed / required by
|
|
# all virtual machines.
|
|
#
|
|
# As well as this, any configured block backed disks,
|
|
# all sound device, and all PTY devices are allowed.
|
|
#
|
|
# This will only need setting if newer QEMU suddenly
|
|
# wants some device we don't already know about.
|
|
#
|
|
#cgroup_device_acl = [
|
|
# "/dev/null", "/dev/full", "/dev/zero",
|
|
# "/dev/random", "/dev/urandom",
|
|
# "/dev/ptmx", "/dev/kvm"
|
|
#]
|
|
#
|
|
# RDMA migration requires the following extra files to be added to the list:
|
|
# "/dev/infiniband/rdma_cm",
|
|
# "/dev/infiniband/issm0",
|
|
# "/dev/infiniband/issm1",
|
|
# "/dev/infiniband/umad0",
|
|
# "/dev/infiniband/umad1",
|
|
# "/dev/infiniband/uverbs0"
|
|
|
|
|
|
# The default format for QEMU/KVM guest save images is raw; that is, the
|
|
# memory from the domain is dumped out directly to a file. If you have
|
|
# guests with a large amount of memory, however, this can take up quite
|
|
# a bit of space. If you would like to compress the images while they
|
|
# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
|
|
# for save_image_format. Note that this means you slow down the process of
|
|
# saving a domain in order to save disk space; the list above is in descending
|
|
# order by performance and ascending order by compression ratio.
|
|
#
|
|
# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
|
|
# at scheduled saving, and it is an error if the specified save_image_format
|
|
# is not valid, or the requested compression program can't be found.
|
|
#
|
|
# dump_image_format is used when you use 'virsh dump' at emergency
|
|
# crashdump, and if the specified dump_image_format is not valid, or
|
|
# the requested compression program can't be found, this falls
|
|
# back to "raw" compression.
|
|
#
|
|
# snapshot_image_format specifies the compression algorithm of the memory save
|
|
# image when an external snapshot of a domain is taken. This does not apply
|
|
# on disk image format. It is an error if the specified format isn't valid,
|
|
# or the requested compression program can't be found.
|
|
#
|
|
#save_image_format = "raw"
|
|
#dump_image_format = "raw"
|
|
#snapshot_image_format = "raw"
|
|
|
|
# When a domain is configured to be auto-dumped when libvirtd receives a
|
|
# watchdog event from qemu guest, libvirtd will save dump files in directory
|
|
# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
|
|
#
|
|
#auto_dump_path = "/var/lib/libvirt/qemu/dump"
|
|
|
|
# When a domain is configured to be auto-dumped, enabling this flag
|
|
# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
|
|
# virDomainCoreDump API. That is, the system will avoid using the
|
|
# file system cache while writing the dump file, but may cause
|
|
# slower operation.
|
|
#
|
|
#auto_dump_bypass_cache = 0
|
|
|
|
# When a domain is configured to be auto-started, enabling this flag
|
|
# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
|
|
# with the virDomainCreateWithFlags API. That is, the system will
|
|
# avoid using the file system cache when restoring any managed state
|
|
# file, but may cause slower operation.
|
|
#
|
|
#auto_start_bypass_cache = 0
|
|
|
|
# If provided by the host and a hugetlbfs mount point is configured,
|
|
# a guest may request huge page backing. When this mount point is
|
|
# unspecified here, determination of a host mount point in /proc/mounts
|
|
# will be attempted. Specifying an explicit mount overrides detection
|
|
# of the same in /proc/mounts. Setting the mount point to "" will
|
|
# disable guest hugepage backing. If desired, multiple mount points can
|
|
# be specified at once, separated by comma and enclosed in square
|
|
# brackets, for example:
|
|
#
|
|
# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
|
|
#
|
|
# The size of huge page served by specific mount point is determined by
|
|
# libvirt at the daemon startup.
|
|
#
|
|
# NB, within these mount points, guests will create memory backing
|
|
# files in a location of $MOUNTPOINT/libvirt/qemu
|
|
#
|
|
#hugetlbfs_mount = "/dev/hugepages"
|
|
|
|
|
|
# Path to the setuid helper for creating tap devices. This executable
|
|
# is used to create <source type='bridge'> interfaces when libvirtd is
|
|
# running unprivileged. libvirt invokes the helper directly, instead
|
|
# of using "-netdev bridge", for security reasons.
|
|
#bridge_helper = "/usr/libexec/qemu-bridge-helper"
|
|
|
|
|
|
# If enabled, libvirt will have QEMU set its process name to
|
|
# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
|
|
# process will appear as "qemu:VM_NAME" in process listings and
|
|
# other system monitoring tools. By default, QEMU does not set
|
|
# its process title, so the complete QEMU command (emulator and
|
|
# its arguments) appear in process listings.
|
|
#
|
|
#set_process_name = 1
|
|
|
|
|
|
# If max_processes is set to a positive integer, libvirt will use
|
|
# it to set the maximum number of processes that can be run by qemu
|
|
# user. This can be used to override default value set by host OS.
|
|
# The same applies to max_files which sets the limit on the maximum
|
|
# number of opened files.
|
|
#
|
|
#max_processes = 0
|
|
#max_files = 0
|
|
|
|
# If max_threads_per_process is set to a positive integer, libvirt
|
|
# will use it to set the maximum number of threads that can be
|
|
# created by a qemu process. Some VM configurations can result in
|
|
# qemu processes with tens of thousands of threads. systemd-based
|
|
# systems typically limit the number of threads per process to
|
|
# 16k. max_threads_per_process can be used to override default
|
|
# limits in the host OS.
|
|
#
|
|
#max_threads_per_process = 0
|
|
|
|
# If max_core is set to a non-zero integer, then QEMU will be
|
|
# permitted to create core dumps when it crashes, provided its
|
|
# RAM size is smaller than the limit set.
|
|
#
|
|
# Be warned that the core dump will include a full copy of the
|
|
# guest RAM, if the 'dump_guest_core' setting has been enabled,
|
|
# or if the guest XML contains
|
|
#
|
|
# <memory dumpcore="on">...guest ram...</memory>
|
|
#
|
|
# If guest RAM is to be included, ensure the max_core limit
|
|
# is set to at least the size of the largest expected guest
|
|
# plus another 1GB for any QEMU host side memory mappings.
|
|
#
|
|
# As a special case it can be set to the string "unlimited" to
|
|
# to allow arbitrarily sized core dumps.
|
|
#
|
|
# By default the core dump size is set to 0 disabling all dumps
|
|
#
|
|
# Size is a positive integer specifying bytes or the
|
|
# string "unlimited"
|
|
#
|
|
#max_core = "unlimited"
|
|
|
|
# Determine if guest RAM is included in QEMU core dumps. By
|
|
# default guest RAM will be excluded if a new enough QEMU is
|
|
# present. Setting this to '1' will force guest RAM to always
|
|
# be included in QEMU core dumps.
|
|
#
|
|
# This setting will be ignored if the guest XML has set the
|
|
# dumpcore attribute on the <memory> element.
|
|
#
|
|
#dump_guest_core = 1
|
|
|
|
# mac_filter enables MAC addressed based filtering on bridge ports.
|
|
# This currently requires ebtables to be installed.
|
|
#
|
|
#mac_filter = 1
|
|
|
|
|
|
# By default, PCI devices below non-ACS switch are not allowed to be assigned
|
|
# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
|
|
# be assigned to guests.
|
|
#
|
|
#relaxed_acs_check = 1
|
|
|
|
|
|
# In order to prevent accidentally starting two domains that
|
|
# share one writable disk, libvirt offers two approaches for
|
|
# locking files. The first one is sanlock, the other one,
|
|
# virtlockd, is then our own implementation. Accepted values
|
|
# are "sanlock" and "lockd".
|
|
#
|
|
#lock_manager = "lockd"
|
|
|
|
|
|
# Set limit of maximum APIs queued on one domain. All other APIs
|
|
# over this threshold will fail on acquiring job lock. Specially,
|
|
# setting to zero turns this feature off.
|
|
# Note, that job lock is per domain.
|
|
#
|
|
#max_queued = 0
|
|
|
|
###################################################################
|
|
# Keepalive protocol:
|
|
# This allows qemu driver to detect broken connections to remote
|
|
# libvirtd during peer-to-peer migration. A keepalive message is
|
|
# sent to the daemon after keepalive_interval seconds of inactivity
|
|
# to check if the daemon is still responding; keepalive_count is a
|
|
# maximum number of keepalive messages that are allowed to be sent
|
|
# to the daemon without getting any response before the connection
|
|
# is considered broken. In other words, the connection is
|
|
# automatically closed approximately after
|
|
# keepalive_interval * (keepalive_count + 1) seconds since the last
|
|
# message received from the daemon. If keepalive_interval is set to
|
|
# -1, qemu driver will not send keepalive requests during
|
|
# peer-to-peer migration; however, the remote libvirtd can still
|
|
# send them and source libvirtd will send responses. When
|
|
# keepalive_count is set to 0, connections will be automatically
|
|
# closed after keepalive_interval seconds of inactivity without
|
|
# sending any keepalive messages.
|
|
#
|
|
#keepalive_interval = 5
|
|
#keepalive_count = 5
|
|
|
|
|
|
|
|
# Use seccomp syscall sandbox in QEMU.
|
|
# 1 == seccomp enabled, 0 == seccomp disabled
|
|
#
|
|
# If it is unset (or -1), then seccomp will be enabled
|
|
# only if QEMU >= 2.11.0 is detected, otherwise it is
|
|
# left disabled. This ensures the default config gets
|
|
# protection for new QEMU using the blacklist approach.
|
|
#
|
|
#seccomp_sandbox = 1
|
|
|
|
|
|
# Override the listen address for all incoming migrations. Defaults to
|
|
# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
|
|
#migration_address = "0.0.0.0"
|
|
|
|
|
|
# The default hostname or IP address which will be used by a migration
|
|
# source for transferring migration data to this host. The migration
|
|
# source has to be able to resolve this hostname and connect to it so
|
|
# setting "localhost" will not work. By default, the host's configured
|
|
# hostname is used.
|
|
#migration_host = "host.example.com"
|
|
|
|
|
|
# Override the port range used for incoming migrations.
|
|
#
|
|
# Minimum must be greater than 0, however when QEMU is not running as root,
|
|
# setting the minimum to be lower than 1024 will not work.
|
|
#
|
|
# Maximum must not be greater than 65535.
|
|
#
|
|
#migration_port_min = 49152
|
|
#migration_port_max = 49215
|
|
|
|
|
|
|
|
# Timestamp QEMU's log messages (if QEMU supports it)
|
|
#
|
|
# Defaults to 1.
|
|
#
|
|
#log_timestamp = 0
|
|
|
|
|
|
# Location of master nvram file
|
|
#
|
|
# This configuration option is obsolete. Libvirt will follow the
|
|
# QEMU firmware metadata specification to automatically locate
|
|
# firmware images. See docs/interop/firmware.json in the QEMU
|
|
# source tree. These metadata files are distributed alongside any
|
|
# firmware images intended for use with QEMU.
|
|
#
|
|
# NOTE: if ANY firmware metadata files are detected, this setting
|
|
# will be COMPLETELY IGNORED.
|
|
#
|
|
# ------------------------------------------
|
|
#
|
|
# When a domain is configured to use UEFI instead of standard
|
|
# BIOS it may use a separate storage for UEFI variables. If
|
|
# that's the case libvirt creates the variable store per domain
|
|
# using this master file as image. Each UEFI firmware can,
|
|
# however, have different variables store. Therefore the nvram is
|
|
# a list of strings when a single item is in form of:
|
|
# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
|
|
# Later, when libvirt creates per domain variable store, this list is
|
|
# searched for the master image. The UEFI firmware can be called
|
|
# differently for different guest architectures. For instance, it's OVMF
|
|
# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
|
|
# follows this scheme.
|
|
#nvram = [
|
|
# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
|
|
# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
|
|
# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
|
|
# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
|
|
#]
|
|
|
|
# The backend to use for handling stdout/stderr output from
|
|
# QEMU processes.
|
|
#
|
|
# 'file': QEMU writes directly to a plain file. This is the
|
|
# historical default, but allows QEMU to inflict a
|
|
# denial of service attack on the host by exhausting
|
|
# filesystem space
|
|
#
|
|
# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
|
|
# This is the current default, providing protection
|
|
# against denial of service by performing log file
|
|
# rollover when a size limit is hit.
|
|
#
|
|
#stdio_handler = "logd"
|
|
|
|
# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
|
|
# most verbose, and 0 representing no debugging output.
|
|
#
|
|
# The current logging levels defined in the gluster GFAPI are:
|
|
#
|
|
# 0 - None
|
|
# 1 - Emergency
|
|
# 2 - Alert
|
|
# 3 - Critical
|
|
# 4 - Error
|
|
# 5 - Warning
|
|
# 6 - Notice
|
|
# 7 - Info
|
|
# 8 - Debug
|
|
# 9 - Trace
|
|
#
|
|
# Defaults to 4
|
|
#
|
|
#gluster_debug_level = 9
|
|
|
|
# virtiofsd debug
|
|
#
|
|
# Whether to enable the debugging output of the virtiofsd daemon.
|
|
# Possible values are 0 or 1. Disabled by default.
|
|
#
|
|
#virtiofsd_debug = 1
|
|
|
|
# To enhance security, QEMU driver is capable of creating private namespaces
|
|
# for each domain started. Well, so far only "mount" namespace is supported. If
|
|
# enabled it means qemu process is unable to see all the devices on the system,
|
|
# only those configured for the domain in question. Libvirt then manages
|
|
# devices entries throughout the domain lifetime. This namespace is turned on
|
|
# by default.
|
|
#namespaces = [ "mount" ]
|
|
|
|
# This directory is used for memoryBacking source if configured as file.
|
|
# NOTE: big files will be stored here
|
|
#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
|
|
|
|
# Path to the SCSI persistent reservations helper. This helper is
|
|
# used whenever <reservations/> are enabled for SCSI LUN devices.
|
|
#pr_helper = "/usr/bin/qemu-pr-helper"
|
|
|
|
# Path to the SLIRP networking helper.
|
|
#slirp_helper = "/usr/bin/slirp-helper"
|
|
|
|
# Path to the dbus-daemon
|
|
#dbus_daemon = "/usr/bin/dbus-daemon"
|
|
|
|
# User for the swtpm TPM Emulator
|
|
#
|
|
# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
|
|
# and uses; alternative is 'root'
|
|
#
|
|
#swtpm_user = "tss"
|
|
#swtpm_group = "tss"
|
|
|
|
# For debugging and testing purposes it's sometimes useful to be able to disable
|
|
# libvirt behaviour based on the capabilities of the qemu process. This option
|
|
# allows to do so. DO _NOT_ use in production and beaware that the behaviour
|
|
# may change across versions.
|
|
#
|
|
#capability_filters = [ "capname" ]
|