spacepaste

Paste details

reply | raw

  1.  
  2. # Master configuration file for the QEMU driver.
  3. # All settings described here are optional - if omitted, sensible
  4. # defaults are used.
  6. # VNC is configured to listen on 127.0.0.1 by default.
  7. # To make it listen on all public interfaces, uncomment
  8. # this next option.
  9. #
  10. # NB, strong recommendation to enable TLS + x509 certificate
  11. # verification when allowing public access
  12. #
  13. #vnc_listen = "0.0.0.0"
  15. # Enable this option to have VNC served over an automatically created
  16. # unix socket. This prevents unprivileged access from users on the
  17. # host machine, though most VNC clients do not support it.
  18. #
  19. # This will only be enabled for VNC configurations that do not have
  20. # a hardcoded 'listen' or 'socket' value. This setting takes preference
  21. # over vnc_listen.
  22. #
  23. #vnc_auto_unix_socket = 1
  25. # Enable use of TLS encryption on the VNC server. This requires
  26. # a VNC client which supports the VeNCrypt protocol extension.
  27. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
  28. # itself. UltraVNC, RealVNC, TightVNC do not support this
  29. #
  30. # It is necessary to setup CA and issue a server certificate
  31. # before enabling this.
  32. #
  33. #vnc_tls = 1
  36. # Use of TLS requires that x509 certificates be issued. The
  37. # default it to keep them in /etc/pki/libvirt-vnc. This directory
  38. # must contain
  39. #
  40. # ca-cert.pem - the CA master certificate
  41. # server-cert.pem - the server certificate signed with ca-cert.pem
  42. # server-key.pem - the server private key
  43. #
  44. # This option allows the certificate directory to be changed
  45. #
  46. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
  49. # The default TLS configuration only uses certificates for the server
  50. # allowing the client to verify the server's identity and establish
  51. # an encrypted channel.
  52. #
  53. # It is possible to use x509 certificates for authentication too, by
  54. # issuing a x509 certificate to every client who needs to connect.
  55. #
  56. # Enabling this option will reject any client who does not have a
  57. # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
  58. #
  59. #vnc_tls_x509_verify = 1
  62. # The default VNC password. Only 8 bytes are significant for
  63. # VNC passwords. This parameter is only used if the per-domain
  64. # XML config does not already provide a password. To allow
  65. # access without passwords, leave this commented out. An empty
  66. # string will still enable passwords, but be rejected by QEMU,
  67. # effectively preventing any use of VNC. Obviously change this
  68. # example here before you set this.
  69. #
  70. #vnc_password = "XYZ12345"
  73. # Enable use of SASL encryption on the VNC server. This requires
  74. # a VNC client which supports the SASL protocol extension.
  75. # Examples include vinagre, virt-viewer and virt-manager
  76. # itself. UltraVNC, RealVNC, TightVNC do not support this
  77. #
  78. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  79. # the desired SASL plugin (eg, GSSPI for Kerberos)
  80. #
  81. #vnc_sasl = 1
  84. # The default SASL configuration file is located in /etc/sasl2/
  85. # When running libvirtd unprivileged, it may be desirable to
  86. # override the configs in this location. Set this parameter to
  87. # point to the directory, and create a qemu.conf in that location
  88. #
  89. #vnc_sasl_dir = "/some/directory/sasl2"
  92. # QEMU implements an extension for providing audio over a VNC connection,
  93. # though if your VNC client does not support it, your only chance for getting
  94. # sound output is through regular audio backends. By default, libvirt will
  95. # disable all QEMU sound backends if using VNC, since they can cause
  96. # permissions issues. Enabling this option will make libvirtd honor the
  97. # QEMU_AUDIO_DRV environment variable when using VNC.
  98. #
  99. #vnc_allow_host_audio = 0
  103. # SPICE is configured to listen on 127.0.0.1 by default.
  104. # To make it listen on all public interfaces, uncomment
  105. # this next option.
  106. #
  107. # NB, strong recommendation to enable TLS + x509 certificate
  108. # verification when allowing public access
  109. #
  110. #spice_listen = "0.0.0.0"
  113. # Enable use of TLS encryption on the SPICE server.
  114. #
  115. # It is necessary to setup CA and issue a server certificate
  116. # before enabling this.
  117. #
  118. #spice_tls = 1
  121. # Use of TLS requires that x509 certificates be issued. The
  122. # default it to keep them in /etc/pki/libvirt-spice. This directory
  123. # must contain
  124. #
  125. # ca-cert.pem - the CA master certificate
  126. # server-cert.pem - the server certificate signed with ca-cert.pem
  127. # server-key.pem - the server private key
  128. #
  129. # This option allows the certificate directory to be changed.
  130. #
  131. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
  134. # The default SPICE password. This parameter is only used if the
  135. # per-domain XML config does not already provide a password. To
  136. # allow access without passwords, leave this commented out. An
  137. # empty string will still enable passwords, but be rejected by
  138. # QEMU, effectively preventing any use of SPICE. Obviously change
  139. # this example here before you set this.
  140. #
  141. #spice_password = "XYZ12345"
  144. # Enable use of SASL encryption on the SPICE server. This requires
  145. # a SPICE client which supports the SASL protocol extension.
  146. #
  147. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  148. # the desired SASL plugin (eg, GSSPI for Kerberos)
  149. #
  150. #spice_sasl = 1
  152. # The default SASL configuration file is located in /etc/sasl2/
  153. # When running libvirtd unprivileged, it may be desirable to
  154. # override the configs in this location. Set this parameter to
  155. # point to the directory, and create a qemu.conf in that location
  156. #
  157. #spice_sasl_dir = "/some/directory/sasl2"
  160. # By default, if no graphical front end is configured, libvirt will disable
  161. # QEMU audio output since directly talking to alsa/pulseaudio may not work
  162. # with various security settings. If you know what you're doing, enable
  163. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
  164. # environment variable when using nographics.
  165. #
  166. #nographics_allow_host_audio = 1
  169. # Override the port for creating both VNC and SPICE sessions (min).
  170. # This defaults to 5900 and increases for consecutive sessions
  171. # or when ports are occupied, until it hits the maximum.
  172. #
  173. # Minimum must be greater than or equal to 5900 as lower number would
  174. # result into negative vnc display number.
  175. #
  176. # Maximum must be less than 65536, because higher numbers do not make
  177. # sense as a port number.
  178. #
  179. #remote_display_port_min = 5900
  180. #remote_display_port_max = 65535
  182. # VNC WebSocket port policies, same rules apply as with remote display
  183. # ports. VNC WebSockets use similar display <-> port mappings, with
  184. # the exception being that ports start from 5700 instead of 5900.
  185. #
  186. #remote_websocket_port_min = 5700
  187. #remote_websocket_port_max = 65535
  189. # The default security driver is SELinux. If SELinux is disabled
  190. # on the host, then the security driver will automatically disable
  191. # itself. If you wish to disable QEMU SELinux security driver while
  192. # leaving SELinux enabled for the host in general, then set this
  193. # to 'none' instead. It's also possible to use more than one security
  194. # driver at the same time, for this use a list of names separated by
  195. # comma and delimited by square brackets. For example:
  196. #
  197. # security_driver = [ "selinux", "apparmor" ]
  198. #
  199. # Notes: The DAC security driver is always enabled; as a result, the
  200. # value of security_driver cannot contain "dac". The value "none" is
  201. # a special value; security_driver can be set to that value in
  202. # isolation, but it cannot appear in a list of drivers.
  203. #
  204. #security_driver = "selinux"
  206. # If set to non-zero, then the default security labeling
  207. # will make guests confined. If set to zero, then guests
  208. # will be unconfined by default. Defaults to 1.
  209. #security_default_confined = 1
  211. # If set to non-zero, then attempts to create unconfined
  212. # guests will be blocked. Defaults to 0.
  213. #security_require_confined = 1
  215. # The user for QEMU processes run by the system instance. It can be
  216. # specified as a user name or as a user id. The qemu driver will try to
  217. # parse this value first as a name and then, if the name doesn't exist,
  218. # as a user id.
  219. #
  220. # Since a sequence of digits is a valid user name, a leading plus sign
  221. # can be used to ensure that a user id will not be interpreted as a user
  222. # name.
  223. #
  224. # Some examples of valid values are:
  225. #
  226. # user = "qemu" # A user named "qemu"
  227. # user = "+0" # Super user (uid=0)
  228. # user = "100" # A user named "100" or a user with uid=100
  229. #
  230. #user = "root"
  232. # The group for QEMU processes run by the system instance. It can be
  233. # specified in a similar way to user.
  234. group="78"
  236. # Whether libvirt should dynamically change file ownership
  237. # to match the configured user/group above. Defaults to 1.
  238. # Set to 0 to disable file ownership changes.
  239. #dynamic_ownership = 1
  242. # What cgroup controllers to make use of with QEMU guests
  243. #
  244. # - 'cpu' - use for schedular tunables
  245. # - 'devices' - use for device whitelisting
  246. # - 'memory' - use for memory tunables
  247. # - 'blkio' - use for block devices I/O tunables
  248. # - 'cpuset' - use for CPUs and memory nodes
  249. # - 'cpuacct' - use for CPUs statistics.
  250. #
  251. # NB, even if configured here, they won't be used unless
  252. # the administrator has mounted cgroups, e.g.:
  253. #
  254. # mkdir /dev/cgroup
  255. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
  256. #
  257. # They can be mounted anywhere, and different controllers
  258. # can be mounted in different locations. libvirt will detect
  259. # where they are located.
  260. #
  261. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
  263. # This is the basic set of devices allowed / required by
  264. # all virtual machines.
  265. #
  266. # As well as this, any configured block backed disks,
  267. # all sound device, and all PTY devices are allowed.
  268. #
  269. # This will only need setting if newer QEMU suddenly
  270. # wants some device we don't already know about.
  271. #
  272. #cgroup_device_acl = [
  273. # "/dev/null", "/dev/full", "/dev/zero",
  274. # "/dev/random", "/dev/urandom",
  275. # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
  276. # "/dev/rtc","/dev/hpet", "/dev/vfio/vfio",
  277. # "/dev/vfio/1"
  278. #]
  279. #
  280. # RDMA migration requires the following extra files to be added to the list:
  281. # "/dev/infiniband/rdma_cm",
  282. # "/dev/infiniband/issm0",
  283. # "/dev/infiniband/issm1",
  284. # "/dev/infiniband/umad0",
  285. # "/dev/infiniband/umad1",
  286. # "/dev/infiniband/uverbs0"
  289. # The default format for Qemu/KVM guest save images is raw; that is, the
  290. # memory from the domain is dumped out directly to a file. If you have
  291. # guests with a large amount of memory, however, this can take up quite
  292. # a bit of space. If you would like to compress the images while they
  293. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
  294. # for save_image_format. Note that this means you slow down the process of
  295. # saving a domain in order to save disk space; the list above is in descending
  296. # order by performance and ascending order by compression ratio.
  297. #
  298. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
  299. # at scheduled saving, and it is an error if the specified save_image_format
  300. # is not valid, or the requested compression program can't be found.
  301. #
  302. # dump_image_format is used when you use 'virsh dump' at emergency
  303. # crashdump, and if the specified dump_image_format is not valid, or
  304. # the requested compression program can't be found, this falls
  305. # back to "raw" compression.
  306. #
  307. # snapshot_image_format specifies the compression algorithm of the memory save
  308. # image when an external snapshot of a domain is taken. This does not apply
  309. # on disk image format. It is an error if the specified format isn't valid,
  310. # or the requested compression program can't be found.
  311. #
  312. #save_image_format = "raw"
  313. #dump_image_format = "raw"
  314. #snapshot_image_format = "raw"
  316. # When a domain is configured to be auto-dumped when libvirtd receives a
  317. # watchdog event from qemu guest, libvirtd will save dump files in directory
  318. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
  319. #
  320. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
  322. # When a domain is configured to be auto-dumped, enabling this flag
  323. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
  324. # virDomainCoreDump API. That is, the system will avoid using the
  325. # file system cache while writing the dump file, but may cause
  326. # slower operation.
  327. #
  328. #auto_dump_bypass_cache = 0
  330. # When a domain is configured to be auto-started, enabling this flag
  331. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
  332. # with the virDomainCreateWithFlags API. That is, the system will
  333. # avoid using the file system cache when restoring any managed state
  334. # file, but may cause slower operation.
  335. #
  336. #auto_start_bypass_cache = 0
  338. # If provided by the host and a hugetlbfs mount point is configured,
  339. # a guest may request huge page backing. When this mount point is
  340. # unspecified here, determination of a host mount point in /proc/mounts
  341. # will be attempted. Specifying an explicit mount overrides detection
  342. # of the same in /proc/mounts. Setting the mount point to "" will
  343. # disable guest hugepage backing. If desired, multiple mount points can
  344. # be specified at once, separated by comma and enclosed in square
  345. # brackets, for example:
  346. #
  347. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
  348. #
  349. # The size of huge page served by specific mount point is determined by
  350. # libvirt at the daemon startup.
  351. #
  352. # NB, within these mount points, guests will create memory backing
  353. # files in a location of $MOUNTPOINT/libvirt/qemu
  354. #
  355. #hugetlbfs_mount = "/dev/hugepages"
  358. # Path to the setuid helper for creating tap devices. This executable
  359. # is used to create <source type='bridge'> interfaces when libvirtd is
  360. # running unprivileged. libvirt invokes the helper directly, instead
  361. # of using "-netdev bridge", for security reasons.
  362. #bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
  366. # If clear_emulator_capabilities is enabled, libvirt will drop all
  367. # privileged capabilities of the QEmu/KVM emulator. This is enabled by
  368. # default.
  369. #
  370. # Warning: Disabling this option means that a compromised guest can
  371. # exploit the privileges and possibly do damage to the host.
  372. #
  373. clear_emulator_capabilities = 0
  376. # If enabled, libvirt will have QEMU set its process name to
  377. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
  378. # process will appear as "qemu:VM_NAME" in process listings and
  379. # other system monitoring tools. By default, QEMU does not set
  380. # its process title, so the complete QEMU command (emulator and
  381. # its arguments) appear in process listings.
  382. #
  383. #set_process_name = 1
  386. # If max_processes is set to a positive integer, libvirt will use
  387. # it to set the maximum number of processes that can be run by qemu
  388. # user. This can be used to override default value set by host OS.
  389. # The same applies to max_files which sets the limit on the maximum
  390. # number of opened files.
  391. #
  392. #max_processes = 0
  393. #max_files = 0
  397. # mac_filter enables MAC addressed based filtering on bridge ports.
  398. # This currently requires ebtables to be installed.
  399. #
  400. #mac_filter = 1
  403. # By default, PCI devices below non-ACS switch are not allowed to be assigned
  404. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
  405. # be assigned to guests.
  406. #
  407. #relaxed_acs_check = 1
  410. # If allow_disk_format_probing is enabled, libvirt will probe disk
  411. # images to attempt to identify their format, when not otherwise
  412. # specified in the XML. This is disabled by default.
  413. #
  414. # WARNING: Enabling probing is a security hole in almost all
  415. # deployments. It is strongly recommended that users update their
  416. # guest XML <disk> elements to include <driver type='XXXX'/>
  417. # elements instead of enabling this option.
  418. #
  419. #allow_disk_format_probing = 1
  422. # In order to prevent accidentally starting two domains that
  423. # share one writable disk, libvirt offers two approaches for
  424. # locking files. The first one is sanlock, the other one,
  425. # virtlockd, is then our own implementation. Accepted values
  426. # are "sanlock" and "lockd".
  427. #
  428. #lock_manager = "lockd"
  432. # Set limit of maximum APIs queued on one domain. All other APIs
  433. # over this threshold will fail on acquiring job lock. Specially,
  434. # setting to zero turns this feature off.
  435. # Note, that job lock is per domain.
  436. #
  437. #max_queued = 0
  439. ###################################################################
  440. # Keepalive protocol:
  441. # This allows qemu driver to detect broken connections to remote
  442. # libvirtd during peer-to-peer migration. A keepalive message is
  443. # sent to the daemon after keepalive_interval seconds of inactivity
  444. # to check if the daemon is still responding; keepalive_count is a
  445. # maximum number of keepalive messages that are allowed to be sent
  446. # to the daemon without getting any response before the connection
  447. # is considered broken. In other words, the connection is
  448. # automatically closed approximately after
  449. # keepalive_interval * (keepalive_count + 1) seconds since the last
  450. # message received from the daemon. If keepalive_interval is set to
  451. # -1, qemu driver will not send keepalive requests during
  452. # peer-to-peer migration; however, the remote libvirtd can still
  453. # send them and source libvirtd will send responses. When
  454. # keepalive_count is set to 0, connections will be automatically
  455. # closed after keepalive_interval seconds of inactivity without
  456. # sending any keepalive messages.
  457. #
  458. #keepalive_interval = 5
  459. #keepalive_count = 5
  463. # Use seccomp syscall whitelisting in QEMU.
  464. # 1 = on, 0 = off, -1 = use QEMU default
  465. # Defaults to -1.
  466. #
  467. #seccomp_sandbox = 1
  470. # Override the listen address for all incoming migrations. Defaults to
  471. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
  472. #migration_address = "0.0.0.0"
  475. # The default hostname or IP address which will be used by a migration
  476. # source for transferring migration data to this host. The migration
  477. # source has to be able to resolve this hostname and connect to it so
  478. # setting "localhost" will not work. By default, the host's configured
  479. # hostname is used.
  480. #migration_host = "host.example.com"
  483. # Override the port range used for incoming migrations.
  484. #
  485. # Minimum must be greater than 0, however when QEMU is not running as root,
  486. # setting the minimum to be lower than 1024 will not work.
  487. #
  488. # Maximum must not be greater than 65535.
  489. #
  490. #migration_port_min = 49152
  491. #migration_port_max = 49215
  495. # Timestamp QEMU's log messages (if QEMU supports it)
  496. #
  497. # Defaults to 1.
  498. #
  499. #log_timestamp = 0
  502. # Location of master nvram file
  503. #
  504. # When a domain is configured to use UEFI instead of standard
  505. # BIOS it may use a separate storage for UEFI variables. If
  506. # that's the case libvirt creates the variable store per domain
  507. # using this master file as image. Each UEFI firmware can,
  508. # however, have different variables store. Therefore the nvram is
  509. # a list of strings when a single item is in form of:
  510. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
  511. # Later, when libvirt creates per domain variable store, this list is
  512. # searched for the master image. The UEFI firmware can be called
  513. # differently for different guest architectures. For instance, it's OVMF
  514. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
  515. # follows this scheme.
  516. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
  517. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd"
  518. nvram = [
  519. "/usr/share/edk2.git/ovmf-x64/OVMF_CODE-pure-efi.fd:/usr/share/edk2.git/ovmf-x64/OVMF_VARS-pure-efi.fd",
  520. ]
  522. # The backend to use for handling stdout/stderr output from
  523. # QEMU processes.
  524. #
  525. # 'file': QEMU writes directly to a plain file. This is the
  526. # historical default, but allows QEMU to inflict a
  527. # denial of service attack on the host by exhausting
  528. # filesystem space
  529. #
  530. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
  531. # This is the current default, providing protection
  532. # against denial of service by performing log file
  533. # rollover when a size limit is hit.
  534. #
  535. #stdio_handler = "logd"
  536.  
Powered by spacepaste. Paste removal.