1Error starting domain: internal error: process exited while connecting to monitor: 2021-07-21T02:05:44.518458Z qemu-system-x86_64: -object input-linux,id=kbd1,evdev=/dev/input/usb-Logitech_USB_Receiver-if02-event-kbd,grab_all=on,repeat=on: Could not open '/dev/input/usb-Logitech_USB_Receiver-if02-event-kbd': No such file or directory
2
3Traceback (most recent call last):
4 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 65, in cb_wrapper
5 callback(asyncjob, *args, **kwargs)
6 File "/usr/share/virt-manager/virtManager/asyncjob.py", line 101, in tmpcb
7 callback(*args, **kwargs)
8 File "/usr/share/virt-manager/virtManager/object/libvirtobject.py", line 57, in newfn
9 ret = fn(self, *args, **kwargs)
10 File "/usr/share/virt-manager/virtManager/object/domain.py", line 1329, in startup
11 self._backend.create()
12 File "/usr/lib/python3/dist-packages/libvirt.py", line 1353, in create
13 raise libvirtError('virDomainCreate() failed')
14libvirt.libvirtError: internal error: process exited while connecting to monitor: 2021-07-21T02:05:44.518458Z qemu-system-x86_64: -object input-linux,id=kbd1,evdev=/dev/input/usb-Logitech_USB_Receiver-if02-event-kbd,grab_all=on,repeat=on: Could not open '/dev/input/usb-Logitech_USB_Receiver-if02-event-kbd': No such file or directory
15
16apparmor.d/abstractions/libvirt-qemu.conf
17
18 #include <abstractions/base>
19 #include <abstractions/consoles>
20 #include <abstractions/nameservice>
21
22 # required for reading disk images
23 capability dac_override,
24 capability dac_read_search,
25 capability chown,
26
27 # needed to drop privileges
28 capability setgid,
29 capability setuid,
30
31 # for 9p
32 capability fsetid,
33 capability fowner,
34
35 network inet stream,
36 network inet6 stream,
37
38 ptrace (readby, tracedby) peer=libvirtd,
39 ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
40
41 signal (receive) peer=libvirtd,
42 signal (receive) peer=/usr/sbin/libvirtd,
43
44 /dev/kvm rw,
45 /dev/net/tun rw,
46 /dev/ptmx rw,
47 /dev/input/* rw,
48 @{PROC}/*/status r,
49 # When qemu is signaled to terminate, it will read cmdline of signaling
50 # process for reporting purposes. Allowing read access to a process
51 # cmdline may leak sensitive information embedded in the cmdline.
52 @{PROC}/@{pid}/cmdline r,
53 # Per man(5) proc, the kernel enforces that a thread may
54 # only modify its comm value or those in its thread group.
55 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
56 @{PROC}/sys/kernel/cap_last_cap r,
57 @{PROC}/sys/vm/overcommit_memory r,
58 # detect hardware capabilities via qemu_getauxval
59 owner @{PROC}/*/auxv r,
60
61 # For hostdev access. The actual devices will be added dynamically
62 /sys/bus/usb/devices/ r,
63 /sys/devices/**/usb[0-9]*/** r,
64 # libusb needs udev data about usb devices (~equal to content of lsusb -v)
65 /run/udev/data/+usb* r,
66 /run/udev/data/c16[6,7]* r,
67 /run/udev/data/c18[0,8,9]* r,
68
69 # WARNING: this gives the guest direct access to host hardware and specific
70 # portions of shared memory. This is required for sound using ALSA with kvm,
71 # but may constitute a security risk. If your environment does not require
72 # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
73 # the rules for files in /dev.
74 /dev/snd/* rw,
75 /{dev,run}/shm r,
76 /{dev,run}/shmpulse-shm* r,
77 /{dev,run}/shmpulse-shm* rwk,
78 capability ipc_lock,
79 # spice
80 owner /{dev,run}/shm/spice.* rw,
81 # 'kill' is not required for sound and is a security risk. Do not enable
82 # unless you absolutely need it.
83 deny capability kill,
84
85 # Uncomment the following if you need access to /dev/fb*
86 #/dev/fb* rw,
87
88 /etc/pulse/client.conf r,
89 @{HOME}/.pulse-cookie rwk,
90 owner /root/.pulse-cookie rwk,
91 owner /root/.pulse/ rw,
92 owner /root/.pulse/* rw,
93 /usr/share/alsa/** r,
94 owner /tmp/pulse-*/ rw,
95 owner /tmp/pulse-*/* rw,
96 /var/lib/dbus/machine-id r,
97
98 # access to firmware's etc
99 /usr/share/AAVMF/** r,
100 /usr/share/bochs/** r,
101 /usr/share/edk2-ovmf/** r,
102 /usr/share/kvm/** r,
103 /usr/share/misc/sgabios.bin r,
104 /usr/share/openbios/** r,
105 /usr/share/openhackware/** r,
106 /usr/share/OVMF/** r,
107 /usr/share/ovmf/** r,
108 /usr/share/proll/** r,
109 /usr/share/qemu-efi/** r,
110 /usr/share/qemu-kvm/** r,
111 /usr/share/qemu/** r,
112 /usr/share/seabios/** r,
113 /usr/share/sgabios/** r,
114 /usr/share/slof/** r,
115 /usr/share/vgabios/** r,
116
117 # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
118 /etc/pki/CA/ r,
119 /etc/pki/CA/* r,
120 /etc/pki/libvirt{,-spice,-vnc}/ r,
121 /etc/pki/libvirt{,-spice,-vnc}/** r,
122 /etc/pki/qemu/ r,
123 /etc/pki/qemu/** r,
124
125 # the various binaries
126 /usr/bin/kvm rmix,
127 /usr/bin/kvm-spice rmix,
128 /usr/bin/qemu rmix,
129 /usr/bin/qemu-aarch64 rmix,
130 /usr/bin/qemu-alpha rmix,
131 /usr/bin/qemu-arm rmix,
132 /usr/bin/qemu-armeb rmix,
133 /usr/bin/qemu-cris rmix,
134 /usr/bin/qemu-i386 rmix,
135 /usr/bin/qemu-kvm rmix,
136 /usr/bin/qemu-m68k rmix,
137 /usr/bin/qemu-microblaze rmix,
138 /usr/bin/qemu-microblazeel rmix,
139 /usr/bin/qemu-mips rmix,
140 /usr/bin/qemu-mips64 rmix,
141 /usr/bin/qemu-mips64el rmix,
142 /usr/bin/qemu-mipsel rmix,
143 /usr/bin/qemu-mipsn32 rmix,
144 /usr/bin/qemu-mipsn32el rmix,
145 /usr/bin/qemu-or32 rmix,
146 /usr/bin/qemu-ppc rmix,
147 /usr/bin/qemu-ppc64 rmix,
148 /usr/bin/qemu-ppc64abi32 rmix,
149 /usr/bin/qemu-ppc64le rmix,
150 /usr/bin/qemu-s390x rmix,
151 /usr/bin/qemu-sh4 rmix,
152 /usr/bin/qemu-sh4eb rmix,
153 /usr/bin/qemu-sparc rmix,
154 /usr/bin/qemu-sparc32plus rmix,
155 /usr/bin/qemu-sparc64 rmix,
156 /usr/bin/qemu-system-aarch64 rmix,
157 /usr/bin/qemu-system-alpha rmix,
158 /usr/bin/qemu-system-arm rmix,
159 /usr/bin/qemu-system-cris rmix,
160 /usr/bin/qemu-system-hppa rmix,
161 /usr/bin/qemu-system-i386 rmix,
162 /usr/bin/qemu-system-lm32 rmix,
163 /usr/bin/qemu-system-m68k rmix,
164 /usr/bin/qemu-system-microblaze rmix,
165 /usr/bin/qemu-system-microblazeel rmix,
166 /usr/bin/qemu-system-mips rmix,
167 /usr/bin/qemu-system-mips64 rmix,
168 /usr/bin/qemu-system-mips64el rmix,
169 /usr/bin/qemu-system-mipsel rmix,
170 /usr/bin/qemu-system-moxie rmix,
171 /usr/bin/qemu-system-nios2 rmix,
172 /usr/bin/qemu-system-or1k rmix,
173 /usr/bin/qemu-system-or32 rmix,
174 /usr/bin/qemu-system-ppc rmix,
175 /usr/bin/qemu-system-ppc64 rmix,
176 /usr/bin/qemu-system-ppcemb rmix,
177 /usr/bin/qemu-system-riscv32 rmix,
178 /usr/bin/qemu-system-riscv64 rmix,
179 /usr/bin/qemu-system-s390x rmix,
180 /usr/bin/qemu-system-sh4 rmix,
181 /usr/bin/qemu-system-sh4eb rmix,
182 /usr/bin/qemu-system-sparc rmix,
183 /usr/bin/qemu-system-sparc64 rmix,
184 /usr/bin/qemu-system-tricore rmix,
185 /usr/bin/qemu-system-unicore32 rmix,
186 /usr/bin/qemu-system-x86_64 rmix,
187 /usr/bin/qemu-system-xtensa rmix,
188 /usr/bin/qemu-system-xtensaeb rmix,
189 /usr/bin/qemu-unicore32 rmix,
190 /usr/bin/qemu-x86_64 rmix,
191 # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
192 /usr/{lib,lib64}/qemu/*.so mr,
193 /usr/lib/@{multiarch}/qemu/*.so mr,
194
195 # let qemu load old shared objects after upgrades (LP: #1847361)
196 /{var/,}run/qemu/*/*.so mr,
197 # but explicitly deny writing to these files
198 audit deny /{var/,}run/qemu/*/*.so w,
199
200 # swtpm
201 /{usr/,}bin/swtpm rmix,
202 /usr/{lib,lib64}/libswtpm_libtpms.so mr,
203 /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
204
205 # for save and resume
206 /{usr/,}bin/dash rmix,
207 /{usr/,}bin/dd rmix,
208 /{usr/,}bin/cat rmix,
209
210 # for restore
211 /{usr/,}bin/bash rmix,
212
213 # for usb access
214 /dev/bus/usb/ r,
215 /etc/udev/udev.conf r,
216 /sys/bus/ r,
217 /sys/class/ r,
218
219 # for rbd
220 /etc/ceph/ceph.conf r,
221
222 # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
223 # dir and a few known functions like samba support.
224 # We want to avoid giving blanket rw permission to everything under /tmp,
225 # users are expected to add site specific addons for more uncommon cases.
226 # Qemu processes usually all run as the same user, so the "owner"
227 # restriction prevents access to other services' files, but not across
228 # different qemu instances.
229 # This is a tradeoff between usability and security - if paths would be more
230 # predictable that would be preferred - at least for write rules we would
231 # want more unique paths per rule.
232 /{,var/}tmp/ r,
233 owner /{,var/}tmp/**/ r,
234
235 # for file-posix getting limits since 9103f1ce
236 /sys/devices/**/block/*/queue/max_segments r,
237
238 # for ppc device-tree access
239 @{PROC}/device-tree/ r,
240 @{PROC}/device-tree/** r,
241 /sys/firmware/devicetree/** r,
242
243 # allow connect with openGraphicsFD to work
244 unix (send, receive) type=stream addr=none peer=(label=libvirtd),
245 unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
246
247 # allow access to charm-specific ceph config (LP: #1403648).
248 # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)
249 # Also allow the optional asok key that might be enabled by the charm (LP: #1779674)
250 /var/lib/charm/*/ceph.conf r,
251 /run/ceph/rbd-client-*.asok rw,
252
253 # kvm.powerpc executes/accesses this
254 /{usr/,}bin/uname rmix,
255 /{usr/,}sbin/ppc64_cpu rmix,
256 /{usr/,}bin/grep rmix,
257 /sys/devices/system/cpu/subcores_per_core r,
258 /sys/devices/system/cpu/cpu*/online r,
259
260 # for gathering information about available host resources
261 /sys/devices/system/cpu/ r,
262 /sys/devices/system/node/ r,
263 /sys/devices/system/node/node[0-9]*/meminfo r,
264 /sys/module/vhost/parameters/max_mem_regions r,
265
266 # silence refusals to open lttng files (see LP: #1432644)
267 deny /dev/shm/lttng-ust-wait-* r,
268 deny /run/shm/lttng-ust-wait-* r,
269
270 # for vfio hotplug on systems without static vfio (LP: #1775777)
271 /dev/vfio/vfio rw,
272
273 # for vhost-net/vsock/scsi hotplug (LP: #1815910)
274 /dev/vhost-net rw,
275 /dev/vhost-vsock rw,
276 /dev/vhost-scsi rw,
277
278 # required for sasl GSSAPI plugin
279 /etc/gss/mech.d/ r,
280 /etc/gss/mech.d/* r,
281
282 # required by libpmem init to fts_open()/fts_read() the symlinks in
283 # /sys/bus/nd/devices
284 / r, # harmless on any lsb compliant system
285 /sys/bus/nd/devices/{,**/} r,
286
287 # Site-specific additions and overrides. See local/README for details.
288 #include <local/abstractions/libvirt-qemu>
# NOTE(review): the three rules below were appended after the local include,
# i.e. into the packaged abstraction itself. The comment above names local/
# as the place for site additions, and a package upgrade may replace this
# file (verify for your distribution) - putting only the specific event
# device(s) in local/abstractions/libvirt-qemu keeps the change and narrows it.
# "/dev/input/* rw," already appears earlier in this file (next to /dev/ptmx),
# so this line is redundant, and it grants every guest profile that includes
# this abstraction read/write access to every host input device, not just the
# one being passed through.
289/dev/input/* rw,
# AppArmor is, as far as I know, evaluated against the resolved path of the
# file being opened, so a rule naming the by-id symlink is not expected to
# match when qemu opens the underlying event node - TODO confirm against the
# audit log before relying on these two lines.
# NOTE(review): the startup error on this page is "No such file or directory"
# for /dev/input/usb-Logitech_USB_Receiver-if02-event-kbd (no "by-id/"
# component in the path), not an AppArmor denial ("Permission denied"); the
# evdev path in the domain definition is what needs fixing, not these rules.
290/dev/input/by-id/usb-Logitech_USB_Receiver-if02-event-mouse rw,
291/dev/input/by-id/usb-Logitech_USB_Receiver-if02-event-kbd rw,
295qemu.conf
296
297# Master configuration file for the QEMU driver.
298# All settings described here are optional - if omitted, sensible
299# defaults are used.
300
301# Use of TLS requires that x509 certificates be issued. The default is
302# to keep them in /etc/pki/qemu. This directory must contain
303#
304# ca-cert.pem - the CA master certificate
305# server-cert.pem - the server certificate signed with ca-cert.pem
306# server-key.pem - the server private key
307#
308# and optionally may contain
309#
310# dh-params.pem - the DH params configuration file
311#
312# If the directory does not exist, libvirtd will fail to start. If the
313# directory doesn't contain the necessary files, QEMU domains will fail
314# to start if they are configured to use TLS.
315#
316# In order to overwrite the default path alter the following. This path
317# definition will be used as the default path for other *_tls_x509_cert_dir
318# configuration settings if their default path does not exist or is not
319# specifically set.
320#
321#default_tls_x509_cert_dir = "/etc/pki/qemu"
322
323
324# The default TLS configuration only uses certificates for the server
325# allowing the client to verify the server's identity and establish
326# an encrypted channel.
327#
328# It is possible to use x509 certificates for authentication too, by
329# issuing an x509 certificate to every client who needs to connect.
330#
331# Enabling this option will reject any client who does not have a
332# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
333#
334# The default_tls_x509_cert_dir directory must also contain
335#
336# client-cert.pem - the client certificate signed with the ca-cert.pem
337# client-key.pem - the client private key
338#
339# If this option is supplied it provides the default for the "_verify" option
340# of specific TLS users such as vnc, backups, migration, etc. The specific
341# users of TLS may override this by setting the specific "_verify" option.
342#
343# When not supplied the specific TLS users provide their own defaults.
344#
345#default_tls_x509_verify = 1
346
347#
348# Libvirt assumes the server-key.pem file is unencrypted by default.
349# To use an encrypted server-key.pem file, the password to decrypt
350# the PEM file is required. This can be provided by creating a secret
351# object in libvirt and then to uncomment this setting to set the UUID
352# of the secret.
353#
354# NB This default all-zeros UUID will not work. Replace it with the
355# output from the UUID for the TLS secret from a 'virsh secret-list'
356# command and then uncomment the entry
357#
358#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
359
360
361# VNC is configured to listen on 127.0.0.1 by default.
362# To make it listen on all public interfaces, uncomment
363# this next option.
364#
365# NB, strong recommendation to enable TLS + x509 certificate
366# verification when allowing public access
367#
368#vnc_listen = "0.0.0.0"
369
370# Enable this option to have VNC served over an automatically created
371# unix socket. This prevents unprivileged access from users on the
372# host machine, though most VNC clients do not support it.
373#
374# This will only be enabled for VNC configurations that have listen
375# type=address but without any address specified. This setting takes
376# preference over vnc_listen.
377#
378#vnc_auto_unix_socket = 1
379
380# Enable use of TLS encryption on the VNC server. This requires
381# a VNC client which supports the VeNCrypt protocol extension.
382# Examples include vinagre, virt-viewer, virt-manager and vencrypt
383# itself. UltraVNC, RealVNC, TightVNC do not support this
384#
385 # It is necessary to set up a CA and issue a server certificate
386# before enabling this.
387#
388#vnc_tls = 1
389
390
391# In order to override the default TLS certificate location for
392# vnc certificates, supply a valid path to the certificate directory.
393# If the provided path does not exist, libvirtd will fail to start.
394# If the path is not provided, but vnc_tls = 1, then the
395# default_tls_x509_cert_dir path will be used.
396#
397#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
398
399
400# Uncomment and use the following option to override the default secret
401# UUID provided in the default_tls_x509_secret_uuid parameter.
402#
403#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
404
405
406# The default TLS configuration only uses certificates for the server
407# allowing the client to verify the server's identity and establish
408# an encrypted channel.
409#
410# It is possible to use x509 certificates for authentication too, by
411# issuing an x509 certificate to every client who needs to connect.
412#
413# Enabling this option will reject any client that does not have a
414# certificate (as described in default_tls_x509_verify) signed by the
415# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).
416#
417# If this option is not supplied, it will be set to the value of
418# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
419# the default is "0".
420#
421#vnc_tls_x509_verify = 1
422
423
424# The default VNC password. Only 8 bytes are significant for
425# VNC passwords. This parameter is only used if the per-domain
426# XML config does not already provide a password. To allow
427# access without passwords, leave this commented out. An empty
428# string will still enable passwords, but be rejected by QEMU,
429# effectively preventing any use of VNC. Obviously change this
430# example here before you set this.
431#
432#vnc_password = "XYZ12345"
433
434
435# Enable use of SASL encryption on the VNC server. This requires
436# a VNC client which supports the SASL protocol extension.
437# Examples include vinagre, virt-viewer and virt-manager
438# itself. UltraVNC, RealVNC, TightVNC do not support this
439#
440# It is necessary to configure /etc/sasl2/qemu.conf to choose
441 # the desired SASL plugin (e.g. GSSAPI for Kerberos)
442#
443#vnc_sasl = 1
444
445
446# The default SASL configuration file is located in /etc/sasl2/
447# When running libvirtd unprivileged, it may be desirable to
448# override the configs in this location. Set this parameter to
449# point to the directory, and create a qemu.conf in that location
450#
451#vnc_sasl_dir = "/some/directory/sasl2"
452
453
454# QEMU implements an extension for providing audio over a VNC connection,
455# though if your VNC client does not support it, your only chance for getting
456# sound output is through regular audio backends. By default, libvirt will
457# disable all QEMU sound backends if using VNC, since they can cause
458# permissions issues. Enabling this option will make libvirtd honor the
459# QEMU_AUDIO_DRV environment variable when using VNC.
460#
461#vnc_allow_host_audio = 0
462
463
464
465# SPICE is configured to listen on 127.0.0.1 by default.
466# To make it listen on all public interfaces, uncomment
467# this next option.
468#
469# NB, strong recommendation to enable TLS + x509 certificate
470# verification when allowing public access
471#
472#spice_listen = "0.0.0.0"
473
474
475# Enable use of TLS encryption on the SPICE server.
476#
477 # It is necessary to set up a CA and issue a server certificate
478# before enabling this.
479#
480#spice_tls = 1
481
482
483# In order to override the default TLS certificate location for
484# spice certificates, supply a valid path to the certificate directory.
485# If the provided path does not exist, libvirtd will fail to start.
486# If the path is not provided, but spice_tls = 1, then the
487# default_tls_x509_cert_dir path will be used.
488#
489#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
490
491
492# Enable this option to have SPICE served over an automatically created
493# unix socket. This prevents unprivileged access from users on the
494# host machine.
495#
496# This will only be enabled for SPICE configurations that have listen
497# type=address but without any address specified. This setting takes
498# preference over spice_listen.
499#
500#spice_auto_unix_socket = 1
501
502
503# The default SPICE password. This parameter is only used if the
504# per-domain XML config does not already provide a password. To
505# allow access without passwords, leave this commented out. An
506# empty string will still enable passwords, but be rejected by
507# QEMU, effectively preventing any use of SPICE. Obviously change
508# this example here before you set this.
509#
510#spice_password = "XYZ12345"
511
512
513# Enable use of SASL encryption on the SPICE server. This requires
514# a SPICE client which supports the SASL protocol extension.
515#
516# It is necessary to configure /etc/sasl2/qemu.conf to choose
517 # the desired SASL plugin (e.g. GSSAPI for Kerberos)
518#
519#spice_sasl = 1
520
521# The default SASL configuration file is located in /etc/sasl2/
522# When running libvirtd unprivileged, it may be desirable to
523# override the configs in this location. Set this parameter to
524# point to the directory, and create a qemu.conf in that location
525#
526#spice_sasl_dir = "/some/directory/sasl2"
527
528# Enable use of TLS encryption on the chardev TCP transports.
529#
530 # It is necessary to set up a CA and issue a server certificate
531# before enabling this.
532#
533#chardev_tls = 1
534
535
536# In order to override the default TLS certificate location for character
537# device TCP certificates, supply a valid path to the certificate directory.
538# If the provided path does not exist, libvirtd will fail to start.
539# If the path is not provided, but chardev_tls = 1, then the
540# default_tls_x509_cert_dir path will be used.
541#
542#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
543
544
545# The default TLS configuration only uses certificates for the server
546# allowing the client to verify the server's identity and establish
547# an encrypted channel.
548#
549# It is possible to use x509 certificates for authentication too, by
550# issuing an x509 certificate to every client who needs to connect.
551#
552# Enabling this option will reject any client that does not have a
553# certificate (as described in default_tls_x509_verify) signed by the
554# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
555#
556# If this option is not supplied, it will be set to the value of
557# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
558# the default is "1".
559#
560#chardev_tls_x509_verify = 1
561
562
563# Uncomment and use the following option to override the default secret
564# UUID provided in the default_tls_x509_secret_uuid parameter.
565#
566# NB This default all-zeros UUID will not work. Replace it with the
567# output from the UUID for the TLS secret from a 'virsh secret-list'
568# command and then uncomment the entry
569#
570#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
571
572
573# Enable use of TLS encryption for all VxHS network block devices that
574# don't specifically disable.
575#
576# When the VxHS network block device server is set up appropriately,
577# x509 certificates are required for authentication between the clients
578# (qemu processes) and the remote VxHS server.
579#
580 # It is necessary to set up a CA and issue the client certificate before
581# enabling this.
582#
583#vxhs_tls = 1
584
585
586# In order to override the default TLS certificate location for VxHS
587# backed storage, supply a valid path to the certificate directory.
588# This is used to authenticate the VxHS block device clients to the VxHS
589# server.
590#
591# If the provided path does not exist, libvirtd will fail to start.
592# If the path is not provided, but vxhs_tls = 1, then the
593# default_tls_x509_cert_dir path will be used.
594#
595# VxHS block device clients expect the client certificate and key to be
596# present in the certificate directory along with the CA master certificate.
597# If using the default environment, default_tls_x509_verify must be configured.
598# Since this is only a client the server-key.pem certificate is not needed.
599# Thus a VxHS directory must contain the following:
600#
601# ca-cert.pem - the CA master certificate
602# client-cert.pem - the client certificate signed with the ca-cert.pem
603# client-key.pem - the client private key
604#
605#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
606
607
608# Uncomment and use the following option to override the default secret
609# UUID provided in the default_tls_x509_secret_uuid parameter.
610#
611# NB This default all-zeros UUID will not work. Replace it with the
612# output from the UUID for the TLS secret from a 'virsh secret-list'
613# command and then uncomment the entry
614#
615#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
616
617
618# Enable use of TLS encryption for all NBD disk devices that don't
619# specifically disable it.
620#
621# When the NBD server is set up appropriately, x509 certificates are required
622# for authentication between the client and the remote NBD server.
623#
624 # It is necessary to set up a CA and issue the client certificate before
625# enabling this.
626#
627#nbd_tls = 1
628
629
630# In order to override the default TLS certificate location for NBD
631# backed storage, supply a valid path to the certificate directory.
632# This is used to authenticate the NBD block device clients to the NBD
633# server.
634#
635# If the provided path does not exist, libvirtd will fail to start.
636# If the path is not provided, but nbd_tls = 1, then the
637# default_tls_x509_cert_dir path will be used.
638#
639# NBD block device clients expect the client certificate and key to be
640# present in the certificate directory along with the CA certificate.
641# Since this is only a client the server-key.pem certificate is not needed.
642# Thus a NBD directory must contain the following:
643#
644# ca-cert.pem - the CA master certificate
645# client-cert.pem - the client certificate signed with the ca-cert.pem
646# client-key.pem - the client private key
647#
648#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
649
650
651# Uncomment and use the following option to override the default secret
652# UUID provided in the default_tls_x509_secret_uuid parameter.
653#
654# NB This default all-zeros UUID will not work. Replace it with the
655# output from the UUID for the TLS secret from a 'virsh secret-list'
656# command and then uncomment the entry
657#
658#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
659
660
661# In order to override the default TLS certificate location for migration
662# certificates, supply a valid path to the certificate directory. If the
663# provided path does not exist, libvirtd will fail to start. If the path is
664# not provided, but TLS-encrypted migration is requested, then the
665# default_tls_x509_cert_dir path will be used. Once/if a default certificate is
666# enabled/defined, migration will then be able to use the certificate via
667# migration API flags.
668#
669#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
670
671
672# The default TLS configuration only uses certificates for the server
673# allowing the client to verify the server's identity and establish
674# an encrypted channel.
675#
676# It is possible to use x509 certificates for authentication too, by
677# issuing an x509 certificate to every client who needs to connect.
678#
679# Enabling this option will reject any client that does not have a
680# certificate (as described in default_tls_x509_verify) signed by the
681# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
682#
683# If this option is not supplied, it will be set to the value of
684# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
685# either, the default is "1".
686#
687#migrate_tls_x509_verify = 1
688
689
690# Uncomment and use the following option to override the default secret
691# UUID provided in the default_tls_x509_secret_uuid parameter.
692#
693# NB This default all-zeros UUID will not work. Replace it with the
694# output from the UUID for the TLS secret from a 'virsh secret-list'
695# command and then uncomment the entry
696#
697#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
698
699
700# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
701# automatically. Setting 'migrate_tls_force' to "1" will prevent any migration
702# which is not using VIR_MIGRATE_TLS to ensure higher level of security in
703# deployments with TLS.
704#
705#migrate_tls_force = 0
706
707
708# In order to override the default TLS certificate location for backup NBD
709# server certificates, supply a valid path to the certificate directory. If the
710# provided path does not exist, libvirtd will fail to start. If the path is
711# not provided, but TLS-encrypted backup is requested, then the
712# default_tls_x509_cert_dir path will be used.
713#
714#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
715
716
717# The default TLS configuration only uses certificates for the server
718# allowing the client to verify the server's identity and establish
719# an encrypted channel.
720#
721# It is possible to use x509 certificates for authentication too, by
722# issuing an x509 certificate to every client who needs to connect.
723#
724# Enabling this option will reject any client that does not have a
725# certificate (as described in default_tls_x509_verify) signed by the
726# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
727#
728# If this option is not supplied, it will be set to the value of
729# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
730# the default is "1".
731#
732#backup_tls_x509_verify = 1
733
734
735# Uncomment and use the following option to override the default secret
736# UUID provided in the default_tls_x509_secret_uuid parameter.
737#
738# NB This default all-zeros UUID will not work. Replace it with the
739# output from the UUID for the TLS secret from a 'virsh secret-list'
740# command and then uncomment the entry
741#
742#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
743
744
745# By default, if no graphical front end is configured, libvirt will disable
746# QEMU audio output since directly talking to alsa/pulseaudio may not work
747# with various security settings. If you know what you're doing, enable
748# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
749# environment variable when using nographics.
750#
751#nographics_allow_host_audio = 1
752
753
754# Override the port for creating both VNC and SPICE sessions (min).
755# This defaults to 5900 and increases for consecutive sessions
756# or when ports are occupied, until it hits the maximum.
757#
758# Minimum must be greater than or equal to 5900, as a lower number would
759# result in a negative VNC display number.
760#
761# Maximum must be less than 65536, because higher numbers do not make
762# sense as a port number.
763#
764#remote_display_port_min = 5900
765#remote_display_port_max = 65535
766
767# VNC WebSocket port policies, same rules apply as with remote display
768# ports. VNC WebSockets use similar display <-> port mappings, with
769# the exception being that ports start from 5700 instead of 5900.
770#
771#remote_websocket_port_min = 5700
772#remote_websocket_port_max = 65535
773
774# The default security driver is SELinux. If SELinux is disabled
775# on the host, then the security driver will automatically disable
776# itself. If you wish to disable QEMU SELinux security driver while
777# leaving SELinux enabled for the host in general, then set this
778# to 'none' instead. It's also possible to use more than one security
779# driver at the same time, for this use a list of names separated by
780# comma and delimited by square brackets. For example:
781#
782# security_driver = [ "selinux", "apparmor" ]
783#
784# Notes: The DAC security driver is always enabled; as a result, the
785# value of security_driver cannot contain "dac". The value "none" is
786# a special value; security_driver can be set to that value in
787# isolation, but it cannot appear in a list of drivers.
788#
789#security_driver = "selinux"
790
791# If set to non-zero, then the default security labeling
792# will make guests confined. If set to zero, then guests
793# will be unconfined by default. Defaults to 1.
794#security_default_confined = 1
795
796# If set to non-zero, then attempts to create unconfined
797# guests will be blocked. Defaults to 0.
798#security_require_confined = 1
799
800# The user for QEMU processes run by the system instance. It can be
801# specified as a user name or as a user id. The qemu driver will try to
802# parse this value first as a name and then, if the name doesn't exist,
803# as a user id.
804#
805# Since a sequence of digits is a valid user name, a leading plus sign
806# can be used to ensure that a user id will not be interpreted as a user
807# name.
808#
809# By default libvirt runs VMs as non-root and uses AppArmor profiles
810# to provide host protection and VM isolation. While AppArmor
811# continues to provide this protection when the VMs are running as
812# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is
813# allowed by default in the AppArmor security policy, so malicious VMs
814# running as root would have direct access to these device nodes. If changing this
815# to run as root, you may want to remove this access from
816# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see:
817# https://launchpad.net/bugs/1815910
818# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html
819#
820# Some examples of valid values are:
821#
822# user = "qemu" # A user named "qemu"
823# user = "+0" # Super user (uid=0)
824# user = "100" # A user named "100" or a user with uid=100
825#
# NOTE(review): QEMU processes will run as this named (presumably non-root)
# account rather than a dedicated service account. The root-specific
# /dev/vhost-* caveat above therefore does not apply and AppArmor confinement
# still does, but with dynamic_ownership left at its default of 1 libvirt
# will change ownership of the files it relabels to this user (see
# dynamic_ownership / remember_owner below), and anything that escapes a
# guest runs with whatever this account can already reach.
826user = "mattdawolf"
827
828# The group for QEMU processes run by the system instance. It can be
829# specified in a similar way to user.
830#group = "root"
831
832# Whether libvirt should dynamically change file ownership
833# to match the configured user/group above. Defaults to 1.
834# Set to 0 to disable file ownership changes.
835#dynamic_ownership = 1
836
837# Whether libvirt should remember and restore the original
838# ownership over files it is relabeling. Defaults to 1, set
839# to 0 to disable the feature.
840#remember_owner = 1
841
842# What cgroup controllers to make use of with QEMU guests
843#
844# - 'cpu' - use for scheduler tunables
845# - 'devices' - use for device access control
846# - 'memory' - use for memory tunables
847# - 'blkio' - use for block devices I/O tunables
848# - 'cpuset' - use for CPUs and memory nodes
849# - 'cpuacct' - use for CPUs statistics.
850#
851# NB, even if configured here, they won't be used unless
852# the administrator has mounted cgroups, e.g.:
853#
854# mkdir /dev/cgroup
855# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
856#
857# They can be mounted anywhere, and different controllers
858# can be mounted in different locations. libvirt will detect
859# where they are located.
860#
861#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
862
863# This is the basic set of devices allowed / required by
864# all virtual machines.
865#
866# As well as this, any configured block backed disks,
867# all sound devices, and all PTY devices are allowed.
868#
869# This will only need setting if newer QEMU suddenly
870# wants some device we don't already know about.
871#
872
# NOTE(review): the two /dev/input/by-id entries are presumably a local
# addition for evdev passthrough of a host keyboard and mouse; the remaining
# entries are the basic set described above. Points to check:
#  - The evdev path in the domain XML must match these entries exactly,
#    including the "by-id/" component. A path such as
#    /dev/input/usb-...-event-kbd normally does not exist, and QEMU then
#    fails at startup with "Could not open ...: No such file or directory".
#  - This list only opens the cgroup device gate; the AppArmor abstraction
#    (/etc/apparmor.d/abstractions/libvirt-qemu, referenced above) must
#    also permit the same nodes — confirm it does.
#  - While the guest holds the grab it receives raw host keyboard/mouse
#    input, so treat this like any other host-device passthrough when
#    deciding which guests may use it.
873cgroup_device_acl = [
874 "/dev/input/by-id/usb-Logitech_USB_Receiver-if02-event-mouse",
875 "/dev/input/by-id/usb-Logitech_USB_Receiver-if02-event-kbd",
876 "/dev/null", "/dev/full", "/dev/zero",
877 "/dev/random", "/dev/urandom",
878 "/dev/ptmx", "/dev/kvm"
879]
880#
881# RDMA migration requires the following extra files to be added to the list:
882# "/dev/infiniband/rdma_cm",
883# "/dev/infiniband/issm0",
884# "/dev/infiniband/issm1",
885# "/dev/infiniband/umad0",
886# "/dev/infiniband/umad1",
887# "/dev/infiniband/uverbs0"
888
889
890# The default format for QEMU/KVM guest save images is raw; that is, the
891# memory from the domain is dumped out directly to a file. If you have
892# guests with a large amount of memory, however, this can take up quite
893# a bit of space. If you would like to compress the images while they
894# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
895# for save_image_format. Note that this means you slow down the process of
896# saving a domain in order to save disk space; the list above is in descending
897# order by performance and ascending order by compression ratio.
898#
899# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
900# at scheduled saving, and it is an error if the specified save_image_format
901# is not valid, or the requested compression program can't be found.
902#
903# dump_image_format is used when you use 'virsh dump' at emergency
904# crashdump, and if the specified dump_image_format is not valid, or
905# the requested compression program can't be found, this falls
906# back to "raw" compression.
907#
908# snapshot_image_format specifies the compression algorithm of the memory save
909# image when an external snapshot of a domain is taken. This does not apply
910# on disk image format. It is an error if the specified format isn't valid,
911# or the requested compression program can't be found.
912#
913#save_image_format = "raw"
914#dump_image_format = "raw"
915#snapshot_image_format = "raw"
916
917# When a domain is configured to be auto-dumped when libvirtd receives a
918# watchdog event from qemu guest, libvirtd will save dump files in directory
919# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
920#
921#auto_dump_path = "/var/lib/libvirt/qemu/dump"
922
923# When a domain is configured to be auto-dumped, enabling this flag
924# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
925# virDomainCoreDump API. That is, the system will avoid using the
926# file system cache while writing the dump file, but may cause
927# slower operation.
928#
929#auto_dump_bypass_cache = 0
930
931# When a domain is configured to be auto-started, enabling this flag
932# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
933# with the virDomainCreateWithFlags API. That is, the system will
934# avoid using the file system cache when restoring any managed state
935# file, but may cause slower operation.
936#
937#auto_start_bypass_cache = 0
938
939# If provided by the host and a hugetlbfs mount point is configured,
940# a guest may request huge page backing. When this mount point is
941# unspecified here, determination of a host mount point in /proc/mounts
942# will be attempted. Specifying an explicit mount overrides detection
943# of the same in /proc/mounts. Setting the mount point to "" will
944# disable guest hugepage backing. If desired, multiple mount points can
945# be specified at once, separated by comma and enclosed in square
946# brackets, for example:
947#
948# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
949#
950# The size of huge page served by specific mount point is determined by
951# libvirt at the daemon startup.
952#
953# NB, within these mount points, guests will create memory backing
954# files in a location of $MOUNTPOINT/libvirt/qemu
955#
956#hugetlbfs_mount = "/dev/hugepages"
957
958
959# Path to the setuid helper for creating tap devices. This executable
960# is used to create <source type='bridge'> interfaces when libvirtd is
961# running unprivileged. libvirt invokes the helper directly, instead
962# of using "-netdev bridge", for security reasons.
963#bridge_helper = "/usr/libexec/qemu-bridge-helper"
964
965
966# If enabled, libvirt will have QEMU set its process name to
967# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
968# process will appear as "qemu:VM_NAME" in process listings and
969# other system monitoring tools. By default, QEMU does not set
970# its process title, so the complete QEMU command (emulator and
971# its arguments) appear in process listings.
972#
973#set_process_name = 1
974
975
976# If max_processes is set to a positive integer, libvirt will use
977# it to set the maximum number of processes that can be run by qemu
978# user. This can be used to override default value set by host OS.
979# The same applies to max_files which sets the limit on the maximum
980# number of opened files.
981#
982#max_processes = 0
983#max_files = 0
984
985# If max_threads_per_process is set to a positive integer, libvirt
986# will use it to set the maximum number of threads that can be
987# created by a qemu process. Some VM configurations can result in
988# qemu processes with tens of thousands of threads. systemd-based
989# systems typically limit the number of threads per process to
990# 16k. max_threads_per_process can be used to override default
991# limits in the host OS.
992#
993#max_threads_per_process = 0
994
995# If max_core is set to a non-zero integer, then QEMU will be
996# permitted to create core dumps when it crashes, provided its
997# RAM size is smaller than the limit set.
998#
999# Be warned that the core dump will include a full copy of the
1000# guest RAM, if the 'dump_guest_core' setting has been enabled,
1001# or if the guest XML contains
1002#
1003# <memory dumpcore="on">...guest ram...</memory>
1004#
1005# If guest RAM is to be included, ensure the max_core limit
1006# is set to at least the size of the largest expected guest
1007# plus another 1GB for any QEMU host side memory mappings.
1008#
1009# As a special case it can be set to the string "unlimited"
1010# to allow arbitrarily sized core dumps.
1011#
1012# By default the core dump size is set to 0 disabling all dumps
1013#
1014# Size is a positive integer specifying bytes or the
1015# string "unlimited"
1016#
1017#max_core = "unlimited"
1018
1019# Determine if guest RAM is included in QEMU core dumps. By
1020# default guest RAM will be excluded if a new enough QEMU is
1021# present. Setting this to '1' will force guest RAM to always
1022# be included in QEMU core dumps.
1023#
1024# This setting will be ignored if the guest XML has set the
1025# dumpcore attribute on the <memory> element.
1026#
1027#dump_guest_core = 1
1028
1029# mac_filter enables MAC addressed based filtering on bridge ports.
1030# This currently requires ebtables to be installed.
1031#
1032#mac_filter = 1
1033
1034
1035# By default, PCI devices below non-ACS switch are not allowed to be assigned
1036# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
1037# be assigned to guests.
1038#
1039#relaxed_acs_check = 1
1040
1041
1042# In order to prevent accidentally starting two domains that
1043# share one writable disk, libvirt offers two approaches for
1044# locking files. The first one is sanlock; the other one,
1045# virtlockd, is libvirt's own implementation. Accepted values
1046# are "sanlock" and "lockd".
1047#
1048#lock_manager = "lockd"
1049
1050
1051# Set the limit on the maximum number of APIs queued on one domain. Any
1052# further APIs over this threshold will fail to acquire the job lock.
1053# Setting this to zero turns the feature off.
1054# Note that the job lock is per domain.
1055#
1056#max_queued = 0
1057
1058###################################################################
1059# Keepalive protocol:
1060# This allows qemu driver to detect broken connections to remote
1061# libvirtd during peer-to-peer migration. A keepalive message is
1062# sent to the daemon after keepalive_interval seconds of inactivity
1063# to check if the daemon is still responding; keepalive_count is a
1064# maximum number of keepalive messages that are allowed to be sent
1065# to the daemon without getting any response before the connection
1066# is considered broken. In other words, the connection is
1067# automatically closed approximately after
1068# keepalive_interval * (keepalive_count + 1) seconds since the last
1069# message received from the daemon. If keepalive_interval is set to
1070# -1, qemu driver will not send keepalive requests during
1071# peer-to-peer migration; however, the remote libvirtd can still
1072# send them and source libvirtd will send responses. When
1073# keepalive_count is set to 0, connections will be automatically
1074# closed after keepalive_interval seconds of inactivity without
1075# sending any keepalive messages.
1076#
1077#keepalive_interval = 5
1078#keepalive_count = 5
1079
1080
1081
1082# Use seccomp syscall sandbox in QEMU.
1083# 1 == seccomp enabled, 0 == seccomp disabled
1084#
1085# If it is unset (or -1), then seccomp will be enabled
1086# only if QEMU >= 2.11.0 is detected, otherwise it is
1087# left disabled. This ensures the default config gets
1088# protection for new QEMU using the blacklist approach.
1089#
1090#seccomp_sandbox = 1
1091
1092
1093# Override the listen address for all incoming migrations. Defaults to
1094# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
1095#migration_address = "0.0.0.0"
1096
1097
1098# The default hostname or IP address which will be used by a migration
1099# source for transferring migration data to this host. The migration
1100# source has to be able to resolve this hostname and connect to it so
1101# setting "localhost" will not work. By default, the host's configured
1102# hostname is used.
1103#migration_host = "host.example.com"
1104
1105
1106# Override the port range used for incoming migrations.
1107#
1108# Minimum must be greater than 0, however when QEMU is not running as root,
1109# setting the minimum to be lower than 1024 will not work.
1110#
1111# Maximum must not be greater than 65535.
1112#
1113#migration_port_min = 49152
1114#migration_port_max = 49215
1115
1116
1117
1118# Timestamp QEMU's log messages (if QEMU supports it)
1119#
1120# Defaults to 1.
1121#
1122#log_timestamp = 0
1123
1124
1125# Location of master nvram file
1126#
1127# This configuration option is obsolete. Libvirt will follow the
1128# QEMU firmware metadata specification to automatically locate
1129# firmware images. See docs/interop/firmware.json in the QEMU
1130# source tree. These metadata files are distributed alongside any
1131# firmware images intended for use with QEMU.
1132#
1133# NOTE: if ANY firmware metadata files are detected, this setting
1134# will be COMPLETELY IGNORED.
1135#
1136# ------------------------------------------
1137#
1138# When a domain is configured to use UEFI instead of standard
1139# BIOS it may use a separate storage for UEFI variables. If
1140# that's the case libvirt creates the variable store per domain
1141# using this master file as an image. Each UEFI firmware can,
1142# however, have a different variable store. Therefore nvram is
1143# a list of strings, each item having the form
1144# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
1145# Later, when libvirt creates per domain variable store, this list is
1146# searched for the master image. The UEFI firmware can be called
1147# differently for different guest architectures. For instance, it's OVMF
1148# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
1149# follows this scheme.
1150#nvram = [
1151# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
1152# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
1153# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
1154# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
1155# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
1156#]
1157
1158# The backend to use for handling stdout/stderr output from
1159# QEMU processes.
1160#
1161# 'file': QEMU writes directly to a plain file. This is the
1162# historical default, but allows QEMU to inflict a
1163# denial of service attack on the host by exhausting
1164# filesystem space
1165#
1166# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
1167# This is the current default, providing protection
1168# against denial of service by performing log file
1169# rollover when a size limit is hit.
1170#
1171#stdio_handler = "logd"
1172
1173# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
1174# most verbose, and 0 representing no debugging output.
1175#
1176# The current logging levels defined in the gluster GFAPI are:
1177#
1178# 0 - None
1179# 1 - Emergency
1180# 2 - Alert
1181# 3 - Critical
1182# 4 - Error
1183# 5 - Warning
1184# 6 - Notice
1185# 7 - Info
1186# 8 - Debug
1187# 9 - Trace
1188#
1189# Defaults to 4
1190#
1191#gluster_debug_level = 9
1192
1193# virtiofsd debug
1194#
1195# Whether to enable the debugging output of the virtiofsd daemon.
1196# Possible values are 0 or 1. Disabled by default.
1197#
1198#virtiofsd_debug = 1
1199
1200# To enhance security, QEMU driver is capable of creating private namespaces
1201# for each domain started. Well, so far only "mount" namespace is supported. If
1202# enabled it means qemu process is unable to see all the devices on the system,
1203# only those configured for the domain in question. Libvirt then manages
1204# device entries throughout the domain lifetime. This namespace is turned on
1205# by default.
1206#namespaces = [ "mount" ]
1207
1208# This directory is used for memoryBacking source if configured as file.
1209# NOTE: big files will be stored here
1210#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
1211
1212# Path to the SCSI persistent reservations helper. This helper is
1213# used whenever <reservations/> are enabled for SCSI LUN devices.
1214#pr_helper = "/usr/bin/qemu-pr-helper"
1215
1216# Path to the SLIRP networking helper.
1217#slirp_helper = "/usr/bin/slirp-helper"
1218
1219# Path to the dbus-daemon
1220#dbus_daemon = "/usr/bin/dbus-daemon"
1221
1222# User for the swtpm TPM Emulator
1223#
1224# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
1225# and uses; alternative is 'root'
1226#
1227#swtpm_user = "tss"
1228#swtpm_group = "tss"
1229
1230# For debugging and testing purposes it's sometimes useful to be able to disable
1231# libvirt behaviour based on the capabilities of the qemu process. This option
1232# allows that. DO _NOT_ use in production and be aware that the behaviour
1233# may change across versions.
1234#
1235#capability_filters = [ "capname" ]
1236