1# Master configuration file for the QEMU driver.
2# All settings described here are optional - if omitted, sensible
3# defaults are used.
4
5# Use of TLS requires that x509 certificates be issued. The default is
6# to keep them in /etc/pki/qemu. This directory must contain
7#
8# ca-cert.pem - the CA master certificate
9# server-cert.pem - the server certificate signed with ca-cert.pem
10# server-key.pem - the server private key
11#
12# and optionally may contain
13#
14# dh-params.pem - the DH params configuration file
15#
16# If the directory does not exist, libvirtd will fail to start. If the
17# directory doesn't contain the necessary files, QEMU domains will fail
18# to start if they are configured to use TLS.
19#
20# In order to override the default path, alter the following. This path
21# definition will be used as the default path for other *_tls_x509_cert_dir
22# configuration settings if their default path does not exist or is not
23# specifically set.
24#
25#default_tls_x509_cert_dir = "/etc/pki/qemu"
26
27
28# The default TLS configuration only uses certificates for the server
29# allowing the client to verify the server's identity and establish
30# an encrypted channel.
31#
32# It is possible to use x509 certificates for authentication too, by
33# issuing an x509 certificate to every client who needs to connect.
34#
35# Enabling this option will reject any client who does not have a
36# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
37#
38# The default_tls_x509_cert_dir directory must also contain
39#
40# client-cert.pem - the client certificate signed with the ca-cert.pem
41# client-key.pem - the client private key
42#
43#default_tls_x509_verify = 1
44
45#
46# Libvirt assumes the server-key.pem file is unencrypted by default.
47# To use an encrypted server-key.pem file, the password to decrypt
48# the PEM file is required. This can be provided by creating a secret
49# object in libvirt and then uncommenting this setting to set the UUID
50# of the secret.
51#
52# NB This default all-zeros UUID will not work. Replace it with the
53# output from the UUID for the TLS secret from a 'virsh secret-list'
54# command and then uncomment the entry
55#
56#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
57
58
59# VNC is configured to listen on 127.0.0.1 by default.
60# To make it listen on all public interfaces, uncomment
61# this next option.
62#
63# NB, strong recommendation to enable TLS + x509 certificate
64# verification when allowing public access
65#
66#vnc_listen = "0.0.0.0"
67
68# Enable this option to have VNC served over an automatically created
69# unix socket. This prevents unprivileged access from users on the
70# host machine, though most VNC clients do not support it.
71#
72# This will only be enabled for VNC configurations that have listen
73# type=address but without any address specified. This setting takes
74# preference over vnc_listen.
75#
76#vnc_auto_unix_socket = 1
77
78# Enable use of TLS encryption on the VNC server. This requires
79# a VNC client which supports the VeNCrypt protocol extension.
80# Examples include vinagre, virt-viewer, virt-manager and vencrypt
81# itself. UltraVNC, RealVNC, TightVNC do not support this
82#
83# It is necessary to set up a CA and issue a server certificate
84# before enabling this.
85#
86#vnc_tls = 1
87
88
89# In order to override the default TLS certificate location for
90# vnc certificates, supply a valid path to the certificate directory.
91# If the provided path does not exist, libvirtd will fail to start.
92# If the path is not provided, but vnc_tls = 1, then the
93# default_tls_x509_cert_dir path will be used.
94#
95#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
96
97
98# Uncomment and use the following option to override the default secret
99# UUID provided in the default_tls_x509_secret_uuid parameter.
100#
101#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
102
103
104# The default TLS configuration only uses certificates for the server
105# allowing the client to verify the server's identity and establish
106# an encrypted channel.
107#
108# It is possible to use x509 certificates for authentication too, by
109# issuing an x509 certificate to every client who needs to connect.
110#
111# Enabling this option will reject any client that does not have a
112# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
113# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
114# files described in default_tls_x509_cert_dir.
115#
116# If this option is not supplied, it will be set to the value of
117# "default_tls_x509_verify".
118#
119#vnc_tls_x509_verify = 1
120
121
122# The default VNC password. Only 8 bytes are significant for
123# VNC passwords. This parameter is only used if the per-domain
124# XML config does not already provide a password. To allow
125# access without passwords, leave this commented out. An empty
126# string will still enable passwords, but be rejected by QEMU,
127# effectively preventing any use of VNC. Obviously change this
128# example here before you set this.
129#
130#vnc_password = "XYZ12345"
131
132
133# Enable use of SASL encryption on the VNC server. This requires
134# a VNC client which supports the SASL protocol extension.
135# Examples include vinagre, virt-viewer and virt-manager
136# itself. UltraVNC, RealVNC, TightVNC do not support this
137#
138# It is necessary to configure /etc/sasl2/qemu.conf to choose
139# the desired SASL plugin (eg, GSSAPI for Kerberos)
140#
141#vnc_sasl = 1
142
143
144# The default SASL configuration file is located in /etc/sasl2/
145# When running libvirtd unprivileged, it may be desirable to
146# override the configs in this location. Set this parameter to
147# point to the directory, and create a qemu.conf in that location
148#
149#vnc_sasl_dir = "/some/directory/sasl2"
150
151
152# QEMU implements an extension for providing audio over a VNC connection,
153# though if your VNC client does not support it, your only chance for getting
154# sound output is through regular audio backends. By default, libvirt will
155# disable all QEMU sound backends if using VNC, since they can cause
156# permissions issues. Enabling this option will make libvirtd honor the
157# QEMU_AUDIO_DRV environment variable when using VNC.
158#
159#vnc_allow_host_audio = 0
160
161
162
163# SPICE is configured to listen on 127.0.0.1 by default.
164# To make it listen on all public interfaces, uncomment
165# this next option.
166#
167# NB, strong recommendation to enable TLS + x509 certificate
168# verification when allowing public access
169#
170#spice_listen = "0.0.0.0"
171
172
173# Enable use of TLS encryption on the SPICE server.
174#
175# It is necessary to set up a CA and issue a server certificate
176# before enabling this.
177#
178#spice_tls = 1
179
180
181# In order to override the default TLS certificate location for
182# spice certificates, supply a valid path to the certificate directory.
183# If the provided path does not exist, libvirtd will fail to start.
184# If the path is not provided, but spice_tls = 1, then the
185# default_tls_x509_cert_dir path will be used.
186#
187#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
188
189
190# Enable this option to have SPICE served over an automatically created
191# unix socket. This prevents unprivileged access from users on the
192# host machine.
193#
194# This will only be enabled for SPICE configurations that have listen
195# type=address but without any address specified. This setting takes
196# preference over spice_listen.
197#
198#spice_auto_unix_socket = 1
199
200
201# The default SPICE password. This parameter is only used if the
202# per-domain XML config does not already provide a password. To
203# allow access without passwords, leave this commented out. An
204# empty string will still enable passwords, but be rejected by
205# QEMU, effectively preventing any use of SPICE. Obviously change
206# this example here before you set this.
207#
208#spice_password = "XYZ12345"
209
210
211# Enable use of SASL encryption on the SPICE server. This requires
212# a SPICE client which supports the SASL protocol extension.
213#
214# It is necessary to configure /etc/sasl2/qemu.conf to choose
215# the desired SASL plugin (eg, GSSAPI for Kerberos)
216#
217#spice_sasl = 1
218
219# The default SASL configuration file is located in /etc/sasl2/
220# When running libvirtd unprivileged, it may be desirable to
221# override the configs in this location. Set this parameter to
222# point to the directory, and create a qemu.conf in that location
223#
224#spice_sasl_dir = "/some/directory/sasl2"
225
226# Enable use of TLS encryption on the chardev TCP transports.
227#
228# It is necessary to set up a CA and issue a server certificate
229# before enabling this.
230#
231#chardev_tls = 1
232
233
234# In order to override the default TLS certificate location for character
235# device TCP certificates, supply a valid path to the certificate directory.
236# If the provided path does not exist, libvirtd will fail to start.
237# If the path is not provided, but chardev_tls = 1, then the
238# default_tls_x509_cert_dir path will be used.
239#
240#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
241
242
243# The default TLS configuration only uses certificates for the server
244# allowing the client to verify the server's identity and establish
245# an encrypted channel.
246#
247# It is possible to use x509 certificates for authentication too, by
248# issuing an x509 certificate to every client who needs to connect.
249#
250# Enabling this option will reject any client that does not have a
251# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
252# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
253# files described in default_tls_x509_cert_dir.
254#
255# If this option is not supplied, it will be set to the value of
256# "default_tls_x509_verify".
257#
258#chardev_tls_x509_verify = 1
259
260
261# Uncomment and use the following option to override the default secret
262# UUID provided in the default_tls_x509_secret_uuid parameter.
263#
264# NB This default all-zeros UUID will not work. Replace it with the
265# output from the UUID for the TLS secret from a 'virsh secret-list'
266# command and then uncomment the entry
267#
268#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
269
270
271# Enable use of TLS encryption for all VxHS network block devices that
272# don't specifically disable.
273#
274# When the VxHS network block device server is set up appropriately,
275# x509 certificates are required for authentication between the clients
276# (qemu processes) and the remote VxHS server.
277#
278# It is necessary to set up a CA and issue the client certificate before
279# enabling this.
280#
281#vxhs_tls = 1
282
283
284# In order to override the default TLS certificate location for VxHS
285# backed storage, supply a valid path to the certificate directory.
286# This is used to authenticate the VxHS block device clients to the VxHS
287# server.
288#
289# If the provided path does not exist, libvirtd will fail to start.
290# If the path is not provided, but vxhs_tls = 1, then the
291# default_tls_x509_cert_dir path will be used.
292#
293# VxHS block device clients expect the client certificate and key to be
294# present in the certificate directory along with the CA master certificate.
295# If using the default environment, default_tls_x509_verify must be configured.
296# Since this is only a client, the server-key.pem private key is not needed.
297# Thus a VxHS directory must contain the following:
298#
299# ca-cert.pem - the CA master certificate
300# client-cert.pem - the client certificate signed with the ca-cert.pem
301# client-key.pem - the client private key
302#
303#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
304
305
306
307# Enable use of TLS encryption for all NBD disk devices that don't
308# specifically disable it.
309#
310# When the NBD server is set up appropriately, x509 certificates are required
311# for authentication between the client and the remote NBD server.
312#
313# It is necessary to set up a CA and issue the client certificate before
314# enabling this.
315#
316#nbd_tls = 1
317
318
319# In order to override the default TLS certificate location for NBD
320# backed storage, supply a valid path to the certificate directory.
321# This is used to authenticate the NBD block device clients to the NBD
322# server.
323#
324# If the provided path does not exist, libvirtd will fail to start.
325# If the path is not provided, but nbd_tls = 1, then the
326# default_tls_x509_cert_dir path will be used.
327#
328# NBD block device clients expect the client certificate and key to be
329# present in the certificate directory along with the CA certificate.
330# Since this is only a client, the server-key.pem private key is not needed.
331# Thus a NBD directory must contain the following:
332#
333# ca-cert.pem - the CA master certificate
334# client-cert.pem - the client certificate signed with the ca-cert.pem
335# client-key.pem - the client private key
336#
337#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
338
339
340# In order to override the default TLS certificate location for migration
341# certificates, supply a valid path to the certificate directory. If the
342# provided path does not exist, libvirtd will fail to start. If the path is
343# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
344# will be used. Once/if a default certificate is enabled/defined, migration
345# will then be able to use the certificate via migration API flags.
346#
347#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
348
349
350# The default TLS configuration only uses certificates for the server
351# allowing the client to verify the server's identity and establish
352# an encrypted channel.
353#
354# It is possible to use x509 certificates for authentication too, by
355# issuing an x509 certificate to every client who needs to connect.
356#
357# Enabling this option will reject any client that does not have a
358# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
359# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
360# files described in default_tls_x509_cert_dir.
361#
362# If this option is not supplied, it will be set to the value of
363# "default_tls_x509_verify".
364#
365#migrate_tls_x509_verify = 1
366
367
368# Uncomment and use the following option to override the default secret
369# UUID provided in the default_tls_x509_secret_uuid parameter.
370#
371# NB This default all-zeros UUID will not work. Replace it with the
372# output from the UUID for the TLS secret from a 'virsh secret-list'
373# command and then uncomment the entry
374#
375#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
376
377
378# By default, if no graphical front end is configured, libvirt will disable
379# QEMU audio output since directly talking to alsa/pulseaudio may not work
380# with various security settings. If you know what you're doing, enable
381# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
382# environment variable when using nographics.
383#
384#nographics_allow_host_audio = 1
385
386
387# Override the port for creating both VNC and SPICE sessions (min).
388# This defaults to 5900 and increases for consecutive sessions
389# or when ports are occupied, until it hits the maximum.
390#
391# Minimum must be greater than or equal to 5900, as a lower number would
392# result in a negative VNC display number.
393#
394# Maximum must be less than 65536, because higher numbers do not make
395# sense as a port number.
396#
397#remote_display_port_min = 5900
398#remote_display_port_max = 65535
399
400# VNC WebSocket port policies, same rules apply as with remote display
401# ports. VNC WebSockets use similar display <-> port mappings, with
402# the exception being that ports start from 5700 instead of 5900.
403#
404#remote_websocket_port_min = 5700
405#remote_websocket_port_max = 65535
406
407# The default security driver is SELinux. If SELinux is disabled
408# on the host, then the security driver will automatically disable
409# itself. If you wish to disable QEMU SELinux security driver while
410# leaving SELinux enabled for the host in general, then set this
411# to 'none' instead. It's also possible to use more than one security
412# driver at the same time; for this, use a list of names separated by
413# commas and delimited by square brackets. For example:
414#
415# security_driver = [ "selinux", "apparmor" ]
416#
417# Notes: The DAC security driver is always enabled; as a result, the
418# value of security_driver cannot contain "dac". The value "none" is
419# a special value; security_driver can be set to that value in
420# isolation, but it cannot appear in a list of drivers.
421#
422#security_driver = "selinux"
423
424# If set to non-zero, then the default security labeling
425# will make guests confined. If set to zero, then guests
426# will be unconfined by default. Defaults to 1.
427#security_default_confined = 1
428
429# If set to non-zero, then attempts to create unconfined
430# guests will be blocked. Defaults to 0.
431#security_require_confined = 1
432
433# The user for QEMU processes run by the system instance. It can be
434# specified as a user name or as a user id. The qemu driver will try to
435# parse this value first as a name and then, if the name doesn't exist,
436# as a user id.
437#
438# Since a sequence of digits is a valid user name, a leading plus sign
439# can be used to ensure that a user id will not be interpreted as a user
440# name.
441#
442# Some examples of valid values are:
443#
444# user = "qemu" # A user named "qemu"
445# user = "+0" # Super user (uid=0)
446# user = "100" # A user named "100" or a user with uid=100
447#
# Set locally to "nano" (the upstream example above is a dedicated
# "qemu" account). Every QEMU process of the system instance then runs
# with that account's identity, so a guest escape ends up with whatever
# that user owns and can reach. NOTE(review): if "nano" is an interactive
# login account, confirm a dedicated unprivileged user is not workable
# here — dynamic_ownership (below) is meant to re-own files for the
# configured user; verify it covers the input devices listed under
# cgroup_device_acl before relying on a personal account instead.
448user = "nano"
449
450# The group for QEMU processes run by the system instance. It can be
451# specified in a similar way to user.
452#group = "1000"
453
454# Whether libvirt should dynamically change file ownership
455# to match the configured user/group above. Defaults to 1.
456# Set to 0 to disable file ownership changes.
457#dynamic_ownership = 1
458
459# Whether libvirt should remember and restore the original
460# ownership over files it is relabeling. Defaults to 1, set
461# to 0 to disable the feature.
462#remember_owner = 1
463
464# What cgroup controllers to make use of with QEMU guests
465#
466# - 'cpu' - use for scheduler tunables
467# - 'devices' - use for device whitelisting
468# - 'memory' - use for memory tunables
469# - 'blkio' - use for block devices I/O tunables
470# - 'cpuset' - use for CPUs and memory nodes
471# - 'cpuacct' - use for CPUs statistics.
472#
473# NB, even if configured here, they won't be used unless
474# the administrator has mounted cgroups, e.g.:
475#
476# mkdir /dev/cgroup
477# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
478#
479# They can be mounted anywhere, and different controllers
480# can be mounted in different locations. libvirt will detect
481# where they are located.
482#
483#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
484
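485# This is the basic set of devices allowed / required by
486# all virtual machines.
487#
488# As well as this, any configured block backed disks,
489# all sound devices, and all PTY devices are allowed.
490#
491# This will only need setting if newer QEMU suddenly
492# wants some device we don't already know about.
493#
# Local additions to the upstream list: the two /dev/input/by-id
# entries grant every QEMU process started by this driver access to
# that keyboard and mouse (presumably for evdev passthrough), and
# /dev/vfio/vfio is the VFIO container node. Because this list applies
# to all virtual machines, each entry is reachable from every guest,
# not only the one doing the passthrough — keep it to what is needed.
#
# Every path must be absolute: "dev/kqemu" (no leading slash) was
# corrected to "/dev/kqemu", the form used in the upstream default.
# NOTE(review): kqemu is a legacy entry carried over from upstream;
# confirm the node even exists on this host before keeping it.
494cgroup_device_acl = [
495 "/dev/input/by-id/usb-Corsair_CORSAIR_K70_RGB_MK.2_LOW_PROFILE_Mechanical_Gaming_Keyboard_04012031AF3DA0285BFAAFE9F5001BC4-event-kbd",
496 "/dev/input/by-id/usb-Logitech_USB_Receiver-if02-event-mouse",
497 "/dev/null", "/dev/full", "/dev/zero",
498 "/dev/random", "/dev/urandom",
499 "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
500 "/dev/rtc","/dev/hpet", "/dev/vfio/vfio"
501]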
502#
503# RDMA migration requires the following extra files to be added to the list:
504# "/dev/infiniband/rdma_cm",
505# "/dev/infiniband/issm0",
506# "/dev/infiniband/issm1",
507# "/dev/infiniband/umad0",
508# "/dev/infiniband/umad1",
509# "/dev/infiniband/uverbs0"
510
511
512# The default format for QEMU/KVM guest save images is raw; that is, the
513# memory from the domain is dumped out directly to a file. If you have
514# guests with a large amount of memory, however, this can take up quite
515# a bit of space. If you would like to compress the images while they
516# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
517# for save_image_format. Note that this means you slow down the process of
518# saving a domain in order to save disk space; the list above is in descending
519# order by performance and ascending order by compression ratio.
520#
521# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
522# at scheduled saving, and it is an error if the specified save_image_format
523# is not valid, or the requested compression program can't be found.
524#
525# dump_image_format is used when you use 'virsh dump' at emergency
526# crashdump, and if the specified dump_image_format is not valid, or
527# the requested compression program can't be found, this falls
528# back to "raw" compression.
529#
530# snapshot_image_format specifies the compression algorithm of the memory save
531# image when an external snapshot of a domain is taken. This does not apply
532# on disk image format. It is an error if the specified format isn't valid,
533# or the requested compression program can't be found.
534#
535#save_image_format = "raw"
536#dump_image_format = "raw"
537#snapshot_image_format = "raw"
538
539# When a domain is configured to be auto-dumped when libvirtd receives a
540# watchdog event from qemu guest, libvirtd will save dump files in directory
541# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
542#
543#auto_dump_path = "/var/lib/libvirt/qemu/dump"
544
545# When a domain is configured to be auto-dumped, enabling this flag
546# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
547# virDomainCoreDump API. That is, the system will avoid using the
548# file system cache while writing the dump file, but may cause
549# slower operation.
550#
551#auto_dump_bypass_cache = 0
552
553# When a domain is configured to be auto-started, enabling this flag
554# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
555# with the virDomainCreateWithFlags API. That is, the system will
556# avoid using the file system cache when restoring any managed state
557# file, but may cause slower operation.
558#
559#auto_start_bypass_cache = 0
560
561# If provided by the host and a hugetlbfs mount point is configured,
562# a guest may request huge page backing. When this mount point is
563# unspecified here, determination of a host mount point in /proc/mounts
564# will be attempted. Specifying an explicit mount overrides detection
565# of the same in /proc/mounts. Setting the mount point to "" will
566# disable guest hugepage backing. If desired, multiple mount points can
567# be specified at once, separated by comma and enclosed in square
568# brackets, for example:
569#
570# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
571#
572# The size of huge page served by specific mount point is determined by
573# libvirt at the daemon startup.
574#
575# NB, within these mount points, guests will create memory backing
576# files in a location of $MOUNTPOINT/libvirt/qemu
577#
578#hugetlbfs_mount = "/dev/hugepages"
579
580
581# Path to the setuid helper for creating tap devices. This executable
582# is used to create <source type='bridge'> interfaces when libvirtd is
583# running unprivileged. libvirt invokes the helper directly, instead
584# of using "-netdev bridge", for security reasons.
585#bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
586
587
588
589# If clear_emulator_capabilities is enabled, libvirt will drop all
590# privileged capabilities of the QEMU/KVM emulator. This is enabled by
591# default.
592#
593# Warning: Disabling this option means that a compromised guest can
594# exploit the privileges and possibly do damage to the host.
595#
# Set to 0 in this file, i.e. the capability drop is disabled and the
# warning above applies to this host: every guest's QEMU keeps whatever
# capabilities libvirt started it with. NOTE(review): record which
# feature needs this and re-test with the default of 1 — if it was
# turned off for the passthrough devices under cgroup_device_acl, the
# device ACL plus dynamic_ownership may be sufficient on their own.
596clear_emulator_capabilities = 0
597
598
599# If enabled, libvirt will have QEMU set its process name to
600# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
601# process will appear as "qemu:VM_NAME" in process listings and
602# other system monitoring tools. By default, QEMU does not set
603# its process title, so the complete QEMU command (emulator and
604# its arguments) appear in process listings.
605#
606#set_process_name = 1
607
608
609# If max_processes is set to a positive integer, libvirt will use
610# it to set the maximum number of processes that can be run by qemu
611# user. This can be used to override default value set by host OS.
612# The same applies to max_files which sets the limit on the maximum
613# number of opened files.
614#
615#max_processes = 0
616#max_files = 0
617
618# If max_threads_per_process is set to a positive integer, libvirt
619# will use it to set the maximum number of threads that can be
620# created by a qemu process. Some VM configurations can result in
621# qemu processes with tens of thousands of threads. systemd-based
622# systems typically limit the number of threads per process to
623# 16k. max_threads_per_process can be used to override default
624# limits in the host OS.
625#
626#max_threads_per_process = 0
627
628# If max_core is set to a non-zero integer, then QEMU will be
629# permitted to create core dumps when it crashes, provided its
630# RAM size is smaller than the limit set.
631#
632# Be warned that the core dump will include a full copy of the
633# guest RAM, if the 'dump_guest_core' setting has been enabled,
634# or if the guest XML contains
635#
636# <memory dumpcore="on">...guest ram...</memory>
637#
638# If guest RAM is to be included, ensure the max_core limit
639# is set to at least the size of the largest expected guest
640# plus another 1GB for any QEMU host side memory mappings.
641#
642# As a special case it can be set to the string "unlimited" to
643# allow arbitrarily sized core dumps.
644#
645# By default the core dump size is set to 0 disabling all dumps
646#
647# Size is a positive integer specifying bytes or the
648# string "unlimited"
649#
650#max_core = "unlimited"
651
652# Determine if guest RAM is included in QEMU core dumps. By
653# default guest RAM will be excluded if a new enough QEMU is
654# present. Setting this to '1' will force guest RAM to always
655# be included in QEMU core dumps.
656#
657# This setting will be ignored if the guest XML has set the
658# dumpcore attribute on the <memory> element.
659#
660#dump_guest_core = 1
661
662# mac_filter enables MAC address based filtering on bridge ports.
663# This currently requires ebtables to be installed.
664#
665#mac_filter = 1
666
667
668# By default, PCI devices below non-ACS switch are not allowed to be assigned
669# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
670# be assigned to guests.
671#
672#relaxed_acs_check = 1
673
674
675# In order to prevent accidentally starting two domains that
676# share one writable disk, libvirt offers two approaches for
677# locking files. The first one is sanlock, the other one,
678# virtlockd, is then our own implementation. Accepted values
679# are "sanlock" and "lockd".
680#
681#lock_manager = "lockd"
682
683
684# Set a limit on the maximum number of APIs queued on one domain. Any
685# further APIs over this threshold will fail to acquire the job lock.
686# Specifically, setting this to zero turns the feature off.
687# Note that the job lock is per domain.
688#
689#max_queued = 0
690
691###################################################################
692# Keepalive protocol:
693# This allows qemu driver to detect broken connections to remote
694# libvirtd during peer-to-peer migration. A keepalive message is
695# sent to the daemon after keepalive_interval seconds of inactivity
696# to check if the daemon is still responding; keepalive_count is a
697# maximum number of keepalive messages that are allowed to be sent
698# to the daemon without getting any response before the connection
699# is considered broken. In other words, the connection is
700# automatically closed approximately after
701# keepalive_interval * (keepalive_count + 1) seconds since the last
702# message received from the daemon. If keepalive_interval is set to
703# -1, qemu driver will not send keepalive requests during
704# peer-to-peer migration; however, the remote libvirtd can still
705# send them and source libvirtd will send responses. When
706# keepalive_count is set to 0, connections will be automatically
707# closed after keepalive_interval seconds of inactivity without
708# sending any keepalive messages.
709#
710#keepalive_interval = 5
711#keepalive_count = 5
712
713
714
715# Use seccomp syscall sandbox in QEMU.
716# 1 == seccomp enabled, 0 == seccomp disabled
717#
718# If it is unset (or -1), then seccomp will be enabled
719# only if QEMU >= 2.11.0 is detected, otherwise it is
720# left disabled. This ensures the default config gets
721# protection for new QEMU using the blacklist approach.
722#
723#seccomp_sandbox = 1
724
725
726# Override the listen address for all incoming migrations. Defaults to
727# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
728#migration_address = "0.0.0.0"
729
730
731# The default hostname or IP address which will be used by a migration
732# source for transferring migration data to this host. The migration
733# source has to be able to resolve this hostname and connect to it so
734# setting "localhost" will not work. By default, the host's configured
735# hostname is used.
736#migration_host = "host.example.com"
737
738
739# Override the port range used for incoming migrations.
740#
741# Minimum must be greater than 0, however when QEMU is not running as root,
742# setting the minimum to be lower than 1024 will not work.
743#
744# Maximum must not be greater than 65535.
745#
746#migration_port_min = 49152
747#migration_port_max = 49215
748
749
750
751# Timestamp QEMU's log messages (if QEMU supports it)
752#
753# Defaults to 1.
754#
755#log_timestamp = 0
756
757
758# Location of master nvram file
759#
760# This configuration option is obsolete. Libvirt will follow the
761# QEMU firmware metadata specification to automatically locate
762# firmware images. See docs/interop/firmware.json in the QEMU
763# source tree. These metadata files are distributed alongside any
764# firmware images intended for use with QEMU.
765#
766# NOTE: if ANY firmware metadata files are detected, this setting
767# will be COMPLETELY IGNORED.
768#
769# ------------------------------------------
770#
771# When a domain is configured to use UEFI instead of standard
772# BIOS it may use a separate storage for UEFI variables. If
773# that's the case libvirt creates the variable store per domain
774# using this master file as image. Each UEFI firmware can,
775# however, have a different variable store. Therefore nvram is
776# a list of strings, where a single item is in the form of:
777# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
778# Later, when libvirt creates per domain variable store, this list is
779# searched for the master image. The UEFI firmware can be called
780# differently for different guest architectures. For instance, it's OVMF
781# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
782# follows this scheme.
783
# Single active entry: the x64 OVMF build and its variable-store
# template under /usr/share/ovmf/x64 (the upstream examples below use
# /usr/share/OVMF). Per the header comment above, this option is
# obsolete and is ignored completely once any firmware metadata files
# are detected — check the host for them before relying on this line.
# NOTE(review): judging by the naming in the examples below,
# OVMF_CODE.fd is the non-"secboot" build; guests that need Secure
# Boot would need the secboot variant if the host ships one — confirm.
784nvram = ["/usr/share/ovmf/x64/OVMF_CODE.fd:/usr/share/ovmf/x64/OVMF_VARS.fd"]
785
# The lines below appear to be the tail of the upstream example list,
# left commented out; they are not part of the active value.
786# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
787# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
788# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
789# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
790#]
791
792# The backend to use for handling stdout/stderr output from
793# QEMU processes.
794#
795# 'file': QEMU writes directly to a plain file. This is the
796# historical default, but allows QEMU to inflict a
797# denial of service attack on the host by exhausting
798# filesystem space
799#
800# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
801# This is the current default, providing protection
802# against denial of service by performing log file
803# rollover when a size limit is hit.
804#
805#stdio_handler = "logd"
806
807# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
808# most verbose, and 0 representing no debugging output.
809#
810# The current logging levels defined in the gluster GFAPI are:
811#
812# 0 - None
813# 1 - Emergency
814# 2 - Alert
815# 3 - Critical
816# 4 - Error
817# 5 - Warning
818# 6 - Notice
819# 7 - Info
820# 8 - Debug
821# 9 - Trace
822#
823# Defaults to 4
824#
825#gluster_debug_level = 9
826
827# To enhance security, QEMU driver is capable of creating private namespaces
828# for each domain started. So far only the "mount" namespace is supported. If
829# enabled, the qemu process is unable to see all the devices on the system,
830# only those configured for the domain in question. Libvirt then manages the
831# device entries throughout the domain lifetime. This namespace is turned on
832# by default.
833#namespaces = [ "mount" ]
834
835# This directory is used for memoryBacking source if configured as file.
836# NOTE: big files will be stored here
837#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
838
839# Path to the SCSI persistent reservations helper. This helper is
840# used whenever <reservations/> are enabled for SCSI LUN devices.
841#pr_helper = "/usr/bin/qemu-pr-helper"
842
843# Path to the SLIRP networking helper.
844#slirp_helper = "/usr/bin/slirp-helper"
845
846# User for the swtpm TPM Emulator
847#
848# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
849# and uses; alternative is 'root'
850#
851#swtpm_user = "tss"
852#swtpm_group = "tss"
853
854# For debugging and testing purposes it's sometimes useful to be able to disable
855# libvirt behaviour based on the capabilities of the qemu process. This option
856# allows that. DO _NOT_ use in production and be aware that the behaviour
857# may change across versions.
858#
859#capability_filters = [ "capname" ]