1# Master libvirt daemon configuration file
2#
3
4#################################################################
5#
6# Network connectivity controls
7#
8
9# Flag listening for secure TLS connections on the public TCP/IP port.
10# NB, must pass the --listen flag to the libvirtd process for this to
11# have any effect (newer builds may instead rely on systemd socket
# activation for the TLS listener; check how your distribution starts
# libvirtd before assuming the flag is honoured).
12#
13# It is necessary to set up a CA and issue server certificates before
14# using this capability. The TLS listener authenticates clients by
# certificate only (see auth_tls and tls_no_verify_certificate below),
# so keep the CA private key off the libvirt host and hand client
# certificates only to administrators you would trust with root.
15#
16# This is enabled by default, uncomment this to disable it.
17#listen_tls = 0
18
19# Listen for unencrypted TCP connections on the public TCP/IP port.
20# NB, must pass the --listen flag to the libvirtd process for this to
21# have any effect.
22#
23# Using the TCP socket requires SASL authentication by default. Only
24# SASL mechanisms which support data encryption are allowed. This is
25# DIGEST-MD5 and GSSAPI (Kerberos5). DIGEST-MD5 is obsolete (RFC 6331
# moved it to Historic status because of its weak, MD5-based design);
# prefer GSSAPI, or use the TLS listener instead of this one. In either
# case firewall tcp_port to the management network and keep
# auth_tcp = "sasl".
26#
27# This is disabled by default, uncomment this to enable it. Leave it
# disabled unless you have a Kerberos deployment and a concrete need.
28#listen_tcp = 1
29
30
31
32# Override the port for accepting secure TLS connections
33# This can be a port number, or service name
34#
35#tls_port = "16514"
36
37# Override the port for accepting insecure TCP connections
38# This can be a port number, or service name
39#
40#tcp_port = "16509"
41
42
43# Override the default configuration which binds to all network
44# interfaces. This can be a numeric IPv4/6 address, or hostname.
#
# The default wildcard bind exposes the management API on every
# interface, including any public-facing one. On a multi-homed host
# set this to the address of the dedicated management network and
# additionally firewall tls_port/tcp_port; this file offers no
# per-source-address allow list.
45#
46# If the libvirtd service is started in parallel with network
47# startup (e.g. with systemd), binding to addresses other than
48# the wildcards (0.0.0.0/::) might not be available yet and the bind
# may fail; order the service after network-online.target (or your
# init system's equivalent) if you rely on a specific address.
49#
50#listen_addr = "192.168.0.1"
51
52
53#################################################################
54#
55# UNIX socket access controls
56#
57
58# Set the UNIX domain socket group ownership. This can be used to
59# allow a 'trusted' set of users access to management capabilities
60# without becoming root. Treat membership in this group as
# root-equivalent: a user with R/W socket access can define guests
# that attach arbitrary host block devices, files and PCI devices, so
# only add accounts that are already trusted with full host control.
61#
62# This is restricted to 'root' by default.
63#unix_sock_group = "libvirt"
64
65# Set the UNIX socket permissions for the R/O socket. This is used
66# for monitoring VM status only.
67#
68# Default allows any user. If setting group ownership, you may want to
69# restrict this too: "read-only" still exposes the guest inventory,
# domain XML (disk paths, network layout) and host capabilities to every
# local account, which matters on shared or multi-tenant hosts. An
# alternative is to set auth_unix_ro below.
70#unix_sock_ro_perms = "0777"
71
72# Set the UNIX socket permissions for the R/W socket. This is used
73# for full management of VMs
74#
75# Default allows only root. If PolicyKit is enabled on the socket,
76# the default will change to allow everyone (eg, 0777), because
# polkit, not the file mode, then performs the access check.
77#
78# If not using PolicyKit and setting group ownership for access
79# control, then you may want to relax this too. Never combine a
# world-writable mode here with auth_unix_rw = "none": that grants every
# local user full (root-equivalent) control of the hypervisor. After any
# change, check that the effective socket mode and auth_unix_rw agree.
80#unix_sock_rw_perms = "0770"
81
82# Set the UNIX socket permissions for the admin interface socket.
83#
84# Default allows only owner (root). Do not change it unless you are
85# sure whom you are granting access to: the admin interface can alter
# the running daemon (logging, client and worker limits, see virt-admin).
86#unix_sock_admin_perms = "0700"
87
88# Set the name of the directory in which sockets will be found/created.
89#unix_sock_dir = "/var/run/libvirt"
90
91
92
93#################################################################
94#
95# Authentication.
96#
97# - none: do not perform auth checks. If you can connect to the
98# socket you are allowed. This is suitable if there are
99# restrictions on connecting to the socket (eg, UNIX
100# socket permissions), or if there is a lower layer in
101# the network providing auth (eg, TLS/x509 certificates).
# TLS only counts as "auth" while client certificate verification
# stays enabled (tls_no_verify_certificate left unset) and the CA is
# dedicated to libvirt or tls_allowed_dn_list narrows who is accepted.
102#
103# - sasl: use SASL infrastructure. The actual auth scheme is then
104# controlled from /etc/sasl2/libvirt.conf. For the TCP
105# socket only GSSAPI & DIGEST-MD5 mechanisms will be used
# (DIGEST-MD5 is obsolete per RFC 6331; prefer GSSAPI).
106# For UNIX or TLS sockets, any scheme is allowed, including
# plain-password mechanisms; that is acceptable only because those
# sockets are already protected by file permissions or by TLS.
107#
108# - polkit: use PolicyKit to authenticate. This is only suitable
109# for use on the UNIX sockets. The default policy will
110# require a user to supply their own password to gain
111# full read/write access (aka sudo like), while anyone
112# is allowed read/only access.
113#
114# Set an authentication scheme for UNIX read-only sockets
115# By default socket permissions allow anyone to connect
116#
117# To restrict monitoring of domains you may wish to enable
118# an authentication mechanism here
119#auth_unix_ro = "none"
120
121# Set an authentication scheme for UNIX read-write sockets
122# By default socket permissions only allow root. If PolicyKit
123# support was compiled into libvirt, the default will be to
124# use 'polkit' auth.
125#
126# If the unix_sock_rw_perms are changed you may wish to enable
127# an authentication mechanism here
128#auth_unix_rw = "none"
129
130# Change the authentication scheme for TCP sockets.
131#
132# If you don't enable SASL, then all TCP traffic is cleartext and
# unauthenticated: anyone who can reach tcp_port gets full control.
133# Don't do this outside of a dev/test scenario. For real world
134# use, always enable SASL and use the GSSAPI or DIGEST-MD5
135# mechanism in /etc/sasl2/libvirt.conf (GSSAPI preferred; DIGEST-MD5
# is deprecated by RFC 6331). Better still, use the TLS listener.
136#auth_tcp = "sasl"
137
138# Change the authentication scheme for TLS sockets.
139#
140# TLS sockets already have encryption provided by the TLS
141# layer, and limited authentication is done by certificates:
# with the default "none", any client presenting a certificate
# signed by the CA gets full access (unless tls_allowed_dn_list
# narrows it), and a stolen client key is a stolen admin credential.
142#
143# It is possible to make use of any SASL authentication
144# mechanism as well, by using 'sasl' for this option, which adds a
# per-user credential on top of the certificate and makes
# sasl_allowed_username_list applicable to this listener.
145#auth_tls = "none"
146
147
148# Change the API access control scheme
149#
150# By default an authenticated user is allowed access
151# to all APIs. Access drivers can place restrictions
152# on this. By default the 'nop' driver is enabled,
153# meaning no access control checks are done once a
154# client has authenticated with libvirtd: authentication is the
# only barrier, and every authenticated identity is an administrator.
# Enable the 'polkit' driver (polkit rules, typically under
# /etc/polkit-1/rules.d) when some users should be limited to specific
# domains or operations.
155#
156#access_drivers = [ "polkit" ]
157
158#################################################################
159#
160# TLS x509 certificate configuration
161#
162
163# Use of TLS requires that x509 certificates be issued. The default locations
164# for the certificate files is as follows:
165#
166# /etc/pki/CA/cacert.pem - The CA master certificate
167# /etc/pki/libvirt/servercert.pem - The server certificate signed with
168# the cacert.pem
169# /etc/pki/libvirt/private/serverkey.pem - The server private key
# (keep it owned by root with mode 0600; it is loaded when the
# daemon starts, so it needs no wider permissions)
170#
171# It is possible to override the default locations by altering the 'key_file',
172# 'cert_file', and 'ca_file' values and uncommenting them below.
173#
174# NB, overriding the default of one location requires uncommenting and
175# possibly additionally overriding the other settings.
176#
177
178# Override the default server key file path
179#
180#key_file = "/etc/pki/libvirt/private/serverkey.pem"
181
182# Override the default server certificate file path
183#
184#cert_file = "/etc/pki/libvirt/servercert.pem"
185
186# Override the default CA certificate path
187#
188#ca_file = "/etc/pki/CA/cacert.pem"
189
190# Specify a certificate revocation list.
191#
192# Defaults to not using a CRL, uncomment to enable it. Without a
# CRL there is no way to revoke a lost or compromised client
# certificate short of replacing the CA: it stays valid until it
# expires. Production deployments should enable this and keep the
# CRL refreshed (the file appears to be read at daemon start, so
# reload or restart after updating it -- verify for your version).
193#crl_file = "/etc/pki/CA/crl.pem"
194
195
196
197#################################################################
198#
199# Authorization controls
200#
201
202
203# Flag to disable verification of our own server certificates
204#
205# When libvirtd starts it performs some sanity checks against
206# its own certificates.
207#
208# Default is to always run sanity checks. Uncommenting this
209# will disable sanity checks which is not a good idea
210#tls_no_sanity_certificate = 1
211
212# Flag to disable verification of client certificates
213#
214# Client certificate verification is the primary authentication mechanism.
215# Any client which does not present a certificate signed by the CA
216# will be rejected.
217#
218# Default is to always verify. Uncommenting this will disable
219# verification: with auth_tls = "none" that leaves the TLS port
# fully unauthenticated, so any host able to reach tls_port gets
# root-equivalent control. If you must disable it, set auth_tls =
# "sasl" and restrict the port with a host firewall (this file offers
# no IP allow-list option of its own).
220#tls_no_verify_certificate = 1
221
222
223# A whitelist of allowed x509 Distinguished Names
224# This list may contain wildcards such as
225#
226# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
227#
228# See the POSIX fnmatch function for the format of the wildcards.
229#
230# NB If this is an empty list, no client can connect, so comment out
231# entirely rather than using empty list to disable these checks
232#
233# By default, no DNs are checked, i.e. every certificate issued by
# the CA is accepted. Set this list whenever the CA also issues
# certificates for other services or hosts, and prefer exact DNs over
# wildcards: fnmatch's '*' matches any run of characters, commas
# included, so a trailing "CN=*" also matches DNs with extra components.
234#tls_allowed_dn_list = ["DN1", "DN2"]
235
236
237# A whitelist of allowed SASL usernames. The format for username
238# depends on the SASL authentication mechanism. Kerberos usernames
239# look like username@REALM
240#
241# This list may contain wildcards such as
242#
243# "*@EXAMPLE.COM"
244#
245# See the POSIX fnmatch function for the format of the wildcards.
246#
247# NB If this is an empty list, no client can connect, so comment out
248# entirely rather than using empty list to disable these checks
249#
250# By default, no usernames are checked: every principal the SASL
# backend (e.g. the Kerberos realm) accepts can manage the host. In a
# shared realm, list the administrative principals explicitly here
# rather than relying on a realm-wide wildcard.
251#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
252
253
254# Override the compile time default TLS priority string. The
255# default is usually "NORMAL" unless overridden at build time
# (some distributions build with a string such as "@SYSTEM" so the
# system-wide crypto policy applies -- check your build).
256# Only set this if it is desired for libvirt to deviate from
257# the global default settings. If you do, this is a GnuTLS priority
# string; a hardened example that still admits modern clients is
# "SECURE128:-VERS-TLS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" -- test it
# against your GnuTLS version first, since an unsupported string may
# prevent the TLS listener from starting.
258#
259#tls_priority="NORMAL"
260
261
262#################################################################
263#
264# Processing controls
265#
266
267# The maximum number of concurrent client connections to allow
268# over all sockets combined.
269#max_clients = 5000
270
271# The maximum length of queue of connections waiting to be
272# accepted by the daemon. Note, that some protocols supporting
273# retransmission may obey this so that a later reattempt at
274# connection succeeds.
275#max_queued_clients = 1000
276
277# The maximum length of queue of accepted but not yet
278# authenticated clients. The default value is 20. Set this to
279# zero to turn this feature off. Keep it enabled on any daemon
# with a TCP/TLS listener: it is what stops unauthenticated peers
# from holding connections open until max_clients is exhausted and
# legitimate administrators are locked out.
280#max_anonymous_clients = 20
281
282# The minimum limit sets the number of workers to start up
283# initially. If the number of active clients exceeds this,
284# then more threads are spawned, up to max_workers limit.
285# Typically you'd want max_workers to equal maximum number
286# of clients allowed
287#min_workers = 5
288#max_workers = 20
289
290
291# The number of priority workers. If all workers from above
292# pool are stuck, some calls marked as high priority
293# (notably domainDestroy) can be executed in this pool.
294#prio_workers = 5
295
296# Limit on concurrent requests from a single client
297# connection. To avoid one client monopolizing the server
298# this should be a small fraction of the global max_workers
299# parameter.
300#max_client_requests = 5
301
302# Same processing controls, but this time for the admin interface.
303# For description of each option, be so kind to scroll few lines
304# upwards.
305
306#admin_min_workers = 1
307#admin_max_workers = 5
308#admin_max_clients = 5
309#admin_max_queued_clients = 5
310#admin_max_client_requests = 5
311
312#################################################################
313#
314# Logging controls
315#
316
317# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
318# basically 1 will log everything possible, which may include guest
# configuration details (disk paths, network layout) and, depending on
# the driver, credential material; protect the log output accordingly
# and do not leave debug enabled on a production host.
319#
320# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
321#
322# WARNING: It outputs too much information to practically read.
323# WARNING: The "log_filters" setting is recommended instead.
324#
325# WARNING: Journald applies rate limiting of messages and so libvirt
326# WARNING: will limit "log_level" to only allow values 3 or 4 if
327# WARNING: journald is the current output.
328#
329# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
330#log_level = 3
331
332# Logging filters:
333# A filter allows to select a different logging level for a given category
334# of logs. The format for a filter is one of:
335#
336# level:match
337# level:+match
338#
339# where 'match' is a string which is matched against the category
340# given in the VIR_LOG_INIT() at the top of each libvirt source
341# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
342# filter matches using shell wildcard syntax (see 'man glob(7)').
343# The 'match' is always treated as a substring match. IOW a match
344# string 'foo' is equivalent to '*foo*'.
345#
346# If 'match' contains the optional "+" prefix, it tells libvirt
347# to log stack trace for each message matching name.
348#
349# 'level' is the minimal level where matching messages should
350# be logged:
351#
352# 1: DEBUG
353# 2: INFO
354# 3: WARNING
355# 4: ERROR
356#
357# Multiple filters can be defined in a single @log_filters, they just need
358# to be separated by spaces. Note that libvirt performs "first" match, i.e.
359# if there are concurrent filters, the first one that matches will be applied,
360# given the order in @log_filters.
361#
362# A typical need is to capture information from a hypervisor driver,
363# public API entrypoints and some of the utility code. Some utility
364# code is very verbose and is generally not desired. Taking the QEMU
365# hypervisor as an example, a suitable filter string for debugging
366# might be to turn off object, json & event logging, but enable the
367# rest of the util code:
368#
369#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
370
371# Logging outputs:
372# An output is one of the places to save logging information
373# The format for an output can be:
374# level:stderr
375# output goes to stderr
376# level:syslog:name
377# use syslog for the output and use the given name as the ident
378# level:file:file_path
379# output to a file, with the given filepath
380# level:journald
381# output to journald logging system
382# In all cases 'level' is the minimal priority, acting as a filter
383# 1: DEBUG
384# 2: INFO
385# 3: WARNING
386# 4: ERROR
387#
388# Multiple outputs can be defined, they just need to be separated by spaces.
389# e.g. to log all warnings and errors to syslog under the libvirtd ident:
# The only active setting in this file: warnings and errors go to syslog
# under the "libvirtd" ident. Level 3 drops INFO and DEBUG records.
# NOTE(review): if audit_logging = 1 is enabled below, confirm that the
# audit messages are emitted at level 3 or higher, otherwise this output
# silently discards them.
390log_outputs="3:syslog:libvirtd"
391
392
393##################################################################
394#
395# Auditing
396#
397# This setting allows usage of the auditing subsystem to be altered:
398#
399# audit_level == 0 -> disable all auditing
400# audit_level == 1 -> enable auditing, only if enabled on host (default)
401# audit_level == 2 -> enable auditing, and exit if disabled on host
#
# With the default of 1, a host whose audit subsystem is off silently
# produces no audit trail of domain lifecycle and device changes. Where
# an audit record is a compliance requirement, set 2 so a misconfigured
# auditd is noticed at startup rather than after an incident.
402#
403#audit_level = 2
404#
405# If set to 1, then audit messages will also be sent
406# via libvirt logging infrastructure. Defaults to 0. This is a useful
# fallback where auditd is not deployed, but the messages then inherit
# the log_outputs level and retention, so check they are not filtered.
407#
408#audit_logging = 1
409
410###################################################################
411# UUID of the host:
412# Host UUID is read from one of the sources specified in host_uuid_source.
413#
414# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
415# - 'machine-id': fetch the UUID from /etc/machine-id
416#
417# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
418# a valid UUID a temporary UUID will be generated.
419#
420# Another option is to specify host UUID in host_uuid.
421#
422# Keep the format of the example UUID below. UUID must not have all digits
423# be the same.
424
425# NB This default all-zeros UUID will not work. Replace
426# it with the output of the 'uuidgen' command and then
427# uncomment this entry
428#host_uuid = "00000000-0000-0000-0000-000000000000"
429#host_uuid_source = "smbios"
430
431###################################################################
432# Keepalive protocol:
433# This allows libvirtd to detect broken client connections or even
434# dead clients. A keepalive message is sent to a client after
435# keepalive_interval seconds of inactivity to check if the client is
436# still responding; keepalive_count is a maximum number of keepalive
437# messages that are allowed to be sent to the client without getting
438# any response before the connection is considered broken. In other
439# words, the connection is automatically closed approximately after
440# keepalive_interval * (keepalive_count + 1) seconds since the last
441# message received from the client. If keepalive_interval is set to
442# -1, libvirtd will never send keepalive requests; however clients
443# can still send them and the daemon will send responses. When
444# keepalive_count is set to 0, connections will be automatically
445# closed after keepalive_interval seconds of inactivity without
446# sending any keepalive messages.
447#
448#keepalive_interval = 5
449#keepalive_count = 5
450
451#
452# These configuration options are no longer used. There is no way to
453# restrict such clients from connecting since they first need to
454# connect in order to ask for keepalive.
455#
456#keepalive_required = 1
457#admin_keepalive_required = 1
458
459# Keepalive settings for the admin interface
460#admin_keepalive_interval = 5
461#admin_keepalive_count = 5
462
463###################################################################
464# Open vSwitch:
465# This allows to specify a timeout for openvswitch calls made by
466# libvirt. The ovs-vsctl utility is used for the configuration and
467# its timeout option is set by default to 5 seconds to avoid
468# potential infinite waits blocking libvirt.
469#
470#ovs_timeout = 5