# Master configuration file for the QEMU driver. # All settings described here are optional - if omitted, sensible # defaults are used. # Use of TLS requires that x509 certificates be issued. The default is # to keep them in /etc/pki/qemu. This directory must contain # # ca-cert.pem - the CA master certificate # server-cert.pem - the server certificate signed with ca-cert.pem # server-key.pem - the server private key # # and optionally may contain # # dh-params.pem - the DH params configuration file # # If the directory does not exist, libvirtd will fail to start. If the # directory doesn't contain the necessary files, QEMU domains will fail # to start if they are configured to use TLS. # # In order to overwrite the default path alter the following. This path # definition will be used as the default path for other *_tls_x509_cert_dir # configuration settings if their default path does not exist or is not # specifically set. # #default_tls_x509_cert_dir = "/etc/pki/qemu" # The default TLS configuration only uses certificates for the server # allowing the client to verify the server's identity and establish # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by # issuing an x509 certificate to every client who needs to connect. # # Enabling this option will reject any client who does not have a # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem # # The default_tls_x509_cert_dir directory must also contain # # client-cert.pem - the client certificate signed with the ca-cert.pem # client-key.pem - the client private key # #default_tls_x509_verify = 1 # # Libvirt assumes the server-key.pem file is unencrypted by default. # To use an encrypted server-key.pem file, the password to decrypt # the PEM file is required. This can be provided by creating a secret # object in libvirt and then to uncomment this setting to set the UUID # of the secret. # # NB This default all-zeros UUID will not work. Replace it with the # output from the UUID for the TLS secret from a 'virsh secret-list' # command and then uncomment the entry # #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" # VNC is configured to listen on 127.0.0.1 by default. # To make it listen on all public interfaces, uncomment # this next option. # # NB, strong recommendation to enable TLS + x509 certificate # verification when allowing public access # #vnc_listen = "0.0.0.0" # Enable this option to have VNC served over an automatically created # unix socket. This prevents unprivileged access from users on the # host machine, though most VNC clients do not support it. # # This will only be enabled for VNC configurations that have listen # type=address but without any address specified. This setting takes # preference over vnc_listen. # #vnc_auto_unix_socket = 1 # Enable use of TLS encryption on the VNC server. This requires # a VNC client which supports the VeNCrypt protocol extension. # Examples include vinagre, virt-viewer, virt-manager and vencrypt # itself. UltraVNC, RealVNC, TightVNC do not support this # # It is necessary to setup CA and issue a server certificate # before enabling this. # #vnc_tls = 1 # In order to override the default TLS certificate location for # vnc certificates, supply a valid path to the certificate directory. # If the provided path does not exist, libvirtd will fail to start. # If the path is not provided, but vnc_tls = 1, then the # default_tls_x509_cert_dir path will be used. # #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" # The default TLS configuration only uses certificates for the server # allowing the client to verify the server's identity and establish # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by # issuing an x509 certificate to every client who needs to connect. # # Enabling this option will reject any client that does not have a # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem # files described in default_tls_x509_cert_dir. # # If this option is not supplied, it will be set to the value of # "default_tls_x509_verify". # #vnc_tls_x509_verify = 1 # The default VNC password. Only 8 bytes are significant for # VNC passwords. This parameter is only used if the per-domain # XML config does not already provide a password. To allow # access without passwords, leave this commented out. An empty # string will still enable passwords, but be rejected by QEMU, # effectively preventing any use of VNC. Obviously change this # example here before you set this. # #vnc_password = "XYZ12345" # Enable use of SASL encryption on the VNC server. This requires # a VNC client which supports the SASL protocol extension. # Examples include vinagre, virt-viewer and virt-manager # itself. UltraVNC, RealVNC, TightVNC do not support this # # It is necessary to configure /etc/sasl2/qemu.conf to choose # the desired SASL plugin (eg, GSSPI for Kerberos) # #vnc_sasl = 1 # The default SASL configuration file is located in /etc/sasl2/ # When running libvirtd unprivileged, it may be desirable to # override the configs in this location. Set this parameter to # point to the directory, and create a qemu.conf in that location # #vnc_sasl_dir = "/some/directory/sasl2" # QEMU implements an extension for providing audio over a VNC connection, # though if your VNC client does not support it, your only chance for getting # sound output is through regular audio backends. By default, libvirt will # disable all QEMU sound backends if using VNC, since they can cause # permissions issues. Enabling this option will make libvirtd honor the # QEMU_AUDIO_DRV environment variable when using VNC. # vnc_allow_host_audio = 1 # SPICE is configured to listen on 127.0.0.1 by default. # To make it listen on all public interfaces, uncomment # this next option. # # NB, strong recommendation to enable TLS + x509 certificate # verification when allowing public access # #spice_listen = "0.0.0.0" # Enable use of TLS encryption on the SPICE server. # # It is necessary to setup CA and issue a server certificate # before enabling this. # #spice_tls = 1 # In order to override the default TLS certificate location for # spice certificates, supply a valid path to the certificate directory. # If the provided path does not exist, libvirtd will fail to start. # If the path is not provided, but spice_tls = 1, then the # default_tls_x509_cert_dir path will be used. # #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" # Enable this option to have SPICE served over an automatically created # unix socket. This prevents unprivileged access from users on the # host machine. # # This will only be enabled for SPICE configurations that have listen # type=address but without any address specified. This setting takes # preference over spice_listen. # #spice_auto_unix_socket = 1 # The default SPICE password. This parameter is only used if the # per-domain XML config does not already provide a password. To # allow access without passwords, leave this commented out. An # empty string will still enable passwords, but be rejected by # QEMU, effectively preventing any use of SPICE. Obviously change # this example here before you set this. # #spice_password = "XYZ12345" # Enable use of SASL encryption on the SPICE server. This requires # a SPICE client which supports the SASL protocol extension. # # It is necessary to configure /etc/sasl2/qemu.conf to choose # the desired SASL plugin (eg, GSSPI for Kerberos) # #spice_sasl = 1 # The default SASL configuration file is located in /etc/sasl2/ # When running libvirtd unprivileged, it may be desirable to # override the configs in this location. Set this parameter to # point to the directory, and create a qemu.conf in that location # #spice_sasl_dir = "/some/directory/sasl2" # Enable use of TLS encryption on the chardev TCP transports. # # It is necessary to setup CA and issue a server certificate # before enabling this. # #chardev_tls = 1 # In order to override the default TLS certificate location for character # device TCP certificates, supply a valid path to the certificate directory. # If the provided path does not exist, libvirtd will fail to start. # If the path is not provided, but chardev_tls = 1, then the # default_tls_x509_cert_dir path will be used. # #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" # The default TLS configuration only uses certificates for the server # allowing the client to verify the server's identity and establish # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by # issuing an x509 certificate to every client who needs to connect. # # Enabling this option will reject any client that does not have a # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem # files described in default_tls_x509_cert_dir. # # If this option is not supplied, it will be set to the value of # "default_tls_x509_verify". # #chardev_tls_x509_verify = 1 # Uncomment and use the following option to override the default secret # UUID provided in the default_tls_x509_secret_uuid parameter. # # NB This default all-zeros UUID will not work. Replace it with the # output from the UUID for the TLS secret from a 'virsh secret-list' # command and then uncomment the entry # #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" # Enable use of TLS encryption for all VxHS network block devices that # don't specifically disable. # # When the VxHS network block device server is set up appropriately, # x509 certificates are required for authentication between the clients # (qemu processes) and the remote VxHS server. # # It is necessary to setup CA and issue the client certificate before # enabling this. # #vxhs_tls = 1 # In order to override the default TLS certificate location for VxHS # backed storage, supply a valid path to the certificate directory. # This is used to authenticate the VxHS block device clients to the VxHS # server. # # If the provided path does not exist, libvirtd will fail to start. # If the path is not provided, but vxhs_tls = 1, then the # default_tls_x509_cert_dir path will be used. # # VxHS block device clients expect the client certificate and key to be # present in the certificate directory along with the CA master certificate. # If using the default environment, default_tls_x509_verify must be configured. # Since this is only a client the server-key.pem certificate is not needed. # Thus a VxHS directory must contain the following: # # ca-cert.pem - the CA master certificate # client-cert.pem - the client certificate signed with the ca-cert.pem # client-key.pem - the client private key # #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" # In order to override the default TLS certificate location for migration # certificates, supply a valid path to the certificate directory. If the # provided path does not exist, libvirtd will fail to start. If the path is # not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path # will be used. Once/if a default certificate is enabled/defined, migration # will then be able to use the certificate via migration API flags. # #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" # The default TLS configuration only uses certificates for the server # allowing the client to verify the server's identity and establish # an encrypted channel. # # It is possible to use x509 certificates for authentication too, by # issuing an x509 certificate to every client who needs to connect. # # Enabling this option will reject any client that does not have a # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem # files described in default_tls_x509_cert_dir. # # If this option is not supplied, it will be set to the value of # "default_tls_x509_verify". # #migrate_tls_x509_verify = 1 # Uncomment and use the following option to override the default secret # UUID provided in the default_tls_x509_secret_uuid parameter. # # NB This default all-zeros UUID will not work. Replace it with the # output from the UUID for the TLS secret from a 'virsh secret-list' # command and then uncomment the entry # #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" # By default, if no graphical front end is configured, libvirt will disable # QEMU audio output since directly talking to alsa/pulseaudio may not work # with various security settings. If you know what you're doing, enable # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV # environment variable when using nographics. # #nographics_allow_host_audio = 1 # Override the port for creating both VNC and SPICE sessions (min). # This defaults to 5900 and increases for consecutive sessions # or when ports are occupied, until it hits the maximum. # # Minimum must be greater than or equal to 5900 as lower number would # result into negative vnc display number. # # Maximum must be less than 65536, because higher numbers do not make # sense as a port number. # #remote_display_port_min = 5900 #remote_display_port_max = 65535 # VNC WebSocket port policies, same rules apply as with remote display # ports. VNC WebSockets use similar display <-> port mappings, with # the exception being that ports start from 5700 instead of 5900. # #remote_websocket_port_min = 5700 #remote_websocket_port_max = 65535 # The default security driver is SELinux. If SELinux is disabled # on the host, then the security driver will automatically disable # itself. If you wish to disable QEMU SELinux security driver while # leaving SELinux enabled for the host in general, then set this # to 'none' instead. It's also possible to use more than one security # driver at the same time, for this use a list of names separated by # comma and delimited by square brackets. For example: # # security_driver = [ "selinux", "apparmor" ] # # Notes: The DAC security driver is always enabled; as a result, the # value of security_driver cannot contain "dac". The value "none" is # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. # #security_driver = "selinux" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests # will be unconfined by default. Defaults to 1. #security_default_confined = 1 # If set to non-zero, then attempts to create unconfined # guests will be blocked. Defaults to 0. #security_require_confined = 1 # The user for QEMU processes run by the system instance. It can be # specified as a user name or as a user id. The qemu driver will try to # parse this value first as a name and then, if the name doesn't exist, # as a user id. # # Since a sequence of digits is a valid user name, a leading plus sign # can be used to ensure that a user id will not be interpreted as a user # name. # # Some examples of valid values are: # # user = "qemu" # A user named "qemu" # user = "+0" # Super user (uid=0) # user = "100" # A user named "100" or a user with uid=100 # user = "bavac" # The group for QEMU processes run by the system instance. It can be # specified in a similar way to user. group = "bavac" # Whether libvirt should dynamically change file ownership # to match the configured user/group above. Defaults to 1. # Set to 0 to disable file ownership changes. #dynamic_ownership = 1 # What cgroup controllers to make use of with QEMU guests # # - 'cpu' - use for scheduler tunables # - 'devices' - use for device whitelisting # - 'memory' - use for memory tunables # - 'blkio' - use for block devices I/O tunables # - 'cpuset' - use for CPUs and memory nodes # - 'cpuacct' - use for CPUs statistics. # # NB, even if configured here, they won't be used unless # the administrator has mounted cgroups, e.g.: # # mkdir /dev/cgroup # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup # # They can be mounted anywhere, and different controllers # can be mounted in different locations. libvirt will detect # where they are located. # #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] # This is the basic set of devices allowed / required by # all virtual machines. # # As well as this, any configured block backed disks, # all sound device, and all PTY devices are allowed. # # This will only need setting if newer QEMU suddenly # wants some device we don't already know about. # #cgroup_device_acl = [ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", # "/dev/rtc","/dev/hpet" #] # # RDMA migration requires the following extra files to be added to the list: # "/dev/infiniband/rdma_cm", # "/dev/infiniband/issm0", # "/dev/infiniband/issm1", # "/dev/infiniband/umad0", # "/dev/infiniband/umad1", # "/dev/infiniband/uverbs0" # The default format for QEMU/KVM guest save images is raw; that is, the # memory from the domain is dumped out directly to a file. If you have # guests with a large amount of memory, however, this can take up quite # a bit of space. If you would like to compress the images while they # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" # for save_image_format. Note that this means you slow down the process of # saving a domain in order to save disk space; the list above is in descending # order by performance and ascending order by compression ratio. # # save_image_format is used when you use 'virsh save' or 'virsh managedsave' # at scheduled saving, and it is an error if the specified save_image_format # is not valid, or the requested compression program can't be found. # # dump_image_format is used when you use 'virsh dump' at emergency # crashdump, and if the specified dump_image_format is not valid, or # the requested compression program can't be found, this falls # back to "raw" compression. # # snapshot_image_format specifies the compression algorithm of the memory save # image when an external snapshot of a domain is taken. This does not apply # on disk image format. It is an error if the specified format isn't valid, # or the requested compression program can't be found. # #save_image_format = "raw" #dump_image_format = "raw" #snapshot_image_format = "raw" # When a domain is configured to be auto-dumped when libvirtd receives a # watchdog event from qemu guest, libvirtd will save dump files in directory # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump # #auto_dump_path = "/var/lib/libvirt/qemu/dump" # When a domain is configured to be auto-dumped, enabling this flag # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the # virDomainCoreDump API. That is, the system will avoid using the # file system cache while writing the dump file, but may cause # slower operation. # #auto_dump_bypass_cache = 0 # When a domain is configured to be auto-started, enabling this flag # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag # with the virDomainCreateWithFlags API. That is, the system will # avoid using the file system cache when restoring any managed state # file, but may cause slower operation. # #auto_start_bypass_cache = 0 # If provided by the host and a hugetlbfs mount point is configured, # a guest may request huge page backing. When this mount point is # unspecified here, determination of a host mount point in /proc/mounts # will be attempted. Specifying an explicit mount overrides detection # of the same in /proc/mounts. Setting the mount point to "" will # disable guest hugepage backing. If desired, multiple mount points can # be specified at once, separated by comma and enclosed in square # brackets, for example: # # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] # # The size of huge page served by specific mount point is determined by # libvirt at the daemon startup. # # NB, within these mount points, guests will create memory backing # files in a location of $MOUNTPOINT/libvirt/qemu # #hugetlbfs_mount = "/dev/hugepages" # Path to the setuid helper for creating tap devices. This executable # is used to create interfaces when libvirtd is # running unprivileged. libvirt invokes the helper directly, instead # of using "-netdev bridge", for security reasons. #bridge_helper = "/usr/lib/qemu/qemu-bridge-helper" # If clear_emulator_capabilities is enabled, libvirt will drop all # privileged capabilities of the QEmu/KVM emulator. This is enabled by # default. # # Warning: Disabling this option means that a compromised guest can # exploit the privileges and possibly do damage to the host. # #clear_emulator_capabilities = 1 # If enabled, libvirt will have QEMU set its process name to # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU # process will appear as "qemu:VM_NAME" in process listings and # other system monitoring tools. By default, QEMU does not set # its process title, so the complete QEMU command (emulator and # its arguments) appear in process listings. # #set_process_name = 1 # If max_processes is set to a positive integer, libvirt will use # it to set the maximum number of processes that can be run by qemu # user. This can be used to override default value set by host OS. # The same applies to max_files which sets the limit on the maximum # number of opened files. # #max_processes = 0 #max_files = 0 # If max_core is set to a non-zero integer, then QEMU will be # permitted to create core dumps when it crashes, provided its # RAM size is smaller than the limit set. # # Be warned that the core dump will include a full copy of the # guest RAM, if the 'dump_guest_core' setting has been enabled, # or if the guest XML contains # # ...guest ram... # # If guest RAM is to be included, ensure the max_core limit # is set to at least the size of the largest expected guest # plus another 1GB for any QEMU host side memory mappings. # # As a special case it can be set to the string "unlimited" to # to allow arbitrarily sized core dumps. # # By default the core dump size is set to 0 disabling all dumps # # Size is a positive integer specifying bytes or the # string "unlimited" # #max_core = "unlimited" # Determine if guest RAM is included in QEMU core dumps. By # default guest RAM will be excluded if a new enough QEMU is # present. Setting this to '1' will force guest RAM to always # be included in QEMU core dumps. # # This setting will be ignored if the guest XML has set the # dumpcore attribute on the element. # #dump_guest_core = 1 # mac_filter enables MAC addressed based filtering on bridge ports. # This currently requires ebtables to be installed. # #mac_filter = 1 # By default, PCI devices below non-ACS switch are not allowed to be assigned # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to # be assigned to guests. # #relaxed_acs_check = 1 # If allow_disk_format_probing is enabled, libvirt will probe disk # images to attempt to identify their format, when not otherwise # specified in the XML. This is disabled by default. # # WARNING: Enabling probing is a security hole in almost all # deployments. It is strongly recommended that users update their # guest XML elements to include # elements instead of enabling this option. # #allow_disk_format_probing = 1 # In order to prevent accidentally starting two domains that # share one writable disk, libvirt offers two approaches for # locking files. The first one is sanlock, the other one, # virtlockd, is then our own implementation. Accepted values # are "sanlock" and "lockd". # #lock_manager = "lockd" # Set limit of maximum APIs queued on one domain. All other APIs # over this threshold will fail on acquiring job lock. Specially, # setting to zero turns this feature off. # Note, that job lock is per domain. # #max_queued = 0 ################################################################### # Keepalive protocol: # This allows qemu driver to detect broken connections to remote # libvirtd during peer-to-peer migration. A keepalive message is # sent to the daemon after keepalive_interval seconds of inactivity # to check if the daemon is still responding; keepalive_count is a # maximum number of keepalive messages that are allowed to be sent # to the daemon without getting any response before the connection # is considered broken. In other words, the connection is # automatically closed approximately after # keepalive_interval * (keepalive_count + 1) seconds since the last # message received from the daemon. If keepalive_interval is set to # -1, qemu driver will not send keepalive requests during # peer-to-peer migration; however, the remote libvirtd can still # send them and source libvirtd will send responses. When # keepalive_count is set to 0, connections will be automatically # closed after keepalive_interval seconds of inactivity without # sending any keepalive messages. # #keepalive_interval = 5 #keepalive_count = 5 # Use seccomp syscall whitelisting in QEMU. # 1 = on, 0 = off, -1 = use QEMU default # Defaults to -1. # #seccomp_sandbox = 1 # Override the listen address for all incoming migrations. Defaults to # 0.0.0.0, or :: if both host and qemu are capable of IPv6. #migration_address = "0.0.0.0" # The default hostname or IP address which will be used by a migration # source for transferring migration data to this host. The migration # source has to be able to resolve this hostname and connect to it so # setting "localhost" will not work. By default, the host's configured # hostname is used. #migration_host = "host.example.com" # Override the port range used for incoming migrations. # # Minimum must be greater than 0, however when QEMU is not running as root, # setting the minimum to be lower than 1024 will not work. # # Maximum must not be greater than 65535. # #migration_port_min = 49152 #migration_port_max = 49215 # Timestamp QEMU's log messages (if QEMU supports it) # # Defaults to 1. # #log_timestamp = 0 # Location of master nvram file # # When a domain is configured to use UEFI instead of standard # BIOS it may use a separate storage for UEFI variables. If # that's the case libvirt creates the variable store per domain # using this master file as image. Each UEFI firmware can, # however, have different variables store. Therefore the nvram is # a list of strings when a single item is in form of: # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. # Later, when libvirt creates per domain variable store, this list is # searched for the master image. The UEFI firmware can be called # differently for different guest architectures. For instance, it's OVMF # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default # follows this scheme. nvram = [ "/usr/share/ovmf/x64/OVMF_CODE.fd:/usr/share/ovmf/x64/OVMF_VARS.fd" ] #nvram = [ # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" #] # The backend to use for handling stdout/stderr output from # QEMU processes. # # 'file': QEMU writes directly to a plain file. This is the # historical default, but allows QEMU to inflict a # denial of service attack on the host by exhausting # filesystem space # # 'logd': QEMU writes to a pipe provided by virtlogd daemon. # This is the current default, providing protection # against denial of service by performing log file # rollover when a size limit is hit. # #stdio_handler = "logd" # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the # most verbose, and 0 representing no debugging output. # # The current logging levels defined in the gluster GFAPI are: # # 0 - None # 1 - Emergency # 2 - Alert # 3 - Critical # 4 - Error # 5 - Warning # 6 - Notice # 7 - Info # 8 - Debug # 9 - Trace # # Defaults to 4 # #gluster_debug_level = 9 # To enhance security, QEMU driver is capable of creating private namespaces # for each domain started. Well, so far only "mount" namespace is supported. If # enabled it means qemu process is unable to see all the devices on the system, # only those configured for the domain in question. Libvirt then manages # devices entries throughout the domain lifetime. This namespace is turned on # by default. #namespaces = [ "mount" ] # This directory is used for memoryBacking source if configured as file. # NOTE: big files will be stored here #memory_backing_dir = "/var/lib/libvirt/qemu/ram"