  1. # Master libvirt daemon configuration file
  2. #
  3. # For further information consult http://libvirt.org/format.html
  4. #
  5. # NOTE: the tests/daemon-conf regression test script requires
  6. # that each "PARAMETER = VALUE" line in this file have the parameter
  7. # name just after a leading "#".
  8.  
  9. #################################################################
  10. #
  11. # Network connectivity controls
  12. #
  13.  
  14. # Flag listening for secure TLS connections on the public TCP/IP port.
  15. # NB, must pass the --listen flag to the libvirtd process for this to
  16. # have any effect.
  17. #
  18. # It is necessary to setup a CA and issue server certificates before
  19. # using this capability.
  20. #
  21. # This is enabled by default, uncomment this to disable it
  22. #listen_tls = 0
  23.  
  24. # Listen for unencrypted TCP connections on the public TCP/IP port.
  25. # NB, must pass the --listen flag to the libvirtd process for this to
  26. # have any effect.
  27. #
  28. # Using the TCP socket requires SASL authentication by default. Only
  29. # SASL mechanisms which support data encryption are allowed. This is
  30. # DIGEST_MD5 and GSSAPI (Kerberos5)
  31. #
  32. # This is disabled by default, uncomment this to enable it.
  33. #listen_tcp = 1
  34.  
  35.  
  36.  
  37. # Override the port for accepting secure TLS connections
  38. # This can be a port number, or service name
  39. #
  40. #tls_port = "16514"
  41.  
  42. # Override the port for accepting insecure TCP connections
  43. # This can be a port number, or service name
  44. #
  45. #tcp_port = "16509"
  46.  
  47.  
  48. # Override the default configuration which binds to all network
  49. # interfaces. This can be a numeric IPv4/6 address, or hostname
  50. #
  51. # If the libvirtd service is started in parallel with network
  52. # startup (e.g. with systemd), binding to addresses other than
  53. # the wildcards (0.0.0.0/::) might not be available yet.
  54. #
  55. #listen_addr = "192.168.0.1"
  56.  
  57.  
  58. # Flag toggling mDNS advertizement of the libvirt service.
  59. #
  60. # Alternatively can disable for all services on a host by
  61. # stopping the Avahi daemon
  62. #
  63. # This is disabled by default, uncomment this to enable it
  64. #mdns_adv = 1
  65.  
  66. # Override the default mDNS advertizement name. This must be
  67. # unique on the immediate broadcast network.
  68. #
  69. # The default is "Virtualization Host HOSTNAME", where HOSTNAME
  70. # is substituted for the short hostname of the machine (without domain)
  71. #
  72. #mdns_name = "Virtualization Host Joe Demo"
  73.  
  74.  
  75. #################################################################
  76. #
  77. # UNIX socket access controls
  78. #
  79.  
  80. # Beware that if you are changing *any* of these options, and you use
  81. # socket activation with systemd, you need to adjust the settings in
  82. # the libvirtd.socket file as well since it could impose a security
  83. # risk if you rely on file permission checking only.
  84.  
  85. # Set the UNIX domain socket group ownership. This can be used to
  86. # allow a 'trusted' set of users access to management capabilities
  87. # without becoming root.
  88. #
  89. # This is restricted to 'root' by default.
  90. #unix_sock_group = "libvirt"
  91.  
  92. # Set the UNIX socket permissions for the R/O socket. This is used
  93. # for monitoring VM status only
  94. #
  95. # Default allows any user. If setting group ownership, you may want to
  96. # restrict this too.
  97. #unix_sock_ro_perms = "0777"
  98.  
  99. # Set the UNIX socket permissions for the R/W socket. This is used
  100. # for full management of VMs
  101. #
  102. # Default allows only root. If PolicyKit is enabled on the socket,
  103. # the default will change to allow everyone (eg, 0777)
  104. #
  105. # If not using PolicyKit and setting group ownership for access
  106. # control, then you may want to relax this too.
  107. #unix_sock_rw_perms = "0770"
  108.  
  109. # Set the name of the directory in which sockets will be found/created.
  110. #unix_sock_dir = "/var/run/libvirt"
  111.  
  112. #################################################################
  113. #
  114. # Authentication.
  115. #
  116. # - none: do not perform auth checks. If you can connect to the
  117. # socket you are allowed. This is suitable if there are
  118. # restrictions on connecting to the socket (eg, UNIX
  119. # socket permissions), or if there is a lower layer in
  120. # the network providing auth (eg, TLS/x509 certificates)
  121. #
  122. # - sasl: use SASL infrastructure. The actual auth scheme is then
  123. # controlled from /etc/sasl2/libvirt.conf. For the TCP
  124. # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
  125. # For non-TCP or TLS sockets, any scheme is allowed.
  126. #
  127. # - polkit: use PolicyKit to authenticate. This is only suitable
  128. # for use on the UNIX sockets. The default policy will
  129. # require a user to supply their own password to gain
  130. # full read/write access (aka sudo like), while anyone
  131. # is allowed read/only access.
  132. #
  133. # Set an authentication scheme for UNIX read-only sockets
  134. # By default socket permissions allow anyone to connect
  135. #
  136. # To restrict monitoring of domains you may wish to enable
  137. # an authentication mechanism here
  138. #auth_unix_ro = "none"
  139.  
  140. # Set an authentication scheme for UNIX read-write sockets
  141. # By default socket permissions only allow root. If PolicyKit
  142. # support was compiled into libvirt, the default will be to
  143. # use 'polkit' auth.
  144. #
  145. # If the unix_sock_rw_perms are changed you may wish to enable
  146. # an authentication mechanism here
  147. #auth_unix_rw = "none"
  148.  
  149. # Change the authentication scheme for TCP sockets.
  150. #
  151. # If you don't enable SASL, then all TCP traffic is cleartext.
  152. # Don't do this outside of a dev/test scenario. For real world
  153. # use, always enable SASL and use the GSSAPI or DIGEST-MD5
  154. # mechanism in /etc/sasl2/libvirt.conf
  155. #auth_tcp = "sasl"
  156.  
  157. # Change the authentication scheme for TLS sockets.
  158. #
  159. # TLS sockets already have encryption provided by the TLS
  160. # layer, and limited authentication is done by certificates
  161. #
  162. # It is possible to make use of any SASL authentication
  163. # mechanism as well, by using 'sasl' for this option
  164. #auth_tls = "none"
  165.  
  166.  
  167. # Change the API access control scheme
  168. #
  169. # By default an authenticated user is allowed access
  170. # to all APIs. Access drivers can place restrictions
  171. # on this. By default the 'nop' driver is enabled,
  172. # meaning no access control checks are done once a
  173. # client has authenticated with libvirtd
  174. #
  175. #access_drivers = [ "polkit" ]
  176.  
  177. #################################################################
  178. #
  179. # TLS x509 certificate configuration
  180. #
  181.  
  182.  
  183. # Override the default server key file path
  184. #
  185. #key_file = "/etc/pki/libvirt/private/serverkey.pem"
  186.  
  187. # Override the default server certificate file path
  188. #
  189. #cert_file = "/etc/pki/libvirt/servercert.pem"
  190.  
  191. # Override the default CA certificate path
  192. #
  193. #ca_file = "/etc/pki/CA/cacert.pem"
  194.  
  195. # Specify a certificate revocation list.
  196. #
  197. # Defaults to not using a CRL, uncomment to enable it
  198. #crl_file = "/etc/pki/CA/crl.pem"
  199.  
  200.  
  201.  
  202. #################################################################
  203. #
  204. # Authorization controls
  205. #
  206.  
  207.  
  208. # Flag to disable verification of our own server certificates
  209. #
  210. # When libvirtd starts it performs some sanity checks against
  211. # its own certificates.
  212. #
  213. # Default is to always run sanity checks. Uncommenting this
  214. # will disable sanity checks which is not a good idea
  215. #tls_no_sanity_certificate = 1
  216.  
  217. # Flag to disable verification of client certificates
  218. #
  219. # Client certificate verification is the primary authentication mechanism.
  220. # Any client which does not present a certificate signed by the CA
  221. # will be rejected.
  222. #
  223. # Default is to always verify. Uncommenting this will disable
  224. # verification - make sure an IP whitelist is set
  225. #tls_no_verify_certificate = 1
  226.  
  227.  
  228. # A whitelist of allowed x509 Distinguished Names
  229. # This list may contain wildcards such as
  230. #
  231. # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
  232. #
  233. # See the POSIX fnmatch function for the format of the wildcards.
  234. #
  235. # NB If this is an empty list, no client can connect, so comment out
  236. # entirely rather than using empty list to disable these checks
  237. #
  238. # By default, no DN's are checked
  239. #tls_allowed_dn_list = ["DN1", "DN2"]
  240.  
  241.  
  242. # A whitelist of allowed SASL usernames. The format for usernames
  243. # depends on the SASL authentication mechanism. Kerberos usernames
  244. # look like username@REALM
  245. #
  246. # This list may contain wildcards such as
  247. #
  248. # "*@EXAMPLE.COM"
  249. #
  250. # See the POSIX fnmatch function for the format of the wildcards.
  251. #
  252. # NB If this is an empty list, no client can connect, so comment out
  253. # entirely rather than using empty list to disable these checks
  254. #
  255. # By default, no Username's are checked
  256. #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
  257.  
  258.  
  259.  
  260. #################################################################
  261. #
  262. # Processing controls
  263. #
  264.  
  265. # The maximum number of concurrent client connections to allow
  266. # over all sockets combined.
  267. #max_clients = 5000
  268.  
  269. # The maximum length of queue of connections waiting to be
  270. # accepted by the daemon. Note, that some protocols supporting
  271. # retransmission may obey this so that a later reattempt at
  272. # connection succeeds.
  273. #max_queued_clients = 1000
  274.  
  275. # The maximum length of queue of accepted but not yet not
  276. # authenticated clients. The default value is zero, meaning
  277. # the feature is disabled.
  278. #max_anonymous_clients = 20
  279.  
  280. # The minimum limit sets the number of workers to start up
  281. # initially. If the number of active clients exceeds this,
  282. # then more threads are spawned, up to max_workers limit.
  283. # Typically you'd want max_workers to equal maximum number
  284. # of clients allowed
  285. #min_workers = 5
  286. #max_workers = 20
  287.  
  288.  
  289. # The number of priority workers. If all workers from above
  290. # pool are stuck, some calls marked as high priority
  291. # (notably domainDestroy) can be executed in this pool.
  292. #prio_workers = 5
  293.  
  294. # Total global limit on concurrent RPC calls. Should be
  295. # at least as large as max_workers. Beyond this, RPC requests
  296. # will be read into memory and queued. This directly impacts
  297. # memory usage, currently each request requires 256 KB of
  298. # memory. So by default up to 5 MB of memory is used
  299. #
  300. # XXX this isn't actually enforced yet, only the per-client
  301. # limit is used so far
  302. #max_requests = 20
  303.  
  304. # Limit on concurrent requests from a single client
  305. # connection. To avoid one client monopolizing the server
  306. # this should be a small fraction of the global max_requests
  307. # and max_workers parameter
  308. #max_client_requests = 5
  309.  
  310. #################################################################
  311. #
  312. # Logging controls
  313. #
  314.  
  315. # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
  316. # basically 1 will log everything possible
  317. # Note: Journald may employ rate limiting of the messages logged
  318. # and thus lock up the libvirt daemon. To use the debug level with
  319. # journald you have to specify it explicitly in 'log_outputs', otherwise
  320. # only information level messages will be logged.
  321. log_level = 3
  322.  
  323. # Logging filters:
  324. # A filter allows to select a different logging level for a given category
  325. # of logs
  326. # The format for a filter is one of:
  327. # x:name
  328. # x:+name
  329. # where name is a string which is matched against source file name,
  330. # e.g., "remote", "qemu", or "util/json", the optional "+" prefix
  331. # tells libvirt to log stack trace for each message matching name,
  332. # and x is the minimal level where matching messages should be logged:
  333. # 1: DEBUG
  334. # 2: INFO
  335. # 3: WARNING
  336. # 4: ERROR
  337. #
  338. # Multiple filters can be defined in a single @filters, they just need to be
  339. # separated by spaces.
  340. #
  341. # e.g. to only get warning or errors from the remote layer and only errors
  342. # from the event layer:
  343. #log_filters="3:remote 4:event"
  344.  
  345. # Logging outputs:
  346. # An output is one of the places to save logging information
  347. # The format for an output can be:
  348. # x:stderr
  349. # output goes to stderr
  350. # x:syslog:name
  351. # use syslog for the output and use the given name as the ident
  352. # x:file:file_path
  353. # output to a file, with the given filepath
  354. # x:journald
  355. # output to journald logging system
  356. # In all case the x prefix is the minimal level, acting as a filter
  357. # 1: DEBUG
  358. # 2: INFO
  359. # 3: WARNING
  360. # 4: ERROR
  361. #
  362. # Multiple outputs can be defined, they just need to be separated by spaces.
  363. # e.g. to log all warnings and errors to syslog under the libvirtd ident:
  364. log_outputs="3:syslog:libvirtd"
  365. #
  366.  
  367. # Log debug buffer size:
  368. #
  369. # This configuration option is no longer used, since the global
  370. # log buffer functionality has been removed. Please configure
  371. # suitable log_outputs/log_filters settings to obtain logs.
  372. #log_buffer_size = 64
  373.  
  374.  
  375. ##################################################################
  376. #
  377. # Auditing
  378. #
  379. # This setting allows usage of the auditing subsystem to be altered:
  380. #
  381. # audit_level == 0 -> disable all auditing
  382. # audit_level == 1 -> enable auditing, only if enabled on host (default)
  383. # audit_level == 2 -> enable auditing, and exit if disabled on host
  384. #
  385. #audit_level = 2
  386. #
  387. # If set to 1, then audit messages will also be sent
  388. # via libvirt logging infrastructure. Defaults to 0
  389. #
  390. #audit_logging = 1
  391.  
  392. ###################################################################
  393. # UUID of the host:
  394. # Provide the UUID of the host here in case the command
  395. # 'dmidecode -s system-uuid' does not provide a valid uuid. In case
  396. # 'dmidecode' does not provide a valid UUID and none is provided here, a
  397. # temporary UUID will be generated.
  398. # Keep the format of the example UUID below. UUID must not have all digits
  399. # be the same.
  400.  
  401. # NB This default all-zeros UUID will not work. Replace
  402. # it with the output of the 'uuidgen' command and then
  403. # uncomment this entry
  404. #host_uuid = "00000000-0000-0000-0000-000000000000"
  405.  
  406. ###################################################################
  407. # Keepalive protocol:
  408. # This allows libvirtd to detect broken client connections or even
  409. # dead clients. A keepalive message is sent to a client after
  410. # keepalive_interval seconds of inactivity to check if the client is
  411. # still responding; keepalive_count is a maximum number of keepalive
  412. # messages that are allowed to be sent to the client without getting
  413. # any response before the connection is considered broken. In other
  414. # words, the connection is automatically closed approximately after
  415. # keepalive_interval * (keepalive_count + 1) seconds since the last
  416. # message received from the client. If keepalive_interval is set to
  417. # -1, libvirtd will never send keepalive requests; however clients
  418. # can still send them and the daemon will send responses. When
  419. # keepalive_count is set to 0, connections will be automatically
  420. # closed after keepalive_interval seconds of inactivity without
  421. # sending any keepalive messages.
  422. #
  423. #keepalive_interval = 5
  424. #keepalive_count = 5
  425. #
  426. # If set to 1, libvirtd will refuse to talk to clients that do not
  427. # support keepalive protocol. Defaults to 0.
  428. #
  429. #keepalive_required = 1