qemu.conf

1. # Master configuration file for the QEMU driver.
2. # All settings described here are optional - if omitted, sensible
3. # defaults are used.
4.  
5. # Use of TLS requires that x509 certificates be issued. The default is
6. # to keep them in /etc/pki/qemu. This directory must contain
7. #
8. # ca-cert.pem - the CA master certificate
9. # server-cert.pem - the server certificate signed with ca-cert.pem
10. # server-key.pem - the server private key
11. #
12. # and optionally may contain
13. #
14. # dh-params.pem - the DH params configuration file
15. #
16. # If the directory does not exist, libvirtd will fail to start. If the
17. # directory doesn't contain the necessary files, QEMU domains will fail
18. # to start if they are configured to use TLS.
19. #
20. # In order to overwrite the default path alter the following. This path
21. # definition will be used as the default path for other *_tls_x509_cert_dir
22. # configuration settings if their default path does not exist or is not
23. # specifically set.
24. #
25. #default_tls_x509_cert_dir = "/etc/pki/qemu"
26.  
27.  
28. # The default TLS configuration only uses certificates for the server
29. # allowing the client to verify the server's identity and establish
30. # an encrypted channel.
31. #
32. # It is possible to use x509 certificates for authentication too, by
33. # issuing an x509 certificate to every client who needs to connect.
34. #
35. # Enabling this option will reject any client who does not have a
36. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
37. #
38. # The default_tls_x509_cert_dir directory must also contain
39. #
40. # client-cert.pem - the client certificate signed with the ca-cert.pem
41. # client-key.pem - the client private key
42. #
43. # If this option is supplied it provides the default for the "_verify" option
44. # of specific TLS users such as vnc, backups, migration, etc. The specific
45. # users of TLS may override this by setting the specific "_verify" option.
46. #
47. # When not supplied the specific TLS users provide their own defaults.
48. #
49. #default_tls_x509_verify = 1
50.  
51. #
52. # Libvirt assumes the server-key.pem file is unencrypted by default.
53. # To use an encrypted server-key.pem file, the password to decrypt
54. # the PEM file is required. This can be provided by creating a secret
55. # object in libvirt and then to uncomment this setting to set the UUID
56. # of the secret.
57. #
58. # NB This default all-zeros UUID will not work. Replace it with the
59. # output from the UUID for the TLS secret from a 'virsh secret-list'
60. # command and then uncomment the entry
61. #
62. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
63.  
64.  
65. # VNC is configured to listen on 127.0.0.1 by default.
66. # To make it listen on all public interfaces, uncomment
67. # this next option.
68. #
69. # NB, strong recommendation to enable TLS + x509 certificate
70. # verification when allowing public access
71. #
72. #vnc_listen = "0.0.0.0"
73.  
74. # Enable this option to have VNC served over an automatically created
75. # unix socket. This prevents unprivileged access from users on the
76. # host machine, though most VNC clients do not support it.
77. #
78. # This will only be enabled for VNC configurations that have listen
79. # type=address but without any address specified. This setting takes
80. # preference over vnc_listen.
81. #
82. #vnc_auto_unix_socket = 1
83.  
84. # Enable use of TLS encryption on the VNC server. This requires
85. # a VNC client which supports the VeNCrypt protocol extension.
86. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
87. # itself. UltraVNC, RealVNC, TightVNC do not support this
88. #
89. # It is necessary to setup CA and issue a server certificate
90. # before enabling this.
91. #
92. #vnc_tls = 1
93.  
94.  
95. # In order to override the default TLS certificate location for
96. # vnc certificates, supply a valid path to the certificate directory.
97. # If the provided path does not exist, libvirtd will fail to start.
98. # If the path is not provided, but vnc_tls = 1, then the
99. # default_tls_x509_cert_dir path will be used.
100. #
101. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
102.  
103.  
104. # Uncomment and use the following option to override the default secret
105. # UUID provided in the default_tls_x509_secret_uuid parameter.
106. #
107. #vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
108.  
109.  
110. # The default TLS configuration only uses certificates for the server
111. # allowing the client to verify the server's identity and establish
112. # an encrypted channel.
113. #
114. # It is possible to use x509 certificates for authentication too, by
115. # issuing an x509 certificate to every client who needs to connect.
116. #
117. # Enabling this option will reject any client that does not have a
118. # certificate (as described in default_tls_x509_verify) signed by the
119. # CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).
120. #
121. # If this option is not supplied, it will be set to the value of
122. # "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
123. # the default is "0".
124. #
125. #vnc_tls_x509_verify = 1
126.  
127.  
128. # The default VNC password. Only 8 bytes are significant for
129. # VNC passwords. This parameter is only used if the per-domain
130. # XML config does not already provide a password. To allow
131. # access without passwords, leave this commented out. An empty
132. # string will still enable passwords, but be rejected by QEMU,
133. # effectively preventing any use of VNC. Obviously change this
134. # example here before you set this.
135. #
136. #vnc_password = "XYZ12345"
137.  
138.  
139. # Enable use of SASL encryption on the VNC server. This requires
140. # a VNC client which supports the SASL protocol extension.
141. # Examples include vinagre, virt-viewer and virt-manager
142. # itself. UltraVNC, RealVNC, TightVNC do not support this
143. #
144. # It is necessary to configure /etc/sasl2/qemu.conf to choose
145. # the desired SASL plugin (eg, GSSPI for Kerberos)
146. #
147. #vnc_sasl = 1
148.  
149.  
150. # The default SASL configuration file is located in /etc/sasl2/
151. # When running libvirtd unprivileged, it may be desirable to
152. # override the configs in this location. Set this parameter to
153. # point to the directory, and create a qemu.conf in that location
154. #
155. #vnc_sasl_dir = "/some/directory/sasl2"
156.  
157.  
158. # QEMU implements an extension for providing audio over a VNC connection,
159. # though if your VNC client does not support it, your only chance for getting
160. # sound output is through regular audio backends. By default, libvirt will
161. # disable all QEMU sound backends if using VNC, since they can cause
162. # permissions issues. Enabling this option will make libvirtd honor the
163. # QEMU_AUDIO_DRV environment variable when using VNC.
164. #
165. #vnc_allow_host_audio = 0
166.  
167.  
168.  
169. # SPICE is configured to listen on 127.0.0.1 by default.
170. # To make it listen on all public interfaces, uncomment
171. # this next option.
172. #
173. # NB, strong recommendation to enable TLS + x509 certificate
174. # verification when allowing public access
175. #
176. #spice_listen = "0.0.0.0"
177.  
178.  
179. # Enable use of TLS encryption on the SPICE server.
180. #
181. # It is necessary to setup CA and issue a server certificate
182. # before enabling this.
183. #
184. #spice_tls = 1
185.  
186.  
187. # In order to override the default TLS certificate location for
188. # spice certificates, supply a valid path to the certificate directory.
189. # If the provided path does not exist, libvirtd will fail to start.
190. # If the path is not provided, but spice_tls = 1, then the
191. # default_tls_x509_cert_dir path will be used.
192. #
193. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
194.  
195.  
196. # Enable this option to have SPICE served over an automatically created
197. # unix socket. This prevents unprivileged access from users on the
198. # host machine.
199. #
200. # This will only be enabled for SPICE configurations that have listen
201. # type=address but without any address specified. This setting takes
202. # preference over spice_listen.
203. #
204. #spice_auto_unix_socket = 1
205.  
206.  
207. # The default SPICE password. This parameter is only used if the
208. # per-domain XML config does not already provide a password. To
209. # allow access without passwords, leave this commented out. An
210. # empty string will still enable passwords, but be rejected by
211. # QEMU, effectively preventing any use of SPICE. Obviously change
212. # this example here before you set this.
213. #
214. #spice_password = "XYZ12345"
215.  
216.  
217. # Enable use of SASL encryption on the SPICE server. This requires
218. # a SPICE client which supports the SASL protocol extension.
219. #
220. # It is necessary to configure /etc/sasl2/qemu.conf to choose
221. # the desired SASL plugin (eg, GSSPI for Kerberos)
222. #
223. #spice_sasl = 1
224.  
225. # The default SASL configuration file is located in /etc/sasl2/
226. # When running libvirtd unprivileged, it may be desirable to
227. # override the configs in this location. Set this parameter to
228. # point to the directory, and create a qemu.conf in that location
229. #
230. #spice_sasl_dir = "/some/directory/sasl2"
231.  
232. # Enable use of TLS encryption on the chardev TCP transports.
233. #
234. # It is necessary to setup CA and issue a server certificate
235. # before enabling this.
236. #
237. #chardev_tls = 1
238.  
239.  
240. # In order to override the default TLS certificate location for character
241. # device TCP certificates, supply a valid path to the certificate directory.
242. # If the provided path does not exist, libvirtd will fail to start.
243. # If the path is not provided, but chardev_tls = 1, then the
244. # default_tls_x509_cert_dir path will be used.
245. #
246. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
247.  
248.  
249. # The default TLS configuration only uses certificates for the server
250. # allowing the client to verify the server's identity and establish
251. # an encrypted channel.
252. #
253. # It is possible to use x509 certificates for authentication too, by
254. # issuing an x509 certificate to every client who needs to connect.
255. #
256. # Enabling this option will reject any client that does not have a
257. # certificate (as described in default_tls_x509_verify) signed by the
258. # CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).
259. #
260. # If this option is not supplied, it will be set to the value of
261. # "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
262. # the default is "1".
263. #
264. #chardev_tls_x509_verify = 1
265.  
266.  
267. # Uncomment and use the following option to override the default secret
268. # UUID provided in the default_tls_x509_secret_uuid parameter.
269. #
270. # NB This default all-zeros UUID will not work. Replace it with the
271. # output from the UUID for the TLS secret from a 'virsh secret-list'
272. # command and then uncomment the entry
273. #
274. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
275.  
276.  
277. # Enable use of TLS encryption for all VxHS network block devices that
278. # don't specifically disable.
279. #
280. # When the VxHS network block device server is set up appropriately,
281. # x509 certificates are required for authentication between the clients
282. # (qemu processes) and the remote VxHS server.
283. #
284. # It is necessary to setup CA and issue the client certificate before
285. # enabling this.
286. #
287. #vxhs_tls = 1
288.  
289.  
290. # In order to override the default TLS certificate location for VxHS
291. # backed storage, supply a valid path to the certificate directory.
292. # This is used to authenticate the VxHS block device clients to the VxHS
293. # server.
294. #
295. # If the provided path does not exist, libvirtd will fail to start.
296. # If the path is not provided, but vxhs_tls = 1, then the
297. # default_tls_x509_cert_dir path will be used.
298. #
299. # VxHS block device clients expect the client certificate and key to be
300. # present in the certificate directory along with the CA master certificate.
301. # If using the default environment, default_tls_x509_verify must be configured.
302. # Since this is only a client the server-key.pem certificate is not needed.
303. # Thus a VxHS directory must contain the following:
304. #
305. # ca-cert.pem - the CA master certificate
306. # client-cert.pem - the client certificate signed with the ca-cert.pem
307. # client-key.pem - the client private key
308. #
309. #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
310.  
311.  
312. # Uncomment and use the following option to override the default secret
313. # UUID provided in the default_tls_x509_secret_uuid parameter.
314. #
315. # NB This default all-zeros UUID will not work. Replace it with the
316. # output from the UUID for the TLS secret from a 'virsh secret-list'
317. # command and then uncomment the entry
318. #
319. #vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
320.  
321.  
322. # Enable use of TLS encryption for all NBD disk devices that don't
323. # specifically disable it.
324. #
325. # When the NBD server is set up appropriately, x509 certificates are required
326. # for authentication between the client and the remote NBD server.
327. #
328. # It is necessary to setup CA and issue the client certificate before
329. # enabling this.
330. #
331. #nbd_tls = 1
332.  
333.  
334. # In order to override the default TLS certificate location for NBD
335. # backed storage, supply a valid path to the certificate directory.
336. # This is used to authenticate the NBD block device clients to the NBD
337. # server.
338. #
339. # If the provided path does not exist, libvirtd will fail to start.
340. # If the path is not provided, but nbd_tls = 1, then the
341. # default_tls_x509_cert_dir path will be used.
342. #
343. # NBD block device clients expect the client certificate and key to be
344. # present in the certificate directory along with the CA certificate.
345. # Since this is only a client the server-key.pem certificate is not needed.
346. # Thus a NBD directory must contain the following:
347. #
348. # ca-cert.pem - the CA master certificate
349. # client-cert.pem - the client certificate signed with the ca-cert.pem
350. # client-key.pem - the client private key
351. #
352. #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
353.  
354.  
355. # Uncomment and use the following option to override the default secret
356. # UUID provided in the default_tls_x509_secret_uuid parameter.
357. #
358. # NB This default all-zeros UUID will not work. Replace it with the
359. # output from the UUID for the TLS secret from a 'virsh secret-list'
360. # command and then uncomment the entry
361. #
362. #nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
363.  
364.  
365. # In order to override the default TLS certificate location for migration
366. # certificates, supply a valid path to the certificate directory. If the
367. # provided path does not exist, libvirtd will fail to start. If the path is
368. # not provided, but TLS-encrypted migration is requested, then the
369. # default_tls_x509_cert_dir path will be used. Once/if a default certificate is
370. # enabled/defined, migration will then be able to use the certificate via
371. # migration API flags.
372. #
373. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
374.  
375.  
376. # The default TLS configuration only uses certificates for the server
377. # allowing the client to verify the server's identity and establish
378. # an encrypted channel.
379. #
380. # It is possible to use x509 certificates for authentication too, by
381. # issuing an x509 certificate to every client who needs to connect.
382. #
383. # Enabling this option will reject any client that does not have a
384. # certificate (as described in default_tls_x509_verify) signed by the
385. # CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).
386. #
387. # If this option is not supplied, it will be set to the value of
388. # "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied
389. # either, the default is "1".
390. #
391. #migrate_tls_x509_verify = 1
392.  
393.  
394. # Uncomment and use the following option to override the default secret
395. # UUID provided in the default_tls_x509_secret_uuid parameter.
396. #
397. # NB This default all-zeros UUID will not work. Replace it with the
398. # output from the UUID for the TLS secret from a 'virsh secret-list'
399. # command and then uncomment the entry
400. #
401. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
402.  
403.  
404. # By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested
405. # automatically. Setting 'migate_tls_force' to "1" will prevent any migration
406. # which is not using VIR_MIGRATE_TLS to ensure higher level of security in
407. # deployments with TLS.
408. #
409. #migrate_tls_force = 0
410.  
411.  
412. # In order to override the default TLS certificate location for backup NBD
413. # server certificates, supply a valid path to the certificate directory. If the
414. # provided path does not exist, libvirtd will fail to start. If the path is
415. # not provided, but TLS-encrypted backup is requested, then the
416. # default_tls_x509_cert_dir path will be used.
417. #
418. #backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
419.  
420.  
421. # The default TLS configuration only uses certificates for the server
422. # allowing the client to verify the server's identity and establish
423. # an encrypted channel.
424. #
425. # It is possible to use x509 certificates for authentication too, by
426. # issuing an x509 certificate to every client who needs to connect.
427. #
428. # Enabling this option will reject any client that does not have a
429. # certificate (as described in default_tls_x509_verify) signed by the
430. # CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).
431. #
432. # If this option is not supplied, it will be set to the value of
433. # "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,
434. # the default is "1".
435. #
436. #backup_tls_x509_verify = 1
437.  
438.  
439. # Uncomment and use the following option to override the default secret
440. # UUID provided in the default_tls_x509_secret_uuid parameter.
441. #
442. # NB This default all-zeros UUID will not work. Replace it with the
443. # output from the UUID for the TLS secret from a 'virsh secret-list'
444. # command and then uncomment the entry
445. #
446. #backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
447.  
448.  
449. # By default, if no graphical front end is configured, libvirt will disable
450. # QEMU audio output since directly talking to alsa/pulseaudio may not work
451. # with various security settings. If you know what you're doing, enable
452. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
453. # environment variable when using nographics.
454. #
455. #nographics_allow_host_audio = 1
456.  
457.  
458. # Override the port for creating both VNC and SPICE sessions (min).
459. # This defaults to 5900 and increases for consecutive sessions
460. # or when ports are occupied, until it hits the maximum.
461. #
462. # Minimum must be greater than or equal to 5900 as lower number would
463. # result into negative vnc display number.
464. #
465. # Maximum must be less than 65536, because higher numbers do not make
466. # sense as a port number.
467. #
468. #remote_display_port_min = 5900
469. #remote_display_port_max = 65535
470.  
471. # VNC WebSocket port policies, same rules apply as with remote display
472. # ports. VNC WebSockets use similar display <-> port mappings, with
473. # the exception being that ports start from 5700 instead of 5900.
474. #
475. #remote_websocket_port_min = 5700
476. #remote_websocket_port_max = 65535
477.  
478. # The default security driver is SELinux. If SELinux is disabled
479. # on the host, then the security driver will automatically disable
480. # itself. If you wish to disable QEMU SELinux security driver while
481. # leaving SELinux enabled for the host in general, then set this
482. # to 'none' instead. It's also possible to use more than one security
483. # driver at the same time, for this use a list of names separated by
484. # comma and delimited by square brackets. For example:
485. #
486. # security_driver = [ "selinux", "apparmor" ]
487. #
488. # Notes: The DAC security driver is always enabled; as a result, the
489. # value of security_driver cannot contain "dac". The value "none" is
490. # a special value; security_driver can be set to that value in
491. # isolation, but it cannot appear in a list of drivers.
492. #
493. #security_driver = "selinux"
494.  
495. # If set to non-zero, then the default security labeling
496. # will make guests confined. If set to zero, then guests
497. # will be unconfined by default. Defaults to 1.
498. #security_default_confined = 1
499.  
500. # If set to non-zero, then attempts to create unconfined
501. # guests will be blocked. Defaults to 0.
502. #security_require_confined = 1
503.  
504. # The user for QEMU processes run by the system instance. It can be
505. # specified as a user name or as a user id. The qemu driver will try to
506. # parse this value first as a name and then, if the name doesn't exist,
507. # as a user id.
508. #
509. # Since a sequence of digits is a valid user name, a leading plus sign
510. # can be used to ensure that a user id will not be interpreted as a user
511. # name.
512. #
513. # By default libvirt runs VMs as non-root and uses AppArmor profiles
514. # to provide host protection and VM isolation. While AppArmor
515. # continues to provide this protection when the VMs are running as
516. # root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is
517. # allowed by default in the AppArmor security policy, so malicious VMs
518. # running as root would have direct access to this file. If changing this
519. # to run as root, you may want to remove this access from
520. # /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see:
521. # https://launchpad.net/bugs/1815910
522. # https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html
523. #
524. # Some examples of valid values are:
525. #
526. # user = "qemu" # A user named "qemu"
527. # user = "+0" # Super user (uid=0)
528. # user = "100" # A user named "100" or a user with uid=100
529. #
530. #user = "root"
531.  
532. # The group for QEMU processes run by the system instance. It can be
533. # specified in a similar way to user.
534. #group = "kvm"
535.  
536. # Whether libvirt should dynamically change file ownership
537. # to match the configured user/group above. Defaults to 1.
538. # Set to 0 to disable file ownership changes.
539. #dynamic_ownership = 1
540.  
541. # Whether libvirt should remember and restore the original
542. # ownership over files it is relabeling. Defaults to 1, set
543. # to 0 to disable the feature.
544. #remember_owner = 1
545.  
546. # What cgroup controllers to make use of with QEMU guests
547. #
548. # - 'cpu' - use for scheduler tunables
549. # - 'devices' - use for device access control
550. # - 'memory' - use for memory tunables
551. # - 'blkio' - use for block devices I/O tunables
552. # - 'cpuset' - use for CPUs and memory nodes
553. # - 'cpuacct' - use for CPUs statistics.
554. #
555. # NB, even if configured here, they won't be used unless
556. # the administrator has mounted cgroups, e.g.:
557. #
558. # mkdir /dev/cgroup
559. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
560. #
561. # They can be mounted anywhere, and different controllers
562. # can be mounted in different locations. libvirt will detect
563. # where they are located.
564. #
565. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
566.  
567. # This is the basic set of devices allowed / required by
568. # all virtual machines.
569. #
570. # As well as this, any configured block backed disks,
571. # all sound device, and all PTY devices are allowed.
572. #
573. # This will only need setting if newer QEMU suddenly
574. # wants some device we don't already know about.
575. #
576. #cgroup_device_acl = [
577. # "/dev/null", "/dev/full", "/dev/zero",
578. # "/dev/random", "/dev/urandom",
579. # "/dev/ptmx", "/dev/kvm"
580. #]
581. #
582. # RDMA migration requires the following extra files to be added to the list:
583. # "/dev/infiniband/rdma_cm",
584. # "/dev/infiniband/issm0",
585. # "/dev/infiniband/issm1",
586. # "/dev/infiniband/umad0",
587. # "/dev/infiniband/umad1",
588. # "/dev/infiniband/uverbs0"
589.  
590.  
591. # The default format for QEMU/KVM guest save images is raw; that is, the
592. # memory from the domain is dumped out directly to a file. If you have
593. # guests with a large amount of memory, however, this can take up quite
594. # a bit of space. If you would like to compress the images while they
595. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
596. # for save_image_format. Note that this means you slow down the process of
597. # saving a domain in order to save disk space; the list above is in descending
598. # order by performance and ascending order by compression ratio.
599. #
600. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
601. # at scheduled saving, and it is an error if the specified save_image_format
602. # is not valid, or the requested compression program can't be found.
603. #
604. # dump_image_format is used when you use 'virsh dump' at emergency
605. # crashdump, and if the specified dump_image_format is not valid, or
606. # the requested compression program can't be found, this falls
607. # back to "raw" compression.
608. #
609. # snapshot_image_format specifies the compression algorithm of the memory save
610. # image when an external snapshot of a domain is taken. This does not apply
611. # on disk image format. It is an error if the specified format isn't valid,
612. # or the requested compression program can't be found.
613. #
614. #save_image_format = "raw"
615. #dump_image_format = "raw"
616. #snapshot_image_format = "raw"
617.  
618. # When a domain is configured to be auto-dumped when libvirtd receives a
619. # watchdog event from qemu guest, libvirtd will save dump files in directory
620. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
621. #
622. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
623.  
624. # When a domain is configured to be auto-dumped, enabling this flag
625. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
626. # virDomainCoreDump API. That is, the system will avoid using the
627. # file system cache while writing the dump file, but may cause
628. # slower operation.
629. #
630. #auto_dump_bypass_cache = 0
631.  
632. # When a domain is configured to be auto-started, enabling this flag
633. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
634. # with the virDomainCreateWithFlags API. That is, the system will
635. # avoid using the file system cache when restoring any managed state
636. # file, but may cause slower operation.
637. #
638. #auto_start_bypass_cache = 0
639.  
640. # If provided by the host and a hugetlbfs mount point is configured,
641. # a guest may request huge page backing. When this mount point is
642. # unspecified here, determination of a host mount point in /proc/mounts
643. # will be attempted. Specifying an explicit mount overrides detection
644. # of the same in /proc/mounts. Setting the mount point to "" will
645. # disable guest hugepage backing. If desired, multiple mount points can
646. # be specified at once, separated by comma and enclosed in square
647. # brackets, for example:
648. #
649. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
650. #
651. # The size of huge page served by specific mount point is determined by
652. # libvirt at the daemon startup.
653. #
654. # NB, within these mount points, guests will create memory backing
655. # files in a location of $MOUNTPOINT/libvirt/qemu
656. #
657. #hugetlbfs_mount = "/dev/hugepages"
658.  
659.  
660. # Path to the setuid helper for creating tap devices. This executable
661. # is used to create <source type='bridge'> interfaces when libvirtd is
662. # running unprivileged. libvirt invokes the helper directly, instead
663. # of using "-netdev bridge", for security reasons.
664. #bridge_helper = "/usr/libexec/qemu-bridge-helper"
665.  
666.  
667. # If enabled, libvirt will have QEMU set its process name to
668. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
669. # process will appear as "qemu:VM_NAME" in process listings and
670. # other system monitoring tools. By default, QEMU does not set
671. # its process title, so the complete QEMU command (emulator and
672. # its arguments) appear in process listings.
673. #
674. #set_process_name = 1
675.  
676.  
677. # If max_processes is set to a positive integer, libvirt will use
678. # it to set the maximum number of processes that can be run by qemu
679. # user. This can be used to override default value set by host OS.
680. # The same applies to max_files which sets the limit on the maximum
681. # number of opened files.
682. #
683. #max_processes = 0
684. #max_files = 0
685.  
686. # If max_threads_per_process is set to a positive integer, libvirt
687. # will use it to set the maximum number of threads that can be
688. # created by a qemu process. Some VM configurations can result in
689. # qemu processes with tens of thousands of threads. systemd-based
690. # systems typically limit the number of threads per process to
691. # 16k. max_threads_per_process can be used to override default
692. # limits in the host OS.
693. #
694. #max_threads_per_process = 0
695.  
696. # If max_core is set to a non-zero integer, then QEMU will be
697. # permitted to create core dumps when it crashes, provided its
698. # RAM size is smaller than the limit set.
699. #
700. # Be warned that the core dump will include a full copy of the
701. # guest RAM, if the 'dump_guest_core' setting has been enabled,
702. # or if the guest XML contains
703. #
704. # <memory dumpcore="on">...guest ram...</memory>
705. #
706. # If guest RAM is to be included, ensure the max_core limit
707. # is set to at least the size of the largest expected guest
708. # plus another 1GB for any QEMU host side memory mappings.
709. #
710. # As a special case it can be set to the string "unlimited" to
711. # to allow arbitrarily sized core dumps.
712. #
713. # By default the core dump size is set to 0 disabling all dumps
714. #
715. # Size is a positive integer specifying bytes or the
716. # string "unlimited"
717. #
718. #max_core = "unlimited"
719.  
720. # Determine if guest RAM is included in QEMU core dumps. By
721. # default guest RAM will be excluded if a new enough QEMU is
722. # present. Setting this to '1' will force guest RAM to always
723. # be included in QEMU core dumps.
724. #
725. # This setting will be ignored if the guest XML has set the
726. # dumpcore attribute on the <memory> element.
727. #
728. #dump_guest_core = 1
729.  
730. # mac_filter enables MAC addressed based filtering on bridge ports.
731. # This currently requires ebtables to be installed.
732. #
733. #mac_filter = 1
734.  
735.  
736. # By default, PCI devices below non-ACS switch are not allowed to be assigned
737. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
738. # be assigned to guests.
739. #
740. #relaxed_acs_check = 1
741.  
742.  
743. # In order to prevent accidentally starting two domains that
744. # share one writable disk, libvirt offers two approaches for
745. # locking files. The first one is sanlock, the other one,
746. # virtlockd, is then our own implementation. Accepted values
747. # are "sanlock" and "lockd".
748. #
749. #lock_manager = "lockd"
750.  
751.  
752. # Set limit of maximum APIs queued on one domain. All other APIs
753. # over this threshold will fail on acquiring job lock. Specially,
754. # setting to zero turns this feature off.
755. # Note, that job lock is per domain.
756. #
757. #max_queued = 0
758.  
759. ###################################################################
760. # Keepalive protocol:
761. # This allows qemu driver to detect broken connections to remote
762. # libvirtd during peer-to-peer migration. A keepalive message is
763. # sent to the daemon after keepalive_interval seconds of inactivity
764. # to check if the daemon is still responding; keepalive_count is a
765. # maximum number of keepalive messages that are allowed to be sent
766. # to the daemon without getting any response before the connection
767. # is considered broken. In other words, the connection is
768. # automatically closed approximately after
769. # keepalive_interval * (keepalive_count + 1) seconds since the last
770. # message received from the daemon. If keepalive_interval is set to
771. # -1, qemu driver will not send keepalive requests during
772. # peer-to-peer migration; however, the remote libvirtd can still
773. # send them and source libvirtd will send responses. When
774. # keepalive_count is set to 0, connections will be automatically
775. # closed after keepalive_interval seconds of inactivity without
776. # sending any keepalive messages.
777. #
778. #keepalive_interval = 5
779. #keepalive_count = 5
780.  
781.  
782.  
783. # Use seccomp syscall sandbox in QEMU.
784. # 1 == seccomp enabled, 0 == seccomp disabled
785. #
786. # If it is unset (or -1), then seccomp will be enabled
787. # only if QEMU >= 2.11.0 is detected, otherwise it is
788. # left disabled. This ensures the default config gets
789. # protection for new QEMU using the blacklist approach.
790. #
791. #seccomp_sandbox = 1
792.  
793.  
794. # Override the listen address for all incoming migrations. Defaults to
795. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
796. #migration_address = "0.0.0.0"
797.  
798.  
799. # The default hostname or IP address which will be used by a migration
800. # source for transferring migration data to this host. The migration
801. # source has to be able to resolve this hostname and connect to it so
802. # setting "localhost" will not work. By default, the host's configured
803. # hostname is used.
804. #migration_host = "host.example.com"
805.  
806.  
807. # Override the port range used for incoming migrations.
808. #
809. # Minimum must be greater than 0, however when QEMU is not running as root,
810. # setting the minimum to be lower than 1024 will not work.
811. #
812. # Maximum must not be greater than 65535.
813. #
814. #migration_port_min = 49152
815. #migration_port_max = 49215
816.  
817.  
818.  
819. # Timestamp QEMU's log messages (if QEMU supports it)
820. #
821. # Defaults to 1.
822. #
823. #log_timestamp = 0
824.  
825.  
826. # Location of master nvram file
827. #
828. # This configuration option is obsolete. Libvirt will follow the
829. # QEMU firmware metadata specification to automatically locate
830. # firmware images. See docs/interop/firmware.json in the QEMU
831. # source tree. These metadata files are distributed alongside any
832. # firmware images intended for use with QEMU.
833. #
834. # NOTE: if ANY firmware metadata files are detected, this setting
835. # will be COMPLETELY IGNORED.
836. #
837. # ------------------------------------------
838. #
839. # When a domain is configured to use UEFI instead of standard
840. # BIOS it may use a separate storage for UEFI variables. If
841. # that's the case libvirt creates the variable store per domain
842. # using this master file as image. Each UEFI firmware can,
843. # however, have different variables store. Therefore the nvram is
844. # a list of strings when a single item is in form of:
845. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
846. # Later, when libvirt creates per domain variable store, this list is
847. # searched for the master image. The UEFI firmware can be called
848. # differently for different guest architectures. For instance, it's OVMF
849. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
850. # follows this scheme.
851. #nvram = [
852. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
853. # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
854. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
855. # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
856. # "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
857. #]
858.  
859. # The backend to use for handling stdout/stderr output from
860. # QEMU processes.
861. #
862. # 'file': QEMU writes directly to a plain file. This is the
863. # historical default, but allows QEMU to inflict a
864. # denial of service attack on the host by exhausting
865. # filesystem space
866. #
867. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
868. # This is the current default, providing protection
869. # against denial of service by performing log file
870. # rollover when a size limit is hit.
871. #
872. #stdio_handler = "logd"
873.  
874. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
875. # most verbose, and 0 representing no debugging output.
876. #
877. # The current logging levels defined in the gluster GFAPI are:
878. #
879. # 0 - None
880. # 1 - Emergency
881. # 2 - Alert
882. # 3 - Critical
883. # 4 - Error
884. # 5 - Warning
885. # 6 - Notice
886. # 7 - Info
887. # 8 - Debug
888. # 9 - Trace
889. #
890. # Defaults to 4
891. #
892. #gluster_debug_level = 9
893.  
894. # virtiofsd debug
895. #
896. # Whether to enable the debugging output of the virtiofsd daemon.
897. # Possible values are 0 or 1. Disabled by default.
898. #
899. #virtiofsd_debug = 1
900.  
901. # To enhance security, QEMU driver is capable of creating private namespaces
902. # for each domain started. Well, so far only "mount" namespace is supported. If
903. # enabled it means qemu process is unable to see all the devices on the system,
904. # only those configured for the domain in question. Libvirt then manages
905. # devices entries throughout the domain lifetime. This namespace is turned on
906. # by default.
907. #namespaces = [ "mount" ]
908.  
909. # This directory is used for memoryBacking source if configured as file.
910. # NOTE: big files will be stored here
911. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
912.  
913. # Path to the SCSI persistent reservations helper. This helper is
914. # used whenever <reservations/> are enabled for SCSI LUN devices.
915. #pr_helper = "/usr/bin/qemu-pr-helper"
916.  
917. # Path to the SLIRP networking helper.
918. #slirp_helper = "/usr/bin/slirp-helper"
919.  
920. # Path to the dbus-daemon
921. #dbus_daemon = "/usr/bin/dbus-daemon"
922.  
923. # User for the swtpm TPM Emulator
924. #
925. # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
926. # and uses; alternative is 'root'
927. #
928. #swtpm_user = "tss"
929. #swtpm_group = "tss"
930.  
931. # For debugging and testing purposes it's sometimes useful to be able to disable
932. # libvirt behaviour based on the capabilities of the qemu process. This option
933. # allows to do so. DO _NOT_ use in production and beaware that the behaviour
934. # may change across versions.
935. #
936. #capability_filters = [ "capname" ]