  1. # Master configuration file for the QEMU driver.
  2. # All settings described here are optional - if omitted, sensible
  3. # defaults are used.
  4.  
  5. # Use of TLS requires that x509 certificates be issued. The default is
  6. # to keep them in /etc/pki/qemu. This directory must contain
  7. #
  8. #  ca-cert.pem - the CA master certificate
  9. #  server-cert.pem - the server certificate signed with ca-cert.pem
  10. #  server-key.pem  - the server private key
  11. #
  12. # and optionally may contain
  13. #
  14. #  dh-params.pem - the DH params configuration file
  15. #
  16. # If the directory does not exist, libvirtd will fail to start. If the
  17. # directory doesn't contain the necessary files, QEMU domains will fail
  18. # to start if they are configured to use TLS.
  19. #
  20. # In order to override the default path, alter the following. This path
  21. # definition will be used as the default path for other *_tls_x509_cert_dir
  22. # configuration settings if their default path does not exist or is not
  23. # specifically set.
  24. #
  25. #default_tls_x509_cert_dir = "/etc/pki/qemu"
  26.  
  27.  
  28. # The default TLS configuration only uses certificates for the server
  29. # allowing the client to verify the server's identity and establish
  30. # an encrypted channel.
  31. #
  32. # It is possible to use x509 certificates for authentication too, by
  33. # issuing an x509 certificate to every client who needs to connect.
  34. #
  35. # Enabling this option will reject any client who does not have a
  36. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
  37. #
  38. # The default_tls_x509_cert_dir directory must also contain
  39. #
  40. #  client-cert.pem - the client certificate signed with the ca-cert.pem
  41. #  client-key.pem - the client private key
  42. #
  43. #default_tls_x509_verify = 1
  44.  
  45. #
  46. # Libvirt assumes the server-key.pem file is unencrypted by default.
  47. # To use an encrypted server-key.pem file, the password to decrypt
  48. # the PEM file is required. This can be provided by creating a secret
  49. # object in libvirt and then to uncomment this setting to set the UUID
  50. # of the secret.
  51. #
  52. # NB This default all-zeros UUID will not work. Replace it with the
  53. # output from the UUID for the TLS secret from a 'virsh secret-list'
  54. # command and then uncomment the entry
  55. #
  56. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  57.  
  58.  
  59. # VNC is configured to listen on 127.0.0.1 by default.
  60. # To make it listen on all public interfaces, uncomment
  61. # this next option.
  62. #
  63. # NB, strong recommendation to enable TLS + x509 certificate
  64. # verification when allowing public access
  65. #
  66. #vnc_listen = "0.0.0.0"
  67.  
  68. # Enable this option to have VNC served over an automatically created
  69. # unix socket. This prevents unprivileged access from users on the
  70. # host machine, though most VNC clients do not support it.
  71. #
  72. # This will only be enabled for VNC configurations that have listen
  73. # type=address but without any address specified. This setting takes
  74. # preference over vnc_listen.
  75. #
  76. #vnc_auto_unix_socket = 1
  77.  
  78. # Enable use of TLS encryption on the VNC server. This requires
  79. # a VNC client which supports the VeNCrypt protocol extension.
  80. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
  81. # itself. UltraVNC, RealVNC, TightVNC do not support this
  82. #
  83. # It is necessary to set up a CA and issue a server certificate
  84. # before enabling this.
  85. #
  86. #vnc_tls = 1
  87.  
  88.  
  89. # In order to override the default TLS certificate location for
  90. # vnc certificates, supply a valid path to the certificate directory.
  91. # If the provided path does not exist, libvirtd will fail to start.
  92. # If the path is not provided, but vnc_tls = 1, then the
  93. # default_tls_x509_cert_dir path will be used.
  94. #
  95. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
  96.  
  97.  
  98. # The default TLS configuration only uses certificates for the server
  99. # allowing the client to verify the server's identity and establish
  100. # an encrypted channel.
  101. #
  102. # It is possible to use x509 certificates for authentication too, by
  103. # issuing an x509 certificate to every client who needs to connect.
  104. #
  105. # Enabling this option will reject any client that does not have a
  106. # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
  107. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  108. # files described in default_tls_x509_cert_dir.
  109. #
  110. # If this option is not supplied, it will be set to the value of
  111. # "default_tls_x509_verify".
  112. #
  113. #vnc_tls_x509_verify = 1
  114.  
  115.  
  116. # The default VNC password. Only the first 8 bytes are significant for
  117. # VNC passwords, and a password alone does not protect the session from
  117. # eavesdropping, so pair it with vnc_tls. This parameter is only used if the per-domain
  118. # XML config does not already provide a password. To allow
  119. # access without passwords, leave this commented out. An empty
  120. # string will still enable passwords, but be rejected by QEMU,
  121. # effectively preventing any use of VNC. Obviously change this
  122. # example here before you set this.
  123. #
  124. #vnc_password = "XYZ12345"
  125.  
  126.  
  127. # Enable use of SASL encryption on the VNC server. This requires
  128. # a VNC client which supports the SASL protocol extension.
  129. # Examples include vinagre, virt-viewer and virt-manager
  130. # itself. UltraVNC, RealVNC, TightVNC do not support this
  131. #
  132. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  133. # the desired SASL plugin (eg, GSSPI for Kerberos)
  134. #
  135. #vnc_sasl = 1
  136.  
  137.  
  138. # The default SASL configuration file is located in /etc/sasl2/
  139. # When running libvirtd unprivileged, it may be desirable to
  140. # override the configs in this location. Set this parameter to
  141. # point to the directory, and create a qemu.conf in that location
  142. #
  143. #vnc_sasl_dir = "/some/directory/sasl2"
  144.  
  145.  
  146. # QEMU implements an extension for providing audio over a VNC connection,
  147. # though if your VNC client does not support it, your only chance for getting
  148. # sound output is through regular audio backends. By default, libvirt will
  149. # disable all QEMU sound backends if using VNC, since they can cause
  150. # permissions issues. Enabling this option will make libvirtd honor the
  151. # QEMU_AUDIO_DRV environment variable when using VNC.
  152. #
  153. #vnc_allow_host_audio = 0
  154.  
  155.  
  156.  
  157. # SPICE is configured to listen on 127.0.0.1 by default.
  158. # To make it listen on all public interfaces, uncomment
  159. # this next option.
  160. #
  161. # NB, strong recommendation to enable TLS + x509 certificate
  162. # verification when allowing public access
  163. #
  164. #spice_listen = "0.0.0.0"
  165.  
  166.  
  167. # Enable use of TLS encryption on the SPICE server.
  168. #
  169. # It is necessary to set up a CA and issue a server certificate
  170. # before enabling this.
  171. #
  172. #spice_tls = 1
  173.  
  174.  
  175. # In order to override the default TLS certificate location for
  176. # spice certificates, supply a valid path to the certificate directory.
  177. # If the provided path does not exist, libvirtd will fail to start.
  178. # If the path is not provided, but spice_tls = 1, then the
  179. # default_tls_x509_cert_dir path will be used.
  180. #
  181. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
  182.  
  183.  
  184. # Enable this option to have SPICE served over an automatically created
  185. # unix socket. This prevents unprivileged access from users on the
  186. # host machine.
  187. #
  188. # This will only be enabled for SPICE configurations that have listen
  189. # type=address but without any address specified. This setting takes
  190. # preference over spice_listen.
  191. #
  192. #spice_auto_unix_socket = 1
  193.  
  194.  
  195. # The default SPICE password. This parameter is only used if the
  196. # per-domain XML config does not already provide a password. To
  197. # allow access without passwords, leave this commented out. An
  198. # empty string will still enable passwords, but be rejected by
  199. # QEMU, effectively preventing any use of SPICE. Obviously change
  200. # this example here before you set this.
  201. #
  202. #spice_password = "XYZ12345"
  203.  
  204.  
  205. # Enable use of SASL encryption on the SPICE server. This requires
  206. # a SPICE client which supports the SASL protocol extension.
  207. #
  208. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  209. # the desired SASL plugin (eg, GSSPI for Kerberos)
  210. #
  211. #spice_sasl = 1
  212.  
  213. # The default SASL configuration file is located in /etc/sasl2/
  214. # When running libvirtd unprivileged, it may be desirable to
  215. # override the configs in this location. Set this parameter to
  216. # point to the directory, and create a qemu.conf in that location
  217. #
  218. #spice_sasl_dir = "/some/directory/sasl2"
  219.  
  220. # Enable use of TLS encryption on the chardev TCP transports.
  221. #
  222. # It is necessary to set up a CA and issue a server certificate
  223. # before enabling this.
  224. #
  225. #chardev_tls = 1
  226.  
  227.  
  228. # In order to override the default TLS certificate location for character
  229. # device TCP certificates, supply a valid path to the certificate directory.
  230. # If the provided path does not exist, libvirtd will fail to start.
  231. # If the path is not provided, but chardev_tls = 1, then the
  232. # default_tls_x509_cert_dir path will be used.
  233. #
  234. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
  235.  
  236.  
  237. # The default TLS configuration only uses certificates for the server
  238. # allowing the client to verify the server's identity and establish
  239. # an encrypted channel.
  240. #
  241. # It is possible to use x509 certificates for authentication too, by
  242. # issuing an x509 certificate to every client who needs to connect.
  243. #
  244. # Enabling this option will reject any client that does not have a
  245. # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
  246. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  247. # files described in default_tls_x509_cert_dir.
  248. #
  249. # If this option is not supplied, it will be set to the value of
  250. # "default_tls_x509_verify".
  251. #
  252. #chardev_tls_x509_verify = 1
  253.  
  254.  
  255. # Uncomment and use the following option to override the default secret
  256. # UUID provided in the default_tls_x509_secret_uuid parameter.
  257. #
  258. # NB This default all-zeros UUID will not work. Replace it with the
  259. # output from the UUID for the TLS secret from a 'virsh secret-list'
  260. # command and then uncomment the entry
  261. #
  262. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  263.  
  264.  
  265. # Enable use of TLS encryption for all VxHS network block devices that
  266. # don't specifically disable.
  267. #
  268. # When the VxHS network block device server is set up appropriately,
  269. # x509 certificates are required for authentication between the clients
  270. # (qemu processes) and the remote VxHS server.
  271. #
  272. # It is necessary to set up a CA and issue the client certificate before
  273. # enabling this.
  274. #
  275. #vxhs_tls = 1
  276.  
  277.  
  278. # In order to override the default TLS certificate location for VxHS
  279. # backed storage, supply a valid path to the certificate directory.
  280. # This is used to authenticate the VxHS block device clients to the VxHS
  281. # server.
  282. #
  283. # If the provided path does not exist, libvirtd will fail to start.
  284. # If the path is not provided, but vxhs_tls = 1, then the
  285. # default_tls_x509_cert_dir path will be used.
  286. #
  287. # VxHS block device clients expect the client certificate and key to be
  288. # present in the certificate directory along with the CA master certificate.
  289. # If using the default environment, default_tls_x509_verify must be configured.
  290. # Since this is only a client, the server-key.pem private key is not needed.
  291. # Thus a VxHS directory must contain the following:
  292. #
  293. #  ca-cert.pem - the CA master certificate
  294. #  client-cert.pem - the client certificate signed with the ca-cert.pem
  295. #  client-key.pem - the client private key
  296. #
  297. #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
  298.  
  299.  
  300.  
  301. # Enable use of TLS encryption for all NBD disk devices that don't
  302. # specifically disable it.
  303. #
  304. # When the NBD server is set up appropriately, x509 certificates are required
  305. # for authentication between the client and the remote NBD server.
  306. #
  307. # It is necessary to set up a CA and issue the client certificate before
  308. # enabling this.
  309. #
  310. #nbd_tls = 1
  311.  
  312.  
  313. # In order to override the default TLS certificate location for NBD
  314. # backed storage, supply a valid path to the certificate directory.
  315. # This is used to authenticate the NBD block device clients to the NBD
  316. # server.
  317. #
  318. # If the provided path does not exist, libvirtd will fail to start.
  319. # If the path is not provided, but nbd_tls = 1, then the
  320. # default_tls_x509_cert_dir path will be used.
  321. #
  322. # NBD block device clients expect the client certificate and key to be
  323. # present in the certificate directory along with the CA certificate.
  324. # Since this is only a client, the server-key.pem private key is not needed.
  325. # Thus a NBD directory must contain the following:
  326. #
  327. #  ca-cert.pem - the CA master certificate
  328. #  client-cert.pem - the client certificate signed with the ca-cert.pem
  329. #  client-key.pem - the client private key
  330. #
  331. #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
  332.  
  333.  
  334. # In order to override the default TLS certificate location for migration
  335. # certificates, supply a valid path to the certificate directory. If the
  336. # provided path does not exist, libvirtd will fail to start. If the path is
  337. # not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
  338. # will be used. Once/if a default certificate is enabled/defined, migration
  339. # will then be able to use the certificate via migration API flags.
  340. #
  341. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
  342.  
  343.  
  344. # The default TLS configuration only uses certificates for the server
  345. # allowing the client to verify the server's identity and establish
  346. # an encrypted channel.
  347. #
  348. # It is possible to use x509 certificates for authentication too, by
  349. # issuing an x509 certificate to every client who needs to connect.
  350. #
  351. # Enabling this option will reject any client that does not have a
  352. # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
  353. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  354. # files described in default_tls_x509_cert_dir.
  355. #
  356. # If this option is not supplied, it will be set to the value of
  357. # "default_tls_x509_verify".
  358. #
  359. #migrate_tls_x509_verify = 1
  360.  
  361.  
  362. # Uncomment and use the following option to override the default secret
  363. # UUID provided in the default_tls_x509_secret_uuid parameter.
  364. #
  365. # NB This default all-zeros UUID will not work. Replace it with the
  366. # output from the UUID for the TLS secret from a 'virsh secret-list'
  367. # command and then uncomment the entry
  368. #
  369. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  370.  
  371.  
  372. # By default, if no graphical front end is configured, libvirt will disable
  373. # QEMU audio output since directly talking to alsa/pulseaudio may not work
  374. # with various security settings. If you know what you're doing, enable
  375. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
  376. # environment variable when using nographics.
  377. #
  378. #nographics_allow_host_audio = 1
  379.  
  380.  
  381. # Override the port for creating both VNC and SPICE sessions (min).
  382. # This defaults to 5900 and increases for consecutive sessions
  383. # or when ports are occupied, until it hits the maximum.
  384. #
  385. # Minimum must be greater than or equal to 5900, as a lower number would
  386. # result in a negative VNC display number.
  387. #
  388. # Maximum must be less than 65536, because higher numbers do not make
  389. # sense as a port number.
  390. #
  391. #remote_display_port_min = 5900
  392. #remote_display_port_max = 65535
  393.  
  394. # VNC WebSocket port policies, same rules apply as with remote display
  395. # ports.  VNC WebSockets use similar display <-> port mappings, with
  396. # the exception being that ports start from 5700 instead of 5900.
  397. #
  398. #remote_websocket_port_min = 5700
  399. #remote_websocket_port_max = 65535
  400.  
  401. # The default security driver is SELinux. If SELinux is disabled
  402. # on the host, then the security driver will automatically disable
  403. # itself. If you wish to disable QEMU SELinux security driver while
  404. # leaving SELinux enabled for the host in general, then set this
  405. # to 'none' instead. It's also possible to use more than one security
  406. # driver at the same time, for this use a list of names separated by
  407. # comma and delimited by square brackets. For example:
  408. #
  409. #       security_driver = [ "selinux", "apparmor" ]
  410. #
  411. # Notes: The DAC security driver is always enabled; as a result, the
  412. # value of security_driver cannot contain "dac".  The value "none" is
  413. # a special value; security_driver can be set to that value in
  414. # isolation, but it cannot appear in a list of drivers.
  415. #
  416. #security_driver = "selinux"
  417.  
  418. # If set to non-zero, then the default security labeling
  419. # will make guests confined. If set to zero, then guests
  420. # will be unconfined by default. Defaults to 1.
  421. #security_default_confined = 1
  422.  
  423. # If set to non-zero, then attempts to create unconfined
  424. # guests will be blocked. Defaults to 0.
  425. #security_require_confined = 1
  426.  
  427. # The user for QEMU processes run by the system instance. It can be
  428. # specified as a user name or as a user id. The qemu driver will try to
  429. # parse this value first as a name and then, if the name doesn't exist,
  430. # as a user id.
  431. #
  432. # Since a sequence of digits is a valid user name, a leading plus sign
  433. # can be used to ensure that a user id will not be interpreted as a user
  434. # name.
  435. #
  436. # Some examples of valid values are:
  437. #
  438. #       user = "qemu"   # A user named "qemu"
  439. #       user = "+0"     # Super user (uid=0)
  440. #       user = "100"    # A user named "100" or a user with uid=100
  441. #
  # Running the system-instance QEMU processes as uid 0 widens the blast
  # radius of any guest escape: clear_emulator_capabilities (default 1,
  # further down) drops capabilities but not the uid, so a compromised
  # emulator still holds root's ownership of host files. NOTE(review):
  # this looks like it was set so QEMU can open the raw /dev/input nodes
  # listed in cgroup_device_acl under normal file permissions — confirm.
  # If so, prefer granting the unprivileged account (e.g. "qemu", as in
  # the examples above) access to those nodes via a udev rule or ACL and
  # keeping user/group at the packaged default.
  user = "root"

  # The group for QEMU processes run by the system instance. It can be
  # specified in a similar way to user.
  group = "root"
  447.  
  448. # Whether libvirt should dynamically change file ownership
  449. # to match the configured user/group above. Defaults to 1.
  450. # Set to 0 to disable file ownership changes.
  451. #dynamic_ownership = 1
  452.  
  453.  
  454. # What cgroup controllers to make use of with QEMU guests
  455. #
  456. #  - 'cpu' - use for scheduler tunables
  457. #  - 'devices' - use for device whitelisting
  458. #  - 'memory' - use for memory tunables
  459. #  - 'blkio' - use for block devices I/O tunables
  460. #  - 'cpuset' - use for CPUs and memory nodes
  461. #  - 'cpuacct' - use for CPUs statistics.
  462. #
  463. # NB, even if configured here, they won't be used unless
  464. # the administrator has mounted cgroups, e.g.:
  465. #
  466. #  mkdir /dev/cgroup
  467. #  mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
  468. #
  469. # They can be mounted anywhere, and different controllers
  470. # can be mounted in different locations. libvirt will detect
  471. # where they are located.
  472. #
  473. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
  474.  
  475. # This is the basic set of devices allowed / required by
  476. # all virtual machines.
  477. #
  478. # As well as this, any configured block backed disks,
  479. # all sound device, and all PTY devices are allowed.
  480. #
  481. # This will only need setting if newer QEMU suddenly
  482. # wants some device we don't already know about.
  483. #
  484.  
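  # Device nodes the QEMU cgroup is allowed to open. The first four lines
  # are libvirt's stock set; the entries after them are local additions,
  # presumably for passing the host keyboard and mouse through to a guest
  # (evdev). Each added node hands the guest raw access to that host input
  # device, so keep the list minimal. Prefer the stable /dev/input/by-id/*
  # names: the bare eventN nodes are numbered in enumeration order and may
  # point at a different device after a reboot or USB re-plug. This list
  # only governs the cgroup whitelist; the configured user/group must also
  # be able to open the nodes under ordinary file permissions.
  # (Removed the duplicate "/dev/kvm" entry that was listed twice.)
  cgroup_device_acl = [
      "/dev/null", "/dev/full", "/dev/zero",
      "/dev/random", "/dev/urandom",
      "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
      "/dev/rtc", "/dev/hpet", "/dev/sev",
      "/dev/input/by-id/usb-Corsair_CORSAIR_DARK_CORE_RGB_Wireless_USB_Receiver_15008030AF099D2258CCBEDEF5001940-event-mouse",
      "/dev/input/by-id/usb-Razer_Razer_BlackWidow_Tournament_Edition_Chroma-event-kbd",
      "/dev/input/event9",
      "/dev/input/event4"
  ]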
  497. #
  498. # RDMA migration requires the following extra files to be added to the list:
  499. #   "/dev/infiniband/rdma_cm",
  500. #   "/dev/infiniband/issm0",
  501. #   "/dev/infiniband/issm1",
  502. #   "/dev/infiniband/umad0",
  503. #   "/dev/infiniband/umad1",
  504. #   "/dev/infiniband/uverbs0"
  505.  
  506.  
  507. # The default format for QEMU/KVM guest save images is raw; that is, the
  508. # memory from the domain is dumped out directly to a file.  If you have
  509. # guests with a large amount of memory, however, this can take up quite
  510. # a bit of space.  If you would like to compress the images while they
  511. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
  512. # for save_image_format.  Note that this means you slow down the process of
  513. # saving a domain in order to save disk space; the list above is in descending
  514. # order by performance and ascending order by compression ratio.
  515. #
  516. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
  517. # at scheduled saving, and it is an error if the specified save_image_format
  518. # is not valid, or the requested compression program can't be found.
  519. #
  520. # dump_image_format is used when you use 'virsh dump' at emergency
  521. # crashdump, and if the specified dump_image_format is not valid, or
  522. # the requested compression program can't be found, this falls
  523. # back to "raw" compression.
  524. #
  525. # snapshot_image_format specifies the compression algorithm of the memory save
  526. # image when an external snapshot of a domain is taken. This does not apply
  527. # on disk image format. It is an error if the specified format isn't valid,
  528. # or the requested compression program can't be found.
  529. #
  530. #save_image_format = "raw"
  531. #dump_image_format = "raw"
  532. #snapshot_image_format = "raw"
  533.  
  534. # When a domain is configured to be auto-dumped when libvirtd receives a
  535. # watchdog event from qemu guest, libvirtd will save dump files in directory
  536. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
  537. #
  538. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
  539.  
  540. # When a domain is configured to be auto-dumped, enabling this flag
  541. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
  542. # virDomainCoreDump API.  That is, the system will avoid using the
  543. # file system cache while writing the dump file, but may cause
  544. # slower operation.
  545. #
  546. #auto_dump_bypass_cache = 0
  547.  
  548. # When a domain is configured to be auto-started, enabling this flag
  549. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
  550. # with the virDomainCreateWithFlags API.  That is, the system will
  551. # avoid using the file system cache when restoring any managed state
  552. # file, but may cause slower operation.
  553. #
  554. #auto_start_bypass_cache = 0
  555.  
  556. # If provided by the host and a hugetlbfs mount point is configured,
  557. # a guest may request huge page backing.  When this mount point is
  558. # unspecified here, determination of a host mount point in /proc/mounts
  559. # will be attempted.  Specifying an explicit mount overrides detection
  560. # of the same in /proc/mounts.  Setting the mount point to "" will
  561. # disable guest hugepage backing. If desired, multiple mount points can
  562. # be specified at once, separated by comma and enclosed in square
  563. # brackets, for example:
  564. #
  565. #     hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
  566. #
  567. # The size of huge page served by specific mount point is determined by
  568. # libvirt at the daemon startup.
  569. #
  570. # NB, within these mount points, guests will create memory backing
  571. # files in a location of $MOUNTPOINT/libvirt/qemu
  572. #
  573. #hugetlbfs_mount = "/dev/hugepages"
  574.  
  575.  
  576. # Path to the setuid helper for creating tap devices.  This executable
  577. # is used to create <source type='bridge'> interfaces when libvirtd is
  578. # running unprivileged.  libvirt invokes the helper directly, instead
  579. # of using "-netdev bridge", for security reasons.
  580. #bridge_helper = "/usr/libexec/qemu-bridge-helper"
  581.  
  582.  
  583.  
  584. # If clear_emulator_capabilities is enabled, libvirt will drop all
  585. # privileged capabilities of the QEMU/KVM emulator. This is enabled by
  586. # default.
  587. #
  588. # Warning: Disabling this option means that a compromised guest can
  589. # exploit the privileges and possibly do damage to the host.
  590. #
  591. #clear_emulator_capabilities = 1
  592.  
  593.  
  594. # If enabled, libvirt will have QEMU set its process name to
  595. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
  596. # process will appear as "qemu:VM_NAME" in process listings and
  597. # other system monitoring tools. By default, QEMU does not set
  598. # its process title, so the complete QEMU command (emulator and
  599. # its arguments) appear in process listings.
  600. #
  601. #set_process_name = 1
  602.  
  603.  
  604. # If max_processes is set to a positive integer, libvirt will use
  605. # it to set the maximum number of processes that can be run by qemu
  606. # user. This can be used to override default value set by host OS.
  607. # The same applies to max_files which sets the limit on the maximum
  608. # number of opened files.
  609. #
  610. #max_processes = 0
  611. #max_files = 0
  612.  
  613. # If max_core is set to a non-zero integer, then QEMU will be
  614. # permitted to create core dumps when it crashes, provided its
  615. # RAM size is smaller than the limit set.
  616. #
  617. # Be warned that the core dump will include a full copy of the
  618. # guest RAM, if the 'dump_guest_core' setting has been enabled,
  619. # or if the guest XML contains
  620. #
  621. #   <memory dumpcore="on">...guest ram...</memory>
  622. #
  623. # If guest RAM is to be included, ensure the max_core limit
  624. # is set to at least the size of the largest expected guest
  625. # plus another 1GB for any QEMU host side memory mappings.
  626. #
  627. # As a special case it can be set to the string "unlimited"
  628. # to allow arbitrarily sized core dumps.
  629. #
  630. # By default the core dump size is set to 0 disabling all dumps
  631. #
  632. # Size is a positive integer specifying bytes or the
  633. # string "unlimited"
  634. #
  635. #max_core = "unlimited"
  636.  
  637. # Determine if guest RAM is included in QEMU core dumps. By
  638. # default guest RAM will be excluded if a new enough QEMU is
  639. # present. Setting this to '1' will force guest RAM to always
  640. # be included in QEMU core dumps.
  641. #
  642. # This setting will be ignored if the guest XML has set the
  643. # dumpcore attribute on the <memory> element.
  644. #
  645. #dump_guest_core = 1
  646.  
  647. # mac_filter enables MAC addressed based filtering on bridge ports.
  648. # This currently requires ebtables to be installed.
  649. #
  650. #mac_filter = 1
  651.  
  652.  
  653. # By default, PCI devices below non-ACS switch are not allowed to be assigned
  654. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
  655. # be assigned to guests.
  656. #
  657. #relaxed_acs_check = 1
  658.  
  659.  
  660. # In order to prevent accidentally starting two domains that
  661. # share one writable disk, libvirt offers two approaches for
  662. # locking files. The first is sanlock; the other, virtlockd,
  663. # is libvirt's own implementation. Accepted values
  664. # are "sanlock" and "lockd".
  665. #
  666. #lock_manager = "lockd"
  667.  
  668.  
  669.  
  670. # Set the maximum number of API calls queued on one domain. Any further
  671. # calls over this threshold will fail to acquire the job lock. In particular,
  672. # setting this to zero turns the limit off.
  673. # Note that the job lock is per domain.
  674. #
  675. #max_queued = 0
  676.  
  677. ###################################################################
  678. # Keepalive protocol:
  679. # This allows qemu driver to detect broken connections to remote
  680. # libvirtd during peer-to-peer migration.  A keepalive message is
  681. # sent to the daemon after keepalive_interval seconds of inactivity
  682. # to check if the daemon is still responding; keepalive_count is a
  683. # maximum number of keepalive messages that are allowed to be sent
  684. # to the daemon without getting any response before the connection
  685. # is considered broken.  In other words, the connection is
  686. # automatically closed approximately after
  687. # keepalive_interval * (keepalive_count + 1) seconds since the last
  688. # message received from the daemon.  If keepalive_interval is set to
  689. # -1, qemu driver will not send keepalive requests during
  690. # peer-to-peer migration; however, the remote libvirtd can still
  691. # send them and source libvirtd will send responses.  When
  692. # keepalive_count is set to 0, connections will be automatically
  693. # closed after keepalive_interval seconds of inactivity without
  694. # sending any keepalive messages.
  695. #
  696. #keepalive_interval = 5
  697. #keepalive_count = 5
  698.  
  699.  
  700.  
  701. # Use seccomp syscall sandbox in QEMU.
  702. # 1 == seccomp enabled, 0 == seccomp disabled
  703. #
  704. # If it is unset (or -1), then seccomp will be enabled
  705. # only if QEMU >= 2.11.0 is detected, otherwise it is
  706. # left disabled. This ensures the default config gets
  707. # protection for new QEMU using the blacklist approach.
  708. #
  709. #seccomp_sandbox = 1
  710.  
  711.  
  712. # Override the listen address for all incoming migrations. Defaults to
  713. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
  714. #migration_address = "0.0.0.0"
  715.  
  716.  
  717. # The default hostname or IP address which will be used by a migration
  718. # source for transferring migration data to this host.  The migration
  719. # source has to be able to resolve this hostname and connect to it so
  720. # setting "localhost" will not work.  By default, the host's configured
  721. # hostname is used.
  722. #migration_host = "host.example.com"
  723.  
  724.  
  725. # Override the port range used for incoming migrations.
  726. #
  727. # Minimum must be greater than 0; however, when QEMU is not running as root,
  728. # setting the minimum lower than 1024 will not work.
  729. #
  730. # Maximum must not be greater than 65535.
  731. #
  732. #migration_port_min = 49152
  733. #migration_port_max = 49215
  734.  
  735.  
  736.  
  737. # Timestamp QEMU's log messages (if QEMU supports it)
  738. #
  739. # Defaults to 1.
  740. #
  741. #log_timestamp = 0
  742.  
  743.  
  744. # Location of master nvram file
  745. #
  746. # When a domain is configured to use UEFI instead of standard
  747. # BIOS it may use a separate store for UEFI variables. If
  748. # that's the case libvirt creates the variable store per domain
  749. # using this master file as the image. Each UEFI firmware can,
  750. # however, have a different variable store. Therefore nvram is
  751. # a list of strings, where each item is of the form:
  752. #   ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
  753. # Later, when libvirt creates the per-domain variable store, this list is
  754. # searched for the master image. The UEFI firmware can be named
  755. # differently for different guest architectures. For instance, it's OVMF
  756. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
  757. # follows this scheme.
  758. #nvram = [
  759. #   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
  760. #   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
  761. #   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
  762. #   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
  763. #]
  764.  
  765. # The backend to use for handling stdout/stderr output from
  766. # QEMU processes.
  767. #
  768. #  'file': QEMU writes directly to a plain file. This is the
  769. #          historical default, but allows QEMU to inflict a
  770. #          denial of service attack on the host by exhausting
  771. #          filesystem space
  772. #
  773. #  'logd': QEMU writes to a pipe provided by virtlogd daemon.
  774. #          This is the current default, providing protection
  775. #          against denial of service by performing log file
  776. #          rollover when a size limit is hit.
  777. #
  778. #stdio_handler = "logd"
  779.  
  780. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
  781. # most verbose, and 0 representing no debugging output.
  782. #
  783. # The current logging levels defined in the gluster GFAPI are:
  784. #
  785. #    0 - None
  786. #    1 - Emergency
  787. #    2 - Alert
  788. #    3 - Critical
  789. #    4 - Error
  790. #    5 - Warning
  791. #    6 - Notice
  792. #    7 - Info
  793. #    8 - Debug
  794. #    9 - Trace
  795. #
  796. # Defaults to 4
  797. #
  798. #gluster_debug_level = 9
  799.  
  800. # To enhance security, the QEMU driver is capable of creating private namespaces
  801. # for each domain started. So far only the "mount" namespace is supported. If
  802. # enabled, it means the qemu process is unable to see all the devices on the system,
  803. # only those configured for the domain in question. Libvirt then manages the
  804. # device entries throughout the domain lifetime. This namespace is turned on
  805. # by default.
  806. #namespaces = [ "mount" ]
  807.  
  808. # This directory is used for memoryBacking source if configured as file.
  809. # NOTE: big files will be stored here
  810. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
  811.  
  812. # Path to the SCSI persistent reservations helper. This helper is
  813. # used whenever <reservations/> are enabled for SCSI LUN devices.
  814. #pr_helper = "/usr/bin/qemu-pr-helper"
  815.  
  816. # User and group for the swtpm TPM emulator
  817. #
  818. # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
  819. # and uses; the alternative is 'root'
  820. #
  821. #swtpm_user = "tss"
  822. #swtpm_group = "tss"