
Untitled

a guest
Aug 12th, 2018
  1. # Master configuration file for the QEMU driver.
  2. # All settings described here are optional - if omitted, sensible
  3. # defaults are used.
  4.  
  5. # Use of TLS requires that x509 certificates be issued. The default is
  6. # to keep them in /etc/pki/qemu. This directory must contain
  7. #
  8. # ca-cert.pem - the CA master certificate
  9. # server-cert.pem - the server certificate signed with ca-cert.pem
  10. # server-key.pem - the server private key
  11. #
  12. # and optionally may contain
  13. #
  14. # dh-params.pem - the DH params configuration file
  15. #
  16. # If the directory does not exist, libvirtd will fail to start. If the
  17. # directory doesn't contain the necessary files, QEMU domains will fail
  18. # to start if they are configured to use TLS.
  19. #
  20. # In order to overwrite the default path alter the following. This path
  21. # definition will be used as the default path for other *_tls_x509_cert_dir
  22. # configuration settings if their default path does not exist or is not
  23. # specifically set.
  24. #
  25. #default_tls_x509_cert_dir = "/etc/pki/qemu"
  26.  
  27.  
  28. # The default TLS configuration only uses certificates for the server
  29. # allowing the client to verify the server's identity and establish
  30. # an encrypted channel.
  31. #
  32. # It is possible to use x509 certificates for authentication too, by
  33. # issuing an x509 certificate to every client who needs to connect.
  34. #
  35. # Enabling this option will reject any client who does not have a
  36. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
  37. #
  38. # The default_tls_x509_cert_dir directory must also contain
  39. #
  40. # client-cert.pem - the client certificate signed with the ca-cert.pem
  41. # client-key.pem - the client private key
  42. #
  43. #default_tls_x509_verify = 1
  44.  
  45. #
  46. # Libvirt assumes the server-key.pem file is unencrypted by default.
  47. # To use an encrypted server-key.pem file, the password to decrypt
  48. # the PEM file is required. This can be provided by creating a secret
  49. # object in libvirt and then uncommenting this setting to set the UUID
  50. # of the secret.
  51. #
  52. # NB This default all-zeros UUID will not work. Replace it with the
  53. # UUID of the TLS secret as listed by a 'virsh secret-list'
  54. # command and then uncomment the entry.
  55. #
  56. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  57.  
  58.  
  59. # VNC is configured to listen on 127.0.0.1 by default.
  60. # To make it listen on all public interfaces, uncomment
  61. # this next option.
  62. #
  63. # NB, strong recommendation to enable TLS + x509 certificate
  64. # verification when allowing public access
  65. #
  66. #vnc_listen = "0.0.0.0"
  67.  
  68. # Enable this option to have VNC served over an automatically created
  69. # unix socket. This prevents unprivileged access from users on the
  70. # host machine, though most VNC clients do not support it.
  71. #
  72. # This will only be enabled for VNC configurations that have listen
  73. # type=address but without any address specified. This setting takes
  74. # preference over vnc_listen.
  75. #
  76. #vnc_auto_unix_socket = 1
  77.  
  78. # Enable use of TLS encryption on the VNC server. This requires
  79. # a VNC client which supports the VeNCrypt protocol extension.
  80. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
  81. # itself. UltraVNC, RealVNC, TightVNC do not support this
  82. #
  83. # It is necessary to setup CA and issue a server certificate
  84. # before enabling this.
  85. #
  86. #vnc_tls = 1
  87.  
  88.  
  89. # In order to override the default TLS certificate location for
  90. # vnc certificates, supply a valid path to the certificate directory.
  91. # If the provided path does not exist, libvirtd will fail to start.
  92. # If the path is not provided, but vnc_tls = 1, then the
  93. # default_tls_x509_cert_dir path will be used.
  94. #
  95. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
  96.  
  97.  
  98. # The default TLS configuration only uses certificates for the server
  99. # allowing the client to verify the server's identity and establish
  100. # an encrypted channel.
  101. #
  102. # It is possible to use x509 certificates for authentication too, by
  103. # issuing an x509 certificate to every client who needs to connect.
  104. #
  105. # Enabling this option will reject any client that does not have a
  106. # certificate signed by the CA (ca-cert.pem) in the vnc_tls_x509_cert_dir
  107. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  108. # files described in default_tls_x509_cert_dir.
  109. #
  110. # If this option is not supplied, it will be set to the value of
  111. # "default_tls_x509_verify".
  112. #
  113. #vnc_tls_x509_verify = 1
  114.  
  115.  
  116. # The default VNC password. Only 8 bytes are significant for
  117. # VNC passwords. This parameter is only used if the per-domain
  118. # XML config does not already provide a password. To allow
  119. # access without passwords, leave this commented out. An empty
  120. # string will still enable passwords, but be rejected by QEMU,
  121. # effectively preventing any use of VNC. Obviously change this
  122. # example here before you set this.
  123. #
  124. #vnc_password = "XYZ12345"
  125.  
  126.  
  127. # Enable use of SASL encryption on the VNC server. This requires
  128. # a VNC client which supports the SASL protocol extension.
  129. # Examples include vinagre, virt-viewer and virt-manager.
  130. # UltraVNC, RealVNC and TightVNC do not support this.
  131. #
  132. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  133. # the desired SASL plugin (eg, GSSAPI for Kerberos)
  134. #
  135. #vnc_sasl = 1
  136.  
  137.  
  138. # The default SASL configuration file is located in /etc/sasl2/
  139. # When running libvirtd unprivileged, it may be desirable to
  140. # override the configs in this location. Set this parameter to
  141. # point to the directory, and create a qemu.conf in that location
  142. #
  143. #vnc_sasl_dir = "/some/directory/sasl2"
  144.  
  145.  
  146. # QEMU implements an extension for providing audio over a VNC connection,
  147. # though if your VNC client does not support it, your only chance for getting
  148. # sound output is through regular audio backends. By default, libvirt will
  149. # disable all QEMU sound backends if using VNC, since they can cause
  150. # permissions issues. Enabling this option will make libvirtd honor the
  151. # QEMU_AUDIO_DRV environment variable when using VNC.
  152. #
  153. #vnc_allow_host_audio = 0
  154.  
  155.  
  156.  
  157. # SPICE is configured to listen on 127.0.0.1 by default.
  158. # To make it listen on all public interfaces, uncomment
  159. # this next option.
  160. #
  161. # NB, strong recommendation to enable TLS + x509 certificate
  162. # verification when allowing public access
  163. #
  164. #spice_listen = "0.0.0.0"
  165.  
  166.  
  167. # Enable use of TLS encryption on the SPICE server.
  168. #
  169. # It is necessary to setup CA and issue a server certificate
  170. # before enabling this.
  171. #
  172. #spice_tls = 1
  173.  
  174.  
  175. # In order to override the default TLS certificate location for
  176. # spice certificates, supply a valid path to the certificate directory.
  177. # If the provided path does not exist, libvirtd will fail to start.
  178. # If the path is not provided, but spice_tls = 1, then the
  179. # default_tls_x509_cert_dir path will be used.
  180. #
  181. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
  182.  
  183.  
  184. # Enable this option to have SPICE served over an automatically created
  185. # unix socket. This prevents unprivileged access from users on the
  186. # host machine.
  187. #
  188. # This will only be enabled for SPICE configurations that have listen
  189. # type=address but without any address specified. This setting takes
  190. # preference over spice_listen.
  191. #
  192. #spice_auto_unix_socket = 1
  193.  
  194.  
  195. # The default SPICE password. This parameter is only used if the
  196. # per-domain XML config does not already provide a password. To
  197. # allow access without passwords, leave this commented out. An
  198. # empty string will still enable passwords, but be rejected by
  199. # QEMU, effectively preventing any use of SPICE. Obviously change
  200. # this example here before you set this.
  201. #
  202. #spice_password = "XYZ12345"
  203.  
  204.  
  205. # Enable use of SASL encryption on the SPICE server. This requires
  206. # a SPICE client which supports the SASL protocol extension.
  207. #
  208. # It is necessary to configure /etc/sasl2/qemu.conf to choose
  209. # the desired SASL plugin (eg, GSSAPI for Kerberos)
  210. #
  211. #spice_sasl = 1
  212.  
  213. # The default SASL configuration file is located in /etc/sasl2/
  214. # When running libvirtd unprivileged, it may be desirable to
  215. # override the configs in this location. Set this parameter to
  216. # point to the directory, and create a qemu.conf in that location
  217. #
  218. #spice_sasl_dir = "/some/directory/sasl2"
  219.  
  220. # Enable use of TLS encryption on the chardev TCP transports.
  221. #
  222. # It is necessary to setup CA and issue a server certificate
  223. # before enabling this.
  224. #
  225. #chardev_tls = 1
  226.  
  227.  
  228. # In order to override the default TLS certificate location for character
  229. # device TCP certificates, supply a valid path to the certificate directory.
  230. # If the provided path does not exist, libvirtd will fail to start.
  231. # If the path is not provided, but chardev_tls = 1, then the
  232. # default_tls_x509_cert_dir path will be used.
  233. #
  234. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
  235.  
  236.  
  237. # The default TLS configuration only uses certificates for the server
  238. # allowing the client to verify the server's identity and establish
  239. # an encrypted channel.
  240. #
  241. # It is possible to use x509 certificates for authentication too, by
  242. # issuing an x509 certificate to every client who needs to connect.
  243. #
  244. # Enabling this option will reject any client that does not have a
  245. # certificate signed by the CA (ca-cert.pem) in the chardev_tls_x509_cert_dir
  246. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  247. # files described in default_tls_x509_cert_dir.
  248. #
  249. # If this option is not supplied, it will be set to the value of
  250. # "default_tls_x509_verify".
  251. #
  252. #chardev_tls_x509_verify = 1
  253.  
  254.  
  255. # Uncomment and use the following option to override the default secret
  256. # UUID provided in the default_tls_x509_secret_uuid parameter.
  257. #
  258. # NB This default all-zeros UUID will not work. Replace it with the
  259. # UUID of the TLS secret as listed by a 'virsh secret-list'
  260. # command and then uncomment the entry.
  261. #
  262. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  263.  
  264.  
  265. # Enable use of TLS encryption for all VxHS network block devices that
  266. # don't specifically disable it.
  267. #
  268. # When the VxHS network block device server is set up appropriately,
  269. # x509 certificates are required for authentication between the clients
  270. # (qemu processes) and the remote VxHS server.
  271. #
  272. # It is necessary to setup CA and issue the client certificate before
  273. # enabling this.
  274. #
  275. #vxhs_tls = 1
  276.  
  277.  
  278. # In order to override the default TLS certificate location for VxHS
  279. # backed storage, supply a valid path to the certificate directory.
  280. # This is used to authenticate the VxHS block device clients to the VxHS
  281. # server.
  282. #
  283. # If the provided path does not exist, libvirtd will fail to start.
  284. # If the path is not provided, but vxhs_tls = 1, then the
  285. # default_tls_x509_cert_dir path will be used.
  286. #
  287. # VxHS block device clients expect the client certificate and key to be
  288. # present in the certificate directory along with the CA master certificate.
  289. # If using the default environment, default_tls_x509_verify must be configured.
  290. # Since this is only a client the server-key.pem certificate is not needed.
  291. # Thus a VxHS directory must contain the following:
  292. #
  293. # ca-cert.pem - the CA master certificate
  294. # client-cert.pem - the client certificate signed with the ca-cert.pem
  295. # client-key.pem - the client private key
  296. #
  297. #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
  298.  
  299.  
  300.  
  301. # Enable use of TLS encryption for all NBD disk devices that don't
  302. # specifically disable it.
  303. #
  304. # When the NBD server is set up appropriately, x509 certificates are required
  305. # for authentication between the client and the remote NBD server.
  306. #
  307. # It is necessary to setup CA and issue the client certificate before
  308. # enabling this.
  309. #
  310. #nbd_tls = 1
  311.  
  312.  
  313. # In order to override the default TLS certificate location for NBD
  314. # backed storage, supply a valid path to the certificate directory.
  315. # This is used to authenticate the NBD block device clients to the NBD
  316. # server.
  317. #
  318. # If the provided path does not exist, libvirtd will fail to start.
  319. # If the path is not provided, but nbd_tls = 1, then the
  320. # default_tls_x509_cert_dir path will be used.
  321. #
  322. # NBD block device clients expect the client certificate and key to be
  323. # present in the certificate directory along with the CA certificate.
  324. # Since this is only a client the server-key.pem certificate is not needed.
  325. # Thus a NBD directory must contain the following:
  326. #
  327. # ca-cert.pem - the CA master certificate
  328. # client-cert.pem - the client certificate signed with the ca-cert.pem
  329. # client-key.pem - the client private key
  330. #
  331. #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
  332.  
  333.  
  334. # In order to override the default TLS certificate location for migration
  335. # certificates, supply a valid path to the certificate directory. If the
  336. # provided path does not exist, libvirtd will fail to start. If the path is
  337. # not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
  338. # will be used. Once/if a default certificate is enabled/defined, migration
  339. # will then be able to use the certificate via migration API flags.
  340. #
  341. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
  342.  
  343.  
  344. # The default TLS configuration only uses certificates for the server
  345. # allowing the client to verify the server's identity and establish
  346. # an encrypted channel.
  347. #
  348. # It is possible to use x509 certificates for authentication too, by
  349. # issuing an x509 certificate to every client who needs to connect.
  350. #
  351. # Enabling this option will reject any client that does not have a
  352. # certificate signed by the CA (ca-cert.pem) in the migrate_tls_x509_cert_dir
  353. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
  354. # files described in default_tls_x509_cert_dir.
  355. #
  356. # If this option is not supplied, it will be set to the value of
  357. # "default_tls_x509_verify".
  358. #
  359. #migrate_tls_x509_verify = 1
  360.  
  361.  
  362. # Uncomment and use the following option to override the default secret
  363. # UUID provided in the default_tls_x509_secret_uuid parameter.
  364. #
  365. # NB This default all-zeros UUID will not work. Replace it with the
  366. # UUID of the TLS secret as listed by a 'virsh secret-list'
  367. # command and then uncomment the entry.
  368. #
  369. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
  370.  
  371.  
  372. # By default, if no graphical front end is configured, libvirt will disable
  373. # QEMU audio output since directly talking to alsa/pulseaudio may not work
  374. # with various security settings. If you know what you're doing, enable
  375. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
  376. # environment variable when using nographics.
  377. #
  378. #nographics_allow_host_audio = 1
  379.  
  380.  
  381. # Override the port for creating both VNC and SPICE sessions (min).
  382. # This defaults to 5900 and increases for consecutive sessions
  383. # or when ports are occupied, until it hits the maximum.
  384. #
  385. # Minimum must be greater than or equal to 5900 as a lower number would
  386. # result in a negative VNC display number.
  387. #
  388. # Maximum must be less than 65536, because higher numbers do not make
  389. # sense as a port number.
  390. #
  391. #remote_display_port_min = 5900
  392. #remote_display_port_max = 65535
  393.  
  394. # VNC WebSocket port policies, same rules apply as with remote display
  395. # ports. VNC WebSockets use similar display <-> port mappings, with
  396. # the exception being that ports start from 5700 instead of 5900.
  397. #
  398. #remote_websocket_port_min = 5700
  399. #remote_websocket_port_max = 65535
  400.  
  401. # The default security driver is SELinux. If SELinux is disabled
  402. # on the host, then the security driver will automatically disable
  403. # itself. If you wish to disable QEMU SELinux security driver while
  404. # leaving SELinux enabled for the host in general, then set this
  405. # to 'none' instead. It's also possible to use more than one security
  406. # driver at the same time, for this use a list of names separated by
  407. # comma and delimited by square brackets. For example:
  408. #
  409. # security_driver = [ "selinux", "apparmor" ]
  410. #
  411. # Notes: The DAC security driver is always enabled; as a result, the
  412. # value of security_driver cannot contain "dac". The value "none" is
  413. # a special value; security_driver can be set to that value in
  414. # isolation, but it cannot appear in a list of drivers.
  415. #
  416. #security_driver = "selinux"
  417.  
  418. # If set to non-zero, then the default security labeling
  419. # will make guests confined. If set to zero, then guests
  420. # will be unconfined by default. Defaults to 1.
  421. #security_default_confined = 1
  422.  
  423. # If set to non-zero, then attempts to create unconfined
  424. # guests will be blocked. Defaults to 0.
  425. #security_require_confined = 1
  426.  
  427. # The user for QEMU processes run by the system instance. It can be
  428. # specified as a user name or as a user id. The qemu driver will try to
  429. # parse this value first as a name and then, if the name doesn't exist,
  430. # as a user id.
  431. #
  432. # Since a sequence of digits is a valid user name, a leading plus sign
  433. # can be used to ensure that a user id will not be interpreted as a user
  434. # name.
  435. #
  436. # Some examples of valid values are:
  437. #
  438. # user = "qemu" # A user named "qemu"
  439. # user = "+0" # Super user (uid=0)
  440. # user = "100" # A user named "100" or a user with uid=100
  441. #
       # NOTE(review): user and group are the only settings left uncommented in
       # the visible part of this file. "mtothem" looks like a personal login
       # account rather than a dedicated service account like the "qemu"
       # example above - confirm. If it is, QEMU processes of the system
       # instance run with that account's access, so a compromised emulator
       # process can reach whatever files that account can; a dedicated
       # unprivileged account narrows that exposure.
  442. user = "mtothem"
  443.  
  444. # The group for QEMU processes run by the system instance. It can be
  445. # specified in a similar way to user.
       # NOTE(review): dynamic_ownership is left at its documented default of 1
       # (next setting), so libvirt changes file ownership to match this
       # user/group - verify that is intended.
  446. group = "kvm"
  447.  
  448. # Whether libvirt should dynamically change file ownership
  449. # to match the configured user/group above. Defaults to 1.
  450. # Set to 0 to disable file ownership changes.
  451. #dynamic_ownership = 1
  452.  
  453.  
  454. # What cgroup controllers to make use of with QEMU guests
  455. #
  456. # - 'cpu' - use for scheduler tunables
  457. # - 'devices' - use for device whitelisting
  458. # - 'memory' - use for memory tunables
  459. # - 'blkio' - use for block devices I/O tunables
  460. # - 'cpuset' - use for CPUs and memory nodes
  461. # - 'cpuacct' - use for CPUs statistics.
  462. #
  463. # NB, even if configured here, they won't be used unless
  464. # the administrator has mounted cgroups, e.g.:
  465. #
  466. # mkdir /dev/cgroup
  467. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
  468. #
  469. # They can be mounted anywhere, and different controllers
  470. # can be mounted in different locations. libvirt will detect
  471. # where they are located.
  472. #
  473. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
  474.  
  475. # This is the basic set of devices allowed / required by
  476. # all virtual machines.
  477. #
  478. # As well as this, any configured block backed disks,
  479. # all sound devices, and all PTY devices are allowed.
  480. #
  481. # This will only need setting if newer QEMU suddenly
  482. # wants some device we don't already know about.
  483. #
  484. #cgroup_device_acl = [
  485. # "/dev/null", "/dev/full", "/dev/zero",
  486. # "/dev/random", "/dev/urandom",
  487. # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
  488. # "/dev/rtc","/dev/hpet", "/dev/sev"
  489. #]
  490. #
  491. # RDMA migration requires the following extra files to be added to the list:
  492. # "/dev/infiniband/rdma_cm",
  493. # "/dev/infiniband/issm0",
  494. # "/dev/infiniband/issm1",
  495. # "/dev/infiniband/umad0",
  496. # "/dev/infiniband/umad1",
  497. # "/dev/infiniband/uverbs0"
  498.  
  499.  
  500. # The default format for QEMU/KVM guest save images is raw; that is, the
  501. # memory from the domain is dumped out directly to a file. If you have
  502. # guests with a large amount of memory, however, this can take up quite
  503. # a bit of space. If you would like to compress the images while they
  504. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
  505. # for save_image_format. Note that this means you slow down the process of
  506. # saving a domain in order to save disk space; the list above is in descending
  507. # order by performance and ascending order by compression ratio.
  508. #
  509. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
  510. # at scheduled saving, and it is an error if the specified save_image_format
  511. # is not valid, or the requested compression program can't be found.
  512. #
  513. # dump_image_format is used when you use 'virsh dump' at emergency
  514. # crashdump, and if the specified dump_image_format is not valid, or
  515. # the requested compression program can't be found, this falls
  516. # back to "raw" compression.
  517. #
  518. # snapshot_image_format specifies the compression algorithm of the memory save
  519. # image when an external snapshot of a domain is taken. This does not apply
  520. # to the disk image format. It is an error if the specified format isn't valid,
  521. # or the requested compression program can't be found.
  522. #
  523. #save_image_format = "raw"
  524. #dump_image_format = "raw"
  525. #snapshot_image_format = "raw"
  526.  
  527. # When a domain is configured to be auto-dumped when libvirtd receives a
  528. # watchdog event from qemu guest, libvirtd will save dump files in directory
  529. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
  530. #
  531. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
  532.  
  533. # When a domain is configured to be auto-dumped, enabling this flag
  534. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
  535. # virDomainCoreDump API. That is, the system will avoid using the
  536. # file system cache while writing the dump file, but may cause
  537. # slower operation.
  538. #
  539. #auto_dump_bypass_cache = 0
  540.  
  541. # When a domain is configured to be auto-started, enabling this flag
  542. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
  543. # with the virDomainCreateWithFlags API. That is, the system will
  544. # avoid using the file system cache when restoring any managed state
  545. # file, but may cause slower operation.
  546. #
  547. #auto_start_bypass_cache = 0
  548.  
  549. # If provided by the host and a hugetlbfs mount point is configured,
  550. # a guest may request huge page backing. When this mount point is
  551. # unspecified here, determination of a host mount point in /proc/mounts
  552. # will be attempted. Specifying an explicit mount overrides detection
  553. # of the same in /proc/mounts. Setting the mount point to "" will
  554. # disable guest hugepage backing. If desired, multiple mount points can
  555. # be specified at once, separated by comma and enclosed in square
  556. # brackets, for example:
  557. #
  558. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
  559. #
  560. # The size of huge page served by specific mount point is determined by
  561. # libvirt at the daemon startup.
  562. #
  563. # NB, within these mount points, guests will create memory backing
  564. # files in a location of $MOUNTPOINT/libvirt/qemu
  565. #
  566. #hugetlbfs_mount = "/dev/hugepages"
  567.  
  568.  
  569. # Path to the setuid helper for creating tap devices. This executable
  570. # is used to create <source type='bridge'> interfaces when libvirtd is
  571. # running unprivileged. libvirt invokes the helper directly, instead
  572. # of using "-netdev bridge", for security reasons.
  573. #bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
  574.  
  575.  
  576.  
  577. # If clear_emulator_capabilities is enabled, libvirt will drop all
  578. # privileged capabilities of the QEMU/KVM emulator. This is enabled by
  579. # default.
  580. #
  581. # Warning: Disabling this option means that a compromised guest can
  582. # exploit the privileges and possibly do damage to the host.
  583. #
  584. #clear_emulator_capabilities = 1
  585.  
  586.  
  587. # If enabled, libvirt will have QEMU set its process name to
  588. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
  589. # process will appear as "qemu:VM_NAME" in process listings and
  590. # other system monitoring tools. By default, QEMU does not set
  591. # its process title, so the complete QEMU command (emulator and
  592. # its arguments) appear in process listings.
  593. #
  594. #set_process_name = 1
  595.  
  596.  
  597. # If max_processes is set to a positive integer, libvirt will use
  598. # it to set the maximum number of processes that can be run by qemu
  599. # user. This can be used to override default value set by host OS.
  600. # The same applies to max_files which sets the limit on the maximum
  601. # number of opened files.
  602. #
  603. #max_processes = 0
  604. #max_files = 0
  605.  
  606. # If max_core is set to a non-zero integer, then QEMU will be
  607. # permitted to create core dumps when it crashes, provided its
  608. # RAM size is smaller than the limit set.
  609. #
  610. # Be warned that the core dump will include a full copy of the
  611. # guest RAM, if the 'dump_guest_core' setting has been enabled,
  612. # or if the guest XML contains
  613. #
  614. # <memory dumpcore="on">...guest ram...</memory>
  615. #
  616. # If guest RAM is to be included, ensure the max_core limit
  617. # is set to at least the size of the largest expected guest
  618. # plus another 1GB for any QEMU host side memory mappings.
  619. #
  620. # As a special case it can be set to the string "unlimited" to
  621. # allow arbitrarily sized core dumps.
  622. #
  623. # By default the core dump size is set to 0 disabling all dumps
  624. #
  625. # Size is a positive integer specifying bytes or the
  626. # string "unlimited"
  627. #
  628. #max_core = "unlimited"
  629.  
  630. # Determine if guest RAM is included in QEMU core dumps. By
  631. # default guest RAM will be excluded if a new enough QEMU is
  632. # present. Setting this to '1' will force guest RAM to always
  633. # be included in QEMU core dumps.
  634. #
  635. # This setting will be ignored if the guest XML has set the
  636. # dumpcore attribute on the <memory> element.
  637. #
  638. #dump_guest_core = 1
  639.  
  640. # mac_filter enables MAC address based filtering on bridge ports.
  641. # This currently requires ebtables to be installed.
  642. #
  643. #mac_filter = 1
  644.  
  645.  
  646. # By default, PCI devices below a non-ACS switch are not allowed to be assigned
  647. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
  648. # be assigned to guests.
  649. #
  650. #relaxed_acs_check = 1
  651.  
  652.  
  653. # In order to prevent accidentally starting two domains that
  654. # share one writable disk, libvirt offers two approaches for
  655. # locking files. The first one is sanlock, the other one,
  656. # virtlockd, is then our own implementation. Accepted values
  657. # are "sanlock" and "lockd".
  658. #
  659. #lock_manager = "lockd"
  660.  
  661.  
  662.  
  663. # Set limit of maximum APIs queued on one domain. All other APIs
  664. # over this threshold will fail on acquiring job lock. As a special case,
  665. # setting this to zero turns this feature off.
  666. # Note that the job lock is per domain.
  667. #
  668. #max_queued = 0
  669.  
  670. ###################################################################
  671. # Keepalive protocol:
  672. # This allows qemu driver to detect broken connections to remote
  673. # libvirtd during peer-to-peer migration. A keepalive message is
  674. # sent to the daemon after keepalive_interval seconds of inactivity
  675. # to check if the daemon is still responding; keepalive_count is a
  676. # maximum number of keepalive messages that are allowed to be sent
  677. # to the daemon without getting any response before the connection
  678. # is considered broken. In other words, the connection is
  679. # automatically closed approximately after
  680. # keepalive_interval * (keepalive_count + 1) seconds since the last
  681. # message received from the daemon. If keepalive_interval is set to
  682. # -1, qemu driver will not send keepalive requests during
  683. # peer-to-peer migration; however, the remote libvirtd can still
  684. # send them and source libvirtd will send responses. When
  685. # keepalive_count is set to 0, connections will be automatically
  686. # closed after keepalive_interval seconds of inactivity without
  687. # sending any keepalive messages.
  688. #
  689. #keepalive_interval = 5
  690. #keepalive_count = 5
  691.  
  692.  
  693.  
  694. # Use seccomp syscall sandbox in QEMU.
  695. # 1 == seccomp enabled, 0 == seccomp disabled
  696. #
  697. # If it is unset (or -1), then seccomp will be enabled
  698. # only if QEMU >= 2.11.0 is detected, otherwise it is
  699. # left disabled. This ensures the default config gets
  700. # protection for new QEMU using the blacklist approach.
  701. #
  702. #seccomp_sandbox = 1
  703.  
  704.  
  705. # Override the listen address for all incoming migrations. Defaults to
  706. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
  707. #migration_address = "0.0.0.0"
  708.  
  709.  
  710. # The default hostname or IP address which will be used by a migration
  711. # source for transferring migration data to this host. The migration
  712. # source has to be able to resolve this hostname and connect to it so
  713. # setting "localhost" will not work. By default, the host's configured
  714. # hostname is used.
  715. #migration_host = "host.example.com"
  716.  
  717.  
  718. # Override the port range used for incoming migrations.
  719. #
  720. # Minimum must be greater than 0; however, when QEMU is not running as root,
  721. # setting the minimum to be lower than 1024 will not work.
  722. #
  723. # Maximum must not be greater than 65535.
  724. #
  725. #migration_port_min = 49152
  726. #migration_port_max = 49215
  727.  
  728.  
  729.  
  730. # Timestamp QEMU's log messages (if QEMU supports it)
  731. #
  732. # Defaults to 1.
  733. #
  734. #log_timestamp = 0
  735.  
  736.  
  737. # Location of master nvram file
  738. #
  739. # When a domain is configured to use UEFI instead of standard
  740. # BIOS it may use a separate storage for UEFI variables. If
  741. # that's the case libvirt creates the variable store per domain
  742. # using this master file as image. Each UEFI firmware can,
  743. # however, have a different variable store. Therefore nvram is
  744. # a list of strings where each item has the form:
  745. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
  746. # Later, when libvirt creates per domain variable store, this list is
  747. # searched for the master image. The UEFI firmware can be called
  748. # differently for different guest architectures. For instance, it's OVMF
  749. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
  750. # follows this scheme.
  751. #nvram = [
  752. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
  753. # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
  754. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
  755. # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
  756. #]
  757.  
  758. # The backend to use for handling stdout/stderr output from
  759. # QEMU processes.
  760. #
  761. # 'file': QEMU writes directly to a plain file. This is the
  762. # historical default, but allows QEMU to inflict a
  763. # denial of service attack on the host by exhausting
  764. # filesystem space
  765. #
  766. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
  767. # This is the current default, providing protection
  768. # against denial of service by performing log file
  769. # rollover when a size limit is hit.
  770. #
  771. #stdio_handler = "logd"
  772.  
  773. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
  774. # most verbose, and 0 representing no debugging output.
  775. #
  776. # The current logging levels defined in the gluster GFAPI are:
  777. #
  778. # 0 - None
  779. # 1 - Emergency
  780. # 2 - Alert
  781. # 3 - Critical
  782. # 4 - Error
  783. # 5 - Warning
  784. # 6 - Notice
  785. # 7 - Info
  786. # 8 - Debug
  787. # 9 - Trace
  788. #
  789. # Defaults to 4
  790. #
  791. #gluster_debug_level = 9
  792.  
  793. # To enhance security, QEMU driver is capable of creating private namespaces
  794. # for each domain started. Well, so far only the "mount" namespace is supported. If
  795. # enabled, the qemu process is unable to see all the devices on the system,
  796. # only those configured for the domain in question. Libvirt then manages
  797. # device entries throughout the domain lifetime. This namespace is turned on
  798. # by default.
  799. #namespaces = [ "mount" ]
  800.  
  801. # This directory is used for memoryBacking source if configured as file.
  802. # NOTE: big files will be stored here
  803. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
  804.  
  805. # Path to the SCSI persistent reservations helper. This helper is
  806. # used whenever <reservations/> are enabled for SCSI LUN devices.
  807. #pr_helper = "/usr/bin/qemu-pr-helper"
  808.  
  809. # User for the swtpm TPM Emulator
  810. #
  811. # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
  812. # and uses; alternative is 'root'
  813. #
  814. #swtpm_user = "tss"
  815. #swtpm_group = "tss"
  816.  
  # Active override: only the plain x86 OVMF firmware/vars pair is listed.
  # The commented default above also maps OVMF_CODE.secboot.fd and the AAVMF
  # images; a domain using one of those loaders has no entry here to match
  # when this list is searched for its master variable-store image.
  # NOTE(review): presumably this replaces the built-in default list rather
  # than extending it - confirm, and add the missing pairs if secure-boot or
  # aarch64 guests are expected on this host.
  817. nvram = [
  818. "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd"
  819. ]