# Master configuration file for the QEMU driver.# All settings described here

1. # Master configuration file for the QEMU driver.
2. # All settings described here are optional - if omitted, sensible
3. # defaults are used.
4.  
5. # Use of TLS requires that x509 certificates be issued. The default is
6. # to keep them in /etc/pki/qemu. This directory must contain
7. #
8. # ca-cert.pem - the CA master certificate
9. # server-cert.pem - the server certificate signed with ca-cert.pem
10. # server-key.pem - the server private key
11. #
12. # and optionally may contain
13. #
14. # dh-params.pem - the DH params configuration file
15. #
16. #default_tls_x509_cert_dir = "/etc/pki/qemu"
17.  
18.  
19. # The default TLS configuration only uses certificates for the server
20. # allowing the client to verify the server's identity and establish
21. # an encrypted channel.
22. #
23. # It is possible to use x509 certificates for authentication too, by
24. # issuing an x509 certificate to every client who needs to connect.
25. #
26. # Enabling this option will reject any client who does not have a
27. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
28. #
29. # The default_tls_x509_cert_dir directory must also contain
30. #
31. # client-cert.pem - the client certificate signed with the ca-cert.pem
32. # client-key.pem - the client private key
33. #
34. #default_tls_x509_verify = 1
35.  
36. #
37. # Libvirt assumes the server-key.pem file is unencrypted by default.
38. # To use an encrypted server-key.pem file, the password to decrypt
39. # the PEM file is required. This can be provided by creating a secret
40. # object in libvirt and then to uncomment this setting to set the UUID
41. # of the secret.
42. #
43. # NB This default all-zeros UUID will not work. Replace it with the
44. # output from the UUID for the TLS secret from a 'virsh secret-list'
45. # command and then uncomment the entry
46. #
47. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
48.  
49.  
50. # VNC is configured to listen on 127.0.0.1 by default.
51. # To make it listen on all public interfaces, uncomment
52. # this next option.
53. #
54. # NB, strong recommendation to enable TLS + x509 certificate
55. # verification when allowing public access
56. #
57. #vnc_listen = "0.0.0.0"
58.  
59. # Enable this option to have VNC served over an automatically created
60. # unix socket. This prevents unprivileged access from users on the
61. # host machine, though most VNC clients do not support it.
62. #
63. # This will only be enabled for VNC configurations that have listen
64. # type=address but without any address specified. This setting takes
65. # preference over vnc_listen.
66. #
67. #vnc_auto_unix_socket = 1
68.  
69. # Enable use of TLS encryption on the VNC server. This requires
70. # a VNC client which supports the VeNCrypt protocol extension.
71. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
72. # itself. UltraVNC, RealVNC, TightVNC do not support this
73. #
74. # It is necessary to setup CA and issue a server certificate
75. # before enabling this.
76. #
77. #vnc_tls = 1
78.  
79.  
80. # In order to override the default TLS certificate location for
81. # vnc certificates, supply a valid path to the certificate directory.
82. # If the provided path does not exist then the default_tls_x509_cert_dir
83. # path will be used.
84. #
85. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
86.  
87.  
88. # The default TLS configuration only uses certificates for the server
89. # allowing the client to verify the server's identity and establish
90. # an encrypted channel.
91. #
92. # It is possible to use x509 certificates for authentication too, by
93. # issuing an x509 certificate to every client who needs to connect.
94. #
95. # Enabling this option will reject any client that does not have a
96. # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
97. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
98. # files described in default_tls_x509_cert_dir.
99. #
100. # If this option is not supplied, it will be set to the value of
101. # "default_tls_x509_verify".
102. #
103. #vnc_tls_x509_verify = 1
104.  
105.  
106. # The default VNC password. Only 8 bytes are significant for
107. # VNC passwords. This parameter is only used if the per-domain
108. # XML config does not already provide a password. To allow
109. # access without passwords, leave this commented out. An empty
110. # string will still enable passwords, but be rejected by QEMU,
111. # effectively preventing any use of VNC. Obviously change this
112. # example here before you set this.
113. #
114. #vnc_password = "XYZ12345"
115.  
116.  
117. # Enable use of SASL encryption on the VNC server. This requires
118. # a VNC client which supports the SASL protocol extension.
119. # Examples include vinagre, virt-viewer and virt-manager
120. # itself. UltraVNC, RealVNC, TightVNC do not support this
121. #
122. # It is necessary to configure /etc/sasl2/qemu.conf to choose
123. # the desired SASL plugin (eg, GSSPI for Kerberos)
124. #
125. #vnc_sasl = 1
126.  
127.  
128. # The default SASL configuration file is located in /etc/sasl2/
129. # When running libvirtd unprivileged, it may be desirable to
130. # override the configs in this location. Set this parameter to
131. # point to the directory, and create a qemu.conf in that location
132. #
133. #vnc_sasl_dir = "/some/directory/sasl2"
134.  
135.  
136. # QEMU implements an extension for providing audio over a VNC connection,
137. # though if your VNC client does not support it, your only chance for getting
138. # sound output is through regular audio backends. By default, libvirt will
139. # disable all QEMU sound backends if using VNC, since they can cause
140. # permissions issues. Enabling this option will make libvirtd honor the
141. # QEMU_AUDIO_DRV environment variable when using VNC.
142. #
143. #vnc_allow_host_audio = 0
144.  
145.  
146.  
147. # SPICE is configured to listen on 127.0.0.1 by default.
148. # To make it listen on all public interfaces, uncomment
149. # this next option.
150. #
151. # NB, strong recommendation to enable TLS + x509 certificate
152. # verification when allowing public access
153. #
154. #spice_listen = "0.0.0.0"
155.  
156.  
157. # Enable use of TLS encryption on the SPICE server.
158. #
159. # It is necessary to setup CA and issue a server certificate
160. # before enabling this.
161. #
162. #spice_tls = 1
163.  
164.  
165. # In order to override the default TLS certificate location for
166. # spice certificates, supply a valid path to the certificate directory.
167. # If the provided path does not exist then the default_tls_x509_cert_dir
168. # path will be used.
169. #
170. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
171.  
172.  
173. # Enable this option to have SPICE served over an automatically created
174. # unix socket. This prevents unprivileged access from users on the
175. # host machine.
176. #
177. # This will only be enabled for SPICE configurations that have listen
178. # type=address but without any address specified. This setting takes
179. # preference over spice_listen.
180. #
181. #spice_auto_unix_socket = 1
182.  
183.  
184. # The default SPICE password. This parameter is only used if the
185. # per-domain XML config does not already provide a password. To
186. # allow access without passwords, leave this commented out. An
187. # empty string will still enable passwords, but be rejected by
188. # QEMU, effectively preventing any use of SPICE. Obviously change
189. # this example here before you set this.
190. #
191. #spice_password = "XYZ12345"
192.  
193.  
194. # Enable use of SASL encryption on the SPICE server. This requires
195. # a SPICE client which supports the SASL protocol extension.
196. #
197. # It is necessary to configure /etc/sasl2/qemu.conf to choose
198. # the desired SASL plugin (eg, GSSPI for Kerberos)
199. #
200. #spice_sasl = 1
201.  
202. # The default SASL configuration file is located in /etc/sasl2/
203. # When running libvirtd unprivileged, it may be desirable to
204. # override the configs in this location. Set this parameter to
205. # point to the directory, and create a qemu.conf in that location
206. #
207. #spice_sasl_dir = "/some/directory/sasl2"
208.  
209. # Enable use of TLS encryption on the chardev TCP transports.
210. #
211. # It is necessary to setup CA and issue a server certificate
212. # before enabling this.
213. #
214. #chardev_tls = 1
215.  
216.  
217. # In order to override the default TLS certificate location for character
218. # device TCP certificates, supply a valid path to the certificate directory.
219. # If the provided path does not exist then the default_tls_x509_cert_dir
220. # path will be used.
221. #
222. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
223.  
224.  
225. # The default TLS configuration only uses certificates for the server
226. # allowing the client to verify the server's identity and establish
227. # an encrypted channel.
228. #
229. # It is possible to use x509 certificates for authentication too, by
230. # issuing an x509 certificate to every client who needs to connect.
231. #
232. # Enabling this option will reject any client that does not have a
233. # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
234. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
235. # files described in default_tls_x509_cert_dir.
236. #
237. # If this option is not supplied, it will be set to the value of
238. # "default_tls_x509_verify".
239. #
240. #chardev_tls_x509_verify = 1
241.  
242.  
243. # Uncomment and use the following option to override the default secret
244. # UUID provided in the default_tls_x509_secret_uuid parameter.
245. #
246. # NB This default all-zeros UUID will not work. Replace it with the
247. # output from the UUID for the TLS secret from a 'virsh secret-list'
248. # command and then uncomment the entry
249. #
250. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
251.  
252.  
253. # In order to override the default TLS certificate location for migration
254. # certificates, supply a valid path to the certificate directory. If the
255. # provided path does not exist then the default_tls_x509_cert_dir path
256. # will be used. Once/if a default certificate is enabled/defined, migration
257. # will then be able to use the certificate via migration API flags.
258. #
259. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
260.  
261.  
262. # The default TLS configuration only uses certificates for the server
263. # allowing the client to verify the server's identity and establish
264. # an encrypted channel.
265. #
266. # It is possible to use x509 certificates for authentication too, by
267. # issuing an x509 certificate to every client who needs to connect.
268. #
269. # Enabling this option will reject any client that does not have a
270. # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
271. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
272. # files described in default_tls_x509_cert_dir.
273. #
274. # If this option is not supplied, it will be set to the value of
275. # "default_tls_x509_verify".
276. #
277. #migrate_tls_x509_verify = 1
278.  
279.  
280. # Uncomment and use the following option to override the default secret
281. # UUID provided in the default_tls_x509_secret_uuid parameter.
282. #
283. # NB This default all-zeros UUID will not work. Replace it with the
284. # output from the UUID for the TLS secret from a 'virsh secret-list'
285. # command and then uncomment the entry
286. #
287. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
288.  
289.  
290. # By default, if no graphical front end is configured, libvirt will disable
291. # QEMU audio output since directly talking to alsa/pulseaudio may not work
292. # with various security settings. If you know what you're doing, enable
293. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
294. # environment variable when using nographics.
295. #
296. #nographics_allow_host_audio = 1
297.  
298.  
299. # Override the port for creating both VNC and SPICE sessions (min).
300. # This defaults to 5900 and increases for consecutive sessions
301. # or when ports are occupied, until it hits the maximum.
302. #
303. # Minimum must be greater than or equal to 5900 as lower number would
304. # result into negative vnc display number.
305. #
306. # Maximum must be less than 65536, because higher numbers do not make
307. # sense as a port number.
308. #
309. #remote_display_port_min = 5900
310. #remote_display_port_max = 65535
311.  
312. # VNC WebSocket port policies, same rules apply as with remote display
313. # ports. VNC WebSockets use similar display <-> port mappings, with
314. # the exception being that ports start from 5700 instead of 5900.
315. #
316. #remote_websocket_port_min = 5700
317. #remote_websocket_port_max = 65535
318.  
319. # The default security driver is SELinux. If SELinux is disabled
320. # on the host, then the security driver will automatically disable
321. # itself. If you wish to disable QEMU SELinux security driver while
322. # leaving SELinux enabled for the host in general, then set this
323. # to 'none' instead. It's also possible to use more than one security
324. # driver at the same time, for this use a list of names separated by
325. # comma and delimited by square brackets. For example:
326. #
327. # security_driver = [ "selinux", "apparmor" ]
328. #
329. # Notes: The DAC security driver is always enabled; as a result, the
330. # value of security_driver cannot contain "dac". The value "none" is
331. # a special value; security_driver can be set to that value in
332. # isolation, but it cannot appear in a list of drivers.
333. #
334. #security_driver = "selinux"
335.  
336. # If set to non-zero, then the default security labeling
337. # will make guests confined. If set to zero, then guests
338. # will be unconfined by default. Defaults to 1.
339. #security_default_confined = 1
340.  
341. # If set to non-zero, then attempts to create unconfined
342. # guests will be blocked. Defaults to 0.
343. #security_require_confined = 1
344.  
345. # The user for QEMU processes run by the system instance. It can be
346. # specified as a user name or as a user id. The qemu driver will try to
347. # parse this value first as a name and then, if the name doesn't exist,
348. # as a user id.
349. #
350. # Since a sequence of digits is a valid user name, a leading plus sign
351. # can be used to ensure that a user id will not be interpreted as a user
352. # name.
353. #
354. # Some examples of valid values are:
355. #
356. # user = "qemu" # A user named "qemu"
357. # user = "+0" # Super user (uid=0)
358. # user = "100" # A user named "100" or a user with uid=100
359. #
360. user = "arenn"
361.  
362. # The group for QEMU processes run by the system instance. It can be
363. # specified in a similar way to user.
364. group="78"
365.  
366. # Whether libvirt should dynamically change file ownership
367. # to match the configured user/group above. Defaults to 1.
368. # Set to 0 to disable file ownership changes.
369. #dynamic_ownership = 1
370.  
371.  
372. # What cgroup controllers to make use of with QEMU guests
373. #
374. # - 'cpu' - use for schedular tunables
375. # - 'devices' - use for device whitelisting
376. # - 'memory' - use for memory tunables
377. # - 'blkio' - use for block devices I/O tunables
378. # - 'cpuset' - use for CPUs and memory nodes
379. # - 'cpuacct' - use for CPUs statistics.
380. #
381. # NB, even if configured here, they won't be used unless
382. # the administrator has mounted cgroups, e.g.:
383. #
384. # mkdir /dev/cgroup
385. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
386. #
387. # They can be mounted anywhere, and different controllers
388. # can be mounted in different locations. libvirt will detect
389. # where they are located.
390. #
391. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
392.  
393. # This is the basic set of devices allowed / required by
394. # all virtual machines.
395. #
396. # As well as this, any configured block backed disks,
397. # all sound device, and all PTY devices are allowed.
398. #
399. # This will only need setting if newer QEMU suddenly
400. # wants some device we don't already know about.
401. #
402. cgroup_device_acl = [
403. "/dev/null", "/dev/full", "/dev/zero",
404. "/dev/random", "/dev/urandom",
405. "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
406. "/dev/rtc","/dev/hpet"
407. "/dev/input/by-id/usb-Logitech_Logitech_G710_Keyboard-event-kbd"
408. "/dev/input/by-id/usb-Logitech_Logitech_G710_Keyboard-if01-event-kbd"
409. "/dev/input/by-id/usb-Logitech_Gaming_Mouse_G502_0D8F36593737-event-mouse"
410. ]
411. #
412. # RDMA migration requires the following extra files to be added to the list:
413. # "/dev/infiniband/rdma_cm",
414. # "/dev/infiniband/issm0",
415. # "/dev/infiniband/issm1",
416. # "/dev/infiniband/umad0",
417. # "/dev/infiniband/umad1",
418. # "/dev/infiniband/uverbs0"
419.  
420.  
421. # The default format for QEMU/KVM guest save images is raw; that is, the
422. # memory from the domain is dumped out directly to a file. If you have
423. # guests with a large amount of memory, however, this can take up quite
424. # a bit of space. If you would like to compress the images while they
425. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
426. # for save_image_format. Note that this means you slow down the process of
427. # saving a domain in order to save disk space; the list above is in descending
428. # order by performance and ascending order by compression ratio.
429. #
430. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
431. # at scheduled saving, and it is an error if the specified save_image_format
432. # is not valid, or the requested compression program can't be found.
433. #
434. # dump_image_format is used when you use 'virsh dump' at emergency
435. # crashdump, and if the specified dump_image_format is not valid, or
436. # the requested compression program can't be found, this falls
437. # back to "raw" compression.
438. #
439. # snapshot_image_format specifies the compression algorithm of the memory save
440. # image when an external snapshot of a domain is taken. This does not apply
441. # on disk image format. It is an error if the specified format isn't valid,
442. # or the requested compression program can't be found.
443. #
444. #save_image_format = "raw"
445. #dump_image_format = "raw"
446. #snapshot_image_format = "raw"
447.  
448. # When a domain is configured to be auto-dumped when libvirtd receives a
449. # watchdog event from qemu guest, libvirtd will save dump files in directory
450. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
451. #
452. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
453.  
454. # When a domain is configured to be auto-dumped, enabling this flag
455. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
456. # virDomainCoreDump API. That is, the system will avoid using the
457. # file system cache while writing the dump file, but may cause
458. # slower operation.
459. #
460. #auto_dump_bypass_cache = 0
461.  
462. # When a domain is configured to be auto-started, enabling this flag
463. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
464. # with the virDomainCreateWithFlags API. That is, the system will
465. # avoid using the file system cache when restoring any managed state
466. # file, but may cause slower operation.
467. #
468. #auto_start_bypass_cache = 0
469.  
470. # If provided by the host and a hugetlbfs mount point is configured,
471. # a guest may request huge page backing. When this mount point is
472. # unspecified here, determination of a host mount point in /proc/mounts
473. # will be attempted. Specifying an explicit mount overrides detection
474. # of the same in /proc/mounts. Setting the mount point to "" will
475. # disable guest hugepage backing. If desired, multiple mount points can
476. # be specified at once, separated by comma and enclosed in square
477. # brackets, for example:
478. #
479. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
480. #
481. # The size of huge page served by specific mount point is determined by
482. # libvirt at the daemon startup.
483. #
484. # NB, within these mount points, guests will create memory backing
485. # files in a location of $MOUNTPOINT/libvirt/qemu
486. #
487. #hugetlbfs_mount = "/dev/hugepages"
488.  
489.  
490. # Path to the setuid helper for creating tap devices. This executable
491. # is used to create <source type='bridge'> interfaces when libvirtd is
492. # running unprivileged. libvirt invokes the helper directly, instead
493. # of using "-netdev bridge", for security reasons.
494. #bridge_helper = "/usr/lib/qemu/qemu-bridge-helper"
495.  
496.  
497.  
498. # If clear_emulator_capabilities is enabled, libvirt will drop all
499. # privileged capabilities of the QEmu/KVM emulator. This is enabled by
500. # default.
501. #
502. # Warning: Disabling this option means that a compromised guest can
503. # exploit the privileges and possibly do damage to the host.
504. #
505. #clear_emulator_capabilities = 1
506.  
507.  
508. # If enabled, libvirt will have QEMU set its process name to
509. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
510. # process will appear as "qemu:VM_NAME" in process listings and
511. # other system monitoring tools. By default, QEMU does not set
512. # its process title, so the complete QEMU command (emulator and
513. # its arguments) appear in process listings.
514. #
515. #set_process_name = 1
516.  
517.  
518. # If max_processes is set to a positive integer, libvirt will use
519. # it to set the maximum number of processes that can be run by qemu
520. # user. This can be used to override default value set by host OS.
521. # The same applies to max_files which sets the limit on the maximum
522. # number of opened files.
523. #
524. #max_processes = 0
525. #max_files = 0
526.  
527. # If max_core is set to a non-zero integer, then QEMU will be
528. # permitted to create core dumps when it crashes, provided its
529. # RAM size is smaller than the limit set.
530. #
531. # Be warned that the core dump will include a full copy of the
532. # guest RAM, if the 'dump_guest_core' setting has been enabled,
533. # or if the guest XML contains
534. #
535. # <memory dumpcore="on">...guest ram...</memory>
536. #
537. # If guest RAM is to be included, ensure the max_core limit
538. # is set to at least the size of the largest expected guest
539. # plus another 1GB for any QEMU host side memory mappings.
540. #
541. # As a special case it can be set to the string "unlimited" to
542. # to allow arbitrarily sized core dumps.
543. #
544. # By default the core dump size is set to 0 disabling all dumps
545. #
546. # Size is a positive integer specifying bytes or the
547. # string "unlimited"
548. #
549. #max_core = "unlimited"
550.  
551. # Determine if guest RAM is included in QEMU core dumps. By
552. # default guest RAM will be excluded if a new enough QEMU is
553. # present. Setting this to '1' will force guest RAM to always
554. # be included in QEMU core dumps.
555. #
556. # This setting will be ignored if the guest XML has set the
557. # dumpcore attribute on the <memory> element.
558. #
559. #dump_guest_core = 1
560.  
561. # mac_filter enables MAC addressed based filtering on bridge ports.
562. # This currently requires ebtables to be installed.
563. #
564. #mac_filter = 1
565.  
566.  
567. # By default, PCI devices below non-ACS switch are not allowed to be assigned
568. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
569. # be assigned to guests.
570. #
571. #relaxed_acs_check = 1
572.  
573.  
574. # If allow_disk_format_probing is enabled, libvirt will probe disk
575. # images to attempt to identify their format, when not otherwise
576. # specified in the XML. This is disabled by default.
577. #
578. # WARNING: Enabling probing is a security hole in almost all
579. # deployments. It is strongly recommended that users update their
580. # guest XML <disk> elements to include <driver type='XXXX'/>
581. # elements instead of enabling this option.
582. #
583. #allow_disk_format_probing = 1
584.  
585.  
586. # In order to prevent accidentally starting two domains that
587. # share one writable disk, libvirt offers two approaches for
588. # locking files. The first one is sanlock, the other one,
589. # virtlockd, is then our own implementation. Accepted values
590. # are "sanlock" and "lockd".
591. #
592. #lock_manager = "lockd"
593.  
594.  
595.  
596. # Set limit of maximum APIs queued on one domain. All other APIs
597. # over this threshold will fail on acquiring job lock. Specially,
598. # setting to zero turns this feature off.
599. # Note, that job lock is per domain.
600. #
601. #max_queued = 0
602.  
603. ###################################################################
604. # Keepalive protocol:
605. # This allows qemu driver to detect broken connections to remote
606. # libvirtd during peer-to-peer migration. A keepalive message is
607. # sent to the daemon after keepalive_interval seconds of inactivity
608. # to check if the daemon is still responding; keepalive_count is a
609. # maximum number of keepalive messages that are allowed to be sent
610. # to the daemon without getting any response before the connection
611. # is considered broken. In other words, the connection is
612. # automatically closed approximately after
613. # keepalive_interval * (keepalive_count + 1) seconds since the last
614. # message received from the daemon. If keepalive_interval is set to
615. # -1, qemu driver will not send keepalive requests during
616. # peer-to-peer migration; however, the remote libvirtd can still
617. # send them and source libvirtd will send responses. When
618. # keepalive_count is set to 0, connections will be automatically
619. # closed after keepalive_interval seconds of inactivity without
620. # sending any keepalive messages.
621. #
622. #keepalive_interval = 5
623. #keepalive_count = 5
624.  
625.  
626.  
627. # Use seccomp syscall whitelisting in QEMU.
628. # 1 = on, 0 = off, -1 = use QEMU default
629. # Defaults to -1.
630. #
631. #seccomp_sandbox = 1
632.  
633.  
634. # Override the listen address for all incoming migrations. Defaults to
635. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
636. #migration_address = "0.0.0.0"
637.  
638.  
639. # The default hostname or IP address which will be used by a migration
640. # source for transferring migration data to this host. The migration
641. # source has to be able to resolve this hostname and connect to it so
642. # setting "localhost" will not work. By default, the host's configured
643. # hostname is used.
644. #migration_host = "host.example.com"
645.  
646.  
647. # Override the port range used for incoming migrations.
648. #
649. # Minimum must be greater than 0, however when QEMU is not running as root,
650. # setting the minimum to be lower than 1024 will not work.
651. #
652. # Maximum must not be greater than 65535.
653. #
654. #migration_port_min = 49152
655. #migration_port_max = 49215
656.  
657.  
658.  
659. # Timestamp QEMU's log messages (if QEMU supports it)
660. #
661. # Defaults to 1.
662. #
663. #log_timestamp = 0
664.  
665.  
666. # Location of master nvram file
667. #
668. # When a domain is configured to use UEFI instead of standard
669. # BIOS it may use a separate storage for UEFI variables. If
670. # that's the case libvirt creates the variable store per domain
671. # using this master file as image. Each UEFI firmware can,
672. # however, have different variables store. Therefore the nvram is
673. # a list of strings when a single item is in form of:
674. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
675. # Later, when libvirt creates per domain variable store, this list is
676. # searched for the master image. The UEFI firmware can be called
677. # differently for different guest architectures. For instance, it's OVMF
678. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
679. # follows this scheme.
680. #nvram = [
681. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
682. # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
683. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd"
684. #]
685.  
686. # The backend to use for handling stdout/stderr output from
687. # QEMU processes.
688. #
689. # 'file': QEMU writes directly to a plain file. This is the
690. # historical default, but allows QEMU to inflict a
691. # denial of service attack on the host by exhausting
692. # filesystem space
693. #
694. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
695. # This is the current default, providing protection
696. # against denial of service by performing log file
697. # rollover when a size limit is hit.
698. #
699. #stdio_handler = "logd"
700.  
701. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
702. # most verbose, and 0 representing no debugging output.
703. #
704. # The current logging levels defined in the gluster GFAPI are:
705. #
706. # 0 - None
707. # 1 - Emergency
708. # 2 - Alert
709. # 3 - Critical
710. # 4 - Error
711. # 5 - Warning
712. # 6 - Notice
713. # 7 - Info
714. # 8 - Debug
715. # 9 - Trace
716. #
717. # Defaults to 4
718. #
719. #gluster_debug_level = 9
720.  
721. # To enhance security, QEMU driver is capable of creating private namespaces
722. # for each domain started. Well, so far only "mount" namespace is supported. If
723. # enabled it means qemu process is unable to see all the devices on the system,
724. # only those configured for the domain in question. Libvirt then manages
725. # devices entries throughout the domain lifetime. This namespace is turned on
726. # by default.
727. #namespaces = [ "mount" ]
728.  
729. # This directory is used for memoryBacking source if configured as file.
730. # NOTE: big files will be stored here
731. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
732.  
733.  
734.  
735.  
736. nvram = [
737. "/usr/share/ovmf/ovmf_code_x64.bin:/usr/share/ovmf/ovmf_vars_x64.bin"
738. ]