cat /etc/libvirt/qemu.conf# Master configuration file for the QEMU driver.#

1. cat /etc/libvirt/qemu.conf
2. # Master configuration file for the QEMU driver.
3. # All settings described here are optional - if omitted, sensible
4. # defaults are used.
5.  
6. # Use of TLS requires that x509 certificates be issued. The default is
7. # to keep them in /etc/pki/qemu. This directory must contain
8. #
9. # ca-cert.pem - the CA master certificate
10. # server-cert.pem - the server certificate signed with ca-cert.pem
11. # server-key.pem - the server private key
12. #
13. # and optionally may contain
14. #
15. # dh-params.pem - the DH params configuration file
16. #
17. #default_tls_x509_cert_dir = "/etc/pki/qemu"
18.  
19.  
20. # The default TLS configuration only uses certificates for the server
21. # allowing the client to verify the server's identity and establish
22. # an encrypted channel.
23. #
24. # It is possible to use x509 certificates for authentication too, by
25. # issuing an x509 certificate to every client who needs to connect.
26. #
27. # Enabling this option will reject any client who does not have a
28. # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
29. #
30. # The default_tls_x509_cert_dir directory must also contain
31. #
32. # client-cert.pem - the client certificate signed with the ca-cert.pem
33. # client-key.pem - the client private key
34. #
35. #default_tls_x509_verify = 1
36.  
37. #
38. # Libvirt assumes the server-key.pem file is unencrypted by default.
39. # To use an encrypted server-key.pem file, the password to decrypt
40. # the PEM file is required. This can be provided by creating a secret
41. # object in libvirt and then to uncomment this setting to set the UUID
42. # of the secret.
43. #
44. # NB This default all-zeros UUID will not work. Replace it with the
45. # output from the UUID for the TLS secret from a 'virsh secret-list'
46. # command and then uncomment the entry
47. #
48. #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
49.  
50.  
51. # VNC is configured to listen on 127.0.0.1 by default.
52. # To make it listen on all public interfaces, uncomment
53. # this next option.
54. #
55. # NB, strong recommendation to enable TLS + x509 certificate
56. # verification when allowing public access
57. #
58. #vnc_listen = "0.0.0.0"
59.  
60. # Enable this option to have VNC served over an automatically created
61. # unix socket. This prevents unprivileged access from users on the
62. # host machine, though most VNC clients do not support it.
63. #
64. # This will only be enabled for VNC configurations that have listen
65. # type=address but without any address specified. This setting takes
66. # preference over vnc_listen.
67. #
68. #vnc_auto_unix_socket = 1
69.  
70. # Enable use of TLS encryption on the VNC server. This requires
71. # a VNC client which supports the VeNCrypt protocol extension.
72. # Examples include vinagre, virt-viewer, virt-manager and vencrypt
73. # itself. UltraVNC, RealVNC, TightVNC do not support this
74. #
75. # It is necessary to setup CA and issue a server certificate
76. # before enabling this.
77. #
78. #vnc_tls = 1
79.  
80.  
81. # In order to override the default TLS certificate location for
82. # vnc certificates, supply a valid path to the certificate directory.
83. # If the provided path does not exist then the default_tls_x509_cert_dir
84. # path will be used.
85. #
86. #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
87.  
88.  
89. # The default TLS configuration only uses certificates for the server
90. # allowing the client to verify the server's identity and establish
91. # an encrypted channel.
92. #
93. # It is possible to use x509 certificates for authentication too, by
94. # issuing an x509 certificate to every client who needs to connect.
95. #
96. # Enabling this option will reject any client that does not have a
97. # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
98. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
99. # files described in default_tls_x509_cert_dir.
100. #
101. # If this option is not supplied, it will be set to the value of
102. # "default_tls_x509_verify".
103. #
104. #vnc_tls_x509_verify = 1
105.  
106.  
107. # The default VNC password. Only 8 bytes are significant for
108. # VNC passwords. This parameter is only used if the per-domain
109. # XML config does not already provide a password. To allow
110. # access without passwords, leave this commented out. An empty
111. # string will still enable passwords, but be rejected by QEMU,
112. # effectively preventing any use of VNC. Obviously change this
113. # example here before you set this.
114. #
115. #vnc_password = "XYZ12345"
116.  
117.  
118. # Enable use of SASL encryption on the VNC server. This requires
119. # a VNC client which supports the SASL protocol extension.
120. # Examples include vinagre, virt-viewer and virt-manager
121. # itself. UltraVNC, RealVNC, TightVNC do not support this
122. #
123. # It is necessary to configure /etc/sasl2/qemu.conf to choose
124. # the desired SASL plugin (eg, GSSPI for Kerberos)
125. #
126. #vnc_sasl = 1
127.  
128.  
129. # The default SASL configuration file is located in /etc/sasl2/
130. # When running libvirtd unprivileged, it may be desirable to
131. # override the configs in this location. Set this parameter to
132. # point to the directory, and create a qemu.conf in that location
133. #
134. #vnc_sasl_dir = "/some/directory/sasl2"
135.  
136.  
137. # QEMU implements an extension for providing audio over a VNC connection,
138. # though if your VNC client does not support it, your only chance for getting
139. # sound output is through regular audio backends. By default, libvirt will
140. # disable all QEMU sound backends if using VNC, since they can cause
141. # permissions issues. Enabling this option will make libvirtd honor the
142. # QEMU_AUDIO_DRV environment variable when using VNC.
143. #
144. #vnc_allow_host_audio = 0
145.  
146.  
147.  
148. # SPICE is configured to listen on 127.0.0.1 by default.
149. # To make it listen on all public interfaces, uncomment
150. # this next option.
151. #
152. # NB, strong recommendation to enable TLS + x509 certificate
153. # verification when allowing public access
154. #
155. #spice_listen = "0.0.0.0"
156.  
157.  
158. # Enable use of TLS encryption on the SPICE server.
159. #
160. # It is necessary to setup CA and issue a server certificate
161. # before enabling this.
162. #
163. #spice_tls = 1
164.  
165.  
166. # In order to override the default TLS certificate location for
167. # spice certificates, supply a valid path to the certificate directory.
168. # If the provided path does not exist then the default_tls_x509_cert_dir
169. # path will be used.
170. #
171. #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
172.  
173.  
174. # Enable this option to have SPICE served over an automatically created
175. # unix socket. This prevents unprivileged access from users on the
176. # host machine.
177. #
178. # This will only be enabled for SPICE configurations that have listen
179. # type=address but without any address specified. This setting takes
180. # preference over spice_listen.
181. #
182. #spice_auto_unix_socket = 1
183.  
184.  
185. # The default SPICE password. This parameter is only used if the
186. # per-domain XML config does not already provide a password. To
187. # allow access without passwords, leave this commented out. An
188. # empty string will still enable passwords, but be rejected by
189. # QEMU, effectively preventing any use of SPICE. Obviously change
190. # this example here before you set this.
191. #
192. #spice_password = "XYZ12345"
193.  
194.  
195. # Enable use of SASL encryption on the SPICE server. This requires
196. # a SPICE client which supports the SASL protocol extension.
197. #
198. # It is necessary to configure /etc/sasl2/qemu.conf to choose
199. # the desired SASL plugin (eg, GSSPI for Kerberos)
200. #
201. #spice_sasl = 1
202.  
203. # The default SASL configuration file is located in /etc/sasl2/
204. # When running libvirtd unprivileged, it may be desirable to
205. # override the configs in this location. Set this parameter to
206. # point to the directory, and create a qemu.conf in that location
207. #
208. #spice_sasl_dir = "/some/directory/sasl2"
209.  
210. # Enable use of TLS encryption on the chardev TCP transports.
211. #
212. # It is necessary to setup CA and issue a server certificate
213. # before enabling this.
214. #
215. #chardev_tls = 1
216.  
217.  
218. # In order to override the default TLS certificate location for character
219. # device TCP certificates, supply a valid path to the certificate directory.
220. # If the provided path does not exist then the default_tls_x509_cert_dir
221. # path will be used.
222. #
223. #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
224.  
225.  
226. # The default TLS configuration only uses certificates for the server
227. # allowing the client to verify the server's identity and establish
228. # an encrypted channel.
229. #
230. # It is possible to use x509 certificates for authentication too, by
231. # issuing an x509 certificate to every client who needs to connect.
232. #
233. # Enabling this option will reject any client that does not have a
234. # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
235. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
236. # files described in default_tls_x509_cert_dir.
237. #
238. # If this option is not supplied, it will be set to the value of
239. # "default_tls_x509_verify".
240. #
241. #chardev_tls_x509_verify = 1
242.  
243.  
244. # Uncomment and use the following option to override the default secret
245. # UUID provided in the default_tls_x509_secret_uuid parameter.
246. #
247. # NB This default all-zeros UUID will not work. Replace it with the
248. # output from the UUID for the TLS secret from a 'virsh secret-list'
249. # command and then uncomment the entry
250. #
251. #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
252.  
253.  
254. # In order to override the default TLS certificate location for migration
255. # certificates, supply a valid path to the certificate directory. If the
256. # provided path does not exist then the default_tls_x509_cert_dir path
257. # will be used. Once/if a default certificate is enabled/defined, migration
258. # will then be able to use the certificate via migration API flags.
259. #
260. #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
261.  
262.  
263. # The default TLS configuration only uses certificates for the server
264. # allowing the client to verify the server's identity and establish
265. # an encrypted channel.
266. #
267. # It is possible to use x509 certificates for authentication too, by
268. # issuing an x509 certificate to every client who needs to connect.
269. #
270. # Enabling this option will reject any client that does not have a
271. # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
272. # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
273. # files described in default_tls_x509_cert_dir.
274. #
275. # If this option is not supplied, it will be set to the value of
276. # "default_tls_x509_verify".
277. #
278. #migrate_tls_x509_verify = 1
279.  
280.  
281. # Uncomment and use the following option to override the default secret
282. # UUID provided in the default_tls_x509_secret_uuid parameter.
283. #
284. # NB This default all-zeros UUID will not work. Replace it with the
285. # output from the UUID for the TLS secret from a 'virsh secret-list'
286. # command and then uncomment the entry
287. #
288. #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
289.  
290.  
291. # By default, if no graphical front end is configured, libvirt will disable
292. # QEMU audio output since directly talking to alsa/pulseaudio may not work
293. # with various security settings. If you know what you're doing, enable
294. # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
295. # environment variable when using nographics.
296. #
297. #nographics_allow_host_audio = 1
298.  
299.  
300. # Override the port for creating both VNC and SPICE sessions (min).
301. # This defaults to 5900 and increases for consecutive sessions
302. # or when ports are occupied, until it hits the maximum.
303. #
304. # Minimum must be greater than or equal to 5900 as lower number would
305. # result into negative vnc display number.
306. #
307. # Maximum must be less than 65536, because higher numbers do not make
308. # sense as a port number.
309. #
310. #remote_display_port_min = 5900
311. #remote_display_port_max = 65535
312.  
313. # VNC WebSocket port policies, same rules apply as with remote display
314. # ports. VNC WebSockets use similar display <-> port mappings, with
315. # the exception being that ports start from 5700 instead of 5900.
316. #
317. #remote_websocket_port_min = 5700
318. #remote_websocket_port_max = 65535
319.  
320. # The default security driver is SELinux. If SELinux is disabled
321. # on the host, then the security driver will automatically disable
322. # itself. If you wish to disable QEMU SELinux security driver while
323. # leaving SELinux enabled for the host in general, then set this
324. # to 'none' instead. It's also possible to use more than one security
325. # driver at the same time, for this use a list of names separated by
326. # comma and delimited by square brackets. For example:
327. #
328. # security_driver = [ "selinux", "apparmor" ]
329. #
330. # Notes: The DAC security driver is always enabled; as a result, the
331. # value of security_driver cannot contain "dac". The value "none" is
332. # a special value; security_driver can be set to that value in
333. # isolation, but it cannot appear in a list of drivers.
334. #
335. #security_driver = "selinux"
336.  
337. # If set to non-zero, then the default security labeling
338. # will make guests confined. If set to zero, then guests
339. # will be unconfined by default. Defaults to 1.
340. #security_default_confined = 1
341.  
342. # If set to non-zero, then attempts to create unconfined
343. # guests will be blocked. Defaults to 0.
344. #security_require_confined = 1
345.  
346.  
347. # The user for QEMU processes run by the system instance. It can be
348. # specified as a user name or as a user id. The qemu driver will try to
349. # parse this value first as a name and then, if the name doesn't exist,
350. # as a user id.
351. #
352. # Since a sequence of digits is a valid user name, a leading plus sign
353. # can be used to ensure that a user id will not be interpreted as a user
354. # name.
355. #
356. # Some examples of valid values are:
357. #
358. # user = "qemu" # A user named "qemu"
359. # user = "+0" # Super user (uid=0)
360. # user = "100" # A user named "100" or a user with uid=100
361. #
362. user = "root"
363.  
364. # The group for QEMU processes run by the system instance. It can be
365. # specified in a similar way to user.
366. group = "root"
367.  
368. # Whether libvirt should dynamically change file ownership
369. # to match the configured user/group above. Defaults to 1.
370. # Set to 0 to disable file ownership changes.
371. #dynamic_ownership = 1
372.  
373.  
374. # What cgroup controllers to make use of with QEMU guests
375. #
376. # - 'cpu' - use for schedular tunables
377. # - 'devices' - use for device whitelisting
378. # - 'memory' - use for memory tunables
379. # - 'blkio' - use for block devices I/O tunables
380. # - 'cpuset' - use for CPUs and memory nodes
381. # - 'cpuacct' - use for CPUs statistics.
382. #
383. # NB, even if configured here, they won't be used unless
384. # the administrator has mounted cgroups, e.g.:
385. #
386. # mkdir /dev/cgroup
387. # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
388. #
389. # They can be mounted anywhere, and different controllers
390. # can be mounted in different locations. libvirt will detect
391. # where they are located.
392. #
393. #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
394.  
395. # This is the basic set of devices allowed / required by
396. # all virtual machines.
397. #
398. # As well as this, any configured block backed disks,
399. # all sound device, and all PTY devices are allowed.
400. #
401. # This will only need setting if newer QEMU suddenly
402. # wants some device we don't already know about.
403. #
404. cgroup_device_acl = [
405. "/dev/null", "/dev/full", "/dev/zero",
406. "/dev/random", "/dev/urandom",
407. "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
408. "/dev/rtc","/dev/hpet", "/dev/vfio/vfio",
409. "/dev/vfio/1"
410. ]
411. # "/dev/null", "/dev/full", "/dev/zero",
412. # "/dev/random", "/dev/urandom",
413. # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
414. # "/dev/rtc","/dev/hpet"
415. #]
416. #
417. # RDMA migration requires the following extra files to be added to the list:
418. # "/dev/infiniband/rdma_cm",
419. # "/dev/infiniband/issm0",
420. # "/dev/infiniband/issm1",
421. # "/dev/infiniband/umad0",
422. # "/dev/infiniband/umad1",
423. # "/dev/infiniband/uverbs0"
424.  
425.  
426. # The default format for QEMU/KVM guest save images is raw; that is, the
427. # memory from the domain is dumped out directly to a file. If you have
428. # guests with a large amount of memory, however, this can take up quite
429. # a bit of space. If you would like to compress the images while they
430. # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
431. # for save_image_format. Note that this means you slow down the process of
432. # saving a domain in order to save disk space; the list above is in descending
433. # order by performance and ascending order by compression ratio.
434. #
435. # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
436. # at scheduled saving, and it is an error if the specified save_image_format
437. # is not valid, or the requested compression program can't be found.
438. #
439. # dump_image_format is used when you use 'virsh dump' at emergency
440. # crashdump, and if the specified dump_image_format is not valid, or
441. # the requested compression program can't be found, this falls
442. # back to "raw" compression.
443. #
444. # snapshot_image_format specifies the compression algorithm of the memory save
445. # image when an external snapshot of a domain is taken. This does not apply
446. # on disk image format. It is an error if the specified format isn't valid,
447. # or the requested compression program can't be found.
448. #
449. #save_image_format = "raw"
450. #dump_image_format = "raw"
451. #snapshot_image_format = "raw"
452.  
453. # When a domain is configured to be auto-dumped when libvirtd receives a
454. # watchdog event from qemu guest, libvirtd will save dump files in directory
455. # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
456. #
457. #auto_dump_path = "/var/lib/libvirt/qemu/dump"
458.  
459. # When a domain is configured to be auto-dumped, enabling this flag
460. # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
461. # virDomainCoreDump API. That is, the system will avoid using the
462. # file system cache while writing the dump file, but may cause
463. # slower operation.
464. #
465. #auto_dump_bypass_cache = 0
466.  
467. # When a domain is configured to be auto-started, enabling this flag
468. # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
469. # with the virDomainCreateWithFlags API. That is, the system will
470. # avoid using the file system cache when restoring any managed state
471. # file, but may cause slower operation.
472. #
473. #auto_start_bypass_cache = 0
474.  
475. # If provided by the host and a hugetlbfs mount point is configured,
476. # a guest may request huge page backing. When this mount point is
477. # unspecified here, determination of a host mount point in /proc/mounts
478. # will be attempted. Specifying an explicit mount overrides detection
479. # of the same in /proc/mounts. Setting the mount point to "" will
480. # disable guest hugepage backing. If desired, multiple mount points can
481. # be specified at once, separated by comma and enclosed in square
482. # brackets, for example:
483. #
484. # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
485. #
486. # The size of huge page served by specific mount point is determined by
487. # libvirt at the daemon startup.
488. #
489. # NB, within these mount points, guests will create memory backing
490. # files in a location of $MOUNTPOINT/libvirt/qemu
491. #
492. #hugetlbfs_mount = "/dev/hugepages"
493.  
494.  
495. # Path to the setuid helper for creating tap devices. This executable
496. # is used to create <source type='bridge'> interfaces when libvirtd is
497. # running unprivileged. libvirt invokes the helper directly, instead
498. # of using "-netdev bridge", for security reasons.
499. #bridge_helper = "/usr/libexec/qemu-bridge-helper"
500.  
501.  
502.  
503. # If clear_emulator_capabilities is enabled, libvirt will drop all
504. # privileged capabilities of the QEmu/KVM emulator. This is enabled by
505. # default.
506. #
507. # Warning: Disabling this option means that a compromised guest can
508. # exploit the privileges and possibly do damage to the host.
509. #
510. clear_emulator_capabilities = 0
511.  
512.  
513. # If enabled, libvirt will have QEMU set its process name to
514. # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
515. # process will appear as "qemu:VM_NAME" in process listings and
516. # other system monitoring tools. By default, QEMU does not set
517. # its process title, so the complete QEMU command (emulator and
518. # its arguments) appear in process listings.
519. #
520. #set_process_name = 1
521.  
522.  
523. # If max_processes is set to a positive integer, libvirt will use
524. # it to set the maximum number of processes that can be run by qemu
525. # user. This can be used to override default value set by host OS.
526. # The same applies to max_files which sets the limit on the maximum
527. # number of opened files.
528. #
529. #max_processes = 0
530. #max_files = 0
531.  
532. # If max_core is set to a non-zero integer, then QEMU will be
533. # permitted to create core dumps when it crashes, provided its
534. # RAM size is smaller than the limit set.
535. #
536. # Be warned that the core dump will include a full copy of the
537. # guest RAM, if the 'dump_guest_core' setting has been enabled,
538. # or if the guest XML contains
539. #
540. # <memory dumpcore="on">...guest ram...</memory>
541. #
542. # If guest RAM is to be included, ensure the max_core limit
543. # is set to at least the size of the largest expected guest
544. # plus another 1GB for any QEMU host side memory mappings.
545. #
546. # As a special case it can be set to the string "unlimited" to
547. # to allow arbitrarily sized core dumps.
548. #
549. # By default the core dump size is set to 0 disabling all dumps
550. #
551. # Size is a positive integer specifying bytes or the
552. # string "unlimited"
553. #
554. #max_core = "unlimited"
555.  
556. # Determine if guest RAM is included in QEMU core dumps. By
557. # default guest RAM will be excluded if a new enough QEMU is
558. # present. Setting this to '1' will force guest RAM to always
559. # be included in QEMU core dumps.
560. #
561. # This setting will be ignored if the guest XML has set the
562. # dumpcore attribute on the <memory> element.
563. #
564. #dump_guest_core = 1
565.  
566. # mac_filter enables MAC addressed based filtering on bridge ports.
567. # This currently requires ebtables to be installed.
568. #
569. #mac_filter = 1
570.  
571.  
572. # By default, PCI devices below non-ACS switch are not allowed to be assigned
573. # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
574. # be assigned to guests.
575. #
576. #relaxed_acs_check = 1
577.  
578.  
579. # If allow_disk_format_probing is enabled, libvirt will probe disk
580. # images to attempt to identify their format, when not otherwise
581. # specified in the XML. This is disabled by default.
582. #
583. # WARNING: Enabling probing is a security hole in almost all
584. # deployments. It is strongly recommended that users update their
585. # guest XML <disk> elements to include <driver type='XXXX'/>
586. # elements instead of enabling this option.
587. #
588. #allow_disk_format_probing = 1
589.  
590.  
591. # In order to prevent accidentally starting two domains that
592. # share one writable disk, libvirt offers two approaches for
593. # locking files. The first one is sanlock, the other one,
594. # virtlockd, is then our own implementation. Accepted values
595. # are "sanlock" and "lockd".
596. #
597. #lock_manager = "lockd"
598.  
599.  
600.  
601. # Set limit of maximum APIs queued on one domain. All other APIs
602. # over this threshold will fail on acquiring job lock. Specially,
603. # setting to zero turns this feature off.
604. # Note, that job lock is per domain.
605. #
606. #max_queued = 0
607.  
608. ###################################################################
609. # Keepalive protocol:
610. # This allows qemu driver to detect broken connections to remote
611. # libvirtd during peer-to-peer migration. A keepalive message is
612. # sent to the daemon after keepalive_interval seconds of inactivity
613. # to check if the daemon is still responding; keepalive_count is a
614. # maximum number of keepalive messages that are allowed to be sent
615. # to the daemon without getting any response before the connection
616. # is considered broken. In other words, the connection is
617. # automatically closed approximately after
618. # keepalive_interval * (keepalive_count + 1) seconds since the last
619. # message received from the daemon. If keepalive_interval is set to
620. # -1, qemu driver will not send keepalive requests during
621. # peer-to-peer migration; however, the remote libvirtd can still
622. # send them and source libvirtd will send responses. When
623. # keepalive_count is set to 0, connections will be automatically
624. # closed after keepalive_interval seconds of inactivity without
625. # sending any keepalive messages.
626. #
627. #keepalive_interval = 5
628. #keepalive_count = 5
629.  
630.  
631.  
632. # Use seccomp syscall whitelisting in QEMU.
633. # 1 = on, 0 = off, -1 = use QEMU default
634. # Defaults to -1.
635. #
636. #seccomp_sandbox = 1
637.  
638.  
639. # Override the listen address for all incoming migrations. Defaults to
640. # 0.0.0.0, or :: if both host and qemu are capable of IPv6.
641. #migration_address = "0.0.0.0"
642.  
643.  
644. # The default hostname or IP address which will be used by a migration
645. # source for transferring migration data to this host. The migration
646. # source has to be able to resolve this hostname and connect to it so
647. # setting "localhost" will not work. By default, the host's configured
648. # hostname is used.
649. #migration_host = "host.example.com"
650.  
651.  
652. # Override the port range used for incoming migrations.
653. #
654. # Minimum must be greater than 0, however when QEMU is not running as root,
655. # setting the minimum to be lower than 1024 will not work.
656. #
657. # Maximum must not be greater than 65535.
658. #
659. #migration_port_min = 49152
660. #migration_port_max = 49215
661.  
662.  
663.  
664. # Timestamp QEMU's log messages (if QEMU supports it)
665. #
666. # Defaults to 1.
667. #
668. #log_timestamp = 0
669.  
670.  
671. # Location of master nvram file
672. #
673. # When a domain is configured to use UEFI instead of standard
674. # BIOS it may use a separate storage for UEFI variables. If
675. # that's the case libvirt creates the variable store per domain
676. # using this master file as image. Each UEFI firmware can,
677. # however, have different variables store. Therefore the nvram is
678. # a list of strings when a single item is in form of:
679. # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
680. # Later, when libvirt creates per domain variable store, this list is
681. # searched for the master image. The UEFI firmware can be called
682. # differently for different guest architectures. For instance, it's OVMF
683. # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
684. # follows this scheme.
685. #nvram = [
686. # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
687. # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
688. # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd"
689. #]
690.  
691. # The backend to use for handling stdout/stderr output from
692. # QEMU processes.
693. #
694. # 'file': QEMU writes directly to a plain file. This is the
695. # historical default, but allows QEMU to inflict a
696. # denial of service attack on the host by exhausting
697. # filesystem space
698. #
699. # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
700. # This is the current default, providing protection
701. # against denial of service by performing log file
702. # rollover when a size limit is hit.
703. #
704. #stdio_handler = "logd"
705.  
706. # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
707. # most verbose, and 0 representing no debugging output.
708. #
709. # The current logging levels defined in the gluster GFAPI are:
710. #
711. # 0 - None
712. # 1 - Emergency
713. # 2 - Alert
714. # 3 - Critical
715. # 4 - Error
716. # 5 - Warning
717. # 6 - Notice
718. # 7 - Info
719. # 8 - Debug
720. # 9 - Trace
721. #
722. # Defaults to 4
723. #
724. #gluster_debug_level = 9
725.  
726. # To enhance security, QEMU driver is capable of creating private namespaces
727. # for each domain started. Well, so far only "mount" namespace is supported. If
728. # enabled it means qemu process is unable to see all the devices on the system,
729. # only those configured for the domain in question. Libvirt then manages
730. # devices entries throughout the domain lifetime. This namespace is turned on
731. # by default.
732. #namespaces = [ "mount" ]
733.  
734. # This directory is used for memoryBacking source if configured as file.
735. # NOTE: big files will be stored here
736. #memory_backing_dir = "/var/lib/libvirt/qemu/ram"