]>
Commit | Line | Data |
---|---|---|
3e5d4e6f JS |
1 | # Master libvirt daemon configuration file |
2 | # | |
3 | ||
4 | ################################################################# | |
5 | # | |
6 | # Network connectivity controls | |
7 | # | |
8 | ||
9 | # Flag listening for secure TLS connections on the public TCP/IP port. | |
10 | # NB, must pass the --listen flag to the libvirtd process for this to | |
11 | # have any effect. | |
12 | # | |
13 | # This setting is not required or honoured if using systemd socket | |
14 | # activation. | |
15 | # | |
16 | # It is necessary to setup a CA and issue server certificates before | |
17 | # using this capability. | |
18 | # | |
19 | # This is enabled by default, uncomment this to disable it | |
20 | listen_tls = 0 | |
21 | ||
22 | # Listen for unencrypted TCP connections on the public TCP/IP port. | |
23 | # NB, must pass the --listen flag to the libvirtd process for this to | |
24 | # have any effect. | |
25 | # | |
26 | # This setting is not required or honoured if using systemd socket | |
27 | # activation. | |
28 | # | |
29 | # Using the TCP socket requires SASL authentication by default. Only | |
30 | # SASL mechanisms which support data encryption are allowed. This is | |
31 | # DIGEST_MD5 and GSSAPI (Kerberos5) | |
32 | # | |
33 | # This is disabled by default, uncomment this to enable it. | |
34 | #listen_tcp = 1 | |
35 | ||
36 | ||
37 | ||
38 | # Override the port for accepting secure TLS connections | |
39 | # This can be a port number, or service name | |
40 | # | |
41 | # This setting is not required or honoured if using systemd socket | |
42 | # activation with systemd version >= 227 | |
43 | # | |
44 | #tls_port = "16514" | |
45 | ||
46 | # Override the port for accepting insecure TCP connections | |
47 | # This can be a port number, or service name | |
48 | # | |
49 | # This setting is not required or honoured if using systemd socket | |
50 | # activation with systemd version >= 227 | |
51 | # | |
52 | #tcp_port = "16509" | |
53 | ||
54 | ||
55 | # Override the default configuration which binds to all network | |
56 | # interfaces. This can be a numeric IPv4/6 address, or hostname | |
57 | # | |
58 | # This setting is not required or honoured if using systemd socket | |
59 | # activation. | |
60 | # | |
61 | # If the libvirtd service is started in parallel with network | |
62 | # startup (e.g. with systemd), binding to addresses other than | |
63 | # the wildcards (0.0.0.0/::) might not be available yet. | |
64 | # | |
65 | listen_addr = "127.0.0.1" | |
66 | ||
67 | ||
68 | ################################################################# | |
69 | # | |
70 | # UNIX socket access controls | |
71 | # | |
72 | ||
73 | # Set the UNIX domain socket group ownership. This can be used to | |
74 | # allow a 'trusted' set of users access to management capabilities | |
75 | # without becoming root. | |
76 | # | |
77 | # This setting is not required or honoured if using systemd socket | |
78 | # activation. | |
79 | # | |
80 | # This is restricted to 'root' by default. | |
81 | unix_sock_group = "libvirt-remote" | |
82 | ||
83 | # Set the UNIX socket permissions for the R/O socket. This is used | |
84 | # for monitoring VM status only | |
85 | # | |
86 | # This setting is not required or honoured if using systemd socket | |
87 | # activation. | |
88 | # | |
89 | # Default allows any user. If setting group ownership, you may want to | |
90 | # restrict this too. | |
91 | unix_sock_ro_perms = "0770" | |
92 | ||
93 | # Set the UNIX socket permissions for the R/W socket. This is used | |
94 | # for full management of VMs | |
95 | # | |
96 | # This setting is not required or honoured if using systemd socket | |
97 | # activation. | |
98 | # | |
99 | # Default allows only root. If PolicyKit is enabled on the socket, | |
100 | # the default will change to allow everyone (eg, 0777) | |
101 | # | |
102 | # If not using PolicyKit and setting group ownership for access | |
103 | # control, then you may want to relax this too. | |
104 | unix_sock_rw_perms = "0770" | |
105 | ||
106 | # Set the UNIX socket permissions for the admin interface socket. | |
107 | # | |
108 | # This setting is not required or honoured if using systemd socket | |
109 | # activation. | |
110 | # | |
111 | # Default allows only owner (root), do not change it unless you are | |
112 | # sure to whom you are exposing the access to. | |
113 | #unix_sock_admin_perms = "0700" | |
114 | ||
115 | # Set the name of the directory in which sockets will be found/created. | |
116 | # | |
117 | # This setting is not required or honoured if using systemd socket | |
118 | # activation with systemd version >= 227 | |
119 | # | |
120 | #unix_sock_dir = "/var/run/libvirt" | |
121 | ||
122 | ||
123 | ||
124 | ################################################################# | |
125 | # | |
126 | # Authentication. | |
127 | # | |
128 | # - none: do not perform auth checks. If you can connect to the | |
129 | # socket you are allowed. This is suitable if there are | |
130 | # restrictions on connecting to the socket (eg, UNIX | |
131 | # socket permissions), or if there is a lower layer in | |
132 | # the network providing auth (eg, TLS/x509 certificates) | |
133 | # | |
134 | # - sasl: use SASL infrastructure. The actual auth scheme is then | |
135 | # controlled from /etc/sasl2/libvirt.conf. For the TCP | |
136 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. | |
137 | # For non-TCP or TLS sockets, any scheme is allowed. | |
138 | # | |
139 | # - polkit: use PolicyKit to authenticate. This is only suitable | |
140 | # for use on the UNIX sockets. The default policy will | |
141 | # require a user to supply their own password to gain | |
142 | # full read/write access (aka sudo like), while anyone | |
143 | # is allowed read/only access. | |
144 | # | |
145 | # Set an authentication scheme for UNIX read-only sockets | |
146 | # By default socket permissions allow anyone to connect | |
147 | # | |
148 | # To restrict monitoring of domains you may wish to enable | |
149 | # an authentication mechanism here | |
150 | #auth_unix_ro = "none" | |
151 | ||
152 | # Set an authentication scheme for UNIX read-write sockets | |
153 | # By default socket permissions only allow root. If PolicyKit | |
154 | # support was compiled into libvirt, the default will be to | |
155 | # use 'polkit' auth. | |
156 | # | |
157 | # If the unix_sock_rw_perms are changed you may wish to enable | |
158 | # an authentication mechanism here | |
159 | #auth_unix_rw = "none" | |
160 | ||
161 | # Change the authentication scheme for TCP sockets. | |
162 | # | |
163 | # If you don't enable SASL, then all TCP traffic is cleartext. | |
164 | # Don't do this outside of a dev/test scenario. For real world | |
165 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5 | |
166 | # mechanism in /etc/sasl2/libvirt.conf | |
167 | #auth_tcp = "sasl" | |
168 | ||
169 | # Change the authentication scheme for TLS sockets. | |
170 | # | |
171 | # TLS sockets already have encryption provided by the TLS | |
172 | # layer, and limited authentication is done by certificates | |
173 | # | |
174 | # It is possible to make use of any SASL authentication | |
175 | # mechanism as well, by using 'sasl' for this option | |
176 | #auth_tls = "none" | |
177 | ||
178 | ||
179 | # Change the API access control scheme | |
180 | # | |
181 | # By default an authenticated user is allowed access | |
182 | # to all APIs. Access drivers can place restrictions | |
183 | # on this. By default the 'nop' driver is enabled, | |
184 | # meaning no access control checks are done once a | |
185 | # client has authenticated with libvirtd | |
186 | # | |
187 | #access_drivers = [ "polkit" ] | |
188 | ||
189 | ################################################################# | |
190 | # | |
191 | # TLS x509 certificate configuration | |
192 | # | |
193 | ||
194 | # Use of TLS requires that x509 certificates be issued. The default locations | |
195 | # for the certificate files is as follows: | |
196 | # | |
197 | # /etc/pki/CA/cacert.pem - The CA master certificate | |
198 | # /etc/pki/libvirt/servercert.pem - The server certificate signed with | |
199 | # the cacert.pem | |
200 | # /etc/pki/libvirt/private/serverkey.pem - The server private key | |
201 | # | |
202 | # It is possible to override the default locations by altering the 'key_file', | |
203 | # 'cert_file', and 'ca_file' values and uncommenting them below. | |
204 | # | |
205 | # NB, overriding the default of one location requires uncommenting and | |
206 | # possibly additionally overriding the other settings. | |
207 | # | |
208 | ||
209 | # Override the default server key file path | |
210 | # | |
211 | #key_file = "/etc/pki/libvirt/private/serverkey.pem" | |
212 | ||
213 | # Override the default server certificate file path | |
214 | # | |
215 | #cert_file = "/etc/pki/libvirt/servercert.pem" | |
216 | ||
217 | # Override the default CA certificate path | |
218 | # | |
219 | #ca_file = "/etc/pki/CA/cacert.pem" | |
220 | ||
221 | # Specify a certificate revocation list. | |
222 | # | |
223 | # Defaults to not using a CRL, uncomment to enable it | |
224 | #crl_file = "/etc/pki/CA/crl.pem" | |
225 | ||
226 | ||
227 | ||
228 | ################################################################# | |
229 | # | |
230 | # Authorization controls | |
231 | # | |
232 | ||
233 | ||
234 | # Flag to disable verification of our own server certificates | |
235 | # | |
236 | # When libvirtd starts it performs some sanity checks against | |
237 | # its own certificates. | |
238 | # | |
239 | # Default is to always run sanity checks. Uncommenting this | |
240 | # will disable sanity checks which is not a good idea | |
241 | #tls_no_sanity_certificate = 1 | |
242 | ||
243 | # Flag to disable verification of client certificates | |
244 | # | |
245 | # Client certificate verification is the primary authentication mechanism. | |
246 | # Any client which does not present a certificate signed by the CA | |
247 | # will be rejected. | |
248 | # | |
249 | # Default is to always verify. Uncommenting this will disable | |
250 | # verification - make sure an IP whitelist is set | |
251 | #tls_no_verify_certificate = 1 | |
252 | ||
253 | ||
254 | # A whitelist of allowed x509 Distinguished Names | |
255 | # This list may contain wildcards such as | |
256 | # | |
257 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*" | |
258 | # | |
259 | # See the POSIX fnmatch function for the format of the wildcards. | |
260 | # | |
261 | # NB If this is an empty list, no client can connect, so comment out | |
262 | # entirely rather than using empty list to disable these checks | |
263 | # | |
264 | # By default, no DN's are checked | |
265 | #tls_allowed_dn_list = ["DN1", "DN2"] | |
266 | ||
267 | ||
268 | # A whitelist of allowed SASL usernames. The format for username | |
269 | # depends on the SASL authentication mechanism. Kerberos usernames | |
270 | # look like username@REALM | |
271 | # | |
272 | # This list may contain wildcards such as | |
273 | # | |
274 | # "*@EXAMPLE.COM" | |
275 | # | |
276 | # See the POSIX fnmatch function for the format of the wildcards. | |
277 | # | |
278 | # NB If this is an empty list, no client can connect, so comment out | |
279 | # entirely rather than using empty list to disable these checks | |
280 | # | |
281 | # By default, no Username's are checked | |
282 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] | |
283 | ||
284 | ||
285 | # Override the compile time default TLS priority string. The | |
286 | # default is usually "NORMAL" unless overridden at build time. | |
287 | # Only set this is it is desired for libvirt to deviate from | |
288 | # the global default settings. | |
289 | # | |
290 | #tls_priority="NORMAL" | |
291 | ||
292 | ||
293 | ################################################################# | |
294 | # | |
295 | # Processing controls | |
296 | # | |
297 | ||
298 | # The maximum number of concurrent client connections to allow | |
299 | # over all sockets combined. | |
300 | #max_clients = 5000 | |
301 | ||
302 | # The maximum length of queue of connections waiting to be | |
303 | # accepted by the daemon. Note, that some protocols supporting | |
304 | # retransmission may obey this so that a later reattempt at | |
305 | # connection succeeds. | |
306 | #max_queued_clients = 1000 | |
307 | ||
308 | # The maximum length of queue of accepted but not yet | |
309 | # authenticated clients. The default value is 20. Set this to | |
310 | # zero to turn this feature off. | |
311 | #max_anonymous_clients = 20 | |
312 | ||
313 | # The minimum limit sets the number of workers to start up | |
314 | # initially. If the number of active clients exceeds this, | |
315 | # then more threads are spawned, up to max_workers limit. | |
316 | # Typically you'd want max_workers to equal maximum number | |
317 | # of clients allowed | |
318 | #min_workers = 5 | |
319 | #max_workers = 20 | |
320 | ||
321 | ||
322 | # The number of priority workers. If all workers from above | |
323 | # pool are stuck, some calls marked as high priority | |
324 | # (notably domainDestroy) can be executed in this pool. | |
325 | #prio_workers = 5 | |
326 | ||
327 | # Limit on concurrent requests from a single client | |
328 | # connection. To avoid one client monopolizing the server | |
329 | # this should be a small fraction of the global max_workers | |
330 | # parameter. | |
331 | #max_client_requests = 5 | |
332 | ||
333 | # Same processing controls, but this time for the admin interface. | |
334 | # For description of each option, be so kind to scroll few lines | |
335 | # upwards. | |
336 | ||
337 | #admin_min_workers = 1 | |
338 | #admin_max_workers = 5 | |
339 | #admin_max_clients = 5 | |
340 | #admin_max_queued_clients = 5 | |
341 | #admin_max_client_requests = 5 | |
342 | ||
343 | ################################################################# | |
344 | # | |
345 | # Logging controls | |
346 | # | |
347 | ||
348 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug | |
349 | # basically 1 will log everything possible | |
350 | # | |
351 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. | |
352 | # | |
353 | # WARNING: It outputs too much information to practically read. | |
354 | # WARNING: The "log_filters" setting is recommended instead. | |
355 | # | |
356 | # WARNING: Journald applies rate limiting of messages and so libvirt | |
357 | # WARNING: will limit "log_level" to only allow values 3 or 4 if | |
358 | # WARNING: journald is the current output. | |
359 | # | |
360 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. | |
361 | #log_level = 3 | |
362 | ||
363 | # Logging filters: | |
364 | # A filter allows to select a different logging level for a given category | |
365 | # of logs. The format for a filter is one of: | |
366 | # | |
367 | # level:match | |
368 | # level:+match | |
369 | # | |
370 | # where 'match' is a string which is matched against the category | |
371 | # given in the VIR_LOG_INIT() at the top of each libvirt source | |
372 | # file, e.g., "remote", "qemu", or "util.json". The 'match' in the | |
373 | # filter matches using shell wildcard syntax (see 'man glob(7)'). | |
374 | # The 'match' is always treated as a substring match. IOW a match | |
375 | # string 'foo' is equivalent to '*foo*'. | |
376 | # | |
377 | # If 'match' contains the optional "+" prefix, it tells libvirt | |
378 | # to log stack trace for each message matching name. | |
379 | # | |
380 | # 'level' is the minimal level where matching messages should | |
381 | # be logged: | |
382 | # | |
383 | # 1: DEBUG | |
384 | # 2: INFO | |
385 | # 3: WARNING | |
386 | # 4: ERROR | |
387 | # | |
388 | # Multiple filters can be defined in a single @log_filters, they just need | |
389 | # to be separated by spaces. Note that libvirt performs "first" match, i.e. | |
390 | # if there are concurrent filters, the first one that matches will be applied, | |
391 | # given the order in @log_filters. | |
392 | # | |
393 | # A typical need is to capture information from a hypervisor driver, | |
394 | # public API entrypoints and some of the utility code. Some utility | |
395 | # code is very verbose and is generally not desired. Taking the QEMU | |
396 | # hypervisor as an example, a suitable filter string for debugging | |
397 | # might be to turn off object, json & event logging, but enable the | |
398 | # rest of the util code: | |
399 | # | |
400 | #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" | |
401 | ||
402 | # Logging outputs: | |
403 | # An output is one of the places to save logging information | |
404 | # The format for an output can be: | |
405 | # level:stderr | |
406 | # output goes to stderr | |
407 | # level:syslog:name | |
408 | # use syslog for the output and use the given name as the ident | |
409 | # level:file:file_path | |
410 | # output to a file, with the given filepath | |
411 | # level:journald | |
412 | # output to journald logging system | |
413 | # In all cases 'level' is the minimal priority, acting as a filter | |
414 | # 1: DEBUG | |
415 | # 2: INFO | |
416 | # 3: WARNING | |
417 | # 4: ERROR | |
418 | # | |
419 | # Multiple outputs can be defined, they just need to be separated by spaces. | |
420 | # e.g. to log all warnings and errors to syslog under the libvirtd ident: | |
421 | #log_outputs="3:syslog:libvirtd" | |
422 | ||
423 | ||
424 | ################################################################## | |
425 | # | |
426 | # Auditing | |
427 | # | |
428 | # This setting allows usage of the auditing subsystem to be altered: | |
429 | # | |
430 | # audit_level == 0 -> disable all auditing | |
431 | # audit_level == 1 -> enable auditing, only if enabled on host (default) | |
432 | # audit_level == 2 -> enable auditing, and exit if disabled on host | |
433 | # | |
434 | #audit_level = 2 | |
435 | # | |
436 | # If set to 1, then audit messages will also be sent | |
437 | # via libvirt logging infrastructure. Defaults to 0 | |
438 | # | |
439 | #audit_logging = 1 | |
440 | ||
441 | ################################################################### | |
442 | # UUID of the host: | |
443 | # Host UUID is read from one of the sources specified in host_uuid_source. | |
444 | # | |
445 | # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' | |
446 | # - 'machine-id': fetch the UUID from /etc/machine-id | |
447 | # | |
448 | # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide | |
449 | # a valid UUID a temporary UUID will be generated. | |
450 | # | |
451 | # Another option is to specify host UUID in host_uuid. | |
452 | # | |
453 | # Keep the format of the example UUID below. UUID must not have all digits | |
454 | # be the same. | |
455 | ||
456 | # NB This default all-zeros UUID will not work. Replace | |
457 | # it with the output of the 'uuidgen' command and then | |
458 | # uncomment this entry | |
459 | #host_uuid = "00000000-0000-0000-0000-000000000000" | |
460 | #host_uuid_source = "smbios" | |
461 | ||
462 | ################################################################### | |
463 | # Keepalive protocol: | |
464 | # This allows libvirtd to detect broken client connections or even | |
465 | # dead clients. A keepalive message is sent to a client after | |
466 | # keepalive_interval seconds of inactivity to check if the client is | |
467 | # still responding; keepalive_count is a maximum number of keepalive | |
468 | # messages that are allowed to be sent to the client without getting | |
469 | # any response before the connection is considered broken. In other | |
470 | # words, the connection is automatically closed approximately after | |
471 | # keepalive_interval * (keepalive_count + 1) seconds since the last | |
472 | # message received from the client. If keepalive_interval is set to | |
473 | # -1, libvirtd will never send keepalive requests; however clients | |
474 | # can still send them and the daemon will send responses. When | |
475 | # keepalive_count is set to 0, connections will be automatically | |
476 | # closed after keepalive_interval seconds of inactivity without | |
477 | # sending any keepalive messages. | |
478 | # | |
479 | #keepalive_interval = 5 | |
480 | #keepalive_count = 5 | |
481 | ||
482 | # | |
483 | # These configuration options are no longer used. There is no way to | |
484 | # restrict such clients from connecting since they first need to | |
485 | # connect in order to ask for keepalive. | |
486 | # | |
487 | #keepalive_required = 1 | |
488 | #admin_keepalive_required = 1 | |
489 | ||
490 | # Keepalive settings for the admin interface | |
491 | #admin_keepalive_interval = 5 | |
492 | #admin_keepalive_count = 5 | |
493 | ||
494 | ################################################################### | |
495 | # Open vSwitch: | |
496 | # This allows to specify a timeout for openvswitch calls made by | |
497 | # libvirt. The ovs-vsctl utility is used for the configuration and | |
498 | # its timeout option is set by default to 5 seconds to avoid | |
499 | # potential infinite waits blocking libvirt. | |
500 | # | |
501 | #ovs_timeout = 5 |