1 # Master libvirt daemon configuration file
4 #################################################################
6 # Network connectivity controls
9 # Flag listening for secure TLS connections on the public TCP/IP port.
10 # NB, must pass the --listen flag to the libvirtd process for this to
13 # This setting is not required or honoured if using systemd socket
16 # It is necessary to setup a CA and issue server certificates before
17 # using this capability.
19 # This is enabled by default, uncomment this to disable it
22 # Listen for unencrypted TCP connections on the public TCP/IP port.
23 # NB, must pass the --listen flag to the libvirtd process for this to
26 # This setting is not required or honoured if using systemd socket
29 # Using the TCP socket requires SASL authentication by default. Only
30 # SASL mechanisms which support data encryption are allowed. This is
31 # DIGEST_MD5 and GSSAPI (Kerberos5)
33 # This is disabled by default, uncomment this to enable it.
38 # Override the port for accepting secure TLS connections
39 # This can be a port number, or service name
41 # This setting is not required or honoured if using systemd socket
42 # activation with systemd version >= 227
46 # Override the port for accepting insecure TCP connections
47 # This can be a port number, or service name
49 # This setting is not required or honoured if using systemd socket
50 # activation with systemd version >= 227
55 # Override the default configuration which binds to all network
56 # interfaces. This can be a numeric IPv4/6 address, or hostname
58 # This setting is not required or honoured if using systemd socket
61 # If the libvirtd service is started in parallel with network
62 # startup (e.g. with systemd), binding to addresses other than
63 # the wildcards (0.0.0.0/::) might not be available yet.
65 listen_addr = "127.0.0.1"
68 #################################################################
70 # UNIX socket access controls
73 # Set the UNIX domain socket group ownership. This can be used to
74 # allow a 'trusted' set of users access to management capabilities
75 # without becoming root.
77 # This setting is not required or honoured if using systemd socket
80 # This is restricted to 'root' by default.
81 unix_sock_group = "libvirt-remote"
83 # Set the UNIX socket permissions for the R/O socket. This is used
84 # for monitoring VM status only
86 # This setting is not required or honoured if using systemd socket
89 # Default allows any user. If setting group ownership, you may want to
91 unix_sock_ro_perms = "0770"
93 # Set the UNIX socket permissions for the R/W socket. This is used
94 # for full management of VMs
96 # This setting is not required or honoured if using systemd socket
99 # Default allows only root. If PolicyKit is enabled on the socket,
100 # the default will change to allow everyone (eg, 0777)
102 # If not using PolicyKit and setting group ownership for access
103 # control, then you may want to relax this too.
104 unix_sock_rw_perms = "0770"
106 # Set the UNIX socket permissions for the admin interface socket.
108 # This setting is not required or honoured if using systemd socket
111 # Default allows only owner (root), do not change it unless you are
112 # sure to whom you are exposing the access to.
113 #unix_sock_admin_perms = "0700"
115 # Set the name of the directory in which sockets will be found/created.
117 # This setting is not required or honoured if using systemd socket
118 # activation with systemd version >= 227
120 #unix_sock_dir = "/var/run/libvirt"
124 #################################################################
128 # - none: do not perform auth checks. If you can connect to the
129 # socket you are allowed. This is suitable if there are
130 # restrictions on connecting to the socket (eg, UNIX
131 # socket permissions), or if there is a lower layer in
132 # the network providing auth (eg, TLS/x509 certificates)
134 # - sasl: use SASL infrastructure. The actual auth scheme is then
135 # controlled from /etc/sasl2/libvirt.conf. For the TCP
136 # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
137 # For non-TCP or TLS sockets, any scheme is allowed.
139 # - polkit: use PolicyKit to authenticate. This is only suitable
140 # for use on the UNIX sockets. The default policy will
141 # require a user to supply their own password to gain
142 # full read/write access (aka sudo like), while anyone
143 # is allowed read/only access.
145 # Set an authentication scheme for UNIX read-only sockets
146 # By default socket permissions allow anyone to connect
148 # To restrict monitoring of domains you may wish to enable
149 # an authentication mechanism here
150 #auth_unix_ro = "none"
152 # Set an authentication scheme for UNIX read-write sockets
153 # By default socket permissions only allow root. If PolicyKit
154 # support was compiled into libvirt, the default will be to
157 # If the unix_sock_rw_perms are changed you may wish to enable
158 # an authentication mechanism here
159 #auth_unix_rw = "none"
161 # Change the authentication scheme for TCP sockets.
163 # If you don't enable SASL, then all TCP traffic is cleartext.
164 # Don't do this outside of a dev/test scenario. For real world
165 # use, always enable SASL and use the GSSAPI or DIGEST-MD5
166 # mechanism in /etc/sasl2/libvirt.conf
169 # Change the authentication scheme for TLS sockets.
171 # TLS sockets already have encryption provided by the TLS
172 # layer, and limited authentication is done by certificates
174 # It is possible to make use of any SASL authentication
175 # mechanism as well, by using 'sasl' for this option
179 # Change the API access control scheme
181 # By default an authenticated user is allowed access
182 # to all APIs. Access drivers can place restrictions
183 # on this. By default the 'nop' driver is enabled,
184 # meaning no access control checks are done once a
185 # client has authenticated with libvirtd
187 #access_drivers = [ "polkit" ]
189 #################################################################
191 # TLS x509 certificate configuration
194 # Use of TLS requires that x509 certificates be issued. The default locations
195 # for the certificate files is as follows:
197 # /etc/pki/CA/cacert.pem - The CA master certificate
198 # /etc/pki/libvirt/servercert.pem - The server certificate signed with
200 # /etc/pki/libvirt/private/serverkey.pem - The server private key
202 # It is possible to override the default locations by altering the 'key_file',
203 # 'cert_file', and 'ca_file' values and uncommenting them below.
205 # NB, overriding the default of one location requires uncommenting and
206 # possibly additionally overriding the other settings.
209 # Override the default server key file path
211 #key_file = "/etc/pki/libvirt/private/serverkey.pem"
213 # Override the default server certificate file path
215 #cert_file = "/etc/pki/libvirt/servercert.pem"
217 # Override the default CA certificate path
219 #ca_file = "/etc/pki/CA/cacert.pem"
221 # Specify a certificate revocation list.
223 # Defaults to not using a CRL, uncomment to enable it
224 #crl_file = "/etc/pki/CA/crl.pem"
228 #################################################################
230 # Authorization controls
234 # Flag to disable verification of our own server certificates
236 # When libvirtd starts it performs some sanity checks against
237 # its own certificates.
239 # Default is to always run sanity checks. Uncommenting this
240 # will disable sanity checks which is not a good idea
241 #tls_no_sanity_certificate = 1
243 # Flag to disable verification of client certificates
245 # Client certificate verification is the primary authentication mechanism.
246 # Any client which does not present a certificate signed by the CA
249 # Default is to always verify. Uncommenting this will disable
250 # verification - make sure an IP whitelist is set
251 #tls_no_verify_certificate = 1
254 # A whitelist of allowed x509 Distinguished Names
255 # This list may contain wildcards such as
257 # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
259 # See the POSIX fnmatch function for the format of the wildcards.
261 # NB If this is an empty list, no client can connect, so comment out
262 # entirely rather than using empty list to disable these checks
264 # By default, no DN's are checked
265 #tls_allowed_dn_list = ["DN1", "DN2"]
268 # A whitelist of allowed SASL usernames. The format for username
269 # depends on the SASL authentication mechanism. Kerberos usernames
270 # look like username@REALM
272 # This list may contain wildcards such as
276 # See the POSIX fnmatch function for the format of the wildcards.
278 # NB If this is an empty list, no client can connect, so comment out
279 # entirely rather than using empty list to disable these checks
281 # By default, no Username's are checked
282 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
285 # Override the compile time default TLS priority string. The
286 # default is usually "NORMAL" unless overridden at build time.
287 # Only set this is it is desired for libvirt to deviate from
288 # the global default settings.
290 #tls_priority="NORMAL"
293 #################################################################
295 # Processing controls
298 # The maximum number of concurrent client connections to allow
299 # over all sockets combined.
302 # The maximum length of queue of connections waiting to be
303 # accepted by the daemon. Note, that some protocols supporting
304 # retransmission may obey this so that a later reattempt at
305 # connection succeeds.
306 #max_queued_clients = 1000
308 # The maximum length of queue of accepted but not yet
309 # authenticated clients. The default value is 20. Set this to
310 # zero to turn this feature off.
311 #max_anonymous_clients = 20
313 # The minimum limit sets the number of workers to start up
314 # initially. If the number of active clients exceeds this,
315 # then more threads are spawned, up to max_workers limit.
316 # Typically you'd want max_workers to equal maximum number
322 # The number of priority workers. If all workers from above
323 # pool are stuck, some calls marked as high priority
324 # (notably domainDestroy) can be executed in this pool.
327 # Limit on concurrent requests from a single client
328 # connection. To avoid one client monopolizing the server
329 # this should be a small fraction of the global max_workers
331 #max_client_requests = 5
333 # Same processing controls, but this time for the admin interface.
334 # For description of each option, be so kind to scroll few lines
337 #admin_min_workers = 1
338 #admin_max_workers = 5
339 #admin_max_clients = 5
340 #admin_max_queued_clients = 5
341 #admin_max_client_requests = 5
343 #################################################################
348 # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
349 # basically 1 will log everything possible
351 # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
353 # WARNING: It outputs too much information to practically read.
354 # WARNING: The "log_filters" setting is recommended instead.
356 # WARNING: Journald applies rate limiting of messages and so libvirt
357 # WARNING: will limit "log_level" to only allow values 3 or 4 if
358 # WARNING: journald is the current output.
360 # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
364 # A filter allows to select a different logging level for a given category
365 # of logs. The format for a filter is one of:
370 # where 'match' is a string which is matched against the category
371 # given in the VIR_LOG_INIT() at the top of each libvirt source
372 # file, e.g., "remote", "qemu", or "util.json". The 'match' in the
373 # filter matches using shell wildcard syntax (see 'man glob(7)').
374 # The 'match' is always treated as a substring match. IOW a match
375 # string 'foo' is equivalent to '*foo*'.
377 # If 'match' contains the optional "+" prefix, it tells libvirt
378 # to log stack trace for each message matching name.
380 # 'level' is the minimal level where matching messages should
388 # Multiple filters can be defined in a single @log_filters, they just need
389 # to be separated by spaces. Note that libvirt performs "first" match, i.e.
390 # if there are concurrent filters, the first one that matches will be applied,
391 # given the order in @log_filters.
393 # A typical need is to capture information from a hypervisor driver,
394 # public API entrypoints and some of the utility code. Some utility
395 # code is very verbose and is generally not desired. Taking the QEMU
396 # hypervisor as an example, a suitable filter string for debugging
397 # might be to turn off object, json & event logging, but enable the
398 # rest of the util code:
400 #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
403 # An output is one of the places to save logging information
404 # The format for an output can be:
406 # output goes to stderr
408 # use syslog for the output and use the given name as the ident
409 # level:file:file_path
410 # output to a file, with the given filepath
412 # output to journald logging system
413 # In all cases 'level' is the minimal priority, acting as a filter
419 # Multiple outputs can be defined, they just need to be separated by spaces.
420 # e.g. to log all warnings and errors to syslog under the libvirtd ident:
421 #log_outputs="3:syslog:libvirtd"
424 ##################################################################
428 # This setting allows usage of the auditing subsystem to be altered:
430 # audit_level == 0 -> disable all auditing
431 # audit_level == 1 -> enable auditing, only if enabled on host (default)
432 # audit_level == 2 -> enable auditing, and exit if disabled on host
436 # If set to 1, then audit messages will also be sent
437 # via libvirt logging infrastructure. Defaults to 0
441 ###################################################################
443 # Host UUID is read from one of the sources specified in host_uuid_source.
445 # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
446 # - 'machine-id': fetch the UUID from /etc/machine-id
448 # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
449 # a valid UUID a temporary UUID will be generated.
451 # Another option is to specify host UUID in host_uuid.
453 # Keep the format of the example UUID below. UUID must not have all digits
456 # NB This default all-zeros UUID will not work. Replace
457 # it with the output of the 'uuidgen' command and then
458 # uncomment this entry
459 #host_uuid = "00000000-0000-0000-0000-000000000000"
460 #host_uuid_source = "smbios"
462 ###################################################################
463 # Keepalive protocol:
464 # This allows libvirtd to detect broken client connections or even
465 # dead clients. A keepalive message is sent to a client after
466 # keepalive_interval seconds of inactivity to check if the client is
467 # still responding; keepalive_count is a maximum number of keepalive
468 # messages that are allowed to be sent to the client without getting
469 # any response before the connection is considered broken. In other
470 # words, the connection is automatically closed approximately after
471 # keepalive_interval * (keepalive_count + 1) seconds since the last
472 # message received from the client. If keepalive_interval is set to
473 # -1, libvirtd will never send keepalive requests; however clients
474 # can still send them and the daemon will send responses. When
475 # keepalive_count is set to 0, connections will be automatically
476 # closed after keepalive_interval seconds of inactivity without
477 # sending any keepalive messages.
479 #keepalive_interval = 5
483 # These configuration options are no longer used. There is no way to
484 # restrict such clients from connecting since they first need to
485 # connect in order to ask for keepalive.
487 #keepalive_required = 1
488 #admin_keepalive_required = 1
490 # Keepalive settings for the admin interface
491 #admin_keepalive_interval = 5
492 #admin_keepalive_count = 5
494 ###################################################################
496 # This allows to specify a timeout for openvswitch calls made by
497 # libvirt. The ovs-vsctl utility is used for the configuration and
498 # its timeout option is set by default to 5 seconds to avoid
499 # potential infinite waits blocking libvirt.