Subversion Repositories configs

# Master configuration file for the QEMU driver.

# All settings described here are optional - if omitted, sensible

# defaults are used.

# Use of TLS requires that x509 certificates be issued. The default is

# to keep them in /etc/pki/qemu. This directory must contain

#

#  ca-cert.pem - the CA master certificate

#  server-cert.pem - the server certificate signed with ca-cert.pem

#  server-key.pem  - the server private key

#

# and optionally may contain

#

#  dh-params.pem - the DH params configuration file

#

# If the directory does not exist, libvirtd will fail to start. If the

# directory doesn't contain the necessary files, QEMU domains will fail

# to start if they are configured to use TLS.

#

# In order to overwrite the default path alter the following. This path

# definition will be used as the default path for other *_tls_x509_cert_dir

# configuration settings if their default path does not exist or is not

# specifically set.

#

#default_tls_x509_cert_dir = "/etc/pki/qemu"

# The default TLS configuration only uses certificates for the server

# allowing the client to verify the server's identity and establish

# an encrypted channel.

#

# It is possible to use x509 certificates for authentication too, by

# issuing an x509 certificate to every client who needs to connect.

#

# Enabling this option will reject any client who does not have a

# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem

#

# The default_tls_x509_cert_dir directory must also contain

#

#  client-cert.pem - the client certificate signed with the ca-cert.pem

#  client-key.pem - the client private key

#

# If this option is supplied it provides the default for the "_verify" option

# of specific TLS users such as vnc, backups, migration, etc. The specific

# users of TLS may override this by setting the specific "_verify" option.

#

# When not supplied the specific TLS users provide their own defaults.

#

#default_tls_x509_verify = 1

#

# Libvirt assumes the server-key.pem file is unencrypted by default.

# To use an encrypted server-key.pem file, the password to decrypt

# the PEM file is required. This can be provided by creating a secret

# object in libvirt and then to uncomment this setting to set the UUID

# of the secret.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# VNC is configured to listen on 127.0.0.1 by default.

# To make it listen on all public interfaces, uncomment

# this next option.

#

# NB, strong recommendation to enable TLS + x509 certificate

# verification when allowing public access

#

#vnc_listen = "0.0.0.0"

# Enable this option to have VNC served over an automatically created

# unix socket. This prevents unprivileged access from users on the

# host machine, though most VNC clients do not support it.

#

# This will only be enabled for VNC configurations that have listen

# type=address but without any address specified. This setting takes

# preference over vnc_listen.

#

#vnc_auto_unix_socket = 1

# Enable use of TLS encryption on the VNC server. This requires

# a VNC client which supports the VeNCrypt protocol extension.

# Examples include vinagre, virt-viewer, virt-manager and vencrypt

# itself. UltraVNC, RealVNC, TightVNC do not support this

#

# It is necessary to setup CA and issue a server certificate

# before enabling this.

#

#vnc_tls = 1

# In order to override the default TLS certificate location for

# vnc certificates, supply a valid path to the certificate directory.

# If the provided path does not exist, libvirtd will fail to start.

# If the path is not provided, but vnc_tls = 1, then the

# default_tls_x509_cert_dir path will be used.

#

#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# The default TLS configuration only uses certificates for the server

# allowing the client to verify the server's identity and establish

# an encrypted channel.

#

# It is possible to use x509 certificates for authentication too, by

# issuing an x509 certificate to every client who needs to connect.

#

# Enabling this option will reject any client that does not have a

# certificate (as described in default_tls_x509_verify) signed by the

# CA in the vnc_tls_x509_cert_dir (or default_tls_x509_cert_dir).

#

# If this option is not supplied, it will be set to the value of

# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,

# the default is "0".

#

#vnc_tls_x509_verify = 1

# The default VNC password. Only 8 bytes are significant for

# VNC passwords. This parameter is only used if the per-domain

# XML config does not already provide a password. To allow

# access without passwords, leave this commented out. An empty

# string will still enable passwords, but be rejected by QEMU,

# effectively preventing any use of VNC. Obviously change this

# example here before you set this.

#

#vnc_password = "XYZ12345"

# Enable use of SASL encryption on the VNC server. This requires

# a VNC client which supports the SASL protocol extension.

# Examples include vinagre, virt-viewer and virt-manager

# itself. UltraVNC, RealVNC, TightVNC do not support this

#

# It is necessary to configure /etc/sasl2/qemu.conf to choose

# the desired SASL plugin (eg, GSSPI for Kerberos)

#

#vnc_sasl = 1

# The default SASL configuration file is located in /etc/sasl2/

# When running libvirtd unprivileged, it may be desirable to

# override the configs in this location. Set this parameter to

# point to the directory, and create a qemu.conf in that location

#

#vnc_sasl_dir = "/some/directory/sasl2"

# QEMU implements an extension for providing audio over a VNC connection,

# though if your VNC client does not support it, your only chance for getting

# sound output is through regular audio backends. By default, libvirt will

# disable all QEMU sound backends if using VNC, since they can cause

# permissions issues. Enabling this option will make libvirtd honor the

# QEMU_AUDIO_DRV environment variable when using VNC.

#

#vnc_allow_host_audio = 0

# SPICE is configured to listen on 127.0.0.1 by default.

# To make it listen on all public interfaces, uncomment

# this next option.

#

# NB, strong recommendation to enable TLS + x509 certificate

# verification when allowing public access

#

#spice_listen = "0.0.0.0"

# Enable use of TLS encryption on the SPICE server.

#

# It is necessary to setup CA and issue a server certificate

# before enabling this.

#

#spice_tls = 1

# In order to override the default TLS certificate location for

# spice certificates, supply a valid path to the certificate directory.

# If the provided path does not exist, libvirtd will fail to start.

# If the path is not provided, but spice_tls = 1, then the

# default_tls_x509_cert_dir path will be used.

#

#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"

# Enable this option to have SPICE served over an automatically created

# unix socket. This prevents unprivileged access from users on the

# host machine.

#

# This will only be enabled for SPICE configurations that have listen

# type=address but without any address specified. This setting takes

# preference over spice_listen.

#

#spice_auto_unix_socket = 1

# The default SPICE password. This parameter is only used if the

# per-domain XML config does not already provide a password. To

# allow access without passwords, leave this commented out. An

# empty string will still enable passwords, but be rejected by

# QEMU, effectively preventing any use of SPICE. Obviously change

# this example here before you set this.

#

#spice_password = "XYZ12345"

# Enable use of SASL encryption on the SPICE server. This requires

# a SPICE client which supports the SASL protocol extension.

#

# It is necessary to configure /etc/sasl2/qemu.conf to choose

# the desired SASL plugin (eg, GSSPI for Kerberos)

#

#spice_sasl = 1

# The default SASL configuration file is located in /etc/sasl2/

# When running libvirtd unprivileged, it may be desirable to

# override the configs in this location. Set this parameter to

# point to the directory, and create a qemu.conf in that location

#

#spice_sasl_dir = "/some/directory/sasl2"

# Enable use of TLS encryption on the chardev TCP transports.

#

# It is necessary to setup CA and issue a server certificate

# before enabling this.

#

#chardev_tls = 1

# In order to override the default TLS certificate location for character

# device TCP certificates, supply a valid path to the certificate directory.

# If the provided path does not exist, libvirtd will fail to start.

# If the path is not provided, but chardev_tls = 1, then the

# default_tls_x509_cert_dir path will be used.

#

#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"

# The default TLS configuration only uses certificates for the server

# allowing the client to verify the server's identity and establish

# an encrypted channel.

#

# It is possible to use x509 certificates for authentication too, by

# issuing an x509 certificate to every client who needs to connect.

#

# Enabling this option will reject any client that does not have a

# certificate (as described in default_tls_x509_verify) signed by the

# CA in the chardev_tls_x509_cert_dir (or default_tls_x509_cert_dir).

#

# If this option is not supplied, it will be set to the value of

# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,

# the default is "1".

#

#chardev_tls_x509_verify = 1

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# Enable use of TLS encryption for all VxHS network block devices that

# don't specifically disable.

#

# When the VxHS network block device server is set up appropriately,

# x509 certificates are required for authentication between the clients

# (qemu processes) and the remote VxHS server.

#

# It is necessary to setup CA and issue the client certificate before

# enabling this.

#

#vxhs_tls = 1

# In order to override the default TLS certificate location for VxHS

# backed storage, supply a valid path to the certificate directory.

# This is used to authenticate the VxHS block device clients to the VxHS

# server.

#

# If the provided path does not exist, libvirtd will fail to start.

# If the path is not provided, but vxhs_tls = 1, then the

# default_tls_x509_cert_dir path will be used.

#

# VxHS block device clients expect the client certificate and key to be

# present in the certificate directory along with the CA master certificate.

# If using the default environment, default_tls_x509_verify must be configured.

# Since this is only a client the server-key.pem certificate is not needed.

# Thus a VxHS directory must contain the following:

#

#  ca-cert.pem - the CA master certificate

#  client-cert.pem - the client certificate signed with the ca-cert.pem

#  client-key.pem - the client private key

#

#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#vxhs_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# Enable use of TLS encryption for all NBD disk devices that don't

# specifically disable it.

#

# When the NBD server is set up appropriately, x509 certificates are required

# for authentication between the client and the remote NBD server.

#

# It is necessary to setup CA and issue the client certificate before

# enabling this.

#

#nbd_tls = 1

# In order to override the default TLS certificate location for NBD

# backed storage, supply a valid path to the certificate directory.

# This is used to authenticate the NBD block device clients to the NBD

# server.

#

# If the provided path does not exist, libvirtd will fail to start.

# If the path is not provided, but nbd_tls = 1, then the

# default_tls_x509_cert_dir path will be used.

#

# NBD block device clients expect the client certificate and key to be

# present in the certificate directory along with the CA certificate.

# Since this is only a client the server-key.pem certificate is not needed.

# Thus a NBD directory must contain the following:

#

#  ca-cert.pem - the CA master certificate

#  client-cert.pem - the client certificate signed with the ca-cert.pem

#  client-key.pem - the client private key

#

#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#nbd_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# In order to override the default TLS certificate location for migration

# certificates, supply a valid path to the certificate directory. If the

# provided path does not exist, libvirtd will fail to start. If the path is

# not provided, but TLS-encrypted migration is requested, then the

# default_tls_x509_cert_dir path will be used. Once/if a default certificate is

# enabled/defined, migration will then be able to use the certificate via

# migration API flags.

#

#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"

# The default TLS configuration only uses certificates for the server

# allowing the client to verify the server's identity and establish

# an encrypted channel.

#

# It is possible to use x509 certificates for authentication too, by

# issuing an x509 certificate to every client who needs to connect.

#

# Enabling this option will reject any client that does not have a

# certificate (as described in default_tls_x509_verify) signed by the

# CA in the migrate_tls_x509_cert_dir (or default_tls_x509_cert_dir).

#

# If this option is not supplied, it will be set to the value of

# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied

# either, the default is "1".

#

#migrate_tls_x509_verify = 1

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# By default TLS is requested using the VIR_MIGRATE_TLS flag, thus not requested

# automatically. Setting 'migate_tls_force' to "1" will prevent any migration

# which is not using VIR_MIGRATE_TLS to ensure higher level of security in

# deployments with TLS.

#

#migrate_tls_force = 0

# In order to override the default TLS certificate location for backup NBD

# server certificates, supply a valid path to the certificate directory. If the

# provided path does not exist, libvirtd will fail to start. If the path is

# not provided, but TLS-encrypted backup is requested, then the

# default_tls_x509_cert_dir path will be used.

#

#backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"

# The default TLS configuration only uses certificates for the server

# allowing the client to verify the server's identity and establish

# an encrypted channel.

#

# It is possible to use x509 certificates for authentication too, by

# issuing an x509 certificate to every client who needs to connect.

#

# Enabling this option will reject any client that does not have a

# certificate (as described in default_tls_x509_verify) signed by the

# CA in the backup_tls_x509_cert_dir (or default_tls_x509_cert_dir).

#

# If this option is not supplied, it will be set to the value of

# "default_tls_x509_verify". If "default_tls_x509_verify" is not supplied either,

# the default is "1".

#

#backup_tls_x509_verify = 1

# Uncomment and use the following option to override the default secret

# UUID provided in the default_tls_x509_secret_uuid parameter.

#

# NB This default all-zeros UUID will not work. Replace it with the

# output from the UUID for the TLS secret from a 'virsh secret-list'

# command and then uncomment the entry

#

#backup_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"

# By default, if no graphical front end is configured, libvirt will disable

# QEMU audio output since directly talking to alsa/pulseaudio may not work

# with various security settings. If you know what you're doing, enable

# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV

# environment variable when using nographics.

#

#nographics_allow_host_audio = 1

# Override the port for creating both VNC and SPICE sessions (min).

# This defaults to 5900 and increases for consecutive sessions

# or when ports are occupied, until it hits the maximum.

#

# Minimum must be greater than or equal to 5900 as lower number would

# result into negative vnc display number.

#

# Maximum must be less than 65536, because higher numbers do not make

# sense as a port number.

#

#remote_display_port_min = 5900

#remote_display_port_max = 65535

# VNC WebSocket port policies, same rules apply as with remote display

# ports.  VNC WebSockets use similar display <-> port mappings, with

# the exception being that ports start from 5700 instead of 5900.

#

#remote_websocket_port_min = 5700

#remote_websocket_port_max = 65535

# The default security driver is SELinux. If SELinux is disabled

# on the host, then the security driver will automatically disable

# itself. If you wish to disable QEMU SELinux security driver while

# leaving SELinux enabled for the host in general, then set this

# to 'none' instead. It's also possible to use more than one security

# driver at the same time, for this use a list of names separated by

# comma and delimited by square brackets. For example:

#

#       security_driver = [ "selinux", "apparmor" ]

#

# Notes: The DAC security driver is always enabled; as a result, the

# value of security_driver cannot contain "dac".  The value "none" is

# a special value; security_driver can be set to that value in

# isolation, but it cannot appear in a list of drivers.

#

#security_driver = "selinux"

# If set to non-zero, then the default security labeling

# will make guests confined. If set to zero, then guests

# will be unconfined by default. Defaults to 1.

#security_default_confined = 1

# If set to non-zero, then attempts to create unconfined

# guests will be blocked. Defaults to 0.

#security_require_confined = 1

# The user for QEMU processes run by the system instance. It can be

# specified as a user name or as a user id. The qemu driver will try to

# parse this value first as a name and then, if the name doesn't exist,

# as a user id.

#

# Since a sequence of digits is a valid user name, a leading plus sign

# can be used to ensure that a user id will not be interpreted as a user

# name.

#

# Some examples of valid values are:

#

#       user = "qemu"   # A user named "qemu"

#       user = "+0"     # Super user (uid=0)

#       user = "100"    # A user named "100" or a user with uid=100

#

#user = "root"

# The group for QEMU processes run by the system instance. It can be

# specified in a similar way to user.

#group = "root"

# Whether libvirt should dynamically change file ownership

# to match the configured user/group above. Defaults to 1.

# Set to 0 to disable file ownership changes.

#dynamic_ownership = 1

# Whether libvirt should remember and restore the original

# ownership over files it is relabeling. Defaults to 1, set

# to 0 to disable the feature.

#remember_owner = 1

# What cgroup controllers to make use of with QEMU guests

#

#  - 'cpu' - use for scheduler tunables

#  - 'devices' - use for device access control

#  - 'memory' - use for memory tunables

#  - 'blkio' - use for block devices I/O tunables

#  - 'cpuset' - use for CPUs and memory nodes

#  - 'cpuacct' - use for CPUs statistics.

#

# NB, even if configured here, they won't be used unless

# the administrator has mounted cgroups, e.g.:

#

#  mkdir /dev/cgroup

#  mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup

#

# They can be mounted anywhere, and different controllers

# can be mounted in different locations. libvirt will detect

# where they are located.

#

#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]

# This is the basic set of devices allowed / required by

# all virtual machines.

#

# As well as this, any configured block backed disks,

# all sound device, and all PTY devices are allowed.

#

# This will only need setting if newer QEMU suddenly

# wants some device we don't already know about.

#

#cgroup_device_acl = [

#    "/dev/null", "/dev/full", "/dev/zero",

#    "/dev/random", "/dev/urandom",

#    "/dev/ptmx", "/dev/kvm"

#]

#

# RDMA migration requires the following extra files to be added to the list:

#   "/dev/infiniband/rdma_cm",

#   "/dev/infiniband/issm0",

#   "/dev/infiniband/issm1",

#   "/dev/infiniband/umad0",

#   "/dev/infiniband/umad1",

#   "/dev/infiniband/uverbs0"

# The default format for QEMU/KVM guest save images is raw; that is, the

# memory from the domain is dumped out directly to a file.  If you have

# guests with a large amount of memory, however, this can take up quite

# a bit of space.  If you would like to compress the images while they

# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"

# for save_image_format.  Note that this means you slow down the process of

# saving a domain in order to save disk space; the list above is in descending

# order by performance and ascending order by compression ratio.

#

# save_image_format is used when you use 'virsh save' or 'virsh managedsave'

# at scheduled saving, and it is an error if the specified save_image_format

# is not valid, or the requested compression program can't be found.

#

# dump_image_format is used when you use 'virsh dump' at emergency

# crashdump, and if the specified dump_image_format is not valid, or

# the requested compression program can't be found, this falls

# back to "raw" compression.

#

# snapshot_image_format specifies the compression algorithm of the memory save

# image when an external snapshot of a domain is taken. This does not apply

# on disk image format. It is an error if the specified format isn't valid,

# or the requested compression program can't be found.

#

#save_image_format = "raw"

#dump_image_format = "raw"

#snapshot_image_format = "raw"

# When a domain is configured to be auto-dumped when libvirtd receives a

# watchdog event from qemu guest, libvirtd will save dump files in directory

# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump

#

#auto_dump_path = "/var/lib/libvirt/qemu/dump"

# When a domain is configured to be auto-dumped, enabling this flag

# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the

# virDomainCoreDump API.  That is, the system will avoid using the

# file system cache while writing the dump file, but may cause

# slower operation.

#

#auto_dump_bypass_cache = 0

# When a domain is configured to be auto-started, enabling this flag

# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag

# with the virDomainCreateWithFlags API.  That is, the system will

# avoid using the file system cache when restoring any managed state

# file, but may cause slower operation.

#

#auto_start_bypass_cache = 0

# If provided by the host and a hugetlbfs mount point is configured,

# a guest may request huge page backing.  When this mount point is

# unspecified here, determination of a host mount point in /proc/mounts

# will be attempted.  Specifying an explicit mount overrides detection

# of the same in /proc/mounts.  Setting the mount point to "" will

# disable guest hugepage backing. If desired, multiple mount points can

# be specified at once, separated by comma and enclosed in square

# brackets, for example:

#

#     hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]

#

# The size of huge page served by specific mount point is determined by

# libvirt at the daemon startup.

#

# NB, within these mount points, guests will create memory backing

# files in a location of $MOUNTPOINT/libvirt/qemu

#

#hugetlbfs_mount = "/dev/hugepages"

# Path to the setuid helper for creating tap devices.  This executable

# is used to create <source type='bridge'> interfaces when libvirtd is

# running unprivileged.  libvirt invokes the helper directly, instead

# of using "-netdev bridge", for security reasons.

#bridge_helper = "/usr/libexec/qemu-bridge-helper"

# If enabled, libvirt will have QEMU set its process name to

# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU

# process will appear as "qemu:VM_NAME" in process listings and

# other system monitoring tools. By default, QEMU does not set

# its process title, so the complete QEMU command (emulator and

# its arguments) appear in process listings.

#

#set_process_name = 1

# If max_processes is set to a positive integer, libvirt will use

# it to set the maximum number of processes that can be run by qemu

# user. This can be used to override default value set by host OS.

# The same applies to max_files which sets the limit on the maximum

# number of opened files.

#

#max_processes = 0

#max_files = 0

# If max_threads_per_process is set to a positive integer, libvirt

# will use it to set the maximum number of threads that can be

# created by a qemu process. Some VM configurations can result in

# qemu processes with tens of thousands of threads. systemd-based

# systems typically limit the number of threads per process to

# 16k. max_threads_per_process can be used to override default

# limits in the host OS.

#

#max_threads_per_process = 0

# If max_core is set to a non-zero integer, then QEMU will be

# permitted to create core dumps when it crashes, provided its

# RAM size is smaller than the limit set.

#

# Be warned that the core dump will include a full copy of the

# guest RAM, if the 'dump_guest_core' setting has been enabled,

# or if the guest XML contains

#

#   <memory dumpcore="on">...guest ram...</memory>

#

# If guest RAM is to be included, ensure the max_core limit

# is set to at least the size of the largest expected guest

# plus another 1GB for any QEMU host side memory mappings.

#

# As a special case it can be set to the string "unlimited" to

# to allow arbitrarily sized core dumps.

#

# By default the core dump size is set to 0 disabling all dumps

#

# Size is a positive integer specifying bytes or the

# string "unlimited"

#

#max_core = "unlimited"

# Determine if guest RAM is included in QEMU core dumps. By

# default guest RAM will be excluded if a new enough QEMU is

# present. Setting this to '1' will force guest RAM to always

# be included in QEMU core dumps.

#

# This setting will be ignored if the guest XML has set the

# dumpcore attribute on the <memory> element.

#

#dump_guest_core = 1

# mac_filter enables MAC addressed based filtering on bridge ports.

# This currently requires ebtables to be installed.

#

#mac_filter = 1

# By default, PCI devices below non-ACS switch are not allowed to be assigned

# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to

# be assigned to guests.

#

#relaxed_acs_check = 1

# In order to prevent accidentally starting two domains that

# share one writable disk, libvirt offers two approaches for

# locking files. The first one is sanlock, the other one,

# virtlockd, is then our own implementation. Accepted values

# are "sanlock" and "lockd".

#

#lock_manager = "lockd"

# Set limit of maximum APIs queued on one domain. All other APIs

# over this threshold will fail on acquiring job lock. Specially,

# setting to zero turns this feature off.

# Note, that job lock is per domain.

#

#max_queued = 0

###################################################################

# Keepalive protocol:

# This allows qemu driver to detect broken connections to remote

# libvirtd during peer-to-peer migration.  A keepalive message is

# sent to the daemon after keepalive_interval seconds of inactivity

# to check if the daemon is still responding; keepalive_count is a

# maximum number of keepalive messages that are allowed to be sent

# to the daemon without getting any response before the connection

# is considered broken.  In other words, the connection is

# automatically closed approximately after

# keepalive_interval * (keepalive_count + 1) seconds since the last

# message received from the daemon.  If keepalive_interval is set to

# -1, qemu driver will not send keepalive requests during

# peer-to-peer migration; however, the remote libvirtd can still

# send them and source libvirtd will send responses.  When

# keepalive_count is set to 0, connections will be automatically

# closed after keepalive_interval seconds of inactivity without

# sending any keepalive messages.

#

#keepalive_interval = 5

#keepalive_count = 5

# Use seccomp syscall filtering sandbox in QEMU.

# 1 == filter enabled, 0 == filter disabled

#

# Unless this option is disabled, QEMU will be run with

# a seccomp filter that stops it from executing certain

# syscalls.

#

#seccomp_sandbox = 1

# Override the listen address for all incoming migrations. Defaults to

# 0.0.0.0, or :: if both host and qemu are capable of IPv6.

#migration_address = "0.0.0.0"

# The default hostname or IP address which will be used by a migration

# source for transferring migration data to this host.  The migration

# source has to be able to resolve this hostname and connect to it so

# setting "localhost" will not work.  By default, the host's configured

# hostname is used.

#migration_host = "host.example.com"

# Override the port range used for incoming migrations.

#

# Minimum must be greater than 0, however when QEMU is not running as root,

# setting the minimum to be lower than 1024 will not work.

#

# Maximum must not be greater than 65535.

#

#migration_port_min = 49152

#migration_port_max = 49215

# Timestamp QEMU's log messages (if QEMU supports it)

#

# Defaults to 1.

#

#log_timestamp = 0

# Location of master nvram file

#

# This configuration option is obsolete. Libvirt will follow the

# QEMU firmware metadata specification to automatically locate

# firmware images. See docs/interop/firmware.json in the QEMU

# source tree. These metadata files are distributed alongside any

# firmware images intended for use with QEMU.

#

# NOTE: if ANY firmware metadata files are detected, this setting

# will be COMPLETELY IGNORED.

#

# ------------------------------------------

#

# When a domain is configured to use UEFI instead of standard

# BIOS it may use a separate storage for UEFI variables. If

# that's the case libvirt creates the variable store per domain

# using this master file as image. Each UEFI firmware can,

# however, have different variables store. Therefore the nvram is

# a list of strings when a single item is in form of:

#   ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.

# Later, when libvirt creates per domain variable store, this list is

# searched for the master image. The UEFI firmware can be called

# differently for different guest architectures. For instance, it's OVMF

# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default

# follows this scheme.

#nvram = [

#   "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",

#   "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",

#   "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",

#   "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"

#]

# The backend to use for handling stdout/stderr output from

# QEMU processes.

#

#  'file': QEMU writes directly to a plain file. This is the

#          historical default, but allows QEMU to inflict a

#          denial of service attack on the host by exhausting

#          filesystem space

#

#  'logd': QEMU writes to a pipe provided by virtlogd daemon.

#          This is the current default, providing protection

#          against denial of service by performing log file

#          rollover when a size limit is hit.

#

#stdio_handler = "logd"

# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the

# most verbose, and 0 representing no debugging output.

#

# The current logging levels defined in the gluster GFAPI are:

#

#    0 - None

#    1 - Emergency

#    2 - Alert

#    3 - Critical

#    4 - Error

#    5 - Warning

#    6 - Notice

#    7 - Info

#    8 - Debug

#    9 - Trace

#

# Defaults to 4

#

#gluster_debug_level = 9

# virtiofsd debug

#

# Whether to enable the debugging output of the virtiofsd daemon.

# Possible values are 0 or 1. Disabled by default.

#

#virtiofsd_debug = 1

# To enhance security, QEMU driver is capable of creating private namespaces

# for each domain started. Well, so far only "mount" namespace is supported. If

# enabled it means qemu process is unable to see all the devices on the system,

# only those configured for the domain in question. Libvirt then manages

# devices entries throughout the domain lifetime. This namespace is turned on

# by default.

#namespaces = [ "mount" ]

# This directory is used for memoryBacking source if configured as file.

# NOTE: big files will be stored here

#memory_backing_dir = "/var/lib/libvirt/qemu/ram"

# Path to the SCSI persistent reservations helper. This helper is

# used whenever <reservations/> are enabled for SCSI LUN devices.

#pr_helper = "/usr/bin/qemu-pr-helper"

# Path to the SLIRP networking helper.

#slirp_helper = "/usr/bin/slirp-helper"

# Path to the dbus-daemon

#dbus_daemon = "/usr/bin/dbus-daemon"

# User for the swtpm TPM Emulator

#

# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs

# and uses; alternative is 'root'

#

#swtpm_user = "tss"

#swtpm_group = "tss"

# For debugging and testing purposes it's sometimes useful to be able to disable

# libvirt behaviour based on the capabilities of the qemu process. This option

# allows to do so. DO _NOT_ use in production and beaware that the behaviour

# may change across versions.

#

#capability_filters = [ "capname" ]

# 'deprecation_behavior' setting controls how the qemu process behaves towards

# deprecated commands and arguments used by libvirt.

#

# This setting is meant for developers and CI efforts to make it obvious when

# libvirt relies on fields which are deprecated so that it can be fixes as soon

# as possible.

#

# Possible options are:

# "none"   - (default) qemu is supposed to accept and output deprecated fields

#            and commands

# "omit"   - qemu is instructed to omit deprecated fields on output, behaviour

#            towards fields and commands from qemu is not changed

# "reject" - qemu is instructed to report an error if a deprecated command or

#            field is used by libvirtd

# "crash"  - qemu crashes when an deprecated command or field is used by libvirtd

#

# For both "reject" and "crash" qemu is instructed to omit any deprecated fields

# on output.

#

# The "reject" option is less harsh towards the VMs but some code paths ignore

# errors reported by qemu and thus it may not be obvious that a deprecated

# command/field was used, thus it's suggested to use the "crash" option instead.

#

# In cases when qemu doesn't support configuring the behaviour this setting is

# silently ignored to allow testing older qemu versions without having to

# reconfigure libvirtd.

#

# DO NOT use in production.

#

#deprecation_behavior = "none"