Rev 204 | Blame | Compare with Previous | Last modification | View Log | RSS feed
# Master libvirt daemon configuration file#################################################################### Network connectivity controls## Flag listening for secure TLS connections on the public TCP/IP port.# NB, must pass the --listen flag to the virtproxyd process for this to# have any effect.## This setting is not required or honoured if using systemd socket# activation.## It is necessary to setup a CA and issue server certificates before# using this capability.## This is enabled by default, uncomment this to disable it#listen_tls = 0# Listen for unencrypted TCP connections on the public TCP/IP port.# NB, must pass the --listen flag to the virtproxyd process for this to# have any effect.## This setting is not required or honoured if using systemd socket# activation.## Using the TCP socket requires SASL authentication by default. Only# SASL mechanisms which support data encryption are allowed. This is# DIGEST_MD5 and GSSAPI (Kerberos5)## This is disabled by default, uncomment this to enable it.#listen_tcp = 1# Override the port for accepting secure TLS connections# This can be a port number, or service name## This setting is not required or honoured if using systemd socket# activation with systemd version >= 227##tls_port = "16514"# Override the port for accepting insecure TCP connections# This can be a port number, or service name## This setting is not required or honoured if using systemd socket# activation with systemd version >= 227##tcp_port = "16509"# Override the default configuration which binds to all network# interfaces. This can be a numeric IPv4/6 address, or hostname## This setting is not required or honoured if using systemd socket# activation.## If the virtproxyd service is started in parallel with network# startup (e.g. with systemd), binding to addresses other than# the wildcards (0.0.0.0/::) might not be available yet.##listen_addr = "192.168.0.1"################################################################### UNIX socket access controls## Set the UNIX domain socket group ownership. This can be used to# allow a 'trusted' set of users access to management capabilities# without becoming root.## This setting is not required or honoured if using systemd socket# activation.## This is restricted to 'root' by default.#unix_sock_group = "libvirt"# Set the UNIX socket permissions for the R/O socket. This is used# for monitoring VM status only## This setting is not required or honoured if using systemd socket# activation.## Default allows any user. If setting group ownership, you may want to# restrict this too.#unix_sock_ro_perms = "0777"# Set the UNIX socket permissions for the R/W socket. This is used# for full management of VMs## This setting is not required or honoured if using systemd socket# activation.## Default allows only root. If PolicyKit is enabled on the socket,# the default will change to allow everyone (eg, 0777)## If not using PolicyKit and setting group ownership for access# control, then you may want to relax this too.#unix_sock_rw_perms = "0770"# Set the UNIX socket permissions for the admin interface socket.## This setting is not required or honoured if using systemd socket# activation.## Default allows only owner (root), do not change it unless you are# sure to whom you are exposing the access to.#unix_sock_admin_perms = "0700"# Set the name of the directory in which sockets will be found/created.## This setting is not required or honoured if using systemd socket# activation with systemd version >= 227##unix_sock_dir = "/run/libvirt"################################################################### Authentication.## There are the following choices available:## - none: do not perform auth checks. If you can connect to the# socket you are allowed. This is suitable if there are# restrictions on connecting to the socket (eg, UNIX# socket permissions), or if there is a lower layer in# the network providing auth (eg, TLS/x509 certificates)## - sasl: use SASL infrastructure. The actual auth scheme is then# controlled from /etc/sasl2/libvirt.conf. For the TCP# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.# For non-TCP or TLS sockets, any scheme is allowed.## - polkit: use PolicyKit to authenticate. This is only suitable# for use on the UNIX sockets. The default policy will# require a user to supply their own password to gain# full read/write access (aka sudo like), while anyone# is allowed read/only access.## Set an authentication scheme for UNIX read-only sockets## By default socket permissions allow anyone to connect## If libvirt was compiled without support for 'polkit', then# no access control checks are done, but libvirt still only# allows execution of APIs which don't change state.## If libvirt was compiled with support for 'polkit', then# the libvirt socket will perform a check with polkit after# connections. The default policy still allows any local# user access.## To restrict monitoring of domains you may wish to either# enable 'sasl' here, or change the polkit policy definition.#auth_unix_ro = "polkit"# Set an authentication scheme for UNIX read-write sockets.## If libvirt was compiled without support for 'polkit', then# the systemd .socket files will use SocketMode=0600 by default# thus only allowing root user to connect, and 'auth_unix_rw'# will default to 'none'.## If libvirt was compiled with support for 'polkit', then# the systemd .socket files will use SocketMode=0666 which# allows any user to connect and 'auth_unix_rw' will default# to 'polkit'. If you disable use of 'polkit' here, then it# is essential to change the systemd SocketMode parameter# back to 0600, to avoid an insecure configuration.##auth_unix_rw = "polkit"# Change the authentication scheme for TCP sockets.## If you don't enable SASL, then all TCP traffic is cleartext.# Don't do this outside of a dev/test scenario. For real world# use, always enable SASL and use the GSSAPI or DIGEST-MD5# mechanism in /etc/sasl2/libvirt.conf#auth_tcp = "sasl"# Change the authentication scheme for TLS sockets.## TLS sockets already have encryption provided by the TLS# layer, and limited authentication is done by certificates## It is possible to make use of any SASL authentication# mechanism as well, by using 'sasl' for this option#auth_tls = "none"# Enforce a minimum SSF value for TCP sockets## The default minimum is currently 56 (single-DES) which will# be raised to 112 in the future.## This option can be used to set values higher than 112#tcp_min_ssf = 112# Change the API access control scheme## By default an authenticated user is allowed access# to all APIs. Access drivers can place restrictions# on this. By default the 'nop' driver is enabled,# meaning no access control checks are done once a# client has authenticated with virtproxyd##access_drivers = [ "polkit" ]################################################################### TLS x509 certificate configuration## Use of TLS requires that x509 certificates be issued. The default locations# for the certificate files is as follows:## /etc/pki/CA/cacert.pem - The CA master certificate# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem# /etc/pki/libvirt/private/serverkey.pem - The server private key## It is possible to override the default locations by altering the 'key_file',# 'cert_file', and 'ca_file' values and uncommenting them below.## NB, overriding the default of one location requires uncommenting and# possibly additionally overriding the other settings.## Override the default server key file path##key_file = "/etc/pki/libvirt/private/serverkey.pem"# Override the default server certificate file path##cert_file = "/etc/pki/libvirt/servercert.pem"# Override the default CA certificate path##ca_file = "/etc/pki/CA/cacert.pem"# Specify a certificate revocation list.## Defaults to not using a CRL, uncomment to enable it#crl_file = "/etc/pki/CA/crl.pem"################################################################### Authorization controls## Flag to disable verification of our own server certificates## When virtproxyd starts it performs some sanity checks against# its own certificates.## Default is to always run sanity checks. Uncommenting this# will disable sanity checks which is not a good idea#tls_no_sanity_certificate = 1# Flag to disable verification of client certificates## Client certificate verification is the primary authentication mechanism.# Any client which does not present a certificate signed by the CA# will be rejected.## Default is to always verify. Uncommenting this will disable# verification.#tls_no_verify_certificate = 1# An access control list of allowed x509 Distinguished Names# This list may contain wildcards such as## "C=GB,ST=London,L=London,O=Red Hat,CN=*"## Any * matches any number of consecutive spaces, like a simplified glob(7).## The format of the DN for a particular certificate can be queried# using:## virt-pki-query-dn clientcert.pem## NB If this is an empty list, no client can connect, so comment out# entirely rather than using empty list to disable these checks## By default, no DN's are checked#tls_allowed_dn_list = ["DN1", "DN2"]# Override the compile time default TLS priority string. The# default is usually "NORMAL" unless overridden at build time.# Only set this is it is desired for libvirt to deviate from# the global default settings.##tls_priority="NORMAL"# An access control list of allowed SASL usernames. The format for username# depends on the SASL authentication mechanism. Kerberos usernames# look like username@REALM## This list may contain wildcards such as## "*@EXAMPLE.COM"## See the g_pattern_match function for the format of the wildcards.## https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html## NB If this is an empty list, no client can connect, so comment out# entirely rather than using empty list to disable these checks## By default, no Username's are checked#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]################################################################### Processing controls## The maximum number of concurrent client connections to allow# over all sockets combined.#max_clients = 5000# The maximum length of queue of connections waiting to be# accepted by the daemon. Note, that some protocols supporting# retransmission may obey this so that a later reattempt at# connection succeeds.#max_queued_clients = 1000# The maximum length of queue of accepted but not yet# authenticated clients. The default value is 20. Set this to# zero to turn this feature off.#max_anonymous_clients = 20# The minimum limit sets the number of workers to start up# initially. If the number of active clients exceeds this,# then more threads are spawned, up to max_workers limit.# Typically you'd want max_workers to equal maximum number# of clients allowed#min_workers = 5#max_workers = 20# The number of priority workers. If all workers from above# pool are stuck, some calls marked as high priority# (notably domainDestroy) can be executed in this pool.#prio_workers = 5# Limit on concurrent requests from a single client# connection. To avoid one client monopolizing the server# this should be a small fraction of the global max_workers# parameter.#max_client_requests = 5# Same processing controls, but this time for the admin interface.# For description of each option, be so kind to scroll few lines# upwards.#admin_min_workers = 1#admin_max_workers = 5#admin_max_clients = 5#admin_max_queued_clients = 5#admin_max_client_requests = 5################################################################### Logging controls## Logging level: 4 errors, 3 warnings, 2 information, 1 debug# basically 1 will log everything possible## WARNING: USE OF THIS IS STRONGLY DISCOURAGED.## WARNING: It outputs too much information to practically read.# WARNING: The "log_filters" setting is recommended instead.## WARNING: Journald applies rate limiting of messages and so libvirt# WARNING: will limit "log_level" to only allow values 3 or 4 if# WARNING: journald is the current output.## WARNING: USE OF THIS IS STRONGLY DISCOURAGED.#log_level = 3# Logging filters:# A filter allows to select a different logging level for a given category# of logs. The format for a filter is:## level:match## where 'match' is a string which is matched against the category# given in the VIR_LOG_INIT() at the top of each libvirt source# file, e.g., "remote", "qemu", or "util.json". The 'match' in the# filter matches using shell wildcard syntax (see 'man glob(7)').# The 'match' is always treated as a substring match. IOW a match# string 'foo' is equivalent to '*foo*'.## 'level' is the minimal level where matching messages should# be logged:## 1: DEBUG# 2: INFO# 3: WARNING# 4: ERROR## Multiple filters can be defined in a single @log_filters, they just need# to be separated by spaces. Note that libvirt performs "first" match, i.e.# if there are concurrent filters, the first one that matches will be applied,# given the order in @log_filters.## A typical need is to capture information from a hypervisor driver,# public API entrypoints and some of the utility code. Some utility# code is very verbose and is generally not desired. Taking the QEMU# hypervisor as an example, a suitable filter string for debugging# might be to turn off object, json & event logging, but enable the# rest of the util code:##log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"# Logging outputs:# An output is one of the places to save logging information# The format for an output can be:# level:stderr# output goes to stderr# level:syslog:name# use syslog for the output and use the given name as the ident# level:file:file_path# output to a file, with the given filepath# level:journald# output to journald logging system# In all cases 'level' is the minimal priority, acting as a filter# 1: DEBUG# 2: INFO# 3: WARNING# 4: ERROR## Multiple outputs can be defined, they just need to be separated by spaces.# e.g. to log all warnings and errors to syslog under the virtproxyd ident:#log_outputs="3:syslog:virtproxyd"#################################################################### Auditing## This setting allows usage of the auditing subsystem to be altered:## audit_level == 0 -> disable all auditing# audit_level == 1 -> enable auditing, only if enabled on host (default)# audit_level == 2 -> enable auditing, and exit if disabled on host##audit_level = 2## If set to 1, then audit messages will also be sent# via libvirt logging infrastructure. Defaults to 0##audit_logging = 1#################################################################### UUID of the host:# Host UUID is read from one of the sources specified in host_uuid_source.## - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'# - 'machine-id': fetch the UUID from /etc/machine-id## The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide# a valid UUID a temporary UUID will be generated.## Another option is to specify host UUID in host_uuid.## Keep the format of the example UUID below. UUID must not have all digits# be the same.# NB This default all-zeros UUID will not work. Replace# it with the output of the 'uuidgen' command and then# uncomment this entry#host_uuid = "00000000-0000-0000-0000-000000000000"#host_uuid_source = "smbios"#################################################################### Keepalive protocol:# This allows virtproxyd to detect broken client connections or even# dead clients. A keepalive message is sent to a client after# keepalive_interval seconds of inactivity to check if the client is# still responding; keepalive_count is a maximum number of keepalive# messages that are allowed to be sent to the client without getting# any response before the connection is considered broken. In other# words, the connection is automatically closed approximately after# keepalive_interval * (keepalive_count + 1) seconds since the last# message received from the client. If keepalive_interval is set to# -1, virtproxyd will never send keepalive requests; however clients# can still send them and the daemon will send responses. When# keepalive_count is set to 0, connections will be automatically# closed after keepalive_interval seconds of inactivity without# sending any keepalive messages.##keepalive_interval = 5#keepalive_count = 5## These configuration options are no longer used. There is no way to# restrict such clients from connecting since they first need to# connect in order to ask for keepalive.##keepalive_required = 1#admin_keepalive_required = 1# Keepalive settings for the admin interface#admin_keepalive_interval = 5#admin_keepalive_count = 5#################################################################### Open vSwitch:# This allows to specify a timeout for openvswitch calls made by# libvirt. The ovs-vsctl utility is used for the configuration and# its timeout option is set by default to 5 seconds to avoid# potential infinite waits blocking libvirt.##ovs_timeout = 5