2007-10-12 23:54:15 +04:00
# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
2008-12-01 18:04:28 +03:00
#
# NOTE: the tests/daemon-conf regression test script requires
# that each "PARAMETER = VALUE" line in this file have the parameter
# name just after a leading "#".
2007-10-12 23:54:15 +04:00
2007-12-05 18:34:05 +03:00
#################################################################
#
2008-02-29 15:53:10 +03:00
# Network connectivity controls
2007-12-05 18:34:05 +03:00
#
2007-10-12 23:54:15 +04:00
# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
2008-02-29 15:53:10 +03:00
# It is necessary to setup a CA and issue server certificates before
2007-10-12 23:54:15 +04:00
# using this capability.
#
# This is enabled by default, uncomment this to disable it
2007-12-05 18:34:05 +03:00
#listen_tls = 0
2007-10-12 23:54:15 +04:00
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
2007-12-05 18:34:05 +03:00
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
2007-10-12 23:54:15 +04:00
#
# This is disabled by default, uncomment this to enable it.
2007-12-05 18:34:05 +03:00
#listen_tcp = 1
2007-10-12 23:54:15 +04:00
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
2007-12-05 18:34:05 +03:00
#tls_port = "16514"
2007-10-12 23:54:15 +04:00
# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
2007-12-05 18:34:05 +03:00
#
#tcp_port = "16509"
2007-10-12 23:54:15 +04:00
2008-05-15 00:57:20 +04:00
# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
2014-05-29 13:21:25 +04:00
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
#
2008-12-01 18:04:28 +03:00
#listen_addr = "192.168.0.1"
2008-05-15 00:57:20 +04:00
2007-10-12 23:54:15 +04:00
# Flag toggling mDNS advertizement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
2012-03-27 18:20:54 +04:00
# This is disabled by default, uncomment this to enable it
#mdns_adv = 1
2007-10-12 23:54:15 +04:00
# Override the default mDNS advertizement name. This must be
# unique on the immediate broadcast network.
2007-12-05 18:34:05 +03:00
#
2007-10-12 23:54:15 +04:00
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
2014-02-05 21:04:35 +04:00
# is substituted for the short hostname of the machine (without domain)
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
#mdns_name = "Virtualization Host Joe Demo"
2007-10-12 23:54:15 +04:00
2007-12-05 18:34:05 +03:00
#################################################################
#
# UNIX socket access controls
#
2007-10-12 23:54:15 +04:00
2014-07-23 12:58:00 +04:00
# Beware that if you are changing *any* of these options, and you use
# socket activation with systemd, you need to adjust the settings in
# the libvirtd.socket file as well since it could impose a security
# risk if you rely on file permission checking only.
2007-10-12 23:54:15 +04:00
# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
2007-12-05 18:34:05 +03:00
#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"
2007-10-12 23:54:15 +04:00
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
2014-02-05 21:04:35 +04:00
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
2007-12-05 18:34:05 +03:00
#unix_sock_ro_perms = "0777"
2007-10-12 23:54:15 +04:00
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
2007-12-05 21:21:27 +03:00
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
# If not using PolicyKit and setting group ownership for access
2014-02-05 21:04:35 +04:00
# control, then you may want to relax this too.
2007-12-05 18:34:05 +03:00
#unix_sock_rw_perms = "0770"
2007-10-12 23:54:15 +04:00
2015-04-13 17:05:46 +03:00
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
2009-02-09 20:52:38 +03:00
# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"
2007-10-12 23:54:15 +04:00
2015-04-13 17:05:46 +03:00
2007-12-05 18:34:05 +03:00
#################################################################
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
# Authentication.
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
# - none: do not perform auth checks. If you can connect to the
# socket you are allowed. This is suitable if there are
# restrictions on connecting to the socket (eg, UNIX
# socket permissions), or if there is a lower layer in
# the network providing auth (eg, TLS/x509 certificates)
#
# - sasl: use SASL infrastructure. The actual auth scheme is then
# controlled from /etc/sasl2/libvirt.conf. For the TCP
# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
2014-02-05 21:04:35 +04:00
# For non-TCP or TLS sockets, any scheme is allowed.
2007-12-05 18:34:05 +03:00
#
2007-12-05 21:21:27 +03:00
# - polkit: use PolicyKit to authenticate. This is only suitable
# for use on the UNIX sockets. The default policy will
# require a user to supply their own password to gain
# full read/write access (aka sudo like), while anyone
# is allowed read/only access.
#
2007-12-05 18:34:05 +03:00
# Set an authentication scheme for UNIX read-only sockets
# By default socket permissions allow anyone to connect
#
# To restrict monitoring of domains you may wish to enable
# an authentication mechanism here
#auth_unix_ro = "none"
# Set an authentication scheme for UNIX read-write sockets
2007-12-05 21:21:27 +03:00
# By default socket permissions only allow root. If PolicyKit
# support was compiled into libvirt, the default will be to
# use 'polkit' auth.
2007-12-05 18:34:05 +03:00
#
# If the unix_sock_rw_perms are changed you may wish to enable
# an authentication mechanism here
#auth_unix_rw = "none"
# Change the authentication scheme for TCP sockets.
#
# If you don't enable SASL, then all TCP traffic is cleartext.
# Don't do this outside of a dev/test scenario. For real world
# use, always enable SASL and use the GSSAPI or DIGEST-MD5
# mechanism in /etc/sasl2/libvirt.conf
#auth_tcp = "sasl"
# Change the authentication scheme for TLS sockets.
#
# TLS sockets already have encryption provided by the TLS
# layer, and limited authentication is done by certificates
#
# It is possible to make use of any SASL authentication
# mechanism as well, by using 'sasl' for this option
#auth_tls = "none"
2013-04-17 15:01:24 +04:00
# Change the API access control scheme
#
# By default an authenticated user is allowed access
# to all APIs. Access drivers can place restrictions
# on this. By default the 'nop' driver is enabled,
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
2012-01-23 19:12:57 +04:00
#access_drivers = [ "polkit" ]
2007-10-12 23:54:15 +04:00
2007-12-05 18:34:05 +03:00
#################################################################
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
# TLS x509 certificate configuration
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
2007-10-12 23:54:15 +04:00
# Override the default server key file path
#
2007-12-05 18:34:05 +03:00
#key_file = "/etc/pki/libvirt/private/serverkey.pem"
2007-10-12 23:54:15 +04:00
# Override the default server certificate file path
#
2007-12-05 18:34:05 +03:00
#cert_file = "/etc/pki/libvirt/servercert.pem"
2007-10-12 23:54:15 +04:00
# Override the default CA certificate path
#
2007-12-05 18:34:05 +03:00
#ca_file = "/etc/pki/CA/cacert.pem"
2007-10-12 23:54:15 +04:00
# Specify a certificate revocation list.
2007-12-05 18:34:05 +03:00
#
2007-10-12 23:54:15 +04:00
# Defaults to not using a CRL, uncomment to enable it
2007-12-05 18:34:05 +03:00
#crl_file = "/etc/pki/CA/crl.pem"
#################################################################
#
# Authorization controls
#
2011-07-21 14:13:11 +04:00
# Flag to disable verification of our own server certificates
#
# When libvirtd starts it performs some sanity checks against
# its own certificates.
#
2011-07-22 18:19:32 +04:00
# Default is to always run sanity checks. Uncommenting this
# will disable sanity checks which is not a good idea
2011-07-21 14:13:11 +04:00
#tls_no_sanity_certificate = 1
2007-12-05 18:34:05 +03:00
# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
#tls_no_verify_certificate = 1
2007-10-12 23:54:15 +04:00
2014-02-05 21:04:35 +04:00
# A whitelist of allowed x509 Distinguished Names
2007-12-05 18:34:05 +03:00
# This list may contain wildcards such as
2007-10-12 23:54:15 +04:00
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
2007-12-05 18:34:05 +03:00
#tls_allowed_dn_list = ["DN1", "DN2"]
2007-10-12 23:54:15 +04:00
2007-12-05 18:34:05 +03:00
# A whitelist of allowed SASL usernames. The format for usernames
# depends on the SASL authentication mechanism. Kerberos usernames
# look like username@REALM
2007-10-12 23:54:15 +04:00
#
2007-12-05 18:34:05 +03:00
# This list may contain wildcards such as
#
# "*@EXAMPLE.COM"
#
# See the POSIX fnmatch function for the format of the wildcards.
2007-10-12 23:54:15 +04:00
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
2007-12-05 18:34:05 +03:00
# By default, no Username's are checked
#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
2007-10-12 23:54:15 +04:00
2008-12-05 01:18:44 +03:00
#################################################################
#
# Processing controls
#
# The maximum number of concurrent client connections to allow
# over all sockets combined.
2014-03-04 21:55:24 +04:00
#max_clients = 5000
2008-12-05 01:18:44 +03:00
2013-07-25 16:45:38 +04:00
# The maximum length of queue of connections waiting to be
# accepted by the daemon. Note, that some protocols supporting
# retransmission may obey this so that a later reattempt at
# connection succeeds.
#max_queued_clients = 1000
2015-02-12 07:22:40 +03:00
# The maximum length of queue of accepted but not yet
2014-03-04 21:55:24 +04:00
# authenticated clients. The default value is zero, meaning
# the feature is disabled.
#max_anonymous_clients = 20
2008-12-05 01:18:44 +03:00
# The minimum limit sets the number of workers to start up
# initially. If the number of active clients exceeds this,
2012-10-11 20:31:20 +04:00
# then more threads are spawned, up to max_workers limit.
2008-12-05 01:18:44 +03:00
# Typically you'd want max_workers to equal maximum number
# of clients allowed
#min_workers = 5
#max_workers = 20
2011-08-12 16:04:31 +04:00
# The number of priority workers. If all workers from above
2014-02-05 21:04:35 +04:00
# pool are stuck, some calls marked as high priority
2011-08-12 16:04:31 +04:00
# (notably domainDestroy) can be executed in this pool.
#prio_workers = 5
2009-01-20 22:25:15 +03:00
# Total global limit on concurrent RPC calls. Should be
# at least as large as max_workers. Beyond this, RPC requests
2014-02-05 21:04:35 +04:00
# will be read into memory and queued. This directly impacts
2009-01-20 22:25:15 +03:00
# memory usage, currently each request requires 256 KB of
2012-10-11 20:31:20 +04:00
# memory. So by default up to 5 MB of memory is used
2009-01-20 22:25:15 +03:00
#
# XXX this isn't actually enforced yet, only the per-client
# limit is used so far
#max_requests = 20
# Limit on concurrent requests from a single client
# connection. To avoid one client monopolizing the server
# this should be a small fraction of the global max_requests
# and max_workers parameter
#max_client_requests = 5
2015-04-13 17:05:46 +03:00
# Same processing controls, but this time for the admin interface.
# For description of each option, be so kind to scroll few lines
# upwards.
#admin_min_workers = 1
#admin_max_workers = 5
#admin_max_clients = 5
#admin_max_queued_clients = 5
#admin_max_client_requests = 5
2008-12-22 15:57:35 +03:00
#################################################################
#
# Logging controls
#
2011-12-02 03:08:34 +04:00
# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
2008-12-22 15:57:35 +03:00
# basically 1 will log everything possible
2014-08-12 18:10:39 +04:00
# Note: Journald may employ rate limiting of the messages logged
# and thus lock up the libvirt daemon. To use the debug level with
# journald you have to specify it explicitly in 'log_outputs', otherwise
# only information level messages will be logged.
2008-12-22 15:57:35 +03:00
#log_level = 3
# Logging filters:
# A filter allows to select a different logging level for a given category
# of logs
2012-08-17 16:12:51 +04:00
# The format for a filter is one of:
2008-12-22 15:57:35 +03:00
# x:name
2012-08-17 16:12:51 +04:00
# x:+name
# where name is a string which is matched against source file name,
# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
# tells libvirt to log stack trace for each message matching name,
# and x is the minimal level where matching messages should be logged:
2008-12-22 15:57:35 +03:00
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
2014-02-05 21:04:35 +04:00
# Multiple filters can be defined in a single @filters, they just need to be
2008-12-22 15:57:35 +03:00
# separated by spaces.
#
2012-05-25 13:32:17 +04:00
# e.g. to only get warning or errors from the remote layer and only errors
# from the event layer:
#log_filters="3:remote 4:event"
2008-12-22 15:57:35 +03:00
# Logging outputs:
2011-12-02 03:08:34 +04:00
# An output is one of the places to save logging information
2008-12-22 15:57:35 +03:00
# The format for an output can be:
# x:stderr
# output goes to stderr
# x:syslog:name
# use syslog for the output and use the given name as the ident
# x:file:file_path
# output to a file, with the given filepath
2014-08-12 18:05:36 +04:00
# x:journald
# output to journald logging system
2008-12-22 15:57:35 +03:00
# In all case the x prefix is the minimal level, acting as a filter
# 1: DEBUG
# 2: INFO
# 3: WARNING
# 4: ERROR
#
2014-02-05 21:04:35 +04:00
# Multiple outputs can be defined, they just need to be separated by spaces.
2012-05-25 13:32:17 +04:00
# e.g. to log all warnings and errors to syslog under the libvirtd ident:
#log_outputs="3:syslog:libvirtd"
#
2010-05-25 18:33:51 +04:00
2014-03-03 18:54:33 +04:00
# Log debug buffer size:
#
# This configuration option is no longer used, since the global
# log buffer functionality has been removed. Please configure
# suitable log_outputs/log_filters settings to obtain logs.
2011-03-08 13:31:20 +03:00
#log_buffer_size = 64
2010-09-15 17:44:11 +04:00
##################################################################
#
# Auditing
#
# This setting allows usage of the auditing subsystem to be altered:
#
# audit_level == 0 -> disable all auditing
# audit_level == 1 -> enable auditing, only if enabled on host (default)
# audit_level == 2 -> enable auditing, and exit if disabled on host
#
#audit_level = 2
#
# If set to 1, then audit messages will also be sent
# via libvirt logging infrastructure. Defaults to 0
#
#audit_logging = 1
###################################################################
2010-05-25 18:33:51 +04:00
# UUID of the host:
# Provide the UUID of the host here in case the command
# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
# 'dmidecode' does not provide a valid UUID and none is provided here, a
# temporary UUID will be generated.
# Keep the format of the example UUID below. UUID must not have all digits
# be the same.
# NB This default all-zeros UUID will not work. Replace
# it with the output of the 'uuidgen' command and then
# uncomment this entry
#host_uuid = "00000000-0000-0000-0000-000000000000"
2011-08-24 17:33:34 +04:00
###################################################################
# Keepalive protocol:
# This allows libvirtd to detect broken client connections or even
2014-02-05 21:04:35 +04:00
# dead clients. A keepalive message is sent to a client after
2011-08-24 17:33:34 +04:00
# keepalive_interval seconds of inactivity to check if the client is
# still responding; keepalive_count is a maximum number of keepalive
# messages that are allowed to be sent to the client without getting
# any response before the connection is considered broken. In other
# words, the connection is automatically closed approximately after
# keepalive_interval * (keepalive_count + 1) seconds since the last
# message received from the client. If keepalive_interval is set to
# -1, libvirtd will never send keepalive requests; however clients
2014-02-05 21:04:35 +04:00
# can still send them and the daemon will send responses. When
2011-08-24 17:33:34 +04:00
# keepalive_count is set to 0, connections will be automatically
# closed after keepalive_interval seconds of inactivity without
# sending any keepalive messages.
#
#keepalive_interval = 5
#keepalive_count = 5
2015-07-20 15:51:24 +03:00
2011-08-24 17:33:34 +04:00
#
2015-07-20 15:51:24 +03:00
# These configuration options are no longer used. There is no way to
# restrict such clients from connecting since they first need to
# connect in order to ask for keepalive.
2011-08-24 17:33:34 +04:00
#
#keepalive_required = 1
2015-07-20 15:51:24 +03:00
#admin_keepalive_required = 1
2015-04-13 17:05:46 +03:00
# Keepalive settings for the admin interface
#admin_keepalive_interval = 5
#admin_keepalive_count = 5