1
0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-27 07:22:07 +03:00
libvirt/qemud/libvirtd.conf
2007-10-12 19:54:15 +00:00

142 lines
4.0 KiB
Plaintext

# Master libvirt daemon configuration file
#
# For further information consult http://libvirt.org/format.html
# Flag listening for secure TLS connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# It is neccessary to setup a CA and issue server certificates before
# using this capability.
#
# This is enabled by default, uncomment this to disable it
# listen_tls = 0
# Listen for unencrypted TCP connections on the public TCP/IP port.
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
# NB, this is insecure. Do not use except for development.
#
# This is disabled by default, uncomment this to enable it.
# listen_tcp = 1
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
# tls_port = "16514"
# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
# tcp_port = "16509"
# Flag toggling mDNS advertizement of the libvirt service.
#
# Alternatively can disable for all services on a host by
# stopping the Avahi daemon
#
# This is enabled by default, uncomment this to disable it
# mdns_adv = 0
# Override the default mDNS advertizement name. This must be
# unique on the immediate broadcast network.
#
# The default is "Virtualization Host HOSTNAME", where HOSTNAME
# is subsituted for the short hostname of the machine (without domain)
#
# mdns_name "Virtualization Host Joe Demo"
# Set the UNIX domain socket group ownership. This can be used to
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
# This is restricted to 'root' by default.
# unix_sock_group "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
# Default allows any user. If setting group ownership may want to
# restrict this to:
# unix_sock_ro_perms "0777"
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
# Default allows only root. If setting group ownership may want to
# relax this to:
# unix_sock_rw_perms "octal-perms" "0770"
# Flag to disable verification of client certificates
#
# Client certificate verification is the primary authentication mechanism.
# Any client which does not present a certificate signed by the CA
# will be rejected.
#
# Default is to always verify. Uncommenting this will disable
# verification - make sure an IP whitelist is set
# tls_no_verify_certificate 1
# Flag to disable verification of client IP address
#
# Client IP address will be verified against the CommonName field
# of the x509 certificate. This has minimal security benefit since
# it is easy to spoof source IP.
#
# Uncommenting this will disable verification
# tls_no_verify_address 1
# Override the default server key file path
#
# key_file "/etc/pki/libvirt/private/serverkey.pem"
# Override the default server certificate file path
#
# cert_file "/etc/pki/libvirt/servercert.pem"
# Override the default CA certificate path
#
# ca_file "/etc/pki/CA/cacert.pem"
# Specify a certificate revocation list.
#
# Defaults to not using a CRL, uncomment to enable it
# crl_file "/etc/pki/CA/crl.pem"
# A whitelist of allowed x509 Distinguished Names
# This list may contain wildcards such as
#
# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
#
# See the POSIX fnmatch function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no DN's are checked
# tls_allowed_dn_list ["DN1", "DN2"]
# A whitelist of allowed client IP addresses
#
# This list may contain wildcards such as 192.168.* See the POSIX fnmatch
# function for the format of the wildcards.
#
# NB If this is an empty list, no client can connect, so comment out
# entirely rather than using empty list to disable these checks
#
# By default, no IP's are checked. This can be IPv4 or IPv6 addresses
# tls_allowed_ip_list ["ip1", "ip2", "ip3"]