Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / d849ec78de728ef9a2d383b92ccfeabf40f8f1d0 / . / import-layers / meta-virtualization / recipes-extended / libvirt / libvirt / libvirtd.conf
blob: c0462b47b473a9c91dd6d9fa36928080a0938dd8 [file] [log] [blame]
Patrick Williamsd849ec72016-08-17 14:59:38 -0500[diff] [blame^]1# Master libvirt daemon configuration file
2#
3# For further information consult http://libvirt.org/format.html
4#
5# NOTE: the tests/daemon-conf regression test script requires
6# that each "PARAMETER = VALUE" line in this file have the parameter
7# name just after a leading "#".
8
9#################################################################
10#
11# Network connectivity controls
12#
13
14# Flag listening for secure TLS connections on the public TCP/IP port.
15# NB, must pass the --listen flag to the libvirtd process for this to
16# have any effect.
17#
18# It is necessary to setup a CA and issue server certificates before
19# using this capability.
20#
21# This is enabled by default, uncomment this to disable it
22listen_tls = 0
23
24# Listen for unencrypted TCP connections on the public TCP/IP port.
25# NB, must pass the --listen flag to the libvirtd process for this to
26# have any effect.
27#
28# Using the TCP socket requires SASL authentication by default. Only
29# SASL mechanisms which support data encryption are allowed. This is
30# DIGEST_MD5 and GSSAPI (Kerberos5)
31#
32# This is disabled by default, uncomment this to enable it.
33listen_tcp = 1
34
35
36
37# Override the port for accepting secure TLS connections
38# This can be a port number, or service name
39#
40#tls_port = "16514"
41
42# Override the port for accepting insecure TCP connections
43# This can be a port number, or service name
44#
45#tcp_port = "16509"
46
47
48# Override the default configuration which binds to all network
49# interfaces. This can be a numeric IPv4/6 address, or hostname
50#
51#listen_addr = "192.168.0.1"
52
53
54# Flag toggling mDNS advertizement of the libvirt service.
55#
56# Alternatively can disable for all services on a host by
57# stopping the Avahi daemon
58#
59# This is enabled by default, uncomment this to disable it
60#mdns_adv = 0
61
62# Override the default mDNS advertizement name. This must be
63# unique on the immediate broadcast network.
64#
65# The default is "Virtualization Host HOSTNAME", where HOSTNAME
66# is subsituted for the short hostname of the machine (without domain)
67#
68#mdns_name = "Virtualization Host Joe Demo"
69
70
71#################################################################
72#
73# UNIX socket access controls
74#
75
76# Set the UNIX domain socket group ownership. This can be used to
77# allow a 'trusted' set of users access to management capabilities
78# without becoming root.
79#
80# This is restricted to 'root' by default.
81#unix_sock_group = "libvirt"
82
83# Set the UNIX socket permissions for the R/O socket. This is used
84# for monitoring VM status only
85#
86# Default allows any user. If setting group ownership may want to
87# restrict this to:
88#unix_sock_ro_perms = "0777"
89
90# Set the UNIX socket permissions for the R/W socket. This is used
91# for full management of VMs
92#
93# Default allows only root. If PolicyKit is enabled on the socket,
94# the default will change to allow everyone (eg, 0777)
95#
96# If not using PolicyKit and setting group ownership for access
97# control then you may want to relax this to:
98#unix_sock_rw_perms = "0770"
99
100# Set the name of the directory in which sockets will be found/created.
101#unix_sock_dir = "/var/run/libvirt"
102
103#################################################################
104#
105# Authentication.
106#
107# - none: do not perform auth checks. If you can connect to the
108# socket you are allowed. This is suitable if there are
109# restrictions on connecting to the socket (eg, UNIX
110# socket permissions), or if there is a lower layer in
111# the network providing auth (eg, TLS/x509 certificates)
112#
113# - sasl: use SASL infrastructure. The actual auth scheme is then
114# controlled from /etc/sasl2/libvirt.conf. For the TCP
115# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
116# For non-TCP or TLS sockets, any scheme is allowed.
117#
118# - polkit: use PolicyKit to authenticate. This is only suitable
119# for use on the UNIX sockets. The default policy will
120# require a user to supply their own password to gain
121# full read/write access (aka sudo like), while anyone
122# is allowed read/only access.
123#
124# Set an authentication scheme for UNIX read-only sockets
125# By default socket permissions allow anyone to connect
126#
127# To restrict monitoring of domains you may wish to enable
128# an authentication mechanism here
129#auth_unix_ro = "none"
130
131# Set an authentication scheme for UNIX read-write sockets
132# By default socket permissions only allow root. If PolicyKit
133# support was compiled into libvirt, the default will be to
134# use 'polkit' auth.
135#
136# If the unix_sock_rw_perms are changed you may wish to enable
137# an authentication mechanism here
138#auth_unix_rw = "none"
139
140# Change the authentication scheme for TCP sockets.
141#
142# If you don't enable SASL, then all TCP traffic is cleartext.
143# Don't do this outside of a dev/test scenario. For real world
144# use, always enable SASL and use the GSSAPI or DIGEST-MD5
145# mechanism in /etc/sasl2/libvirt.conf
146#auth_tcp = "sasl"
147
148# Change the authentication scheme for TLS sockets.
149#
150# TLS sockets already have encryption provided by the TLS
151# layer, and limited authentication is done by certificates
152#
153# It is possible to make use of any SASL authentication
154# mechanism as well, by using 'sasl' for this option
155#auth_tls = "none"
156
157
158
159#################################################################
160#
161# TLS x509 certificate configuration
162#
163
164
165# Override the default server key file path
166#
167#key_file = "/etc/pki/libvirt/private/serverkey.pem"
168
169# Override the default server certificate file path
170#
171#cert_file = "/etc/pki/libvirt/servercert.pem"
172
173# Override the default CA certificate path
174#
175#ca_file = "/etc/pki/CA/cacert.pem"
176
177# Specify a certificate revocation list.
178#
179# Defaults to not using a CRL, uncomment to enable it
180#crl_file = "/etc/pki/CA/crl.pem"
181
182
183
184#################################################################
185#
186# Authorization controls
187#
188
189
190# Flag to disable verification of our own server certificates
191#
192# When libvirtd starts it performs some sanity checks against
193# its own certificates.
194#
195# Default is to always run sanity checks. Uncommenting this
196# will disable sanity checks which is not a good idea
197#tls_no_sanity_certificate = 1
198
199# Flag to disable verification of client certificates
200#
201# Client certificate verification is the primary authentication mechanism.
202# Any client which does not present a certificate signed by the CA
203# will be rejected.
204#
205# Default is to always verify. Uncommenting this will disable
206# verification - make sure an IP whitelist is set
207#tls_no_verify_certificate = 1
208
209
210# A whitelist of allowed x509 Distinguished Names
211# This list may contain wildcards such as
212#
213# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
214#
215# See the POSIX fnmatch function for the format of the wildcards.
216#
217# NB If this is an empty list, no client can connect, so comment out
218# entirely rather than using empty list to disable these checks
219#
220# By default, no DN's are checked
221#tls_allowed_dn_list = ["DN1", "DN2"]
222
223
224# A whitelist of allowed SASL usernames. The format for usernames
225# depends on the SASL authentication mechanism. Kerberos usernames
226# look like username@REALM
227#
228# This list may contain wildcards such as
229#
230# "*@EXAMPLE.COM"
231#
232# See the POSIX fnmatch function for the format of the wildcards.
233#
234# NB If this is an empty list, no client can connect, so comment out
235# entirely rather than using empty list to disable these checks
236#
237# By default, no Username's are checked
238#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
239
240
241
242#################################################################
243#
244# Processing controls
245#
246
247# The maximum number of concurrent client connections to allow
248# over all sockets combined.
249#max_clients = 20
250
251
252# The minimum limit sets the number of workers to start up
253# initially. If the number of active clients exceeds this,
254# then more threads are spawned, upto max_workers limit.
255# Typically you'd want max_workers to equal maximum number
256# of clients allowed
257#min_workers = 5
258#max_workers = 20
259
260
261# The number of priority workers. If all workers from above
262# pool will stuck, some calls marked as high priority
263# (notably domainDestroy) can be executed in this pool.
264#prio_workers = 5
265
266# Total global limit on concurrent RPC calls. Should be
267# at least as large as max_workers. Beyond this, RPC requests
268# will be read into memory and queued. This directly impact
269# memory usage, currently each request requires 256 KB of
270# memory. So by default upto 5 MB of memory is used
271#
272# XXX this isn't actually enforced yet, only the per-client
273# limit is used so far
274#max_requests = 20
275
276# Limit on concurrent requests from a single client
277# connection. To avoid one client monopolizing the server
278# this should be a small fraction of the global max_requests
279# and max_workers parameter
280#max_client_requests = 5
281
282#################################################################
283#
284# Logging controls
285#
286
287# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
288# basically 1 will log everything possible
289#log_level = 3
290
291# Logging filters:
292# A filter allows to select a different logging level for a given category
293# of logs
294# The format for a filter is:
295# x:name
296# where name is a match string e.g. remote or qemu
297# the x prefix is the minimal level where matching messages should be logged
298# 1: DEBUG
299# 2: INFO
300# 3: WARNING
301# 4: ERROR
302#
303# Multiple filter can be defined in a single @filters, they just need to be
304# separated by spaces.
305#
306# e.g:
307# log_filters="3:remote 4:event"
308# to only get warning or errors from the remote layer and only errors from
309# the event layer.
310
311# Logging outputs:
312# An output is one of the places to save logging information
313# The format for an output can be:
314# x:stderr
315# output goes to stderr
316# x:syslog:name
317# use syslog for the output and use the given name as the ident
318# x:file:file_path
319# output to a file, with the given filepath
320# In all case the x prefix is the minimal level, acting as a filter
321# 1: DEBUG
322# 2: INFO
323# 3: WARNING
324# 4: ERROR
325#
326# Multiple output can be defined, they just need to be separated by spaces.
327# e.g.:
328# log_outputs="3:syslog:libvirtd"
329# to log all warnings and errors to syslog under the libvirtd ident
330
331# Log debug buffer size: default 64
332# The daemon keeps an internal debug log buffer which will be dumped in case
333# of crash or upon receiving a SIGUSR2 signal. This setting allows to override
334# the default buffer size in kilobytes.
335# If value is 0 or less the debug log buffer is deactivated
336#log_buffer_size = 64
337
338
339##################################################################
340#
341# Auditing
342#
343# This setting allows usage of the auditing subsystem to be altered:
344#
345# audit_level == 0 -> disable all auditing
346# audit_level == 1 -> enable auditing, only if enabled on host (default)
347# audit_level == 2 -> enable auditing, and exit if disabled on host
348#
349#audit_level = 2
350#
351# If set to 1, then audit messages will also be sent
352# via libvirt logging infrastructure. Defaults to 0
353#
354#audit_logging = 1
355
356###################################################################
357# UUID of the host:
358# Provide the UUID of the host here in case the command
359# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
360# 'dmidecode' does not provide a valid UUID and none is provided here, a
361# temporary UUID will be generated.
362# Keep the format of the example UUID below. UUID must not have all digits
363# be the same.
364
365# NB This default all-zeros UUID will not work. Replace
366# it with the output of the 'uuidgen' command and then
367# uncomment this entry
368#host_uuid = "00000000-0000-0000-0000-000000000000"
369
370###################################################################
371# Keepalive protocol:
372# This allows libvirtd to detect broken client connections or even
373# dead client. A keepalive message is sent to a client after
374# keepalive_interval seconds of inactivity to check if the client is
375# still responding; keepalive_count is a maximum number of keepalive
376# messages that are allowed to be sent to the client without getting
377# any response before the connection is considered broken. In other
378# words, the connection is automatically closed approximately after
379# keepalive_interval * (keepalive_count + 1) seconds since the last
380# message received from the client. If keepalive_interval is set to
381# -1, libvirtd will never send keepalive requests; however clients
382# can still send them and the deamon will send responses. When
383# keepalive_count is set to 0, connections will be automatically
384# closed after keepalive_interval seconds of inactivity without
385# sending any keepalive messages.
386#
387#keepalive_interval = 5
388#keepalive_count = 5
389#
390# If set to 1, libvirtd will refuse to talk to clients that do not
391# support keepalive protocol. Defaults to 0.
392#
393#keepalive_required = 1