nova/files/pike/libvirtd.conf.Debian - salt-formulas/nova - Gitiles

 {%- from "nova/map.jinja" import compute with context %}
 # Master libvirt daemon configuration file
 #
 # For further information consult http://libvirt.org/format.html
 #
 # NOTE: the tests/daemon-conf regression test script requires
 # that each "PARAMETER = VALUE" line in this file have the parameter
 # name just after a leading "#".

 #################################################################
 #
 # Network connectivity controls
 #

 # Flag listening for secure TLS connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
 # have any effect.
 #
 # It is necessary to setup a CA and issue server certificates before
 # using this capability.
 #

 {%- if compute.libvirt.tls.get('enabled', False) %}
 {%- set listen_tls = 1 %}
 {%- set listen_tcp = 0 %}
 {%- set key_file = compute.libvirt.tls.key_file %}
 {%- set cert_file = compute.libvirt.tls.cert_file %}
 {%- set ca_file = compute.libvirt.tls.ca_file %}
 {%- set unix_sock_ro_perms = "0777" %}
 {%- set unix_sock_rw_perms = "0770" %}
 {%- if compute.libvirt.tls.allowed_dn_list is defined %}
   {% set tls_allowed_dn_list = [] %}
   {%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
     {%- if item.enabled %}
       {%- do tls_allowed_dn_list.append(item.value) %}
     {%- endif %}
   {%- endfor %}
 {%- endif %}
 {%- else %}
 {%- set listen_tls = 0 %}
 {%- set listen_tcp = 1 %}
 {%- set unix_sock_ro_perms = "0777" %}
 {%- set unix_sock_rw_perms = "0770" %}
 {%- endif %}

 # This is enabled by default, uncomment this to disable it
 listen_tls = {{ listen_tls }}

 # Listen for unencrypted TCP connections on the public TCP/IP port.
 # NB, must pass the --listen flag to the libvirtd process for this to
 # have any effect.
 #
 # Using the TCP socket requires SASL authentication by default. Only
 # SASL mechanisms which support data encryption are allowed. This is
 # DIGEST_MD5 and GSSAPI (Kerberos5)
 #
 # This is disabled by default, uncomment this to enable it.
 #listen_tcp = 1


 listen_tcp = {{ listen_tcp }}

 # Override the port for accepting secure TLS connections
 # This can be a port number, or service name
 #
 #tls_port = "16514"

 # Override the port for accepting insecure TCP connections
 # This can be a port number, or service name
 #
 #tcp_port = "16509"


 # Override the default configuration which binds to all network
 # interfaces. This can be a numeric IPv4/6 address, or hostname
 #
 #listen_addr = "192.168.0.1"


 # Flag toggling mDNS advertizement of the libvirt service.
 #
 # Alternatively can disable for all services on a host by
 # stopping the Avahi daemon
 #
 # This is disabled by default, uncomment this to enable it
 #mdns_adv = 1

 # Override the default mDNS advertizement name. This must be
 # unique on the immediate broadcast network.
 #
 # The default is "Virtualization Host HOSTNAME", where HOSTNAME
 # is subsituted for the short hostname of the machine (without domain)
 #
 #mdns_name = "Virtualization Host Joe Demo"


 #################################################################
 #
 # UNIX socket access controls
 #

 # Set the UNIX domain socket group ownership. This can be used to
 # allow a 'trusted' set of users access to management capabilities
 # without becoming root.
 #
 # This is restricted to 'root' by default.
 unix_sock_group = {{ compute.get('libvirt_service_group', 'libvirtd')|yaml_dquote }}

 # Set the UNIX socket permissions for the R/O socket. This is used
 # for monitoring VM status only
 #
 # Default allows any user. If setting group ownership may want to
 # restrict this to:
 #unix_sock_ro_perms = "0777"
 unix_sock_ro_perms = {{ unix_sock_ro_perms|yaml_dquote }}

 # Set the UNIX socket permissions for the R/W socket. This is used
 # for full management of VMs
 #
 # Default allows only root. If PolicyKit is enabled on the socket,
 # the default will change to allow everyone (eg, 0777)
 #
 # If not using PolicyKit and setting group ownership for access
 # control then you may want to relax this to:
 unix_sock_rw_perms = {{ unix_sock_rw_perms|yaml_dquote }}

 # Set the name of the directory in which sockets will be found/created.
 #unix_sock_dir = "/var/run/libvirt"

 #################################################################
 #
 # Authentication.
 #
 #  - none: do not perform auth checks. If you can connect to the
 #          socket you are allowed. This is suitable if there are
 #          restrictions on connecting to the socket (eg, UNIX
 #          socket permissions), or if there is a lower layer in
 #          the network providing auth (eg, TLS/x509 certificates)
 #
 #  - sasl: use SASL infrastructure. The actual auth scheme is then
 #          controlled from /etc/sasl2/libvirt.conf. For the TCP
 #          socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
 #          For non-TCP or TLS sockets,  any scheme is allowed.
 #
 #  - polkit: use PolicyKit to authenticate. This is only suitable
 #            for use on the UNIX sockets. The default policy will
 #            require a user to supply their own password to gain
 #            full read/write access (aka sudo like), while anyone
 #            is allowed read/only access.
 #
 # Set an authentication scheme for UNIX read-only sockets
 # By default socket permissions allow anyone to connect
 #
 # To restrict monitoring of domains you may wish to enable
 # an authentication mechanism here
 auth_unix_ro = "none"

 # Set an authentication scheme for UNIX read-write sockets
 # By default socket permissions only allow root. If PolicyKit
 # support was compiled into libvirt, the default will be to
 # use 'polkit' auth.
 #
 # If the unix_sock_rw_perms are changed you may wish to enable
 # an authentication mechanism here
 auth_unix_rw = "none"

 # Change the authentication scheme for TCP sockets.
 #
 # If you don't enable SASL, then all TCP traffic is cleartext.
 # Don't do this outside of a dev/test scenario. For real world
 # use, always enable SASL and use the GSSAPI or DIGEST-MD5
 # mechanism in /etc/sasl2/libvirt.conf
 #auth_tcp = "sasl"
 #auth_tcp = "none"
 auth_tcp = {{ compute.libvirt.auth_tcp|yaml_dquote }}

 # Change the authentication scheme for TLS sockets.
 #
 # TLS sockets already have encryption provided by the TLS
 # layer, and limited authentication is done by certificates
 #
 # It is possible to make use of any SASL authentication
 # mechanism as well, by using 'sasl' for this option
 #auth_tls = "none"


 #################################################################
 #
 # TLS x509 certificate configuration
 #


 # Override the default server key file path
 #
 #key_file = "/etc/pki/libvirt/private/serverkey.pem"
 {%- if key_file is defined %}
 key_file = {{ key_file|yaml_squote }}
 {%- endif %}

 # Override the default server certificate file path
 #
 #cert_file = "/etc/pki/libvirt/servercert.pem"
 {%- if cert_file is defined %}
 cert_file = {{ cert_file|yaml_squote }}
 {%- endif %}

 # Override the default CA certificate path
 #
 #ca_file = "/etc/pki/CA/cacert.pem"
 {%- if ca_file is defined %}
 ca_file = {{ ca_file|yaml_squote }}
 {%- endif %}

 # Specify a certificate revocation list.
 #
 # Defaults to not using a CRL, uncomment to enable it
 #crl_file = "/etc/pki/CA/crl.pem"


 #################################################################
 #
 # Authorization controls
 #


 # Flag to disable verification of our own server certificates
 #
 # When libvirtd starts it performs some sanity checks against
 # its own certificates.
 #
 # Default is to always run sanity checks. Uncommenting this
 # will disable sanity checks which is not a good idea
 #tls_no_sanity_certificate = 1

 # Flag to disable verification of client certificates
 #
 # Client certificate verification is the primary authentication mechanism.
 # Any client which does not present a certificate signed by the CA
 # will be rejected.
 #
 # Default is to always verify. Uncommenting this will disable
 # verification - make sure an IP whitelist is set
 #tls_no_verify_certificate = 1


 # A whitelist of allowed x509  Distinguished Names
 # This list may contain wildcards such as
 #
 #    "C=GB,ST=London,L=London,O=Red Hat,CN=*"
 #
 # See the POSIX fnmatch function for the format of the wildcards.
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
 #
 # By default, no DN's are checked
 #tls_allowed_dn_list = ["DN1", "DN2"]

 {%- if tls_allowed_dn_list is defined %}
 tls_allowed_dn_list = {{ tls_allowed_dn_list }}
 {%- endif %}

 # A whitelist of allowed SASL usernames. The format for usernames
 # depends on the SASL authentication mechanism. Kerberos usernames
 # look like username@REALM
 #
 # This list may contain wildcards such as
 #
 #    "*@EXAMPLE.COM"
 #
 # See the POSIX fnmatch function for the format of the wildcards.
 #
 # NB If this is an empty list, no client can connect, so comment out
 # entirely rather than using empty list to disable these checks
 #
 # By default, no Username's are checked
 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]


 #################################################################
 #
 # Processing controls
 #

 # The maximum number of concurrent client connections to allow
 # over all sockets combined.
 #max_clients = 20


 # The minimum limit sets the number of workers to start up
 # initially. If the number of active clients exceeds this,
 # then more threads are spawned, upto max_workers limit.
 # Typically you'd want max_workers to equal maximum number
 # of clients allowed
 #min_workers = 5
 #max_workers = 20


 # The number of priority workers. If all workers from above
 # pool will stuck, some calls marked as high priority
 # (notably domainDestroy) can be executed in this pool.
 #prio_workers = 5

 # Total global limit on concurrent RPC calls. Should be
 # at least as large as max_workers. Beyond this, RPC requests
 # will be read into memory and queued. This directly impact
 # memory usage, currently each request requires 256 KB of
 # memory. So by default upto 5 MB of memory is used
 #
 # XXX this isn't actually enforced yet, only the per-client
 # limit is used so far
 #max_requests = 20

 # Limit on concurrent requests from a single client
 # connection. To avoid one client monopolizing the server
 # this should be a small fraction of the global max_requests
 # and max_workers parameter
 #max_client_requests = 5

 #################################################################
 #
 # Logging controls
 #

 # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
 # basically 1 will log everything possible
 #log_level = 3
 {%- if compute.libvirt.get('logging',{}).level is defined %}
 log_level = {{ compute.libvirt.logging.level }}
 {%- endif %}
 # Logging filters:
 # A filter allows to select a different logging level for a given category
 # of logs
 # The format for a filter is one of:
 #    x:name
 #    x:+name
 #      where name is a string which is matched against source file name,
 #      e.g., "remote", "qemu", or "util/json", the optional "+" prefix
 #      tells libvirt to log stack trace for each message matching name,
 #      and x is the minimal level where matching messages should be logged:
 #    1: DEBUG
 #    2: INFO
 #    3: WARNING
 #    4: ERROR
 #
 # Multiple filter can be defined in a single @filters, they just need to be
 # separated by spaces.
 #
 # e.g. to only get warning or errors from the remote layer and only errors
 # from the event layer:
 #log_filters="3:remote 4:event"
 {%- if compute.libvirt.get('logging',{}).filters is defined %}
 log_filters={{ compute.libvirt.logging.filters|yaml_dquote }}
 {%- endif %}

 # Logging outputs:
 # An output is one of the places to save logging information
 # The format for an output can be:
 #    x:stderr
 #      output goes to stderr
 #    x:syslog:name
 #      use syslog for the output and use the given name as the ident
 #    x:file:file_path
 #      output to a file, with the given filepath
 # In all case the x prefix is the minimal level, acting as a filter
 #    1: DEBUG
 #    2: INFO
 #    3: WARNING
 #    4: ERROR
 #
 # Multiple output can be defined, they just need to be separated by spaces.
 # e.g. to log all warnings and errors to syslog under the libvirtd ident:
 #log_outputs="3:syslog:libvirtd"
 #
 {%- if compute.libvirt.get('logging',{}).outputs is defined %}
 log_outputs={{ compute.libvirt.logging.outputs|yaml_dquote }}
 {%- endif %}

 # Log debug buffer size: default 64
 # The daemon keeps an internal debug log buffer which will be dumped in case
 # of crash or upon receiving a SIGUSR2 signal. This setting allows to override
 # the default buffer size in kilobytes.
 # If value is 0 or less the debug log buffer is deactivated
 #log_buffer_size = 64
 {%- if compute.libvirt.get('logging',{}).buffer_size is defined %}
 log_buffer_size = {{ compute.libvirt.logging.buffer_size }}
 {%- endif %}

 ##################################################################
 #
 # Auditing
 #
 # This setting allows usage of the auditing subsystem to be altered:
 #
 #   audit_level == 0  -> disable all auditing
 #   audit_level == 1  -> enable auditing, only if enabled on host (default)
 #   audit_level == 2  -> enable auditing, and exit if disabled on host
 #
 #audit_level = 2
 #
 # If set to 1, then audit messages will also be sent
 # via libvirt logging infrastructure. Defaults to 0
 #
 #audit_logging = 1

 ###################################################################
 # UUID of the host:
 # Provide the UUID of the host here in case the command
 # 'dmidecode -s system-uuid' does not provide a valid uuid. In case
 # 'dmidecode' does not provide a valid UUID and none is provided here, a
 # temporary UUID will be generated.
 # Keep the format of the example UUID below. UUID must not have all digits
 # be the same.

 # NB This default all-zeros UUID will not work. Replace
 # it with the output of the 'uuidgen' command and then
 # uncomment this entry
 #host_uuid = "00000000-0000-0000-0000-000000000000"

 ###################################################################
 # Keepalive protocol:
 # This allows libvirtd to detect broken client connections or even
 # dead client.  A keepalive message is sent to a client after
 # keepalive_interval seconds of inactivity to check if the client is
 # still responding; keepalive_count is a maximum number of keepalive
 # messages that are allowed to be sent to the client without getting
 # any response before the connection is considered broken.  In other
 # words, the connection is automatically closed approximately after
 # keepalive_interval * (keepalive_count + 1) seconds since the last
 # message received from the client.  If keepalive_interval is set to
 # -1, libvirtd will never send keepalive requests; however clients
 # can still send them and the deamon will send responses.  When
 # keepalive_count is set to 0, connections will be automatically
 # closed after keepalive_interval seconds of inactivity without
 # sending any keepalive messages.
 #
 #keepalive_interval = 5
 #keepalive_count = 5
 #
 # If set to 1, libvirtd will refuse to talk to clients that do not
 # support keepalive protocol.  Defaults to 0.
 #
 #keepalive_required = 1
	{%- from "nova/map.jinja" import compute with context %}
	# Master libvirt daemon configuration file
	#
	# For further information consult http://libvirt.org/format.html
	#
	# NOTE: the tests/daemon-conf regression test script requires
	# that each "PARAMETER = VALUE" line in this file have the parameter
	# name just after a leading "#".

	#################################################################
	#
	# Network connectivity controls
	#

	# Flag listening for secure TLS connections on the public TCP/IP port.
	# NB, must pass the --listen flag to the libvirtd process for this to
	# have any effect.
	#
	# It is necessary to setup a CA and issue server certificates before
	# using this capability.
	#

	{%- if compute.libvirt.tls.get('enabled', False) %}
	{%- set listen_tls = 1 %}
	{%- set listen_tcp = 0 %}
	{%- set key_file = compute.libvirt.tls.key_file %}
	{%- set cert_file = compute.libvirt.tls.cert_file %}
	{%- set ca_file = compute.libvirt.tls.ca_file %}
	{%- set unix_sock_ro_perms = "0777" %}
	{%- set unix_sock_rw_perms = "0770" %}
	{%- if compute.libvirt.tls.allowed_dn_list is defined %}
	{% set tls_allowed_dn_list = [] %}
	{%- for _,item in compute.libvirt.tls.allowed_dn_list.iteritems() %}
	{%- if item.enabled %}
	{%- do tls_allowed_dn_list.append(item.value) %}
	{%- endif %}
	{%- endfor %}
	{%- endif %}
	{%- else %}
	{%- set listen_tls = 0 %}
	{%- set listen_tcp = 1 %}
	{%- set unix_sock_ro_perms = "0777" %}
	{%- set unix_sock_rw_perms = "0770" %}
	{%- endif %}

	# This is enabled by default, uncomment this to disable it
	listen_tls = {{ listen_tls }}

	# Listen for unencrypted TCP connections on the public TCP/IP port.
	# NB, must pass the --listen flag to the libvirtd process for this to
	# have any effect.
	#
	# Using the TCP socket requires SASL authentication by default. Only
	# SASL mechanisms which support data encryption are allowed. This is
	# DIGEST_MD5 and GSSAPI (Kerberos5)
	#
	# This is disabled by default, uncomment this to enable it.
	#listen_tcp = 1


	listen_tcp = {{ listen_tcp }}

	# Override the port for accepting secure TLS connections
	# This can be a port number, or service name
	#
	#tls_port = "16514"

	# Override the port for accepting insecure TCP connections
	# This can be a port number, or service name
	#
	#tcp_port = "16509"


	# Override the default configuration which binds to all network
	# interfaces. This can be a numeric IPv4/6 address, or hostname
	#
	#listen_addr = "192.168.0.1"


	# Flag toggling mDNS advertizement of the libvirt service.
	#
	# Alternatively can disable for all services on a host by
	# stopping the Avahi daemon
	#
	# This is disabled by default, uncomment this to enable it
	#mdns_adv = 1

	# Override the default mDNS advertizement name. This must be
	# unique on the immediate broadcast network.
	#
	# The default is "Virtualization Host HOSTNAME", where HOSTNAME
	# is subsituted for the short hostname of the machine (without domain)
	#
	#mdns_name = "Virtualization Host Joe Demo"


	#################################################################
	#
	# UNIX socket access controls
	#

	# Set the UNIX domain socket group ownership. This can be used to
	# allow a 'trusted' set of users access to management capabilities
	# without becoming root.
	#
	# This is restricted to 'root' by default.
	unix_sock_group = {{ compute.get('libvirt_service_group', 'libvirtd')\|yaml_dquote }}

	# Set the UNIX socket permissions for the R/O socket. This is used
	# for monitoring VM status only
	#
	# Default allows any user. If setting group ownership may want to
	# restrict this to:
	#unix_sock_ro_perms = "0777"
	unix_sock_ro_perms = {{ unix_sock_ro_perms\|yaml_dquote }}

	# Set the UNIX socket permissions for the R/W socket. This is used
	# for full management of VMs
	#
	# Default allows only root. If PolicyKit is enabled on the socket,
	# the default will change to allow everyone (eg, 0777)
	#
	# If not using PolicyKit and setting group ownership for access
	# control then you may want to relax this to:
	unix_sock_rw_perms = {{ unix_sock_rw_perms\|yaml_dquote }}

	# Set the name of the directory in which sockets will be found/created.
	#unix_sock_dir = "/var/run/libvirt"

	#################################################################
	#
	# Authentication.
	#
	# - none: do not perform auth checks. If you can connect to the
	# socket you are allowed. This is suitable if there are
	# restrictions on connecting to the socket (eg, UNIX
	# socket permissions), or if there is a lower layer in
	# the network providing auth (eg, TLS/x509 certificates)
	#
	# - sasl: use SASL infrastructure. The actual auth scheme is then
	# controlled from /etc/sasl2/libvirt.conf. For the TCP
	# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
	# For non-TCP or TLS sockets, any scheme is allowed.
	#
	# - polkit: use PolicyKit to authenticate. This is only suitable
	# for use on the UNIX sockets. The default policy will
	# require a user to supply their own password to gain
	# full read/write access (aka sudo like), while anyone
	# is allowed read/only access.
	#
	# Set an authentication scheme for UNIX read-only sockets
	# By default socket permissions allow anyone to connect
	#
	# To restrict monitoring of domains you may wish to enable
	# an authentication mechanism here
	auth_unix_ro = "none"

	# Set an authentication scheme for UNIX read-write sockets
	# By default socket permissions only allow root. If PolicyKit
	# support was compiled into libvirt, the default will be to
	# use 'polkit' auth.
	#
	# If the unix_sock_rw_perms are changed you may wish to enable
	# an authentication mechanism here
	auth_unix_rw = "none"

	# Change the authentication scheme for TCP sockets.
	#
	# If you don't enable SASL, then all TCP traffic is cleartext.
	# Don't do this outside of a dev/test scenario. For real world
	# use, always enable SASL and use the GSSAPI or DIGEST-MD5
	# mechanism in /etc/sasl2/libvirt.conf
	#auth_tcp = "sasl"
	#auth_tcp = "none"
	auth_tcp = {{ compute.libvirt.auth_tcp\|yaml_dquote }}

	# Change the authentication scheme for TLS sockets.
	#
	# TLS sockets already have encryption provided by the TLS
	# layer, and limited authentication is done by certificates
	#
	# It is possible to make use of any SASL authentication
	# mechanism as well, by using 'sasl' for this option
	#auth_tls = "none"



	#################################################################
	#
	# TLS x509 certificate configuration
	#


	# Override the default server key file path
	#
	#key_file = "/etc/pki/libvirt/private/serverkey.pem"
	{%- if key_file is defined %}
	key_file = {{ key_file\|yaml_squote }}
	{%- endif %}

	# Override the default server certificate file path
	#
	#cert_file = "/etc/pki/libvirt/servercert.pem"
	{%- if cert_file is defined %}
	cert_file = {{ cert_file\|yaml_squote }}
	{%- endif %}

	# Override the default CA certificate path
	#
	#ca_file = "/etc/pki/CA/cacert.pem"
	{%- if ca_file is defined %}
	ca_file = {{ ca_file\|yaml_squote }}
	{%- endif %}

	# Specify a certificate revocation list.
	#
	# Defaults to not using a CRL, uncomment to enable it
	#crl_file = "/etc/pki/CA/crl.pem"



	#################################################################
	#
	# Authorization controls
	#


	# Flag to disable verification of our own server certificates
	#
	# When libvirtd starts it performs some sanity checks against
	# its own certificates.
	#
	# Default is to always run sanity checks. Uncommenting this
	# will disable sanity checks which is not a good idea
	#tls_no_sanity_certificate = 1

	# Flag to disable verification of client certificates
	#
	# Client certificate verification is the primary authentication mechanism.
	# Any client which does not present a certificate signed by the CA
	# will be rejected.
	#
	# Default is to always verify. Uncommenting this will disable
	# verification - make sure an IP whitelist is set
	#tls_no_verify_certificate = 1


	# A whitelist of allowed x509 Distinguished Names
	# This list may contain wildcards such as
	#
	# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
	#
	# See the POSIX fnmatch function for the format of the wildcards.
	#
	# NB If this is an empty list, no client can connect, so comment out
	# entirely rather than using empty list to disable these checks
	#
	# By default, no DN's are checked
	#tls_allowed_dn_list = ["DN1", "DN2"]

	{%- if tls_allowed_dn_list is defined %}
	tls_allowed_dn_list = {{ tls_allowed_dn_list }}
	{%- endif %}

	# A whitelist of allowed SASL usernames. The format for usernames
	# depends on the SASL authentication mechanism. Kerberos usernames
	# look like username@REALM
	#
	# This list may contain wildcards such as
	#
	# "*@EXAMPLE.COM"
	#
	# See the POSIX fnmatch function for the format of the wildcards.
	#
	# NB If this is an empty list, no client can connect, so comment out
	# entirely rather than using empty list to disable these checks
	#
	# By default, no Username's are checked
	#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]



	#################################################################
	#
	# Processing controls
	#

	# The maximum number of concurrent client connections to allow
	# over all sockets combined.
	#max_clients = 20


	# The minimum limit sets the number of workers to start up
	# initially. If the number of active clients exceeds this,
	# then more threads are spawned, upto max_workers limit.
	# Typically you'd want max_workers to equal maximum number
	# of clients allowed
	#min_workers = 5
	#max_workers = 20


	# The number of priority workers. If all workers from above
	# pool will stuck, some calls marked as high priority
	# (notably domainDestroy) can be executed in this pool.
	#prio_workers = 5

	# Total global limit on concurrent RPC calls. Should be
	# at least as large as max_workers. Beyond this, RPC requests
	# will be read into memory and queued. This directly impact
	# memory usage, currently each request requires 256 KB of
	# memory. So by default upto 5 MB of memory is used
	#
	# XXX this isn't actually enforced yet, only the per-client
	# limit is used so far
	#max_requests = 20

	# Limit on concurrent requests from a single client
	# connection. To avoid one client monopolizing the server
	# this should be a small fraction of the global max_requests
	# and max_workers parameter
	#max_client_requests = 5

	#################################################################
	#
	# Logging controls
	#

	# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
	# basically 1 will log everything possible
	#log_level = 3
	{%- if compute.libvirt.get('logging',{}).level is defined %}
	log_level = {{ compute.libvirt.logging.level }}
	{%- endif %}
	# Logging filters:
	# A filter allows to select a different logging level for a given category
	# of logs
	# The format for a filter is one of:
	# x:name
	# x:+name
	# where name is a string which is matched against source file name,
	# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
	# tells libvirt to log stack trace for each message matching name,
	# and x is the minimal level where matching messages should be logged:
	# 1: DEBUG
	# 2: INFO
	# 3: WARNING
	# 4: ERROR
	#
	# Multiple filter can be defined in a single @filters, they just need to be
	# separated by spaces.
	#
	# e.g. to only get warning or errors from the remote layer and only errors
	# from the event layer:
	#log_filters="3:remote 4:event"
	{%- if compute.libvirt.get('logging',{}).filters is defined %}
	log_filters={{ compute.libvirt.logging.filters\|yaml_dquote }}
	{%- endif %}

	# Logging outputs:
	# An output is one of the places to save logging information
	# The format for an output can be:
	# x:stderr
	# output goes to stderr
	# x:syslog:name
	# use syslog for the output and use the given name as the ident
	# x:file:file_path
	# output to a file, with the given filepath
	# In all case the x prefix is the minimal level, acting as a filter
	# 1: DEBUG
	# 2: INFO
	# 3: WARNING
	# 4: ERROR
	#
	# Multiple output can be defined, they just need to be separated by spaces.
	# e.g. to log all warnings and errors to syslog under the libvirtd ident:
	#log_outputs="3:syslog:libvirtd"
	#
	{%- if compute.libvirt.get('logging',{}).outputs is defined %}
	log_outputs={{ compute.libvirt.logging.outputs\|yaml_dquote }}
	{%- endif %}

	# Log debug buffer size: default 64
	# The daemon keeps an internal debug log buffer which will be dumped in case
	# of crash or upon receiving a SIGUSR2 signal. This setting allows to override
	# the default buffer size in kilobytes.
	# If value is 0 or less the debug log buffer is deactivated
	#log_buffer_size = 64
	{%- if compute.libvirt.get('logging',{}).buffer_size is defined %}
	log_buffer_size = {{ compute.libvirt.logging.buffer_size }}
	{%- endif %}

	##################################################################
	#
	# Auditing
	#
	# This setting allows usage of the auditing subsystem to be altered:
	#
	# audit_level == 0 -> disable all auditing
	# audit_level == 1 -> enable auditing, only if enabled on host (default)
	# audit_level == 2 -> enable auditing, and exit if disabled on host
	#
	#audit_level = 2
	#
	# If set to 1, then audit messages will also be sent
	# via libvirt logging infrastructure. Defaults to 0
	#
	#audit_logging = 1

	###################################################################
	# UUID of the host:
	# Provide the UUID of the host here in case the command
	# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
	# 'dmidecode' does not provide a valid UUID and none is provided here, a
	# temporary UUID will be generated.
	# Keep the format of the example UUID below. UUID must not have all digits
	# be the same.

	# NB This default all-zeros UUID will not work. Replace
	# it with the output of the 'uuidgen' command and then
	# uncomment this entry
	#host_uuid = "00000000-0000-0000-0000-000000000000"

	###################################################################
	# Keepalive protocol:
	# This allows libvirtd to detect broken client connections or even
	# dead client. A keepalive message is sent to a client after
	# keepalive_interval seconds of inactivity to check if the client is
	# still responding; keepalive_count is a maximum number of keepalive
	# messages that are allowed to be sent to the client without getting
	# any response before the connection is considered broken. In other
	# words, the connection is automatically closed approximately after
	# keepalive_interval * (keepalive_count + 1) seconds since the last
	# message received from the client. If keepalive_interval is set to
	# -1, libvirtd will never send keepalive requests; however clients
	# can still send them and the deamon will send responses. When
	# keepalive_count is set to 0, connections will be automatically
	# closed after keepalive_interval seconds of inactivity without
	# sending any keepalive messages.
	#
	#keepalive_interval = 5
	#keepalive_count = 5
	#
	# If set to 1, libvirtd will refuse to talk to clients that do not
	# support keepalive protocol. Defaults to 0.
	#
	#keepalive_required = 1