blob: 8333dcba4a1d4e2a48c7063618e75e1d041cbe00 [file] [log] [blame]
Jakub Pavlik02a01c72017-04-11 16:04:51 +02001# Master libvirt daemon configuration file
2#
3# For further information consult http://libvirt.org/format.html
4#
5# NOTE: the tests/daemon-conf regression test script requires
6# that each "PARAMETER = VALUE" line in this file have the parameter
7# name just after a leading "#".
8
9#################################################################
10#
11# Network connectivity controls
12#
13
14# Flag listening for secure TLS connections on the public TCP/IP port.
15# NB, must pass the --listen flag to the libvirtd process for this to
16# have any effect.
17#
18# It is necessary to setup a CA and issue server certificates before
19# using this capability.
20#
21# This is enabled by default, uncomment this to disable it
22#listen_tls = 0
23
24
25listen_tls = 0
26listen_tcp = 1
27auth_tcp = "none"
28
29
30# Listen for unencrypted TCP connections on the public TCP/IP port.
31# NB, must pass the --listen flag to the libvirtd process for this to
32# have any effect.
33#
34# Using the TCP socket requires SASL authentication by default. Only
35# SASL mechanisms which support data encryption are allowed. This is
36# DIGEST_MD5 and GSSAPI (Kerberos5)
37#
38# This is disabled by default, uncomment this to enable it.
39#listen_tcp = 1
40
41
42
43# Override the port for accepting secure TLS connections
44# This can be a port number, or service name
45#
46#tls_port = "16514"
47
48# Override the port for accepting insecure TCP connections
49# This can be a port number, or service name
50#
51#tcp_port = "16509"
52
53
54# Override the default configuration which binds to all network
55# interfaces. This can be a numeric IPv4/6 address, or hostname
56#
57#listen_addr = "192.168.0.1"
58
59
60# Flag toggling mDNS advertizement of the libvirt service.
61#
62# Alternatively can disable for all services on a host by
63# stopping the Avahi daemon
64#
65# This is disabled by default, uncomment this to enable it
66#mdns_adv = 1
67
68# Override the default mDNS advertizement name. This must be
69# unique on the immediate broadcast network.
70#
71# The default is "Virtualization Host HOSTNAME", where HOSTNAME
72# is subsituted for the short hostname of the machine (without domain)
73#
74#mdns_name = "Virtualization Host Joe Demo"
75
76
77#################################################################
78#
79# UNIX socket access controls
80#
81
82# Set the UNIX domain socket group ownership. This can be used to
83# allow a 'trusted' set of users access to management capabilities
84# without becoming root.
85#
86# This is restricted to 'root' by default.
87unix_sock_group = "libvirtd"
88
89# Set the UNIX socket permissions for the R/O socket. This is used
90# for monitoring VM status only
91#
92# Default allows any user. If setting group ownership may want to
93# restrict this to:
94#unix_sock_ro_perms = "0777"
95
96# Set the UNIX socket permissions for the R/W socket. This is used
97# for full management of VMs
98#
99# Default allows only root. If PolicyKit is enabled on the socket,
100# the default will change to allow everyone (eg, 0777)
101#
102# If not using PolicyKit and setting group ownership for access
103# control then you may want to relax this to:
104unix_sock_rw_perms = "0770"
105
106# Set the name of the directory in which sockets will be found/created.
107#unix_sock_dir = "/var/run/libvirt"
108
109#################################################################
110#
111# Authentication.
112#
113# - none: do not perform auth checks. If you can connect to the
114# socket you are allowed. This is suitable if there are
115# restrictions on connecting to the socket (eg, UNIX
116# socket permissions), or if there is a lower layer in
117# the network providing auth (eg, TLS/x509 certificates)
118#
119# - sasl: use SASL infrastructure. The actual auth scheme is then
120# controlled from /etc/sasl2/libvirt.conf. For the TCP
121# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
122# For non-TCP or TLS sockets, any scheme is allowed.
123#
124# - polkit: use PolicyKit to authenticate. This is only suitable
125# for use on the UNIX sockets. The default policy will
126# require a user to supply their own password to gain
127# full read/write access (aka sudo like), while anyone
128# is allowed read/only access.
129#
130# Set an authentication scheme for UNIX read-only sockets
131# By default socket permissions allow anyone to connect
132#
133# To restrict monitoring of domains you may wish to enable
134# an authentication mechanism here
135auth_unix_ro = "none"
136
137# Set an authentication scheme for UNIX read-write sockets
138# By default socket permissions only allow root. If PolicyKit
139# support was compiled into libvirt, the default will be to
140# use 'polkit' auth.
141#
142# If the unix_sock_rw_perms are changed you may wish to enable
143# an authentication mechanism here
144auth_unix_rw = "none"
145
146# Change the authentication scheme for TCP sockets.
147#
148# If you don't enable SASL, then all TCP traffic is cleartext.
149# Don't do this outside of a dev/test scenario. For real world
150# use, always enable SASL and use the GSSAPI or DIGEST-MD5
151# mechanism in /etc/sasl2/libvirt.conf
152#auth_tcp = "sasl"
153#auth_tcp = "none"
154
155# Change the authentication scheme for TLS sockets.
156#
157# TLS sockets already have encryption provided by the TLS
158# layer, and limited authentication is done by certificates
159#
160# It is possible to make use of any SASL authentication
161# mechanism as well, by using 'sasl' for this option
162#auth_tls = "none"
163
164
165
166#################################################################
167#
168# TLS x509 certificate configuration
169#
170
171
172# Override the default server key file path
173#
174#key_file = "/etc/pki/libvirt/private/serverkey.pem"
175
176# Override the default server certificate file path
177#
178#cert_file = "/etc/pki/libvirt/servercert.pem"
179
180# Override the default CA certificate path
181#
182#ca_file = "/etc/pki/CA/cacert.pem"
183
184# Specify a certificate revocation list.
185#
186# Defaults to not using a CRL, uncomment to enable it
187#crl_file = "/etc/pki/CA/crl.pem"
188
189
190
191#################################################################
192#
193# Authorization controls
194#
195
196
197# Flag to disable verification of our own server certificates
198#
199# When libvirtd starts it performs some sanity checks against
200# its own certificates.
201#
202# Default is to always run sanity checks. Uncommenting this
203# will disable sanity checks which is not a good idea
204#tls_no_sanity_certificate = 1
205
206# Flag to disable verification of client certificates
207#
208# Client certificate verification is the primary authentication mechanism.
209# Any client which does not present a certificate signed by the CA
210# will be rejected.
211#
212# Default is to always verify. Uncommenting this will disable
213# verification - make sure an IP whitelist is set
214#tls_no_verify_certificate = 1
215
216
217# A whitelist of allowed x509 Distinguished Names
218# This list may contain wildcards such as
219#
220# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
221#
222# See the POSIX fnmatch function for the format of the wildcards.
223#
224# NB If this is an empty list, no client can connect, so comment out
225# entirely rather than using empty list to disable these checks
226#
227# By default, no DN's are checked
228#tls_allowed_dn_list = ["DN1", "DN2"]
229
230
231# A whitelist of allowed SASL usernames. The format for usernames
232# depends on the SASL authentication mechanism. Kerberos usernames
233# look like username@REALM
234#
235# This list may contain wildcards such as
236#
237# "*@EXAMPLE.COM"
238#
239# See the POSIX fnmatch function for the format of the wildcards.
240#
241# NB If this is an empty list, no client can connect, so comment out
242# entirely rather than using empty list to disable these checks
243#
244# By default, no Username's are checked
245#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
246
247
248
249#################################################################
250#
251# Processing controls
252#
253
254# The maximum number of concurrent client connections to allow
255# over all sockets combined.
256#max_clients = 20
257
258
259# The minimum limit sets the number of workers to start up
260# initially. If the number of active clients exceeds this,
261# then more threads are spawned, upto max_workers limit.
262# Typically you'd want max_workers to equal maximum number
263# of clients allowed
264#min_workers = 5
265#max_workers = 20
266
267
268# The number of priority workers. If all workers from above
269# pool will stuck, some calls marked as high priority
270# (notably domainDestroy) can be executed in this pool.
271#prio_workers = 5
272
273# Total global limit on concurrent RPC calls. Should be
274# at least as large as max_workers. Beyond this, RPC requests
275# will be read into memory and queued. This directly impact
276# memory usage, currently each request requires 256 KB of
277# memory. So by default upto 5 MB of memory is used
278#
279# XXX this isn't actually enforced yet, only the per-client
280# limit is used so far
281#max_requests = 20
282
283# Limit on concurrent requests from a single client
284# connection. To avoid one client monopolizing the server
285# this should be a small fraction of the global max_requests
286# and max_workers parameter
287#max_client_requests = 5
288
289#################################################################
290#
291# Logging controls
292#
293
294# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
295# basically 1 will log everything possible
296#log_level = 3
297
298# Logging filters:
299# A filter allows to select a different logging level for a given category
300# of logs
301# The format for a filter is one of:
302# x:name
303# x:+name
304# where name is a string which is matched against source file name,
305# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
306# tells libvirt to log stack trace for each message matching name,
307# and x is the minimal level where matching messages should be logged:
308# 1: DEBUG
309# 2: INFO
310# 3: WARNING
311# 4: ERROR
312#
313# Multiple filter can be defined in a single @filters, they just need to be
314# separated by spaces.
315#
316# e.g. to only get warning or errors from the remote layer and only errors
317# from the event layer:
318#log_filters="3:remote 4:event"
319
320# Logging outputs:
321# An output is one of the places to save logging information
322# The format for an output can be:
323# x:stderr
324# output goes to stderr
325# x:syslog:name
326# use syslog for the output and use the given name as the ident
327# x:file:file_path
328# output to a file, with the given filepath
329# In all case the x prefix is the minimal level, acting as a filter
330# 1: DEBUG
331# 2: INFO
332# 3: WARNING
333# 4: ERROR
334#
335# Multiple output can be defined, they just need to be separated by spaces.
336# e.g. to log all warnings and errors to syslog under the libvirtd ident:
337#log_outputs="3:syslog:libvirtd"
338#
339
340# Log debug buffer size: default 64
341# The daemon keeps an internal debug log buffer which will be dumped in case
342# of crash or upon receiving a SIGUSR2 signal. This setting allows to override
343# the default buffer size in kilobytes.
344# If value is 0 or less the debug log buffer is deactivated
345#log_buffer_size = 64
346
347
348##################################################################
349#
350# Auditing
351#
352# This setting allows usage of the auditing subsystem to be altered:
353#
354# audit_level == 0 -> disable all auditing
355# audit_level == 1 -> enable auditing, only if enabled on host (default)
356# audit_level == 2 -> enable auditing, and exit if disabled on host
357#
358#audit_level = 2
359#
360# If set to 1, then audit messages will also be sent
361# via libvirt logging infrastructure. Defaults to 0
362#
363#audit_logging = 1
364
365###################################################################
366# UUID of the host:
367# Provide the UUID of the host here in case the command
368# 'dmidecode -s system-uuid' does not provide a valid uuid. In case
369# 'dmidecode' does not provide a valid UUID and none is provided here, a
370# temporary UUID will be generated.
371# Keep the format of the example UUID below. UUID must not have all digits
372# be the same.
373
374# NB This default all-zeros UUID will not work. Replace
375# it with the output of the 'uuidgen' command and then
376# uncomment this entry
377#host_uuid = "00000000-0000-0000-0000-000000000000"
378
379###################################################################
380# Keepalive protocol:
381# This allows libvirtd to detect broken client connections or even
382# dead client. A keepalive message is sent to a client after
383# keepalive_interval seconds of inactivity to check if the client is
384# still responding; keepalive_count is a maximum number of keepalive
385# messages that are allowed to be sent to the client without getting
386# any response before the connection is considered broken. In other
387# words, the connection is automatically closed approximately after
388# keepalive_interval * (keepalive_count + 1) seconds since the last
389# message received from the client. If keepalive_interval is set to
390# -1, libvirtd will never send keepalive requests; however clients
391# can still send them and the deamon will send responses. When
392# keepalive_count is set to 0, connections will be automatically
393# closed after keepalive_interval seconds of inactivity without
394# sending any keepalive messages.
395#
396#keepalive_interval = 5
397#keepalive_count = 5
398#
399# If set to 1, libvirtd will refuse to talk to clients that do not
400# support keepalive protocol. Defaults to 0.
401#
402#keepalive_required = 1