# Master libvirt daemon configuration file # ################################################################# # # Network connectivity controls # # Flag listening for secure TLS connections on the public TCP/IP port. # # To enable listening sockets with the 'libvirtd' daemon it's also required to # pass the '--listen' flag on the commandline of the daemon. # This is not needed with 'virtproxyd'. # # This setting is not required or honoured if using systemd socket # activation. # # It is necessary to setup a CA and issue server certificates before # using this capability. # # This is enabled by default, uncomment this to disable it #listen_tls = 0 # Listen for unencrypted TCP connections on the public TCP/IP port. # # To enable listening sockets with the 'libvirtd' daemon it's also required to # pass the '--listen' flag on the commandline of the daemon. # This is not needed with 'virtproxyd'. # # This setting is not required or honoured if using systemd socket # activation. # # Using the TCP socket requires SASL authentication by default. Only # SASL mechanisms which support data encryption are allowed. This is # DIGEST_MD5 and GSSAPI (Kerberos5) # # This is disabled by default, uncomment this to enable it. #listen_tcp = 1 # Override the port for accepting secure TLS connections # This can be a port number, or service name # # This setting is not required or honoured if using systemd socket # activation. # #tls_port = "16514" # Override the port for accepting insecure TCP connections # This can be a port number, or service name # # This setting is not required or honoured if using systemd socket # activation. # #tcp_port = "16509" # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # # This setting is not required or honoured if using systemd socket # activation. # # If the libvirtd service is started in parallel with network # startup (e.g. with systemd), binding to addresses other than # the wildcards (0.0.0.0/::) might not be available yet. # #listen_addr = "192.168.0.1" ################################################################# # # UNIX socket access controls # # Set the UNIX domain socket group ownership. This can be used to # allow a 'trusted' set of users access to management capabilities # without becoming root. # # This setting is not required or honoured if using systemd socket # activation. # # This is restricted to 'root' by default. unix_sock_group = "libvirt" # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # # This setting is not required or honoured if using systemd socket # activation. # # Default allows any user. If setting group ownership, you may want to # restrict this too. unix_sock_ro_perms = "0770" # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs # # This setting is not required or honoured if using systemd socket # activation. # # Default allows only root. If PolicyKit is enabled on the socket, # the default will change to allow everyone (eg, 0777) # # If not using PolicyKit and setting group ownership for access # control, then you may want to relax this too. unix_sock_rw_perms = "0770" # Set the UNIX socket permissions for the admin interface socket. # # This setting is not required or honoured if using systemd socket # activation. # # Default allows only owner (root), do not change it unless you are # sure to whom you are exposing the access to. #unix_sock_admin_perms = "0700" # Set the name of the directory in which sockets will be found/created. # # This setting is not required or honoured if using systemd socket # activation. # #unix_sock_dir = "/run/libvirt" ################################################################# # # Authentication. # # There are the following choices available: # # - none: do not perform auth checks. If you can connect to the # socket you are allowed. This is suitable if there are # restrictions on connecting to the socket (eg, UNIX # socket permissions), or if there is a lower layer in # the network providing auth (eg, TLS/x509 certificates) # # - sasl: use SASL infrastructure. The actual auth scheme is then # controlled from /etc/sasl2/libvirt.conf. For the TCP # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. # For non-TCP or TLS sockets, any scheme is allowed. # # - polkit: use PolicyKit to authenticate. This is only suitable # for use on the UNIX sockets. The default policy will # require a user to supply their own password to gain # full read/write access (aka sudo like), while anyone # is allowed read/only access. # # Set an authentication scheme for UNIX read-only sockets # # By default socket permissions allow anyone to connect # # If libvirt was compiled without support for 'polkit', then # no access control checks are done, but libvirt still only # allows execution of APIs which don't change state. # # If libvirt was compiled with support for 'polkit', then # the libvirt socket will perform a check with polkit after # connections. The default policy still allows any local # user access. # # To restrict monitoring of domains you may wish to either # enable 'sasl' here, or change the polkit policy definition. #auth_unix_ro = "polkit" # Set an authentication scheme for UNIX read-write sockets. # # If libvirt was compiled without support for 'polkit', then # the systemd .socket files will use SocketMode=0600 by default # thus only allowing root user to connect, and 'auth_unix_rw' # will default to 'none'. # # If libvirt was compiled with support for 'polkit', then # the systemd .socket files will use SocketMode=0666 which # allows any user to connect and 'auth_unix_rw' will default # to 'polkit'. If you disable use of 'polkit' here, then it # is essential to change the systemd SocketMode parameter # back to 0600, to avoid an insecure configuration. # #auth_unix_rw = "polkit" # Change the authentication scheme for TCP sockets. # # If you don't enable SASL, then all TCP traffic is cleartext. # Don't do this outside of a dev/test scenario. For real world # use, always enable SASL and use the GSSAPI or DIGEST-MD5 # mechanism in /etc/sasl2/libvirt.conf #auth_tcp = "sasl" # Change the authentication scheme for TLS sockets. # # TLS sockets already have encryption provided by the TLS # layer, and limited authentication is done by certificates # # It is possible to make use of any SASL authentication # mechanism as well, by using 'sasl' for this option #auth_tls = "none" # Enforce a minimum SSF value for TCP sockets # # The default minimum is currently 56 (single-DES) which will # be raised to 112 in the future. # # This option can be used to set values higher than 112 #tcp_min_ssf = 112 # Change the API access control scheme # # By default an authenticated user is allowed access # to all APIs. Access drivers can place restrictions # on this. By default the 'nop' driver is enabled, # meaning no access control checks are done once a # client has authenticated with libvirtd # #access_drivers = [ "polkit" ] ################################################################# # # TLS x509 certificate configuration # # Use of TLS requires that x509 certificates be issued. The default locations # for the certificate files is as follows: # # /etc/pki/CA/cacert.pem - The CA master certificate # /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem # /etc/pki/libvirt/private/serverkey.pem - The server private key # # It is possible to override the default locations by altering the 'key_file', # 'cert_file', and 'ca_file' values and uncommenting them below. # # NB, overriding the default of one location requires uncommenting and # possibly additionally overriding the other settings. # # Override the default server key file path # #key_file = "/etc/pki/libvirt/private/serverkey.pem" # Override the default server certificate file path # #cert_file = "/etc/pki/libvirt/servercert.pem" # Override the default CA certificate path # #ca_file = "/etc/pki/CA/cacert.pem" # Specify a certificate revocation list. # # Defaults to not using a CRL, uncomment to enable it #crl_file = "/etc/pki/CA/crl.pem" ################################################################# # # Authorization controls # # Flag to disable verification of our own server certificates # # When libvirtd starts it performs some sanity checks against # its own certificates. # # Default is to always run sanity checks. Uncommenting this # will disable sanity checks which is not a good idea #tls_no_sanity_certificate = 1 # Flag to disable verification of client certificates # # Client certificate verification is the primary authentication mechanism. # Any client which does not present a certificate signed by the CA # will be rejected. # # Default is to always verify. Uncommenting this will disable # verification. #tls_no_verify_certificate = 1 # An access control list of allowed x509 Distinguished Names # This list may contain wildcards such as # # "C=GB,ST=London,L=London,O=Red Hat,CN=*" # # Any * matches any number of consecutive spaces, like a simplified glob(7). # # The format of the DN for a particular certificate can be queried # using: # # virt-pki-query-dn clientcert.pem # # NB If this is an empty list, no client can connect, so comment out # entirely rather than using empty list to disable these checks # # By default, no DN's are checked #tls_allowed_dn_list = ["DN1", "DN2"] # Override the compile time default TLS priority string. The # default is usually "NORMAL" unless overridden at build time. # Only set this is it is desired for libvirt to deviate from # the global default settings. # #tls_priority="NORMAL" # An access control list of allowed SASL usernames. The format for username # depends on the SASL authentication mechanism. Kerberos usernames # look like username@REALM # # This list may contain wildcards such as # # "*@EXAMPLE.COM" # # See the g_pattern_match function for the format of the wildcards. # # https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html # # NB If this is an empty list, no client can connect, so comment out # entirely rather than using empty list to disable these checks # # By default, no Username's are checked #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] ################################################################# # # Processing controls # # The maximum number of concurrent client connections to allow # over all sockets combined. #max_clients = 5000 # The maximum length of queue of connections waiting to be # accepted by the daemon. Note, that some protocols supporting # retransmission may obey this so that a later reattempt at # connection succeeds. #max_queued_clients = 1000 # The maximum length of queue of accepted but not yet # authenticated clients. The default value is 20. Set this to # zero to turn this feature off. #max_anonymous_clients = 20 # The minimum limit sets the number of workers to start up # initially. If the number of active clients exceeds this, # then more threads are spawned, up to max_workers limit. # Typically you'd want max_workers to equal maximum number # of clients allowed #min_workers = 5 #max_workers = 20 # The number of priority workers. If all workers from above # pool are stuck, some calls marked as high priority # (notably domainDestroy) can be executed in this pool. #prio_workers = 5 # Limit on concurrent requests from a single client # connection. To avoid one client monopolizing the server # this should be a small fraction of the global max_workers # parameter. #max_client_requests = 5 # Same processing controls, but this time for the admin interface. # For description of each option, be so kind to scroll few lines # upwards. #admin_min_workers = 1 #admin_max_workers = 5 #admin_max_clients = 5 #admin_max_queued_clients = 5 #admin_max_client_requests = 5 ################################################################# # # Logging controls # # Logging level: 4 errors, 3 warnings, 2 information, 1 debug # basically 1 will log everything possible # # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. # # WARNING: It outputs too much information to practically read. # WARNING: The "log_filters" setting is recommended instead. # # WARNING: Journald applies rate limiting of messages and so libvirt # WARNING: will limit "log_level" to only allow values 3 or 4 if # WARNING: journald is the current output. # # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. #log_level = 3 # Logging filters: # A filter allows to select a different logging level for a given category # of logs. The format for a filter is: # # level:match # # where 'match' is a string which is matched against the category # given in the VIR_LOG_INIT() at the top of each libvirt source # file, e.g., "remote", "qemu", or "util.json". The 'match' in the # filter matches using shell wildcard syntax (see 'man glob(7)'). # The 'match' is always treated as a substring match. IOW a match # string 'foo' is equivalent to '*foo*'. # # 'level' is the minimal level where matching messages should # be logged: # # 1: DEBUG # 2: INFO # 3: WARNING # 4: ERROR # # Multiple filters can be defined in a single @log_filters, they just need # to be separated by spaces. Note that libvirt performs "first" match, i.e. # if there are concurrent filters, the first one that matches will be applied, # given the order in @log_filters. # # A typical need is to capture information from a hypervisor driver, # public API entrypoints and some of the utility code. Some utility # code is very verbose and is generally not desired. Taking the QEMU # hypervisor as an example, a suitable filter string for debugging # might be to turn off object, json & event logging, but enable the # rest of the util code: # #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" # Logging outputs: # An output is one of the places to save logging information # The format for an output can be: # level:stderr # output goes to stderr # level:syslog:name # use syslog for the output and use the given name as the ident # level:file:file_path # output to a file, with the given filepath # level:journald # output to journald logging system # In all cases 'level' is the minimal priority, acting as a filter # 1: DEBUG # 2: INFO # 3: WARNING # 4: ERROR # # Multiple outputs can be defined, they just need to be separated by spaces. # e.g. to log all warnings and errors to syslog under the libvirtd ident: #log_outputs="3:syslog:libvirtd" ################################################################## # # Auditing # # This setting allows usage of the auditing subsystem to be altered: # # audit_level == 0 -> disable all auditing # audit_level == 1 -> enable auditing, only if enabled on host (default) # audit_level == 2 -> enable auditing, and exit if disabled on host # #audit_level = 2 # # If set to 1, then audit messages will also be sent # via libvirt logging infrastructure. Defaults to 0 # #audit_logging = 1 ################################################################### # UUID of the host: # Host UUID is read from one of the sources specified in host_uuid_source. # # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' # - 'machine-id': fetch the UUID from /etc/machine-id # # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide # a valid UUID a temporary UUID will be generated. # # Another option is to specify host UUID in host_uuid. # # Keep the format of the example UUID below. UUID must not have all digits # be the same. # NB This default all-zeros UUID will not work. Replace # it with the output of the 'uuidgen' command and then # uncomment this entry #host_uuid = "00000000-0000-0000-0000-000000000000" #host_uuid_source = "smbios" ################################################################### # Keepalive protocol: # This allows libvirtd to detect broken client connections or even # dead clients. A keepalive message is sent to a client after # keepalive_interval seconds of inactivity to check if the client is # still responding; keepalive_count is a maximum number of keepalive # messages that are allowed to be sent to the client without getting # any response before the connection is considered broken. In other # words, the connection is automatically closed approximately after # keepalive_interval * (keepalive_count + 1) seconds since the last # message received from the client. If keepalive_interval is set to # -1, libvirtd will never send keepalive requests; however clients # can still send them and the daemon will send responses. When # keepalive_count is set to 0, connections will be automatically # closed after keepalive_interval seconds of inactivity without # sending any keepalive messages. # #keepalive_interval = 5 #keepalive_count = 5 # # These configuration options are no longer used. There is no way to # restrict such clients from connecting since they first need to # connect in order to ask for keepalive. # #keepalive_required = 1 #admin_keepalive_required = 1 # Keepalive settings for the admin interface #admin_keepalive_interval = 5 #admin_keepalive_count = 5 ################################################################### # Open vSwitch: # This allows to specify a timeout for openvswitch calls made by # libvirt. The ovs-vsctl utility is used for the configuration and # its timeout option is set by default to 5 seconds to avoid # potential infinite waits blocking libvirt. # #ovs_timeout = 5