├── tests
└── init.pp
├── spec
├── spec_helper.rb
├── acceptance
│ ├── nodesets
│ │ ├── centos-64-x64.yml
│ │ ├── ubuntu-server-1404-x64.yml
│ │ ├── default.yml
│ │ └── ubuntu-server-12042-x64.yml
│ ├── class_spec.rb
│ └── network_spec.rb
├── spec_helper_acceptance.rb
├── classes
│ └── libvirt_spec.rb
└── defines
│ └── network_spec.rb
├── .gitignore
├── .fixtures.yml
├── .nodeset.yml
├── templates
├── default
│ ├── libvirt-bin.orig
│ └── libvirt-bin.erb
├── libvirt.conf.orig
├── sysconfig
│ ├── libvirtd.orig
│ └── libvirtd.erb
├── sasl2
│ ├── libvirt.conf.orig
│ ├── qemu-kvm.conf.orig
│ ├── libvirt.conf.erb
│ ├── qemu-kvm.conf.erb
│ ├── libvirt.conf-el8.erb
│ ├── libvirt.conf-el8.orig
│ ├── qemu-kvm.conf-el8.erb
│ └── qemu-kvm.conf-el8.orig
├── lxc.conf.orig
├── network.xml.erb
├── qemu.conf.orig
├── libvirtd.conf.orig
├── qemu.conf.erb
├── libvirtd.conf.erb
├── libvirtd.conf-el8.erb
├── libvirtd.conf-el8.orig
└── qemu.conf-el8.erb
├── Gemfile
├── LICENSE
├── metadata.json
├── Rakefile
├── manifests
├── params.pp
├── network.pp
└── init.pp
├── CHANGELOG.md
├── lib
└── puppet
│ ├── type
│ └── libvirt_pool.rb
│ └── provider
│ └── libvirt_pool
│ └── virsh.rb
└── README.md
/tests/init.pp:
--------------------------------------------------------------------------------
# Smoke-test manifest: declare the libvirt class with mDNS advertisement
# turned off. '0' is passed as a string, which is what this parameter appears
# to expect; presumably it ends up as libvirtd.conf's mdns_adv setting --
# confirm against manifests/init.pp.
class { 'libvirt': mdns_adv => '0' }

--------------------------------------------------------------------------------
/spec/spec_helper.rb:
--------------------------------------------------------------------------------
# Shared setup for the unit specs (spec/classes, spec/defines): the
# puppetlabs_spec_helper module helper wires up rspec-puppet and the fixtures
# declared in .fixtures.yml.
require 'puppetlabs_spec_helper/module_spec_helper'

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .*.swp
2 | pkg/
3 | spec/fixtures
4 | .rspec_system
5 | Gemfile.lock
6 |
--------------------------------------------------------------------------------
/.fixtures.yml:
--------------------------------------------------------------------------------
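# Fixtures for the rspec-puppet unit specs: stdlib is cloned into
# spec/fixtures at test time and this module is symlinked in as 'libvirt'.
fixtures:
  repositories:
    # Cloned over HTTPS so the transport is server-authenticated; the bare
    # git:// protocol is unauthenticated (a tampered mirror is undetectable)
    # and GitHub no longer serves it. Ideally also pin a ref/tag here so test
    # runs are reproducible.
    stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
  symlinks:
    libvirt: "#{source_dir}"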
--------------------------------------------------------------------------------
/spec/acceptance/nodesets/centos-64-x64.yml:
--------------------------------------------------------------------------------
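---
# Beaker nodeset: a single CentOS 6.4 VirtualBox VM carrying the master role.
# Keys are written without a space before the colon (the original had
# `box :` / `box_url :` / `hypervisor :`, which yamllint rejects).
HOSTS:
  centos-64-x64:
    roles:
      - master
    platform: el-6-x86_64
    box: centos-64-x64-vbox4210-nocm
    # NOTE(review): the box image is fetched over plain HTTP with no checksum,
    # so nothing verifies its integrity before the acceptance tests run inside
    # it. Prefer an https URL, or a checksum, if the box provider offers one.
    box_url: http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box
    hypervisor: vagrant
CONFIG:
  log_level: verbose
  type: foss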
--------------------------------------------------------------------------------
/spec/acceptance/nodesets/ubuntu-server-1404-x64.yml:
--------------------------------------------------------------------------------
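---
# Beaker nodeset: a single Ubuntu 14.04 VM (Vagrant Cloud box) carrying the
# master role. The spaces before the colons on `box`, `box_url`, `hypervisor`
# and `log_level` in the original are removed -- they are a yamllint error
# and easy to misread as part of the key.
HOSTS:
  ubuntu-server-1404-x64:
    roles:
      - master
    platform: ubuntu-14.04-amd64
    box: puppetlabs/ubuntu-14.04-64-nocm
    # Fetched over HTTPS, unlike the other nodesets in this directory.
    box_url: https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm
    hypervisor: vagrant
CONFIG:
  log_level: debug
  type: git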
--------------------------------------------------------------------------------
/.nodeset.yml:
--------------------------------------------------------------------------------
---
# rspec-system nodesets: every set boots one node, main.foo.vm, from the
# named prefab. centos-64-x64 is used when no set is requested explicitly.
# Keys and values are plain scalars here; none of them needs quoting.
default_set: centos-64-x64
sets:
  centos-64-x64:
    nodes:
      main.foo.vm:
        prefab: centos-64-x64
  debian-70rc1-x64:
    nodes:
      main.foo.vm:
        prefab: debian-70rc1-x64
  ubuntu-server-12042-x64:
    nodes:
      main.foo.vm:
        prefab: ubuntu-server-12042-x64
--------------------------------------------------------------------------------
/spec/acceptance/nodesets/default.yml:
--------------------------------------------------------------------------------
---
# Beaker nodeset used when none is named: one ubuntu-server-12042-x64
# VirtualBox VM with the master role. Same content as
# ubuntu-server-12042-x64.yml in this directory.
HOSTS:
  ubuntu-server-12042-x64:
    roles:
      - master
    platform: 'ubuntu-server-12.04-amd64'
    box: 'ubuntu-server-12042-x64-vbox4210-nocm'
    # NOTE(review): plain-HTTP download and no checksum -- the box image is
    # not integrity-checked before the tests execute inside it.
    box_url: 'http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box'
    hypervisor: 'vagrant'

CONFIG:
  log_level: 'verbose'
  type: 'foss'
--------------------------------------------------------------------------------
/templates/default/libvirt-bin.orig:
--------------------------------------------------------------------------------
1 | # Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)
2 | # This is a POSIX shell fragment
3 |
4 | # Start libvirtd to handle qemu/kvm:
5 | start_libvirtd="yes"
6 |
7 | # options passed to libvirtd, add "-l" to listen on tcp
8 | libvirtd_opts="-d --listen"
9 |
10 | # pass in location of kerberos keytab
11 | #export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
12 |
--------------------------------------------------------------------------------
/spec/acceptance/nodesets/ubuntu-server-12042-x64.yml:
--------------------------------------------------------------------------------
---
# Beaker nodeset: one ubuntu-server-12042-x64 VirtualBox VM with the master
# role. Same content as default.yml in this directory.
HOSTS:
  ubuntu-server-12042-x64:
    roles:
      - master
    platform: 'ubuntu-server-12.04-amd64'
    box: 'ubuntu-server-12042-x64-vbox4210-nocm'
    # NOTE(review): plain-HTTP download and no checksum -- the box image is
    # not integrity-checked before the tests execute inside it.
    box_url: 'http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box'
    hypervisor: 'vagrant'

CONFIG:
  log_level: 'verbose'
  type: 'foss'
--------------------------------------------------------------------------------
/templates/libvirt.conf.orig:
--------------------------------------------------------------------------------
1 | #
2 | # This can be used to setup URI aliases for frequently
3 | # used connection URIs. Aliases may contain only the
4 | # characters a-Z, 0-9, _, -.
5 | #
6 | # Following the '=' may be any valid libvirt connection
7 | # URI, including arbitrary parameters
8 |
9 | #uri_aliases = [
10 | # "hail=qemu+ssh://root@hail.cloud.example.com/system",
11 | # "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
12 | #]
13 |
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
# Gems needed to lint, unit-test and acceptance-test this module.
source "https://rubygems.org"

group :test do
  gem "rake"
  # PUPPET_VERSION lets CI exercise other Puppet releases; 3.4.x otherwise.
  gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.4.0'
  gem "puppet-lint"
  # NOTE(review): this git source carries no :ref/:tag, so every fresh bundle
  # resolves whatever HEAD of that repository is at install time. Builds are
  # therefore not reproducible, and a force-pushed or compromised upstream is
  # picked up unreviewed -- and with Gemfile.lock gitignored nothing else pins
  # it either. Pin to a tag or commit SHA.
  gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git'
  gem "puppet-syntax"
  gem "puppetlabs_spec_helper"
end

# Acceptance-test and release tooling only; the Rakefile tolerates these being
# absent (CI installs with --without development).
group :development do
  gem "travis"
  gem "travis-lint"
  gem "beaker"
  gem "beaker-rspec"
  gem "vagrant-wrapper"
  gem "puppet-blacksmith"
  gem "guard-rake"
end

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Copyright (C) 2012-2015 Matthias Saou
2 |
3 | Licensed under the Apache License, Version 2.0 (the "License");
4 | you may not use this file except in compliance with the License.
5 | You may obtain a copy of the License at
6 |
7 | http://www.apache.org/licenses/LICENSE-2.0
8 |
9 | Unless required by applicable law or agreed to in writing, software
10 | distributed under the License is distributed on an "AS IS" BASIS,
11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | See the License for the specific language governing permissions and
13 | limitations under the License.
14 |
15 |
--------------------------------------------------------------------------------
/spec/spec_helper_acceptance.rb:
--------------------------------------------------------------------------------
require 'beaker-rspec/spec_helper'
require 'beaker-rspec/helpers/serverspec'

# Puppet goes onto every node of the nodeset before any example runs.
hosts.each { |_host| install_puppet }

RSpec.configure do |config|
  # Root of the module checkout (this file lives in spec/).
  module_root = File.expand_path('..', File.dirname(__FILE__))

  # One line per example in the output.
  config.formatter = :documentation

  config.before :suite do
    # Copy this module onto the nodes, then fetch stdlib from the Forge on
    # each of them.
    puppet_module_install(:source => module_root, :module_name => 'libvirt')
    hosts.each do |host|
      # Exit code 1 is tolerated as well as 0 -- presumably because the
      # install reports 1 when stdlib is already present; verify.
      on host, puppet('module', 'install', 'puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] }
    end
  end
end

--------------------------------------------------------------------------------
/templates/default/libvirt-bin.erb:
--------------------------------------------------------------------------------
# Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin)
# This is a POSIX shell fragment
<%# Rendered from the @deb_default hash: each setting below takes the hash -%>
<%# value when one is given and otherwise falls back to the stock Debian -%>
<%# default. Values are interpolated verbatim between the double quotes, so -%>
<%# a value containing '"', '$' or '`' would alter the sourced shell line; -%>
<%# presumably only operator-supplied class parameters ever reach this hash -%>
<%# -- confirm nothing untrusted can. -%>

# Start libvirtd to handle qemu/kvm:
<% if @deb_default['start_libvirtd'] -%>
start_libvirtd="<%= @deb_default['start_libvirtd'] %>"
<% else -%>
start_libvirtd="yes"
<% end -%>

# options passed to libvirtd, add "-l" to listen on tcp
<%# NOTE(review): the fallback here is "-d", while the .orig copy next to -%>
<%# this template carries "-d --listen"; --listen opens libvirtd's TCP -%>
<%# socket, which the sysconfig template's own comment says requires TLS -%>
<%# keys to be set up first. -%>
<% if @deb_default['libvirtd_opts'] -%>
libvirtd_opts="<%= @deb_default['libvirtd_opts'] %>"
<% else -%>
libvirtd_opts="-d"
<% end -%>

# pass in location of kerberos keytab
<%# Exported unquoted: a keytab path containing whitespace would have to be -%>
<%# quoted by the caller. -%>
<% if @deb_default['KRB5_KTNAME'] -%>
export KRB5_KTNAME=<%= @deb_default['KRB5_KTNAME'] %>
<% else -%>
#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
<% end -%>

--------------------------------------------------------------------------------
/spec/classes/libvirt_spec.rb:
--------------------------------------------------------------------------------
# Copyright 2013 Brainsware
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

require 'spec_helper'

# Catalog-level checks for the libvirt class: with no parameters the stock
# "default" network autostart file is removed; with defaultnetwork => true an
# exec re-enables it instead.
describe 'libvirt', :type => :class do
  let(:title) { 'libvirt' }

  context 'with default parameters' do
    it { should contain_class('libvirt') }
    it do
      should contain_file('/etc/libvirt/qemu/networks/autostart/default.xml').with_ensure('absent')
    end
  end

  context 'with default network enabled' do
    let(:params) {{ :defaultnetwork => true }}

    it { should contain_class('libvirt') }
    it { should contain_exec('virsh-net-autostart-default') }
  end
end

--------------------------------------------------------------------------------
/metadata.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "thias-libvirt",
3 | "version": "1.0.3",
4 | "author": "Matthias Saou",
5 | "license": "Apache-2.0",
6 | "summary": "Libvirt virtualization API and capabilities.",
7 | "source": "git://github.com/thias/puppet-libvirt",
8 | "project_page": "https://github.com/thias/puppet-libvirt",
9 | "issues_url": "https://github.com/thias/puppet-libvirt/issues",
10 | "tags": ["libvirt", "kvm", "qemu", "virtualization"],
11 | "operatingsystem_support": [
12 | {
13 | "operatingsystem": "RedHat",
14 | "operatingsystemrelease": [ "6", "7", "8", "9" ]
15 | },
16 | {
17 | "operatingsystem": "CentOS",
18 | "operatingsystemrelease": [ "6", "7", "8", "9" ]
19 | },
20 | {
21 | "operatingsystem":"Debian",
22 | "operatingsystemrelease":[ "6", "7" ]
23 | },
24 | {
25 | "operatingsystem":"Ubuntu",
26 | "operatingsystemrelease":[ "12", "14" ]
27 | }
28 | ],
29 | "requirements": [
30 | {
31 | "name": "puppet",
32 | "version_requirement": ">=2.7.20 <8.0.0"
33 | }
34 | ],
35 | "dependencies": [
36 | {
37 | "name": "puppetlabs/stdlib",
38 | "version_requirement": ">= 3.2.0"
39 | }
40 | ]
41 | }
42 |
--------------------------------------------------------------------------------
/templates/sysconfig/libvirtd.orig:
--------------------------------------------------------------------------------
1 | # Override the default config file
2 | # NOTE: This setting is no longer honoured if using
3 | # systemd. Set '--config /etc/libvirt/libvirtd.conf'
4 | # in LIBVIRTD_ARGS instead.
5 | #LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf
6 |
7 | # Listen for TCP/IP connections
8 | # NB. must setup TLS/SSL keys prior to using this
9 | #LIBVIRTD_ARGS="--listen"
10 |
11 | # Override Kerberos service keytab for SASL/GSSAPI
12 | #KRB5_KTNAME=/etc/libvirt/krb5.tab
13 |
14 | # Override the QEMU/SDL default audio driver probing when
15 | # starting virtual machines using SDL graphics
16 | #
17 | # NB these have no effect for VMs using VNC, unless vnc_allow_host_audio
18 | # is enabled in /etc/libvirt/qemu.conf
19 | #QEMU_AUDIO_DRV=sdl
20 | #
21 | #SDL_AUDIODRIVER=pulse
22 |
23 | # Override the maximum number of opened files.
24 | # This only works with traditional init scripts.
25 | # In the systemd world, the limit can only be changed by overriding
26 | # LimitNOFILE for libvirtd.service. To do that, just create a *.conf
27 | # file in /etc/systemd/system/libvirtd.service.d/ (for example
28 | # /etc/systemd/system/libvirtd.service.d/openfiles.conf) and write
29 | # the following two lines in it:
30 | # [Service]
31 | # LimitNOFILE=2048
32 | #
33 | #LIBVIRTD_NOFILES_LIMIT=2048
34 |
--------------------------------------------------------------------------------
/templates/sasl2/libvirt.conf.orig:
--------------------------------------------------------------------------------
1 | # If you want to use the non-TLS socket, then you *must* include
2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
3 | # ones that can offer session encryption as well as authentication.
4 | #
5 | # If you're only using TLS, then you can turn on any mechanisms
6 | # you like for authentication, because TLS provides the encryption
7 | #
8 | # Default to a simple username+password mechanism
9 | mech_list: digest-md5
10 |
11 | # Before you can use GSSAPI, you need a service principle on the
12 | # KDC server for libvirt, and that to be exported to the keytab
13 | # file listed below
14 | #mech_list: gssapi
15 | #
16 | # You can also list many mechanisms at once, then the user can choose
17 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg
18 | # qemu+tcp://hostname/system?auth=sasl.gssapi
19 | #mech_list: digest-md5 gssapi
20 |
21 | # MIT kerberos ignores this option & needs KRB5_KTNAME env var.
22 | # May be useful for other non-Linux OS though....
23 | keytab: /etc/libvirt/krb5.tab
24 |
25 | # If using digest-md5 for username/passwds, then this is the file
26 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
27 | # to add entries, and 'sasldblistusers2 -a libvirt' to browse it
28 | sasldb_path: /etc/libvirt/passwd.db
29 |
30 |
--------------------------------------------------------------------------------
/templates/lxc.conf.orig:
--------------------------------------------------------------------------------
1 | # Master configuration file for the LXC driver.
2 | # All settings described here are optional - if omitted, sensible
3 | # defaults are used.
4 |
5 | # By default, log messages generated by the lxc controller go to the
6 | # container logfile. It is also possible to accumulate log messages
7 | # from all lxc controllers along with libvirtd's log outputs. In this
8 | # case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
9 | # log_outputs from libvirtd.conf.
10 | #
11 | # This is disabled by default, uncomment below to enable it.
12 | #
13 | # log_with_libvirtd = 1
14 |
15 |
16 | # The default security driver is SELinux. If SELinux is disabled
17 | # on the host, then the security driver will automatically disable
18 | # itself. If you wish to disable QEMU SELinux security driver while
19 | # leaving SELinux enabled for the host in general, then set this
20 | # to 'none' instead.
21 | #
22 | # security_driver = "selinux"
23 |
24 | # If set to non-zero, then the default security labeling
25 | # will make guests confined. If set to zero, then guests
26 | # will be unconfined by default. Defaults to 0.
27 | # security_default_confined = 1
28 |
29 | # If set to non-zero, then attempts to create unconfined
30 | # guests will be blocked. Defaults to 0.
31 | # security_require_confined = 1
32 |
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
require 'puppet-syntax/tasks/puppet-syntax'

# Release tooling lives in the Gemfile's :development group, which CI
# installs without (--without development), so a missing gem is tolerated.
begin
  require 'puppet_blacksmith/rake_tasks'
rescue LoadError
  # no blacksmith tasks in this environment
end

PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.log_format = '%{path}:%{linenumber}:%{check}:%{KIND}:%{message}'
PuppetLint.configuration.fail_on_warnings = true

# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
# http://puppet-lint.com/checks/class_parameter_defaults/
PuppetLint.configuration.send('disable_class_parameter_defaults')
# http://puppet-lint.com/checks/class_inherits_from_params_class/
PuppetLint.configuration.send('disable_class_inherits_from_params_class')

# Packaged output, vendored gems and the spec tree (fixtures are cloned under
# spec/fixtures) are neither linted nor syntax-checked.
excluded_globs = %w[pkg/**/* vendor/**/* spec/**/*]
PuppetLint.configuration.ignore_paths = excluded_globs
PuppetSyntax.exclude_paths = excluded_globs

desc 'Run acceptance tests'
RSpec::Core::RakeTask.new(:acceptance) { |task| task.pattern = 'spec/acceptance' }

desc 'Run syntax, lint, and spec tests.'
task :test => [:syntax, :lint, :spec]

--------------------------------------------------------------------------------
/templates/sasl2/qemu-kvm.conf.orig:
--------------------------------------------------------------------------------
1 | # If you want to use the non-TLS socket, then you *must* include
2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
3 | # ones that can offer session encryption as well as authentication.
4 | #
5 | # If you're only using TLS, then you can turn on any mechanisms
6 | # you like for authentication, because TLS provides the encryption
7 | #
8 | # Default to a simple username+password mechanism
9 | # NB digest-md5 is no longer considered secure by current standards
10 | mech_list: digest-md5
11 |
12 | # Before you can use GSSAPI, you need a service principle on the
13 | # KDC server for libvirt, and that to be exported to the keytab
14 | # file listed below
15 | #mech_list: gssapi
16 | #
17 | # You can also list many mechanisms at once, then the user can choose
18 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg
19 | # qemu+tcp://hostname/system?auth=sasl.gssapi
20 | #mech_list: digest-md5 gssapi
21 |
22 | # Some older builds of MIT kerberos on Linux ignore this option &
23 | # instead need KRB5_KTNAME env var.
24 | # For modern Linux, and other OS, this should be sufficient
25 | keytab: /etc/qemu/krb5.tab
26 |
27 | # If using digest-md5 for username/passwds, then this is the file
28 | # containing the passwds. Use 'saslpasswd2 -a qemu [username]'
29 | # to add entries, and 'sasldblistusers2 -a qemu' to browse it
30 | sasldb_path: /etc/qemu/passwd.db
31 |
32 |
33 | auxprop_plugin: sasldb
34 |
35 |
--------------------------------------------------------------------------------
/templates/sasl2/libvirt.conf.erb:
--------------------------------------------------------------------------------
<%# SASL config for libvirtd (pre-EL8 variant). @sasl2_libvirt_mech_list and -%>
<%# @sasl2_libvirt_keytab override the two settings when set; the remaining -%>
<%# lines are the upstream file verbatim. -%>
# If you want to use the non-TLS socket, then you *must* include
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
# ones that can offer session encryption as well as authentication.
#
# If you're only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# Default to a simple username+password mechanism
<%# NOTE(review): digest-md5 is kept as the fallback for compatibility, but -%>
<%# the el8 variant of this template documents it as broken per RFC 6331 -- -%>
<%# and on the non-TLS socket it is also what provides the encryption. -%>
<%# Deployments should set @sasl2_libvirt_mech_list (presumably a class -%>
<%# parameter) explicitly rather than rely on this default. -%>
<% if @sasl2_libvirt_mech_list -%>
mech_list: <%= @sasl2_libvirt_mech_list %>
<% else -%>
mech_list: digest-md5
<% end -%>

# Before you can use GSSAPI, you need a service principal on the
# KDC server for libvirt, and that to be exported to the keytab
# file listed below
#mech_list: gssapi
#
# You can also list many mechanisms at once, then the user can choose
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: digest-md5 gssapi

# MIT kerberos ignores this option & needs KRB5_KTNAME env var.
# May be useful for other non-Linux OS though....
<% if @sasl2_libvirt_keytab -%>
keytab: <%= @sasl2_libvirt_keytab %>
<% else -%>
keytab: /etc/libvirt/krb5.tab
<% end -%>

# If using digest-md5 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -a libvirt' to browse it
sasldb_path: /etc/libvirt/passwd.db

--------------------------------------------------------------------------------
/templates/sasl2/qemu-kvm.conf.erb:
--------------------------------------------------------------------------------
<%# SASL config for QEMU (pre-EL8 variant). @sasl2_qemu_mech_list, -%>
<%# @sasl2_qemu_keytab and @sasl2_qemu_auxprop_plugin override the three -%>
<%# settings when set; everything else is the upstream file verbatim. -%>
# If you want to use the non-TLS socket, then you *must* include
# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only
# ones that can offer session encryption as well as authentication.
#
# If you're only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# Default to a simple username+password mechanism
# NB digest-md5 is no longer considered secure by current standards
<%# NOTE(review): the line above is upstream's own warning, yet digest-md5 -%>
<%# remains the fallback here (the el8 variant cites RFC 6331). Deployments -%>
<%# should set @sasl2_qemu_mech_list explicitly rather than rely on it. -%>
<% if @sasl2_qemu_mech_list -%>
mech_list: <%= @sasl2_qemu_mech_list %>
<% else -%>
mech_list: digest-md5
<% end -%>

# Before you can use GSSAPI, you need a service principal on the
# KDC server for libvirt, and that to be exported to the keytab
# file listed below
#mech_list: gssapi
#
# You can also list many mechanisms at once, then the user can choose
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: digest-md5 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
<% if @sasl2_qemu_keytab -%>
keytab: <%= @sasl2_qemu_keytab %>
<% else -%>
keytab: /etc/qemu/krb5.tab
<% end -%>

# If using digest-md5 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a qemu [username]'
# to add entries, and 'sasldblistusers2 -a qemu' to browse it
sasldb_path: /etc/qemu/passwd.db

<% if @sasl2_qemu_auxprop_plugin -%>
auxprop_plugin: <%= @sasl2_qemu_auxprop_plugin %>
<% else -%>
auxprop_plugin: sasldb
<% end -%>


--------------------------------------------------------------------------------
/spec/acceptance/class_spec.rb:
--------------------------------------------------------------------------------
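require 'spec_helper_acceptance'

# Acceptance coverage for the libvirt class on a real node: the manifest has
# to apply without error, be idempotent on a second run, and leave the
# package installed and the service enabled and running.
describe 'libvirt class' do
  case fact('osfamily')
  when 'RedHat'
    package_name = 'libvirt'
    service_name = 'libvirtd'
    # NOTE(review): EL6-era package name; it may not exist on the newer EL
    # releases metadata.json lists -- confirm before running there.
    virtinst_package = 'python-virtinst'
  when 'Debian'
    package_name = 'libvirt-bin'
    service_name = 'libvirt-bin'
    virtinst_package = 'virtinst'
  else
    # Previously the names stayed nil here and the package()/service()
    # matchers below failed with opaque messages; name the family instead.
    raise "libvirt acceptance spec: no package/service names for osfamily #{fact('osfamily').inspect}"
  end

  context 'default parameters' do
    # Using puppet_apply as a helper
    it 'should work with no errors' do
      pp = <<-EOS
      class { 'libvirt': }
      EOS

      # Run it twice and test for idempotency: the first run may report
      # changes (anything but the failure code 1), the second must be a clean
      # no-op (0).
      expect(apply_manifest(pp).exit_code).to_not eq(1)
      expect(apply_manifest(pp).exit_code).to eq(0)
    end

    describe package(package_name) do
      it { should be_installed }
    end
    describe service(service_name) do
      it { should be_enabled }
      it { should be_running }
    end
  end

  context 'with virtinst package' do
    # Using puppet_apply as a helper
    it 'should work with no errors' do
      pp = <<-EOS
      class { 'libvirt':
        virtinst => true,
      }
      EOS

      # Run it twice and test for idempotency (same exit-code rule as above).
      expect(apply_manifest(pp).exit_code).to_not eq(1)
      expect(apply_manifest(pp).exit_code).to eq(0)
    end

    describe package(package_name) do
      it { should be_installed }
    end

    describe service(service_name) do
      it { should be_enabled }
      it { should be_running }
    end

    describe package(virtinst_package) do
      it { should be_installed }
    end
  end
end
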
--------------------------------------------------------------------------------
/templates/sasl2/libvirt.conf-el8.erb:
--------------------------------------------------------------------------------
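<%# SASL config for libvirtd, EL8 variant. Honours the same override -%>
<%# variables as libvirt.conf.erb (@sasl2_libvirt_mech_list and -%>
<%# @sasl2_libvirt_keytab) so that values handed to the class are not -%>
<%# silently ignored on EL8; the upstream defaults apply when they are unset. -%>
# If you want to use the non-TLS socket, then you *must* pick a
# mechanism which provides session encryption as well as
# authentication.
#
# If you are only using TLS, then you can turn on any mechanisms
# you like for authentication, because TLS provides the encryption
#
# If you are only using UNIX sockets, then encryption is not
# required at all.
#
# Since SASL is the default for the libvirtd non-TLS socket, we
# pick a strong mechanism by default.
#
# NB, previously DIGEST-MD5 was set as the default mechanism for
# libvirt. Per RFC 6331 this is vulnerable to many serious security
# flaws and should no longer be used. Thus GSSAPI is now the default.
#
# To use GSSAPI requires that a libvirtd service principal is
# added to the Kerberos server for each host running libvirtd.
# This principal needs to be exported to the keytab file listed below
<% if @sasl2_libvirt_mech_list -%>
mech_list: <%= @sasl2_libvirt_mech_list %>
<% else -%>
mech_list: gssapi
<% end -%>

# If using a TLS socket or UNIX socket only, it is possible to
# enable plugins which don't provide session encryption. The
# 'scram-sha-1' plugin allows plain username/password authentication
# to be performed
#
#mech_list: scram-sha-1

#
# You can also list many mechanisms at once, then the user can choose
# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
# qemu+tcp://hostname/system?auth=sasl.gssapi
#mech_list: scram-sha-1 gssapi

# Some older builds of MIT kerberos on Linux ignore this option &
# instead need KRB5_KTNAME env var.
# For modern Linux, and other OS, this should be sufficient
#
<% if @sasl2_libvirt_keytab -%>
keytab: <%= @sasl2_libvirt_keytab %>
<% else -%>
keytab: /etc/libvirt/krb5.tab
<% end -%>

# If using scram-sha-1 for username/passwds, then this is the file
# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
#sasldb_path: /etc/libvirt/passwd.db
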
--------------------------------------------------------------------------------
/templates/sasl2/libvirt.conf-el8.orig:
--------------------------------------------------------------------------------
1 | # If you want to use the non-TLS socket, then you *must* pick a
2 | # mechanism which provides session encryption as well as
3 | # authentication.
4 | #
5 | # If you are only using TLS, then you can turn on any mechanisms
6 | # you like for authentication, because TLS provides the encryption
7 | #
8 | # If you are only using UNIX, sockets then encryption is not
9 | # required at all.
10 | #
11 | # Since SASL is the default for the libvirtd non-TLS socket, we
12 | # pick a strong mechanism by default.
13 | #
14 | # NB, previously DIGEST-MD5 was set as the default mechanism for
15 | # libvirt. Per RFC 6331 this is vulnerable to many serious security
16 | # flaws and should no longer be used. Thus GSSAPI is now the default.
17 | #
18 | # To use GSSAPI requires that a libvirtd service principal is
19 | # added to the Kerberos server for each host running libvirtd.
20 | # This principal needs to be exported to the keytab file listed below
21 | mech_list: gssapi
22 |
23 | # If using a TLS socket or UNIX socket only, it is possible to
24 | # enable plugins which don't provide session encryption. The
25 | # 'scram-sha-1' plugin allows plain username/password authentication
26 | # to be performed
27 | #
28 | #mech_list: scram-sha-1
29 |
30 | #
31 | # You can also list many mechanisms at once, then the user can choose
32 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg
33 | # qemu+tcp://hostname/system?auth=sasl.gssapi
34 | #mech_list: scram-sha-1 gssapi
35 |
36 | # Some older builds of MIT kerberos on Linux ignore this option &
37 | # instead need KRB5_KTNAME env var.
38 | # For modern Linux, and other OS, this should be sufficient
39 | #
40 | keytab: /etc/libvirt/krb5.tab
41 |
42 | # If using scram-sha-1 for username/passwds, then this is the file
43 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
44 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
45 | #sasldb_path: /etc/libvirt/passwd.db
46 |
--------------------------------------------------------------------------------
/templates/sysconfig/libvirtd.erb:
--------------------------------------------------------------------------------
<%# Rendered from the @sysconfig hash: the stock commented-out lines are -%>
<%# kept as documentation and an assignment is emitted only for the keys -%>
<%# that are set. Values are interpolated verbatim and unquoted, unlike the -%>
<%# quoted example on the LIBVIRTD_ARGS line below, so a value containing -%>
<%# spaces (several arguments) lands unquoted on the line; whether that is -%>
<%# safe depends on whether the file is sourced by an init script or read by -%>
<%# systemd -- confirm, or have callers include the quotes themselves. -%>
# Override the default config file
# NOTE: This setting is no longer honoured if using
# systemd. Set '--config /etc/libvirt/libvirtd.conf'
# in LIBVIRTD_ARGS instead.
#LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf
<% if @sysconfig['LIBVIRTD_CONFIG'] -%>
LIBVIRTD_CONFIG=<%= @sysconfig['LIBVIRTD_CONFIG'] %>
<% end -%>

# Listen for TCP/IP connections
# NB. must setup TLS/SSL keys prior to using this
#LIBVIRTD_ARGS="--listen"
<%# NOTE(review): a LIBVIRTD_ARGS containing --listen exposes libvirtd on -%>
<%# TCP; the upstream comment above (TLS keys first) is a precondition, -%>
<%# not a suggestion. -%>
<% if @sysconfig['LIBVIRTD_ARGS'] -%>
LIBVIRTD_ARGS=<%= @sysconfig['LIBVIRTD_ARGS'] %>
<% end -%>

# Override Kerberos service keytab for SASL/GSSAPI
#KRB5_KTNAME=/etc/libvirt/krb5.tab
<% if @sysconfig['KRB5_KTNAME'] -%>
KRB5_KTNAME=<%= @sysconfig['KRB5_KTNAME'] %>
<% end -%>

# Override the QEMU/SDL default audio driver probing when
# starting virtual machines using SDL graphics
#
# NB these have no effect for VMs using VNC, unless vnc_allow_host_audio
# is enabled in /etc/libvirt/qemu.conf
#QEMU_AUDIO_DRV=sdl
<% if @sysconfig['QEMU_AUDIO_DRV'] -%>
QEMU_AUDIO_DRV=<%= @sysconfig['QEMU_AUDIO_DRV'] %>
<% end -%>
#
#SDL_AUDIODRIVER=pulse
<% if @sysconfig['SDL_AUDIODRIVER'] -%>
SDL_AUDIODRIVER=<%= @sysconfig['SDL_AUDIODRIVER'] %>
<% end -%>

# Override the maximum number of opened files.
# This only works with traditional init scripts.
# In the systemd world, the limit can only be changed by overriding
# LimitNOFILE for libvirtd.service. To do that, just create a *.conf
# file in /etc/systemd/system/libvirtd.service.d/ (for example
# /etc/systemd/system/libvirtd.service.d/openfiles.conf) and write
# the following two lines in it:
# [Service]
# LimitNOFILE=2048
#
#LIBVIRTD_NOFILES_LIMIT=2048
<% if @sysconfig['LIBVIRTD_NOFILES_LIMIT'] -%>
LIBVIRTD_NOFILES_LIMIT=<%= @sysconfig['LIBVIRTD_NOFILES_LIMIT'] %>
<% end -%>

--------------------------------------------------------------------------------
/templates/sasl2/qemu-kvm.conf-el8.erb:
--------------------------------------------------------------------------------
1 | # If you want to use VNC remotely without TLS, then you *must*
2 | # pick a mechanism which provides session encryption as well
3 | # as authentication.
4 | #
5 | # If you are only using TLS, then you can turn on any mechanisms
6 | # you like for authentication, because TLS provides the encryption
7 | #
8 | # If you are only using UNIX sockets then encryption is not
9 | # required at all.
10 | #
11 | # NB, previously DIGEST-MD5 was set as the default mechanism for
12 | # QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
13 | # flaws and should no longer be used. Thus GSSAPI is now the default.
14 | #
15 | # To use GSSAPI requires that a QEMU service principal is
16 | # added to the Kerberos server for each host running QEMU.
17 | # This principal needs to be exported to the keytab file listed below
18 | mech_list: gssapi
19 |
20 | # If using TLS with VNC, or a UNIX socket only, it is possible to
21 | # enable plugins which don't provide session encryption. The
22 | # 'scram-sha-1' plugin allows plain username/password authentication
23 | # to be performed
24 | #
25 | #mech_list: scram-sha-1
26 |
27 | # You can also list many mechanisms at once, and the VNC server will
28 | # negotiate which to use by considering the list enabled on the VNC
29 | # client.
30 | #mech_list: scram-sha-1 gssapi
31 |
32 | # Some older builds of MIT kerberos on Linux ignore this option &
33 | # instead need KRB5_KTNAME env var.
34 | # For modern Linux, and other OS, this should be sufficient
35 | #
36 | # This file needs to be populated with the service principal that
37 | # was created on the Kerberos v5 server. If switching to a non-gssapi
38 | # mechanism this can be commented out.
39 | keytab: /etc/qemu/krb5.tab
40 |
41 | # If using scram-sha-1 for username/passwds, then this is the file
42 | # containing the passwds. Use 'saslpasswd2 -a qemu [username]'
43 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
44 | #sasldb_path: /etc/qemu/passwd.db
45 |
--------------------------------------------------------------------------------
/templates/sasl2/qemu-kvm.conf-el8.orig:
--------------------------------------------------------------------------------
1 | # If you want to use VNC remotely without TLS, then you *must*
2 | # pick a mechanism which provides session encryption as well
3 | # as authentication.
4 | #
5 | # If you are only using TLS, then you can turn on any mechanisms
6 | # you like for authentication, because TLS provides the encryption
7 | #
8 | # If you are only using UNIX sockets then encryption is not
9 | # required at all.
10 | #
11 | # NB, previously DIGEST-MD5 was set as the default mechanism for
12 | # QEMU VNC. Per RFC 6331 this is vulnerable to many serious security
13 | # flaws as should no longer be used. Thus GSSAPI is now the default.
14 | #
15 | # To use GSSAPI requires that a QEMU service principal is
16 | # added to the Kerberos server for each host running QEMU.
17 | # This principal needs to be exported to the keytab file listed below
18 | mech_list: gssapi
19 |
20 | # If using TLS with VNC, or a UNIX socket only, it is possible to
21 | # enable plugins which don't provide session encryption. The
22 | # 'scram-sha-1' plugin allows plain username/password authentication
23 | # to be performed
24 | #
25 | #mech_list: scram-sha-1
26 |
27 | # You can also list many mechanisms at once, and the VNC server will
28 | # negotiate which to use by considering the list enabled on the VNC
29 | # client.
30 | #mech_list: scram-sha-1 gssapi
31 |
32 | # Some older builds of MIT kerberos on Linux ignore this option &
33 | # instead need KRB5_KTNAME env var.
34 | # For modern Linux, and other OS, this should be sufficient
35 | #
36 | # This file needs to be populated with the service principal that
37 | # was created on the Kerberos v5 server. If switching to a non-gssapi
38 | # mechanism this can be commented out.
39 | keytab: /etc/qemu/krb5.tab
40 |
41 | # If using scram-sha-1 for username/passwds, then this is the file
42 | # containing the passwds. Use 'saslpasswd2 -a qemu [username]'
43 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
44 | #sasldb_path: /etc/qemu/passwd.db
45 |
--------------------------------------------------------------------------------
/templates/network.xml.erb:
--------------------------------------------------------------------------------
1 |
2 | <%= @name -%>
3 | <%- if @mac -%>
4 |
5 | <%- end -%>
6 | <%- if @forward_mode -%>
7 | dev='<%= @forward_dev -%>'<%-end-%> mode='<%= @forward_mode -%>'<%-if @forward_interfaces.empty? -%>/<%-end-%>>
8 | <%- if !@forward_interfaces.empty? -%>
9 | <%- @forward_interfaces.each do |dev| -%>
10 |
11 | <%- end -%>
12 |
13 | <%- end -%>
14 | <%-end -%>
15 | <%- if @bridge -%>
16 | stp='on' delay='0'<%-end-%>/>
17 | <%- end -%>
18 | <%-if @ip -%>
19 | <%- @ip.each do |ip| -%>
20 | address='<%=ip['address']-%>'<%-end-%><%-if ip['netmask']-%> netmask='<%=ip['netmask']-%>'<%-end-%><%-if ip['prefix']-%> prefix='<%=ip['prefix']-%>'<%-end-%><%- unless ip['dhcp'] %>/<%- end -%>>
21 | <%- if ip['dhcp'] -%>
22 | <%- dhcp = ip['dhcp'] -%>
23 |
24 | <%-if dhcp['start'] and dhcp['end']-%>
25 | ' end='<%=dhcp['end']-%>'/>
26 | <%-end-%>
27 | <%-if dhcp['bootp_file']-%>
28 | '<%-if dhcp['bootp_server']-%> server='<%=dhcp['bootp_server']-%>'<%-end-%>/>
29 | <%-end-%>
30 |
31 |
32 | <%- end-%>
33 | <%- end-%>
34 | <%-end-%>
35 | <%-if @ipv6 -%>
36 | <%- @ipv6.each do |ip| -%>
37 | address='<%=ip['address']-%>'<%-end-%><%-if ip['netmask']-%> netmask='<%=ip['netmask']-%>'<%-end-%><%-if ip['prefix']-%> prefix='<%=ip['prefix']-%>'<%-end-%><%- unless ip['dhcp'] %>/<%- end -%>>
38 | <%- if ip['dhcp'] -%>
39 | <%- dhcp = ip['dhcp'] -%>
40 |
41 | <%-if dhcp['start'] and dhcp['end']-%>
42 | ' end='<%=dhcp['end']-%>'/>
43 | <%-end-%>
44 |
45 |
46 | <%- end-%>
47 | <%- end-%>
48 | <%-end-%>
49 |
50 |
--------------------------------------------------------------------------------
/manifests/params.pp:
--------------------------------------------------------------------------------
# Class: libvirt::params
#
# Hold values for parameters and variables for each supported platform.
# Every branch assigns the same set of variables, so the main class and
# libvirt::network can reference them without checking the platform again.
#
class libvirt::params {

  case $facts['os']['family'] {
    'RedHat': {
      $libvirt_package = "libvirt.${facts['os']['architecture']}"
      # EL9 and later get the modular qemu daemon, older releases the
      # monolithic libvirtd.
      $libvirt_service = if versioncmp($facts['os']['release']['major'], '9') >= 0 {
        'virtqemud'
      } else {
        'libvirtd'
      }
      # EL7 and later ship virt-install; older releases python-virtinst.
      $virtinst_package = if versioncmp($facts['os']['release']['major'], '7') >= 0 {
        'virt-install'
      } else {
        'python-virtinst'
      }
      $radvd_package      = 'radvd'
      $sysconfig          = {}
      $deb_default        = false
      $auth_unix_ro       = false
      $unix_sock_rw_perms = false
      $auth_unix_rw       = false
      $unix_sock_group    = false
    }
    'Debian': {
      $libvirt_package  = 'libvirt-bin'
      $virtinst_package = 'virtinst'
      $radvd_package    = 'radvd'
      $sysconfig        = false
      $deb_default      = {}
      # UNIX socket: no SASL/polkit auth on either socket; access to the
      # read-write socket is gated by group membership and 0770 permissions.
      $auth_unix_ro       = 'none'
      $unix_sock_rw_perms = '0770'
      $auth_unix_rw       = 'none'
      # Ubuntu and Linux Mint name both the service and the socket group
      # differently from the rest of the Debian family.
      $libvirt_service = $facts['os']['name'] ? {
        'Ubuntu'    => 'libvirt-bin',
        'LinuxMint' => 'libvirt-bin',
        default     => 'libvirtd',
      }
      $unix_sock_group = $facts['os']['name'] ? {
        'Ubuntu'    => 'libvirtd',
        'LinuxMint' => 'libvirtd',
        default     => 'libvirt',
      }
    }
    default: {
      $libvirt_package    = 'libvirt'
      $libvirt_service    = 'libvirtd'
      $virtinst_package   = 'python-virtinst'
      $radvd_package      = 'radvd'
      $sysconfig          = false
      $deb_default        = false
      $auth_unix_ro       = false
      $unix_sock_rw_perms = false
      $auth_unix_rw       = false
      $unix_sock_group    = false
    }
  }

  # Defaults for the stock libvirt "default" network (192.168.122.0/24
  # with a DHCP range covering the rest of the subnet).
  $default_dhcp = {
    'start' => '192.168.122.2',
    'end'   => '192.168.122.254',
  }
  $default_ip = {
    'address' => '192.168.122.1',
    'netmask' => '255.255.255.0',
    'dhcp'    => $default_dhcp,
  }
}
73 |
74 |
--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | #### 2025-02-04 - 1.0.3
2 | * Remove legacy facts usage.
3 | * Remove obsolete validate functions.
4 |
5 | #### 2022-11-15 - 1.0.2
6 | * Add support for RHEL9.
7 |
8 | #### 2021-06-30 - 1.0.1
9 | * Add support for Linux Mint (#55, @ssaki).
10 | * Add support for RHEL8 with templates as close to the original as possible.
11 |
12 | #### 2015-04-28 - 1.0.0
13 | * Strip whitespace to fix pool detection (#30, @CyBeRoni).
14 | * Convert spec system to beaker tests (#33, @igalic).
15 | * Fix activate vs. active in the README (#35, @unicorn-ljw).
16 | * Pool simplify (#39, @igalic).
17 | * Fix version comparison for puppet future parser (#40, @edestecd).
18 | * Force LC_ALL=en_US.utf8 for all execs (#41, @kakwa).
19 | * Replace Modulefile with metadata.json.
20 |
21 | #### 2014-05-05 - 0.3.2
22 | * Bugfix for debian defaults with Puppet 2.7 (#28, @darktim).
23 | * Add qemu_user and qemu_group parameters (#28, @darktim).
24 | * Add support for RHEL7.
25 | * Add version to the puppetlabs/stdlib dependency.
26 |
27 | #### 2014-01-31 - 0.3.1
28 | * Fixed typo in init.pp (#23, @gigawhat).
29 |
30 | #### 2014-01-28 - 0.3.0
31 | * Add /etc/default/libvirt-bin generation for debian systems (#15, @msimonin).
32 | * Add type to manage storage pools (#16, @msimonin).
33 | * Fix tests (#17, @igalic).
34 | * Add initial configuration of qemu.conf (#18, @luisfdez).
35 | * Add qemu_set_process_name parameter (#21).
36 | * Add networks and networks_defaults parameters, useful from hiera (#9).
37 |
38 | #### 2013-10-16 - 0.2.3
39 | * Fix for default sysconfig setting on RedHat.
40 | * Add listen_addr, tcp_auth and tls_auth parameters.
41 |
42 | #### 2013-10-16 - 0.2.2
43 | * Add sysconfig/libvirtd file management on RedHat osfamily.
44 | * Add tls and tcp related parameters.
45 |
46 | #### 2013-10-14 - 0.2.1
47 | * Add new libvirt::network definition (Igor Galić).
48 | * Move all current parameters to the params class.
49 |
50 | #### 2013-10-07 - 0.2.0
51 | * Add puppet-rspec and rspec system tests (Igor Galić).
52 | * Add Debian/Ubuntu support (Igor Galić).
53 |
54 | #### 2013-10-04 - 0.1.1
55 | * Add syntax highlighting tags to the README.
56 |
57 | #### 2013-05-24 - 0.1.0
58 | * Update README and use markdown.
59 | * Change to 2-space indent.
60 |
61 | #### 2012-08-29 - 0.0.1
62 | * Clean up existing module.
63 |
64 |
--------------------------------------------------------------------------------
/lib/puppet/type/libvirt_pool.rb:
--------------------------------------------------------------------------------
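Puppet::Type.newtype(:libvirt_pool) do
  @doc = %q{Manages libvirt pools

    Example :
      libvirt_pool { 'default' :
        ensure => absent
      }


      libvirt_pool { 'mydirpool' :
        ensure    => present,
        active    => true,
        autostart => true,
        type      => 'dir',
        target    => '/tmp/mypool',
      }

      libvirt_pool { 'vm_storage':
        ensure    => 'present',
        active    => 'true',
        type      => 'logical',
        sourcedev => ['/dev/sdb', '/dev/sdc'],
        target    => '/dev/vg0'
      }


  }

  ensurable do

    desc 'Manages the creation or the removal of a pool
    `present` means that the pool will be defined and created
    `absent` means that the pool will be purged from the system'

    defaultto(:present)

    newvalue(:present) do
      provider.create
    end

    newvalue(:absent) do
      # Only tear the pool down when the provider reports it as known.
      provider.destroy if provider.exists?
    end

    # The current ensure value is taken straight from the provider, which
    # looks the pool up in `virsh pool-list --all`, rather than from the
    # prefetched property hash.
    def retrieve
      provider.status
    end

  end

  newparam(:name, :namevar => true) do
    desc 'The pool name.'
    # \A and \z anchor the whole value. Ruby's ^ and $ only anchor at line
    # boundaries, so the former /^\S+$/ accepted a value like "foo\nbar".
    # The name is passed verbatim to virsh and used to build the tempfile
    # name in the provider, so it must be a single whitespace-free token.
    newvalues(/\A\S+\z/)
  end

  newparam(:type) do
    desc 'The pool type.'
    newvalues(:dir, :netfs, :fs, :logical, :disk, :iscsi, :mpath, :rbd, :sheepdog)
  end

  newparam(:sourcehost) do
    desc 'The source host.'
    # whole-value anchors, same reasoning as :name
    newvalues(/\A\S+\z/)
  end

  newparam(:sourcepath) do
    desc 'The source path.'
    # Deliberately permissive: any value containing a word character, with
    # an optional slash before it, is accepted. Kept as-is so existing
    # manifests keep validating.
    newvalues(/(\/)?(\w)/)
  end

  newparam(:sourcedev) do
    desc 'The source device.'
    # same permissive pattern as :sourcepath; may be given as an array
    newvalues(/(\/)?(\w)/)
  end

  newparam(:sourcename) do
    desc 'The source name.'
    # whole-value anchors, same reasoning as :name
    newvalues(/\A\S+\z/)
  end

  newparam(:sourceformat) do
    desc 'The source format.'
    newvalues(:auto, :nfs, :glusterfs, :cifs)
  end

  newparam(:target) do
    desc 'The target.'
    # same permissive pattern as :sourcepath
    newvalues(/(\/)?(\w)/)
  end

  newproperty(:active) do
    desc 'Whether the pool should be started.'
    # Values are the symbols :true / :false; the provider stores and
    # compares the same symbols.
    defaultto(:true)
    newvalues(:true, :false)
  end

  newproperty(:autostart) do
    desc 'Whether the pool should be autostarted.'
    defaultto(:false)
    newvalues(:true, :false)
  end

end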
107 |
--------------------------------------------------------------------------------
/spec/defines/network_spec.rb:
--------------------------------------------------------------------------------
1 | # Copyright 2013 Brainsware
2 | #
3 | # Licensed under the Apache License, Version 2.0 (the "License");
4 | # you may not use this file except in compliance with the License.
5 | # You may obtain a copy of the License at
6 | #
7 | # http://www.apache.org/licenses/LICENSE-2.0
8 | #
9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 |
15 | require 'spec_helper'
16 |
17 | describe 'libvirt::network' do
18 | network_dir = '/etc/libvirt/qemu/networks'
19 | autostart_dir = "#{network_dir}/autostart"
20 |
21 | let(:title) { 'direct-net' }
22 | let(:params) {{ :forward_mode => 'bridge', :forward_dev => 'eth0', :forward_interfaces => [ 'eth0', ] }}
23 |
24 | it { should contain_libvirt__network('direct-net').with({ 'ensure' => 'present'} )}
25 | it { should contain_exec("create-#{network_dir}/direct-net.xml").with({
26 | 'command' => "cat > #{network_dir}/direct-net.xml <
28 | direct-net
29 |
30 |
31 |
32 |
33 |
34 | EOF",
35 | })}
36 |
37 | context 'pxe boot network' do
38 | let(:title) { 'pxe' }
39 | dhcp = {
40 | 'start' => '192.168.122.2',
41 | 'end' => '192.168.122.254',
42 | 'bootp_file' => 'pxelinux.0',
43 | }
44 | ip = {
45 | 'address' => '192.168.122.1',
46 | 'netmask' => '255.255.255.0',
47 | 'dhcp' => dhcp,
48 | }
49 | let(:params) {{ :forward_mode => 'nat', :forward_dev => 'virbr0', :bridge => 'virbr0', :ip => [ ip ] }}
50 |
51 | it { should contain_libvirt__network('pxe').with({ 'ensure' => 'present'} )}
52 | it { should contain_exec("create-#{network_dir}/pxe.xml").with({
53 | 'command' => "cat > #{network_dir}/pxe.xml <
55 | pxe
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 | EOF",
67 | })}
68 | end
69 |
70 | context 'dual stack' do
71 | let(:title) { 'dual-stack' }
72 | dhcp = {
73 | 'start' => '192.168.122.2',
74 | 'end' => '192.168.122.254',
75 | 'bootp_file' => 'pxelinux.0',
76 | }
77 | ip = {
78 | 'address' => '192.168.122.1',
79 | 'netmask' => '255.255.255.0',
80 | 'dhcp' => dhcp,
81 | }
82 | ipv6 = {
83 | 'address' => '2001:db8:ca2:2::1',
84 | 'prefix' => '64',
85 | }
86 | let(:params) {{ :forward_mode => 'nat', :forward_dev => 'virbr0', :bridge => 'virbr0', :ip => [ ip ], :ipv6 => [ ipv6 ] }}
87 |
88 | it { should contain_libvirt__network('dual-stack').with({ 'ensure' => 'present'} )}
89 | it { should contain_exec("create-#{network_dir}/dual-stack.xml").with({
90 | 'command' => "cat > #{network_dir}/dual-stack.xml <
92 | dual-stack
93 |
94 |
95 |
96 |
97 |
98 |
99 |
100 |
101 |
102 |
103 |
104 | EOF",
105 | })}
106 | end
107 |
108 | end
109 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # puppet-libvirt
2 |
3 | ## Overview
4 |
5 | Libvirt module. Useful on minimal Red Hat Enterprise Linux and Debian/Ubuntu
6 | installations which need to be configured as KVM virtualization hosts.
7 |
8 | * `libvirt` : Main class to install, enable and configure libvirt.
9 | * `libvirt::network` : Definition to manage libvirt networks.
10 |
11 | ## Examples
12 |
13 | Use all of the module's defaults :
14 |
15 | ```puppet
16 | include '::libvirt'
17 | ```
18 |
19 | Typical KVM/qemu host for virtualization :
20 |
21 | ```puppet
22 | class { '::libvirt':
23 | mdns_adv => false
24 | }
25 | ```
26 |
27 | Change even more defaults :
28 |
29 | ```puppet
30 | class { '::libvirt':
31 | defaultnetwork => true,
32 | virtinst => false,
33 | unix_sock_group => 'wheel',
34 | unix_sock_rw_perms => '0770',
35 | }
36 | ```
37 |
38 | The module also allows the user to customize qemu parameters :
39 |
40 | ```puppet
41 | class { '::libvirt':
42 | qemu_vnc_listen => "0.0.0.0",
43 | qemu_vnc_sasl => true,
44 | qemu_vnc_tls => false,
45 | }
46 | ```
47 |
48 | Configure Kerberos authentication:
49 |
50 | ```puppet
51 | class { '::libvirt':
52 | listen_tls => false,
53 | listen_tcp => true,
54 | auth_tcp => 'sasl',
55 | sysconfig => {
56 | 'LIBVIRTD_ARGS' => '--listen',
57 | },
58 | sasl2_libvirt_mech_list => 'gssapi',
59 | sasl2_libvirt_keytab => '/etc/libvirt/krb5.tab',
60 | qemu_vnc_listen => "0.0.0.0",
61 | qemu_vnc_sasl => true,
62 | qemu_vnc_tls => false,
63 | sasl2_qemu_mech_list => 'gssapi',
64 | sasl2_qemu_keytab => '/etc/qemu/krb5.tab',
65 | sasl2_qemu_auxprop_plugin => 'sasldb',
66 | }
67 | ```
68 |
69 | Replace the default network with a PXE boot one :
70 |
71 | ```puppet
72 | class { '::libvirt':
73 | defaultnetwork => false, # This is the default
74 | }
75 |
76 | $dhcp = {
77 | 'start' => '192.168.122.2',
78 | 'end' => '192.168.122.254',
79 | 'bootp_file' => 'pxelinux.0',
80 | }
81 | $ip = {
82 | 'address' => '192.168.122.1',
83 | 'netmask' => '255.255.255.0',
84 | 'dhcp' => $dhcp,
85 | }
86 |
87 | libvirt::network { 'pxe':
88 | forward_mode => 'nat',
89 | forward_dev => 'virbr0',
90 | ip => [ $ip ],
91 | }
92 | ```
93 |
94 | IPv6 is also supported; it has the same semantics as `ip`:
95 |
96 | ```puppet
97 | # $ip = same as above
98 |
99 | $ipv6 = {
100 | address => '2001:db8:ca2:2::1',
101 | prefix => '64',
102 | }
103 |
104 | libvirt::network { 'dual-stack':
105 | forward_mode => 'nat',
106 | forward_dev => 'virbr0',
107 | ip => [ $ip ],
108 | ipv6 => [ $ipv6 ],
109 | }
110 | ```
111 |
112 | While this might look a little convoluted in puppet code, this gives you the ability to specify networks in hiera, and then use `create_resources()` to generate them:
113 |
114 | ```yaml
115 | ---
116 | libvirt_networks:
117 |
118 | pxe:
119 | autostart: true
120 | forward_mode: nat
121 | forward_dev: virbr0
122 | ip:
123 | - address: 192.168.122.1
124 | netmask: 255.255.255.0
125 | dhcp:
126 | start: 192.168.122.2
127 | end: 192.168.122.254
128 | bootp_file: pxelinux.0
129 | direct:
130 | autostart: true
131 | forward_mode: bridge
132 | forward_dev: br0
133 | forward_interfaces:
134 | - eth0
135 | ```
136 |
137 | and then in your manifest:
138 |
139 | ```puppet
140 | $networks = hiera('libvirt_networks', [])
141 | create_resources($networks, $your_defaults_for_a_network)
142 | ```
143 |
144 | On Red Hat Enterprise Linux, you might want to also manage changes to the
145 | `/etc/sysconfig/libvirtd` file. In this case, you pass the key/value pairs
146 | of the variables to set inside the `sysconfig` hash :
147 |
148 | ```puppet
149 | class { '::libvirt':
150 | listen_tls => false,
151 | listen_tcp => true,
152 | sysconfig => {
153 | 'LIBVIRTD_ARGS' => '--listen',
154 | 'LIBVIRTD_NOFILES_LIMIT' => '4096',
155 | },
156 | }
157 | ```
158 |
159 | ## Native Types
160 |
161 | ### Libvirt Storage Pools
162 |
163 | #### Puppet Resource
164 |
165 | Query all current pools: `$ puppet resource libvirt_pool`
166 |
167 | #### Examples
168 |
169 | * Create a new directory pool :
170 |
171 | ```puppet
172 | libvirt_pool { 'mypool' :
173 | ensure => present,
174 | type => 'dir',
175 | active => false,
176 | target => '/tmp/pool-dir',
177 | }
178 | ```
179 | The above will *define*, *build* but not *activate* the pool.
180 |
181 | By default a pool is *activated* ( same as `active => true`).
182 |
183 | By default a pool is *not autostarted* (same as `autostart => false`).
184 |
185 |
186 |
187 | * Create a `logical` pool (`lvm`) and set the autostart flag :
188 |
189 | ```puppet
190 | libvirt_pool { 'lvm-pool' :
191 | ensure => present,
192 | type => 'logical',
193 | autostart => true,
194 | sourcedev => [ '/dev/sdb1', '/dev/sdc1' ],
195 | sourcename => 'vg',
196 | target => '/dev/vg'
197 | }
198 | ```
199 |
200 | * Remove the default pool :
201 |
202 | ```puppet
203 | libvirt_pool { 'default' :
204 | ensure => absent,
205 | }
206 | ```
207 |
--------------------------------------------------------------------------------
/spec/acceptance/network_spec.rb:
--------------------------------------------------------------------------------
1 | require 'spec_helper_acceptance'
2 |
3 | describe 'libvirt::network' do
4 | network_dir = '/etc/libvirt/qemu/networks'
5 |
6 | context 'enable default network' do
7 | it 'should enable the default network' do
8 | pp = <<-EOS
9 | class { 'libvirt':
10 | defaultnetwork => true
11 | }
12 | EOS
13 |
14 | # Run it twice and test for idempotency
15 | expect(apply_manifest(pp).exit_code).to_not eq(1)
16 | expect(apply_manifest(pp).exit_code).to eq(0)
17 | end
18 |
19 | it 'respond to ping on IP 192.168.122.1 (for interface virbr0)' do
20 | shell('ping -c1 -q -I virbr0 192.168.122.1') do |r|
21 | r.exit_code.should == 0
22 | end
23 | end
24 | end
25 |
26 | context 'network directly connected via bridge' do
27 | it 'should create a network directly connected via a bridge' do
28 | pp = <<-EOS
29 | class { 'libvirt': }
30 | libvirt::network { 'direct-net':
31 | forward_mode => 'bridge',
32 | forward_dev => 'eth0',
33 | forward_interfaces => [ 'eth0']
34 | }
35 | EOS
36 |
37 | # Run it twice and test for idempotency
38 | expect(apply_manifest(pp).exit_code).to_not eq(1)
39 | expect(apply_manifest(pp).exit_code).to eq(0)
40 | end
41 |
42 | describe file("#{network_dir}/direct-net.xml") do
43 | it { should contain "" }
44 | it { should contain "" }
45 | end
46 | end
47 |
48 | context 'network directly connected via autostarted bridge' do
49 | it 'should create an autostarted network directly connected via a bridge' do
50 | pp = <<-EOS
51 | class { 'libvirt': }
52 | libvirt::network { 'direct-net':
53 | autostart => true,
54 | forward_mode => 'bridge',
55 | forward_dev => 'eth0',
56 | forward_interfaces => [ 'eth0']
57 | }
58 | EOS
59 |
60 | # Run it twice and test for idempotency
61 | expect(apply_manifest(pp).exit_code).to_not eq(1)
62 | expect(apply_manifest(pp).exit_code).to eq(0)
63 | end
64 |
65 | it 'respond to ping on public IPs (for interface eth0)' do
66 | shell('ping -c1 -q -I eth0 8.8.8.8') do |r|
67 | r.exit_code.should == 0
68 | end
69 | end
70 | end
71 |
72 | context 'autostarted pxe boot via dhcp' do
73 | it 'should create an autostarted network for booting from DHCP' do
74 | pp = <<-EOS
75 | class { 'libvirt': }
76 | $dhcp = {
77 | 'start' => '192.168.122.2',
78 | 'end' => '192.168.122.254',
79 | 'bootp_file' => 'pxelinux.0',
80 | }
81 | $ip = {
82 | 'address' => '192.168.122.1',
83 | 'netmask' => '255.255.255.0',
84 | 'dhcp' => $dhcp,
85 | }
86 | libvirt::network { 'pxe':
87 | autostart => true,
88 | ensure => 'running',
89 | forward_mode => 'nat',
90 | forward_dev => 'virbr0',
91 | bridge => 'virbr0',
92 | ip => [ $ip]
93 | }
94 | EOS
95 |
96 | # Run it twice and test for idempotency
97 | expect(apply_manifest(pp).exit_code).to_not eq(1)
98 | expect(apply_manifest(pp).exit_code).to eq(0)
99 | end
100 |
101 | it 'respond to ping on IP 192.168.122.1 (for interface virbr0)' do
102 | shell('ping -c1 -q -I virbr0 192.168.122.1') do |r|
103 | r.exit_code.should == 0
104 | end
105 | end
106 | end
107 |
108 | context 'autostarted dual-stack' do
109 | it 'should create an autostarted network with NATed IPv4 network and an IPv6 address' do
110 | pp = <<-EOS
111 | class { 'libvirt': }
112 | $dhcp = {
113 | 'start' => '192.168.222.2',
114 | 'end' => '192.168.222.254',
115 | }
116 | $ip = {
117 | 'address' => '192.168.222.1',
118 | 'netmask' => '255.255.255.0',
119 | }
120 | $ipv6 = {
121 | address => '2001:db8:ca2:2::1',
122 | prefix => '64',
123 | }
124 | libvirt::network { 'dual-stack':
125 | autostart => true,
126 | ensure => 'running',
127 | forward_mode => 'nat',
128 | forward_dev => 'virbr2',
129 | bridge => 'virbr2',
130 | ip => [ $ip],
131 | ipv6 => [ $ipv6 ],
132 | }
133 | EOS
134 |
135 | # Run it twice and test for idempotency
136 | expect(apply_manifest(pp).exit_code).to_not eq(1)
137 | expect(apply_manifest(pp).exit_code).to eq(0)
138 | end
139 |
140 | it 'respond to ping on IP 192.168.222.1 (for interface virbr2)' do
141 | shell('ping -c1 -q -I virbr2 192.168.222.1') do |r|
142 | r.exit_code.should == 0
143 | end
144 | end
145 |
146 | it 'respond to ping6 on IP 2001:db8:ca2:2::1 (for interface virbr2)' do
147 | shell('ping6 -c1 -q -I virbr2 2001:db8:ca2:2::1') do |r|
148 | r.exit_code.should == 0
149 | end
150 | end
151 | end
152 |
153 | end
154 |
--------------------------------------------------------------------------------
/manifests/network.pp:
--------------------------------------------------------------------------------
# Define: libvirt::network
#
# Define, configure, enable and autostart a network for libvirt guests.
#
# Parameters:
#  $ensure
#    Ensure this network is defined (present), or enabled (running), or undefined (absent)
#  $autostart
#    Whether to start this network at boot time
#  $bridge
#    Name of the bridge this network will be attached to
#  $forward_mode
#    One of nat, route, bridge, vepa, passthrough, private, hostdev
#  $forward_dev
#    The interface to forward, useful in bridge and route mode
#  $forward_interfaces
#    An array of interfaces to forward
#  $ip and/or $ipv6 array hashes with
#    address
#    netmask (or alternatively prefix)
#    dhcp   This is another hash that consists of
#      start - start of the range
#      end   - end of the range
#      host  - an array of hosts
#      Note: The following options are not supported on IPv6 networks
#      bootp_file   - A file to serve for servers booting from PXE
#      bootp_server - Which server that file is served from
#  $mac - A MAC for this network, if none is defined, libvirt will choose one for you
#
# The resource title is used verbatim in file paths, virsh command lines and
# grep patterns below and is not validated: keep titles to plain names
# (letters, digits, '-' and '_'), especially when they come from hiera data.
#
# Sample Usage :
#
#  $dhcp = {
#    start      => '192.168.122.2',
#    end        => '192.168.122.254',
#    bootp_file => 'pxelinux.0',
#  }
#  $pxe_ip = {
#    'address' => '192.168.122.2',
#    'prefix'  => '24',
#    'dhcp'    => $dhcp,
#  }
#  libvirt::network { 'pxe':
#    ensure       => 'enabled',
#    autostart    => true,
#    forward_mode => 'nat',
#    ip           => [ $pxe_ip ],
#  }
#
#  libvirt::network { 'direct-net':
#    ensure             => 'enabled',
#    autostart          => true,
#    forward_mode       => 'bridge',
#    forward_dev        => 'br0',
#    forward_interfaces => [ 'eth0', ],
#  }
#
#  $ipv6 = {
#    address => '2001:db8:ca2:2::1',
#    prefix  => '64',
#  }
#
#  libvirt::network { 'dual-stack':
#    ensure       => 'enabled',
#    autostart    => true,
#    forward_mode => 'nat',
#    ip           => [ $pxe_ip ],
#    ipv6         => [ $ipv6 ],
#  }
#
define libvirt::network (
  Enum['present','defined','enabled','running','undefined','absent'] $ensure = 'present',
  Boolean $autostart = false,
  $bridge = undef,
  $forward_mode = undef,
  $forward_dev = undef,
  $forward_interfaces = [],
  $ip = undef,
  $ipv6 = undef,
  $mac = undef,
) {

  include ::libvirt::params

  # Defaults for every exec declared in this define: run as root, only
  # after the libvirt service is managed, with a fixed locale so the
  # `virsh net-list` output grepped below is stable. The commands contain
  # pipes and redirections, so they are evidently interpreted by a shell:
  # everything interpolated into them has to be shell-safe.
  Exec {
    cwd         => '/',
    path        => '/bin:/usr/bin',
    user        => 'root',
    provider    => 'posix',
    require     => Service[$::libvirt::params::libvirt_service],
    environment => ['LC_ALL=en_US.utf8', ],
  }

  # Collapse the six accepted ensure values to present/absent for the XML
  # file and net-define handling; 'enabled'/'running' also start the network.
  $ensure_file = $ensure? {
    /(present|defined|enabled|running)/ => 'present',
    /(undefined|absent)/ => 'absent',
  }

  # NOTE(review): $title lands unquoted in both paths; a title containing
  # '/' or '..' would point outside the networks directory.
  $network_file = "/etc/libvirt/qemu/networks/${title}.xml"
  $autostart_file = "/etc/libvirt/qemu/networks/autostart/${title}.xml"

  case $ensure_file {
    'present': {
      $content = template('libvirt/network.xml.erb')
      # NOTE(review): the command below is garbled in the rendering reviewed;
      # per the module's spec it is a `cat > file <<EOF ... EOF` heredoc
      # carrying $content. A template body containing a bare EOF line would
      # truncate the written XML.
      exec { "create-${network_file}":
        command => "cat > ${network_file} < $network_file,
        # Written once only: changing the parameters later does not
        # regenerate the file (nor re-run net-define); remove the file to
        # force a refresh.
        unless => "test -f ${network_file}",
      }
      exec { "virsh-net-define-${title}":
        command => "virsh net-define ${network_file}",
        # '^\s*${title}' is a prefix match: if a network named e.g.
        # "${title}2" already exists, this one is never defined. The title is
        # also interpolated unescaped into the regex and the single-quoted
        # shell string, so regex metacharacters or a quote in it break the
        # check. The unescaped \s reaches the shell as-is (Puppet may warn
        # about the unrecognized escape); \\s further down is the same thing.
        unless => "virsh -q net-list --all | grep -Eq '^\s*${title}'",
        require => Exec["create-${network_file}"],
      }
      if $autostart {
        # `creates` uses the autostart symlink libvirt drops for the network
        exec { "virsh-net-autostart-${title}":
          command => "virsh net-autostart ${title}",
          require => Exec["virsh-net-define-${title}"],
          creates => $autostart_file,
        }
      }
      if $ensure in [ 'enabled', 'running' ] {
        exec { "virsh-net-start-${title}":
          command => "virsh net-start ${title}",
          require => Exec["virsh-net-define-${title}"],
          unless  => "virsh -q net-list --all | grep -Eq '^\s*${title}\\s+active'",
        }
      }
    }
    'absent': {
      # Stop the network only when it is active, then undefine it once it
      # shows as inactive, and finally drop the XML and autostart files.
      exec { "virsh-net-destroy-${title}":
        command => "virsh net-destroy ${title}",
        onlyif  => "virsh -q net-list --all | grep -Eq '^\s*${title}\\s+active'",
      }
      exec { "virsh-net-undefine-${title}":
        command => "virsh net-undefine ${title}",
        onlyif  => "virsh -q net-list --all | grep -Eq '^\s*${title}\\s+inactive'",
        require => Exec["virsh-net-destroy-${title}"],
      }
      file { [ $network_file, $autostart_file ]:
        ensure  => absent,
        require => Exec["virsh-net-undefine-${title}"],
      }
    }
    default : {
      # Unreachable: the selector above maps every value the Enum admits.
      fail ("${module_name} This default case should never be reached in Libvirt::Network{'${title}':} on node ${facts['networking']['fqdn']}.")
    }
  }
}
149 |
--------------------------------------------------------------------------------
/lib/puppet/provider/libvirt_pool/virsh.rb:
--------------------------------------------------------------------------------
1 | require 'rexml/document'
2 | require 'tempfile'
3 |
4 | Puppet::Type.type(:libvirt_pool).provide(:virsh) do
5 |
6 | commands :virsh => 'virsh'
7 |
  # One provider instance per row of `virsh -q pool-list --all`; the row
  # columns are name, state ("active"/"inactive") and autostart ("yes"/"no").
  def self.instances
    output = virsh('-q', 'pool-list', '--all')
    output.split(/\n/).map do |row|
      name, state, auto = row.strip.split(/ +/)
      new(
        :name      => name,
        :active    => state.match(/^act/) ? :true : :false,
        :autostart => auto.match(/no/) ? :false : :true,
        :provider  => self.name
      )
    end
  end
20 |
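  # :present when a pool with this resource's name shows up in
  # `virsh -q pool-list --all` (defined or running), :absent otherwise.
  def status
    wanted = resource[:name]
    output = virsh('-q', 'pool-list', '--all')
    # Compare the name column literally. The former /^#{name}$/ interpolated
    # the name into a regex, so '.' or '(' in a pool name could match a
    # different pool or raise RegexpError.
    found = output.split(/\n/).any? do |line|
      line.strip.split(/ +/).first == wanted
    end
    found ? :present : :absent
  end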
32 |
  # Attach a discovered provider instance to each managed resource whose
  # name matches an existing pool; resources for unknown pools keep none.
  def self.prefetch(resources)
    existing = instances
    resources.each_key do |name|
      matched = existing.find { |pool| pool.name == name }
      resources[name].provider = matched if matched
    end
  end
41 |
  # Define and build the pool, then bring active/autostart in line with the
  # resource's should values.
  def create
    unless definePool
      # definePool only reports false when `virsh pool-define` did not run
      # to completion (malformed XML, tmpfile failure, ...).
      raise Puppet::Error.new("Unable to define the pool")
    end
    buildPool

    @property_hash[:ensure] = :present
    # active first, then autostart, each only when it differs from `should`
    [:active, :autostart].each do |prop|
      wanted = @resource.should(prop)
      send("#{prop}=", wanted) unless send(prop) == wanted
    end
  end
63 |
  # Stop and undefine the pool, then forget everything cached about it.
  def destroy
    destroyPool
    @property_hash.clear
  end
68 |
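  # Write the pool XML to a tempfile and hand it to `virsh pool-define`.
  # Returns true once virsh ran to completion; exceptions propagate.
  def definePool
    result = false
    tmpFile = nil
    begin
      tmpFile = Tempfile.new("pool.#{resource[:name]}")
      tmpFile.write(buildPoolXML(resource))
      # push the buffered XML to disk so virsh reads a complete file
      tmpFile.flush
      tmpFile.rewind
      virsh('pool-define', tmpFile.path)
      result = true
    ensure
      # Only clean up when the tempfile was actually created; otherwise a
      # failure in Tempfile.new would be masked by a NoMethodError on nil.
      if tmpFile
        tmpFile.close
        tmpFile.unlink
      end
    end
    return result
  end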
84 |
85 | def buildPool
86 | begin
87 | virsh('pool-build', '--pool', resource[:name])
88 | rescue
89 | # Unable to build the pool maybe because
90 | # it is already defined (it this case we should consider
91 | # to continue execution)
92 | # or there is permission issue on the fs
93 | # or ?
94 | # in these cases we should consider raising something
95 | notice("Unable to build the pool")
96 | end
97 |
98 | end
99 |
100 | def destroyPool
101 | begin
102 | virsh('pool-destroy', resource[:name])
103 | rescue Puppet::ExecutionFailure => e
104 | notice(e.message)
105 | end
106 | virsh('pool-undefine', resource[:name])
107 | end
108 |
109 | def active
110 | @property_hash[:active] || :false
111 | end
112 |
113 | def active=(active)
114 | if (active == :true)
115 | virsh 'pool-start', '--pool', resource[:name]
116 | @property_hash[:active] = 'true'
117 | else
118 | virsh 'pool-destroy', '--pool', resource[:name]
119 | @property_hash[:active] = 'false'
120 | end
121 | end
122 |
123 | def autostart
124 | @property_hash[:autostart] || :false
125 | end
126 |
127 | def autostart=(autostart)
128 | if (autostart == :true)
129 | virsh 'pool-autostart', '--pool', resource[:name]
130 | @property_hash[:autostart] = :true
131 | else
132 | virsh 'pool-autostart', '--pool', resource[:name], '--disable'
133 | @property_hash[:autostart] = :false
134 | end
135 | end
136 |
137 |
138 | def exists?
139 | @property_hash[:ensure] != :absent
140 | end
141 |
142 | def buildPoolXML(resource)
143 | root = REXML::Document.new
144 | pool = root.add_element 'pool', {'type' => resource[:type]}
145 | name = pool.add_element 'name'
146 | name.add_text resource[:name]
147 |
148 | srcHost = resource[:sourcehost]
149 | srcPath = resource[:sourcepath]
150 | srcDev = resource[:sourcedev]
151 | srcName = resource[:sourcename]
152 | srcFormat = resource[:sourceformat]
153 |
154 | if (srcHost || srcPath || srcDev || srcName || srcFormat)
155 | source = pool.add_element 'source'
156 |
157 | source.add_element('host', {'name' => srcHost}) if srcHost
158 | source.add_element('dir', {'path' => srcPath}) if srcPath
159 | source.add_element('format', {'type' => srcFormat}) if (srcFormat)
160 |
161 | if (srcDev)
162 | Array(srcDev).each do |dev|
163 | source.add_element('device', {'path' => dev})
164 | end
165 | end
166 |
167 | if (srcName)
168 | srcNameEl = source.add_element 'name'
169 | srcNameEl.add_text srcName
170 | end
171 | end
172 |
173 | target = resource[:target]
174 | if target
175 | targetEl = pool.add_element 'target'
176 | targetPathEl = targetEl.add_element 'path'
177 | targetPathEl.add_text target
178 | end
179 |
180 | return root.to_s
181 |
182 | end # buildPoolXML
183 |
184 | end
185 |
--------------------------------------------------------------------------------
/manifests/init.pp:
--------------------------------------------------------------------------------
# Class: libvirt
#
# Install, enable and configure libvirt: the libvirt package and service,
# /etc/libvirt/libvirtd.conf, /etc/libvirt/qemu.conf, the SASL config
# files under /etc/sasl2, the distribution's service environment file and
# any extra libvirt::network resources given in $networks.
#
# The upstream meaning of each libvirtd.conf / qemu.conf option is in
# templates/libvirtd.conf.orig and templates/qemu.conf.orig. A parameter
# left at undef is presumably left at its upstream default by the template
# (confirm in templates/*.erb); the ones defaulting from libvirt::params
# are always rendered.
#
# Parameters:
# $defaultnetwork:
#   Whether the default NAT network (virbr0) should exist. Default: false,
#   in which case the network is removed (ensure => absent).
# $networks, $networks_defaults:
#   Hash of additional libvirt::network resources, and defaults for them,
#   handed to create_resources.
# $virtinst:
#   Install the python-virtinst package, to get virt-install. Default: true
# $qemu:
#   Install the qemu-kvm package, required for KVM, and manage
#   /etc/sasl2/qemu-kvm.conf. Default: true
# $radvd:
#   Install the radvd package. Default: false
# $libvirt_package, $libvirt_service, $virtinst_package, $radvd_package:
#   Distribution-specific names, from libvirt::params.
# $sysconfig, $deb_default:
#   Manage /etc/sysconfig/libvirtd (RedHat) or /etc/default/libvirt-bin
#   (Debian) unless set to false. Defaults from libvirt::params.
#
# libvirtd.conf options (remote access and socket security):
# $listen_tls, $tls_port:
#   TLS listener on the public TCP/IP port. Requires a CA and server
#   certificate to be set up first, and the daemon to be started with
#   --listen (see $sysconfig / $deb_default).
# $listen_tcp, $tcp_port:
#   Plain TCP listener. Traffic is cleartext unless $auth_tcp is 'sasl'
#   with an encrypting mechanism; upstream advises against enabling it
#   outside dev/test.
# $listen_addr:
#   Address the listeners bind to; the upstream default is all interfaces.
# $mdns_adv:
#   Whether libvirtd advertises itself over mDNS.
# $auth_tcp, $auth_tls:
#   Authentication scheme ('none', 'sasl', 'polkit') for the TCP and TLS
#   listeners. Upstream recommends 'sasl' for TCP; TLS listeners verify
#   client certificates by default.
# $unix_sock_group, $unix_sock_ro_perms, $unix_sock_rw_perms,
# $unix_sock_dir, $auth_unix_ro, $auth_unix_rw:
#   Group, modes, directory and auth scheme of the read-only and read-write
#   UNIX sockets. Whoever can connect to the R/W socket has full management
#   of all VMs, so relax $unix_sock_rw_perms only together with a trusted
#   $unix_sock_group or an $auth_unix_rw of 'polkit' or 'sasl'.
#
# qemu.conf options:
# $qemu_vnc_listen:
#   VNC listen address; upstream default 127.0.0.1. Setting 0.0.0.0
#   exposes guest consoles to the network -- enable $qemu_vnc_tls (with
#   x509 client verification) or $qemu_vnc_sasl before doing so.
# $qemu_vnc_sasl, $qemu_vnc_tls:
#   SASL authentication / TLS encryption for VNC; TLS needs certificates in
#   the VNC x509 directory.
# $qemu_set_process_name:
#   Have QEMU set its process title to "qemu:VM_NAME".
# $qemu_user, $qemu_group:
#   Account the system instance runs guest QEMU processes as.
#
# sasl2 options ($sasl2_libvirt_mech_list, $sasl2_libvirt_keytab,
# $sasl2_qemu_mech_list, $sasl2_qemu_keytab, $sasl2_qemu_auxprop_plugin):
#   Values handed to the /etc/sasl2/libvirt.conf and qemu-kvm.conf
#   templates: mechanism list, keytab (presumably a path, not the key
#   material -- verify in the templates) and auxprop plugin.
#
# Sample Usage :
# include libvirt
#
class libvirt (
  $defaultnetwork = false,
  $networks = {},
  $networks_defaults = {},
  $virtinst = true,
  $qemu = true,
  $radvd = false,
  $libvirt_package = $::libvirt::params::libvirt_package,
  $libvirt_service = $::libvirt::params::libvirt_service,
  $virtinst_package = $::libvirt::params::virtinst_package,
  $radvd_package = $::libvirt::params::radvd_package,
  $sysconfig = $::libvirt::params::sysconfig,
  $deb_default = $::libvirt::params::deb_default,
  # libvirtd.conf options
  $listen_tls = undef,
  $listen_tcp = undef,
  $tls_port = undef,
  $tcp_port = undef,
  $listen_addr = undef,
  $mdns_adv = undef,
  $auth_tcp = undef,
  $auth_tls = undef,
  $unix_sock_group = $::libvirt::params::unix_sock_group,
  $unix_sock_ro_perms = undef,
  $auth_unix_ro = $::libvirt::params::auth_unix_ro,
  $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms,
  $auth_unix_rw = $::libvirt::params::auth_unix_rw,
  $unix_sock_dir = undef,
  # qemu.conf options
  $qemu_vnc_listen = undef,
  $qemu_vnc_sasl = undef,
  $qemu_vnc_tls = undef,
  $qemu_set_process_name = undef,
  $qemu_user = undef,
  $qemu_group = undef,
  # sasl2 options
  $sasl2_libvirt_mech_list = undef,
  $sasl2_libvirt_keytab = undef,
  $sasl2_qemu_mech_list = undef,
  $sasl2_qemu_keytab = undef,
  $sasl2_qemu_auxprop_plugin = undef,
) inherits ::libvirt::params {

  # Keep multiple templates, as close to the original as possible.
  # EL8 and later get their own "-el8" copies of the libvirtd.conf,
  # qemu.conf and sasl2 templates; everything else uses the plain ones.
  if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '8') >= 0 {
    $filesuffix = '-el8'
  } else {
    $filesuffix = ''
  }

  package { 'libvirt':
    ensure => installed,
    name => $libvirt_package,
  }

  # Every config file below notifies this service so changes are picked up.
  service { 'libvirtd':
    ensure => running,
    name => $libvirt_service,
    enable => true,
    hasstatus => true,
    require => Package['libvirt'],
  }

  # Daemon configuration: listeners, UNIX socket ownership/modes and auth
  # schemes. Root-owned, world-readable (0644): the parameters rendered
  # into it are flags, ports, modes and scheme names, not credentials.
  file { '/etc/libvirt/libvirtd.conf':
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => template("libvirt/libvirtd.conf${filesuffix}.erb"),
    notify => Service['libvirtd'],
    require => Package['libvirt'],
  }

  # QEMU driver configuration: VNC listen address / SASL / TLS, process
  # naming and the user/group guests run as.
  file { '/etc/libvirt/qemu.conf':
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => template("libvirt/qemu.conf${filesuffix}.erb"),
    notify => Service['libvirtd'],
    require => Package['libvirt'],
  }

  # SASL mechanism / keytab settings for the libvirtd listeners
  # ($sasl2_libvirt_*). Only referenced if an auth_* scheme is 'sasl'.
  file { '/etc/sasl2/libvirt.conf':
    owner => 'root',
    group => 'root',
    mode => '0644',
    content => template("libvirt/sasl2/libvirt.conf${filesuffix}.erb"),
    notify => Service['libvirtd'],
    require => Package['libvirt'],
  }

  # The default network, automatically configured... disable it by default
  # (ensure => absent removes the NAT network libvirt creates on install;
  # set $defaultnetwork => true to keep it).
  $def_net = $defaultnetwork? {
    true => 'enabled',
    default => 'absent',
  }
  libvirt::network { 'default':
    ensure => $def_net,
    autostart => true,
    forward_mode => 'nat',
    bridge => 'virbr0',
    ip => [ $::libvirt::params::default_ip ],
  }

  # The most useful libvirt-related packages
  if $virtinst {
    package { $virtinst_package: ensure => installed }
  }
  if $qemu {
    package { 'qemu-kvm': ensure => installed }
    # SASL settings for the VNC server ($sasl2_qemu_*); used when
    # $qemu_vnc_sasl is enabled.
    file { '/etc/sasl2/qemu-kvm.conf':
      owner => 'root',
      group => 'root',
      mode => '0644',
      content => template("libvirt/sasl2/qemu-kvm.conf${filesuffix}.erb"),
      notify => Service['libvirtd'],
      require => [Package['libvirt'], Package['qemu-kvm']]
    }
  }
  if $radvd {
    package { $radvd_package: ensure => installed }
  }

  # Optional changes to the sysconfig file (on RedHat).
  # This is where the daemon's command line (e.g. --listen, which the TLS
  # and TCP listeners above need) is set; skipped when $sysconfig is false.
  if $sysconfig != false {
    file { '/etc/sysconfig/libvirtd':
      owner => 'root',
      group => 'root',
      mode => '0644',
      content => template("${module_name}/sysconfig/libvirtd.erb"),
      notify => Service['libvirtd'],
    }
  }

  # Optional changes to the /etc/default file (on Debian); same role as
  # the sysconfig file above, skipped when $deb_default is false.
  if $deb_default != false {
    file { '/etc/default/libvirt-bin':
      owner => 'root',
      group => 'root',
      mode => '0644',
      content => template("${module_name}/default/libvirt-bin.erb"),
      notify => Service['libvirtd'],
    }
  }

  # Create Optional networks from the $networks hash, applying
  # $networks_defaults to each entry.
  create_resources(libvirt::network, $networks, $networks_defaults)

}
170 |
171 |
--------------------------------------------------------------------------------
/templates/qemu.conf.orig:
--------------------------------------------------------------------------------
1 | # Master configuration file for the QEMU driver.
2 | # All settings described here are optional - if omitted, sensible
3 | # defaults are used.
4 |
5 | # VNC is configured to listen on 127.0.0.1 by default.
6 | # To make it listen on all public interfaces, uncomment
7 | # this next option.
8 | #
9 | # NB, strong recommendation to enable TLS + x509 certificate
10 | # verification when allowing public access
11 | #
12 | # vnc_listen = "0.0.0.0"
13 |
14 | # Enable this option to have VNC served over an automatically created
15 | # unix socket. This prevents unprivileged access from users on the
16 | # host machine, though most VNC clients do not support it.
17 | #
18 | # This will only be enabled for VNC configurations that do not have
19 | # a hardcoded 'listen' or 'socket' value. This setting takes preference
20 | # over vnc_listen.
21 | #
22 | # vnc_auto_unix_socket = 1
23 |
24 | # Enable use of TLS encryption on the VNC server. This requires
25 | # a VNC client which supports the VeNCrypt protocol extension.
26 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt
27 | # itself. UltraVNC, RealVNC, TightVNC do not support this
28 | #
29 | # It is necessary to setup CA and issue a server certificate
30 | # before enabling this.
31 | #
32 | # vnc_tls = 1
33 |
34 |
35 | # Use of TLS requires that x509 certificates be issued. The
36 | # default is to keep them in /etc/pki/libvirt-vnc. This directory
37 | # must contain
38 | #
39 | # ca-cert.pem - the CA master certificate
40 | # server-cert.pem - the server certificate signed with ca-cert.pem
41 | # server-key.pem - the server private key
42 | #
43 | # This option allows the certificate directory to be changed
44 | #
45 | # vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
46 |
47 |
48 | # The default TLS configuration only uses certificates for the server
49 | # allowing the client to verify the server's identity and establish
50 | # an encrypted channel.
51 | #
52 | # It is possible to use x509 certificates for authentication too, by
53 | # issuing a x509 certificate to every client who needs to connect.
54 | #
55 | # Enabling this option will reject any client who does not have a
56 | # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
57 | #
58 | # vnc_tls_x509_verify = 1
59 |
60 |
61 | # The default VNC password. Only 8 letters are significant for
62 | # VNC passwords. This parameter is only used if the per-domain
63 | # XML config does not already provide a password. To allow
64 | # access without passwords, leave this commented out. An empty
65 | # string will still enable passwords, but be rejected by QEMU,
66 | # effectively preventing any use of VNC. Obviously change this
67 | # example here before you set this.
68 | #
69 | # vnc_password = "XYZ12345"
70 |
71 |
72 | # Enable use of SASL encryption on the VNC server. This requires
73 | # a VNC client which supports the SASL protocol extension.
74 | # Examples include vinagre, virt-viewer and virt-manager
75 | # itself. UltraVNC, RealVNC, TightVNC do not support this
76 | #
77 | # It is necessary to configure /etc/sasl2/qemu.conf to choose
78 | # the desired SASL plugin (eg, GSSPI for Kerberos)
79 | #
80 | # vnc_sasl = 1
81 |
82 |
83 | # The default SASL configuration file is located in /etc/sasl2/
84 | # When running libvirtd unprivileged, it may be desirable to
85 | # override the configs in this location. Set this parameter to
86 | # point to the directory, and create a qemu.conf in that location
87 | #
88 | # vnc_sasl_dir = "/some/directory/sasl2"
89 |
90 |
91 |
92 | # SPICE is configured to listen on 127.0.0.1 by default.
93 | # To make it listen on all public interfaces, uncomment
94 | # this next option.
95 | #
96 | # NB, strong recommendation to enable TLS + x509 certificate
97 | # verification when allowing public access
98 | #
99 | # spice_listen = "0.0.0.0"
100 |
101 |
102 | # Enable use of TLS encryption on the SPICE server.
103 | #
104 | # It is necessary to setup CA and issue a server certificate
105 | # before enabling this.
106 | #
107 | # spice_tls = 1
108 |
109 |
110 | # Use of TLS requires that x509 certificates be issued. The
111 | # default is to keep them in /etc/pki/libvirt-spice. This directory
112 | # must contain
113 | #
114 | # ca-cert.pem - the CA master certificate
115 | # server-cert.pem - the server certificate signed with ca-cert.pem
116 | # server-key.pem - the server private key
117 | #
118 | # This option allows the certificate directory to be changed.
119 | #
120 | # spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
121 |
122 |
123 | # The default SPICE password. This parameter is only used if the
124 | # per-domain XML config does not already provide a password. To
125 | # allow access without passwords, leave this commented out. An
126 | # empty string will still enable passwords, but be rejected by
127 | # QEMU, effectively preventing any use of SPICE. Obviously change
128 | # this example here before you set this.
129 | #
130 | # spice_password = "XYZ12345"
131 |
132 |
133 | # The default security driver is SELinux. If SELinux is disabled
134 | # on the host, then the security driver will automatically disable
135 | # itself. If you wish to disable QEMU SELinux security driver while
136 | # leaving SELinux enabled for the host in general, then set this
137 | # to 'none' instead.
138 | #
139 | # security_driver = "selinux"
140 |
141 | # If set to non-zero, then the default security labeling
142 | # will make guests confined. If set to zero, then guests
143 | # will be unconfined by default. Defaults to 1.
144 | # security_default_confined = 1
145 |
146 | # If set to non-zero, then attempts to create unconfined
147 | # guests will be blocked. Defaults to 0.
148 | # security_require_confined = 1
149 |
150 | # The user ID for QEMU processes run by the system instance.
151 | #user = "root"
152 |
153 | # The group ID for QEMU processes run by the system instance.
154 | #group = "root"
155 |
156 | # Whether libvirt should dynamically change file ownership
157 | # to match the configured user/group above. Defaults to 1.
158 | # Set to 0 to disable file ownership changes.
159 | #dynamic_ownership = 1
160 |
161 |
162 | # What cgroup controllers to make use of with QEMU guests
163 | #
164 | # - 'cpu' - use for scheduler tunables
165 | # - 'devices' - use for device whitelisting
166 | # - 'memory' - use for memory tunables
167 | # - 'blkio' - use for block devices I/O tunables
168 | # - 'cpuset' - use for CPUs and memory nodes
169 | # - 'cpuacct' - use for CPUs statistics.
170 | #
171 | # NB, even if configured here, they won't be used unless
172 | # the administrator has mounted cgroups, e.g.:
173 | #
174 | # mkdir /dev/cgroup
175 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
176 | #
177 | # They can be mounted anywhere, and different controllers
178 | # can be mounted in different locations. libvirt will detect
179 | # where they are located.
180 | #
181 | # cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
182 |
183 | # This is the basic set of devices allowed / required by
184 | # all virtual machines.
185 | #
186 | # As well as this, any configured block backed disks,
187 | # all sound device, and all PTY devices are allowed.
188 | #
189 | # This will only need setting if newer QEMU suddenly
190 | # wants some device we don't already know about.
191 | #
192 | #cgroup_device_acl = [
193 | # "/dev/null", "/dev/full", "/dev/zero",
194 | # "/dev/random", "/dev/urandom",
195 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
196 | # "/dev/rtc", "/dev/hpet",
197 | #]
198 |
199 |
200 | # The default format for Qemu/KVM guest save images is raw; that is, the
201 | # memory from the domain is dumped out directly to a file. If you have
202 | # guests with a large amount of memory, however, this can take up quite
203 | # a bit of space. If you would like to compress the images while they
204 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
205 | # for save_image_format. Note that this means you slow down the process of
206 | # saving a domain in order to save disk space; the list above is in descending
207 | # order by performance and ascending order by compression ratio.
208 | #
209 | # save_image_format is used when you use 'virsh save' at scheduled
210 | # saving, and it is an error if the specified save_image_format is
211 | # not valid, or the requested compression program can't be found.
212 | #
213 | # dump_image_format is used when you use 'virsh dump' at emergency
214 | # crashdump, and if the specified dump_image_format is not valid, or
215 | # the requested compression program can't be found, this falls
216 | # back to "raw" compression.
217 | #
218 | # save_image_format = "raw"
219 | # dump_image_format = "raw"
220 |
221 | # When a domain is configured to be auto-dumped when libvirtd receives a
222 | # watchdog event from qemu guest, libvirtd will save dump files in directory
223 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
224 | #
225 | # auto_dump_path = "/var/lib/libvirt/qemu/dump"
226 |
227 | # When a domain is configured to be auto-dumped, enabling this flag
228 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
229 | # virDomainCoreDump API. That is, the system will avoid using the
230 | # file system cache while writing the dump file, but may cause
231 | # slower operation.
232 | #
233 | # auto_dump_bypass_cache = 0
234 |
235 | # When a domain is configured to be auto-started, enabling this flag
236 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
237 | # with the virDomainCreateWithFlags API. That is, the system will
238 | # avoid using the file system cache when restoring any managed state
239 | # file, but may cause slower operation.
240 | #
241 | # auto_start_bypass_cache = 0
242 |
243 | # If provided by the host and a hugetlbfs mount point is configured,
244 | # a guest may request huge page backing. When this mount point is
245 | # unspecified here, determination of a host mount point in /proc/mounts
246 | # will be attempted. Specifying an explicit mount overrides detection
247 | # of the same in /proc/mounts. Setting the mount point to "" will
248 | # disable guest hugepage backing.
249 | #
250 | # NB, within this mount point, guests will create memory backing files
251 | # in a location of $MOUNTPOINT/libvirt/qemu
252 | #
253 | # hugetlbfs_mount = "/dev/hugepages"
254 |
255 |
256 | # mac_filter enables MAC addressed based filtering on bridge ports.
257 | # This currently requires ebtables to be installed.
258 | #
259 | # mac_filter = 1
260 |
261 |
262 | # By default, PCI devices below non-ACS switch are not allowed to be assigned
263 | # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
264 | # be assigned to guests.
265 | #
266 | # relaxed_acs_check = 1
267 |
268 |
269 | # QEMU implements an extension for providing audio over a VNC connection,
270 | # though if your VNC client does not support it, your only chance for getting
271 | # sound output is through regular audio backends. By default, libvirt will
272 | # disable all QEMU sound backends if using VNC, since they can cause
273 | # permissions issues. Enabling this option will make libvirtd honor the
274 | # QEMU_AUDIO_DRV environment variable when using VNC.
275 | #
276 | # vnc_allow_host_audio = 0
277 |
278 |
279 | # If clear_emulator_capabilities is enabled, libvirt will drop all
280 | # privileged capabilities of the QEmu/KVM emulator. This is enabled by
281 | # default.
282 | #
283 | # Warning: Disabling this option means that a compromised guest can
284 | # exploit the privileges and possibly do damage to the host.
285 | #
286 | # clear_emulator_capabilities = 1
287 |
288 |
289 | # If allow_disk_format_probing is enabled, libvirt will probe disk
290 | # images to attempt to identify their format, when not otherwise
291 | # specified in the XML. This is disabled by default.
292 | #
293 | # WARNING: Enabling probing is a security hole in almost all
294 | # deployments. It is strongly recommended that users update their
295 | # guest XML <disk> elements to include <driver type='...'/>
296 | # elements instead of enabling this option.
297 | #
298 | # allow_disk_format_probing = 1
299 |
300 |
301 | # If enabled, libvirt will have QEMU set its process name to
302 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
303 | # process will appear as "qemu:VM_NAME" in process listings and
304 | # other system monitoring tools. By default, QEMU does not set
305 | # its process title, so the complete QEMU command (emulator and
306 | # its arguments) appear in process listings.
307 | #
308 | # set_process_name = 1
309 |
310 |
311 | # If max_processes is set to a positive integer, libvirt will use
312 | # it to set the maximum number of processes that can be run by qemu
313 | # user. This can be used to override default value set by host OS.
314 | # The same applies to max_files which sets the limit on the maximum
315 | # number of opened files.
316 | #
317 | # max_processes = 0
318 | # max_files = 0
319 |
320 | # To enable 'Sanlock' project based locking of the file
321 | # content (to prevent two VMs writing to the same
322 | # disk), uncomment this
323 | #
324 | # lock_manager = "sanlock"
325 |
326 | # Set limit of maximum APIs queued on one domain. All other APIs
327 | # over this threshold will fail on acquiring job lock. Specially,
328 | # setting to zero turns this feature off.
329 | # Note, that job lock is per domain.
330 | #
331 | # max_queued = 0
332 |
333 | ###################################################################
334 | # Keepalive protocol:
335 | # This allows qemu driver to detect broken connections to remote
336 | # libvirtd during peer-to-peer migration. A keepalive message is
337 | # sent to the daemon after keepalive_interval seconds of inactivity
338 | # to check if the daemon is still responding; keepalive_count is a
339 | # maximum number of keepalive messages that are allowed to be sent
340 | # to the daemon without getting any response before the connection
341 | # is considered broken. In other words, the connection is
342 | # automatically closed approximately after
343 | # keepalive_interval * (keepalive_count + 1) seconds since the last
344 | # message received from the daemon. If keepalive_interval is set to
345 | # -1, qemu driver will not send keepalive requests during
346 | # peer-to-peer migration; however, the remote libvirtd can still
347 | # send them and source libvirtd will send responses. When
348 | # keepalive_count is set to 0, connections will be automatically
349 | # closed after keepalive_interval seconds of inactivity without
350 | # sending any keepalive messages. Disabled by default.
351 | #
352 | #keepalive_interval = 5
353 | #keepalive_count = 5
354 |
--------------------------------------------------------------------------------
/templates/libvirtd.conf.orig:
--------------------------------------------------------------------------------
1 | # Master libvirt daemon configuration file
2 | #
3 | # For further information consult http://libvirt.org/format.html
4 | #
5 | # NOTE: the tests/daemon-conf regression test script requires
6 | # that each "PARAMETER = VALUE" line in this file have the parameter
7 | # name just after a leading "#".
8 |
9 | #################################################################
10 | #
11 | # Network connectivity controls
12 | #
13 |
14 | # Flag listening for secure TLS connections on the public TCP/IP port.
15 | # NB, must pass the --listen flag to the libvirtd process for this to
16 | # have any effect.
17 | #
18 | # It is necessary to setup a CA and issue server certificates before
19 | # using this capability.
20 | #
21 | # This is enabled by default, uncomment this to disable it
22 | #listen_tls = 0
23 |
24 | # Listen for unencrypted TCP connections on the public TCP/IP port.
25 | # NB, must pass the --listen flag to the libvirtd process for this to
26 | # have any effect.
27 | #
28 | # Using the TCP socket requires SASL authentication by default. Only
29 | # SASL mechanisms which support data encryption are allowed. This is
30 | # DIGEST_MD5 and GSSAPI (Kerberos5)
31 | #
32 | # This is disabled by default, uncomment this to enable it.
33 | #listen_tcp = 1
34 |
35 |
36 |
37 | # Override the port for accepting secure TLS connections
38 | # This can be a port number, or service name
39 | #
40 | #tls_port = "16514"
41 |
42 | # Override the port for accepting insecure TCP connections
43 | # This can be a port number, or service name
44 | #
45 | #tcp_port = "16509"
46 |
47 |
48 | # Override the default configuration which binds to all network
49 | # interfaces. This can be a numeric IPv4/6 address, or hostname
50 | #
51 | #listen_addr = "192.168.0.1"
52 |
53 |
54 | # Flag toggling mDNS advertisement of the libvirt service.
55 | #
56 | # Alternatively can disable for all services on a host by
57 | # stopping the Avahi daemon
58 | #
59 | # This is enabled by default, uncomment this to disable it
60 | #mdns_adv = 0
61 |
62 | # Override the default mDNS advertisement name. This must be
63 | # unique on the immediate broadcast network.
64 | #
65 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME
66 | # is substituted for the short hostname of the machine (without domain)
67 | #
68 | #mdns_name = "Virtualization Host Joe Demo"
69 |
70 |
71 | #################################################################
72 | #
73 | # UNIX socket access controls
74 | #
75 |
76 | # Set the UNIX domain socket group ownership. This can be used to
77 | # allow a 'trusted' set of users access to management capabilities
78 | # without becoming root.
79 | #
80 | # This is restricted to 'root' by default.
81 | #unix_sock_group = "libvirt"
82 |
83 | # Set the UNIX socket permissions for the R/O socket. This is used
84 | # for monitoring VM status only
85 | #
86 | # Default allows any user. If setting group ownership may want to
87 | # restrict this to:
88 | #unix_sock_ro_perms = "0777"
89 |
90 | # Set the UNIX socket permissions for the R/W socket. This is used
91 | # for full management of VMs
92 | #
93 | # Default allows only root. If PolicyKit is enabled on the socket,
94 | # the default will change to allow everyone (eg, 0777)
95 | #
96 | # If not using PolicyKit and setting group ownership for access
97 | # control then you may want to relax this to:
98 | #unix_sock_rw_perms = "0770"
99 |
100 | # Set the name of the directory in which sockets will be found/created.
101 | #unix_sock_dir = "/var/run/libvirt"
102 |
103 | #################################################################
104 | #
105 | # Authentication.
106 | #
107 | # - none: do not perform auth checks. If you can connect to the
108 | # socket you are allowed. This is suitable if there are
109 | # restrictions on connecting to the socket (eg, UNIX
110 | # socket permissions), or if there is a lower layer in
111 | # the network providing auth (eg, TLS/x509 certificates)
112 | #
113 | # - sasl: use SASL infrastructure. The actual auth scheme is then
114 | # controlled from /etc/sasl2/libvirt.conf. For the TCP
115 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
116 | # For non-TCP or TLS sockets, any scheme is allowed.
117 | #
118 | # - polkit: use PolicyKit to authenticate. This is only suitable
119 | # for use on the UNIX sockets. The default policy will
120 | # require a user to supply their own password to gain
121 | # full read/write access (aka sudo like), while anyone
122 | # is allowed read/only access.
123 | #
124 | # Set an authentication scheme for UNIX read-only sockets
125 | # By default socket permissions allow anyone to connect
126 | #
127 | # To restrict monitoring of domains you may wish to enable
128 | # an authentication mechanism here
129 | #auth_unix_ro = "none"
130 |
131 | # Set an authentication scheme for UNIX read-write sockets
132 | # By default socket permissions only allow root. If PolicyKit
133 | # support was compiled into libvirt, the default will be to
134 | # use 'polkit' auth.
135 | #
136 | # If the unix_sock_rw_perms are changed you may wish to enable
137 | # an authentication mechanism here
138 | #auth_unix_rw = "none"
139 |
140 | # Change the authentication scheme for TCP sockets.
141 | #
142 | # If you don't enable SASL, then all TCP traffic is cleartext.
143 | # Don't do this outside of a dev/test scenario. For real world
144 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5
145 | # mechanism in /etc/sasl2/libvirt.conf
146 | #auth_tcp = "sasl"
147 |
148 | # Change the authentication scheme for TLS sockets.
149 | #
150 | # TLS sockets already have encryption provided by the TLS
151 | # layer, and limited authentication is done by certificates
152 | #
153 | # It is possible to make use of any SASL authentication
154 | # mechanism as well, by using 'sasl' for this option
155 | #auth_tls = "none"
156 |
157 |
158 |
159 | #################################################################
160 | #
161 | # TLS x509 certificate configuration
162 | #
163 |
164 |
165 | # Override the default server key file path
166 | #
167 | #key_file = "/etc/pki/libvirt/private/serverkey.pem"
168 |
169 | # Override the default server certificate file path
170 | #
171 | #cert_file = "/etc/pki/libvirt/servercert.pem"
172 |
173 | # Override the default CA certificate path
174 | #
175 | #ca_file = "/etc/pki/CA/cacert.pem"
176 |
177 | # Specify a certificate revocation list.
178 | #
179 | # Defaults to not using a CRL, uncomment to enable it
180 | #crl_file = "/etc/pki/CA/crl.pem"
181 |
182 |
183 |
184 | #################################################################
185 | #
186 | # Authorization controls
187 | #
188 |
189 |
190 | # Flag to disable verification of our own server certificates
191 | #
192 | # When libvirtd starts it performs some sanity checks against
193 | # its own certificates.
194 | #
195 | # Default is to always run sanity checks. Uncommenting this
196 | # will disable sanity checks which is not a good idea
197 | #tls_no_sanity_certificate = 1
198 |
199 | # Flag to disable verification of client certificates
200 | #
201 | # Client certificate verification is the primary authentication mechanism.
202 | # Any client which does not present a certificate signed by the CA
203 | # will be rejected.
204 | #
205 | # Default is to always verify. Uncommenting this will disable
206 | # verification - make sure an IP whitelist is set
207 | #tls_no_verify_certificate = 1
208 |
209 |
210 | # A whitelist of allowed x509 Distinguished Names
211 | # This list may contain wildcards such as
212 | #
213 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
214 | #
215 | # See the POSIX fnmatch function for the format of the wildcards.
216 | #
217 | # NB If this is an empty list, no client can connect, so comment out
218 | # entirely rather than using empty list to disable these checks
219 | #
220 | # By default, no DN's are checked
221 | #tls_allowed_dn_list = ["DN1", "DN2"]
222 |
223 |
224 | # A whitelist of allowed SASL usernames. The format for usernames
225 | # depends on the SASL authentication mechanism. Kerberos usernames
226 | # look like username@REALM
227 | #
228 | # This list may contain wildcards such as
229 | #
230 | # "*@EXAMPLE.COM"
231 | #
232 | # See the POSIX fnmatch function for the format of the wildcards.
233 | #
234 | # NB If this is an empty list, no client can connect, so comment out
235 | # entirely rather than using empty list to disable these checks
236 | #
237 | # By default, no Username's are checked
238 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
239 |
240 |
241 |
242 | #################################################################
243 | #
244 | # Processing controls
245 | #
246 |
247 | # The maximum number of concurrent client connections to allow
248 | # over all sockets combined.
249 | #max_clients = 20
250 |
251 |
252 | # The minimum limit sets the number of workers to start up
253 | # initially. If the number of active clients exceeds this,
254 | # then more threads are spawned, upto max_workers limit.
255 | # Typically you'd want max_workers to equal maximum number
256 | # of clients allowed
257 | #min_workers = 5
258 | #max_workers = 20
259 |
260 |
261 | # The number of priority workers. If all workers from above
262 | # pool will stuck, some calls marked as high priority
263 | # (notably domainDestroy) can be executed in this pool.
264 | #prio_workers = 5
265 |
266 | # Total global limit on concurrent RPC calls. Should be
267 | # at least as large as max_workers. Beyond this, RPC requests
268 | # will be read into memory and queued. This directly impact
269 | # memory usage, currently each request requires 256 KB of
270 | # memory. So by default upto 5 MB of memory is used
271 | #
272 | # XXX this isn't actually enforced yet, only the per-client
273 | # limit is used so far
274 | #max_requests = 20
275 |
276 | # Limit on concurrent requests from a single client
277 | # connection. To avoid one client monopolizing the server
278 | # this should be a small fraction of the global max_requests
279 | # and max_workers parameter
280 | #max_client_requests = 5
281 |
282 | #################################################################
283 | #
284 | # Logging controls
285 | #
286 |
287 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
288 | # basically 1 will log everything possible
289 | #log_level = 3
290 |
291 | # Logging filters:
292 | # A filter allows to select a different logging level for a given category
293 | # of logs
294 | # The format for a filter is:
295 | # x:name
296 | # where name is a match string e.g. remote or qemu
297 | # the x prefix is the minimal level where matching messages should be logged
298 | # 1: DEBUG
299 | # 2: INFO
300 | # 3: WARNING
301 | # 4: ERROR
302 | #
303 | # Multiple filter can be defined in a single @filters, they just need to be
304 | # separated by spaces.
305 | #
306 | # e.g:
307 | # log_filters="3:remote 4:event"
308 | # to only get warning or errors from the remote layer and only errors from
309 | # the event layer.
310 |
311 | # Logging outputs:
312 | # An output is one of the places to save logging information
313 | # The format for an output can be:
314 | # x:stderr
315 | # output goes to stderr
316 | # x:syslog:name
317 | # use syslog for the output and use the given name as the ident
318 | # x:file:file_path
319 | # output to a file, with the given filepath
320 | # In all case the x prefix is the minimal level, acting as a filter
321 | # 1: DEBUG
322 | # 2: INFO
323 | # 3: WARNING
324 | # 4: ERROR
325 | #
326 | # Multiple output can be defined, they just need to be separated by spaces.
327 | # e.g.:
328 | # log_outputs="3:syslog:libvirtd"
329 | # to log all warnings and errors to syslog under the libvirtd ident
330 |
331 | # Log debug buffer size: default 64
332 | # The daemon keeps an internal debug log buffer which will be dumped in case
333 | # of crash or upon receiving a SIGUSR2 signal. This setting allows to override
334 | # the default buffer size in kilobytes.
335 | # If value is 0 or less the debug log buffer is deactivated
336 | #log_buffer_size = 64
337 |
338 |
339 | ##################################################################
340 | #
341 | # Auditing
342 | #
343 | # This setting allows usage of the auditing subsystem to be altered:
344 | #
345 | # audit_level == 0 -> disable all auditing
346 | # audit_level == 1 -> enable auditing, only if enabled on host (default)
347 | # audit_level == 2 -> enable auditing, and exit if disabled on host
348 | #
349 | #audit_level = 2
350 | #
351 | # If set to 1, then audit messages will also be sent
352 | # via libvirt logging infrastructure. Defaults to 0
353 | #
354 | #audit_logging = 1
355 |
356 | ###################################################################
357 | # UUID of the host:
358 | # Provide the UUID of the host here in case the command
359 | # 'dmidecode -s system-uuid' does not provide a valid uuid. In case
360 | # 'dmidecode' does not provide a valid UUID and none is provided here, a
361 | # temporary UUID will be generated.
362 | # Keep the format of the example UUID below. UUID must not have all digits
363 | # be the same.
364 |
365 | # NB This default all-zeros UUID will not work. Replace
366 | # it with the output of the 'uuidgen' command and then
367 | # uncomment this entry
368 | #host_uuid = "00000000-0000-0000-0000-000000000000"
369 |
370 | ###################################################################
371 | # Keepalive protocol:
372 | # This allows libvirtd to detect broken client connections or even
373 | # dead client. A keepalive message is sent to a client after
374 | # keepalive_interval seconds of inactivity to check if the client is
375 | # still responding; keepalive_count is a maximum number of keepalive
376 | # messages that are allowed to be sent to the client without getting
377 | # any response before the connection is considered broken. In other
378 | # words, the connection is automatically closed approximately after
379 | # keepalive_interval * (keepalive_count + 1) seconds since the last
380 | # message received from the client. If keepalive_interval is set to
381 | # -1, libvirtd will never send keepalive requests; however clients
382 | # can still send them and the deamon will send responses. When
383 | # keepalive_count is set to 0, connections will be automatically
384 | # closed after keepalive_interval seconds of inactivity without
385 | # sending any keepalive messages. Disabled by default.
386 | #
387 | #keepalive_interval = 5
388 | #keepalive_count = 5
389 | #
390 | # If set to 1, libvirtd will refuse to talk to clients that do not
391 | # support keepalive protocol. Defaults to 0.
392 | #
393 | #keepalive_required = 1
394 |
--------------------------------------------------------------------------------
/templates/qemu.conf.erb:
--------------------------------------------------------------------------------
1 | # Master configuration file for the QEMU driver.
2 | # All settings described here are optional - if omitted, sensible
3 | # defaults are used.
4 |
5 | # VNC is configured to listen on 127.0.0.1 by default.
6 | # To make it listen on all public interfaces, uncomment
7 | # this next option.
8 | #
9 | # NB, strong recommendation to enable TLS + x509 certificate
10 | # verification when allowing public access
11 | #
12 | # vnc_listen = "0.0.0.0"
   | # Rendered from the module's qemu_vnc_listen parameter. The value is
   | # dropped verbatim between the double quotes, so pass exactly one
   | # address (an interface IP, or "0.0.0.0" for every interface).
   | # NOTE(review): anything other than a loopback address here exposes
   | # every guest's VNC console on the network; pair it with vnc_tls
   | # (qemu_vnc_tls below) and vnc_tls_x509_verify, as the note above
   | # recommends, or leave it unset to keep the 127.0.0.1 default.
13 | <% if @qemu_vnc_listen -%>
14 | vnc_listen = "<%= @qemu_vnc_listen %>"
15 | <% end -%>
16 |
17 | # Enable this option to have VNC served over an automatically created
18 | # unix socket. This prevents unprivileged access from users on the
19 | # host machine, though most VNC clients do not support it.
20 | #
21 | # This will only be enabled for VNC configurations that do not have
22 | # a hardcoded 'listen' or 'socket' value. This setting takes preference
23 | # over vnc_listen.
24 | #
25 | # vnc_auto_unix_socket = 1
26 |
27 | # Enable use of TLS encryption on the VNC server. This requires
28 | # a VNC client which supports the VeNCrypt protocol extension.
29 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt
30 | # itself. UltraVNC, RealVNC, TightVNC do not support this
31 | #
32 | # It is necessary to setup CA and issue a server certificate
33 | # before enabling this.
34 | #
35 | # vnc_tls = 1
   | # Rendered from qemu_vnc_tls. Only a genuine Boolean is honoured:
   | # true emits vnc_tls = 1, false emits vnc_tls = 0, and anything else
   | # (unset, or the string 'true') matches neither branch and emits
   | # nothing, so libvirt's own default applies.
   | # NOTE(review): vnc_tls = 1 only encrypts the session and lets the
   | # client verify the server; clients stay unauthenticated unless
   | # vnc_tls_x509_verify (not managed by this template) is enabled too.
36 | <% if @qemu_vnc_tls == true -%>
37 | vnc_tls = 1
38 | <% elsif @qemu_vnc_tls == false -%>
39 | vnc_tls = 0
40 | <% end -%>
41 |
42 | # Use of TLS requires that x509 certificates be issued. The
43 | # default is to keep them in /etc/pki/libvirt-vnc. This directory
44 | # must contain
45 | #
46 | # ca-cert.pem - the CA master certificate
47 | # server-cert.pem - the server certificate signed with ca-cert.pem
48 | # server-key.pem - the server private key
49 | #
50 | # This option allows the certificate directory to be changed
51 | #
52 | # vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
53 |
54 |
55 | # The default TLS configuration only uses certificates for the server
56 | # allowing the client to verify the server's identity and establish
57 | # an encrypted channel.
58 | #
59 | # It is possible to use x509 certificates for authentication too, by
60 | # issuing a x509 certificate to every client who needs to connect.
61 | #
62 | # Enabling this option will reject any client who does not have a
63 | # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
64 | #
65 | # vnc_tls_x509_verify = 1
66 |
67 |
68 | # The default VNC password. Only 8 letters are significant for
69 | # VNC passwords. This parameter is only used if the per-domain
70 | # XML config does not already provide a password. To allow
71 | # access without passwords, leave this commented out. An empty
72 | # string will still enable passwords, but be rejected by QEMU,
73 | # effectively preventing any use of VNC. Obviously change this
74 | # example here before you set this.
75 | #
76 | # vnc_password = "XYZ12345"
77 |
78 |
79 | # Enable use of SASL encryption on the VNC server. This requires
80 | # a VNC client which supports the SASL protocol extension.
81 | # Examples include vinagre, virt-viewer and virt-manager
82 | # itself. UltraVNC, RealVNC, TightVNC do not support this
83 | #
84 | # It is necessary to configure /etc/sasl2/qemu.conf to choose
85 | # the desired SASL plugin (eg, GSSPI for Kerberos)
86 | #
87 | # vnc_sasl = 1
   | # Rendered from qemu_vnc_sasl with the same Boolean-only matching as
   | # vnc_tls above (true -> 1, false -> 0, anything else -> omitted).
   | # NOTE(review): this only turns the SASL handshake on; which mechanism
   | # is accepted (e.g. GSSAPI/Kerberos) comes from /etc/sasl2/qemu.conf,
   | # which must be in place before this is switched on.
88 | <% if @qemu_vnc_sasl == true -%>
89 | vnc_sasl = 1
90 | <% elsif @qemu_vnc_sasl == false -%>
91 | vnc_sasl = 0
92 | <% end -%>
93 |
94 | # The default SASL configuration file is located in /etc/sasl2/
95 | # When running libvirtd unprivileged, it may be desirable to
96 | # override the configs in this location. Set this parameter to
97 | # point to the directory, and create a qemu.conf in that location
98 | #
99 | # vnc_sasl_dir = "/some/directory/sasl2"
100 |
101 |
102 |
103 | # SPICE is configured to listen on 127.0.0.1 by default.
104 | # To make it listen on all public interfaces, uncomment
105 | # this next option.
106 | #
107 | # NB, strong recommendation to enable TLS + x509 certificate
108 | # verification when allowing public access
109 | #
110 | # spice_listen = "0.0.0.0"
111 |
112 |
113 | # Enable use of TLS encryption on the SPICE server.
114 | #
115 | # It is necessary to setup CA and issue a server certificate
116 | # before enabling this.
117 | #
118 | # spice_tls = 1
119 |
120 |
121 | # Use of TLS requires that x509 certificates be issued. The
122 | # default is to keep them in /etc/pki/libvirt-spice. This directory
123 | # must contain
124 | #
125 | # ca-cert.pem - the CA master certificate
126 | # server-cert.pem - the server certificate signed with ca-cert.pem
127 | # server-key.pem - the server private key
128 | #
129 | # This option allows the certificate directory to be changed.
130 | #
131 | # spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
132 |
133 |
134 | # The default SPICE password. This parameter is only used if the
135 | # per-domain XML config does not already provide a password. To
136 | # allow access without passwords, leave this commented out. An
137 | # empty string will still enable passwords, but be rejected by
138 | # QEMU, effectively preventing any use of SPICE. Obviously change
139 | # this example here before you set this.
140 | #
141 | # spice_password = "XYZ12345"
142 |
143 |
144 | # The default security driver is SELinux. If SELinux is disabled
145 | # on the host, then the security driver will automatically disable
146 | # itself. If you wish to disable QEMU SELinux security driver while
147 | # leaving SELinux enabled for the host in general, then set this
148 | # to 'none' instead.
149 | #
150 | # security_driver = "selinux"
151 |
152 | # If set to non-zero, then the default security labeling
153 | # will make guests confined. If set to zero, then guests
154 | # will be unconfined by default. Defaults to 1.
155 | # security_default_confined = 1
156 |
157 | # If set to non-zero, then attempts to create unconfined
158 | # guests will be blocked. Defaults to 0.
159 | # security_require_confined = 1
160 |
161 | # The user ID for QEMU processes run by the system instance.
162 | #user = "root"
    | # Rendered from qemu_user. When unset the line is omitted and the
    | # default noted above (root) applies. Running guests under a dedicated
    | # unprivileged account limits the damage a compromised guest can do to
    | # the host (see the clear_emulator_capabilities warning below). With
    | # dynamic_ownership left at 1, libvirt re-chowns disk images to this
    | # user, so choose an account that may own them.
163 | <% if @qemu_user -%>
164 | user = "<%= @qemu_user %>"
165 | <% end -%>
166 |
167 | # The group ID for QEMU processes run by the system instance.
168 | #group = "root"
    | # Rendered from qemu_group; same handling as user above (omitted when
    | # unset, root by default). Keep it paired with a non-root qemu_user:
    | # a privileged group undoes most of the benefit of an unprivileged
    | # user.
169 | <% if @qemu_group -%>
170 | group = "<%= @qemu_group %>"
171 | <% end -%>
172 |
173 | # Whether libvirt should dynamically change file ownership
174 | # to match the configured user/group above. Defaults to 1.
175 | # Set to 0 to disable file ownership changes.
176 | #dynamic_ownership = 1
177 |
178 |
179 | # What cgroup controllers to make use of with QEMU guests
180 | #
181 | # - 'cpu' - use for scheduler tunables
182 | # - 'devices' - use for device whitelisting
183 | # - 'memory' - use for memory tunables
184 | # - 'blkio' - use for block devices I/O tunables
185 | # - 'cpuset' - use for CPUs and memory nodes
186 | # - 'cpuacct' - use for CPUs statistics.
187 | #
188 | # NB, even if configured here, they won't be used unless
189 | # the administrator has mounted cgroups, e.g.:
190 | #
191 | # mkdir /dev/cgroup
192 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
193 | #
194 | # They can be mounted anywhere, and different controllers
195 | # can be mounted in different locations. libvirt will detect
196 | # where they are located.
197 | #
198 | # cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
199 |
200 | # This is the basic set of devices allowed / required by
201 | # all virtual machines.
202 | #
203 | # As well as this, any configured block backed disks,
204 | # all sound device, and all PTY devices are allowed.
205 | #
206 | # This will only need setting if newer QEMU suddenly
207 | # wants some device we don't already know about.
208 | #
209 | #cgroup_device_acl = [
210 | # "/dev/null", "/dev/full", "/dev/zero",
211 | # "/dev/random", "/dev/urandom",
212 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
213 | # "/dev/rtc", "/dev/hpet",
214 | #]
215 |
216 |
217 | # The default format for Qemu/KVM guest save images is raw; that is, the
218 | # memory from the domain is dumped out directly to a file. If you have
219 | # guests with a large amount of memory, however, this can take up quite
220 | # a bit of space. If you would like to compress the images while they
221 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
222 | # for save_image_format. Note that this means you slow down the process of
223 | # saving a domain in order to save disk space; the list above is in descending
224 | # order by performance and ascending order by compression ratio.
225 | #
226 | # save_image_format is used when you use 'virsh save' at scheduled
227 | # saving, and it is an error if the specified save_image_format is
228 | # not valid, or the requested compression program can't be found.
229 | #
230 | # dump_image_format is used when you use 'virsh dump' at emergency
231 | # crashdump, and if the specified dump_image_format is not valid, or
232 | # the requested compression program can't be found, this falls
233 | # back to "raw" compression.
234 | #
235 | # save_image_format = "raw"
236 | # dump_image_format = "raw"
237 |
238 | # When a domain is configured to be auto-dumped when libvirtd receives a
239 | # watchdog event from qemu guest, libvirtd will save dump files in directory
240 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
241 | #
242 | # auto_dump_path = "/var/lib/libvirt/qemu/dump"
243 |
244 | # When a domain is configured to be auto-dumped, enabling this flag
245 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
246 | # virDomainCoreDump API. That is, the system will avoid using the
247 | # file system cache while writing the dump file, but may cause
248 | # slower operation.
249 | #
250 | # auto_dump_bypass_cache = 0
251 |
252 | # When a domain is configured to be auto-started, enabling this flag
253 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
254 | # with the virDomainCreateWithFlags API. That is, the system will
255 | # avoid using the file system cache when restoring any managed state
256 | # file, but may cause slower operation.
257 | #
258 | # auto_start_bypass_cache = 0
259 |
260 | # If provided by the host and a hugetlbfs mount point is configured,
261 | # a guest may request huge page backing. When this mount point is
262 | # unspecified here, determination of a host mount point in /proc/mounts
263 | # will be attempted. Specifying an explicit mount overrides detection
264 | # of the same in /proc/mounts. Setting the mount point to "" will
265 | # disable guest hugepage backing.
266 | #
267 | # NB, within this mount point, guests will create memory backing files
268 | # in a location of $MOUNTPOINT/libvirt/qemu
269 | #
270 | # hugetlbfs_mount = "/dev/hugepages"
271 |
272 |
273 | # mac_filter enables MAC addressed based filtering on bridge ports.
274 | # This currently requires ebtables to be installed.
275 | #
276 | # mac_filter = 1
277 |
278 |
279 | # By default, PCI devices below non-ACS switch are not allowed to be assigned
280 | # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
281 | # be assigned to guests.
282 | #
283 | # relaxed_acs_check = 1
284 |
285 |
286 | # QEMU implements an extension for providing audio over a VNC connection,
287 | # though if your VNC client does not support it, your only chance for getting
288 | # sound output is through regular audio backends. By default, libvirt will
289 | # disable all QEMU sound backends if using VNC, since they can cause
290 | # permissions issues. Enabling this option will make libvirtd honor the
291 | # QEMU_AUDIO_DRV environment variable when using VNC.
292 | #
293 | # vnc_allow_host_audio = 0
294 |
295 |
296 | # If clear_emulator_capabilities is enabled, libvirt will drop all
297 | # privileged capabilities of the QEmu/KVM emulator. This is enabled by
298 | # default.
299 | #
300 | # Warning: Disabling this option means that a compromised guest can
301 | # exploit the privileges and possibly do damage to the host.
302 | #
303 | # clear_emulator_capabilities = 1
304 |
305 |
306 | # If allow_disk_format_probing is enabled, libvirt will probe disk
307 | # images to attempt to identify their format, when not otherwise
308 | # specified in the XML. This is disabled by default.
309 | #
310 | # WARNING: Enabling probing is a security hole in almost all
311 | # deployments. It is strongly recommended that users update their
312 | # guest XML <disk> elements to include <driver type='XXX'/>
313 | # elements instead of enabling this option.
314 | #
315 | # allow_disk_format_probing = 1
316 |
317 |
318 | # If enabled, libvirt will have QEMU set its process name to
319 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
320 | # process will appear as "qemu:VM_NAME" in process listings and
321 | # other system monitoring tools. By default, QEMU does not set
322 | # its process title, so the complete QEMU command (emulator and
323 | # its arguments) appear in process listings.
324 | #
325 | # set_process_name = 1
    | # Rendered from qemu_set_process_name with Boolean-only matching
    | # (true -> 1, false -> 0, anything else -> omitted). Enabling it hides
    | # the full QEMU command line from plain process listings, as described
    | # above; treat that as cosmetic, not as an access control.
326 | <% if @qemu_set_process_name == true -%>
327 | set_process_name = 1
328 | <% elsif @qemu_set_process_name == false -%>
329 | set_process_name = 0
330 | <% end -%>
331 |
332 |
333 | # If max_processes is set to a positive integer, libvirt will use
334 | # it to set the maximum number of processes that can be run by qemu
335 | # user. This can be used to override default value set by host OS.
336 | # The same applies to max_files which sets the limit on the maximum
337 | # number of opened files.
338 | #
339 | # max_processes = 0
340 | # max_files = 0
341 |
342 | # To enable 'Sanlock' project based locking of the file
343 | # content (to prevent two VMs writing to the same
344 | # disk), uncomment this
345 | #
346 | # lock_manager = "sanlock"
347 |
348 | # Set limit of maximum APIs queued on one domain. All other APIs
349 | # over this threshold will fail on acquiring job lock. Specially,
350 | # setting to zero turns this feature off.
351 | # Note, that job lock is per domain.
352 | #
353 | # max_queued = 0
354 |
355 | ###################################################################
356 | # Keepalive protocol:
357 | # This allows qemu driver to detect broken connections to remote
358 | # libvirtd during peer-to-peer migration. A keepalive message is
359 | # sent to the daemon after keepalive_interval seconds of inactivity
360 | # to check if the daemon is still responding; keepalive_count is a
361 | # maximum number of keepalive messages that are allowed to be sent
362 | # to the daemon without getting any response before the connection
363 | # is considered broken. In other words, the connection is
364 | # automatically closed approximately after
365 | # keepalive_interval * (keepalive_count + 1) seconds since the last
366 | # message received from the daemon. If keepalive_interval is set to
367 | # -1, qemu driver will not send keepalive requests during
368 | # peer-to-peer migration; however, the remote libvirtd can still
369 | # send them and source libvirtd will send responses. When
370 | # keepalive_count is set to 0, connections will be automatically
371 | # closed after keepalive_interval seconds of inactivity without
372 | # sending any keepalive messages. Disabled by default.
373 | #
374 | #keepalive_interval = 5
375 | #keepalive_count = 5
376 |
--------------------------------------------------------------------------------
/templates/libvirtd.conf.erb:
--------------------------------------------------------------------------------
1 | # Master libvirt daemon configuration file
2 | #
3 | # For further information consult http://libvirt.org/format.html
4 | #
5 | # NOTE: the tests/daemon-conf regression test script requires
6 | # that each "PARAMETER = VALUE" line in this file have the parameter
7 | # name just after a leading "#".
8 |
9 | #################################################################
10 | #
11 | # Network connectivity controls
12 | #
13 |
14 | # Flag listening for secure TLS connections on the public TCP/IP port.
15 | # NB, must pass the --listen flag to the libvirtd process for this to
16 | # have any effect.
17 | #
18 | # It is necessary to setup a CA and issue server certificates before
19 | # using this capability.
20 | #
21 | # This is enabled by default, uncomment this to disable it
22 | #listen_tls = 0
   | # Rendered from listen_tls with Boolean-only matching (true -> 1,
   | # false -> 0, anything else -> omitted, keeping the enabled default).
   | # Has no effect unless libvirtd runs with --listen, and needs the CA
   | # and server certificates from the TLS section below to be in place.
   | # Client certificates are verified unless tls_no_verify_certificate is
   | # set further down; keep that at its default.
23 | <% if @listen_tls == true -%>
24 | listen_tls = 1
25 | <% elsif @listen_tls == false -%>
26 | listen_tls = 0
27 | <% end -%>
28 |
29 | # Listen for unencrypted TCP connections on the public TCP/IP port.
30 | # NB, must pass the --listen flag to the libvirtd process for this to
31 | # have any effect.
32 | #
33 | # Using the TCP socket requires SASL authentication by default. Only
34 | # SASL mechanisms which support data encryption are allowed. This is
35 | # DIGEST-MD5 and GSSAPI (Kerberos5). Note that DIGEST-MD5 has since
36 | # been deprecated (RFC 6331); prefer GSSAPI, or use the TLS socket.
36 | #
37 | # This is disabled by default, uncomment this to enable it.
38 | #listen_tcp = 1
   | # Rendered from listen_tcp with Boolean-only matching (true -> 1,
   | # false -> 0, anything else -> omitted, keeping the disabled default).
   | # NOTE(review): this socket is cleartext unless auth_tcp = "sasl" with
   | # an encrypting mechanism (see the Authentication section). auth_tcp
   | # is templated independently below, so nothing here stops
   | # listen_tcp = 1 from being combined with auth_tcp = "none"; verify
   | # both, and prefer the TLS socket outside a dev/test network.
39 | <% if @listen_tcp == true -%>
40 | listen_tcp = 1
41 | <% elsif @listen_tcp == false -%>
42 | listen_tcp = 0
43 | <% end -%>
44 |
45 |
46 |
47 | # Override the port for accepting secure TLS connections
48 | # This can be a port number, or service name
49 | #
50 | #tls_port = "16514"
   | # Rendered from tls_port, quoted verbatim: a port number or a service
   | # name, overriding the 16514 default shown above. Only meaningful
   | # together with listen_tls = 1 and --listen.
51 | <% if @tls_port -%>
52 | tls_port = "<%= @tls_port %>"
53 | <% end -%>
54 |
55 | # Override the port for accepting insecure TCP connections
56 | # This can be a port number, or service name
57 | #
58 | #tcp_port = "16509"
   | # Rendered from tcp_port, quoted verbatim: a port number or a service
   | # name, overriding the 16509 default shown above. Only meaningful
   | # together with listen_tcp = 1; moving the port is not a substitute
   | # for SASL on that socket.
59 | <% if @tcp_port -%>
60 | tcp_port = "<%= @tcp_port %>"
61 | <% end -%>
62 |
63 |
64 | # Override the default configuration which binds to all network
65 | # interfaces. This can be a numeric IPv4/6 address, or hostname
66 | #
67 | #listen_addr = "192.168.0.1"
   | # Rendered from listen_addr, quoted verbatim. Left unset, libvirtd
   | # binds every interface (see above); on a host with a separate
   | # management network, set this to that interface's address so the
   | # TLS/TCP ports are not reachable from guest or public networks.
68 | <% if @listen_addr -%>
69 | listen_addr = "<%= @listen_addr %>"
70 | <% end -%>
71 |
72 |
73 | # Flag toggling mDNS advertizement of the libvirt service.
74 | #
75 | # Alternatively can disable for all services on a host by
76 | # stopping the Avahi daemon
77 | #
78 | # This is enabled by default, uncomment this to disable it
79 | #mdns_adv = 0
   | # Rendered from mdns_adv. Only Boolean false or the string '0' turn
   | # advertisement off; anything else leaves the enabled default.
   | # NOTE(review): an unquoted 0 or the string 'false' matches neither
   | # comparison and is silently ignored, so the host keeps announcing
   | # itself via Avahi; callers must pass false or '0' exactly, or this
   | # check should be widened to accept those forms as well.
80 | <% if @mdns_adv == false or @mdns_adv == '0' -%>
81 | mdns_adv = 0
82 | <% end -%>
83 |
84 | # Override the default mDNS advertizement name. This must be
85 | # unique on the immediate broadcast network.
86 | #
87 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME
88 | # is substituted for the short hostname of the machine (without domain)
89 | #
90 | #mdns_name = "Virtualization Host Joe Demo"
91 |
92 |
93 | #################################################################
94 | #
95 | # UNIX socket access controls
96 | #
97 |
98 | # Set the UNIX domain socket group ownership. This can be used to
99 | # allow a 'trusted' set of users access to management capabilities
100 | # without becoming root.
101 | #
102 | # This is restricted to 'root' by default.
103 | #unix_sock_group = "libvirt"
    | # Rendered from unix_sock_group, quoted verbatim. Membership of this
    | # group is an access grant: together with a relaxed unix_sock_rw_perms
    | # below it gives full VM management without root, so keep the group
    | # small and treat membership like sudo access.
104 | <% if @unix_sock_group -%>
105 | unix_sock_group = "<%= @unix_sock_group %>"
106 | <% end -%>
107 |
108 | # Set the UNIX socket permissions for the R/O socket. This is used
109 | # for monitoring VM status only
110 | #
111 | # Default allows any user. If setting group ownership may want to
112 | # restrict this to:
113 | #unix_sock_ro_perms = "0777"
    | # Rendered from unix_sock_ro_perms, quoted verbatim. Governs the
    | # monitoring-only socket, which the 0777 default leaves open to every
    | # local user; tighten it when unix_sock_group is set. Pass the mode as
    | # a quoted string ('0770'): an unquoted literal may be parsed as an
    | # octal integer and rendered in decimal - confirm for your Puppet
    | # version.
114 | <% if @unix_sock_ro_perms -%>
115 | unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>"
116 | <% end -%>
117 |
118 | # Set the UNIX socket permissions for the R/W socket. This is used
119 | # for full management of VMs
120 | #
121 | # Default allows only root. If PolicyKit is enabled on the socket,
122 | # the default will change to allow everyone (eg, 0777)
123 | #
124 | # If not using PolicyKit and setting group ownership for access
125 | # control then you may want to relax this to:
126 | #unix_sock_rw_perms = "0770"
    | # Rendered from unix_sock_rw_perms, quoted verbatim (same quoting
    | # caveat as unix_sock_ro_perms above).
    | # NOTE(review): with auth_unix_rw = "none" these mode bits are the
    | # only thing between a local user and full VM management, so never
    | # go beyond 0770 with a trusted unix_sock_group; 0777 here plus auth
    | # "none" hands every local account the same control.
127 | <% if @unix_sock_rw_perms -%>
128 | unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>"
129 | <% end -%>
130 |
131 | # Set the name of the directory in which sockets will be found/created.
132 | #unix_sock_dir = "/var/run/libvirt"
    | # Rendered from unix_sock_dir, quoted verbatim. Only override the
    | # /var/run/libvirt default if clients are configured to match; the
    | # replacement directory should be root-owned and not world-writable.
133 | <% if @unix_sock_dir -%>
134 | unix_sock_dir = "<%= @unix_sock_dir %>"
135 | <% end -%>
136 |
137 | #################################################################
138 | #
139 | # Authentication.
140 | #
141 | # - none: do not perform auth checks. If you can connect to the
142 | # socket you are allowed. This is suitable if there are
143 | # restrictions on connecting to the socket (eg, UNIX
144 | # socket permissions), or if there is a lower layer in
145 | # the network providing auth (eg, TLS/x509 certificates)
146 | #
147 | # - sasl: use SASL infrastructure. The actual auth scheme is then
148 | # controlled from /etc/sasl2/libvirt.conf. For the TCP
149 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
150 | # For non-TCP or TLS sockets, any scheme is allowed.
151 | #
152 | # - polkit: use PolicyKit to authenticate. This is only suitable
153 | # for use on the UNIX sockets. The default policy will
154 | # require a user to supply their own password to gain
155 | # full read/write access (aka sudo like), while anyone
156 | # is allowed read/only access.
157 | #
158 | # Set an authentication scheme for UNIX read-only sockets
159 | # By default socket permissions allow anyone to connect
160 | #
161 | # To restrict monitoring of domains you may wish to enable
162 | # an authentication mechanism here
163 | #auth_unix_ro = "none"
    | # Rendered from auth_unix_ro, quoted verbatim: "none", "sasl" or
    | # "polkit" per the Authentication notes above. Since the R/O socket is
    | # world-connectable by default, this (or unix_sock_ro_perms) is what
    | # restricts who may monitor domains.
    | # NOTE(review): this block uses the whitespace-trimming tag form
    | # (percent-minus) where the rest of the file uses the plain tag; with
    | # the tags at column 0 the output appears identical - confirm.
164 | <%- if @auth_unix_ro -%>
165 | auth_unix_ro = "<%= @auth_unix_ro %>"
166 | <%- end -%>
167 |
168 | # Set an authentication scheme for UNIX read-write sockets
169 | # By default socket permissions only allow root. If PolicyKit
170 | # support was compiled into libvirt, the default will be to
171 | # use 'polkit' auth.
172 | #
173 | # If the unix_sock_rw_perms are changed you may wish to enable
174 | # an authentication mechanism here
175 | #auth_unix_rw = "none"
    | # Rendered from auth_unix_rw, quoted verbatim. This socket grants full
    | # VM management, so "none" is only acceptable when unix_sock_rw_perms
    | # and unix_sock_group above already limit who can connect; otherwise
    | # use "polkit" (the compiled-in default where available) or "sasl".
    | # Same whitespace-trimming tag form as auth_unix_ro above.
176 | <%- if @auth_unix_rw -%>
177 | auth_unix_rw = "<%= @auth_unix_rw %>"
178 | <%- end -%>
179 |
180 | # Change the authentication scheme for TCP sockets.
181 | #
182 | # If you don't enable SASL, then all TCP traffic is cleartext.
183 | # Don't do this outside of a dev/test scenario. For real world
184 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5
185 | # mechanism in /etc/sasl2/libvirt.conf
186 | #auth_tcp = "sasl"
    | # Rendered from auth_tcp, quoted verbatim.
    | # NOTE(review): "none" here with listen_tcp = 1 puts credentials and
    | # every management call on the wire in cleartext (see the warning
    | # above); this template does not cross-check the two. Keep "sasl"
    | # with an encrypting mechanism in /etc/sasl2/libvirt.conf (GSSAPI -
    | # DIGEST-MD5 has been deprecated by RFC 6331), or leave this unset.
187 | <% if @auth_tcp -%>
188 | auth_tcp = "<%= @auth_tcp %>"
189 | <% end -%>
190 |
191 | # Change the authentication scheme for TLS sockets.
192 | #
193 | # TLS sockets already have encryption provided by the TLS
194 | # layer, and limited authentication is done by certificates
195 | #
196 | # It is possible to make use of any SASL authentication
197 | # mechanism as well, by using 'sasl' for this option
198 | #auth_tls = "none"
    | # Rendered from auth_tls, quoted verbatim. With the "none" default the
    | # only authentication on this socket is the x509 client-certificate
    | # check, so it must not be combined with tls_no_verify_certificate
    | # below; add "sasl" when per-user identity is needed and
    | # tls_allowed_dn_list is not enough.
199 | <% if @auth_tls -%>
200 | auth_tls = "<%= @auth_tls %>"
201 | <% end -%>
202 |
203 |
204 |
205 | #################################################################
206 | #
207 | # TLS x509 certificate configuration
208 | #
209 |
210 |
211 | # Override the default server key file path
212 | #
213 | #key_file = "/etc/pki/libvirt/private/serverkey.pem"
214 |
215 | # Override the default server certificate file path
216 | #
217 | #cert_file = "/etc/pki/libvirt/servercert.pem"
218 |
219 | # Override the default CA certificate path
220 | #
221 | #ca_file = "/etc/pki/CA/cacert.pem"
222 |
223 | # Specify a certificate revocation list.
224 | #
225 | # Defaults to not using a CRL, uncomment to enable it
226 | #crl_file = "/etc/pki/CA/crl.pem"
227 |
228 |
229 |
230 | #################################################################
231 | #
232 | # Authorization controls
233 | #
234 |
235 |
236 | # Flag to disable verification of our own server certificates
237 | #
238 | # When libvirtd starts it performs some sanity checks against
239 | # its own certificates.
240 | #
241 | # Default is to always run sanity checks. Uncommenting this
242 | # will disable sanity checks which is not a good idea
243 | #tls_no_sanity_certificate = 1
244 |
245 | # Flag to disable verification of client certificates
246 | #
247 | # Client certificate verification is the primary authentication mechanism.
248 | # Any client which does not present a certificate signed by the CA
249 | # will be rejected.
250 | #
251 | # Default is to always verify. Uncommenting this will disable
252 | # verification - make sure an IP whitelist is enforced elsewhere
253 | # (e.g. by a host firewall) before doing so
253 | #tls_no_verify_certificate = 1
254 |
255 |
256 | # A whitelist of allowed x509 Distinguished Names
257 | # This list may contain wildcards such as
258 | #
259 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
260 | #
261 | # See the POSIX fnmatch function for the format of the wildcards.
262 | #
263 | # NB If this is an empty list, no client can connect, so comment out
264 | # entirely rather than using empty list to disable these checks
265 | #
266 | # By default, no DN's are checked
267 | #tls_allowed_dn_list = ["DN1", "DN2"]
268 |
269 |
270 | # A whitelist of allowed SASL usernames. The format for usernames
271 | # depends on the SASL authentication mechanism. Kerberos usernames
272 | # look like username@REALM
273 | #
274 | # This list may contain wildcards such as
275 | #
276 | # "*@EXAMPLE.COM"
277 | #
278 | # See the POSIX fnmatch function for the format of the wildcards.
279 | #
280 | # NB If this is an empty list, no client can connect, so comment out
281 | # entirely rather than using empty list to disable these checks
282 | #
283 | # By default, no usernames are checked
284 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
285 |
286 |
287 |
288 | #################################################################
289 | #
290 | # Processing controls
291 | #
292 |
293 | # The maximum number of concurrent client connections to allow
294 | # over all sockets combined.
295 | #max_clients = 20
296 |
297 |
298 | # The minimum limit sets the number of workers to start up
299 | # initially. If the number of active clients exceeds this,
300 | # then more threads are spawned, up to max_workers limit.
301 | # Typically you'd want max_workers to equal maximum number
302 | # of clients allowed
303 | #min_workers = 5
304 | #max_workers = 20
305 |
306 |
307 | # The number of priority workers. If all workers from above
308 | # pool are stuck, some calls marked as high priority
309 | # (notably domainDestroy) can be executed in this pool.
310 | #prio_workers = 5
311 |
312 | # Total global limit on concurrent RPC calls. Should be
313 | # at least as large as max_workers. Beyond this, RPC requests
314 | # will be read into memory and queued. This directly impacts
315 | # memory usage, currently each request requires 256 KB of
316 | # memory. So by default up to 5 MB of memory is used
317 | #
318 | # XXX this isn't actually enforced yet, only the per-client
319 | # limit is used so far
320 | #max_requests = 20
321 |
322 | # Limit on concurrent requests from a single client
323 | # connection. To avoid one client monopolizing the server
324 | # this should be a small fraction of the global max_requests
325 | # and max_workers parameter
326 | #max_client_requests = 5
327 |
328 | #################################################################
329 | #
330 | # Logging controls
331 | #
332 |
333 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
334 | # basically 1 will log everything possible
335 | #log_level = 3
336 |
337 | # Logging filters:
338 | # A filter allows selecting a different logging level for a given category
339 | # of logs
340 | # The format for a filter is:
341 | # x:name
342 | # where name is a match string e.g. remote or qemu
343 | # the x prefix is the minimal level where matching messages should be logged
344 | # 1: DEBUG
345 | # 2: INFO
346 | # 3: WARNING
347 | # 4: ERROR
348 | #
349 | # Multiple filter can be defined in a single @filters, they just need to be
350 | # separated by spaces.
351 | #
352 | # e.g:
353 | # log_filters="3:remote 4:event"
354 | # to only get warning or errors from the remote layer and only errors from
355 | # the event layer.
356 |
357 | # Logging outputs:
358 | # An output is one of the places to save logging information
359 | # The format for an output can be:
360 | # x:stderr
361 | # output goes to stderr
362 | # x:syslog:name
363 | # use syslog for the output and use the given name as the ident
364 | # x:file:file_path
365 | # output to a file, with the given filepath
366 | # In all cases the x prefix is the minimal level, acting as a filter
367 | # 1: DEBUG
368 | # 2: INFO
369 | # 3: WARNING
370 | # 4: ERROR
371 | #
372 | # Multiple output can be defined, they just need to be separated by spaces.
373 | # e.g.:
374 | # log_outputs="3:syslog:libvirtd"
375 | # to log all warnings and errors to syslog under the libvirtd ident
376 |
377 | # Log debug buffer size: default 64
378 | # The daemon keeps an internal debug log buffer which will be dumped in case
379 | # of crash or upon receiving a SIGUSR2 signal. This setting allows overriding
380 | # the default buffer size in kilobytes.
381 | # If value is 0 or less the debug log buffer is deactivated
382 | #log_buffer_size = 64
383 |
384 |
385 | ##################################################################
386 | #
387 | # Auditing
388 | #
389 | # This setting allows usage of the auditing subsystem to be altered:
390 | #
391 | # audit_level == 0 -> disable all auditing
392 | # audit_level == 1 -> enable auditing, only if enabled on host (default)
393 | # audit_level == 2 -> enable auditing, and exit if disabled on host
394 | #
395 | #audit_level = 2
396 | #
397 | # If set to 1, then audit messages will also be sent
398 | # via libvirt logging infrastructure. Defaults to 0
399 | #
400 | #audit_logging = 1
401 |
402 | ###################################################################
403 | # UUID of the host:
404 | # Provide the UUID of the host here in case the command
405 | # 'dmidecode -s system-uuid' does not provide a valid uuid. In case
406 | # 'dmidecode' does not provide a valid UUID and none is provided here, a
407 | # temporary UUID will be generated.
408 | # Keep the format of the example UUID below. UUID must not have all digits
409 | # be the same.
410 |
411 | # NB This default all-zeros UUID will not work. Replace
412 | # it with the output of the 'uuidgen' command and then
413 | # uncomment this entry
414 | #host_uuid = "00000000-0000-0000-0000-000000000000"
415 |
416 | ###################################################################
417 | # Keepalive protocol:
418 | # This allows libvirtd to detect broken client connections or even
419 | # dead client. A keepalive message is sent to a client after
420 | # keepalive_interval seconds of inactivity to check if the client is
421 | # still responding; keepalive_count is a maximum number of keepalive
422 | # messages that are allowed to be sent to the client without getting
423 | # any response before the connection is considered broken. In other
424 | # words, the connection is automatically closed approximately after
425 | # keepalive_interval * (keepalive_count + 1) seconds since the last
426 | # message received from the client. If keepalive_interval is set to
427 | # -1, libvirtd will never send keepalive requests; however clients
428 | # can still send them and the daemon will send responses. When
429 | # keepalive_count is set to 0, connections will be automatically
430 | # closed after keepalive_interval seconds of inactivity without
431 | # sending any keepalive messages. Disabled by default.
432 | #
433 | #keepalive_interval = 5
434 | #keepalive_count = 5
435 | #
436 | # If set to 1, libvirtd will refuse to talk to clients that do not
437 | # support keepalive protocol. Defaults to 0.
438 | #
439 | #keepalive_required = 1
440 |
--------------------------------------------------------------------------------
/templates/libvirtd.conf-el8.erb:
--------------------------------------------------------------------------------
1 | # Master libvirt daemon configuration file
2 | #
3 | # For further information consult https://libvirt.org/format.html
4 | #
5 | # NOTE: the tests/daemon-conf regression test script requires
6 | # that each "PARAMETER = VALUE" line in this file have the parameter
7 | # name just after a leading "#".
8 |
9 | #################################################################
10 | #
11 | # Network connectivity controls
12 | #
13 |
14 | # Flag listening for secure TLS connections on the public TCP/IP port.
15 | # NB, must pass the --listen flag to the libvirtd process for this to
16 | # have any effect.
17 | #
18 | # It is necessary to setup a CA and issue server certificates before
19 | # using this capability.
20 | #
21 | # This is enabled by default, uncomment this to disable it
22 | #listen_tls = 0
23 |
24 | # Listen for unencrypted TCP connections on the public TCP/IP port.
25 | # NB, must pass the --listen flag to the libvirtd process for this to
26 | # have any effect.
27 | #
28 | # Using the TCP socket requires SASL authentication by default. Only
29 | # SASL mechanisms which support data encryption are allowed. This is
30 | # DIGEST_MD5 and GSSAPI (Kerberos5)
31 | #
32 | # This is disabled by default, uncomment this to enable it.
33 | #listen_tcp = 1
34 |
35 |
36 |
37 | # Override the port for accepting secure TLS connections
38 | # This can be a port number, or service name
39 | #
40 | #tls_port = "16514"
41 |
42 | # Override the port for accepting insecure TCP connections
43 | # This can be a port number, or service name
44 | #
45 | #tcp_port = "16509"
46 |
47 |
48 | # Override the default configuration which binds to all network
49 | # interfaces. This can be a numeric IPv4/6 address, or hostname
50 | #
51 | # If the libvirtd service is started in parallel with network
52 | # startup (e.g. with systemd), binding to addresses other than
53 | # the wildcards (0.0.0.0/::) might not be available yet.
54 | #
55 | #listen_addr = "192.168.0.1"
56 |
57 |
58 | # Flag toggling mDNS advertizement of the libvirt service.
59 | #
60 | # Alternatively can disable for all services on a host by
61 | # stopping the Avahi daemon
62 | #
63 | # This is disabled by default, uncomment this to enable it
64 | #mdns_adv = 1
65 |
66 | # Override the default mDNS advertizement name. This must be
67 | # unique on the immediate broadcast network.
68 | #
69 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME
70 | # is substituted for the short hostname of the machine (without domain)
71 | #
72 | #mdns_name = "Virtualization Host Joe Demo"
73 |
74 |
75 | #################################################################
76 | #
77 | # UNIX socket access controls
78 | #
79 |
80 | # Set the UNIX domain socket group ownership. This can be used to
81 | # allow a 'trusted' set of users access to management capabilities
82 | # without becoming root.
83 | #
84 | # This is restricted to 'root' by default.
85 | #unix_sock_group = "libvirt"
86 |
87 | # Set the UNIX socket permissions for the R/O socket. This is used
88 | # for monitoring VM status only
89 | #
90 | # Default allows any user. If setting group ownership, you may want to
91 | # restrict this too.
92 | #unix_sock_ro_perms = "0777"
93 |
94 | # Set the UNIX socket permissions for the R/W socket. This is used
95 | # for full management of VMs
96 | #
97 | # Default allows only root. If PolicyKit is enabled on the socket,
98 | # the default will change to allow everyone (eg, 0777)
99 | #
100 | # If not using PolicyKit and setting group ownership for access
101 | # control, then you may want to relax this too.
102 | #unix_sock_rw_perms = "0770"
103 |
104 | # Set the UNIX socket permissions for the admin interface socket.
105 | #
106 | # Default allows only owner (root), do not change it unless you are
107 | # sure to whom you are exposing the access.
108 | #unix_sock_admin_perms = "0700"
109 |
110 | # Set the name of the directory in which sockets will be found/created.
111 | #unix_sock_dir = "/var/run/libvirt"
112 |
113 |
114 |
115 | #################################################################
116 | #
117 | # Authentication.
118 | #
119 | # - none: do not perform auth checks. If you can connect to the
120 | # socket you are allowed. This is suitable if there are
121 | # restrictions on connecting to the socket (eg, UNIX
122 | # socket permissions), or if there is a lower layer in
123 | # the network providing auth (eg, TLS/x509 certificates)
124 | #
125 | # - sasl: use SASL infrastructure. The actual auth scheme is then
126 | # controlled from /etc/sasl2/libvirt.conf. For the TCP
127 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
128 | # For non-TCP or TLS sockets, any scheme is allowed.
129 | #
130 | # - polkit: use PolicyKit to authenticate. This is only suitable
131 | # for use on the UNIX sockets. The default policy will
132 | # require a user to supply their own password to gain
133 | # full read/write access (aka sudo like), while anyone
134 | # is allowed read/only access.
135 | #
136 | # Set an authentication scheme for UNIX read-only sockets
137 | # By default socket permissions allow anyone to connect
138 | #
139 | # To restrict monitoring of domains you may wish to enable
140 | # an authentication mechanism here
141 | #auth_unix_ro = "none"
142 |
143 | # Set an authentication scheme for UNIX read-write sockets
144 | # By default socket permissions only allow root. If PolicyKit
145 | # support was compiled into libvirt, the default will be to
146 | # use 'polkit' auth.
147 | #
148 | # If the unix_sock_rw_perms are changed you may wish to enable
149 | # an authentication mechanism here
150 | #auth_unix_rw = "none"
151 |
152 | # Change the authentication scheme for TCP sockets.
153 | #
154 | # If you don't enable SASL, then all TCP traffic is cleartext.
155 | # Don't do this outside of a dev/test scenario. For real world
156 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5
157 | # mechanism in /etc/sasl2/libvirt.conf
158 | #auth_tcp = "sasl"
159 |
160 | # Change the authentication scheme for TLS sockets.
161 | #
162 | # TLS sockets already have encryption provided by the TLS
163 | # layer, and limited authentication is done by certificates
164 | #
165 | # It is possible to make use of any SASL authentication
166 | # mechanism as well, by using 'sasl' for this option
167 | #auth_tls = "none"
168 |
169 |
170 | # Change the API access control scheme
171 | #
172 | # By default an authenticated user is allowed access
173 | # to all APIs. Access drivers can place restrictions
174 | # on this. By default the 'nop' driver is enabled,
175 | # meaning no access control checks are done once a
176 | # client has authenticated with libvirtd
177 | #
178 | #access_drivers = [ "polkit" ]
179 |
180 | #################################################################
181 | #
182 | # TLS x509 certificate configuration
183 | #
184 |
185 | # Use of TLS requires that x509 certificates be issued. The default locations
186 | # for the certificate files are as follows:
187 | #
188 | # /etc/pki/CA/cacert.pem - The CA master certificate
189 | # /etc/pki/libvirt/servercert.pem - The server certificate signed with
190 | # the cacert.pem
191 | # /etc/pki/libvirt/private/serverkey.pem - The server private key
192 | #
193 | # It is possible to override the default locations by altering the 'key_file',
194 | # 'cert_file', and 'ca_file' values and uncommenting them below.
195 | #
196 | # NB, overriding the default of one location requires uncommenting and
197 | # possibly additionally overriding the other settings.
198 | #
199 |
200 | # Override the default server key file path
201 | #
202 | #key_file = "/etc/pki/libvirt/private/serverkey.pem"
203 |
204 | # Override the default server certificate file path
205 | #
206 | #cert_file = "/etc/pki/libvirt/servercert.pem"
207 |
208 | # Override the default CA certificate path
209 | #
210 | #ca_file = "/etc/pki/CA/cacert.pem"
211 |
212 | # Specify a certificate revocation list.
213 | #
214 | # Defaults to not using a CRL, uncomment to enable it
215 | #crl_file = "/etc/pki/CA/crl.pem"
216 |
217 |
218 |
219 | #################################################################
220 | #
221 | # Authorization controls
222 | #
223 |
224 |
225 | # Flag to disable verification of our own server certificates
226 | #
227 | # When libvirtd starts it performs some sanity checks against
228 | # its own certificates.
229 | #
230 | # Default is to always run sanity checks. Uncommenting this
231 | # will disable sanity checks which is not a good idea
232 | #tls_no_sanity_certificate = 1
233 |
234 | # Flag to disable verification of client certificates
235 | #
236 | # Client certificate verification is the primary authentication mechanism.
237 | # Any client which does not present a certificate signed by the CA
238 | # will be rejected.
239 | #
240 | # Default is to always verify. Uncommenting this will disable
241 | # verification - make sure an IP whitelist is set
242 | #tls_no_verify_certificate = 1
243 |
244 |
245 | # A whitelist of allowed x509 Distinguished Names
246 | # This list may contain wildcards such as
247 | #
248 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
249 | #
250 | # See the POSIX fnmatch function for the format of the wildcards.
251 | #
252 | # NB If this is an empty list, no client can connect, so comment out
253 | # entirely rather than using empty list to disable these checks
254 | #
255 | # By default, no DNs are checked
256 | #tls_allowed_dn_list = ["DN1", "DN2"]
257 |
258 |
259 | # A whitelist of allowed SASL usernames. The format for usernames
260 | # depends on the SASL authentication mechanism. Kerberos usernames
261 | # look like username@REALM
262 | #
263 | # This list may contain wildcards such as
264 | #
265 | # "*@EXAMPLE.COM"
266 | #
267 | # See the POSIX fnmatch function for the format of the wildcards.
268 | #
269 | # NB If this is an empty list, no client can connect, so comment out
270 | # entirely rather than using empty list to disable these checks
271 | #
272 | # By default, no usernames are checked
273 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
274 |
275 |
276 | # Override the compile time default TLS priority string. The
277 | # default is usually "NORMAL" unless overridden at build time.
278 | # Only set this if it is desired for libvirt to deviate from
279 | # the global default settings.
280 | #
281 | #tls_priority="NORMAL"
282 |
283 |
284 | #################################################################
285 | #
286 | # Processing controls
287 | #
288 |
289 | # The maximum number of concurrent client connections to allow
290 | # over all sockets combined.
291 | #max_clients = 5000
292 |
293 | # The maximum length of queue of connections waiting to be
294 | # accepted by the daemon. Note that some protocols supporting
295 | # retransmission may obey this so that a later reattempt at
296 | # connection succeeds.
297 | #max_queued_clients = 1000
298 |
299 | # The maximum length of queue of accepted but not yet
300 | # authenticated clients. The default value is 20. Set this to
301 | # zero to turn this feature off.
302 | #max_anonymous_clients = 20
303 |
304 | # The minimum limit sets the number of workers to start up
305 | # initially. If the number of active clients exceeds this,
306 | # then more threads are spawned, up to max_workers limit.
307 | # Typically you'd want max_workers to equal maximum number
308 | # of clients allowed
309 | #min_workers = 5
310 | #max_workers = 20
311 |
312 |
313 | # The number of priority workers. If all workers from above
314 | # pool are stuck, some calls marked as high priority
315 | # (notably domainDestroy) can be executed in this pool.
316 | #prio_workers = 5
317 |
318 | # Limit on concurrent requests from a single client
319 | # connection. To avoid one client monopolizing the server
320 | # this should be a small fraction of the global max_workers
321 | # parameter.
322 | #max_client_requests = 5
323 |
324 | # Same processing controls, but this time for the admin interface.
325 | # For a description of each option, see the corresponding settings a few
326 | # lines above.
327 |
328 | #admin_min_workers = 1
329 | #admin_max_workers = 5
330 | #admin_max_clients = 5
331 | #admin_max_queued_clients = 5
332 | #admin_max_client_requests = 5
333 |
334 | #################################################################
335 | #
336 | # Logging controls
337 | #
338 |
339 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
340 | # basically 1 will log everything possible
341 | #
342 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
343 | #
344 | # WARNING: It outputs too much information to practically read.
345 | # WARNING: The "log_filters" setting is recommended instead.
346 | #
347 | # WARNING: Journald applies rate limiting of messages and so libvirt
348 | # WARNING: will limit "log_level" to only allow values 3 or 4 if
349 | # WARNING: journald is the current output.
350 | #
351 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
352 | #log_level = 3
353 |
354 | # Logging filters:
355 | # A filter allows selecting a different logging level for a given category
356 | # of logs. The format for a filter is one of:
357 | #
358 | # level:match
359 | # level:+match
360 | #
361 | # where 'match' is a string which is matched against the category
362 | # given in the VIR_LOG_INIT() at the top of each libvirt source
363 | # file, e.g., "remote", "qemu", or "util.json". The 'match' in the
364 | # filter matches using shell wildcard syntax (see 'man glob(7)').
365 | # The 'match' is always treated as a substring match. IOW a match
366 | # string 'foo' is equivalent to '*foo*'.
367 | #
368 | # If 'match' contains the optional "+" prefix, it tells libvirt
369 | # to log stack trace for each message matching name.
370 | #
371 | # 'level' is the minimal level where matching messages should
372 | # be logged:
373 | #
374 | # 1: DEBUG
375 | # 2: INFO
376 | # 3: WARNING
377 | # 4: ERROR
378 | #
379 | # Multiple filters can be defined in a single @log_filters, they just need
380 | # to be separated by spaces. Note that libvirt performs "first" match, i.e.
381 | # if there are concurrent filters, the first one that matches will be applied,
382 | # given the order in @log_filters.
383 | #
384 | # A typical need is to capture information from a hypervisor driver,
385 | # public API entrypoints and some of the utility code. Some utility
386 | # code is very verbose and is generally not desired. Taking the QEMU
387 | # hypervisor as an example, a suitable filter string for debugging
388 | # might be to turn off object, json & event logging, but enable the
389 | # rest of the util code:
390 | #
391 | #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
392 |
393 | # Logging outputs:
394 | # An output is one of the places to save logging information
395 | # The format for an output can be:
396 | # level:stderr
397 | # output goes to stderr
398 | # level:syslog:name
399 | # use syslog for the output and use the given name as the ident
400 | # level:file:file_path
401 | # output to a file, with the given filepath
402 | # level:journald
403 | # output to journald logging system
404 | # In all cases 'level' is the minimal priority, acting as a filter
405 | # 1: DEBUG
406 | # 2: INFO
407 | # 3: WARNING
408 | # 4: ERROR
409 | #
410 | # Multiple outputs can be defined, they just need to be separated by spaces.
411 | # e.g. to log all warnings and errors to syslog under the libvirtd ident:
412 | #log_outputs="3:syslog:libvirtd"
413 | #
414 |
415 |
416 | ##################################################################
417 | #
418 | # Auditing
419 | #
420 | # This setting allows usage of the auditing subsystem to be altered:
421 | #
422 | # audit_level == 0 -> disable all auditing
423 | # audit_level == 1 -> enable auditing, only if enabled on host (default)
424 | # audit_level == 2 -> enable auditing, and exit if disabled on host
425 | #
426 | #audit_level = 2
427 | #
428 | # If set to 1, then audit messages will also be sent
429 | # via libvirt logging infrastructure. Defaults to 0
430 | #
431 | #audit_logging = 1
432 |
433 | ###################################################################
434 | # UUID of the host:
435 | # Host UUID is read from one of the sources specified in host_uuid_source.
436 | #
437 | # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
438 | # - 'machine-id': fetch the UUID from /etc/machine-id
439 | #
440 | # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
441 | # a valid UUID a temporary UUID will be generated.
442 | #
443 | # Another option is to specify host UUID in host_uuid.
444 | #
445 | # Keep the format of the example UUID below. UUID must not have all digits
446 | # be the same.
447 |
448 | # NB This default all-zeros UUID will not work. Replace
449 | # it with the output of the 'uuidgen' command and then
450 | # uncomment this entry
451 | #host_uuid = "00000000-0000-0000-0000-000000000000"
452 | #host_uuid_source = "smbios"
453 |
454 | ###################################################################
455 | # Keepalive protocol:
456 | # This allows libvirtd to detect broken client connections or even
457 | # dead clients. A keepalive message is sent to a client after
458 | # keepalive_interval seconds of inactivity to check if the client is
459 | # still responding; keepalive_count is a maximum number of keepalive
460 | # messages that are allowed to be sent to the client without getting
461 | # any response before the connection is considered broken. In other
462 | # words, the connection is automatically closed approximately after
463 | # keepalive_interval * (keepalive_count + 1) seconds since the last
464 | # message received from the client. If keepalive_interval is set to
465 | # -1, libvirtd will never send keepalive requests; however clients
466 | # can still send them and the daemon will send responses. When
467 | # keepalive_count is set to 0, connections will be automatically
468 | # closed after keepalive_interval seconds of inactivity without
469 | # sending any keepalive messages.
470 | #
471 | #keepalive_interval = 5
472 | #keepalive_count = 5
473 |
474 | #
475 | # These configuration options are no longer used. There is no way to
476 | # restrict such clients from connecting since they first need to
477 | # connect in order to ask for keepalive.
478 | #
479 | #keepalive_required = 1
480 | #admin_keepalive_required = 1
481 |
482 | # Keepalive settings for the admin interface
483 | #admin_keepalive_interval = 5
484 | #admin_keepalive_count = 5
485 |
486 | ###################################################################
487 | # Open vSwitch:
488 | # This allows specifying a timeout for openvswitch calls made by
489 | # libvirt. The ovs-vsctl utility is used for the configuration and
490 | # its timeout option is set by default to 5 seconds to avoid
491 | # potential infinite waits blocking libvirt.
492 | #
493 | #ovs_timeout = 5
494 |
--------------------------------------------------------------------------------
/templates/libvirtd.conf-el8.orig:
--------------------------------------------------------------------------------
1 | # Master libvirt daemon configuration file
2 | #
3 | # For further information consult https://libvirt.org/format.html
4 | #
5 | # NOTE: the tests/daemon-conf regression test script requires
6 | # that each "PARAMETER = VALUE" line in this file have the parameter
7 | # name just after a leading "#".
8 |
9 | #################################################################
10 | #
11 | # Network connectivity controls
12 | #
13 |
14 | # Flag listening for secure TLS connections on the public TCP/IP port.
15 | # NB, must pass the --listen flag to the libvirtd process for this to
16 | # have any effect.
17 | #
18 | # It is necessary to setup a CA and issue server certificates before
19 | # using this capability.
20 | #
21 | # This is enabled by default, uncomment this to disable it
22 | #listen_tls = 0
23 |
24 | # Listen for unencrypted TCP connections on the public TCP/IP port.
25 | # NB, must pass the --listen flag to the libvirtd process for this to
26 | # have any effect.
27 | #
28 | # Using the TCP socket requires SASL authentication by default. Only
29 | # SASL mechanisms which support data encryption are allowed. This is
30 | # DIGEST_MD5 and GSSAPI (Kerberos5)
31 | #
32 | # This is disabled by default, uncomment this to enable it.
33 | #listen_tcp = 1
34 |
35 |
36 |
37 | # Override the port for accepting secure TLS connections
38 | # This can be a port number, or service name
39 | #
40 | #tls_port = "16514"
41 |
42 | # Override the port for accepting insecure TCP connections
43 | # This can be a port number, or service name
44 | #
45 | #tcp_port = "16509"
46 |
47 |
48 | # Override the default configuration which binds to all network
49 | # interfaces. This can be a numeric IPv4/6 address, or hostname
50 | #
51 | # If the libvirtd service is started in parallel with network
52 | # startup (e.g. with systemd), binding to addresses other than
53 | # the wildcards (0.0.0.0/::) might not be available yet.
54 | #
55 | #listen_addr = "192.168.0.1"
56 |
57 |
58 | # Flag toggling mDNS advertizement of the libvirt service.
59 | #
60 | # Alternatively can disable for all services on a host by
61 | # stopping the Avahi daemon
62 | #
63 | # This is disabled by default, uncomment this to enable it
64 | #mdns_adv = 1
65 |
66 | # Override the default mDNS advertizement name. This must be
67 | # unique on the immediate broadcast network.
68 | #
69 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME
70 | # is substituted for the short hostname of the machine (without domain)
71 | #
72 | #mdns_name = "Virtualization Host Joe Demo"
73 |
74 |
75 | #################################################################
76 | #
77 | # UNIX socket access controls
78 | #
79 |
80 | # Set the UNIX domain socket group ownership. This can be used to
81 | # allow a 'trusted' set of users access to management capabilities
82 | # without becoming root.
83 | #
84 | # This is restricted to 'root' by default.
85 | #unix_sock_group = "libvirt"
86 |
87 | # Set the UNIX socket permissions for the R/O socket. This is used
88 | # for monitoring VM status only
89 | #
90 | # Default allows any user. If setting group ownership, you may want to
91 | # restrict this too.
92 | #unix_sock_ro_perms = "0777"
93 |
94 | # Set the UNIX socket permissions for the R/W socket. This is used
95 | # for full management of VMs
96 | #
97 | # Default allows only root. If PolicyKit is enabled on the socket,
98 | # the default will change to allow everyone (eg, 0777)
99 | #
100 | # If not using PolicyKit and setting group ownership for access
101 | # control, then you may want to relax this too.
102 | #unix_sock_rw_perms = "0770"
103 |
104 | # Set the UNIX socket permissions for the admin interface socket.
105 | #
106 | # Default allows only owner (root), do not change it unless you are
107 | # sure to whom you are exposing the access.
108 | #unix_sock_admin_perms = "0700"
109 |
110 | # Set the name of the directory in which sockets will be found/created.
111 | #unix_sock_dir = "/var/run/libvirt"
112 |
113 |
114 |
115 | #################################################################
116 | #
117 | # Authentication.
118 | #
119 | # - none: do not perform auth checks. If you can connect to the
120 | # socket you are allowed. This is suitable if there are
121 | # restrictions on connecting to the socket (eg, UNIX
122 | # socket permissions), or if there is a lower layer in
123 | # the network providing auth (eg, TLS/x509 certificates)
124 | #
125 | # - sasl: use SASL infrastructure. The actual auth scheme is then
126 | # controlled from /etc/sasl2/libvirt.conf. For the TCP
127 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
128 | # For non-TCP or TLS sockets, any scheme is allowed.
129 | #
130 | # - polkit: use PolicyKit to authenticate. This is only suitable
131 | # for use on the UNIX sockets. The default policy will
132 | # require a user to supply their own password to gain
133 | # full read/write access (aka sudo like), while anyone
134 | # is allowed read/only access.
135 | #
136 | # Set an authentication scheme for UNIX read-only sockets
137 | # By default socket permissions allow anyone to connect
138 | #
139 | # To restrict monitoring of domains you may wish to enable
140 | # an authentication mechanism here
141 | #auth_unix_ro = "none"
142 |
143 | # Set an authentication scheme for UNIX read-write sockets
144 | # By default socket permissions only allow root. If PolicyKit
145 | # support was compiled into libvirt, the default will be to
146 | # use 'polkit' auth.
147 | #
148 | # If the unix_sock_rw_perms are changed you may wish to enable
149 | # an authentication mechanism here
150 | #auth_unix_rw = "none"
151 |
152 | # Change the authentication scheme for TCP sockets.
153 | #
154 | # If you don't enable SASL, then all TCP traffic is cleartext.
155 | # Don't do this outside of a dev/test scenario. For real world
156 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5
157 | # mechanism in /etc/sasl2/libvirt.conf
158 | #auth_tcp = "sasl"
159 |
160 | # Change the authentication scheme for TLS sockets.
161 | #
162 | # TLS sockets already have encryption provided by the TLS
163 | # layer, and limited authentication is done by certificates
164 | #
165 | # It is possible to make use of any SASL authentication
166 | # mechanism as well, by using 'sasl' for this option
167 | #auth_tls = "none"
168 |
169 |
170 | # Change the API access control scheme
171 | #
172 | # By default an authenticated user is allowed access
173 | # to all APIs. Access drivers can place restrictions
174 | # on this. By default the 'nop' driver is enabled,
175 | # meaning no access control checks are done once a
176 | # client has authenticated with libvirtd
177 | #
178 | #access_drivers = [ "polkit" ]
179 |
180 | #################################################################
181 | #
182 | # TLS x509 certificate configuration
183 | #
184 |
185 | # Use of TLS requires that x509 certificates be issued. The default locations
186 | # for the certificate files is as follows:
187 | #
188 | # /etc/pki/CA/cacert.pem - The CA master certificate
189 | # /etc/pki/libvirt/servercert.pem - The server certificate signed with
190 | # the cacert.pem
191 | # /etc/pki/libvirt/private/serverkey.pem - The server private key
192 | #
193 | # It is possible to override the default locations by altering the 'key_file',
194 | # 'cert_file', and 'ca_file' values and uncommenting them below.
195 | #
196 | # NB, overriding the default of one location requires uncommenting and
197 | # possibly additionally overriding the other settings.
198 | #
199 |
200 | # Override the default server key file path
201 | #
202 | #key_file = "/etc/pki/libvirt/private/serverkey.pem"
203 |
204 | # Override the default server certificate file path
205 | #
206 | #cert_file = "/etc/pki/libvirt/servercert.pem"
207 |
208 | # Override the default CA certificate path
209 | #
210 | #ca_file = "/etc/pki/CA/cacert.pem"
211 |
212 | # Specify a certificate revocation list.
213 | #
214 | # Defaults to not using a CRL, in which case a revoked certificate is still accepted until it expires; uncomment to enable it
215 | #crl_file = "/etc/pki/CA/crl.pem"
216 |
217 |
218 |
219 | #################################################################
220 | #
221 | # Authorization controls
222 | #
223 |
224 |
225 | # Flag to disable verification of our own server certificates
226 | #
227 | # When libvirtd starts it performs some sanity checks against
228 | # its own certificates.
229 | #
230 | # Default is to always run sanity checks. Uncommenting this
231 | # will disable sanity checks which is not a good idea
232 | #tls_no_sanity_certificate = 1
233 |
234 | # Flag to disable verification of client certificates
235 | #
236 | # Client certificate verification is the primary authentication mechanism.
237 | # Any client which does not present a certificate signed by the CA
238 | # will be rejected.
239 | #
240 | # Default is to always verify. Uncommenting this disables verification, so with the default auth_tls = "none"
241 | # any client that can reach the TLS port is accepted (and the DN whitelist below, which presupposes a verified certificate, should not be relied on) - restrict which hosts can reach the port by other means, e.g. firewall rules
242 | #tls_no_verify_certificate = 1
243 |
244 |
245 | # A whitelist of allowed x509 Distinguished Names
246 | # This list may contain wildcards such as
247 | #
248 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
249 | #
250 | # See the POSIX fnmatch function for the format of the wildcards.
251 | #
252 | # NB If this is an empty list, no client can connect, so comment out
253 | # entirely rather than using empty list to disable these checks
254 | #
255 | # By default, no DN's are checked
256 | #tls_allowed_dn_list = ["DN1", "DN2"]
257 |
258 |
259 | # A whitelist of allowed SASL usernames. The format for username
260 | # depends on the SASL authentication mechanism. Kerberos usernames
261 | # look like username@REALM
262 | #
263 | # This list may contain wildcards such as
264 | #
265 | # "*@EXAMPLE.COM"
266 | #
267 | # See the POSIX fnmatch function for the format of the wildcards.
268 | #
269 | # NB If this is an empty list, no client can connect, so comment out
270 | # entirely rather than using empty list to disable these checks
271 | #
272 | # By default, no Username's are checked
273 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
274 |
275 |
276 | # Override the compile time default TLS priority string (a GnuTLS priority string,
277 | # which selects the permitted protocol versions and cipher suites). The
278 | # default is usually "NORMAL" unless overridden at build time.
279 | # Only set this if it is desired for libvirt to deviate from the global default settings.
280 | #
281 | #tls_priority="NORMAL"
282 |
283 |
284 | #################################################################
285 | #
286 | # Processing controls
287 | #
288 |
289 | # The maximum number of concurrent client connections to allow
290 | # over all sockets combined.
291 | #max_clients = 5000
292 |
293 | # The maximum length of the queue of connections waiting to be
294 | # accepted by the daemon. Note that transports which retransmit may
295 | # retry, so a connection that was dropped while the queue was full can
296 | # still succeed on a later attempt.
297 | #max_queued_clients = 1000
298 |
299 | # The maximum number of accepted but not yet authenticated clients held at
300 | # once, which bounds connection exhaustion by unauthenticated peers. The default
301 | # value is 20. Setting it to zero turns the limit off entirely (no cap).
302 | #max_anonymous_clients = 20
303 |
304 | # The minimum limit sets the number of workers to start up
305 | # initially. If the number of active clients exceeds this,
306 | # then more threads are spawned, up to max_workers limit.
307 | # Typically you'd want max_workers to equal maximum number
308 | # of clients allowed
309 | #min_workers = 5
310 | #max_workers = 20
311 |
312 |
313 | # The number of priority workers. If all workers from above
314 | # pool are stuck, some calls marked as high priority
315 | # (notably domainDestroy) can be executed in this pool.
316 | #prio_workers = 5
317 |
318 | # Limit on concurrent requests from a single client
319 | # connection. To avoid one client monopolizing the server
320 | # this should be a small fraction of the global max_workers
321 | # parameter.
322 | #max_client_requests = 5
323 |
324 | # Same processing controls, but this time for the admin interface.
325 | # For description of each option, be so kind to scroll few lines
326 | # upwards.
327 |
328 | #admin_min_workers = 1
329 | #admin_max_workers = 5
330 | #admin_max_clients = 5
331 | #admin_max_queued_clients = 5
332 | #admin_max_client_requests = 5
333 |
334 | #################################################################
335 | #
336 | # Logging controls
337 | #
338 |
339 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
340 | # basically 1 will log everything possible
341 | #
342 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
343 | #
344 | # WARNING: It outputs too much information to practically read.
345 | # WARNING: The "log_filters" setting is recommended instead.
346 | #
347 | # WARNING: Journald applies rate limiting of messages and so libvirt
348 | # WARNING: will limit "log_level" to only allow values 3 or 4 if
349 | # WARNING: journald is the current output.
350 | #
351 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
352 | #log_level = 3
353 |
354 | # Logging filters:
355 | # A filter selects a different logging level for a given category
356 | # of logs. The format for a filter is one of:
357 | #
358 | # level:match
359 | # level:+match
360 | #
361 | # where 'match' is a string which is matched against the category
362 | # given in the VIR_LOG_INIT() at the top of each libvirt source
363 | # file, e.g., "remote", "qemu", or "util.json". The 'match' in the
364 | # filter matches using shell wildcard syntax (see 'man glob(7)').
365 | # The 'match' is always treated as a substring match. IOW a match
366 | # string 'foo' is equivalent to '*foo*'.
367 | #
368 | # If 'match' contains the optional "+" prefix, it tells libvirt
369 | # to log stack trace for each message matching name.
370 | #
371 | # 'level' is the minimal level where matching messages should
372 | # be logged:
373 | #
374 | # 1: DEBUG
375 | # 2: INFO
376 | # 3: WARNING
377 | # 4: ERROR
378 | #
379 | # Multiple filters can be defined in a single @log_filters, they just need
380 | # to be separated by spaces. Note that libvirt performs "first" match, i.e.
381 | # if there are concurrent filters, the first one that matches will be applied,
382 | # given the order in @log_filters.
383 | #
384 | # A typical need is to capture information from a hypervisor driver,
385 | # public API entrypoints and some of the utility code. Some utility
386 | # code is very verbose and is generally not desired. Taking the QEMU
387 | # hypervisor as an example, a suitable filter string for debugging
388 | # might be to turn off object, json & event logging, but enable the
389 | # rest of the util code:
390 | #
391 | #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
392 |
393 | # Logging outputs:
394 | # An output is one of the places to save logging information
395 | # The format for an output can be:
396 | # level:stderr
397 | # output goes to stderr
398 | # level:syslog:name
399 | # use syslog for the output and use the given name as the ident
400 | # level:file:file_path
401 | # output to a file, with the given filepath
402 | # level:journald
403 | # output to journald logging system
404 | # In all cases 'level' is the minimal priority, acting as a filter
405 | # 1: DEBUG
406 | # 2: INFO
407 | # 3: WARNING
408 | # 4: ERROR
409 | #
410 | # Multiple outputs can be defined, they just need to be separated by spaces.
411 | # e.g. to log all warnings and errors to syslog under the libvirtd ident:
412 | #log_outputs="3:syslog:libvirtd"
413 | #
414 |
415 |
416 | ##################################################################
417 | #
418 | # Auditing
419 | #
420 | # This setting allows usage of the auditing subsystem to be altered:
421 | #
422 | # audit_level == 0 -> disable all auditing
423 | # audit_level == 1 -> enable auditing, only if enabled on host (default)
424 | # audit_level == 2 -> enable auditing, and exit if disabled on host
425 | #
426 | #audit_level = 2
427 | #
428 | # If set to 1, then audit messages will also be sent
429 | # via libvirt logging infrastructure. Defaults to 0
430 | #
431 | #audit_logging = 1
432 |
433 | ###################################################################
434 | # UUID of the host:
435 | # Host UUID is read from one of the sources specified in host_uuid_source.
436 | #
437 | # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
438 | # - 'machine-id': fetch the UUID from /etc/machine-id
439 | #
440 | # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
441 | # a valid UUID a temporary UUID will be generated.
442 | #
443 | # Another option is to specify host UUID in host_uuid.
444 | #
445 | # Keep the format of the example UUID below. UUID must not have all digits
446 | # be the same.
447 |
448 | # NB This default all-zeros UUID will not work. Replace
449 | # it with the output of the 'uuidgen' command and then
450 | # uncomment this entry
451 | #host_uuid = "00000000-0000-0000-0000-000000000000"
452 | #host_uuid_source = "smbios"
453 |
454 | ###################################################################
455 | # Keepalive protocol:
456 | # This allows libvirtd to detect broken client connections or even
457 | # dead clients. A keepalive message is sent to a client after
458 | # keepalive_interval seconds of inactivity to check if the client is
459 | # still responding; keepalive_count is a maximum number of keepalive
460 | # messages that are allowed to be sent to the client without getting
461 | # any response before the connection is considered broken. In other
462 | # words, the connection is automatically closed approximately after
463 | # keepalive_interval * (keepalive_count + 1) seconds since the last
464 | # message received from the client. If keepalive_interval is set to
465 | # -1, libvirtd will never send keepalive requests; however clients
466 | # can still send them and the daemon will send responses. When
467 | # keepalive_count is set to 0, connections will be automatically
468 | # closed after keepalive_interval seconds of inactivity without
469 | # sending any keepalive messages.
470 | #
471 | #keepalive_interval = 5
472 | #keepalive_count = 5
473 |
474 | #
475 | # These configuration options are no longer used. There is no way to
476 | # restrict such clients from connecting since they first need to
477 | # connect in order to ask for keepalive.
478 | #
479 | #keepalive_required = 1
480 | #admin_keepalive_required = 1
481 |
482 | # Keepalive settings for the admin interface
483 | #admin_keepalive_interval = 5
484 | #admin_keepalive_count = 5
485 |
486 | ###################################################################
487 | # Open vSwitch:
488 | # This allows to specify a timeout for openvswitch calls made by
489 | # libvirt. The ovs-vsctl utility is used for the configuration and
490 | # its timeout option is set by default to 5 seconds to avoid
491 | # potential infinite waits blocking libvirt.
492 | #
493 | #ovs_timeout = 5
494 |
--------------------------------------------------------------------------------
/templates/qemu.conf-el8.erb:
--------------------------------------------------------------------------------
1 | # Master configuration file for the QEMU driver.
2 | # All settings described here are optional - if omitted, sensible
3 | # defaults are used.
4 |
5 | # Use of TLS requires that x509 certificates be issued. The default is
6 | # to keep them in /etc/pki/qemu. This directory must contain
7 | #
8 | # ca-cert.pem - the CA master certificate
9 | # server-cert.pem - the server certificate signed with ca-cert.pem
10 | # server-key.pem - the server private key
11 | #
12 | # and optionally may contain
13 | #
14 | # dh-params.pem - the DH params configuration file
15 | #
16 | # If the directory does not exist, libvirtd will fail to start. If the
17 | # directory doesn't contain the necessary files, QEMU domains will fail
18 | # to start if they are configured to use TLS.
19 | #
20 | # In order to overwrite the default path alter the following. This path
21 | # definition will be used as the default path for other *_tls_x509_cert_dir
22 | # configuration settings if their default path does not exist or is not
23 | # specifically set.
24 | #
25 | #default_tls_x509_cert_dir = "/etc/pki/qemu"
26 |
27 |
28 | # The default TLS configuration only uses certificates for the server
29 | # allowing the client to verify the server's identity and establish
30 | # an encrypted channel.
31 | #
32 | # It is possible to use x509 certificates for authentication too, by
33 | # issuing an x509 certificate to every client who needs to connect.
34 | #
35 | # Enabling this option will reject any client who does not have a
36 | # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
37 | #
38 | # The default_tls_x509_cert_dir directory must also contain
39 | #
40 | # client-cert.pem - the client certificate signed with the ca-cert.pem
41 | # client-key.pem - the client private key
42 | #
43 | #default_tls_x509_verify = 1
44 |
45 | #
46 | # Libvirt assumes the server-key.pem file is unencrypted by default.
47 | # To use an encrypted server-key.pem file, the password to decrypt
48 | # the PEM file is required. Provide it by creating a secret object in
49 | # libvirt and then uncommenting this setting to set the UUID
50 | # of that secret.
51 | #
52 | # NB This default all-zeros UUID will not work. Replace it with the
53 | # output from the UUID for the TLS secret from a 'virsh secret-list'
54 | # command and then uncomment the entry
55 | #
56 | #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
57 |
58 |
59 | # VNC is configured to listen on 127.0.0.1 by default.
60 | # To make it listen on all public interfaces, uncomment
61 | # this next option.
62 | #
63 | # NB, strong recommendation to enable TLS (vnc_tls) + x509 certificate verification
64 | # (vnc_tls_x509_verify) when allowing public access; a VNC password alone is not adequate protection (see vnc_password)
65 | #
66 | #vnc_listen = "0.0.0.0"
67 |
68 | # Enable this option to have VNC served over an automatically created
69 | # unix socket. This prevents unprivileged access from users on the
70 | # host machine, though most VNC clients do not support it.
71 | #
72 | # This will only be enabled for VNC configurations that have listen
73 | # type=address but without any address specified. This setting takes
74 | # preference over vnc_listen.
75 | #
76 | #vnc_auto_unix_socket = 1
77 |
78 | # Enable use of TLS encryption on the VNC server. This requires
79 | # a VNC client which supports the VeNCrypt protocol extension.
80 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt
81 | # itself. UltraVNC, RealVNC, TightVNC do not support this
82 | #
83 | # It is necessary to setup CA and issue a server certificate
84 | # before enabling this.
85 | #
86 | #vnc_tls = 1
87 |
88 |
89 | # In order to override the default TLS certificate location for
90 | # vnc certificates, supply a valid path to the certificate directory.
91 | # If the provided path does not exist, libvirtd will fail to start.
92 | # If the path is not provided, but vnc_tls = 1, then the
93 | # default_tls_x509_cert_dir path will be used.
94 | #
95 | #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
96 |
97 |
98 | # The default TLS configuration only uses certificates for the server
99 | # allowing the client to verify the server's identity and establish
100 | # an encrypted channel.
101 | #
102 | # It is possible to use x509 certificates for authentication too, by
103 | # issuing an x509 certificate to every client who needs to connect.
104 | #
105 | # Enabling this option will reject any client that does not have a
106 | # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
107 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
108 | # files described in default_tls_x509_cert_dir.
109 | #
110 | # If this option is not supplied, it will be set to the value of
111 | # "default_tls_x509_verify".
112 | #
113 | #vnc_tls_x509_verify = 1
114 |
115 |
116 | # The default VNC password. Only the first 8 bytes are significant for
117 | # VNC passwords, so treat this as a weak, low-entropy control and pair it
118 | # with vnc_tls rather than relying on it alone. This parameter is only used if
119 | # the per-domain XML config does not already provide a password. To allow
120 | # access without passwords, leave this commented out. An empty string will
121 | # still enable passwords, but be rejected by QEMU, effectively preventing any use
122 | # of VNC. Never deploy the example value below, and avoid hard-coding a real password in this version-controlled template
123 | #
124 | #vnc_password = "XYZ12345"
125 |
126 |
127 | # Enable use of SASL encryption on the VNC server. This requires
128 | # a VNC client which supports the SASL protocol extension.
129 | # Examples include vinagre, virt-viewer and virt-manager
130 | # itself. UltraVNC, RealVNC, TightVNC do not support this
131 | #
132 | # It is necessary to configure /etc/sasl2/qemu.conf to choose
133 | # the desired SASL plugin (eg, GSSAPI for Kerberos)
134 | #
135 | #vnc_sasl = 1
136 |
137 |
138 | # The default SASL configuration file is located in /etc/sasl2/
139 | # When running libvirtd unprivileged, it may be desirable to
140 | # override the configs in this location. Set this parameter to
141 | # point to the directory, and create a qemu.conf in that location
142 | #
143 | #vnc_sasl_dir = "/some/directory/sasl2"
144 |
145 |
146 | # QEMU implements an extension for providing audio over a VNC connection,
147 | # though if your VNC client does not support it, your only chance for getting
148 | # sound output is through regular audio backends. By default, libvirt will
149 | # disable all QEMU sound backends if using VNC, since they can cause
150 | # permissions issues. Enabling this option will make libvirtd honor the
151 | # QEMU_AUDIO_DRV environment variable when using VNC.
152 | #
153 | #vnc_allow_host_audio = 0
154 |
155 |
156 |
157 | # SPICE is configured to listen on 127.0.0.1 by default.
158 | # To make it listen on all public interfaces, uncomment
159 | # this next option.
160 | #
161 | # NB, strong recommendation to enable TLS (spice_tls) + x509 certificate verification
162 | # when allowing public access; a SPICE password alone is not adequate protection (see spice_password)
163 | #
164 | #spice_listen = "0.0.0.0"
165 |
166 |
167 | # Enable use of TLS encryption on the SPICE server.
168 | #
169 | # It is necessary to setup CA and issue a server certificate
170 | # before enabling this.
171 | #
172 | #spice_tls = 1
173 |
174 |
175 | # In order to override the default TLS certificate location for
176 | # spice certificates, supply a valid path to the certificate directory.
177 | # If the provided path does not exist, libvirtd will fail to start.
178 | # If the path is not provided, but spice_tls = 1, then the
179 | # default_tls_x509_cert_dir path will be used.
180 | #
181 | #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
182 |
183 |
184 | # Enable this option to have SPICE served over an automatically created
185 | # unix socket. This prevents unprivileged access from users on the
186 | # host machine.
187 | #
188 | # This will only be enabled for SPICE configurations that have listen
189 | # type=address but without any address specified. This setting takes
190 | # preference over spice_listen.
191 | #
192 | #spice_auto_unix_socket = 1
193 |
194 |
195 | # The default SPICE password. This parameter is only used if the
196 | # per-domain XML config does not already provide a password. To
197 | # allow access without passwords, leave this commented out. An
198 | # empty string will still enable passwords, but be rejected by
199 | # QEMU, effectively preventing any use of SPICE. Never deploy the example
200 | # value below; pair a password with spice_tls, and avoid hard-coding a real one in this version-controlled template.
201 | #
202 | #spice_password = "XYZ12345"
203 |
204 |
205 | # Enable use of SASL encryption on the SPICE server. This requires
206 | # a SPICE client which supports the SASL protocol extension.
207 | #
208 | # It is necessary to configure /etc/sasl2/qemu.conf to choose
209 | # the desired SASL plugin (eg, GSSAPI for Kerberos)
210 | #
211 | #spice_sasl = 1
212 |
213 | # The default SASL configuration file is located in /etc/sasl2/
214 | # When running libvirtd unprivileged, it may be desirable to
215 | # override the configs in this location. Set this parameter to
216 | # point to the directory, and create a qemu.conf in that location
217 | #
218 | #spice_sasl_dir = "/some/directory/sasl2"
219 |
220 | # Enable use of TLS encryption on the chardev TCP transports.
221 | #
222 | # It is necessary to setup CA and issue a server certificate
223 | # before enabling this.
224 | #
225 | #chardev_tls = 1
226 |
227 |
228 | # In order to override the default TLS certificate location for character
229 | # device TCP certificates, supply a valid path to the certificate directory.
230 | # If the provided path does not exist, libvirtd will fail to start.
231 | # If the path is not provided, but chardev_tls = 1, then the
232 | # default_tls_x509_cert_dir path will be used.
233 | #
234 | #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
235 |
236 |
237 | # The default TLS configuration only uses certificates for the server
238 | # allowing the client to verify the server's identity and establish
239 | # an encrypted channel.
240 | #
241 | # It is possible to use x509 certificates for authentication too, by
242 | # issuing an x509 certificate to every client who needs to connect.
243 | #
244 | # Enabling this option will reject any client that does not have a
245 | # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
246 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
247 | # files described in default_tls_x509_cert_dir.
248 | #
249 | # If this option is not supplied, it will be set to the value of
250 | # "default_tls_x509_verify".
251 | #
252 | #chardev_tls_x509_verify = 1
253 |
254 |
255 | # Uncomment and use the following option to override the default secret
256 | # UUID provided in the default_tls_x509_secret_uuid parameter.
257 | #
258 | # NB This default all-zeros UUID will not work. Replace it with the
259 | # output from the UUID for the TLS secret from a 'virsh secret-list'
260 | # command and then uncomment the entry
261 | #
262 | #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
263 |
264 |
265 | # Enable use of TLS encryption for all VxHS network block devices that
266 | # don't specifically disable.
267 | #
268 | # When the VxHS network block device server is set up appropriately,
269 | # x509 certificates are required for authentication between the clients
270 | # (qemu processes) and the remote VxHS server.
271 | #
272 | # It is necessary to setup CA and issue the client certificate before
273 | # enabling this.
274 | #
275 | #vxhs_tls = 1
276 |
277 |
278 | # In order to override the default TLS certificate location for VxHS
279 | # backed storage, supply a valid path to the certificate directory.
280 | # This is used to authenticate the VxHS block device clients to the VxHS
281 | # server.
282 | #
283 | # If the provided path does not exist, libvirtd will fail to start.
284 | # If the path is not provided, but vxhs_tls = 1, then the
285 | # default_tls_x509_cert_dir path will be used.
286 | #
287 | # VxHS block device clients expect the client certificate and key to be
288 | # present in the certificate directory along with the CA master certificate.
289 | # If using the default environment, default_tls_x509_verify must be configured.
290 | # Since this is only a client the server-key.pem certificate is not needed.
291 | # Thus a VxHS directory must contain the following:
292 | #
293 | # ca-cert.pem - the CA master certificate
294 | # client-cert.pem - the client certificate signed with the ca-cert.pem
295 | # client-key.pem - the client private key
296 | #
297 | #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
298 |
299 |
300 |
301 | # Enable use of TLS encryption for all NBD disk devices that don't
302 | # specifically disable it.
303 | #
304 | # When the NBD server is set up appropriately, x509 certificates are required
305 | # for authentication between the client and the remote NBD server.
306 | #
307 | # It is necessary to setup CA and issue the client certificate before
308 | # enabling this.
309 | #
310 | #nbd_tls = 1
311 |
312 |
313 | # In order to override the default TLS certificate location for NBD
314 | # backed storage, supply a valid path to the certificate directory.
315 | # This is used to authenticate the NBD block device clients to the NBD
316 | # server.
317 | #
318 | # If the provided path does not exist, libvirtd will fail to start.
319 | # If the path is not provided, but nbd_tls = 1, then the
320 | # default_tls_x509_cert_dir path will be used.
321 | #
322 | # NBD block device clients expect the client certificate and key to be
323 | # present in the certificate directory along with the CA certificate.
324 | # Since this is only a client the server-key.pem certificate is not needed.
325 | # Thus a NBD directory must contain the following:
326 | #
327 | # ca-cert.pem - the CA master certificate
328 | # client-cert.pem - the client certificate signed with the ca-cert.pem
329 | # client-key.pem - the client private key
330 | #
331 | #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
332 |
333 |
334 | # In order to override the default TLS certificate location for migration
335 | # certificates, supply a valid path to the certificate directory. If the
336 | # provided path does not exist, libvirtd will fail to start. If the path is
337 | # not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
338 | # will be used. Once/if a default certificate is enabled/defined, migration
339 | # will then be able to use the certificate via migration API flags.
340 | #
341 | #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
342 |
343 |
344 | # The default TLS configuration only uses certificates for the server
345 | # allowing the client to verify the server's identity and establish
346 | # an encrypted channel.
347 | #
348 | # It is possible to use x509 certificates for authentication too, by
349 | # issuing an x509 certificate to every client who needs to connect.
350 | #
351 | # Enabling this option will reject any client that does not have a
352 | # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
353 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
354 | # files described in default_tls_x509_cert_dir.
355 | #
356 | # If this option is not supplied, it will be set to the value of
357 | # "default_tls_x509_verify".
358 | #
359 | #migrate_tls_x509_verify = 1
360 |
361 |
362 | # Uncomment and use the following option to override the default secret
363 | # UUID provided in the default_tls_x509_secret_uuid parameter.
364 | #
365 | # NB This default all-zeros UUID will not work. Replace it with the
366 | # output from the UUID for the TLS secret from a 'virsh secret-list'
367 | # command and then uncomment the entry
368 | #
369 | #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
370 |
371 |
372 | # By default, if no graphical front end is configured, libvirt will disable
373 | # QEMU audio output since directly talking to alsa/pulseaudio may not work
374 | # with various security settings. If you know what you're doing, enable
375 | # the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
376 | # environment variable when using nographics.
377 | #
378 | #nographics_allow_host_audio = 1
379 |
380 |
381 | # Override the port for creating both VNC and SPICE sessions (min).
382 | # This defaults to 5900 and increases for consecutive sessions
383 | # or when ports are occupied, until it hits the maximum.
384 | #
385 | # Minimum must be greater than or equal to 5900 as lower number would
386 | # result into negative vnc display number.
387 | #
388 | # Maximum must be less than 65536, because higher numbers do not make
389 | # sense as a port number.
390 | #
391 | #remote_display_port_min = 5900
392 | #remote_display_port_max = 65535
393 |
394 | # VNC WebSocket port policies, same rules apply as with remote display
395 | # ports. VNC WebSockets use similar display <-> port mappings, with
396 | # the exception being that ports start from 5700 instead of 5900.
397 | #
398 | #remote_websocket_port_min = 5700
399 | #remote_websocket_port_max = 65535
400 |
401 | # The default security driver is SELinux. If SELinux is disabled
402 | # on the host, then the security driver will automatically disable
403 | # itself. If you wish to disable QEMU SELinux security driver while
404 | # leaving SELinux enabled for the host in general, then set this to 'none' instead
405 | # (that drops MAC confinement of guest processes, leaving only the DAC separation). It's also possible to use more than one security
406 | # driver at the same time, for this use a list of names separated by
407 | # comma and delimited by square brackets. For example:
408 | #
409 | # security_driver = [ "selinux", "apparmor" ]
410 | #
411 | # Notes: The DAC security driver is always enabled; as a result, the
412 | # value of security_driver cannot contain "dac". The value "none" is
413 | # a special value; security_driver can be set to that value in
414 | # isolation, but it cannot appear in a list of drivers.
415 | #
416 | #security_driver = "selinux"
417 |
418 | # If set to non-zero, then the default security labeling
419 | # will make guests confined. If set to zero, then guests
420 | # will be unconfined by default. Defaults to 1.
421 | #security_default_confined = 1
422 |
423 | # If set to non-zero, then attempts to create unconfined guests will be
424 | # blocked, so no guest can opt out of confinement. Defaults to 0; consider enabling it on hosts that run untrusted guests.
425 | #security_require_confined = 1
426 |
427 | # The user for QEMU processes run by the system instance. It can be
428 | # specified as a user name or as a user id. The qemu driver will try to
429 | # parse this value first as a name and then, if the name doesn't exist,
430 | # as a user id.
431 | #
432 | # Since a sequence of digits is a valid user name, a leading plus sign
433 | # can be used to ensure that a user id will not be interpreted as a user
434 | # name.
435 | #
436 | # Some examples of valid values are:
437 | #
438 | # user = "qemu" # A user named "qemu"
439 | # user = "+0" # Super user (uid=0)
440 | # user = "100" # A user named "100" or a user with uid=100
441 | # NB: with user/group = "root" a compromised QEMU process already has full host privileges; prefer a dedicated unprivileged account.
442 | #user = "root"
443 |
444 | # The group for QEMU processes run by the system instance. It can be
445 | # specified in a similar way to user.
446 | #group = "root"
447 |
448 | # Whether libvirt should dynamically change file ownership
449 | # to match the configured user/group above. Defaults to 1.
450 | # Set to 0 to disable file ownership changes.
451 | #dynamic_ownership = 1
452 |
453 |
454 | # What cgroup controllers to make use of with QEMU guests
455 | #
456 | # - 'cpu' - use for scheduler tunables
457 | # - 'devices' - use for device whitelisting
458 | # - 'memory' - use for memory tunables
459 | # - 'blkio' - use for block devices I/O tunables
460 | # - 'cpuset' - use for CPUs and memory nodes
461 | # - 'cpuacct' - use for CPUs statistics.
462 | #
463 | # NB, even if configured here, they won't be used unless
464 | # the administrator has mounted cgroups, e.g.:
465 | #
466 | # mkdir /dev/cgroup
467 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
468 | #
469 | # They can be mounted anywhere, and different controllers
470 | # can be mounted in different locations. libvirt will detect
471 | # where they are located.
472 | #
473 | #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
474 |
475 | # This is the basic set of devices allowed / required by
476 | # all virtual machines.
477 | #
478 | # As well as this, any configured block backed disks,
479 | # all sound devices, and all PTY devices are allowed.
480 | #
481 | # This will only need setting if newer QEMU suddenly
482 | # wants some device we don't already know about.
483 | #
484 | #cgroup_device_acl = [
485 | # "/dev/null", "/dev/full", "/dev/zero",
486 | # "/dev/random", "/dev/urandom",
487 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
488 | # "/dev/rtc","/dev/hpet"
489 | #]
490 | #
491 | # RDMA migration requires the following extra files to be added to the list:
492 | # "/dev/infiniband/rdma_cm",
493 | # "/dev/infiniband/issm0",
494 | # "/dev/infiniband/issm1",
495 | # "/dev/infiniband/umad0",
496 | # "/dev/infiniband/umad1",
497 | # "/dev/infiniband/uverbs0"
498 |
499 |
500 | # The default format for QEMU/KVM guest save images is raw; that is, the
501 | # memory from the domain is dumped out directly to a file. If you have
502 | # guests with a large amount of memory, however, this can take up quite
503 | # a bit of space. If you would like to compress the images while they
504 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
505 | # for save_image_format. Note that this means you slow down the process of
506 | # saving a domain in order to save disk space; the list above is in descending
507 | # order by performance and ascending order by compression ratio.
508 | #
509 | # save_image_format is used when you use 'virsh save' or 'virsh managedsave'
510 | # for a scheduled save, and it is an error if the specified save_image_format
511 | # is not valid, or the requested compression program can't be found.
512 | #
513 | # dump_image_format is used when you use 'virsh dump' at emergency
514 | # crashdump, and if the specified dump_image_format is not valid, or
515 | # the requested compression program can't be found, this falls
516 | # back to "raw" compression.
517 | #
518 | # snapshot_image_format specifies the compression algorithm of the memory save
519 | # image when an external snapshot of a domain is taken. This does not apply
520 | # on disk image format. It is an error if the specified format isn't valid,
521 | # or the requested compression program can't be found.
522 | #
523 | #save_image_format = "raw"
524 | #dump_image_format = "raw"
525 | #snapshot_image_format = "raw"
526 |
527 | # When a domain is configured to be auto-dumped when libvirtd receives a
528 | # watchdog event from qemu guest, libvirtd will save dump files in directory
529 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
530 | #
531 | #auto_dump_path = "/var/lib/libvirt/qemu/dump"
532 |
533 | # When a domain is configured to be auto-dumped, enabling this flag
534 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
535 | # virDomainCoreDump API. That is, the system will avoid using the
536 | # file system cache while writing the dump file, but may cause
537 | # slower operation.
538 | #
539 | #auto_dump_bypass_cache = 0
540 |
541 | # When a domain is configured to be auto-started, enabling this flag
542 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
543 | # with the virDomainCreateWithFlags API. That is, the system will
544 | # avoid using the file system cache when restoring any managed state
545 | # file, but may cause slower operation.
546 | #
547 | #auto_start_bypass_cache = 0
548 |
549 | # If provided by the host and a hugetlbfs mount point is configured,
550 | # a guest may request huge page backing. When this mount point is
551 | # unspecified here, determination of a host mount point in /proc/mounts
552 | # will be attempted. Specifying an explicit mount overrides detection
553 | # of the same in /proc/mounts. Setting the mount point to "" will
554 | # disable guest hugepage backing. If desired, multiple mount points can
555 | # be specified at once, separated by comma and enclosed in square
556 | # brackets, for example:
557 | #
558 | # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
559 | #
560 | # The size of huge page served by specific mount point is determined by
561 | # libvirt at the daemon startup.
562 | #
563 | # NB, within these mount points, guests will create memory backing
564 | # files in a location of $MOUNTPOINT/libvirt/qemu
565 | #
566 | #hugetlbfs_mount = "/dev/hugepages"
567 |
568 |
569 | # Path to the setuid helper for creating tap devices. This executable
570 | # is used to create interfaces when libvirtd is
571 | # running unprivileged. libvirt invokes the helper directly, instead
572 | # of using "-netdev bridge", for security reasons.
573 | #bridge_helper = "/usr/libexec/qemu-bridge-helper"
574 |
575 |
576 |
577 | # If clear_emulator_capabilities is enabled, libvirt will drop all
578 | # privileged capabilities of the QEMU/KVM emulator. This is enabled by
579 | # default.
580 | #
581 | # Warning: Disabling this option means that a compromised guest can
582 | # exploit the privileges and possibly do damage to the host.
583 | #
584 | #clear_emulator_capabilities = 1
585 |
586 |
587 | # If enabled, libvirt will have QEMU set its process name to
588 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
589 | # process will appear as "qemu:VM_NAME" in process listings and
590 | # other system monitoring tools. By default, QEMU does not set
591 | # its process title, so the complete QEMU command (emulator and
592 | # its arguments) appear in process listings.
593 | #
594 | #set_process_name = 1
595 |
596 |
597 | # If max_processes is set to a positive integer, libvirt will use
598 | # it to set the maximum number of processes that can be run by the qemu
599 | # user. This can be used to override the default value set by the host OS.
600 | # The same applies to max_files which sets the limit on the maximum
601 | # number of opened files.
602 | #
603 | #max_processes = 0
604 | #max_files = 0
605 |
606 | # If max_core is set to a non-zero integer, then QEMU will be
607 | # permitted to create core dumps when it crashes, provided its
608 | # RAM size is smaller than the limit set.
609 | #
610 | # Be warned that the core dump will include a full copy of the
611 | # guest RAM, if the 'dump_guest_core' setting has been enabled,
612 | # or if the guest XML contains
613 | #
614 | #   <memory dumpCore="on">...guest ram...</memory>
615 | #
616 | # If guest RAM is to be included, set max_core to at least the size of
617 | # the largest expected guest plus another 1GB for QEMU host side memory
618 | # mappings. Such a dump also contains whatever the guest held in memory
619 | # (keys, passwords), so restrict access to where core files are written.
620 | # As a special case it can be set to the string "unlimited" to
621 | # to allow arbitrarily sized core dumps.
622 | #
623 | # By default the core dump size is set to 0 disabling all dumps
624 | #
625 | # Size is a positive integer specifying bytes or the
626 | # string "unlimited"
627 | #
628 | #max_core = "unlimited"
629 |
630 | # Determine if guest RAM is included in QEMU core dumps. By
631 | # default guest RAM will be excluded if a new enough QEMU is
632 | # present. Setting this to '1' will force guest RAM to always
633 | # be included in QEMU core dumps.
634 | #
635 | # This setting will be ignored if the guest XML has set the
636 | # dumpCore attribute on the <memory> element.
637 | #
638 | #dump_guest_core = 1
639 |
640 | # mac_filter enables MAC addressed based filtering on bridge ports.
641 | # This currently requires ebtables to be installed.
642 | #
643 | #mac_filter = 1
644 |
645 |
646 | # By default, PCI devices below a non-ACS switch are not allowed to be assigned
647 | # to guests, because without ACS such devices can exchange peer-to-peer traffic
648 | # that bypasses IOMMU isolation. Setting relaxed_acs_check to 1 allows them to
649 | # be assigned anyway; only do so if every device behind that switch is trusted.
650 | #relaxed_acs_check = 1
651 |
652 |
653 | # In order to prevent accidentally starting two domains that
654 | # share one writable disk, libvirt offers two approaches for
655 | # locking files. The first one is sanlock; the other one,
656 | # virtlockd, is libvirt's own implementation. Accepted values
657 | # are "sanlock" and "lockd".
658 | #
659 | #lock_manager = "lockd"
660 |
661 |
662 |
663 | # Set the maximum number of API calls queued on one domain. Further calls
664 | # over this threshold will fail when acquiring the job lock. In particular,
665 | # setting it to zero turns this feature off.
666 | # Note that the job lock is per domain.
667 | #
668 | #max_queued = 0
669 |
670 | ###################################################################
671 | # Keepalive protocol:
672 | # This allows qemu driver to detect broken connections to remote
673 | # libvirtd during peer-to-peer migration. A keepalive message is
674 | # sent to the daemon after keepalive_interval seconds of inactivity
675 | # to check if the daemon is still responding; keepalive_count is a
676 | # maximum number of keepalive messages that are allowed to be sent
677 | # to the daemon without getting any response before the connection
678 | # is considered broken. In other words, the connection is
679 | # automatically closed approximately after
680 | # keepalive_interval * (keepalive_count + 1) seconds since the last
681 | # message received from the daemon. If keepalive_interval is set to
682 | # -1, qemu driver will not send keepalive requests during
683 | # peer-to-peer migration; however, the remote libvirtd can still
684 | # send them and source libvirtd will send responses. When
685 | # keepalive_count is set to 0, connections will be automatically
686 | # closed after keepalive_interval seconds of inactivity without
687 | # sending any keepalive messages.
688 | #
689 | #keepalive_interval = 5
690 | #keepalive_count = 5
691 |
692 |
693 |
694 | # Use seccomp syscall sandbox in QEMU.
695 | # 1 == seccomp enabled, 0 == seccomp disabled
696 | #
697 | # If it is unset (or -1), then seccomp will be enabled
698 | # only if QEMU >= 2.11.0 is detected, otherwise it is
699 | # left disabled. This ensures the default config gets
700 | # protection for new QEMU using the blacklist approach.
701 | #
702 | #seccomp_sandbox = 1
703 |
704 |
705 | # Override the listen address for all incoming migrations. Defaults to
706 | # 0.0.0.0 (or :: if both host and qemu are capable of IPv6), i.e. every interface; prefer a dedicated migration network address where one exists.
707 | #migration_address = "0.0.0.0"
708 |
709 |
710 | # The default hostname or IP address which will be used by a migration
711 | # source for transferring migration data to this host. The migration
712 | # source has to be able to resolve this hostname and connect to it so
713 | # setting "localhost" will not work. By default, the host's configured
714 | # hostname is used.
715 | #migration_host = "host.example.com"
716 |
717 |
718 | # Override the port range used for incoming migrations.
719 | #
720 | # Minimum must be greater than 0, however when QEMU is not running as root,
721 | # setting the minimum to be lower than 1024 will not work.
722 | #
723 | # Maximum must not be greater than 65535.
724 | #
725 | #migration_port_min = 49152
726 | #migration_port_max = 49215
727 |
728 |
729 |
730 | # Timestamp QEMU's log messages (if QEMU supports it)
731 | #
732 | # Defaults to 1.
733 | #
734 | #log_timestamp = 0
735 |
736 |
737 | # Location of master nvram file
738 | #
739 | # When a domain is configured to use UEFI instead of standard
740 | # BIOS it may use a separate storage for UEFI variables. If
741 | # that's the case libvirt creates the variable store per domain
742 | # using this master file as image. Each UEFI firmware can,
743 | # however, have a different variable store. Therefore nvram is
744 | # a list of strings, where each item is of the form:
745 | #   ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
746 | # Later, when libvirt creates per domain variable store, this list is
747 | # searched for the master image. The UEFI firmware can be called
748 | # differently for different guest architectures. For instance, it's OVMF
749 | # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
750 | # follows this scheme.
751 | #nvram = [
752 | # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
753 | # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
754 | # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
755 | # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
756 | #]
757 |
758 | # The backend to use for handling stdout/stderr output from
759 | # QEMU processes.
760 | #
761 | # 'file': QEMU writes directly to a plain file. This is the
762 | # historical default, but allows QEMU to inflict a
763 | # denial of service attack on the host by exhausting
764 | # filesystem space
765 | #
766 | # 'logd': QEMU writes to a pipe provided by virtlogd daemon.
767 | # This is the current default, providing protection
768 | # against denial of service by performing log file
769 | # rollover when a size limit is hit.
770 | #
771 | #stdio_handler = "logd"
772 |
773 | # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
774 | # most verbose, and 0 representing no debugging output.
775 | #
776 | # The current logging levels defined in the gluster GFAPI are:
777 | #
778 | # 0 - None
779 | # 1 - Emergency
780 | # 2 - Alert
781 | # 3 - Critical
782 | # 4 - Error
783 | # 5 - Warning
784 | # 6 - Notice
785 | # 7 - Info
786 | # 8 - Debug
787 | # 9 - Trace
788 | #
789 | # Defaults to 4
790 | #
791 | #gluster_debug_level = 9
792 |
793 | # To enhance security, the QEMU driver is capable of creating private namespaces
794 | # for each domain started. Currently only the "mount" namespace is supported. If
795 | # enabled, the qemu process cannot see all the devices on the system,
796 | # only those configured for the domain in question. Libvirt then manages the
797 | # device entries throughout the domain lifetime. This namespace is turned on
798 | # by default.
799 | #namespaces = [ "mount" ]
800 |
801 | # This directory is used for memoryBacking source if configured as file.
802 | # NOTE: big files will be stored here
803 | #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
804 |
805 | # Path to the SCSI persistent reservations helper. This helper is
806 | # used whenever <reservations/> are enabled for SCSI LUN devices.
807 | #pr_helper = "/usr/bin/qemu-pr-helper"
808 |
809 | # User for the swtpm TPM Emulator
810 | #
811 | # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
812 | # and uses; alternative is 'root'
813 | #
814 | #swtpm_user = "tss"
815 | #swtpm_group = "tss"
816 |
--------------------------------------------------------------------------------