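├── .fixtures.yml ├── .gitignore ├── .nodeset.yml ├── CHANGELOG.md ├── Gemfile ├── LICENSE ├── README.md ├── Rakefile ├── lib └── puppet │ ├── provider │ └── libvirt_pool │ │ └── virsh.rb │ └── type │ └── libvirt_pool.rb ├── manifests ├── init.pp ├── network.pp └── params.pp ├── metadata.json ├── spec ├── acceptance │ ├── class_spec.rb │ ├── network_spec.rb │ └── nodesets │ │ ├── centos-64-x64.yml │ │ ├── default.yml │ │ ├── ubuntu-server-12042-x64.yml │ │ └── ubuntu-server-1404-x64.yml ├── classes │ └── libvirt_spec.rb ├── defines │ └── network_spec.rb ├── spec_helper.rb └── spec_helper_acceptance.rb ├── templates ├── default │ ├── libvirt-bin.erb │ └── libvirt-bin.orig ├── libvirt.conf.orig ├── libvirtd.conf-el8.erb ├── libvirtd.conf-el8.orig ├── libvirtd.conf.erb ├── libvirtd.conf.orig ├── lxc.conf.orig ├── network.xml.erb ├── qemu.conf-el8.erb ├── qemu.conf-el8.orig ├── qemu.conf.erb ├── qemu.conf.orig ├── sasl2 │ ├── libvirt.conf-el8.erb │ ├── libvirt.conf-el8.orig │ ├── libvirt.conf.erb │ ├── libvirt.conf.orig │ ├── qemu-kvm.conf-el8.erb │ ├── qemu-kvm.conf-el8.orig │ ├── qemu-kvm.conf.erb │ └── qemu-kvm.conf.orig └── sysconfig │ ├── libvirtd.erb │ └── libvirtd.orig └── tests └── init.pp
/.fixtures.yml: --------------------------------------------------------------------------------
# Test fixtures pulled in by puppetlabs_spec_helper before the spec run.
fixtures:
  repositories:
    # Fetched over https:// rather than git://: the git protocol carries no
    # transport authentication or integrity, so a fixture fetched that way
    # could be altered in transit, and GitHub no longer serves git:// at all.
    stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib"
  symlinks:
    libvirt: "#{source_dir}"
-------------------------------------------------------------------------------- /.gitignore: --------------------------------------------------------------------------------
.*.swp
pkg/
spec/fixtures
.rspec_system
Gemfile.lock
-------------------------------------------------------------------------------- /.nodeset.yml: --------------------------------------------------------------------------------
---
default_set: 'centos-64-x64'
sets:
  'centos-64-x64':
    nodes:
      "main.foo.vm":
        prefab: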
'centos-64-x64' 8 | 'debian-70rc1-x64': 9 | nodes: 10 | "main.foo.vm": 11 | prefab: 'debian-70rc1-x64' 12 | 'ubuntu-server-12042-x64': 13 | nodes: 14 | "main.foo.vm": 15 | prefab: 'ubuntu-server-12042-x64' 16 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | #### 2025-02-04 - 1.0.3 2 | * Remove legacy facts usage. 3 | * Remove obsolete validate functions. 4 | 5 | #### 2022-11-15 - 1.0.2 6 | * Add support for RHEL9. 7 | 8 | #### 2021-06-30 - 1.0.1 9 | * Add support for Linux Mint (#55, @ssaki). 10 | * Add support for RHEL8 with templates as close to the original as possible. 11 | 12 | #### 2015-04-28 - 1.0.0 13 | * Strip whitespace to fix pool detection (#30, @CyBeRoni). 14 | * Convert spec system to beaker tests (#33, @igalic). 15 | * Fix activate vs. active in the README (#35, @unicorn-ljw). 16 | * Pool simplify (#39, @igalic). 17 | * Fix version comparison for puppet future parser (#40, @edestecd). 18 | * Force LC_ALL=en_US.utf8 for all execs (#41, @kakwa). 19 | * Replace Modulefile with metadata.json. 20 | 21 | #### 2014-05-05 - 0.3.2 22 | * Bugfix for debian defaults with Puppet 2.7 (#28, @darktim). 23 | * Add qemu_user and qemu_group parameters (#28, @darktim). 24 | * Add support for RHEL7. 25 | * Add version to the puppetlabs/stdlib dependency. 26 | 27 | #### 2014-01-31 - 0.3.1 28 | * Fixed typo in init.pp (#23, @gigawhat). 29 | 30 | #### 2014-01-28 - 0.3.0 31 | * Add /etc/default/libvirt-bin generation for debian systems (#15, @msimonin). 32 | * Add type to manage storage pools (#16, @msimonin). 33 | * Fix tests (#17, @igalic). 34 | * Add initial configuration of qemu.conf (#18, @luisfdez). 35 | * Add qemu_set_process_name parameter (#21). 36 | * Add networks and networks_defaults parameters, useful from hiera (#9). 37 | 38 | #### 2013-10-16 - 0.2.3 39 | * Fix for default sysconfig setting on RedHat. 
40 | * Add listen_addr, tcp_auth and tls_auth parameters. 41 | 42 | #### 2013-10-16 - 0.2.2 43 | * Add sysconfig/libvirtd file management on RedHat osfamily. 44 | * Add tls and tcp related parameters. 45 | 46 | #### 2013-10-14 - 0.2.1 47 | * Add new libvirt::network definition (Igor Galić). 48 | * Move all current parameters to the params class. 49 | 50 | #### 2013-10-07 - 0.2.0 51 | * Add puppet-rspec and rspec system tests (Igor Galić). 52 | * Add Debian/Ubuntu support (Igor Galić). 53 | 54 | #### 2013-10-04 - 0.1.1 55 | * Add syntax highlighting tags to the README. 56 | 57 | #### 2013-05-24 - 0.1.0 58 | * Update README and use markdown. 59 | * Change to 2-space indent. 60 | 61 | #### 2012-08-29 - 0.0.1 62 | * Clean up existing module. 63 | 64 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source "https://rubygems.org" 2 | 3 | group :test do 4 | gem "rake" 5 | gem "puppet", ENV['PUPPET_VERSION'] || '~> 3.4.0' 6 | gem "puppet-lint" 7 | gem "rspec-puppet", :git => 'https://github.com/rodjek/rspec-puppet.git' 8 | gem "puppet-syntax" 9 | gem "puppetlabs_spec_helper" 10 | end 11 | 12 | group :development do 13 | gem "travis" 14 | gem "travis-lint" 15 | gem "beaker" 16 | gem "beaker-rspec" 17 | gem "vagrant-wrapper" 18 | gem "puppet-blacksmith" 19 | gem "guard-rake" 20 | end 21 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (C) 2012-2015 Matthias Saou 2 | 3 | Licensed under the Apache License, Version 2.0 (the "License"); 4 | you may not use this file except in compliance with the License. 
5 | You may obtain a copy of the License at 6 | 7 | http://www.apache.org/licenses/LICENSE-2.0 8 | 9 | Unless required by applicable law or agreed to in writing, software 10 | distributed under the License is distributed on an "AS IS" BASIS, 11 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | See the License for the specific language governing permissions and 13 | limitations under the License. 14 | 15 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # puppet-libvirt 2 | 3 | ## Overview 4 | 5 | Libvirt module. Useful on minimal Red Hat Enterprise Linux and Debian/Ubuntu 6 | installations which need to be configured as KVM virtualization hosts. 7 | 8 | * `libvirt` : Main class to install, enable and configure libvirt. 9 | * `libvirt::network` : Definition to manage libvirt networks. 10 | 11 | ## Examples 12 | 13 | Use all of the module's defaults : 14 | 15 | ```puppet 16 | include '::libvirt' 17 | ``` 18 | 19 | Typical KVM/qemu host for virtualization : 20 | 21 | ```puppet 22 | class { '::libvirt': 23 | mdns_adv => false 24 | } 25 | ``` 26 | 27 | Change even more defaults : 28 | 29 | ```puppet 30 | class { '::libvirt': 31 | defaultnetwork => true, 32 | virtinst => false, 33 | unix_sock_group => 'wheel', 34 | unix_sock_rw_perms => '0770', 35 | } 36 | ``` 37 | 38 | The module also allows the user to customize qemu parameters : 39 | 40 | ```puppet 41 | class { '::libvirt': 42 | qemu_vnc_listen => "0.0.0.0", 43 | qemu_vnc_sasl => true, 44 | qemu_vnc_tls => false, 45 | } 46 | ``` 47 | 48 | Configure Kerberos authentication: 49 | 50 | ```puppet 51 | class { '::libvirt': 52 | listen_tls => false, 53 | listen_tcp => true, 54 | auth_tcp => 'sasl', 55 | sysconfig => { 56 | 'LIBVIRTD_ARGS' => '--listen', 57 | }, 58 | sasl2_libvirt_mech_list => 'gssapi', 59 | sasl2_libvirt_keytab => '/etc/libvirt/krb5.tab', 60 | 
qemu_vnc_listen => "0.0.0.0", 61 | qemu_vnc_sasl => true, 62 | qemu_vnc_tls => false, 63 | sasl2_qemu_mech_list => 'gssapi', 64 | sasl2_qemu_keytab => '/etc/qemu/krb5.tab', 65 | sasl2_qemu_auxprop_plugin => 'sasldb', 66 | } 67 | ``` 68 | 69 | Replace the default network with a PXE boot one : 70 | 71 | ```puppet 72 | class { '::libvirt': 73 | defaultnetwork => false, # This is the default 74 | } 75 | 76 | $dhcp = { 77 | 'start' => '192.168.122.2', 78 | 'end' => '192.168.122.254', 79 | 'bootp_file' => 'pxelinux.0', 80 | } 81 | $ip = { 82 | 'address' => '192.168.122.1', 83 | 'netmask' => '255.255.255.0', 84 | 'dhcp' => $dhcp, 85 | } 86 | 87 | libvirt::network { 'pxe': 88 | forward_mode => 'nat', 89 | forward_dev => 'virbr0', 90 | ip => [ $ip ], 91 | } 92 | ``` 93 | 94 | We also support IPv6: It has the same sematics as ip: 95 | 96 | ```puppet 97 | # $ip = same as above 98 | 99 | $ipv6 = { 100 | address => '2001:db8:ca2:2::1', 101 | prefix => '64', 102 | } 103 | 104 | libvirt::network { 'dual-stack': 105 | forward_mode => 'nat', 106 | forward_dev => 'virbr0', 107 | ip => [ $ip ], 108 | ipv6 => [ $ipv6 ], 109 | } 110 | ``` 111 | 112 | While this might look a little convoluted in puppet code, this gives you the ability to specify networks in hiera, and then use `create_resources()` to generate them: 113 | 114 | ```yaml 115 | --- 116 | libvirt_networks: 117 | 118 | pxe: 119 | autostart: true 120 | forward_mode: nat 121 | forward_dev: virbr0 122 | ip: 123 | - address: 192.168.122.1 124 | netmask: 255.255.255.0 125 | dhcp: 126 | start: 192.168.122.2 127 | end: 192.168.122.254 128 | bootp_file: pxelinux.0 129 | direct: 130 | autostart: true 131 | forward_mode: bridge 132 | forward_dev: br0 133 | forward_interfaces: 134 | - eth0 135 | ``` 136 | 137 | and then in your manifest: 138 | 139 | ```puppet 140 | $networks = hiera('libvirt_networks', []) 141 | create_resources($networks, $your_defaults_for_a_network) 142 | ``` 143 | 144 | On Red Hat Enterprise Linux, you might want to 
also manage changes to the 145 | `/etc/sysconfig/libvirtd` file. In this case, you pass the key/value pairs 146 | of the variables to set inside the `sysconfig` hash : 147 | 148 | ```puppet 149 | class { '::libvirt': 150 | listen_tls => false, 151 | listen_tcp => true, 152 | sysconfig => { 153 | 'LIBVIRTD_ARGS' => '--listen', 154 | 'LIBVIRTD_NOFILES_LIMIT' => '4096', 155 | }, 156 | } 157 | ``` 158 | 159 | ## Native Types 160 | 161 | ### Libvirt Storage Pools 162 | 163 | #### Puppet Resource 164 | 165 | Query all current pools: `$ puppet resource libvirt_pool` 166 | 167 | #### Examples 168 | 169 | * Create a new directory pool : 170 | 171 | ```puppet 172 | libvirt_pool { 'mypool' : 173 | ensure => present, 174 | type => 'dir', 175 | active => false, 176 | target => '/tmp/pool-dir', 177 | } 178 | ``` 179 | The above will *define*, *build* but not *activate* the pool. 180 | 181 | By default a pool is *activated* ( same as `active => true`). 182 | 183 | By default a pool is *not autostarted* (same as `autostart => false`). 
184 | 185 | 186 | 187 | * Create a `logical` pool (`lvm`) and set the autostart flag : 188 | 189 | ```puppet 190 | libvirt_pool { 'lvm-pool' : 191 | ensure => present, 192 | type => 'logical', 193 | autostart => true, 194 | sourcedev => [ '/dev/sdb1', '/dev/sdc1' ], 195 | sourcename => 'vg', 196 | target => '/dev/vg' 197 | } 198 | ``` 199 | 200 | * Remove the default pool : 201 | 202 | ```puppet 203 | libvirt_pool { 'default' : 204 | ensure => absent, 205 | } 206 | ``` 207 | -------------------------------------------------------------------------------- /Rakefile: -------------------------------------------------------------------------------- 1 | require 'puppetlabs_spec_helper/rake_tasks' 2 | require 'puppet-lint/tasks/puppet-lint' 3 | require 'puppet-syntax/tasks/puppet-syntax' 4 | 5 | # These two gems aren't always present, for instance 6 | # on Travis with --without development 7 | begin 8 | require 'puppet_blacksmith/rake_tasks' 9 | rescue LoadError 10 | end 11 | 12 | PuppetLint.configuration.send("disable_80chars") 13 | PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}" 14 | PuppetLint.configuration.fail_on_warnings = true 15 | 16 | # Forsake support for Puppet 2.6.2 for the benefit of cleaner code. 17 | # http://puppet-lint.com/checks/class_parameter_defaults/ 18 | PuppetLint.configuration.send('disable_class_parameter_defaults') 19 | # http://puppet-lint.com/checks/class_inherits_from_params_class/ 20 | PuppetLint.configuration.send('disable_class_inherits_from_params_class') 21 | 22 | exclude_paths = [ 23 | "pkg/**/*", 24 | "vendor/**/*", 25 | "spec/**/*", 26 | ] 27 | PuppetLint.configuration.ignore_paths = exclude_paths 28 | PuppetSyntax.exclude_paths = exclude_paths 29 | 30 | desc "Run acceptance tests" 31 | RSpec::Core::RakeTask.new(:acceptance) do |t| 32 | t.pattern = 'spec/acceptance' 33 | end 34 | 35 | desc "Run syntax, lint, and spec tests." 
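task :test => [
  :syntax,
  :lint,
  :spec,
]
-------------------------------------------------------------------------------- /lib/puppet/provider/libvirt_pool/virsh.rb: --------------------------------------------------------------------------------
require 'rexml/document'
require 'tempfile'

# Provider for the libvirt_pool type backed by the `virsh` CLI: reads go
# through `virsh pool-list`, writes through the pool-* subcommands.
Puppet::Type.type(:libvirt_pool).provide(:virsh) do

  commands :virsh => 'virsh'

  # Output of `virsh -q pool-list --all`, one stripped line per pool with
  # blank lines dropped (an empty line would otherwise be parsed as a pool
  # and crash on the missing columns).
  # NOTE(review): callers assume whitespace-separated columns in the order
  # name / state / autostart — confirm against the virsh version in use.
  def self.pool_list_lines
    virsh('-q', 'pool-list', '--all').split(/\n/).map(&:strip).reject(&:empty?)
  end

  # One provider instance per pool known to libvirt, defined or running.
  def self.instances
    pool_list_lines.map do |line|
      values = line.split(/ +/)
      new(
        :name      => values[0],
        # the state column starts with "act" for an active pool
        :active    => values[1].match(/^act/) ? :true : :false,
        # the autostart column reads "no" when autostart is disabled
        :autostart => values[2].match(/no/) ? :false : :true,
        :provider  => self.name
      )
    end
  end

  # :present when a pool with exactly this resource's name is listed, else
  # :absent. The name is compared as a plain string: interpolating it into
  # a regex, as before, let metacharacters in the name match other pools.
  def status
    wanted = resource[:name]
    listed = self.class.pool_list_lines.any? do |line|
      line.split(/ +/)[0] == wanted
    end
    listed ? :present : :absent
  end

  # Attach an existing provider instance to every managed resource whose
  # name matches a listed pool, so the property readers can use the cached
  # @property_hash instead of calling virsh again.
  def self.prefetch(resources)
    pools = instances
    resources.keys.each do |name|
      if provider = pools.find { |pool| pool.name == name }
        resources[name].provider = provider
      end
    end
  end

  # ensure => present: define the pool, build it, then reconcile the
  # active/autostart properties with what the resource asks for.
  def create
    defined = self.definePool
    if !defined
      # for some reason the pool has not been defined
      # malformed xml
      # or failed tmpfile creation
      # or ?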
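raise Puppet::Error.new("Unable to define the pool")
    end
    self.buildPool

    @property_hash[:ensure] = :present
    # The pool was just created with libvirt's defaults; bring the two
    # managed properties in line with the catalog straight away.
    should_active = @resource.should(:active)
    unless self.active == should_active
      self.active = should_active
    end
    should_autostart = @resource.should(:autostart)
    unless self.autostart == should_autostart
      self.autostart = should_autostart
    end
  end

  # ensure => absent: stop and undefine the pool, then drop its cached state.
  def destroy
    self.destroyPool
    @property_hash.clear
  end

  # Write the pool XML to a temporary file and `virsh pool-define` it.
  # Returns true once virsh succeeded; a failure in XML generation, temp
  # file handling or virsh propagates as an exception. The temp file is
  # always removed.
  def definePool
    result = false
    tmpFile = nil
    begin
      tmpFile = Tempfile.new("pool.#{resource[:name]}")
      xml = buildPoolXML resource
      tmpFile.write(xml)
      tmpFile.rewind
      virsh('pool-define', tmpFile.path)
      result = true
    ensure
      # If Tempfile.new itself raised, tmpFile is still nil; closing it here
      # would replace the real error with a NoMethodError.
      if tmpFile
        tmpFile.close
        tmpFile.unlink
      end
    end
    return result
  end

  # `virsh pool-build`, best effort: a failure is logged, not raised.
  def buildPool
    begin
      virsh('pool-build', '--pool', resource[:name])
    rescue
      # Unable to build the pool maybe because
      # it is already defined (in this case we should consider
      # to continue execution)
      # or there is permission issue on the fs
      # or ?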
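# in these cases we should consider raising something
      notice("Unable to build the pool")
    end

  end

  # Stop the pool, then remove its definition. A failure to stop is only
  # logged (presumably so a pool that is already inactive still gets
  # undefined — confirm), the undefine is not guarded.
  def destroyPool
    begin
      virsh('pool-destroy', resource[:name])
    rescue Puppet::ExecutionFailure => e
      notice(e.message)
    end
    virsh('pool-undefine', resource[:name])
  end

  # Cached state from prefetch; :false when nothing is known about the pool.
  def active
    @property_hash[:active] || :false
  end

  # Start or stop the pool and cache the new state. The cache is written as
  # the :true/:false symbols that instances() and the type use, so a later
  # comparison against @resource.should(:active) holds; the former 'true'
  # and 'false' strings never compared equal to those symbols.
  def active=(active)
    if (active == :true)
      virsh 'pool-start', '--pool', resource[:name]
      @property_hash[:active] = :true
    else
      virsh 'pool-destroy', '--pool', resource[:name]
      @property_hash[:active] = :false
    end
  end

  # Cached state from prefetch; :false when nothing is known about the pool.
  def autostart
    @property_hash[:autostart] || :false
  end

  # Enable or disable autostart for the pool and cache the new value.
  def autostart=(autostart)
    if (autostart == :true)
      virsh 'pool-autostart', '--pool', resource[:name]
      @property_hash[:autostart] = :true
    else
      virsh 'pool-autostart', '--pool', resource[:name], '--disable'
      @property_hash[:autostart] = :false
    end
  end


  def exists?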
139 | @property_hash[:ensure] != :absent 140 | end 141 | 142 | def buildPoolXML(resource) 143 | root = REXML::Document.new 144 | pool = root.add_element 'pool', {'type' => resource[:type]} 145 | name = pool.add_element 'name' 146 | name.add_text resource[:name] 147 | 148 | srcHost = resource[:sourcehost] 149 | srcPath = resource[:sourcepath] 150 | srcDev = resource[:sourcedev] 151 | srcName = resource[:sourcename] 152 | srcFormat = resource[:sourceformat] 153 | 154 | if (srcHost || srcPath || srcDev || srcName || srcFormat) 155 | source = pool.add_element 'source' 156 | 157 | source.add_element('host', {'name' => srcHost}) if srcHost 158 | source.add_element('dir', {'path' => srcPath}) if srcPath 159 | source.add_element('format', {'type' => srcFormat}) if (srcFormat) 160 | 161 | if (srcDev) 162 | Array(srcDev).each do |dev| 163 | source.add_element('device', {'path' => dev}) 164 | end 165 | end 166 | 167 | if (srcName) 168 | srcNameEl = source.add_element 'name' 169 | srcNameEl.add_text srcName 170 | end 171 | end 172 | 173 | target = resource[:target] 174 | if target 175 | targetEl = pool.add_element 'target' 176 | targetPathEl = targetEl.add_element 'path' 177 | targetPathEl.add_text target 178 | end 179 | 180 | return root.to_s 181 | 182 | end # buildPoolXML 183 | 184 | end 185 | -------------------------------------------------------------------------------- /lib/puppet/type/libvirt_pool.rb: -------------------------------------------------------------------------------- 1 | Puppet::Type.newtype(:libvirt_pool) do 2 | @doc = %q{Manages libvirt pools 3 | 4 | Example : 5 | libvirt_pool { 'default' : 6 | ensure => absent 7 | } 8 | 9 | 10 | libvirt_pool { 'mydirpool' : 11 | ensure => present, 12 | active => true, 13 | autostart => true, 14 | type => 'dir', 15 | target => '/tmp/mypool', 16 | } 17 | 18 | libvirt_pool { 'vm_storage': 19 | ensure => 'present', 20 | active => 'true', 21 | type => 'logical', 22 | sourcedev => ['/dev/sdb', '/dev/sdc'], 23 | target => 
'/dev/vg0' 24 | } 25 | 26 | 27 | } 28 | 29 | ensurable do 30 | 31 | desc 'Manages the creation or the removal of a pool 32 | `present` means that the pool will be defined and created 33 | `absent` means that the pool will be purged from the system' 34 | 35 | defaultto(:present) 36 | newvalue(:present) do 37 | provider.create 38 | end 39 | 40 | newvalue(:absent) do 41 | if (provider.exists?) 42 | provider.destroy 43 | end 44 | end 45 | 46 | def retrieve 47 | provider.status 48 | end 49 | 50 | end 51 | 52 | newparam(:name, :namevar => true) do 53 | desc 'The pool name.' 54 | newvalues(/^\S+$/) 55 | end 56 | 57 | newparam(:type) do 58 | desc 'The pool type.' 59 | newvalues(:dir, :netfs, :fs, :logical, :disk, :iscsi, :mpath, :rbd, :sheepdog) 60 | end 61 | 62 | newparam(:sourcehost) do 63 | desc 'The source host.' 64 | newvalues(/^\S+$/) 65 | end 66 | 67 | newparam(:sourcepath) do 68 | desc 'The source path.' 69 | newvalues(/(\/)?(\w)/) 70 | end 71 | 72 | newparam(:sourcedev) do 73 | desc 'The source device.' 74 | newvalues(/(\/)?(\w)/) 75 | end 76 | 77 | newparam(:sourcename) do 78 | desc 'The source name.' 79 | newvalues(/^\S+$/) 80 | end 81 | 82 | newparam(:sourceformat) do 83 | desc 'The source format.' 84 | newvalues(:auto, :nfs, :glusterfs, :cifs) 85 | end 86 | 87 | newparam(:target) do 88 | desc 'The target.' 89 | newvalues(/(\/)?(\w)/) 90 | end 91 | 92 | newproperty(:active) do 93 | desc 'Whether the pool should be started.' 94 | defaultto(:true) 95 | newvalues(:true) 96 | newvalues(:false) 97 | end 98 | 99 | newproperty(:autostart) do 100 | desc 'Whether the pool should be autostarted.' 101 | defaultto(:false) 102 | newvalues(:true) 103 | newvalues(:false) 104 | end 105 | 106 | end 107 | -------------------------------------------------------------------------------- /manifests/init.pp: -------------------------------------------------------------------------------- 1 | # Class: libvirt 2 | # 3 | # Install, enable and configure libvirt. 
4 | # 5 | # Parameters: 6 | # $defaultnetwork: 7 | # Whether the default network for NAT should be enabled. Default: false 8 | # $virtinst: 9 | # Install the python-virtinst package, to get virt-install. Default: true 10 | # $qemu: 11 | # Install the qemu-kvm package, required for KVM. Default: true 12 | # $mdns_adv, 13 | # $unix_sock_group, 14 | # $unix_sock_ro_perms, 15 | # $unix_sock_rw_perms, 16 | # $unix_sock_dir: 17 | # Options for libvirtd.conf. Default: unchanged original values 18 | # 19 | # Sample Usage : 20 | # include libvirt 21 | # 22 | class libvirt ( 23 | $defaultnetwork = false, 24 | $networks = {}, 25 | $networks_defaults = {}, 26 | $virtinst = true, 27 | $qemu = true, 28 | $radvd = false, 29 | $libvirt_package = $::libvirt::params::libvirt_package, 30 | $libvirt_service = $::libvirt::params::libvirt_service, 31 | $virtinst_package = $::libvirt::params::virtinst_package, 32 | $radvd_package = $::libvirt::params::radvd_package, 33 | $sysconfig = $::libvirt::params::sysconfig, 34 | $deb_default = $::libvirt::params::deb_default, 35 | # libvirtd.conf options 36 | $listen_tls = undef, 37 | $listen_tcp = undef, 38 | $tls_port = undef, 39 | $tcp_port = undef, 40 | $listen_addr = undef, 41 | $mdns_adv = undef, 42 | $auth_tcp = undef, 43 | $auth_tls = undef, 44 | $unix_sock_group = $::libvirt::params::unix_sock_group, 45 | $unix_sock_ro_perms = undef, 46 | $auth_unix_ro = $::libvirt::params::auth_unix_ro, 47 | $unix_sock_rw_perms = $::libvirt::params::unix_sock_rw_perms, 48 | $auth_unix_rw = $::libvirt::params::auth_unix_rw, 49 | $unix_sock_dir = undef, 50 | # qemu.conf options 51 | $qemu_vnc_listen = undef, 52 | $qemu_vnc_sasl = undef, 53 | $qemu_vnc_tls = undef, 54 | $qemu_set_process_name = undef, 55 | $qemu_user = undef, 56 | $qemu_group = undef, 57 | # sasl2 options 58 | $sasl2_libvirt_mech_list = undef, 59 | $sasl2_libvirt_keytab = undef, 60 | $sasl2_qemu_mech_list = undef, 61 | $sasl2_qemu_keytab = undef, 62 | $sasl2_qemu_auxprop_plugin = undef, 63 
| ) inherits ::libvirt::params { 64 | 65 | # Keep multiple templates, as close to the original as possible 66 | if $facts['os']['family'] == 'RedHat' and versioncmp($facts['os']['release']['major'], '8') >= 0 { 67 | $filesuffix = '-el8' 68 | } else { 69 | $filesuffix = '' 70 | } 71 | 72 | package { 'libvirt': 73 | ensure => installed, 74 | name => $libvirt_package, 75 | } 76 | 77 | service { 'libvirtd': 78 | ensure => running, 79 | name => $libvirt_service, 80 | enable => true, 81 | hasstatus => true, 82 | require => Package['libvirt'], 83 | } 84 | 85 | file { '/etc/libvirt/libvirtd.conf': 86 | owner => 'root', 87 | group => 'root', 88 | mode => '0644', 89 | content => template("libvirt/libvirtd.conf${filesuffix}.erb"), 90 | notify => Service['libvirtd'], 91 | require => Package['libvirt'], 92 | } 93 | 94 | file { '/etc/libvirt/qemu.conf': 95 | owner => 'root', 96 | group => 'root', 97 | mode => '0644', 98 | content => template("libvirt/qemu.conf${filesuffix}.erb"), 99 | notify => Service['libvirtd'], 100 | require => Package['libvirt'], 101 | } 102 | 103 | file { '/etc/sasl2/libvirt.conf': 104 | owner => 'root', 105 | group => 'root', 106 | mode => '0644', 107 | content => template("libvirt/sasl2/libvirt.conf${filesuffix}.erb"), 108 | notify => Service['libvirtd'], 109 | require => Package['libvirt'], 110 | } 111 | 112 | # The default network, automatically configured... disable it by default 113 | $def_net = $defaultnetwork? 
{ 114 | true => 'enabled', 115 | default => 'absent', 116 | } 117 | libvirt::network { 'default': 118 | ensure => $def_net, 119 | autostart => true, 120 | forward_mode => 'nat', 121 | bridge => 'virbr0', 122 | ip => [ $::libvirt::params::default_ip ], 123 | } 124 | 125 | # The most useful libvirt-related packages 126 | if $virtinst { 127 | package { $virtinst_package: ensure => installed } 128 | } 129 | if $qemu { 130 | package { 'qemu-kvm': ensure => installed } 131 | file { '/etc/sasl2/qemu-kvm.conf': 132 | owner => 'root', 133 | group => 'root', 134 | mode => '0644', 135 | content => template("libvirt/sasl2/qemu-kvm.conf${filesuffix}.erb"), 136 | notify => Service['libvirtd'], 137 | require => [Package['libvirt'], Package['qemu-kvm']] 138 | } 139 | } 140 | if $radvd { 141 | package { $radvd_package: ensure => installed } 142 | } 143 | 144 | # Optional changes to the sysconfig file (on RedHat) 145 | if $sysconfig != false { 146 | file { '/etc/sysconfig/libvirtd': 147 | owner => 'root', 148 | group => 'root', 149 | mode => '0644', 150 | content => template("${module_name}/sysconfig/libvirtd.erb"), 151 | notify => Service['libvirtd'], 152 | } 153 | } 154 | 155 | # Optional changes to the /etc/default file (on Debian) 156 | if $deb_default != false { 157 | file { '/etc/default/libvirt-bin': 158 | owner => 'root', 159 | group => 'root', 160 | mode => '0644', 161 | content => template("${module_name}/default/libvirt-bin.erb"), 162 | notify => Service['libvirtd'], 163 | } 164 | } 165 | 166 | # Create Optional networks 167 | create_resources(libvirt::network, $networks, $networks_defaults) 168 | 169 | } 170 | 171 | -------------------------------------------------------------------------------- /manifests/network.pp: -------------------------------------------------------------------------------- 1 | # Define: libvirt::network 2 | # 3 | # define, configure, enable and autostart a network for libvirt guests 4 | # 5 | # Parameters: 6 | # $ensure 7 | # Ensure this network 
is defined (present), or enabled (running), or undefined (absent)
#  $autostart
#    Whether to start this network at boot time
#  $bridge
#    Name of the bridge this network will be attached to
#  $forward_mode
#    One of nat, route, bridge, vepa, passthrough, private, hostdev
#  $forward_dev
#    The interface to forward, useful in bridge and route mode
#  $forward_interfaces
#    An array of interfaces to forward
#  $ip and/or $ipv6 array hashes with
#    address
#    netmask (or alternatively prefix)
#    dhcp This is another hash that consists of
#      start - start of the range
#      end - end of the range
#      host - an array of hosts
#      Note: The following options are not supported on IPv6 networks
#      bootp_file - A file to serve for servers booting from PXE
#      bootp_server - Which server that file is served from
#  $mac - A MAC for this network, if none is defined, libvirt will choose one for you
#
# Sample Usage :
#
#  $dhcp = {
#    start      => '192.168.122.2',
#    end        => '192.168.122.254',
#    bootp_file => 'pxelinux.0',
#  }
#  $pxe_ip = {
#    'address' => '192.168.122.2',
#    'prefix'  => '24',
#    'dhcp'    => $dhcp,
#  }
#  libvirt::network { 'pxe':
#    ensure       => 'enabled',
#    autostart    => true,
#    forward_mode => 'nat',
#    ip           => [ $pxe_ip ],
#  }
#
#  libvirt::network { 'direct-net':
#    ensure             => 'enabled',
#    autostart          => true,
#    forward_mode       => 'bridge',
#    forward_dev        => 'br0',
#    forward_interfaces => [ 'eth0', ],
#  }
#
#  $ipv6 = {
#    address => '2001:db8:ca2:2::1',
#    prefix  => '64',
#  }
#
#  libvirt::network { 'dual-stack':
#    ensure       => 'enabled',
#    autostart    => true,
#    forward_mode => 'nat',
#    ip           => [ $pxe_ip ],
#    ipv6         => [ $ipv6 ],
#  }
#
define libvirt::network (
Enum['present','defined','enabled','running','undefined','absent'] $ensure = 'present',
  Boolean $autostart = false,
  $bridge = undef,
  $forward_mode = undef,
  $forward_dev = undef,
  $forward_interfaces = [],
  $ip = undef,
  $ipv6 = undef,
  $mac = undef,
) {

  include ::libvirt::params

  # Defaults shared by every exec below: a fixed PATH (no lookup through the
  # agent's environment), root, the posix provider (no shell unless the
  # command itself invokes one), and a fixed locale so virsh output is
  # stable for the grep checks.
  Exec {
    cwd         => '/',
    path        => '/bin:/usr/bin',
    user        => 'root',
    provider    => 'posix',
    require     => Service[$::libvirt::params::libvirt_service],
    environment => ['LC_ALL=en_US.utf8', ],
  }

  # Collapse the six ensure values into the two states the definition can
  # be in; 'enabled' and 'running' additionally start the network below.
  $ensure_file = $ensure? {
    /(present|defined|enabled|running)/ => 'present',
    /(undefined|absent)/                => 'absent',
  }

  # NOTE(review): $title is spliced verbatim into these paths and, further
  # down, into exec command strings and grep -E patterns. A name containing
  # whitespace, shell-significant characters or regex metacharacters changes
  # what those commands do or match; consider validating $title against a
  # conservative pattern at the top of this define.
  $network_file = "/etc/libvirt/qemu/networks/${title}.xml"
  $autostart_file = "/etc/libvirt/qemu/networks/autostart/${title}.xml"

  case $ensure_file {
    'present': {
      # Rendered network XML; the template reads this define's parameters.
      $content = template('libvirt/network.xml.erb')
      # NOTE(review): this command string looks truncated in this copy of the
      # file — verify against the repository that it writes $content into
      # $network_file as intended.
      exec { "create-${network_file}":
        command => "cat > ${network_file} < $network_file,
        unless  => "test -f ${network_file}",
      }
      # Only define when virsh does not already list a network of this name.
      exec { "virsh-net-define-${title}":
        command => "virsh net-define ${network_file}",
        unless  => "virsh -q net-list --all | grep -Eq '^\s*${title}'",
        require => Exec["create-${network_file}"],
      }
      if $autostart {
        # The autostart symlink is what `virsh net-autostart` creates, so its
        # presence is used as the idempotency check.
        exec { "virsh-net-autostart-${title}":
          command => "virsh net-autostart ${title}",
          require => Exec["virsh-net-define-${title}"],
          creates => $autostart_file,
        }
      }
      if $ensure in [ 'enabled', 'running' ] {
        exec { "virsh-net-start-${title}":
          command => "virsh net-start ${title}",
          require => Exec["virsh-net-define-${title}"],
          unless  => "virsh -q net-list --all | grep -Eq '^\s*${title}\\s+active'",
        }
      }
    }
    'absent': {
      # Stop the network only if virsh reports it active.
      exec { "virsh-net-destroy-${title}":
        command => "virsh net-destroy ${title}",
        onlyif  => "virsh -q net-list --all | grep -Eq
'^\s*${title}\\s+active'", 133 | } 134 | exec { "virsh-net-undefine-${title}": 135 | command => "virsh net-undefine ${title}", 136 | onlyif => "virsh -q net-list --all | grep -Eq '^\s*${title}\\s+inactive'", 137 | require => Exec["virsh-net-destroy-${title}"], 138 | } 139 | file { [ $network_file, $autostart_file ]: 140 | ensure => absent, 141 | require => Exec["virsh-net-undefine-${title}"], 142 | } 143 | } 144 | default : { 145 | fail ("${module_name} This default case should never be reached in Libvirt::Network{'${title}':} on node ${facts['networking']['fqdn']}.") 146 | } 147 | } 148 | } 149 | -------------------------------------------------------------------------------- /manifests/params.pp: -------------------------------------------------------------------------------- 1 | # Class: libvirt::params 2 | # 3 | # Hold values for parameters and variables for each supported platform. 4 | # 5 | class libvirt::params { 6 | 7 | case $facts['os']['family'] { 8 | 'RedHat': { 9 | $libvirt_package = "libvirt.${facts['os']['architecture']}" 10 | if versioncmp($facts['os']['release']['major'], '9') >= 0 { 11 | $libvirt_service = 'virtqemud' 12 | } else { 13 | $libvirt_service = 'libvirtd' 14 | } 15 | if versioncmp($facts['os']['release']['major'], '7') >= 0 { 16 | $virtinst_package = 'virt-install' 17 | } else { 18 | $virtinst_package = 'python-virtinst' 19 | } 20 | $radvd_package = 'radvd' 21 | $sysconfig = {} 22 | $deb_default = false 23 | $auth_unix_ro = false 24 | $unix_sock_rw_perms = false 25 | $auth_unix_rw = false 26 | $unix_sock_group = false 27 | } 28 | 'Debian': { 29 | $libvirt_package = 'libvirt-bin' 30 | $virtinst_package = 'virtinst' 31 | $radvd_package = 'radvd' 32 | $sysconfig = false 33 | $deb_default = {} 34 | # UNIX socket 35 | $auth_unix_ro = 'none' 36 | $unix_sock_rw_perms = '0770' 37 | $auth_unix_rw = 'none' 38 | case $facts['os']['name'] { 39 | 'Ubuntu', 'LinuxMint': { 40 | $libvirt_service = 'libvirt-bin' 41 | $unix_sock_group = 'libvirtd' 42 | } 
43 | default: { 44 | $libvirt_service = 'libvirtd' 45 | $unix_sock_group = 'libvirt' 46 | } 47 | } 48 | } 49 | default: { 50 | $libvirt_package = 'libvirt' 51 | $libvirt_service = 'libvirtd' 52 | $virtinst_package = 'python-virtinst' 53 | $radvd_package = 'radvd' 54 | $sysconfig = false 55 | $deb_default = false 56 | $auth_unix_ro = false 57 | $unix_sock_rw_perms = false 58 | $auth_unix_rw = false 59 | $unix_sock_group = false 60 | } 61 | } 62 | 63 | $default_dhcp = { 64 | 'start' => '192.168.122.2', 65 | 'end' => '192.168.122.254', 66 | } 67 | $default_ip = { 68 | 'address' => '192.168.122.1', 69 | 'netmask' => '255.255.255.0', 70 | 'dhcp' => $default_dhcp, 71 | } 72 | } 73 | 74 | -------------------------------------------------------------------------------- /metadata.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "thias-libvirt", 3 | "version": "1.0.3", 4 | "author": "Matthias Saou", 5 | "license": "Apache-2.0", 6 | "summary": "Libvirt virtualization API and capabilities.", 7 | "source": "git://github.com/thias/puppet-libvirt", 8 | "project_page": "https://github.com/thias/puppet-libvirt", 9 | "issues_url": "https://github.com/thias/puppet-libvirt/issues", 10 | "tags": ["libvirt", "kvm", "qemu", "virtualization"], 11 | "operatingsystem_support": [ 12 | { 13 | "operatingsystem": "RedHat", 14 | "operatingsystemrelease": [ "6", "7", "8", "9" ] 15 | }, 16 | { 17 | "operatingsystem": "CentOS", 18 | "operatingsystemrelease": [ "6", "7", "8", "9" ] 19 | }, 20 | { 21 | "operatingsystem":"Debian", 22 | "operatingsystemrelease":[ "6", "7" ] 23 | }, 24 | { 25 | "operatingsystem":"Ubuntu", 26 | "operatingsystemrelease":[ "12", "14" ] 27 | } 28 | ], 29 | "requirements": [ 30 | { 31 | "name": "puppet", 32 | "version_requirement": ">=2.7.20 <8.0.0" 33 | } 34 | ], 35 | "dependencies": [ 36 | { 37 | "name": "puppetlabs/stdlib", 38 | "version_requirement": ">= 3.2.0" 39 | } 40 | ] 41 | } 42 | 
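-------------------------------------------------------------------------------- /spec/acceptance/class_spec.rb: --------------------------------------------------------------------------------
require 'spec_helper_acceptance'

# Acceptance tests for the libvirt class.
#
# The package, service and virtinst names expected below are derived the same
# way manifests/params.pp derives them, so the suite fails when the module and
# the test disagree about what a default apply must produce on a platform.
describe 'libvirt class' do
  # Structured facts only: the module itself reads $facts['os'][...], so the
  # legacy 'osfamily' fact is not a reliable selector here. The dotted lookup
  # needs a facter on the SUT that resolves 'os.release.major'.
  case fact('os.family')
  when 'RedHat'
    os_major = fact('os.release.major').to_i
    package_name = 'libvirt'
    # params.pp manages 'virtqemud' on RHEL 9 and later, 'libvirtd' before that.
    service_name = os_major >= 9 ? 'virtqemud' : 'libvirtd'
    # params.pp installs 'virt-install' from RHEL 7 on, 'python-virtinst' before.
    virtinst_package = os_major >= 7 ? 'virt-install' : 'python-virtinst'
  when 'Debian'
    package_name = 'libvirt-bin'
    # params.pp names the service 'libvirt-bin' only on Ubuntu and Linux Mint.
    service_name = %w[Ubuntu LinuxMint].include?(fact('os.name')) ? 'libvirt-bin' : 'libvirtd'
    virtinst_package = 'virtinst'
  end

  # Apply a manifest twice. The first run may make changes but must not fail;
  # the second must change nothing. Using beaker's catch_* options is stricter
  # than the former "exit code is not 1" check, which let failure exit codes
  # such as 4 and 6 pass unnoticed.
  def apply_idempotently(pp)
    apply_manifest(pp, :catch_failures => true)
    apply_manifest(pp, :catch_changes => true)
  end

  context 'default parameters' do
    it 'should work with no errors and be idempotent' do
      pp = <<-EOS
        class { 'libvirt': }
      EOS
      apply_idempotently(pp)
    end

    describe package(package_name) do
      it { should be_installed }
    end

    describe service(service_name) do
      it { should be_enabled }
      it { should be_running }
    end
  end

  context 'with virtinst package' do
    it 'should work with no errors and be idempotent' do
      pp = <<-EOS
        class { 'libvirt':
          virtinst => true,
        }
      EOS
      apply_idempotently(pp)
    end

    describe package(package_name) do
      it { should be_installed }
    end

    describe service(service_name) do
      it { should be_enabled }
      it { should be_running }
    end

    describe package(virtinst_package) do
      it { should be_installed }
    end
  end
end
-------------------------------------------------------------------------------- /spec/acceptance/network_spec.rb: --------------------------------------------------------------------------------
1 | require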
'spec_helper_acceptance' 2 | 3 | describe 'libvirt::network' do 4 | network_dir = '/etc/libvirt/qemu/networks' 5 | 6 | context 'enable default network' do 7 | it 'should enable the default network' do 8 | pp = <<-EOS 9 | class { 'libvirt': 10 | defaultnetwork => true 11 | } 12 | EOS 13 | 14 | # Run it twice and test for idempotency 15 | expect(apply_manifest(pp).exit_code).to_not eq(1) 16 | expect(apply_manifest(pp).exit_code).to eq(0) 17 | end 18 | 19 | it 'respond to ping on IP 192.168.122.1 (for interface virbr0)' do 20 | shell('ping -c1 -q -I virbr0 192.168.122.1') do |r| 21 | r.exit_code.should == 0 22 | end 23 | end 24 | end 25 | 26 | context 'network directly connected via bridge' do 27 | it 'should create a network directly connected via a bridge' do 28 | pp = <<-EOS 29 | class { 'libvirt': } 30 | libvirt::network { 'direct-net': 31 | forward_mode => 'bridge', 32 | forward_dev => 'eth0', 33 | forward_interfaces => [ 'eth0'] 34 | } 35 | EOS 36 | 37 | # Run it twice and test for idempotency 38 | expect(apply_manifest(pp).exit_code).to_not eq(1) 39 | expect(apply_manifest(pp).exit_code).to eq(0) 40 | end 41 | 42 | describe file("#{network_dir}/direct-net.xml") do 43 | it { should contain "" } 44 | it { should contain "" } 45 | end 46 | end 47 | 48 | context 'network directly connected via autostarted bridge' do 49 | it 'should create an autostarted network directly connected via a bridge' do 50 | pp = <<-EOS 51 | class { 'libvirt': } 52 | libvirt::network { 'direct-net': 53 | autostart => true, 54 | forward_mode => 'bridge', 55 | forward_dev => 'eth0', 56 | forward_interfaces => [ 'eth0'] 57 | } 58 | EOS 59 | 60 | # Run it twice and test for idempotency 61 | expect(apply_manifest(pp).exit_code).to_not eq(1) 62 | expect(apply_manifest(pp).exit_code).to eq(0) 63 | end 64 | 65 | it 'respond to ping on public IPs (for interface eth0)' do 66 | shell('ping -c1 -q -I eth0 8.8.8.8') do |r| 67 | r.exit_code.should == 0 68 | end 69 | end 70 | end 71 | 72 | context 
'autostarted pxe boot via dhcp' do 73 | it 'should create an autostarted network for booting from DHCP' do 74 | pp = <<-EOS 75 | class { 'libvirt': } 76 | $dhcp = { 77 | 'start' => '192.168.122.2', 78 | 'end' => '192.168.122.254', 79 | 'bootp_file' => 'pxelinux.0', 80 | } 81 | $ip = { 82 | 'address' => '192.168.122.1', 83 | 'netmask' => '255.255.255.0', 84 | 'dhcp' => $dhcp, 85 | } 86 | libvirt::network { 'pxe': 87 | autostart => true, 88 | ensure => 'running', 89 | forward_mode => 'nat', 90 | forward_dev => 'virbr0', 91 | bridge => 'virbr0', 92 | ip => [ $ip] 93 | } 94 | EOS 95 | 96 | # Run it twice and test for idempotency 97 | expect(apply_manifest(pp).exit_code).to_not eq(1) 98 | expect(apply_manifest(pp).exit_code).to eq(0) 99 | end 100 | 101 | it 'respond to ping on IP 192.168.122.1 (for interface virbr0)' do 102 | shell('ping -c1 -q -I virbr0 192.168.122.1') do |r| 103 | r.exit_code.should == 0 104 | end 105 | end 106 | end 107 | 108 | context 'autostarted dual-stack' do 109 | it 'should create an autostarted network with NATed IPv4 network and an IPv6 address' do 110 | pp = <<-EOS 111 | class { 'libvirt': } 112 | $dhcp = { 113 | 'start' => '192.168.222.2', 114 | 'end' => '192.168.222.254', 115 | } 116 | $ip = { 117 | 'address' => '192.168.222.1', 118 | 'netmask' => '255.255.255.0', 119 | } 120 | $ipv6 = { 121 | address => '2001:db8:ca2:2::1', 122 | prefix => '64', 123 | } 124 | libvirt::network { 'dual-stack': 125 | autostart => true, 126 | ensure => 'running', 127 | forward_mode => 'nat', 128 | forward_dev => 'virbr2', 129 | bridge => 'virbr2', 130 | ip => [ $ip], 131 | ipv6 => [ $ipv6 ], 132 | } 133 | EOS 134 | 135 | # Run it twice and test for idempotency 136 | expect(apply_manifest(pp).exit_code).to_not eq(1) 137 | expect(apply_manifest(pp).exit_code).to eq(0) 138 | end 139 | 140 | it 'respond to ping on IP 192.168.222.1 (for interface virbr2)' do 141 | shell('ping -c1 -q -I virbr2 192.168.222.1') do |r| 142 | r.exit_code.should == 0 143 | end 144 | end 
145 | 146 | it 'respond to ping6 on IP 2001:db8:ca2:2::1 (for interface virbr2)' do 147 | shell('ping6 -c1 -q -I virbr2 2001:db8:ca2:2::1') do |r| 148 | r.exit_code.should == 0 149 | end 150 | end 151 | end 152 | 153 | end 154 | -------------------------------------------------------------------------------- /spec/acceptance/nodesets/centos-64-x64.yml: -------------------------------------------------------------------------------- 1 | HOSTS: 2 | centos-64-x64: 3 | roles: 4 | - master 5 | platform: el-6-x86_64 6 | box : centos-64-x64-vbox4210-nocm 7 | box_url : http://puppet-vagrant-boxes.puppetlabs.com/centos-64-x64-vbox4210-nocm.box 8 | hypervisor : vagrant 9 | CONFIG: 10 | log_level: verbose 11 | type: foss 12 | -------------------------------------------------------------------------------- /spec/acceptance/nodesets/default.yml: -------------------------------------------------------------------------------- 1 | HOSTS: 2 | ubuntu-server-12042-x64: 3 | roles: 4 | - master 5 | platform: ubuntu-server-12.04-amd64 6 | box: ubuntu-server-12042-x64-vbox4210-nocm 7 | box_url: http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box 8 | hypervisor: vagrant 9 | 10 | CONFIG: 11 | log_level: verbose 12 | type: foss 13 | -------------------------------------------------------------------------------- /spec/acceptance/nodesets/ubuntu-server-12042-x64.yml: -------------------------------------------------------------------------------- 1 | HOSTS: 2 | ubuntu-server-12042-x64: 3 | roles: 4 | - master 5 | platform: ubuntu-server-12.04-amd64 6 | box: ubuntu-server-12042-x64-vbox4210-nocm 7 | box_url: http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-12042-x64-vbox4210-nocm.box 8 | hypervisor: vagrant 9 | 10 | CONFIG: 11 | log_level: verbose 12 | type: foss 13 | -------------------------------------------------------------------------------- /spec/acceptance/nodesets/ubuntu-server-1404-x64.yml: 
-------------------------------------------------------------------------------- 1 | HOSTS: 2 | ubuntu-server-1404-x64: 3 | roles: 4 | - master 5 | platform: ubuntu-14.04-amd64 6 | box : puppetlabs/ubuntu-14.04-64-nocm 7 | box_url : https://vagrantcloud.com/puppetlabs/ubuntu-14.04-64-nocm 8 | hypervisor : vagrant 9 | CONFIG: 10 | log_level : debug 11 | type: git 12 | -------------------------------------------------------------------------------- /spec/classes/libvirt_spec.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2013 Brainsware 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | require 'spec_helper' 16 | 17 | describe 'libvirt', :type => :class do 18 | let(:title) { 'libvirt' } 19 | 20 | it { should contain_class('libvirt') } 21 | it { should contain_file('/etc/libvirt/qemu/networks/autostart/default.xml') 22 | .with_ensure('absent') 23 | } 24 | 25 | describe 'with default network enabled' do 26 | let(:params) {{ :defaultnetwork => true }} 27 | 28 | it { should contain_class('libvirt') } 29 | it { should contain_exec('virsh-net-autostart-default') } 30 | end 31 | 32 | end 33 | -------------------------------------------------------------------------------- /spec/defines/network_spec.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2013 Brainsware 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | 15 | require 'spec_helper' 16 | 17 | describe 'libvirt::network' do 18 | network_dir = '/etc/libvirt/qemu/networks' 19 | autostart_dir = "#{network_dir}/autostart" 20 | 21 | let(:title) { 'direct-net' } 22 | let(:params) {{ :forward_mode => 'bridge', :forward_dev => 'eth0', :forward_interfaces => [ 'eth0', ] }} 23 | 24 | it { should contain_libvirt__network('direct-net').with({ 'ensure' => 'present'} )} 25 | it { should contain_exec("create-#{network_dir}/direct-net.xml").with({ 26 | 'command' => "cat > #{network_dir}/direct-net.xml < 28 | direct-net 29 | 30 | 31 | 32 | 33 | 34 | EOF", 35 | })} 36 | 37 | context 'pxe boot network' do 38 | let(:title) { 'pxe' } 39 | dhcp = { 40 | 'start' => '192.168.122.2', 41 | 'end' => '192.168.122.254', 42 | 'bootp_file' => 'pxelinux.0', 43 | } 44 | ip = { 45 | 'address' => '192.168.122.1', 46 | 'netmask' => '255.255.255.0', 47 | 'dhcp' => dhcp, 48 | } 49 | let(:params) {{ :forward_mode => 'nat', :forward_dev => 'virbr0', :bridge => 'virbr0', :ip => [ ip ] }} 50 | 51 | it { should contain_libvirt__network('pxe').with({ 'ensure' => 'present'} )} 52 | it { should contain_exec("create-#{network_dir}/pxe.xml").with({ 53 | 'command' => "cat > #{network_dir}/pxe.xml < 55 | pxe 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | EOF", 67 | })} 68 | end 69 | 70 | context 'dual stack' do 71 | let(:title) { 'dual-stack' } 72 | dhcp = { 73 | 'start' => '192.168.122.2', 74 | 'end' => '192.168.122.254', 75 | 'bootp_file' => 'pxelinux.0', 76 | } 77 | ip = { 78 | 'address' => '192.168.122.1', 79 | 'netmask' => '255.255.255.0', 80 | 'dhcp' => dhcp, 81 | } 82 | ipv6 = { 83 | 'address' => '2001:db8:ca2:2::1', 84 | 'prefix' => '64', 85 | } 86 | let(:params) {{ :forward_mode => 'nat', :forward_dev => 'virbr0', :bridge => 'virbr0', :ip => [ ip ], :ipv6 => [ ipv6 ] }} 87 | 88 | it { should contain_libvirt__network('dual-stack').with({ 'ensure' => 'present'} )} 89 | it { should contain_exec("create-#{network_dir}/dual-stack.xml").with({ 90 | 
'command' => "cat > #{network_dir}/dual-stack.xml < 92 | dual-stack 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | EOF", 105 | })} 106 | end 107 | 108 | end 109 | -------------------------------------------------------------------------------- /spec/spec_helper.rb: -------------------------------------------------------------------------------- 1 | require 'puppetlabs_spec_helper/module_spec_helper' 2 | -------------------------------------------------------------------------------- /spec/spec_helper_acceptance.rb: -------------------------------------------------------------------------------- 1 | require 'beaker-rspec/spec_helper' 2 | require 'beaker-rspec/helpers/serverspec' 3 | 4 | hosts.each do |host| 5 | # Install Puppet 6 | install_puppet 7 | end 8 | 9 | RSpec.configure do |c| 10 | # Project root 11 | proj_root = File.expand_path(File.join(File.dirname(__FILE__), '..')) 12 | 13 | # Readable test descriptions 14 | c.formatter = :documentation 15 | 16 | # Configure all nodes in nodeset 17 | c.before :suite do 18 | # Install module and dependencies 19 | puppet_module_install(:source => proj_root, :module_name => 'libvirt') 20 | hosts.each do |host| 21 | on host, puppet('module', 'install', 'puppetlabs-stdlib'), { :acceptable_exit_codes => [0,1] } 22 | end 23 | end 24 | end 25 | -------------------------------------------------------------------------------- /templates/default/libvirt-bin.erb: -------------------------------------------------------------------------------- 1 | # Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin) 2 | # This is a POSIX shell fragment 3 | 4 | # Start libvirtd to handle qemu/kvm: 5 | <% if @deb_default['start_libvirtd'] -%> 6 | start_libvirtd="<%= @deb_default['start_libvirtd'] %>" 7 | <% else -%> 8 | start_libvirtd="yes" 9 | <% end -%> 10 | 11 | # options passed to libvirtd, add "-l" to listen on tcp 12 | <% if @deb_default['libvirtd_opts'] -%> 13 | libvirtd_opts="<%= @deb_default['libvirtd_opts'] %>" 
14 | <% else -%> 15 | libvirtd_opts="-d" 16 | <% end -%> 17 | 18 | # pass in location of kerberos keytab 19 | <% if @deb_default['KRB5_KTNAME'] -%> 20 | export KRB5_KTNAME=<%= @deb_default['KRB5_KTNAME'] %> 21 | <% else -%> 22 | #export KRB5_KTNAME=/etc/libvirt/libvirt.keytab 23 | <% end -%> 24 | -------------------------------------------------------------------------------- /templates/default/libvirt-bin.orig: -------------------------------------------------------------------------------- 1 | # Defaults for libvirt-bin initscript (/etc/init.d/libvirt-bin) 2 | # This is a POSIX shell fragment 3 | 4 | # Start libvirtd to handle qemu/kvm: 5 | start_libvirtd="yes" 6 | 7 | # options passed to libvirtd, add "-l" to listen on tcp 8 | libvirtd_opts="-d --listen" 9 | 10 | # pass in location of kerberos keytab 11 | #export KRB5_KTNAME=/etc/libvirt/libvirt.keytab 12 | -------------------------------------------------------------------------------- /templates/libvirt.conf.orig: -------------------------------------------------------------------------------- 1 | # 2 | # This can be used to setup URI aliases for frequently 3 | # used connection URIs. Aliases may contain only the 4 | # characters a-Z, 0-9, _, -. 5 | # 6 | # Following the '=' may be any valid libvirt connection 7 | # URI, including arbitrary parameters 8 | 9 | #uri_aliases = [ 10 | # "hail=qemu+ssh://root@hail.cloud.example.com/system", 11 | # "sleet=qemu+ssh://root@sleet.cloud.example.com/system", 12 | #] 13 | -------------------------------------------------------------------------------- /templates/libvirtd.conf-el8.erb: -------------------------------------------------------------------------------- 1 | # Master libvirt daemon configuration file 2 | # 3 | # For further information consult https://libvirt.org/format.html 4 | # 5 | # NOTE: the tests/daemon-conf regression test script requires 6 | # that each "PARAMETER = VALUE" line in this file have the parameter 7 | # name just after a leading "#". 
8 | 9 | ################################################################# 10 | # 11 | # Network connectivity controls 12 | # 13 | 14 | # Flag listening for secure TLS connections on the public TCP/IP port. 15 | # NB, must pass the --listen flag to the libvirtd process for this to 16 | # have any effect. 17 | # 18 | # It is necessary to setup a CA and issue server certificates before 19 | # using this capability. 20 | # 21 | # This is enabled by default, uncomment this to disable it 22 | #listen_tls = 0 23 | 24 | # Listen for unencrypted TCP connections on the public TCP/IP port. 25 | # NB, must pass the --listen flag to the libvirtd process for this to 26 | # have any effect. 27 | # 28 | # Using the TCP socket requires SASL authentication by default. Only 29 | # SASL mechanisms which support data encryption are allowed. This is 30 | # DIGEST_MD5 and GSSAPI (Kerberos5) 31 | # 32 | # This is disabled by default, uncomment this to enable it. 33 | #listen_tcp = 1 34 | 35 | 36 | 37 | # Override the port for accepting secure TLS connections 38 | # This can be a port number, or service name 39 | # 40 | #tls_port = "16514" 41 | 42 | # Override the port for accepting insecure TCP connections 43 | # This can be a port number, or service name 44 | # 45 | #tcp_port = "16509" 46 | 47 | 48 | # Override the default configuration which binds to all network 49 | # interfaces. This can be a numeric IPv4/6 address, or hostname 50 | # 51 | # If the libvirtd service is started in parallel with network 52 | # startup (e.g. with systemd), binding to addresses other than 53 | # the wildcards (0.0.0.0/::) might not be available yet. 54 | # 55 | #listen_addr = "192.168.0.1" 56 | 57 | 58 | # Flag toggling mDNS advertizement of the libvirt service. 
59 | # 60 | # Alternatively can disable for all services on a host by 61 | # stopping the Avahi daemon 62 | # 63 | # This is disabled by default, uncomment this to enable it 64 | #mdns_adv = 1 65 | 66 | # Override the default mDNS advertizement name. This must be 67 | # unique on the immediate broadcast network. 68 | # 69 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME 70 | # is substituted for the short hostname of the machine (without domain) 71 | # 72 | #mdns_name = "Virtualization Host Joe Demo" 73 | 74 | 75 | ################################################################# 76 | # 77 | # UNIX socket access controls 78 | # 79 | 80 | # Set the UNIX domain socket group ownership. This can be used to 81 | # allow a 'trusted' set of users access to management capabilities 82 | # without becoming root. 83 | # 84 | # This is restricted to 'root' by default. 85 | #unix_sock_group = "libvirt" 86 | 87 | # Set the UNIX socket permissions for the R/O socket. This is used 88 | # for monitoring VM status only 89 | # 90 | # Default allows any user. If setting group ownership, you may want to 91 | # restrict this too. 92 | #unix_sock_ro_perms = "0777" 93 | 94 | # Set the UNIX socket permissions for the R/W socket. This is used 95 | # for full management of VMs 96 | # 97 | # Default allows only root. If PolicyKit is enabled on the socket, 98 | # the default will change to allow everyone (eg, 0777) 99 | # 100 | # If not using PolicyKit and setting group ownership for access 101 | # control, then you may want to relax this too. 102 | #unix_sock_rw_perms = "0770" 103 | 104 | # Set the UNIX socket permissions for the admin interface socket. 105 | # 106 | # Default allows only owner (root), do not change it unless you are 107 | # sure to whom you are exposing the access to. 108 | #unix_sock_admin_perms = "0700" 109 | 110 | # Set the name of the directory in which sockets will be found/created. 
111 | #unix_sock_dir = "/var/run/libvirt" 112 | 113 | 114 | 115 | ################################################################# 116 | # 117 | # Authentication. 118 | # 119 | # - none: do not perform auth checks. If you can connect to the 120 | # socket you are allowed. This is suitable if there are 121 | # restrictions on connecting to the socket (eg, UNIX 122 | # socket permissions), or if there is a lower layer in 123 | # the network providing auth (eg, TLS/x509 certificates) 124 | # 125 | # - sasl: use SASL infrastructure. The actual auth scheme is then 126 | # controlled from /etc/sasl2/libvirt.conf. For the TCP 127 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. 128 | # For non-TCP or TLS sockets, any scheme is allowed. 129 | # 130 | # - polkit: use PolicyKit to authenticate. This is only suitable 131 | # for use on the UNIX sockets. The default policy will 132 | # require a user to supply their own password to gain 133 | # full read/write access (aka sudo like), while anyone 134 | # is allowed read/only access. 135 | # 136 | # Set an authentication scheme for UNIX read-only sockets 137 | # By default socket permissions allow anyone to connect 138 | # 139 | # To restrict monitoring of domains you may wish to enable 140 | # an authentication mechanism here 141 | #auth_unix_ro = "none" 142 | 143 | # Set an authentication scheme for UNIX read-write sockets 144 | # By default socket permissions only allow root. If PolicyKit 145 | # support was compiled into libvirt, the default will be to 146 | # use 'polkit' auth. 147 | # 148 | # If the unix_sock_rw_perms are changed you may wish to enable 149 | # an authentication mechanism here 150 | #auth_unix_rw = "none" 151 | 152 | # Change the authentication scheme for TCP sockets. 153 | # 154 | # If you don't enable SASL, then all TCP traffic is cleartext. 155 | # Don't do this outside of a dev/test scenario. 
For real world 156 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5 157 | # mechanism in /etc/sasl2/libvirt.conf 158 | #auth_tcp = "sasl" 159 | 160 | # Change the authentication scheme for TLS sockets. 161 | # 162 | # TLS sockets already have encryption provided by the TLS 163 | # layer, and limited authentication is done by certificates 164 | # 165 | # It is possible to make use of any SASL authentication 166 | # mechanism as well, by using 'sasl' for this option 167 | #auth_tls = "none" 168 | 169 | 170 | # Change the API access control scheme 171 | # 172 | # By default an authenticated user is allowed access 173 | # to all APIs. Access drivers can place restrictions 174 | # on this. By default the 'nop' driver is enabled, 175 | # meaning no access control checks are done once a 176 | # client has authenticated with libvirtd 177 | # 178 | #access_drivers = [ "polkit" ] 179 | 180 | ################################################################# 181 | # 182 | # TLS x509 certificate configuration 183 | # 184 | 185 | # Use of TLS requires that x509 certificates be issued. The default locations 186 | # for the certificate files is as follows: 187 | # 188 | # /etc/pki/CA/cacert.pem - The CA master certificate 189 | # /etc/pki/libvirt/servercert.pem - The server certificate signed with 190 | # the cacert.pem 191 | # /etc/pki/libvirt/private/serverkey.pem - The server private key 192 | # 193 | # It is possible to override the default locations by altering the 'key_file', 194 | # 'cert_file', and 'ca_file' values and uncommenting them below. 195 | # 196 | # NB, overriding the default of one location requires uncommenting and 197 | # possibly additionally overriding the other settings. 
198 | # 199 | 200 | # Override the default server key file path 201 | # 202 | #key_file = "/etc/pki/libvirt/private/serverkey.pem" 203 | 204 | # Override the default server certificate file path 205 | # 206 | #cert_file = "/etc/pki/libvirt/servercert.pem" 207 | 208 | # Override the default CA certificate path 209 | # 210 | #ca_file = "/etc/pki/CA/cacert.pem" 211 | 212 | # Specify a certificate revocation list. 213 | # 214 | # Defaults to not using a CRL, uncomment to enable it 215 | #crl_file = "/etc/pki/CA/crl.pem" 216 | 217 | 218 | 219 | ################################################################# 220 | # 221 | # Authorization controls 222 | # 223 | 224 | 225 | # Flag to disable verification of our own server certificates 226 | # 227 | # When libvirtd starts it performs some sanity checks against 228 | # its own certificates. 229 | # 230 | # Default is to always run sanity checks. Uncommenting this 231 | # will disable sanity checks which is not a good idea 232 | #tls_no_sanity_certificate = 1 233 | 234 | # Flag to disable verification of client certificates 235 | # 236 | # Client certificate verification is the primary authentication mechanism. 237 | # Any client which does not present a certificate signed by the CA 238 | # will be rejected. 239 | # 240 | # Default is to always verify. Uncommenting this will disable 241 | # verification - make sure an IP whitelist is set 242 | #tls_no_verify_certificate = 1 243 | 244 | 245 | # A whitelist of allowed x509 Distinguished Names 246 | # This list may contain wildcards such as 247 | # 248 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*" 249 | # 250 | # See the POSIX fnmatch function for the format of the wildcards. 251 | # 252 | # NB If this is an empty list, no client can connect, so comment out 253 | # entirely rather than using empty list to disable these checks 254 | # 255 | # By default, no DN's are checked 256 | #tls_allowed_dn_list = ["DN1", "DN2"] 257 | 258 | 259 | # A whitelist of allowed SASL usernames. 
The format for username 260 | # depends on the SASL authentication mechanism. Kerberos usernames 261 | # look like username@REALM 262 | # 263 | # This list may contain wildcards such as 264 | # 265 | # "*@EXAMPLE.COM" 266 | # 267 | # See the POSIX fnmatch function for the format of the wildcards. 268 | # 269 | # NB If this is an empty list, no client can connect, so comment out 270 | # entirely rather than using an empty list to disable these checks 271 | # 272 | # By default, no usernames are checked 273 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] 274 | 275 | 276 | # Override the compile time default TLS priority string. The 277 | # default is usually "NORMAL" unless overridden at build time. 278 | # Only set this if it is desired for libvirt to deviate from 279 | # the global default settings. 280 | # 281 | #tls_priority="NORMAL" 282 | 283 | 284 | ################################################################# 285 | # 286 | # Processing controls 287 | # 288 | 289 | # The maximum number of concurrent client connections to allow 290 | # over all sockets combined. 291 | #max_clients = 5000 292 | 293 | # The maximum length of queue of connections waiting to be 294 | # accepted by the daemon. Note that some protocols supporting 295 | # retransmission may obey this so that a later reattempt at 296 | # connection succeeds. 297 | #max_queued_clients = 1000 298 | 299 | # The maximum length of queue of accepted but not yet 300 | # authenticated clients. The default value is 20. Set this to 301 | # zero to turn this feature off. 302 | #max_anonymous_clients = 20 303 | 304 | # The minimum limit sets the number of workers to start up 305 | # initially. If the number of active clients exceeds this, 306 | # then more threads are spawned, up to max_workers limit.
307 | # Typically you'd want max_workers to equal maximum number 308 | # of clients allowed 309 | #min_workers = 5 310 | #max_workers = 20 311 | 312 | 313 | # The number of priority workers. If all workers from above 314 | # pool are stuck, some calls marked as high priority 315 | # (notably domainDestroy) can be executed in this pool. 316 | #prio_workers = 5 317 | 318 | # Limit on concurrent requests from a single client 319 | # connection. To avoid one client monopolizing the server 320 | # this should be a small fraction of the global max_workers 321 | # parameter. 322 | #max_client_requests = 5 323 | 324 | # Same processing controls, but this time for the admin interface. 325 | # For description of each option, be so kind to scroll few lines 326 | # upwards. 327 | 328 | #admin_min_workers = 1 329 | #admin_max_workers = 5 330 | #admin_max_clients = 5 331 | #admin_max_queued_clients = 5 332 | #admin_max_client_requests = 5 333 | 334 | ################################################################# 335 | # 336 | # Logging controls 337 | # 338 | 339 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug 340 | # basically 1 will log everything possible 341 | # 342 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. 343 | # 344 | # WARNING: It outputs too much information to practically read. 345 | # WARNING: The "log_filters" setting is recommended instead. 346 | # 347 | # WARNING: Journald applies rate limiting of messages and so libvirt 348 | # WARNING: will limit "log_level" to only allow values 3 or 4 if 349 | # WARNING: journald is the current output. 350 | # 351 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. 352 | #log_level = 3 353 | 354 | # Logging filters: 355 | # A filter allows to select a different logging level for a given category 356 | # of logs. 
The format for a filter is one of: 357 | # 358 | # level:match 359 | # level:+match 360 | # 361 | # where 'match' is a string which is matched against the category 362 | # given in the VIR_LOG_INIT() at the top of each libvirt source 363 | # file, e.g., "remote", "qemu", or "util.json". The 'match' in the 364 | # filter matches using shell wildcard syntax (see 'man glob(7)'). 365 | # The 'match' is always treated as a substring match. IOW a match 366 | # string 'foo' is equivalent to '*foo*'. 367 | # 368 | # If 'match' contains the optional "+" prefix, it tells libvirt 369 | # to log stack trace for each message matching name. 370 | # 371 | # 'level' is the minimal level where matching messages should 372 | # be logged: 373 | # 374 | # 1: DEBUG 375 | # 2: INFO 376 | # 3: WARNING 377 | # 4: ERROR 378 | # 379 | # Multiple filters can be defined in a single @log_filters, they just need 380 | # to be separated by spaces. Note that libvirt performs "first" match, i.e. 381 | # if there are concurrent filters, the first one that matches will be applied, 382 | # given the order in @log_filters. 383 | # 384 | # A typical need is to capture information from a hypervisor driver, 385 | # public API entrypoints and some of the utility code. Some utility 386 | # code is very verbose and is generally not desired. 
Taking the QEMU 387 | # hypervisor as an example, a suitable filter string for debugging 388 | # might be to turn off object, json & event logging, but enable the 389 | # rest of the util code: 390 | # 391 | #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" 392 | 393 | # Logging outputs: 394 | # An output is one of the places to save logging information 395 | # The format for an output can be: 396 | # level:stderr 397 | # output goes to stderr 398 | # level:syslog:name 399 | # use syslog for the output and use the given name as the ident 400 | # level:file:file_path 401 | # output to a file, with the given filepath 402 | # level:journald 403 | # output to journald logging system 404 | # In all cases 'level' is the minimal priority, acting as a filter 405 | # 1: DEBUG 406 | # 2: INFO 407 | # 3: WARNING 408 | # 4: ERROR 409 | # 410 | # Multiple outputs can be defined, they just need to be separated by spaces. 411 | # e.g. to log all warnings and errors to syslog under the libvirtd ident: 412 | #log_outputs="3:syslog:libvirtd" 413 | # 414 | 415 | 416 | ################################################################## 417 | # 418 | # Auditing 419 | # 420 | # This setting allows usage of the auditing subsystem to be altered: 421 | # 422 | # audit_level == 0 -> disable all auditing 423 | # audit_level == 1 -> enable auditing, only if enabled on host (default) 424 | # audit_level == 2 -> enable auditing, and exit if disabled on host 425 | # 426 | #audit_level = 2 427 | # 428 | # If set to 1, then audit messages will also be sent 429 | # via libvirt logging infrastructure. Defaults to 0 430 | # 431 | #audit_logging = 1 432 | 433 | ################################################################### 434 | # UUID of the host: 435 | # Host UUID is read from one of the sources specified in host_uuid_source. 
436 | # 437 | # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' 438 | # - 'machine-id': fetch the UUID from /etc/machine-id 439 | # 440 | # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide 441 | # a valid UUID a temporary UUID will be generated. 442 | # 443 | # Another option is to specify host UUID in host_uuid. 444 | # 445 | # Keep the format of the example UUID below. UUID must not have all digits 446 | # be the same. 447 | 448 | # NB This default all-zeros UUID will not work. Replace 449 | # it with the output of the 'uuidgen' command and then 450 | # uncomment this entry 451 | #host_uuid = "00000000-0000-0000-0000-000000000000" 452 | #host_uuid_source = "smbios" 453 | 454 | ################################################################### 455 | # Keepalive protocol: 456 | # This allows libvirtd to detect broken client connections or even 457 | # dead clients. A keepalive message is sent to a client after 458 | # keepalive_interval seconds of inactivity to check if the client is 459 | # still responding; keepalive_count is a maximum number of keepalive 460 | # messages that are allowed to be sent to the client without getting 461 | # any response before the connection is considered broken. In other 462 | # words, the connection is automatically closed approximately after 463 | # keepalive_interval * (keepalive_count + 1) seconds since the last 464 | # message received from the client. If keepalive_interval is set to 465 | # -1, libvirtd will never send keepalive requests; however clients 466 | # can still send them and the daemon will send responses. When 467 | # keepalive_count is set to 0, connections will be automatically 468 | # closed after keepalive_interval seconds of inactivity without 469 | # sending any keepalive messages. 470 | # 471 | #keepalive_interval = 5 472 | #keepalive_count = 5 473 | 474 | # 475 | # These configuration options are no longer used. 
There is no way to 476 | # restrict such clients from connecting since they first need to 477 | # connect in order to ask for keepalive. 478 | # 479 | #keepalive_required = 1 480 | #admin_keepalive_required = 1 481 | 482 | # Keepalive settings for the admin interface 483 | #admin_keepalive_interval = 5 484 | #admin_keepalive_count = 5 485 | 486 | ################################################################### 487 | # Open vSwitch: 488 | # This allows to specify a timeout for openvswitch calls made by 489 | # libvirt. The ovs-vsctl utility is used for the configuration and 490 | # its timeout option is set by default to 5 seconds to avoid 491 | # potential infinite waits blocking libvirt. 492 | # 493 | #ovs_timeout = 5 494 | -------------------------------------------------------------------------------- /templates/libvirtd.conf-el8.orig: -------------------------------------------------------------------------------- 1 | # Master libvirt daemon configuration file 2 | # 3 | # For further information consult https://libvirt.org/format.html 4 | # 5 | # NOTE: the tests/daemon-conf regression test script requires 6 | # that each "PARAMETER = VALUE" line in this file have the parameter 7 | # name just after a leading "#". 8 | 9 | ################################################################# 10 | # 11 | # Network connectivity controls 12 | # 13 | 14 | # Flag listening for secure TLS connections on the public TCP/IP port. 15 | # NB, must pass the --listen flag to the libvirtd process for this to 16 | # have any effect. 17 | # 18 | # It is necessary to setup a CA and issue server certificates before 19 | # using this capability. 20 | # 21 | # This is enabled by default, uncomment this to disable it 22 | #listen_tls = 0 23 | 24 | # Listen for unencrypted TCP connections on the public TCP/IP port. 25 | # NB, must pass the --listen flag to the libvirtd process for this to 26 | # have any effect. 
27 | # 28 | # Using the TCP socket requires SASL authentication by default. Only 29 | # SASL mechanisms which support data encryption are allowed. This is 30 | # DIGEST_MD5 and GSSAPI (Kerberos5) 31 | # 32 | # This is disabled by default, uncomment this to enable it. 33 | #listen_tcp = 1 34 | 35 | 36 | 37 | # Override the port for accepting secure TLS connections 38 | # This can be a port number, or service name 39 | # 40 | #tls_port = "16514" 41 | 42 | # Override the port for accepting insecure TCP connections 43 | # This can be a port number, or service name 44 | # 45 | #tcp_port = "16509" 46 | 47 | 48 | # Override the default configuration which binds to all network 49 | # interfaces. This can be a numeric IPv4/6 address, or hostname 50 | # 51 | # If the libvirtd service is started in parallel with network 52 | # startup (e.g. with systemd), binding to addresses other than 53 | # the wildcards (0.0.0.0/::) might not be available yet. 54 | # 55 | #listen_addr = "192.168.0.1" 56 | 57 | 58 | # Flag toggling mDNS advertizement of the libvirt service. 59 | # 60 | # Alternatively can disable for all services on a host by 61 | # stopping the Avahi daemon 62 | # 63 | # This is disabled by default, uncomment this to enable it 64 | #mdns_adv = 1 65 | 66 | # Override the default mDNS advertizement name. This must be 67 | # unique on the immediate broadcast network. 68 | # 69 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME 70 | # is substituted for the short hostname of the machine (without domain) 71 | # 72 | #mdns_name = "Virtualization Host Joe Demo" 73 | 74 | 75 | ################################################################# 76 | # 77 | # UNIX socket access controls 78 | # 79 | 80 | # Set the UNIX domain socket group ownership. This can be used to 81 | # allow a 'trusted' set of users access to management capabilities 82 | # without becoming root. 83 | # 84 | # This is restricted to 'root' by default. 
85 | #unix_sock_group = "libvirt" 86 | 87 | # Set the UNIX socket permissions for the R/O socket. This is used 88 | # for monitoring VM status only 89 | # 90 | # Default allows any user. If setting group ownership, you may want to 91 | # restrict this too. 92 | #unix_sock_ro_perms = "0777" 93 | 94 | # Set the UNIX socket permissions for the R/W socket. This is used 95 | # for full management of VMs 96 | # 97 | # Default allows only root. If PolicyKit is enabled on the socket, 98 | # the default will change to allow everyone (eg, 0777) 99 | # 100 | # If not using PolicyKit and setting group ownership for access 101 | # control, then you may want to relax this too. 102 | #unix_sock_rw_perms = "0770" 103 | 104 | # Set the UNIX socket permissions for the admin interface socket. 105 | # 106 | # Default allows only owner (root), do not change it unless you are 107 | # sure to whom you are exposing the access to. 108 | #unix_sock_admin_perms = "0700" 109 | 110 | # Set the name of the directory in which sockets will be found/created. 111 | #unix_sock_dir = "/var/run/libvirt" 112 | 113 | 114 | 115 | ################################################################# 116 | # 117 | # Authentication. 118 | # 119 | # - none: do not perform auth checks. If you can connect to the 120 | # socket you are allowed. This is suitable if there are 121 | # restrictions on connecting to the socket (eg, UNIX 122 | # socket permissions), or if there is a lower layer in 123 | # the network providing auth (eg, TLS/x509 certificates) 124 | # 125 | # - sasl: use SASL infrastructure. The actual auth scheme is then 126 | # controlled from /etc/sasl2/libvirt.conf. For the TCP 127 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. 128 | # For non-TCP or TLS sockets, any scheme is allowed. 129 | # 130 | # - polkit: use PolicyKit to authenticate. This is only suitable 131 | # for use on the UNIX sockets. 
The default policy will 132 | # require a user to supply their own password to gain 133 | # full read/write access (aka sudo like), while anyone 134 | # is allowed read/only access. 135 | # 136 | # Set an authentication scheme for UNIX read-only sockets 137 | # By default socket permissions allow anyone to connect 138 | # 139 | # To restrict monitoring of domains you may wish to enable 140 | # an authentication mechanism here 141 | #auth_unix_ro = "none" 142 | 143 | # Set an authentication scheme for UNIX read-write sockets 144 | # By default socket permissions only allow root. If PolicyKit 145 | # support was compiled into libvirt, the default will be to 146 | # use 'polkit' auth. 147 | # 148 | # If the unix_sock_rw_perms are changed you may wish to enable 149 | # an authentication mechanism here 150 | #auth_unix_rw = "none" 151 | 152 | # Change the authentication scheme for TCP sockets. 153 | # 154 | # If you don't enable SASL, then all TCP traffic is cleartext. 155 | # Don't do this outside of a dev/test scenario. For real world 156 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5 157 | # mechanism in /etc/sasl2/libvirt.conf 158 | #auth_tcp = "sasl" 159 | 160 | # Change the authentication scheme for TLS sockets. 161 | # 162 | # TLS sockets already have encryption provided by the TLS 163 | # layer, and limited authentication is done by certificates 164 | # 165 | # It is possible to make use of any SASL authentication 166 | # mechanism as well, by using 'sasl' for this option 167 | #auth_tls = "none" 168 | 169 | 170 | # Change the API access control scheme 171 | # 172 | # By default an authenticated user is allowed access 173 | # to all APIs. Access drivers can place restrictions 174 | # on this. 
By default the 'nop' driver is enabled, 175 | # meaning no access control checks are done once a 176 | # client has authenticated with libvirtd 177 | # 178 | #access_drivers = [ "polkit" ] 179 | 180 | ################################################################# 181 | # 182 | # TLS x509 certificate configuration 183 | # 184 | 185 | # Use of TLS requires that x509 certificates be issued. The default locations 186 | # for the certificate files is as follows: 187 | # 188 | # /etc/pki/CA/cacert.pem - The CA master certificate 189 | # /etc/pki/libvirt/servercert.pem - The server certificate signed with 190 | # the cacert.pem 191 | # /etc/pki/libvirt/private/serverkey.pem - The server private key 192 | # 193 | # It is possible to override the default locations by altering the 'key_file', 194 | # 'cert_file', and 'ca_file' values and uncommenting them below. 195 | # 196 | # NB, overriding the default of one location requires uncommenting and 197 | # possibly additionally overriding the other settings. 198 | # 199 | 200 | # Override the default server key file path 201 | # 202 | #key_file = "/etc/pki/libvirt/private/serverkey.pem" 203 | 204 | # Override the default server certificate file path 205 | # 206 | #cert_file = "/etc/pki/libvirt/servercert.pem" 207 | 208 | # Override the default CA certificate path 209 | # 210 | #ca_file = "/etc/pki/CA/cacert.pem" 211 | 212 | # Specify a certificate revocation list. 213 | # 214 | # Defaults to not using a CRL, uncomment to enable it 215 | #crl_file = "/etc/pki/CA/crl.pem" 216 | 217 | 218 | 219 | ################################################################# 220 | # 221 | # Authorization controls 222 | # 223 | 224 | 225 | # Flag to disable verification of our own server certificates 226 | # 227 | # When libvirtd starts it performs some sanity checks against 228 | # its own certificates. 229 | # 230 | # Default is to always run sanity checks. 
Uncommenting this 231 | # will disable sanity checks which is not a good idea 232 | #tls_no_sanity_certificate = 1 233 | 234 | # Flag to disable verification of client certificates 235 | # 236 | # Client certificate verification is the primary authentication mechanism. 237 | # Any client which does not present a certificate signed by the CA 238 | # will be rejected. 239 | # 240 | # Default is to always verify. Uncommenting this will disable 241 | # verification - make sure an IP whitelist is set 242 | #tls_no_verify_certificate = 1 243 | 244 | 245 | # A whitelist of allowed x509 Distinguished Names 246 | # This list may contain wildcards such as 247 | # 248 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*" 249 | # 250 | # See the POSIX fnmatch function for the format of the wildcards. 251 | # 252 | # NB If this is an empty list, no client can connect, so comment out 253 | # entirely rather than using empty list to disable these checks 254 | # 255 | # By default, no DN's are checked 256 | #tls_allowed_dn_list = ["DN1", "DN2"] 257 | 258 | 259 | # A whitelist of allowed SASL usernames. The format for username 260 | # depends on the SASL authentication mechanism. Kerberos usernames 261 | # look like username@REALM 262 | # 263 | # This list may contain wildcards such as 264 | # 265 | # "*@EXAMPLE.COM" 266 | # 267 | # See the POSIX fnmatch function for the format of the wildcards. 268 | # 269 | # NB If this is an empty list, no client can connect, so comment out 270 | # entirely rather than using empty list to disable these checks 271 | # 272 | # By default, no Username's are checked 273 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] 274 | 275 | 276 | # Override the compile time default TLS priority string. The 277 | # default is usually "NORMAL" unless overridden at build time. 278 | # Only set this is it is desired for libvirt to deviate from 279 | # the global default settings. 
280 | # 281 | #tls_priority="NORMAL" 282 | 283 | 284 | ################################################################# 285 | # 286 | # Processing controls 287 | # 288 | 289 | # The maximum number of concurrent client connections to allow 290 | # over all sockets combined. 291 | #max_clients = 5000 292 | 293 | # The maximum length of queue of connections waiting to be 294 | # accepted by the daemon. Note, that some protocols supporting 295 | # retransmission may obey this so that a later reattempt at 296 | # connection succeeds. 297 | #max_queued_clients = 1000 298 | 299 | # The maximum length of queue of accepted but not yet 300 | # authenticated clients. The default value is 20. Set this to 301 | # zero to turn this feature off. 302 | #max_anonymous_clients = 20 303 | 304 | # The minimum limit sets the number of workers to start up 305 | # initially. If the number of active clients exceeds this, 306 | # then more threads are spawned, up to max_workers limit. 307 | # Typically you'd want max_workers to equal maximum number 308 | # of clients allowed 309 | #min_workers = 5 310 | #max_workers = 20 311 | 312 | 313 | # The number of priority workers. If all workers from above 314 | # pool are stuck, some calls marked as high priority 315 | # (notably domainDestroy) can be executed in this pool. 316 | #prio_workers = 5 317 | 318 | # Limit on concurrent requests from a single client 319 | # connection. To avoid one client monopolizing the server 320 | # this should be a small fraction of the global max_workers 321 | # parameter. 322 | #max_client_requests = 5 323 | 324 | # Same processing controls, but this time for the admin interface. 325 | # For description of each option, be so kind to scroll few lines 326 | # upwards. 
327 | 328 | #admin_min_workers = 1 329 | #admin_max_workers = 5 330 | #admin_max_clients = 5 331 | #admin_max_queued_clients = 5 332 | #admin_max_client_requests = 5 333 | 334 | ################################################################# 335 | # 336 | # Logging controls 337 | # 338 | 339 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug 340 | # basically 1 will log everything possible 341 | # 342 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. 343 | # 344 | # WARNING: It outputs too much information to practically read. 345 | # WARNING: The "log_filters" setting is recommended instead. 346 | # 347 | # WARNING: Journald applies rate limiting of messages and so libvirt 348 | # WARNING: will limit "log_level" to only allow values 3 or 4 if 349 | # WARNING: journald is the current output. 350 | # 351 | # WARNING: USE OF THIS IS STRONGLY DISCOURAGED. 352 | #log_level = 3 353 | 354 | # Logging filters: 355 | # A filter allows to select a different logging level for a given category 356 | # of logs. The format for a filter is one of: 357 | # 358 | # level:match 359 | # level:+match 360 | # 361 | # where 'match' is a string which is matched against the category 362 | # given in the VIR_LOG_INIT() at the top of each libvirt source 363 | # file, e.g., "remote", "qemu", or "util.json". The 'match' in the 364 | # filter matches using shell wildcard syntax (see 'man glob(7)'). 365 | # The 'match' is always treated as a substring match. IOW a match 366 | # string 'foo' is equivalent to '*foo*'. 367 | # 368 | # If 'match' contains the optional "+" prefix, it tells libvirt 369 | # to log stack trace for each message matching name. 370 | # 371 | # 'level' is the minimal level where matching messages should 372 | # be logged: 373 | # 374 | # 1: DEBUG 375 | # 2: INFO 376 | # 3: WARNING 377 | # 4: ERROR 378 | # 379 | # Multiple filters can be defined in a single @log_filters, they just need 380 | # to be separated by spaces. 
Note that libvirt performs "first" match, i.e. 381 | # if there are concurrent filters, the first one that matches will be applied, 382 | # given the order in @log_filters. 383 | # 384 | # A typical need is to capture information from a hypervisor driver, 385 | # public API entrypoints and some of the utility code. Some utility 386 | # code is very verbose and is generally not desired. Taking the QEMU 387 | # hypervisor as an example, a suitable filter string for debugging 388 | # might be to turn off object, json & event logging, but enable the 389 | # rest of the util code: 390 | # 391 | #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" 392 | 393 | # Logging outputs: 394 | # An output is one of the places to save logging information 395 | # The format for an output can be: 396 | # level:stderr 397 | # output goes to stderr 398 | # level:syslog:name 399 | # use syslog for the output and use the given name as the ident 400 | # level:file:file_path 401 | # output to a file, with the given filepath 402 | # level:journald 403 | # output to journald logging system 404 | # In all cases 'level' is the minimal priority, acting as a filter 405 | # 1: DEBUG 406 | # 2: INFO 407 | # 3: WARNING 408 | # 4: ERROR 409 | # 410 | # Multiple outputs can be defined, they just need to be separated by spaces. 411 | # e.g. to log all warnings and errors to syslog under the libvirtd ident: 412 | #log_outputs="3:syslog:libvirtd" 413 | # 414 | 415 | 416 | ################################################################## 417 | # 418 | # Auditing 419 | # 420 | # This setting allows usage of the auditing subsystem to be altered: 421 | # 422 | # audit_level == 0 -> disable all auditing 423 | # audit_level == 1 -> enable auditing, only if enabled on host (default) 424 | # audit_level == 2 -> enable auditing, and exit if disabled on host 425 | # 426 | #audit_level = 2 427 | # 428 | # If set to 1, then audit messages will also be sent 429 | # via libvirt logging infrastructure. 
Defaults to 0 430 | # 431 | #audit_logging = 1 432 | 433 | ################################################################### 434 | # UUID of the host: 435 | # Host UUID is read from one of the sources specified in host_uuid_source. 436 | # 437 | # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' 438 | # - 'machine-id': fetch the UUID from /etc/machine-id 439 | # 440 | # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide 441 | # a valid UUID a temporary UUID will be generated. 442 | # 443 | # Another option is to specify host UUID in host_uuid. 444 | # 445 | # Keep the format of the example UUID below. UUID must not have all digits 446 | # be the same. 447 | 448 | # NB This default all-zeros UUID will not work. Replace 449 | # it with the output of the 'uuidgen' command and then 450 | # uncomment this entry 451 | #host_uuid = "00000000-0000-0000-0000-000000000000" 452 | #host_uuid_source = "smbios" 453 | 454 | ################################################################### 455 | # Keepalive protocol: 456 | # This allows libvirtd to detect broken client connections or even 457 | # dead clients. A keepalive message is sent to a client after 458 | # keepalive_interval seconds of inactivity to check if the client is 459 | # still responding; keepalive_count is a maximum number of keepalive 460 | # messages that are allowed to be sent to the client without getting 461 | # any response before the connection is considered broken. In other 462 | # words, the connection is automatically closed approximately after 463 | # keepalive_interval * (keepalive_count + 1) seconds since the last 464 | # message received from the client. If keepalive_interval is set to 465 | # -1, libvirtd will never send keepalive requests; however clients 466 | # can still send them and the daemon will send responses. 
When 467 | # keepalive_count is set to 0, connections will be automatically 468 | # closed after keepalive_interval seconds of inactivity without 469 | # sending any keepalive messages. 470 | # 471 | #keepalive_interval = 5 472 | #keepalive_count = 5 473 | 474 | # 475 | # These configuration options are no longer used. There is no way to 476 | # restrict such clients from connecting since they first need to 477 | # connect in order to ask for keepalive. 478 | # 479 | #keepalive_required = 1 480 | #admin_keepalive_required = 1 481 | 482 | # Keepalive settings for the admin interface 483 | #admin_keepalive_interval = 5 484 | #admin_keepalive_count = 5 485 | 486 | ################################################################### 487 | # Open vSwitch: 488 | # This allows to specify a timeout for openvswitch calls made by 489 | # libvirt. The ovs-vsctl utility is used for the configuration and 490 | # its timeout option is set by default to 5 seconds to avoid 491 | # potential infinite waits blocking libvirt. 492 | # 493 | #ovs_timeout = 5 494 | -------------------------------------------------------------------------------- /templates/libvirtd.conf.erb: -------------------------------------------------------------------------------- 1 | # Master libvirt daemon configuration file 2 | # 3 | # For further information consult http://libvirt.org/format.html 4 | # 5 | # NOTE: the tests/daemon-conf regression test script requires 6 | # that each "PARAMETER = VALUE" line in this file have the parameter 7 | # name just after a leading "#". 8 | 9 | ################################################################# 10 | # 11 | # Network connectivity controls 12 | # 13 | 14 | # Flag listening for secure TLS connections on the public TCP/IP port. 15 | # NB, must pass the --listen flag to the libvirtd process for this to 16 | # have any effect. 17 | # 18 | # It is necessary to setup a CA and issue server certificates before 19 | # using this capability. 
20 | # 21 | # This is enabled by default, uncomment this to disable it 22 | #listen_tls = 0 23 | <% if @listen_tls == true -%> 24 | listen_tls = 1 25 | <% elsif @listen_tls == false -%> 26 | listen_tls = 0 27 | <% end -%> 28 | 29 | # Listen for unencrypted TCP connections on the public TCP/IP port. 30 | # NB, must pass the --listen flag to the libvirtd process for this to 31 | # have any effect. 32 | # 33 | # Using the TCP socket requires SASL authentication by default. Only 34 | # SASL mechanisms which support data encryption are allowed. This is 35 | # DIGEST-MD5 and GSSAPI (Kerberos5) 36 | # 37 | # This is disabled by default, uncomment this to enable it. Only enable it on a trusted management network and keep auth_tcp at "sasl" (see below): with auth_tcp = "none" the hypervisor is managed unauthenticated over cleartext TCP. 38 | #listen_tcp = 1 39 | <% if @listen_tcp == true -%> 40 | listen_tcp = 1 41 | <% elsif @listen_tcp == false -%> 42 | listen_tcp = 0 43 | <% end -%> 44 | 45 | 46 | 47 | # Override the port for accepting secure TLS connections 48 | # This can be a port number, or service name 49 | # 50 | #tls_port = "16514" 51 | <% if @tls_port -%> 52 | tls_port = "<%= @tls_port %>" 53 | <% end -%> 54 | 55 | # Override the port for accepting insecure TCP connections 56 | # This can be a port number, or service name 57 | # 58 | #tcp_port = "16509" 59 | <% if @tcp_port -%> 60 | tcp_port = "<%= @tcp_port %>" 61 | <% end -%> 62 | 63 | 64 | # Override the default configuration which binds to all network 65 | # interfaces. This can be a numeric IPv4/6 address, or hostname. When listen_tls or listen_tcp is enabled, prefer a dedicated management address over the wildcard so the daemon is not reachable on every interface. 66 | # 67 | #listen_addr = "192.168.0.1" 68 | <% if @listen_addr -%> 69 | listen_addr = "<%= @listen_addr %>" 70 | <% end -%> 71 | 72 | 73 | # Flag toggling mDNS advertizement of the libvirt service. 74 | # 75 | # Alternatively can disable for all services on a host by 76 | # stopping the Avahi daemon 77 | # 78 | # This is enabled by default and announces this virtualization host to everyone on the local network; uncomment this to disable it unless mDNS discovery is actually needed 79 | #mdns_adv = 0 80 | <% if @mdns_adv == false or @mdns_adv == '0' -%> 81 | mdns_adv = 0 82 | <% end -%> 83 | 84 | # Override the default mDNS advertizement name. 
This must be 85 | # unique on the immediate broadcast network. 86 | # 87 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME 88 | # is substituted for the short hostname of the machine (without domain) 89 | # 90 | #mdns_name = "Virtualization Host Joe Demo" 91 | 92 | 93 | ################################################################# 94 | # 95 | # UNIX socket access controls 96 | # 97 | 98 | # Set the UNIX domain socket group ownership. This can be used to 99 | # allow a 'trusted' set of users access to management capabilities 100 | # without becoming root. Treat membership in this group as highly privileged: members get full management of every VM on this host. 101 | # 102 | # This is restricted to 'root' by default. 103 | #unix_sock_group = "libvirt" 104 | <% if @unix_sock_group -%> 105 | unix_sock_group = "<%= @unix_sock_group %>" 106 | <% end -%> 107 | 108 | # Set the UNIX socket permissions for the R/O socket. This is used 109 | # for monitoring VM status only 110 | # 111 | # Default allows any user, i.e. every local account can monitor all VMs. If setting group ownership, you may want to 112 | # restrict this too: 113 | #unix_sock_ro_perms = "0777" 114 | <% if @unix_sock_ro_perms -%> 115 | unix_sock_ro_perms = "<%= @unix_sock_ro_perms %>" 116 | <% end -%> 117 | 118 | # Set the UNIX socket permissions for the R/W socket. This is used 119 | # for full management of VMs 120 | # 121 | # Default allows only root. If PolicyKit is enabled on the socket, 122 | # the default will change to allow everyone (eg, 0777) 123 | # 124 | # If not using PolicyKit and setting group ownership for access 125 | # control then you may want to relax this to: 126 | #unix_sock_rw_perms = "0770" 127 | <% if @unix_sock_rw_perms -%> 128 | unix_sock_rw_perms = "<%= @unix_sock_rw_perms %>" 129 | <% end -%> 130 | 131 | # Set the name of the directory in which sockets will be found/created. 132 | #unix_sock_dir = "/var/run/libvirt" 133 | <% if @unix_sock_dir -%> 134 | unix_sock_dir = "<%= @unix_sock_dir %>" 135 | <% end -%> 136 | 137 | ################################################################# 138 | # 139 | # Authentication. 
140 | # 141 | # - none: do not perform auth checks. If you can connect to the 142 | # socket you are allowed. This is suitable if there are 143 | # restrictions on connecting to the socket (eg, UNIX 144 | # socket permissions), or if there is a lower layer in 145 | # the network providing auth (eg, TLS/x509 certificates) 146 | # 147 | # - sasl: use SASL infrastructure. The actual auth scheme is then 148 | # controlled from /etc/sasl2/libvirt.conf. For the TCP 149 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. 150 | # For non-TCP or TLS sockets, any scheme is allowed. 151 | # 152 | # - polkit: use PolicyKit to authenticate. This is only suitable 153 | # for use on the UNIX sockets. The default policy will 154 | # require a user to supply their own password to gain 155 | # full read/write access (aka sudo like), while anyone 156 | # is allowed read/only access. 157 | # 158 | # Set an authentication scheme for UNIX read-only sockets 159 | # By default socket permissions allow anyone to connect 160 | # 161 | # To restrict monitoring of domains you may wish to enable 162 | # an authentication mechanism here 163 | #auth_unix_ro = "none" 164 | <%- if @auth_unix_ro -%> 165 | auth_unix_ro = "<%= @auth_unix_ro %>" 166 | <%- end -%> 167 | 168 | # Set an authentication scheme for UNIX read-write sockets 169 | # By default socket permissions only allow root. If PolicyKit 170 | # support was compiled into libvirt, the default will be to 171 | # use 'polkit' auth. 172 | # 173 | # If the unix_sock_rw_perms are changed you may wish to enable 174 | # an authentication mechanism here 175 | #auth_unix_rw = "none" 176 | <%- if @auth_unix_rw -%> 177 | auth_unix_rw = "<%= @auth_unix_rw %>" 178 | <%- end -%> 179 | 180 | # Change the authentication scheme for TCP sockets. 181 | # 182 | # If you don't enable SASL, then all TCP traffic is cleartext. 183 | # Don't do this outside of a dev/test scenario. 
For real world 184 | # use, always enable SASL and prefer the GSSAPI (Kerberos) mechanism in 185 | # /etc/sasl2/libvirt.conf; DIGEST-MD5 is obsolete (RFC 6331) and is rejected by newer libvirt/SASL builds, so do not rely on it for new deployments 186 | #auth_tcp = "sasl" 187 | <% if @auth_tcp -%> 188 | auth_tcp = "<%= @auth_tcp %>" 189 | <% end -%> 190 | 191 | # Change the authentication scheme for TLS sockets. 192 | # 193 | # TLS sockets already have encryption provided by the TLS 194 | # layer, and limited authentication is done by certificates 195 | # 196 | # It is possible to make use of any SASL authentication 197 | # mechanism as well, by using 'sasl' for this option 198 | #auth_tls = "none" 199 | <% if @auth_tls -%> 200 | auth_tls = "<%= @auth_tls %>" 201 | <% end -%> 202 | 203 | 204 | 205 | ################################################################# 206 | # 207 | # TLS x509 certificate configuration 208 | # 209 | 210 | 211 | # Override the default server key file path 212 | # 213 | #key_file = "/etc/pki/libvirt/private/serverkey.pem" 214 | 215 | # Override the default server certificate file path 216 | # 217 | #cert_file = "/etc/pki/libvirt/servercert.pem" 218 | 219 | # Override the default CA certificate path 220 | # 221 | #ca_file = "/etc/pki/CA/cacert.pem" 222 | 223 | # Specify a certificate revocation list. 224 | # 225 | # Defaults to not using a CRL, uncomment to enable it 226 | #crl_file = "/etc/pki/CA/crl.pem" 227 | 228 | 229 | 230 | ################################################################# 231 | # 232 | # Authorization controls 233 | # 234 | 235 | 236 | # Flag to disable verification of our own server certificates 237 | # 238 | # When libvirtd starts it performs some sanity checks against 239 | # its own certificates. 240 | # 241 | # Default is to always run sanity checks. Uncommenting this 242 | # will disable sanity checks which is not a good idea 243 | #tls_no_sanity_certificate = 1 244 | 245 | # Flag to disable verification of client certificates 246 | # 247 | # Client certificate verification is the primary authentication mechanism. 
248 | # Any client which does not present a certificate signed by the CA 249 | # will be rejected. 250 | # 251 | # Default is to always verify. Uncommenting this will disable 252 | # verification, so any client that can reach tls_port can connect - only do this if reachability is restricted by other means (listen_addr, a host firewall) or auth_tls = "sasl" is set 253 | #tls_no_verify_certificate = 1 254 | 255 | 256 | # A whitelist of allowed x509 Distinguished Names 257 | # This list may contain wildcards such as 258 | # 259 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*" 260 | # 261 | # See the POSIX fnmatch function for the format of the wildcards. 262 | # 263 | # NB If this is an empty list, no client can connect, so comment out 264 | # entirely rather than using empty list to disable these checks 265 | # 266 | # By default, no DN's are checked 267 | #tls_allowed_dn_list = ["DN1", "DN2"] 268 | 269 | 270 | # A whitelist of allowed SASL usernames. The format for usernames 271 | # depends on the SASL authentication mechanism. Kerberos usernames 272 | # look like username@REALM 273 | # 274 | # This list may contain wildcards such as 275 | # 276 | # "*@EXAMPLE.COM" 277 | # 278 | # See the POSIX fnmatch function for the format of the wildcards. 279 | # 280 | # NB If this is an empty list, no client can connect, so comment out 281 | # entirely rather than using empty list to disable these checks 282 | # 283 | # By default, no Username's are checked 284 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] 285 | 286 | 287 | 288 | ################################################################# 289 | # 290 | # Processing controls 291 | # 292 | 293 | # The maximum number of concurrent client connections to allow 294 | # over all sockets combined. 295 | #max_clients = 20 296 | 297 | 298 | # The minimum limit sets the number of workers to start up 299 | # initially. If the number of active clients exceeds this, 300 | # then more threads are spawned, up to max_workers limit. 
301 | # Typically you'd want max_workers to equal maximum number 302 | # of clients allowed 303 | #min_workers = 5 304 | #max_workers = 20 305 | 306 | 307 | # The number of priority workers. If all workers from above 308 | # pool will stuck, some calls marked as high priority 309 | # (notably domainDestroy) can be executed in this pool. 310 | #prio_workers = 5 311 | 312 | # Total global limit on concurrent RPC calls. Should be 313 | # at least as large as max_workers. Beyond this, RPC requests 314 | # will be read into memory and queued. This directly impact 315 | # memory usage, currently each request requires 256 KB of 316 | # memory. So by default upto 5 MB of memory is used 317 | # 318 | # XXX this isn't actually enforced yet, only the per-client 319 | # limit is used so far 320 | #max_requests = 20 321 | 322 | # Limit on concurrent requests from a single client 323 | # connection. To avoid one client monopolizing the server 324 | # this should be a small fraction of the global max_requests 325 | # and max_workers parameter 326 | #max_client_requests = 5 327 | 328 | ################################################################# 329 | # 330 | # Logging controls 331 | # 332 | 333 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug 334 | # basically 1 will log everything possible 335 | #log_level = 3 336 | 337 | # Logging filters: 338 | # A filter allows to select a different logging level for a given category 339 | # of logs 340 | # The format for a filter is: 341 | # x:name 342 | # where name is a match string e.g. remote or qemu 343 | # the x prefix is the minimal level where matching messages should be logged 344 | # 1: DEBUG 345 | # 2: INFO 346 | # 3: WARNING 347 | # 4: ERROR 348 | # 349 | # Multiple filter can be defined in a single @filters, they just need to be 350 | # separated by spaces. 
351 | # 352 | # e.g: 353 | # log_filters="3:remote 4:event" 354 | # to only get warning or errors from the remote layer and only errors from 355 | # the event layer. 356 | 357 | # Logging outputs: 358 | # An output is one of the places to save logging information 359 | # The format for an output can be: 360 | # x:stderr 361 | # output goes to stderr 362 | # x:syslog:name 363 | # use syslog for the output and use the given name as the ident 364 | # x:file:file_path 365 | # output to a file, with the given filepath 366 | # In all case the x prefix is the minimal level, acting as a filter 367 | # 1: DEBUG 368 | # 2: INFO 369 | # 3: WARNING 370 | # 4: ERROR 371 | # 372 | # Multiple output can be defined, they just need to be separated by spaces. 373 | # e.g.: 374 | # log_outputs="3:syslog:libvirtd" 375 | # to log all warnings and errors to syslog under the libvirtd ident 376 | 377 | # Log debug buffer size: default 64 378 | # The daemon keeps an internal debug log buffer which will be dumped in case 379 | # of crash or upon receiving a SIGUSR2 signal. This setting allows to override 380 | # the default buffer size in kilobytes. 381 | # If value is 0 or less the debug log buffer is deactivated 382 | #log_buffer_size = 64 383 | 384 | 385 | ################################################################## 386 | # 387 | # Auditing 388 | # 389 | # This setting allows usage of the auditing subsystem to be altered: 390 | # 391 | # audit_level == 0 -> disable all auditing 392 | # audit_level == 1 -> enable auditing, only if enabled on host (default) 393 | # audit_level == 2 -> enable auditing, and exit if disabled on host 394 | # 395 | #audit_level = 2 396 | # 397 | # If set to 1, then audit messages will also be sent 398 | # via libvirt logging infrastructure. 
Defaults to 0 399 | # 400 | #audit_logging = 1 401 | 402 | ################################################################### 403 | # UUID of the host: 404 | # Provide the UUID of the host here in case the command 405 | # 'dmidecode -s system-uuid' does not provide a valid uuid. In case 406 | # 'dmidecode' does not provide a valid UUID and none is provided here, a 407 | # temporary UUID will be generated. 408 | # Keep the format of the example UUID below. UUID must not have all digits 409 | # be the same. 410 | 411 | # NB This default all-zeros UUID will not work. Replace 412 | # it with the output of the 'uuidgen' command and then 413 | # uncomment this entry 414 | #host_uuid = "00000000-0000-0000-0000-000000000000" 415 | 416 | ################################################################### 417 | # Keepalive protocol: 418 | # This allows libvirtd to detect broken client connections or even 419 | # dead clients. A keepalive message is sent to a client after 420 | # keepalive_interval seconds of inactivity to check if the client is 421 | # still responding; keepalive_count is a maximum number of keepalive 422 | # messages that are allowed to be sent to the client without getting 423 | # any response before the connection is considered broken. In other 424 | # words, the connection is automatically closed approximately after 425 | # keepalive_interval * (keepalive_count + 1) seconds since the last 426 | # message received from the client. If keepalive_interval is set to 427 | # -1, libvirtd will never send keepalive requests; however clients 428 | # can still send them and the daemon will send responses. When 429 | # keepalive_count is set to 0, connections will be automatically 430 | # closed after keepalive_interval seconds of inactivity without 431 | # sending any keepalive messages. Disabled by default - note that while it is disabled a broken or abandoned connection may keep holding one of the max_clients slots until the underlying TCP connection itself times out.
432 | # 433 | #keepalive_interval = 5 434 | #keepalive_count = 5 435 | # 436 | # If set to 1, libvirtd will refuse to talk to clients that do not 437 | # support keepalive protocol. Defaults to 0. 438 | # 439 | #keepalive_required = 1 440 | -------------------------------------------------------------------------------- /templates/libvirtd.conf.orig: -------------------------------------------------------------------------------- 1 | # Master libvirt daemon configuration file 2 | # 3 | # For further information consult http://libvirt.org/format.html 4 | # 5 | # NOTE: the tests/daemon-conf regression test script requires 6 | # that each "PARAMETER = VALUE" line in this file have the parameter 7 | # name just after a leading "#". 8 | 9 | ################################################################# 10 | # 11 | # Network connectivity controls 12 | # 13 | 14 | # Flag listening for secure TLS connections on the public TCP/IP port. 15 | # NB, must pass the --listen flag to the libvirtd process for this to 16 | # have any effect. 17 | # 18 | # It is necessary to setup a CA and issue server certificates before 19 | # using this capability. 20 | # 21 | # This is enabled by default, uncomment this to disable it 22 | #listen_tls = 0 23 | 24 | # Listen for unencrypted TCP connections on the public TCP/IP port. 25 | # NB, must pass the --listen flag to the libvirtd process for this to 26 | # have any effect. 27 | # 28 | # Using the TCP socket requires SASL authentication by default. Only 29 | # SASL mechanisms which support data encryption are allowed. This is 30 | # DIGEST_MD5 and GSSAPI (Kerberos5) 31 | # 32 | # This is disabled by default, uncomment this to enable it. 
33 | #listen_tcp = 1 34 | 35 | 36 | 37 | # Override the port for accepting secure TLS connections 38 | # This can be a port number, or service name 39 | # 40 | #tls_port = "16514" 41 | 42 | # Override the port for accepting insecure TCP connections 43 | # This can be a port number, or service name 44 | # 45 | #tcp_port = "16509" 46 | 47 | 48 | # Override the default configuration which binds to all network 49 | # interfaces. This can be a numeric IPv4/6 address, or hostname 50 | # 51 | #listen_addr = "192.168.0.1" 52 | 53 | 54 | # Flag toggling mDNS advertizement of the libvirt service. 55 | # 56 | # Alternatively can disable for all services on a host by 57 | # stopping the Avahi daemon 58 | # 59 | # This is enabled by default, uncomment this to disable it 60 | #mdns_adv = 0 61 | 62 | # Override the default mDNS advertizement name. This must be 63 | # unique on the immediate broadcast network. 64 | # 65 | # The default is "Virtualization Host HOSTNAME", where HOSTNAME 66 | # is subsituted for the short hostname of the machine (without domain) 67 | # 68 | #mdns_name = "Virtualization Host Joe Demo" 69 | 70 | 71 | ################################################################# 72 | # 73 | # UNIX socket access controls 74 | # 75 | 76 | # Set the UNIX domain socket group ownership. This can be used to 77 | # allow a 'trusted' set of users access to management capabilities 78 | # without becoming root. 79 | # 80 | # This is restricted to 'root' by default. 81 | #unix_sock_group = "libvirt" 82 | 83 | # Set the UNIX socket permissions for the R/O socket. This is used 84 | # for monitoring VM status only 85 | # 86 | # Default allows any user. If setting group ownership may want to 87 | # restrict this to: 88 | #unix_sock_ro_perms = "0777" 89 | 90 | # Set the UNIX socket permissions for the R/W socket. This is used 91 | # for full management of VMs 92 | # 93 | # Default allows only root. 
If PolicyKit is enabled on the socket, 94 | # the default will change to allow everyone (eg, 0777) 95 | # 96 | # If not using PolicyKit and setting group ownership for access 97 | # control then you may want to relax this to: 98 | #unix_sock_rw_perms = "0770" 99 | 100 | # Set the name of the directory in which sockets will be found/created. 101 | #unix_sock_dir = "/var/run/libvirt" 102 | 103 | ################################################################# 104 | # 105 | # Authentication. 106 | # 107 | # - none: do not perform auth checks. If you can connect to the 108 | # socket you are allowed. This is suitable if there are 109 | # restrictions on connecting to the socket (eg, UNIX 110 | # socket permissions), or if there is a lower layer in 111 | # the network providing auth (eg, TLS/x509 certificates) 112 | # 113 | # - sasl: use SASL infrastructure. The actual auth scheme is then 114 | # controlled from /etc/sasl2/libvirt.conf. For the TCP 115 | # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. 116 | # For non-TCP or TLS sockets, any scheme is allowed. 117 | # 118 | # - polkit: use PolicyKit to authenticate. This is only suitable 119 | # for use on the UNIX sockets. The default policy will 120 | # require a user to supply their own password to gain 121 | # full read/write access (aka sudo like), while anyone 122 | # is allowed read/only access. 123 | # 124 | # Set an authentication scheme for UNIX read-only sockets 125 | # By default socket permissions allow anyone to connect 126 | # 127 | # To restrict monitoring of domains you may wish to enable 128 | # an authentication mechanism here 129 | #auth_unix_ro = "none" 130 | 131 | # Set an authentication scheme for UNIX read-write sockets 132 | # By default socket permissions only allow root. If PolicyKit 133 | # support was compiled into libvirt, the default will be to 134 | # use 'polkit' auth. 
135 | # 136 | # If the unix_sock_rw_perms are changed you may wish to enable 137 | # an authentication mechanism here 138 | #auth_unix_rw = "none" 139 | 140 | # Change the authentication scheme for TCP sockets. 141 | # 142 | # If you don't enable SASL, then all TCP traffic is cleartext. 143 | # Don't do this outside of a dev/test scenario. For real world 144 | # use, always enable SASL and use the GSSAPI or DIGEST-MD5 145 | # mechanism in /etc/sasl2/libvirt.conf 146 | #auth_tcp = "sasl" 147 | 148 | # Change the authentication scheme for TLS sockets. 149 | # 150 | # TLS sockets already have encryption provided by the TLS 151 | # layer, and limited authentication is done by certificates 152 | # 153 | # It is possible to make use of any SASL authentication 154 | # mechanism as well, by using 'sasl' for this option 155 | #auth_tls = "none" 156 | 157 | 158 | 159 | ################################################################# 160 | # 161 | # TLS x509 certificate configuration 162 | # 163 | 164 | 165 | # Override the default server key file path 166 | # 167 | #key_file = "/etc/pki/libvirt/private/serverkey.pem" 168 | 169 | # Override the default server certificate file path 170 | # 171 | #cert_file = "/etc/pki/libvirt/servercert.pem" 172 | 173 | # Override the default CA certificate path 174 | # 175 | #ca_file = "/etc/pki/CA/cacert.pem" 176 | 177 | # Specify a certificate revocation list. 178 | # 179 | # Defaults to not using a CRL, uncomment to enable it 180 | #crl_file = "/etc/pki/CA/crl.pem" 181 | 182 | 183 | 184 | ################################################################# 185 | # 186 | # Authorization controls 187 | # 188 | 189 | 190 | # Flag to disable verification of our own server certificates 191 | # 192 | # When libvirtd starts it performs some sanity checks against 193 | # its own certificates. 194 | # 195 | # Default is to always run sanity checks. 
Uncommenting this 196 | # will disable sanity checks which is not a good idea 197 | #tls_no_sanity_certificate = 1 198 | 199 | # Flag to disable verification of client certificates 200 | # 201 | # Client certificate verification is the primary authentication mechanism. 202 | # Any client which does not present a certificate signed by the CA 203 | # will be rejected. 204 | # 205 | # Default is to always verify. Uncommenting this will disable 206 | # verification - make sure an IP whitelist is set 207 | #tls_no_verify_certificate = 1 208 | 209 | 210 | # A whitelist of allowed x509 Distinguished Names 211 | # This list may contain wildcards such as 212 | # 213 | # "C=GB,ST=London,L=London,O=Red Hat,CN=*" 214 | # 215 | # See the POSIX fnmatch function for the format of the wildcards. 216 | # 217 | # NB If this is an empty list, no client can connect, so comment out 218 | # entirely rather than using empty list to disable these checks 219 | # 220 | # By default, no DN's are checked 221 | #tls_allowed_dn_list = ["DN1", "DN2"] 222 | 223 | 224 | # A whitelist of allowed SASL usernames. The format for usernames 225 | # depends on the SASL authentication mechanism. Kerberos usernames 226 | # look like username@REALM 227 | # 228 | # This list may contain wildcards such as 229 | # 230 | # "*@EXAMPLE.COM" 231 | # 232 | # See the POSIX fnmatch function for the format of the wildcards. 233 | # 234 | # NB If this is an empty list, no client can connect, so comment out 235 | # entirely rather than using empty list to disable these checks 236 | # 237 | # By default, no Username's are checked 238 | #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] 239 | 240 | 241 | 242 | ################################################################# 243 | # 244 | # Processing controls 245 | # 246 | 247 | # The maximum number of concurrent client connections to allow 248 | # over all sockets combined. 
249 | #max_clients = 20 250 | 251 | 252 | # The minimum limit sets the number of workers to start up 253 | # initially. If the number of active clients exceeds this, 254 | # then more threads are spawned, upto max_workers limit. 255 | # Typically you'd want max_workers to equal maximum number 256 | # of clients allowed 257 | #min_workers = 5 258 | #max_workers = 20 259 | 260 | 261 | # The number of priority workers. If all workers from above 262 | # pool will stuck, some calls marked as high priority 263 | # (notably domainDestroy) can be executed in this pool. 264 | #prio_workers = 5 265 | 266 | # Total global limit on concurrent RPC calls. Should be 267 | # at least as large as max_workers. Beyond this, RPC requests 268 | # will be read into memory and queued. This directly impact 269 | # memory usage, currently each request requires 256 KB of 270 | # memory. So by default upto 5 MB of memory is used 271 | # 272 | # XXX this isn't actually enforced yet, only the per-client 273 | # limit is used so far 274 | #max_requests = 20 275 | 276 | # Limit on concurrent requests from a single client 277 | # connection. To avoid one client monopolizing the server 278 | # this should be a small fraction of the global max_requests 279 | # and max_workers parameter 280 | #max_client_requests = 5 281 | 282 | ################################################################# 283 | # 284 | # Logging controls 285 | # 286 | 287 | # Logging level: 4 errors, 3 warnings, 2 information, 1 debug 288 | # basically 1 will log everything possible 289 | #log_level = 3 290 | 291 | # Logging filters: 292 | # A filter allows to select a different logging level for a given category 293 | # of logs 294 | # The format for a filter is: 295 | # x:name 296 | # where name is a match string e.g. 
remote or qemu 297 | # the x prefix is the minimal level where matching messages should be logged 298 | # 1: DEBUG 299 | # 2: INFO 300 | # 3: WARNING 301 | # 4: ERROR 302 | # 303 | # Multiple filter can be defined in a single @filters, they just need to be 304 | # separated by spaces. 305 | # 306 | # e.g: 307 | # log_filters="3:remote 4:event" 308 | # to only get warning or errors from the remote layer and only errors from 309 | # the event layer. 310 | 311 | # Logging outputs: 312 | # An output is one of the places to save logging information 313 | # The format for an output can be: 314 | # x:stderr 315 | # output goes to stderr 316 | # x:syslog:name 317 | # use syslog for the output and use the given name as the ident 318 | # x:file:file_path 319 | # output to a file, with the given filepath 320 | # In all case the x prefix is the minimal level, acting as a filter 321 | # 1: DEBUG 322 | # 2: INFO 323 | # 3: WARNING 324 | # 4: ERROR 325 | # 326 | # Multiple output can be defined, they just need to be separated by spaces. 327 | # e.g.: 328 | # log_outputs="3:syslog:libvirtd" 329 | # to log all warnings and errors to syslog under the libvirtd ident 330 | 331 | # Log debug buffer size: default 64 332 | # The daemon keeps an internal debug log buffer which will be dumped in case 333 | # of crash or upon receiving a SIGUSR2 signal. This setting allows to override 334 | # the default buffer size in kilobytes. 
335 | # If value is 0 or less the debug log buffer is deactivated 336 | #log_buffer_size = 64 337 | 338 | 339 | ################################################################## 340 | # 341 | # Auditing 342 | # 343 | # This setting allows usage of the auditing subsystem to be altered: 344 | # 345 | # audit_level == 0 -> disable all auditing 346 | # audit_level == 1 -> enable auditing, only if enabled on host (default) 347 | # audit_level == 2 -> enable auditing, and exit if disabled on host 348 | # 349 | #audit_level = 2 350 | # 351 | # If set to 1, then audit messages will also be sent 352 | # via libvirt logging infrastructure. Defaults to 0 353 | # 354 | #audit_logging = 1 355 | 356 | ################################################################### 357 | # UUID of the host: 358 | # Provide the UUID of the host here in case the command 359 | # 'dmidecode -s system-uuid' does not provide a valid uuid. In case 360 | # 'dmidecode' does not provide a valid UUID and none is provided here, a 361 | # temporary UUID will be generated. 362 | # Keep the format of the example UUID below. UUID must not have all digits 363 | # be the same. 364 | 365 | # NB This default all-zeros UUID will not work. Replace 366 | # it with the output of the 'uuidgen' command and then 367 | # uncomment this entry 368 | #host_uuid = "00000000-0000-0000-0000-000000000000" 369 | 370 | ################################################################### 371 | # Keepalive protocol: 372 | # This allows libvirtd to detect broken client connections or even 373 | # dead client. A keepalive message is sent to a client after 374 | # keepalive_interval seconds of inactivity to check if the client is 375 | # still responding; keepalive_count is a maximum number of keepalive 376 | # messages that are allowed to be sent to the client without getting 377 | # any response before the connection is considered broken. 
In other 378 | # words, the connection is automatically closed approximately after 379 | # keepalive_interval * (keepalive_count + 1) seconds since the last 380 | # message received from the client. If keepalive_interval is set to 381 | # -1, libvirtd will never send keepalive requests; however clients 382 | # can still send them and the deamon will send responses. When 383 | # keepalive_count is set to 0, connections will be automatically 384 | # closed after keepalive_interval seconds of inactivity without 385 | # sending any keepalive messages. Disabled by default. 386 | # 387 | #keepalive_interval = 5 388 | #keepalive_count = 5 389 | # 390 | # If set to 1, libvirtd will refuse to talk to clients that do not 391 | # support keepalive protocol. Defaults to 0. 392 | # 393 | #keepalive_required = 1 394 | -------------------------------------------------------------------------------- /templates/lxc.conf.orig: -------------------------------------------------------------------------------- 1 | # Master configuration file for the LXC driver. 2 | # All settings described here are optional - if omitted, sensible 3 | # defaults are used. 4 | 5 | # By default, log messages generated by the lxc controller go to the 6 | # container logfile. It is also possible to accumulate log messages 7 | # from all lxc controllers along with libvirtd's log outputs. In this 8 | # case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or 9 | # log_outputs from libvirtd.conf. 10 | # 11 | # This is disabled by default, uncomment below to enable it. 12 | # 13 | # log_with_libvirtd = 1 14 | 15 | 16 | # The default security driver is SELinux. If SELinux is disabled 17 | # on the host, then the security driver will automatically disable 18 | # itself. If you wish to disable QEMU SELinux security driver while 19 | # leaving SELinux enabled for the host in general, then set this 20 | # to 'none' instead. 
21 | # 22 | # security_driver = "selinux" 23 | 24 | # If set to non-zero, then the default security labeling 25 | # will make guests confined. If set to zero, then guests 26 | # will be unconfined by default. Defaults to 0. 27 | # security_default_confined = 1 28 | 29 | # If set to non-zero, then attempts to create unconfined 30 | # guests will be blocked. Defaults to 0. 31 | # security_require_confined = 1 32 | -------------------------------------------------------------------------------- /templates/network.xml.erb: -------------------------------------------------------------------------------- 1 | 2 | <%= @name -%> 3 | <%- if @mac -%> 4 | 5 | <%- end -%> 6 | <%- if @forward_mode -%> 7 | dev='<%= @forward_dev -%>'<%-end-%> mode='<%= @forward_mode -%>'<%-if @forward_interfaces.empty? -%>/<%-end-%>> 8 | <%- if !@forward_interfaces.empty? -%> 9 | <%- @forward_interfaces.each do |dev| -%> 10 | 11 | <%- end -%> 12 | 13 | <%- end -%> 14 | <%-end -%> 15 | <%- if @bridge -%> 16 | stp='on' delay='0'<%-end-%>/> 17 | <%- end -%> 18 | <%-if @ip -%> 19 | <%- @ip.each do |ip| -%> 20 | address='<%=ip['address']-%>'<%-end-%><%-if ip['netmask']-%> netmask='<%=ip['netmask']-%>'<%-end-%><%-if ip['prefix']-%> prefix='<%=ip['prefix']-%>'<%-end-%><%- unless ip['dhcp'] %>/<%- end -%>> 21 | <%- if ip['dhcp'] -%> 22 | <%- dhcp = ip['dhcp'] -%> 23 | 24 | <%-if dhcp['start'] and dhcp['end']-%> 25 | ' end='<%=dhcp['end']-%>'/> 26 | <%-end-%> 27 | <%-if dhcp['bootp_file']-%> 28 | '<%-if dhcp['bootp_server']-%> server='<%=dhcp['bootp_server']-%>'<%-end-%>/> 29 | <%-end-%> 30 | 31 | 32 | <%- end-%> 33 | <%- end-%> 34 | <%-end-%> 35 | <%-if @ipv6 -%> 36 | <%- @ipv6.each do |ip| -%> 37 | address='<%=ip['address']-%>'<%-end-%><%-if ip['netmask']-%> netmask='<%=ip['netmask']-%>'<%-end-%><%-if ip['prefix']-%> prefix='<%=ip['prefix']-%>'<%-end-%><%- unless ip['dhcp'] %>/<%- end -%>> 38 | <%- if ip['dhcp'] -%> 39 | <%- dhcp = ip['dhcp'] -%> 40 | 41 | <%-if dhcp['start'] and dhcp['end']-%> 42 | ' 
end='<%=dhcp['end']-%>'/> 43 | <%-end-%> 44 | 45 | 46 | <%- end-%> 47 | <%- end-%> 48 | <%-end-%> 49 | 50 | -------------------------------------------------------------------------------- /templates/qemu.conf-el8.erb: -------------------------------------------------------------------------------- 1 | # Master configuration file for the QEMU driver. 2 | # All settings described here are optional - if omitted, sensible 3 | # defaults are used. 4 | 5 | # Use of TLS requires that x509 certificates be issued. The default is 6 | # to keep them in /etc/pki/qemu. This directory must contain 7 | # 8 | # ca-cert.pem - the CA master certificate 9 | # server-cert.pem - the server certificate signed with ca-cert.pem 10 | # server-key.pem - the server private key 11 | # 12 | # and optionally may contain 13 | # 14 | # dh-params.pem - the DH params configuration file 15 | # 16 | # If the directory does not exist, libvirtd will fail to start. If the 17 | # directory doesn't contain the necessary files, QEMU domains will fail 18 | # to start if they are configured to use TLS. 19 | # 20 | # In order to overwrite the default path alter the following. This path 21 | # definition will be used as the default path for other *_tls_x509_cert_dir 22 | # configuration settings if their default path does not exist or is not 23 | # specifically set. 24 | # 25 | #default_tls_x509_cert_dir = "/etc/pki/qemu" 26 | 27 | 28 | # The default TLS configuration only uses certificates for the server 29 | # allowing the client to verify the server's identity and establish 30 | # an encrypted channel. 31 | # 32 | # It is possible to use x509 certificates for authentication too, by 33 | # issuing an x509 certificate to every client who needs to connect. 
34 | # 35 | # Enabling this option will reject any client who does not have a 36 | # certificate signed by the CA in /etc/pki/qemu/ca-cert.pem 37 | # 38 | # The default_tls_x509_cert_dir directory must also contain 39 | # 40 | # client-cert.pem - the client certificate signed with the ca-cert.pem 41 | # client-key.pem - the client private key 42 | # 43 | #default_tls_x509_verify = 1 44 | 45 | # 46 | # Libvirt assumes the server-key.pem file is unencrypted by default. 47 | # To use an encrypted server-key.pem file, the password to decrypt 48 | # the PEM file is required. This can be provided by creating a secret 49 | # object in libvirt and then to uncomment this setting to set the UUID 50 | # of the secret. 51 | # 52 | # NB This default all-zeros UUID will not work. Replace it with the 53 | # output from the UUID for the TLS secret from a 'virsh secret-list' 54 | # command and then uncomment the entry 55 | # 56 | #default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" 57 | 58 | 59 | # VNC is configured to listen on 127.0.0.1 by default. 60 | # To make it listen on all public interfaces, uncomment 61 | # this next option. 62 | # 63 | # NB, strong recommendation to enable TLS + x509 certificate 64 | # verification when allowing public access 65 | # 66 | #vnc_listen = "0.0.0.0" 67 | 68 | # Enable this option to have VNC served over an automatically created 69 | # unix socket. This prevents unprivileged access from users on the 70 | # host machine, though most VNC clients do not support it. 71 | # 72 | # This will only be enabled for VNC configurations that have listen 73 | # type=address but without any address specified. This setting takes 74 | # preference over vnc_listen. 75 | # 76 | #vnc_auto_unix_socket = 1 77 | 78 | # Enable use of TLS encryption on the VNC server. This requires 79 | # a VNC client which supports the VeNCrypt protocol extension. 80 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt 81 | # itself. 
UltraVNC, RealVNC, TightVNC do not support this 82 | # 83 | # It is necessary to setup CA and issue a server certificate 84 | # before enabling this. 85 | # 86 | #vnc_tls = 1 87 | 88 | 89 | # In order to override the default TLS certificate location for 90 | # vnc certificates, supply a valid path to the certificate directory. 91 | # If the provided path does not exist, libvirtd will fail to start. 92 | # If the path is not provided, but vnc_tls = 1, then the 93 | # default_tls_x509_cert_dir path will be used. 94 | # 95 | #vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" 96 | 97 | 98 | # The default TLS configuration only uses certificates for the server 99 | # allowing the client to verify the server's identity and establish 100 | # an encrypted channel. 101 | # 102 | # It is possible to use x509 certificates for authentication too, by 103 | # issuing an x509 certificate to every client who needs to connect. 104 | # 105 | # Enabling this option will reject any client that does not have a 106 | # ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir 107 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem 108 | # files described in default_tls_x509_cert_dir. 109 | # 110 | # If this option is not supplied, it will be set to the value of 111 | # "default_tls_x509_verify". 112 | # 113 | #vnc_tls_x509_verify = 1 114 | 115 | 116 | # The default VNC password. Only 8 bytes are significant for 117 | # VNC passwords (anything longer is ignored), so treat it as a weak, supplementary control: rely on vnc_tls with vnc_tls_x509_verify, or vnc_sasl, for real authentication. The value is stored here in cleartext and is shared by every guest that does not set its own, so keep this file readable by root only. This parameter is only used if the per-domain 118 | # XML config does not already provide a password. To allow 119 | # access without passwords, leave this commented out. An empty 120 | # string will still enable passwords, but be rejected by QEMU, 121 | # effectively preventing any use of VNC. Obviously change this 122 | # example here before you set this. 123 | # 124 | #vnc_password = "XYZ12345"
This requires 128 | # a VNC client which supports the SASL protocol extension. 129 | # Examples include vinagre, virt-viewer and virt-manager 130 | # itself. UltraVNC, RealVNC, TightVNC do not support this 131 | # 132 | # It is necessary to configure /etc/sasl2/qemu.conf to choose 133 | # the desired SASL plugin (eg, GSSAPI for Kerberos) 134 | # 135 | #vnc_sasl = 1 136 | 137 | 138 | # The default SASL configuration file is located in /etc/sasl2/ 139 | # When running libvirtd unprivileged, it may be desirable to 140 | # override the configs in this location. Set this parameter to 141 | # point to the directory, and create a qemu.conf in that location 142 | # 143 | #vnc_sasl_dir = "/some/directory/sasl2" 144 | 145 | 146 | # QEMU implements an extension for providing audio over a VNC connection, 147 | # though if your VNC client does not support it, your only chance for getting 148 | # sound output is through regular audio backends. By default, libvirt will 149 | # disable all QEMU sound backends if using VNC, since they can cause 150 | # permissions issues. Enabling this option will make libvirtd honor the 151 | # QEMU_AUDIO_DRV environment variable when using VNC. 152 | # 153 | #vnc_allow_host_audio = 0 154 | 155 | 156 | 157 | # SPICE is configured to listen on 127.0.0.1 by default. 158 | # To make it listen on all public interfaces, uncomment 159 | # this next option. 160 | # 161 | # NB, strong recommendation to enable TLS + x509 certificate 162 | # verification when allowing public access 163 | # 164 | #spice_listen = "0.0.0.0" 165 | 166 | 167 | # Enable use of TLS encryption on the SPICE server. 168 | # 169 | # It is necessary to setup CA and issue a server certificate 170 | # before enabling this. 171 | # 172 | #spice_tls = 1 173 | 174 | 175 | # In order to override the default TLS certificate location for 176 | # spice certificates, supply a valid path to the certificate directory. 177 | # If the provided path does not exist, libvirtd will fail to start.
178 | # If the path is not provided, but spice_tls = 1, then the 179 | # default_tls_x509_cert_dir path will be used. 180 | # 181 | #spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" 182 | 183 | 184 | # Enable this option to have SPICE served over an automatically created 185 | # unix socket. This prevents unprivileged access from users on the 186 | # host machine. 187 | # 188 | # This will only be enabled for SPICE configurations that have listen 189 | # type=address but without any address specified. This setting takes 190 | # preference over spice_listen. 191 | # 192 | #spice_auto_unix_socket = 1 193 | 194 | 195 | # The default SPICE password. This parameter is only used if the 196 | # per-domain XML config does not already provide a password, so one value is shared by every guest that does not set its own; it is stored here in cleartext, so keep this file readable by root only and prefer spice_tls with x509 verification or spice_sasl for actual authentication. To 197 | # allow access without passwords, leave this commented out. An 198 | # empty string will still enable passwords, but be rejected by 199 | # QEMU, effectively preventing any use of SPICE. Obviously change 200 | # this example here before you set this. 201 | # 202 | #spice_password = "XYZ12345" 203 | 204 | 205 | # Enable use of SASL authentication (and, for mechanisms that provide one, a SASL security layer) on the SPICE server. This requires 206 | # a SPICE client which supports the SASL protocol extension. 207 | # 208 | # It is necessary to configure /etc/sasl2/qemu.conf to choose 209 | # the desired SASL plugin (eg, GSSAPI for Kerberos) 210 | # 211 | #spice_sasl = 1 212 | 213 | # The default SASL configuration file is located in /etc/sasl2/ 214 | # When running libvirtd unprivileged, it may be desirable to 215 | # override the configs in this location. Set this parameter to 216 | # point to the directory, and create a qemu.conf in that location 217 | # 218 | #spice_sasl_dir = "/some/directory/sasl2" 219 | 220 | # Enable use of TLS encryption on the chardev TCP transports. 221 | # 222 | # It is necessary to setup CA and issue a server certificate 223 | # before enabling this.
224 | # 225 | #chardev_tls = 1 226 | 227 | 228 | # In order to override the default TLS certificate location for character 229 | # device TCP certificates, supply a valid path to the certificate directory. 230 | # If the provided path does not exist, libvirtd will fail to start. 231 | # If the path is not provided, but chardev_tls = 1, then the 232 | # default_tls_x509_cert_dir path will be used. 233 | # 234 | #chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev" 235 | 236 | 237 | # The default TLS configuration only uses certificates for the server 238 | # allowing the client to verify the server's identity and establish 239 | # an encrypted channel. 240 | # 241 | # It is possible to use x509 certificates for authentication too, by 242 | # issuing an x509 certificate to every client who needs to connect. 243 | # 244 | # Enabling this option will reject any client that does not have a 245 | # ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir 246 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem 247 | # files described in default_tls_x509_cert_dir. 248 | # 249 | # If this option is not supplied, it will be set to the value of 250 | # "default_tls_x509_verify". 251 | # 252 | #chardev_tls_x509_verify = 1 253 | 254 | 255 | # Uncomment and use the following option to override the default secret 256 | # UUID provided in the default_tls_x509_secret_uuid parameter. 257 | # 258 | # NB This default all-zeros UUID will not work. Replace it with the 259 | # output from the UUID for the TLS secret from a 'virsh secret-list' 260 | # command and then uncomment the entry 261 | # 262 | #chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" 263 | 264 | 265 | # Enable use of TLS encryption for all VxHS network block devices that 266 | # don't specifically disable. 
267 | # 268 | # When the VxHS network block device server is set up appropriately, 269 | # x509 certificates are required for authentication between the clients 270 | # (qemu processes) and the remote VxHS server. 271 | # 272 | # It is necessary to setup CA and issue the client certificate before 273 | # enabling this. 274 | # 275 | #vxhs_tls = 1 276 | 277 | 278 | # In order to override the default TLS certificate location for VxHS 279 | # backed storage, supply a valid path to the certificate directory. 280 | # This is used to authenticate the VxHS block device clients to the VxHS 281 | # server. 282 | # 283 | # If the provided path does not exist, libvirtd will fail to start. 284 | # If the path is not provided, but vxhs_tls = 1, then the 285 | # default_tls_x509_cert_dir path will be used. 286 | # 287 | # VxHS block device clients expect the client certificate and key to be 288 | # present in the certificate directory along with the CA master certificate. 289 | # If using the default environment, default_tls_x509_verify must be configured. 290 | # Since this is only a client the server-key.pem certificate is not needed. 291 | # Thus a VxHS directory must contain the following: 292 | # 293 | # ca-cert.pem - the CA master certificate 294 | # client-cert.pem - the client certificate signed with the ca-cert.pem 295 | # client-key.pem - the client private key 296 | # 297 | #vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs" 298 | 299 | 300 | 301 | # Enable use of TLS encryption for all NBD disk devices that don't 302 | # specifically disable it. 303 | # 304 | # When the NBD server is set up appropriately, x509 certificates are required 305 | # for authentication between the client and the remote NBD server. 306 | # 307 | # It is necessary to setup CA and issue the client certificate before 308 | # enabling this. 
309 | # 310 | #nbd_tls = 1 311 | 312 | 313 | # In order to override the default TLS certificate location for NBD 314 | # backed storage, supply a valid path to the certificate directory. 315 | # This is used to authenticate the NBD block device clients to the NBD 316 | # server. 317 | # 318 | # If the provided path does not exist, libvirtd will fail to start. 319 | # If the path is not provided, but nbd_tls = 1, then the 320 | # default_tls_x509_cert_dir path will be used. 321 | # 322 | # NBD block device clients expect the client certificate and key to be 323 | # present in the certificate directory along with the CA certificate. 324 | # Since this is only a client the server-key.pem certificate is not needed. 325 | # Thus a NBD directory must contain the following: 326 | # 327 | # ca-cert.pem - the CA master certificate 328 | # client-cert.pem - the client certificate signed with the ca-cert.pem 329 | # client-key.pem - the client private key 330 | # 331 | #nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd" 332 | 333 | 334 | # In order to override the default TLS certificate location for migration 335 | # certificates, supply a valid path to the certificate directory. If the 336 | # provided path does not exist, libvirtd will fail to start. If the path is 337 | # not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path 338 | # will be used. Once/if a default certificate is enabled/defined, migration 339 | # will then be able to use the certificate via migration API flags. 340 | # 341 | #migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate" 342 | 343 | 344 | # The default TLS configuration only uses certificates for the server 345 | # allowing the client to verify the server's identity and establish 346 | # an encrypted channel. 347 | # 348 | # It is possible to use x509 certificates for authentication too, by 349 | # issuing an x509 certificate to every client who needs to connect. 
350 | # 351 | # Enabling this option will reject any client that does not have a 352 | # ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir 353 | # (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem 354 | # files described in default_tls_x509_cert_dir. 355 | # 356 | # If this option is not supplied, it will be set to the value of 357 | # "default_tls_x509_verify". 358 | # 359 | #migrate_tls_x509_verify = 1 360 | 361 | 362 | # Uncomment and use the following option to override the default secret 363 | # UUID provided in the default_tls_x509_secret_uuid parameter. 364 | # 365 | # NB This default all-zeros UUID will not work. Replace it with the 366 | # output from the UUID for the TLS secret from a 'virsh secret-list' 367 | # command and then uncomment the entry 368 | # 369 | #migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000" 370 | 371 | 372 | # By default, if no graphical front end is configured, libvirt will disable 373 | # QEMU audio output since directly talking to alsa/pulseaudio may not work 374 | # with various security settings. If you know what you're doing, enable 375 | # the setting below and libvirt will pass through the QEMU_AUDIO_DRV 376 | # environment variable when using nographics. 377 | # 378 | #nographics_allow_host_audio = 1 379 | 380 | 381 | # Override the port for creating both VNC and SPICE sessions (min). 382 | # This defaults to 5900 and increases for consecutive sessions 383 | # or when ports are occupied, until it hits the maximum. 384 | # 385 | # Minimum must be greater than or equal to 5900, as a lower number would 386 | # result in a negative VNC display number. 387 | # 388 | # Maximum must be less than 65536, because higher numbers do not make 389 | # sense as a port number. 390 | # 391 | #remote_display_port_min = 5900 392 | #remote_display_port_max = 65535 393 | 394 | # VNC WebSocket port policies, same rules apply as with remote display 395 | # ports. 
VNC WebSockets use similar display <-> port mappings, with 396 | # the exception being that ports start from 5700 instead of 5900. 397 | # 398 | #remote_websocket_port_min = 5700 399 | #remote_websocket_port_max = 65535 400 | 401 | # The default security driver is SELinux. If SELinux is disabled 402 | # on the host, then the security driver will automatically disable 403 | # itself. If you wish to disable QEMU SELinux security driver while 404 | # leaving SELinux enabled for the host in general, then set this 405 | # to 'none' instead. It's also possible to use more than one security 406 | # driver at the same time, for this use a list of names separated by 407 | # comma and delimited by square brackets. For example: 408 | # 409 | # security_driver = [ "selinux", "apparmor" ] 410 | # 411 | # Notes: The DAC security driver is always enabled; as a result, the 412 | # value of security_driver cannot contain "dac". The value "none" is 413 | # a special value; security_driver can be set to that value in 414 | # isolation, but it cannot appear in a list of drivers. 415 | # 416 | #security_driver = "selinux" 417 | 418 | # If set to non-zero, then the default security labeling 419 | # will make guests confined. If set to zero, then guests 420 | # will be unconfined by default. Defaults to 1. 421 | #security_default_confined = 1 422 | 423 | # If set to non-zero, then attempts to create unconfined 424 | # guests will be blocked. Defaults to 0. 425 | #security_require_confined = 1 426 | 427 | # The user for QEMU processes run by the system instance. It can be 428 | # specified as a user name or as a user id. The qemu driver will try to 429 | # parse this value first as a name and then, if the name doesn't exist, 430 | # as a user id. 431 | # 432 | # Since a sequence of digits is a valid user name, a leading plus sign 433 | # can be used to ensure that a user id will not be interpreted as a user 434 | # name. 
435 | # 436 | # Some examples of valid values are: 437 | # 438 | # user = "qemu" # A user named "qemu" 439 | # user = "+0" # Super user (uid=0) 440 | # user = "100" # A user named "100" or a user with uid=100 441 | # 442 | #user = "root" 443 | 444 | # The group for QEMU processes run by the system instance. It can be 445 | # specified in a similar way to user. 446 | #group = "root" 447 | 448 | # Whether libvirt should dynamically change file ownership 449 | # to match the configured user/group above. Defaults to 1. 450 | # Set to 0 to disable file ownership changes. 451 | #dynamic_ownership = 1 452 | 453 | 454 | # What cgroup controllers to make use of with QEMU guests 455 | # 456 | # - 'cpu' - use for scheduler tunables 457 | # - 'devices' - use for device whitelisting 458 | # - 'memory' - use for memory tunables 459 | # - 'blkio' - use for block devices I/O tunables 460 | # - 'cpuset' - use for CPUs and memory nodes 461 | # - 'cpuacct' - use for CPUs statistics. 462 | # 463 | # NB, even if configured here, they won't be used unless 464 | # the administrator has mounted cgroups, e.g.: 465 | # 466 | # mkdir /dev/cgroup 467 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup 468 | # 469 | # They can be mounted anywhere, and different controllers 470 | # can be mounted in different locations. libvirt will detect 471 | # where they are located. 472 | # 473 | #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] 474 | 475 | # This is the basic set of devices allowed / required by 476 | # all virtual machines. 477 | # 478 | # As well as this, any configured block backed disks, 479 | # all sound device, and all PTY devices are allowed. 480 | # 481 | # This will only need setting if newer QEMU suddenly 482 | # wants some device we don't already know about. 
483 | # 484 | #cgroup_device_acl = [ 485 | # "/dev/null", "/dev/full", "/dev/zero", 486 | # "/dev/random", "/dev/urandom", 487 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", 488 | # "/dev/rtc","/dev/hpet" 489 | #] 490 | # 491 | # RDMA migration requires the following extra files to be added to the list: 492 | # "/dev/infiniband/rdma_cm", 493 | # "/dev/infiniband/issm0", 494 | # "/dev/infiniband/issm1", 495 | # "/dev/infiniband/umad0", 496 | # "/dev/infiniband/umad1", 497 | # "/dev/infiniband/uverbs0" 498 | 499 | 500 | # The default format for QEMU/KVM guest save images is raw; that is, the 501 | # memory from the domain is dumped out directly to a file. If you have 502 | # guests with a large amount of memory, however, this can take up quite 503 | # a bit of space. If you would like to compress the images while they 504 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" 505 | # for save_image_format. Note that this means you slow down the process of 506 | # saving a domain in order to save disk space; the list above is in descending 507 | # order by performance and ascending order by compression ratio. 508 | # 509 | # save_image_format is used when you use 'virsh save' or 'virsh managedsave' 510 | # at scheduled saving, and it is an error if the specified save_image_format 511 | # is not valid, or the requested compression program can't be found. 512 | # 513 | # dump_image_format is used when you use 'virsh dump' at emergency 514 | # crashdump, and if the specified dump_image_format is not valid, or 515 | # the requested compression program can't be found, this falls 516 | # back to "raw" compression. 517 | # 518 | # snapshot_image_format specifies the compression algorithm of the memory save 519 | # image when an external snapshot of a domain is taken. This does not apply 520 | # on disk image format. It is an error if the specified format isn't valid, 521 | # or the requested compression program can't be found. 
522 | # 523 | #save_image_format = "raw" 524 | #dump_image_format = "raw" 525 | #snapshot_image_format = "raw" 526 | 527 | # When a domain is configured to be auto-dumped when libvirtd receives a 528 | # watchdog event from qemu guest, libvirtd will save dump files in directory 529 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump 530 | # 531 | #auto_dump_path = "/var/lib/libvirt/qemu/dump" 532 | 533 | # When a domain is configured to be auto-dumped, enabling this flag 534 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the 535 | # virDomainCoreDump API. That is, the system will avoid using the 536 | # file system cache while writing the dump file, but may cause 537 | # slower operation. 538 | # 539 | #auto_dump_bypass_cache = 0 540 | 541 | # When a domain is configured to be auto-started, enabling this flag 542 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag 543 | # with the virDomainCreateWithFlags API. That is, the system will 544 | # avoid using the file system cache when restoring any managed state 545 | # file, but may cause slower operation. 546 | # 547 | #auto_start_bypass_cache = 0 548 | 549 | # If provided by the host and a hugetlbfs mount point is configured, 550 | # a guest may request huge page backing. When this mount point is 551 | # unspecified here, determination of a host mount point in /proc/mounts 552 | # will be attempted. Specifying an explicit mount overrides detection 553 | # of the same in /proc/mounts. Setting the mount point to "" will 554 | # disable guest hugepage backing. If desired, multiple mount points can 555 | # be specified at once, separated by comma and enclosed in square 556 | # brackets, for example: 557 | # 558 | # hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] 559 | # 560 | # The size of huge page served by specific mount point is determined by 561 | # libvirt at the daemon startup. 
562 | # 563 | # NB, within these mount points, guests will create memory backing 564 | # files in a location of $MOUNTPOINT/libvirt/qemu 565 | # 566 | #hugetlbfs_mount = "/dev/hugepages" 567 | 568 | 569 | # Path to the setuid helper for creating tap devices. This executable 570 | # is used to create interfaces when libvirtd is 571 | # running unprivileged. libvirt invokes the helper directly, instead 572 | # of using "-netdev bridge", for security reasons. 573 | #bridge_helper = "/usr/libexec/qemu-bridge-helper" 574 | 575 | 576 | 577 | # If clear_emulator_capabilities is enabled, libvirt will drop all 578 | # privileged capabilities of the QEMU/KVM emulator. This is enabled by 579 | # default. 580 | # 581 | # Warning: Disabling this option means that a compromised guest can 582 | # exploit the privileges and possibly do damage to the host. 583 | # 584 | #clear_emulator_capabilities = 1 585 | 586 | 587 | # If enabled, libvirt will have QEMU set its process name to 588 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU 589 | # process will appear as "qemu:VM_NAME" in process listings and 590 | # other system monitoring tools. By default, QEMU does not set 591 | # its process title, so the complete QEMU command (emulator and 592 | # its arguments) appear in process listings. 593 | # 594 | #set_process_name = 1 595 | 596 | 597 | # If max_processes is set to a positive integer, libvirt will use 598 | # it to set the maximum number of processes that can be run by qemu 599 | # user. This can be used to override default value set by host OS. 600 | # The same applies to max_files which sets the limit on the maximum 601 | # number of opened files. 602 | # 603 | #max_processes = 0 604 | #max_files = 0 605 | 606 | # If max_core is set to a non-zero integer, then QEMU will be 607 | # permitted to create core dumps when it crashes, provided its 608 | # RAM size is smaller than the limit set. 
609 | # 610 | # Be warned that the core dump will include a full copy of the 611 | # guest RAM, if the 'dump_guest_core' setting has been enabled, 612 | # or if the guest XML sets the dumpcore attribute to "on" on its 613 | # memory element (the element whose body is ...guest ram...). 614 | # 615 | # 616 | # If guest RAM is to be included, ensure the max_core limit 617 | # is set to at least the size of the largest expected guest 618 | # plus another 1GB for any QEMU host side memory mappings. 619 | # 620 | # As a special case it can be set to the string "unlimited" 621 | # to allow arbitrarily sized core dumps. 622 | # 623 | # By default the core dump size is set to 0, disabling all dumps. 624 | # 625 | # Size is a positive integer specifying bytes or the 626 | # string "unlimited" 627 | # 628 | #max_core = "unlimited" 629 | 630 | # Determine if guest RAM is included in QEMU core dumps. By 631 | # default guest RAM will be excluded if a new enough QEMU is 632 | # present. Setting this to '1' will force guest RAM to always 633 | # be included in QEMU core dumps. 634 | # 635 | # This setting will be ignored if the guest XML has set the 636 | # dumpcore attribute on the memory element. 637 | # 638 | #dump_guest_core = 1 639 | 640 | # mac_filter enables MAC address based filtering on bridge ports. 641 | # This currently requires ebtables to be installed. 642 | # 643 | #mac_filter = 1 644 | 645 | 646 | # By default, PCI devices below a non-ACS switch are not allowed to be assigned 647 | # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to 648 | # be assigned to guests. 649 | # 650 | #relaxed_acs_check = 1 651 | 652 | 653 | # In order to prevent accidentally starting two domains that 654 | # share one writable disk, libvirt offers two approaches for 655 | # locking files. The first one is sanlock, the other one, 656 | # virtlockd, is then our own implementation. Accepted values 657 | # are "sanlock" and "lockd". 658 | # 659 | #lock_manager = "lockd" 660 | 661 | 662 | 663 | # Set limit of maximum APIs queued on one domain. 
All other APIs 664 | # over this threshold will fail on acquiring the job lock. In particular, 665 | # setting it to zero turns this feature off. 666 | # Note that the job lock is per domain. 667 | # 668 | #max_queued = 0 669 | 670 | ################################################################### 671 | # Keepalive protocol: 672 | # This allows the qemu driver to detect broken connections to a remote 673 | # libvirtd during peer-to-peer migration. A keepalive message is 674 | # sent to the daemon after keepalive_interval seconds of inactivity 675 | # to check if the daemon is still responding; keepalive_count is the 676 | # maximum number of keepalive messages that are allowed to be sent 677 | # to the daemon without getting any response before the connection 678 | # is considered broken. In other words, the connection is 679 | # automatically closed approximately after 680 | # keepalive_interval * (keepalive_count + 1) seconds since the last 681 | # message received from the daemon. If keepalive_interval is set to 682 | # -1, the qemu driver will not send keepalive requests during 683 | # peer-to-peer migration; however, the remote libvirtd can still 684 | # send them and the source libvirtd will send responses. When 685 | # keepalive_count is set to 0, connections will be automatically 686 | # closed after keepalive_interval seconds of inactivity without 687 | # sending any keepalive messages. 688 | # 689 | #keepalive_interval = 5 690 | #keepalive_count = 5 691 | 692 | 693 | 694 | # Use seccomp syscall sandbox in QEMU. 695 | # 1 == seccomp enabled, 0 == seccomp disabled 696 | # 697 | # If it is unset (or -1), then seccomp will be enabled 698 | # only if QEMU >= 2.11.0 is detected, otherwise it is 699 | # left disabled. This ensures the default config gets 700 | # protection for new QEMU using the blacklist approach. 701 | # 702 | #seccomp_sandbox = 1 703 | 704 | 705 | # Override the listen address for all incoming migrations. 
Defaults to 706 | # 0.0.0.0, or :: if both host and qemu are capable of IPv6. 707 | #migration_address = "0.0.0.0" 708 | 709 | 710 | # The default hostname or IP address which will be used by a migration 711 | # source for transferring migration data to this host. The migration 712 | # source has to be able to resolve this hostname and connect to it so 713 | # setting "localhost" will not work. By default, the host's configured 714 | # hostname is used. 715 | #migration_host = "host.example.com" 716 | 717 | 718 | # Override the port range used for incoming migrations. 719 | # 720 | # Minimum must be greater than 0, however when QEMU is not running as root, 721 | # setting the minimum to be lower than 1024 will not work. 722 | # 723 | # Maximum must not be greater than 65535. 724 | # 725 | #migration_port_min = 49152 726 | #migration_port_max = 49215 727 | 728 | 729 | 730 | # Timestamp QEMU's log messages (if QEMU supports it) 731 | # 732 | # Defaults to 1. 733 | # 734 | #log_timestamp = 0 735 | 736 | 737 | # Location of master nvram file 738 | # 739 | # When a domain is configured to use UEFI instead of standard 740 | # BIOS it may use a separate storage for UEFI variables. If 741 | # that's the case libvirt creates the variable store per domain 742 | # using this master file as image. Each UEFI firmware can, 743 | # however, have different variables store. Therefore the nvram is 744 | # a list of strings when a single item is in form of: 745 | # ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. 746 | # Later, when libvirt creates per domain variable store, this list is 747 | # searched for the master image. The UEFI firmware can be called 748 | # differently for different guest architectures. For instance, it's OVMF 749 | # for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default 750 | # follows this scheme. 
751 | #nvram = [ 752 | # "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", 753 | # "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", 754 | # "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", 755 | # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd" 756 | #] 757 | 758 | # The backend to use for handling stdout/stderr output from 759 | # QEMU processes. 760 | # 761 | # 'file': QEMU writes directly to a plain file. This is the 762 | # historical default, but allows QEMU to inflict a 763 | # denial of service attack on the host by exhausting 764 | # filesystem space 765 | # 766 | # 'logd': QEMU writes to a pipe provided by virtlogd daemon. 767 | # This is the current default, providing protection 768 | # against denial of service by performing log file 769 | # rollover when a size limit is hit. 770 | # 771 | #stdio_handler = "logd" 772 | 773 | # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the 774 | # most verbose, and 0 representing no debugging output. 775 | # 776 | # The current logging levels defined in the gluster GFAPI are: 777 | # 778 | # 0 - None 779 | # 1 - Emergency 780 | # 2 - Alert 781 | # 3 - Critical 782 | # 4 - Error 783 | # 5 - Warning 784 | # 6 - Notice 785 | # 7 - Info 786 | # 8 - Debug 787 | # 9 - Trace 788 | # 789 | # Defaults to 4 790 | # 791 | #gluster_debug_level = 9 792 | 793 | # To enhance security, QEMU driver is capable of creating private namespaces 794 | # for each domain started. Well, so far only "mount" namespace is supported. If 795 | # enabled it means qemu process is unable to see all the devices on the system, 796 | # only those configured for the domain in question. Libvirt then manages 797 | # devices entries throughout the domain lifetime. This namespace is turned on 798 | # by default. 799 | #namespaces = [ "mount" ] 800 | 801 | # This directory is used for memoryBacking source if configured as file. 
802 | # NOTE: big files will be stored here 803 | #memory_backing_dir = "/var/lib/libvirt/qemu/ram" 804 | 805 | # Path to the SCSI persistent reservations helper. This helper is 806 | # used whenever persistent reservations are enabled for SCSI LUN devices. 807 | #pr_helper = "/usr/bin/qemu-pr-helper" 808 | 809 | # User for the swtpm TPM Emulator 810 | # 811 | # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs 812 | # and uses; the alternative is 'root' 813 | # 814 | #swtpm_user = "tss" 815 | #swtpm_group = "tss" 816 | -------------------------------------------------------------------------------- /templates/qemu.conf.erb: -------------------------------------------------------------------------------- 1 | # Master configuration file for the QEMU driver. 2 | # All settings described here are optional - if omitted, sensible 3 | # defaults are used. 4 | 5 | # VNC is configured to listen on 127.0.0.1 by default. 6 | # To make it listen on all public interfaces, uncomment 7 | # this next option. 8 | # 9 | # NB, strong recommendation to enable TLS + x509 certificate 10 | # verification when allowing public access 11 | # 12 | # vnc_listen = "0.0.0.0" 13 | <% if @qemu_vnc_listen -%> 14 | vnc_listen = "<%= @qemu_vnc_listen %>" 15 | <% end -%> 16 | 17 | # Enable this option to have VNC served over an automatically created 18 | # unix socket. This prevents unprivileged access from users on the 19 | # host machine, though most VNC clients do not support it. 20 | # 21 | # This will only be enabled for VNC configurations that do not have 22 | # a hardcoded 'listen' or 'socket' value. This setting takes preference 23 | # over vnc_listen. 24 | # 25 | # vnc_auto_unix_socket = 1 26 | 27 | # Enable use of TLS encryption on the VNC server. This requires 28 | # a VNC client which supports the VeNCrypt protocol extension. 29 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt 30 | # itself. 
UltraVNC, RealVNC, TightVNC do not support this 31 | # 32 | # It is necessary to set up a CA and issue a server certificate 33 | # before enabling this. 34 | # 35 | # vnc_tls = 1 36 | <% if @qemu_vnc_tls == true -%> 37 | vnc_tls = 1 38 | <% elsif @qemu_vnc_tls == false -%> 39 | vnc_tls = 0 40 | <% end -%> 41 | 42 | # Use of TLS requires that x509 certificates be issued. The 43 | # default is to keep them in /etc/pki/libvirt-vnc. This directory 44 | # must contain 45 | # 46 | # ca-cert.pem - the CA master certificate 47 | # server-cert.pem - the server certificate signed with ca-cert.pem 48 | # server-key.pem - the server private key 49 | # 50 | # This option allows the certificate directory to be changed 51 | # 52 | # vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" 53 | 54 | 55 | # The default TLS configuration only uses certificates for the server 56 | # allowing the client to verify the server's identity and establish 57 | # an encrypted channel. 58 | # 59 | # It is possible to use x509 certificates for authentication too, by 60 | # issuing an x509 certificate to every client who needs to connect. 61 | # 62 | # Enabling this option will reject any client who does not have a 63 | # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem 64 | # 65 | # vnc_tls_x509_verify = 1 66 | 67 | 68 | # The default VNC password. Only 8 letters are significant for 69 | # VNC passwords. This parameter is only used if the per-domain 70 | # XML config does not already provide a password. To allow 71 | # access without passwords, leave this commented out. An empty 72 | # string will still enable passwords, but be rejected by QEMU, 73 | # effectively preventing any use of VNC. Obviously change this 74 | # example here before you set this. 75 | # 76 | # vnc_password = "XYZ12345" 77 | 78 | 79 | # Enable use of SASL encryption on the VNC server. This requires 80 | # a VNC client which supports the SASL protocol extension. 
81 | # Examples include vinagre, virt-viewer and virt-manager 82 | # itself. UltraVNC, RealVNC, TightVNC do not support this 83 | # 84 | # It is necessary to configure /etc/sasl2/qemu.conf to choose 85 | # the desired SASL plugin (eg, GSSAPI for Kerberos) 86 | # 87 | # vnc_sasl = 1 88 | <% if @qemu_vnc_sasl == true -%> 89 | vnc_sasl = 1 90 | <% elsif @qemu_vnc_sasl == false -%> 91 | vnc_sasl = 0 92 | <% end -%> 93 | 94 | # The default SASL configuration file is located in /etc/sasl2/ 95 | # When running libvirtd unprivileged, it may be desirable to 96 | # override the configs in this location. Set this parameter to 97 | # point to the directory, and create a qemu.conf in that location 98 | # 99 | # vnc_sasl_dir = "/some/directory/sasl2" 100 | 101 | 102 | 103 | # SPICE is configured to listen on 127.0.0.1 by default. 104 | # To make it listen on all public interfaces, uncomment 105 | # this next option. 106 | # 107 | # NB, strong recommendation to enable TLS + x509 certificate 108 | # verification when allowing public access 109 | # 110 | # spice_listen = "0.0.0.0" 111 | 112 | 113 | # Enable use of TLS encryption on the SPICE server. 114 | # 115 | # It is necessary to set up a CA and issue a server certificate 116 | # before enabling this. 117 | # 118 | # spice_tls = 1 119 | 120 | 121 | # Use of TLS requires that x509 certificates be issued. The 122 | # default is to keep them in /etc/pki/libvirt-spice. This directory 123 | # must contain 124 | # 125 | # ca-cert.pem - the CA master certificate 126 | # server-cert.pem - the server certificate signed with ca-cert.pem 127 | # server-key.pem - the server private key 128 | # 129 | # This option allows the certificate directory to be changed. 130 | # 131 | # spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" 132 | 133 | 134 | # The default SPICE password. This parameter is only used if the 135 | # per-domain XML config does not already provide a password. To 136 | # allow access without passwords, leave this commented out. 
An 137 | # empty string will still enable passwords, but be rejected by 138 | # QEMU, effectively preventing any use of SPICE. Obviously change 139 | # this example here before you set this. 140 | # 141 | # spice_password = "XYZ12345" 142 | 143 | 144 | # The default security driver is SELinux. If SELinux is disabled 145 | # on the host, then the security driver will automatically disable 146 | # itself. If you wish to disable the QEMU SELinux security driver while 147 | # leaving SELinux enabled for the host in general, then set this 148 | # to 'none' instead. 149 | # 150 | # security_driver = "selinux" 151 | 152 | # If set to non-zero, then the default security labeling 153 | # will make guests confined. If set to zero, then guests 154 | # will be unconfined by default. Defaults to 1. 155 | # security_default_confined = 1 156 | 157 | # If set to non-zero, then attempts to create unconfined 158 | # guests will be blocked. Defaults to 0. 159 | # security_require_confined = 1 160 | 161 | # The user ID for QEMU processes run by the system instance. 162 | #user = "root" 163 | <% if @qemu_user -%> 164 | user = "<%= @qemu_user %>" 165 | <% end -%> 166 | 167 | # The group ID for QEMU processes run by the system instance. 168 | #group = "root" 169 | <% if @qemu_group -%> 170 | group = "<%= @qemu_group %>" 171 | <% end -%> 172 | 173 | # Whether libvirt should dynamically change file ownership 174 | # to match the configured user/group above. Defaults to 1. 175 | # Set to 0 to disable file ownership changes. 176 | #dynamic_ownership = 1 177 | 178 | 179 | # What cgroup controllers to make use of with QEMU guests 180 | # 181 | # - 'cpu' - use for scheduler tunables 182 | # - 'devices' - use for device whitelisting 183 | # - 'memory' - use for memory tunables 184 | # - 'blkio' - use for block devices I/O tunables 185 | # - 'cpuset' - use for CPUs and memory nodes 186 | # - 'cpuacct' - use for CPU statistics. 
187 | # 188 | # NB, even if configured here, they won't be used unless 189 | # the administrator has mounted cgroups, e.g.: 190 | # 191 | # mkdir /dev/cgroup 192 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup 193 | # 194 | # They can be mounted anywhere, and different controllers 195 | # can be mounted in different locations. libvirt will detect 196 | # where they are located. 197 | # 198 | # cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] 199 | 200 | # This is the basic set of devices allowed / required by 201 | # all virtual machines. 202 | # 203 | # As well as this, any configured block backed disks, 204 | # all sound device, and all PTY devices are allowed. 205 | # 206 | # This will only need setting if newer QEMU suddenly 207 | # wants some device we don't already know about. 208 | # 209 | #cgroup_device_acl = [ 210 | # "/dev/null", "/dev/full", "/dev/zero", 211 | # "/dev/random", "/dev/urandom", 212 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", 213 | # "/dev/rtc", "/dev/hpet", 214 | #] 215 | 216 | 217 | # The default format for Qemu/KVM guest save images is raw; that is, the 218 | # memory from the domain is dumped out directly to a file. If you have 219 | # guests with a large amount of memory, however, this can take up quite 220 | # a bit of space. If you would like to compress the images while they 221 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" 222 | # for save_image_format. Note that this means you slow down the process of 223 | # saving a domain in order to save disk space; the list above is in descending 224 | # order by performance and ascending order by compression ratio. 225 | # 226 | # save_image_format is used when you use 'virsh save' at scheduled 227 | # saving, and it is an error if the specified save_image_format is 228 | # not valid, or the requested compression program can't be found. 
229 | # 230 | # dump_image_format is used when you use 'virsh dump' at emergency 231 | # crashdump, and if the specified dump_image_format is not valid, or 232 | # the requested compression program can't be found, this falls 233 | # back to "raw" compression. 234 | # 235 | # save_image_format = "raw" 236 | # dump_image_format = "raw" 237 | 238 | # When a domain is configured to be auto-dumped when libvirtd receives a 239 | # watchdog event from qemu guest, libvirtd will save dump files in directory 240 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump 241 | # 242 | # auto_dump_path = "/var/lib/libvirt/qemu/dump" 243 | 244 | # When a domain is configured to be auto-dumped, enabling this flag 245 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the 246 | # virDomainCoreDump API. That is, the system will avoid using the 247 | # file system cache while writing the dump file, but may cause 248 | # slower operation. 249 | # 250 | # auto_dump_bypass_cache = 0 251 | 252 | # When a domain is configured to be auto-started, enabling this flag 253 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag 254 | # with the virDomainCreateWithFlags API. That is, the system will 255 | # avoid using the file system cache when restoring any managed state 256 | # file, but may cause slower operation. 257 | # 258 | # auto_start_bypass_cache = 0 259 | 260 | # If provided by the host and a hugetlbfs mount point is configured, 261 | # a guest may request huge page backing. When this mount point is 262 | # unspecified here, determination of a host mount point in /proc/mounts 263 | # will be attempted. Specifying an explicit mount overrides detection 264 | # of the same in /proc/mounts. Setting the mount point to "" will 265 | # disable guest hugepage backing. 
266 | # 267 | # NB, within this mount point, guests will create memory backing files 268 | # in a location of $MOUNTPOINT/libvirt/qemu 269 | # 270 | # hugetlbfs_mount = "/dev/hugepages" 271 | 272 | 273 | # mac_filter enables MAC addressed based filtering on bridge ports. 274 | # This currently requires ebtables to be installed. 275 | # 276 | # mac_filter = 1 277 | 278 | 279 | # By default, PCI devices below non-ACS switch are not allowed to be assigned 280 | # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to 281 | # be assigned to guests. 282 | # 283 | # relaxed_acs_check = 1 284 | 285 | 286 | # QEMU implements an extension for providing audio over a VNC connection, 287 | # though if your VNC client does not support it, your only chance for getting 288 | # sound output is through regular audio backends. By default, libvirt will 289 | # disable all QEMU sound backends if using VNC, since they can cause 290 | # permissions issues. Enabling this option will make libvirtd honor the 291 | # QEMU_AUDIO_DRV environment variable when using VNC. 292 | # 293 | # vnc_allow_host_audio = 0 294 | 295 | 296 | # If clear_emulator_capabilities is enabled, libvirt will drop all 297 | # privileged capabilities of the QEmu/KVM emulator. This is enabled by 298 | # default. 299 | # 300 | # Warning: Disabling this option means that a compromised guest can 301 | # exploit the privileges and possibly do damage to the host. 302 | # 303 | # clear_emulator_capabilities = 1 304 | 305 | 306 | # If allow_disk_format_probing is enabled, libvirt will probe disk 307 | # images to attempt to identify their format, when not otherwise 308 | # specified in the XML. This is disabled by default. 309 | # 310 | # WARNING: Enabling probing is a security hole in almost all 311 | # deployments. It is strongly recommended that users update their 312 | # guest XML elements to include 313 | # elements instead of enabling this option. 
314 | # 315 | # allow_disk_format_probing = 1 316 | 317 | 318 | # If enabled, libvirt will have QEMU set its process name to 319 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU 320 | # process will appear as "qemu:VM_NAME" in process listings and 321 | # other system monitoring tools. By default, QEMU does not set 322 | # its process title, so the complete QEMU command (emulator and 323 | # its arguments) appear in process listings. 324 | # 325 | # set_process_name = 1 326 | <% if @qemu_set_process_name == true -%> 327 | set_process_name = 1 328 | <% elsif @qemu_set_process_name == false -%> 329 | set_process_name = 0 330 | <% end -%> 331 | 332 | 333 | # If max_processes is set to a positive integer, libvirt will use 334 | # it to set the maximum number of processes that can be run by qemu 335 | # user. This can be used to override default value set by host OS. 336 | # The same applies to max_files which sets the limit on the maximum 337 | # number of opened files. 338 | # 339 | # max_processes = 0 340 | # max_files = 0 341 | 342 | # To enable 'Sanlock' project based locking of the file 343 | # content (to prevent two VMs writing to the same 344 | # disk), uncomment this 345 | # 346 | # lock_manager = "sanlock" 347 | 348 | # Set limit of maximum APIs queued on one domain. All other APIs 349 | # over this threshold will fail on acquiring job lock. Specially, 350 | # setting to zero turns this feature off. 351 | # Note, that job lock is per domain. 352 | # 353 | # max_queued = 0 354 | 355 | ################################################################### 356 | # Keepalive protocol: 357 | # This allows qemu driver to detect broken connections to remote 358 | # libvirtd during peer-to-peer migration. 
A keepalive message is 359 | # sent to the daemon after keepalive_interval seconds of inactivity 360 | # to check if the daemon is still responding; keepalive_count is a 361 | # maximum number of keepalive messages that are allowed to be sent 362 | # to the daemon without getting any response before the connection 363 | # is considered broken. In other words, the connection is 364 | # automatically closed approximately after 365 | # keepalive_interval * (keepalive_count + 1) seconds since the last 366 | # message received from the daemon.
17 | # 18 | # This will only be enabled for VNC configurations that do not have 19 | # a hardcoded 'listen' or 'socket' value. This setting takes preference 20 | # over vnc_listen. 21 | # 22 | # vnc_auto_unix_socket = 1 23 | 24 | # Enable use of TLS encryption on the VNC server. This requires 25 | # a VNC client which supports the VeNCrypt protocol extension. 26 | # Examples include vinagre, virt-viewer, virt-manager and vencrypt 27 | # itself. UltraVNC, RealVNC, TightVNC do not support this 28 | # 29 | # It is necessary to setup CA and issue a server certificate 30 | # before enabling this. 31 | # 32 | # vnc_tls = 1 33 | 34 | 35 | # Use of TLS requires that x509 certificates be issued. The 36 | # default it to keep them in /etc/pki/libvirt-vnc. This directory 37 | # must contain 38 | # 39 | # ca-cert.pem - the CA master certificate 40 | # server-cert.pem - the server certificate signed with ca-cert.pem 41 | # server-key.pem - the server private key 42 | # 43 | # This option allows the certificate directory to be changed 44 | # 45 | # vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" 46 | 47 | 48 | # The default TLS configuration only uses certificates for the server 49 | # allowing the client to verify the server's identity and establish 50 | # an encrypted channel. 51 | # 52 | # It is possible to use x509 certificates for authentication too, by 53 | # issuing a x509 certificate to every client who needs to connect. 54 | # 55 | # Enabling this option will reject any client who does not have a 56 | # certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem 57 | # 58 | # vnc_tls_x509_verify = 1 59 | 60 | 61 | # The default VNC password. Only 8 letters are significant for 62 | # VNC passwords. This parameter is only used if the per-domain 63 | # XML config does not already provide a password. To allow 64 | # access without passwords, leave this commented out. 
An empty 65 | # string will still enable passwords, but be rejected by QEMU, 66 | # effectively preventing any use of VNC. Obviously change this 67 | # example here before you set this. 68 | # 69 | # vnc_password = "XYZ12345" 70 | 71 | 72 | # Enable use of SASL encryption on the VNC server. This requires 73 | # a VNC client which supports the SASL protocol extension. 74 | # Examples include vinagre, virt-viewer and virt-manager 75 | # itself. UltraVNC, RealVNC, TightVNC do not support this 76 | # 77 | # It is necessary to configure /etc/sasl2/qemu.conf to choose 78 | # the desired SASL plugin (eg, GSSPI for Kerberos) 79 | # 80 | # vnc_sasl = 1 81 | 82 | 83 | # The default SASL configuration file is located in /etc/sasl2/ 84 | # When running libvirtd unprivileged, it may be desirable to 85 | # override the configs in this location. Set this parameter to 86 | # point to the directory, and create a qemu.conf in that location 87 | # 88 | # vnc_sasl_dir = "/some/directory/sasl2" 89 | 90 | 91 | 92 | # SPICE is configured to listen on 127.0.0.1 by default. 93 | # To make it listen on all public interfaces, uncomment 94 | # this next option. 95 | # 96 | # NB, strong recommendation to enable TLS + x509 certificate 97 | # verification when allowing public access 98 | # 99 | # spice_listen = "0.0.0.0" 100 | 101 | 102 | # Enable use of TLS encryption on the SPICE server. 103 | # 104 | # It is necessary to setup CA and issue a server certificate 105 | # before enabling this. 106 | # 107 | # spice_tls = 1 108 | 109 | 110 | # Use of TLS requires that x509 certificates be issued. The 111 | # default it to keep them in /etc/pki/libvirt-spice. This directory 112 | # must contain 113 | # 114 | # ca-cert.pem - the CA master certificate 115 | # server-cert.pem - the server certificate signed with ca-cert.pem 116 | # server-key.pem - the server private key 117 | # 118 | # This option allows the certificate directory to be changed. 
119 | # 120 | # spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" 121 | 122 | 123 | # The default SPICE password. This parameter is only used if the 124 | # per-domain XML config does not already provide a password. To 125 | # allow access without passwords, leave this commented out. An 126 | # empty string will still enable passwords, but be rejected by 127 | # QEMU, effectively preventing any use of SPICE. Obviously change 128 | # this example here before you set this. 129 | # 130 | # spice_password = "XYZ12345" 131 | 132 | 133 | # The default security driver is SELinux. If SELinux is disabled 134 | # on the host, then the security driver will automatically disable 135 | # itself. If you wish to disable QEMU SELinux security driver while 136 | # leaving SELinux enabled for the host in general, then set this 137 | # to 'none' instead. 138 | # 139 | # security_driver = "selinux" 140 | 141 | # If set to non-zero, then the default security labeling 142 | # will make guests confined. If set to zero, then guests 143 | # will be unconfined by default. Defaults to 1. 144 | # security_default_confined = 1 145 | 146 | # If set to non-zero, then attempts to create unconfined 147 | # guests will be blocked. Defaults to 0. 148 | # security_require_confined = 1 149 | 150 | # The user ID for QEMU processes run by the system instance. 151 | #user = "root" 152 | 153 | # The group ID for QEMU processes run by the system instance. 154 | #group = "root" 155 | 156 | # Whether libvirt should dynamically change file ownership 157 | # to match the configured user/group above. Defaults to 1. 158 | # Set to 0 to disable file ownership changes. 
159 | #dynamic_ownership = 1 160 | 161 | 162 | # What cgroup controllers to make use of with QEMU guests 163 | # 164 | # - 'cpu' - use for schedular tunables 165 | # - 'devices' - use for device whitelisting 166 | # - 'memory' - use for memory tunables 167 | # - 'blkio' - use for block devices I/O tunables 168 | # - 'cpuset' - use for CPUs and memory nodes 169 | # - 'cpuacct' - use for CPUs statistics. 170 | # 171 | # NB, even if configured here, they won't be used unless 172 | # the administrator has mounted cgroups, e.g.: 173 | # 174 | # mkdir /dev/cgroup 175 | # mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup 176 | # 177 | # They can be mounted anywhere, and different controllers 178 | # can be mounted in different locations. libvirt will detect 179 | # where they are located. 180 | # 181 | # cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] 182 | 183 | # This is the basic set of devices allowed / required by 184 | # all virtual machines. 185 | # 186 | # As well as this, any configured block backed disks, 187 | # all sound device, and all PTY devices are allowed. 188 | # 189 | # This will only need setting if newer QEMU suddenly 190 | # wants some device we don't already know about. 191 | # 192 | #cgroup_device_acl = [ 193 | # "/dev/null", "/dev/full", "/dev/zero", 194 | # "/dev/random", "/dev/urandom", 195 | # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", 196 | # "/dev/rtc", "/dev/hpet", 197 | #] 198 | 199 | 200 | # The default format for Qemu/KVM guest save images is raw; that is, the 201 | # memory from the domain is dumped out directly to a file. If you have 202 | # guests with a large amount of memory, however, this can take up quite 203 | # a bit of space. If you would like to compress the images while they 204 | # are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" 205 | # for save_image_format. 
Note that this means you slow down the process of 206 | # saving a domain in order to save disk space; the list above is in descending 207 | # order by performance and ascending order by compression ratio. 208 | # 209 | # save_image_format is used when you use 'virsh save' at scheduled 210 | # saving, and it is an error if the specified save_image_format is 211 | # not valid, or the requested compression program can't be found. 212 | # 213 | # dump_image_format is used when you use 'virsh dump' at emergency 214 | # crashdump, and if the specified dump_image_format is not valid, or 215 | # the requested compression program can't be found, this falls 216 | # back to "raw" compression. 217 | # 218 | # save_image_format = "raw" 219 | # dump_image_format = "raw" 220 | 221 | # When a domain is configured to be auto-dumped when libvirtd receives a 222 | # watchdog event from qemu guest, libvirtd will save dump files in directory 223 | # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump 224 | # 225 | # auto_dump_path = "/var/lib/libvirt/qemu/dump" 226 | 227 | # When a domain is configured to be auto-dumped, enabling this flag 228 | # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the 229 | # virDomainCoreDump API. That is, the system will avoid using the 230 | # file system cache while writing the dump file, but may cause 231 | # slower operation. 232 | # 233 | # auto_dump_bypass_cache = 0 234 | 235 | # When a domain is configured to be auto-started, enabling this flag 236 | # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag 237 | # with the virDomainCreateWithFlags API. That is, the system will 238 | # avoid using the file system cache when restoring any managed state 239 | # file, but may cause slower operation. 240 | # 241 | # auto_start_bypass_cache = 0 242 | 243 | # If provided by the host and a hugetlbfs mount point is configured, 244 | # a guest may request huge page backing. 
When this mount point is 245 | # unspecified here, determination of a host mount point in /proc/mounts 246 | # will be attempted. Specifying an explicit mount overrides detection 247 | # of the same in /proc/mounts. Setting the mount point to "" will 248 | # disable guest hugepage backing. 249 | # 250 | # NB, within this mount point, guests will create memory backing files 251 | # in a location of $MOUNTPOINT/libvirt/qemu 252 | # 253 | # hugetlbfs_mount = "/dev/hugepages" 254 | 255 | 256 | # mac_filter enables MAC addressed based filtering on bridge ports. 257 | # This currently requires ebtables to be installed. 258 | # 259 | # mac_filter = 1 260 | 261 | 262 | # By default, PCI devices below non-ACS switch are not allowed to be assigned 263 | # to guests. By setting relaxed_acs_check to 1 such devices will be allowed to 264 | # be assigned to guests. 265 | # 266 | # relaxed_acs_check = 1 267 | 268 | 269 | # QEMU implements an extension for providing audio over a VNC connection, 270 | # though if your VNC client does not support it, your only chance for getting 271 | # sound output is through regular audio backends. By default, libvirt will 272 | # disable all QEMU sound backends if using VNC, since they can cause 273 | # permissions issues. Enabling this option will make libvirtd honor the 274 | # QEMU_AUDIO_DRV environment variable when using VNC. 275 | # 276 | # vnc_allow_host_audio = 0 277 | 278 | 279 | # If clear_emulator_capabilities is enabled, libvirt will drop all 280 | # privileged capabilities of the QEmu/KVM emulator. This is enabled by 281 | # default. 282 | # 283 | # Warning: Disabling this option means that a compromised guest can 284 | # exploit the privileges and possibly do damage to the host. 285 | # 286 | # clear_emulator_capabilities = 1 287 | 288 | 289 | # If allow_disk_format_probing is enabled, libvirt will probe disk 290 | # images to attempt to identify their format, when not otherwise 291 | # specified in the XML. 
This is disabled by default. 292 | # 293 | # WARNING: Enabling probing is a security hole in almost all 294 | # deployments. It is strongly recommended that users update their 295 | # guest XML elements to include 296 | # elements instead of enabling this option. 297 | # 298 | # allow_disk_format_probing = 1 299 | 300 | 301 | # If enabled, libvirt will have QEMU set its process name to 302 | # "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU 303 | # process will appear as "qemu:VM_NAME" in process listings and 304 | # other system monitoring tools. By default, QEMU does not set 305 | # its process title, so the complete QEMU command (emulator and 306 | # its arguments) appear in process listings. 307 | # 308 | # set_process_name = 1 309 | 310 | 311 | # If max_processes is set to a positive integer, libvirt will use 312 | # it to set the maximum number of processes that can be run by qemu 313 | # user. This can be used to override default value set by host OS. 314 | # The same applies to max_files which sets the limit on the maximum 315 | # number of opened files. 316 | # 317 | # max_processes = 0 318 | # max_files = 0 319 | 320 | # To enable 'Sanlock' project based locking of the file 321 | # content (to prevent two VMs writing to the same 322 | # disk), uncomment this 323 | # 324 | # lock_manager = "sanlock" 325 | 326 | # Set limit of maximum APIs queued on one domain. All other APIs 327 | # over this threshold will fail on acquiring job lock. Specially, 328 | # setting to zero turns this feature off. 329 | # Note, that job lock is per domain. 330 | # 331 | # max_queued = 0 332 | 333 | ################################################################### 334 | # Keepalive protocol: 335 | # This allows qemu driver to detect broken connections to remote 336 | # libvirtd during peer-to-peer migration. 
A keepalive message is 337 | # sent to the deamon after keepalive_interval seconds of inactivity 338 | # to check if the deamon is still responding; keepalive_count is a 339 | # maximum number of keepalive messages that are allowed to be sent 340 | # to the deamon without getting any response before the connection 341 | # is considered broken. In other words, the connection is 342 | # automatically closed approximately after 343 | # keepalive_interval * (keepalive_count + 1) seconds since the last 344 | # message received from the deamon. If keepalive_interval is set to 345 | # -1, qemu driver will not send keepalive requests during 346 | # peer-to-peer migration; however, the remote libvirtd can still 347 | # send them and source libvirtd will send responses. When 348 | # keepalive_count is set to 0, connections will be automatically 349 | # closed after keepalive_interval seconds of inactivity without 350 | # sending any keepalive messages. Disabled by default. 351 | # 352 | #keepalive_interval = 5 353 | #keepalive_count = 5 354 | -------------------------------------------------------------------------------- /templates/sasl2/libvirt.conf-el8.erb: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* pick a 2 | # mechanism which provides session encryption as well as 3 | # authentication. 4 | # 5 | # If you are only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # If you are only using UNIX, sockets then encryption is not 9 | # required at all. 10 | # 11 | # Since SASL is the default for the libvirtd non-TLS socket, we 12 | # pick a strong mechanism by default. 13 | # 14 | # NB, previously DIGEST-MD5 was set as the default mechanism for 15 | # libvirt. Per RFC 6331 this is vulnerable to many serious security 16 | # flaws and should no longer be used. Thus GSSAPI is now the default. 
17 | # 18 | # To use GSSAPI requires that a libvirtd service principal is 19 | # added to the Kerberos server for each host running libvirtd. 20 | # This principal needs to be exported to the keytab file listed below 21 | mech_list: gssapi 22 | 23 | # If using a TLS socket or UNIX socket only, it is possible to 24 | # enable plugins which don't provide session encryption. The 25 | # 'scram-sha-1' plugin allows plain username/password authentication 26 | # to be performed 27 | # 28 | #mech_list: scram-sha-1 29 | 30 | # 31 | # You can also list many mechanisms at once, then the user can choose 32 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 33 | # qemu+tcp://hostname/system?auth=sasl.gssapi 34 | #mech_list: scram-sha-1 gssapi 35 | 36 | # Some older builds of MIT kerberos on Linux ignore this option & 37 | # instead need KRB5_KTNAME env var. 38 | # For modern Linux, and other OS, this should be sufficient 39 | # 40 | keytab: /etc/libvirt/krb5.tab 41 | 42 | # If using scram-sha-1 for username/passwds, then this is the file 43 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' 44 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it 45 | #sasldb_path: /etc/libvirt/passwd.db 46 | -------------------------------------------------------------------------------- /templates/sasl2/libvirt.conf-el8.orig: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* pick a 2 | # mechanism which provides session encryption as well as 3 | # authentication. 4 | # 5 | # If you are only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # If you are only using UNIX, sockets then encryption is not 9 | # required at all. 10 | # 11 | # Since SASL is the default for the libvirtd non-TLS socket, we 12 | # pick a strong mechanism by default. 
13 | # 14 | # NB, previously DIGEST-MD5 was set as the default mechanism for 15 | # libvirt. Per RFC 6331 this is vulnerable to many serious security 16 | # flaws and should no longer be used. Thus GSSAPI is now the default. 17 | # 18 | # To use GSSAPI requires that a libvirtd service principal is 19 | # added to the Kerberos server for each host running libvirtd. 20 | # This principal needs to be exported to the keytab file listed below 21 | mech_list: gssapi 22 | 23 | # If using a TLS socket or UNIX socket only, it is possible to 24 | # enable plugins which don't provide session encryption. The 25 | # 'scram-sha-1' plugin allows plain username/password authentication 26 | # to be performed 27 | # 28 | #mech_list: scram-sha-1 29 | 30 | # 31 | # You can also list many mechanisms at once, then the user can choose 32 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 33 | # qemu+tcp://hostname/system?auth=sasl.gssapi 34 | #mech_list: scram-sha-1 gssapi 35 | 36 | # Some older builds of MIT kerberos on Linux ignore this option & 37 | # instead need KRB5_KTNAME env var. 38 | # For modern Linux, and other OS, this should be sufficient 39 | # 40 | keytab: /etc/libvirt/krb5.tab 41 | 42 | # If using scram-sha-1 for username/passwds, then this is the file 43 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' 44 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it 45 | #sasldb_path: /etc/libvirt/passwd.db 46 | -------------------------------------------------------------------------------- /templates/sasl2/libvirt.conf.erb: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* include 2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3 | # ones that can offer session encryption as well as authentication. 
4 | # 5 | # If you're only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # Default to a simple username+password mechanism 9 | <% if @sasl2_libvirt_mech_list -%> 10 | mech_list: <%= @sasl2_libvirt_mech_list %> 11 | <% else -%> 12 | mech_list: digest-md5 13 | <% end -%> 14 | 15 | # Before you can use GSSAPI, you need a service principle on the 16 | # KDC server for libvirt, and that to be exported to the keytab 17 | # file listed below 18 | #mech_list: gssapi 19 | # 20 | # You can also list many mechanisms at once, then the user can choose 21 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 22 | # qemu+tcp://hostname/system?auth=sasl.gssapi 23 | #mech_list: digest-md5 gssapi 24 | 25 | # MIT kerberos ignores this option & needs KRB5_KTNAME env var. 26 | # May be useful for other non-Linux OS though.... 27 | <% if @sasl2_libvirt_keytab -%> 28 | keytab: <%= @sasl2_libvirt_keytab %> 29 | <% else -%> 30 | keytab: /etc/libvirt/krb5.tab 31 | <% end -%> 32 | 33 | # If using digest-md5 for username/passwds, then this is the file 34 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' 35 | # to add entries, and 'sasldblistusers2 -a libvirt' to browse it 36 | sasldb_path: /etc/libvirt/passwd.db 37 | -------------------------------------------------------------------------------- /templates/sasl2/libvirt.conf.orig: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* include 2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3 | # ones that can offer session encryption as well as authentication. 
4 | # 5 | # If you're only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # Default to a simple username+password mechanism 9 | mech_list: digest-md5 10 | 11 | # Before you can use GSSAPI, you need a service principle on the 12 | # KDC server for libvirt, and that to be exported to the keytab 13 | # file listed below 14 | #mech_list: gssapi 15 | # 16 | # You can also list many mechanisms at once, then the user can choose 17 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 18 | # qemu+tcp://hostname/system?auth=sasl.gssapi 19 | #mech_list: digest-md5 gssapi 20 | 21 | # MIT kerberos ignores this option & needs KRB5_KTNAME env var. 22 | # May be useful for other non-Linux OS though.... 23 | keytab: /etc/libvirt/krb5.tab 24 | 25 | # If using digest-md5 for username/passwds, then this is the file 26 | # containing the passwds. Use 'saslpasswd2 -a libvirt [username]' 27 | # to add entries, and 'sasldblistusers2 -a libvirt' to browse it 28 | sasldb_path: /etc/libvirt/passwd.db 29 | 30 | -------------------------------------------------------------------------------- /templates/sasl2/qemu-kvm.conf-el8.erb: -------------------------------------------------------------------------------- 1 | # If you want to use VNC remotely without TLS, then you *must* 2 | # pick a mechanism which provides session encryption as well 3 | # as authentication. 4 | # 5 | # If you are only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # If you are only using UNIX sockets then encryption is not 9 | # required at all. 10 | # 11 | # NB, previously DIGEST-MD5 was set as the default mechanism for 12 | # QEMU VNC. Per RFC 6331 this is vulnerable to many serious security 13 | # flaws as should no longer be used. Thus GSSAPI is now the default. 
14 | # 15 | # To use GSSAPI requires that a QEMU service principal is 16 | # added to the Kerberos server for each host running QEMU. 17 | # This principal needs to be exported to the keytab file listed below 18 | mech_list: gssapi 19 | 20 | # If using TLS with VNC, or a UNIX socket only, it is possible to 21 | # enable plugins which don't provide session encryption. The 22 | # 'scram-sha-1' plugin allows plain username/password authentication 23 | # to be performed 24 | # 25 | #mech_list: scram-sha-1 26 | 27 | # You can also list many mechanisms at once, and the VNC server will 28 | # negotiate which to use by considering the list enabled on the VNC 29 | # client. 30 | #mech_list: scram-sha-1 gssapi 31 | 32 | # Some older builds of MIT kerberos on Linux ignore this option & 33 | # instead need KRB5_KTNAME env var. 34 | # For modern Linux, and other OS, this should be sufficient 35 | # 36 | # This file needs to be populated with the service principal that 37 | # was created on the Kerberos v5 server. If switching to a non-gssapi 38 | # mechanism this can be commented out. 39 | keytab: /etc/qemu/krb5.tab 40 | 41 | # If using scram-sha-1 for username/passwds, then this is the file 42 | # containing the passwds. Use 'saslpasswd2 -a qemu [username]' 43 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it 44 | #sasldb_path: /etc/qemu/passwd.db 45 | -------------------------------------------------------------------------------- /templates/sasl2/qemu-kvm.conf-el8.orig: -------------------------------------------------------------------------------- 1 | # If you want to use VNC remotely without TLS, then you *must* 2 | # pick a mechanism which provides session encryption as well 3 | # as authentication. 4 | # 5 | # If you are only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # If you are only using UNIX sockets then encryption is not 9 | # required at all. 
10 | # 11 | # NB, previously DIGEST-MD5 was set as the default mechanism for 12 | # QEMU VNC. Per RFC 6331 this is vulnerable to many serious security 13 | # flaws as should no longer be used. Thus GSSAPI is now the default. 14 | # 15 | # To use GSSAPI requires that a QEMU service principal is 16 | # added to the Kerberos server for each host running QEMU. 17 | # This principal needs to be exported to the keytab file listed below 18 | mech_list: gssapi 19 | 20 | # If using TLS with VNC, or a UNIX socket only, it is possible to 21 | # enable plugins which don't provide session encryption. The 22 | # 'scram-sha-1' plugin allows plain username/password authentication 23 | # to be performed 24 | # 25 | #mech_list: scram-sha-1 26 | 27 | # You can also list many mechanisms at once, and the VNC server will 28 | # negotiate which to use by considering the list enabled on the VNC 29 | # client. 30 | #mech_list: scram-sha-1 gssapi 31 | 32 | # Some older builds of MIT kerberos on Linux ignore this option & 33 | # instead need KRB5_KTNAME env var. 34 | # For modern Linux, and other OS, this should be sufficient 35 | # 36 | # This file needs to be populated with the service principal that 37 | # was created on the Kerberos v5 server. If switching to a non-gssapi 38 | # mechanism this can be commented out. 39 | keytab: /etc/qemu/krb5.tab 40 | 41 | # If using scram-sha-1 for username/passwds, then this is the file 42 | # containing the passwds. 
Use 'saslpasswd2 -a qemu [username]' 43 | # to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it 44 | #sasldb_path: /etc/qemu/passwd.db 45 | -------------------------------------------------------------------------------- /templates/sasl2/qemu-kvm.conf.erb: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* include 2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3 | # ones that can offer session encryption as well as authentication. 4 | # 5 | # If you're only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # Default to a simple username+password mechanism 9 | # NB digest-md5 is no longer considered secure by current standards (RFC 6331 obsoletes it); it is kept as the fallback below only to match the distro default. Set the sasl2_qemu_mech_list parameter (e.g. 'gssapi', or 'scram-sha-1' when VNC is only reachable over TLS or a UNIX socket) to avoid it on new deployments. 10 | <% if @sasl2_qemu_mech_list -%> 11 | mech_list: <%= @sasl2_qemu_mech_list %> 12 | <% else -%> 13 | mech_list: digest-md5 14 | <% end -%> 15 | 16 | # Before you can use GSSAPI, you need a service principal on the 17 | # KDC server for libvirt, and that to be exported to the keytab 18 | # file listed below 19 | #mech_list: gssapi 20 | # 21 | # You can also list many mechanisms at once, then the user can choose 22 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 23 | # qemu+tcp://hostname/system?auth=sasl.gssapi 24 | #mech_list: digest-md5 gssapi 25 | 26 | # Some older builds of MIT kerberos on Linux ignore this option & 27 | # instead need KRB5_KTNAME env var. 28 | # For modern Linux, and other OS, this should be sufficient 29 | <% if @sasl2_qemu_keytab -%> 30 | keytab: <%= @sasl2_qemu_keytab %> 31 | <% else -%> 32 | keytab: /etc/qemu/krb5.tab 33 | <% end -%> 34 | 35 | # If using digest-md5 for username/passwds, then this is the file 36 | # containing the passwds.
Use 'saslpasswd2 -a qemu [username]' 37 | # to add entries, and 'sasldblistusers2 -a qemu' to browse it 38 | sasldb_path: /etc/qemu/passwd.db 39 | 40 | <% if @sasl2_qemu_auxprop_plugin -%> 41 | auxprop_plugin: <%= @sasl2_qemu_auxprop_plugin %> 42 | <% else -%> 43 | auxprop_plugin: sasldb 44 | <% end -%> 45 | 46 | -------------------------------------------------------------------------------- /templates/sasl2/qemu-kvm.conf.orig: -------------------------------------------------------------------------------- 1 | # If you want to use the non-TLS socket, then you *must* include 2 | # the GSSAPI or DIGEST-MD5 mechanisms, because they are the only 3 | # ones that can offer session encryption as well as authentication. 4 | # 5 | # If you're only using TLS, then you can turn on any mechanisms 6 | # you like for authentication, because TLS provides the encryption 7 | # 8 | # Default to a simple username+password mechanism 9 | # NB digest-md5 is no longer considered secure by current standards 10 | mech_list: digest-md5 11 | 12 | # Before you can use GSSAPI, you need a service principle on the 13 | # KDC server for libvirt, and that to be exported to the keytab 14 | # file listed below 15 | #mech_list: gssapi 16 | # 17 | # You can also list many mechanisms at once, then the user can choose 18 | # by adding '?auth=sasl.gssapi' to their libvirt URI, eg 19 | # qemu+tcp://hostname/system?auth=sasl.gssapi 20 | #mech_list: digest-md5 gssapi 21 | 22 | # Some older builds of MIT kerberos on Linux ignore this option & 23 | # instead need KRB5_KTNAME env var. 24 | # For modern Linux, and other OS, this should be sufficient 25 | keytab: /etc/qemu/krb5.tab 26 | 27 | # If using digest-md5 for username/passwds, then this is the file 28 | # containing the passwds. 
Use 'saslpasswd2 -a qemu [username]' 29 | # to add entries, and 'sasldblistusers2 -a qemu' to browse it 30 | sasldb_path: /etc/qemu/passwd.db 31 | 32 | 33 | auxprop_plugin: sasldb 34 | 35 | -------------------------------------------------------------------------------- /templates/sysconfig/libvirtd.erb: -------------------------------------------------------------------------------- 1 | # Override the default config file 2 | # NOTE: This setting is no longer honoured if using 3 | # systemd. Set '--config /etc/libvirt/libvirtd.conf' 4 | # in LIBVIRTD_ARGS instead. 5 | #LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf 6 | <% if @sysconfig['LIBVIRTD_CONFIG'] -%> 7 | LIBVIRTD_CONFIG=<%= @sysconfig['LIBVIRTD_CONFIG'] %> 8 | <% end -%> 9 | 10 | # Listen for TCP/IP connections 11 | # NB. must setup TLS/SSL keys prior to using this: --listen exposes libvirtd on the network, and access is then governed only by the listen/auth settings in libvirtd.conf. Values from the sysconfig hash are written verbatim (no quoting or escaping), so keep them to trusted data and quote any value containing whitespace yourself, e.g. '"--listen --config /etc/libvirt/libvirtd.conf"', since this file may be sourced by a shell init script. 12 | #LIBVIRTD_ARGS="--listen" 13 | <% if @sysconfig['LIBVIRTD_ARGS'] -%> 14 | LIBVIRTD_ARGS=<%= @sysconfig['LIBVIRTD_ARGS'] %> 15 | <% end -%> 16 | 17 | # Override Kerberos service keytab for SASL/GSSAPI 18 | #KRB5_KTNAME=/etc/libvirt/krb5.tab 19 | <% if @sysconfig['KRB5_KTNAME'] -%> 20 | KRB5_KTNAME=<%= @sysconfig['KRB5_KTNAME'] %> 21 | <% end -%> 22 | 23 | # Override the QEMU/SDL default audio driver probing when 24 | # starting virtual machines using SDL graphics 25 | # 26 | # NB these have no effect for VMs using VNC, unless vnc_allow_host_audio 27 | # is enabled in /etc/libvirt/qemu.conf 28 | #QEMU_AUDIO_DRV=sdl 29 | <% if @sysconfig['QEMU_AUDIO_DRV'] -%> 30 | QEMU_AUDIO_DRV=<%= @sysconfig['QEMU_AUDIO_DRV'] %> 31 | <% end -%> 32 | # 33 | #SDL_AUDIODRIVER=pulse 34 | <% if @sysconfig['SDL_AUDIODRIVER'] -%> 35 | SDL_AUDIODRIVER=<%= @sysconfig['SDL_AUDIODRIVER'] %> 36 | <% end -%> 37 | 38 | # Override the maximum number of opened files. 39 | # This only works with traditional init scripts. 40 | # In the systemd world, the limit can only be changed by overriding 41 | # LimitNOFILE for libvirtd.service.
To do that, just create a *.conf 42 | # file in /etc/systemd/system/libvirtd.service.d/ (for example 43 | # /etc/systemd/system/libvirtd.service.d/openfiles.conf) and write 44 | # the following two lines in it: 45 | # [Service] 46 | # LimitNOFILE=2048 47 | # 48 | #LIBVIRTD_NOFILES_LIMIT=2048 49 | <% if @sysconfig['LIBVIRTD_NOFILES_LIMIT'] -%> 50 | LIBVIRTD_NOFILES_LIMIT=<%= @sysconfig['LIBVIRTD_NOFILES_LIMIT'] %> 51 | <% end -%> 52 | -------------------------------------------------------------------------------- /templates/sysconfig/libvirtd.orig: -------------------------------------------------------------------------------- 1 | # Override the default config file 2 | # NOTE: This setting is no longer honoured if using 3 | # systemd. Set '--config /etc/libvirt/libvirtd.conf' 4 | # in LIBVIRTD_ARGS instead. 5 | #LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf 6 | 7 | # Listen for TCP/IP connections 8 | # NB. must setup TLS/SSL keys prior to using this 9 | #LIBVIRTD_ARGS="--listen" 10 | 11 | # Override Kerberos service keytab for SASL/GSSAPI 12 | #KRB5_KTNAME=/etc/libvirt/krb5.tab 13 | 14 | # Override the QEMU/SDL default audio driver probing when 15 | # starting virtual machines using SDL graphics 16 | # 17 | # NB these have no effect for VMs using VNC, unless vnc_allow_host_audio 18 | # is enabled in /etc/libvirt/qemu.conf 19 | #QEMU_AUDIO_DRV=sdl 20 | # 21 | #SDL_AUDIODRIVER=pulse 22 | 23 | # Override the maximum number of opened files. 24 | # This only works with traditional init scripts. 25 | # In the systemd world, the limit can only be changed by overriding 26 | # LimitNOFILE for libvirtd.service. 
To do that, just create a *.conf 27 | # file in /etc/systemd/system/libvirtd.service.d/ (for example 28 | # /etc/systemd/system/libvirtd.service.d/openfiles.conf) and write 29 | # the following two lines in it: 30 | # [Service] 31 | # LimitNOFILE=2048 32 | # 33 | #LIBVIRTD_NOFILES_LIMIT=2048 34 | -------------------------------------------------------------------------------- /tests/init.pp: -------------------------------------------------------------------------------- 1 | class { 'libvirt': mdns_adv => '0' } 2 | --------------------------------------------------------------------------------