1 # Master libvirt daemon configuration file
2 #
3
4 #################################################################
5 #
6 # Network connectivity controls
7 #
8
9 # Flag listening for secure TLS connections on the public TCP/IP port.
10 # NB, must pass the --listen flag to the libvirtd process for this to
11 # have any effect.
12 #
13 # This setting is not required or honoured if using systemd socket
14 # activation.
15 #
16 # It is necessary to setup a CA and issue server certificates before
17 # using this capability.
18 #
19 # This is enabled by default, uncomment this to disable it
20 #listen_tls = 0
21
22 # Listen for unencrypted TCP connections on the public TCP/IP port.
23 # NB, must pass the --listen flag to the libvirtd process for this to
24 # have any effect.
25 #
26 # This setting is not required or honoured if using systemd socket
27 # activation.
28 #
29 # Using the TCP socket requires SASL authentication by default. Only
30 # SASL mechanisms which support data encryption are allowed. This is
31 # DIGEST_MD5 and GSSAPI (Kerberos5)
32 #
33 # This is disabled by default, uncomment this to enable it.
34 #listen_tcp = 1
35
36
37
38 # Override the port for accepting secure TLS connections
39 # This can be a port number, or service name
40 #
41 # This setting is not required or honoured if using systemd socket
42 # activation.
43 #
44 #tls_port = "16514"
45
46 # Override the port for accepting insecure TCP connections
47 # This can be a port number, or service name
48 #
49 # This setting is not required or honoured if using systemd socket
50 # activation.
51 #
52 #tcp_port = "16509"
53
54
55 # Override the default configuration which binds to all network
56 # interfaces. This can be a numeric IPv4/6 address, or hostname
57 #
58 # This setting is not required or honoured if using systemd socket
59 # activation.
60 #
61 # If the libvirtd service is started in parallel with network
62 # startup (e.g. with systemd), binding to addresses other than
63 # the wildcards (0.0.0.0/::) might not be available yet.
64 #
65 #listen_addr = "192.168.0.1"
66
67
68 #################################################################
69 #
70 # UNIX socket access controls
71 #
72
73 # Set the UNIX domain socket group ownership. This can be used to
74 # allow a 'trusted' set of users access to management capabilities
75 # without becoming root.
76 #
77 # This setting is not required or honoured if using systemd socket
78 # activation.
79 #
80 # This is restricted to 'root' by default.
81 unix_sock_group = "libvirt"
82
83 # Set the UNIX socket permissions for the R/O socket. This is used
84 # for monitoring VM status only
85 #
86 # This setting is not required or honoured if using systemd socket
87 # activation.
88 #
89 # Default allows any user. If setting group ownership, you may want to
90 # restrict this too.
91 unix_sock_ro_perms = "0777"
92
93 # Set the UNIX socket permissions for the R/W socket. This is used
94 # for full management of VMs
95 #
96 # This setting is not required or honoured if using systemd socket
97 # activation.
98 #
99 # Default allows only root. If PolicyKit is enabled on the socket,
100 # the default will change to allow everyone (eg, 0777)
101 #
102 # If not using PolicyKit and setting group ownership for access
103 # control, then you may want to relax this too.
104 unix_sock_rw_perms = "0770"
105
106 # Set the UNIX socket permissions for the admin interface socket.
107 #
108 # This setting is not required or honoured if using systemd socket
109 # activation.
110 #
111 # Default allows only owner (root), do not change it unless you are
112 # sure to whom you are exposing the access to.
113 unix_sock_admin_perms = "0700"
114
115 # Set the name of the directory in which sockets will be found/created.
116 #
117 # This setting is not required or honoured if using systemd socket
118 # activation.
119 #
120 unix_sock_dir = "/var/run/libvirt"
121
122
123
124 #################################################################
125 #
126 # Authentication.
127 #
128 # There are the following choices available:
129 #
130 # - none: do not perform auth checks. If you can connect to the
131 # socket you are allowed. This is suitable if there are
132 # restrictions on connecting to the socket (eg, UNIX
133 # socket permissions), or if there is a lower layer in
134 # the network providing auth (eg, TLS/x509 certificates)
135 #
136 # - sasl: use SASL infrastructure. The actual auth scheme is then
137 # controlled from /etc/sasl2/libvirt.conf. For the TCP
138 # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
139 # For non-TCP or TLS sockets, any scheme is allowed.
140 #
141 # - polkit: use PolicyKit to authenticate. This is only suitable
142 # for use on the UNIX sockets. The default policy will
143 # require a user to supply their own password to gain
144 # full read/write access (aka sudo like), while anyone
145 # is allowed read/only access.
146 #
147
148 # Set an authentication scheme for UNIX read-only sockets
149 #
150 # By default socket permissions allow anyone to connect
151 #
152 # If libvirt was compiled without support for 'polkit', then
153 # no access control checks are done, but libvirt still only
154 # allows execution of APIs which don't change state.
155 #
156 # If libvirt was compiled with support for 'polkit', then
157 # the libvirt socket will perform a check with polkit after
158 # connections. The default policy still allows any local
159 # user access.
160 #
161 # To restrict monitoring of domains you may wish to either
162 # enable 'sasl' here, or change the polkit policy definition.
163 #auth_unix_ro = "none"
164
165 # Set an authentication scheme for UNIX read-write sockets.
166 #
167 # If libvirt was compiled without support for 'polkit', then
168 # the systemd .socket files will use SocketMode=0600 by default
169 # thus only allowing root user to connect, and 'auth_unix_rw'
170 # will default to 'none'.
171 #
172 # If libvirt was compiled with support for 'polkit', then
173 # the systemd .socket files will use SocketMode=0666 which
174 # allows any user to connect and 'auth_unix_rw' will default
175 # to 'polkit'. If you disable use of 'polkit' here, then it
176 # is essential to change the systemd SocketMode parameter
177 # back to 0600, to avoid an insecure configuration.
178 #
179 #auth_unix_rw = "none"
180
181 # Change the authentication scheme for TCP sockets.
182 #
183 # If you don't enable SASL, then all TCP traffic is cleartext.
184 # Don't do this outside of a dev/test scenario. For real world
185 # use, always enable SASL and use the GSSAPI or DIGEST-MD5
186 # mechanism in /etc/sasl2/libvirt.conf
187 #auth_tcp = "sasl"
188
189 # Change the authentication scheme for TLS sockets.
190 #
191 # TLS sockets already have encryption provided by the TLS
192 # layer, and limited authentication is done by certificates
193 #
194 # It is possible to make use of any SASL authentication
195 # mechanism as well, by using 'sasl' for this option
196 #auth_tls = "none"
197
198 # Enforce a minimum SSF value for TCP sockets
199 #
200 # The default minimum is currently 56 (single-DES) which will
201 # be raised to 112 in the future.
202 #
203 # This option can be used to set values higher than 112
204 #tcp_min_ssf = 112
205
206
207 # Change the API access control scheme
208 #
209 # By default an authenticated user is allowed access
210 # to all APIs. Access drivers can place restrictions
211 # on this. By default the 'nop' driver is enabled,
212 # meaning no access control checks are done once a
213 # client has authenticated with libvirtd
214 #
215 #access_drivers = [ "polkit" ]
216
217 #################################################################
218 #
219 # TLS x509 certificate configuration
220 #
221
222 # Use of TLS requires that x509 certificates be issued. The default locations
223 # for the certificate files is as follows:
224 #
225 # /etc/pki/CA/cacert.pem - The CA master certificate
226 # /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem
227 # /etc/pki/libvirt/private/serverkey.pem - The server private key
228 #
229 # It is possible to override the default locations by altering the 'key_file',
230 # 'cert_file', and 'ca_file' values and uncommenting them below.
231 #
232 # NB, overriding the default of one location requires uncommenting and
233 # possibly additionally overriding the other settings.
234 #
235
236 # Override the default server key file path
237 #
238 #key_file = "/etc/pki/libvirt/private/serverkey.pem"
239
240 # Override the default server certificate file path
241 #
242 #cert_file = "/etc/pki/libvirt/servercert.pem"
243
244 # Override the default CA certificate path
245 #
246 #ca_file = "/etc/pki/CA/cacert.pem"
247
248 # Specify a certificate revocation list.
249 #
250 # Defaults to not using a CRL, uncomment to enable it
251 #crl_file = "/etc/pki/CA/crl.pem"
252
253
254
255 #################################################################
256 #
257 # Authorization controls
258 #
259
260
261 # Flag to disable verification of our own server certificates
262 #
263 # When libvirtd starts it performs some sanity checks against
264 # its own certificates.
265 #
266 # Default is to always run sanity checks. Uncommenting this
267 # will disable sanity checks which is not a good idea
268 #tls_no_sanity_certificate = 1
269
270 # Flag to disable verification of client certificates
271 #
272 # Client certificate verification is the primary authentication mechanism.
273 # Any client which does not present a certificate signed by the CA
274 # will be rejected.
275 #
276 # Default is to always verify. Uncommenting this will disable
277 # verification.
278 #tls_no_verify_certificate = 1
279
280
281 # An access control list of allowed x509 Distinguished Names
282 # This list may contain wildcards such as
283 #
284 # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
285 #
286 # Any * matches any number of consecutive spaces, like a simplified glob(7).
287 #
288 # The format of the DN for a particular certificate can be queried
289 # using:
290 #
291 # virt-pki-query-dn clientcert.pem
292 #
293 # NB If this is an empty list, no client can connect, so comment out
294 # entirely rather than using empty list to disable these checks
295 #
296 # By default, no DN's are checked
297 #tls_allowed_dn_list = ["DN1", "DN2"]
298
299
300 # Override the compile time default TLS priority string. The
301 # default is usually "NORMAL" unless overridden at build time.
302 # Only set this is it is desired for libvirt to deviate from
303 # the global default settings.
304 #
305 #tls_priority="NORMAL"
306
307
308 # An access control list of allowed SASL usernames. The format for username
309 # depends on the SASL authentication mechanism. Kerberos usernames
310 # look like username@REALM
311 #
312 # This list may contain wildcards such as
313 #
314 # "*@EXAMPLE.COM"
315 #
316 # See the g_pattern_match function for the format of the wildcards.
317 #
318 # https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
319 #
320 # NB If this is an empty list, no client can connect, so comment out
321 # entirely rather than using empty list to disable these checks
322 #
323 # By default, no Username's are checked
324 #sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
325
326
327 #################################################################
328 #
329 # Processing controls
330 #
331
332 # The maximum number of concurrent client connections to allow
333 # over all sockets combined.
334 #max_clients = 5000
335
336 # The maximum length of queue of connections waiting to be
337 # accepted by the daemon. Note, that some protocols supporting
338 # retransmission may obey this so that a later reattempt at
339 # connection succeeds.
340 #max_queued_clients = 1000
341
342 # The maximum length of queue of accepted but not yet
343 # authenticated clients. The default value is 20. Set this to
344 # zero to turn this feature off.
345 #max_anonymous_clients = 20
346
347 # The minimum limit sets the number of workers to start up
348 # initially. If the number of active clients exceeds this,
349 # then more threads are spawned, up to max_workers limit.
350 # Typically you'd want max_workers to equal maximum number
351 # of clients allowed
352 #min_workers = 5
353 #max_workers = 20
354
355
356 # The number of priority workers. If all workers from above
357 # pool are stuck, some calls marked as high priority
358 # (notably domainDestroy) can be executed in this pool.
359 #prio_workers = 5
360
361 # Limit on concurrent requests from a single client
362 # connection. To avoid one client monopolizing the server
363 # this should be a small fraction of the global max_workers
364 # parameter.
365 #max_client_requests = 5
366
367 # Same processing controls, but this time for the admin interface.
368 # For description of each option, be so kind to scroll few lines
369 # upwards.
370
371 #admin_min_workers = 1
372 #admin_max_workers = 5
373 #admin_max_clients = 5
374 #admin_max_queued_clients = 5
375 #admin_max_client_requests = 5
376
377 #################################################################
378 #
379 # Logging controls
380 #
381
382 # Logging level: 4 errors, 3 warnings, 2 information, 1 debug
383 # basically 1 will log everything possible
384 #
385 # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
386 #
387 # WARNING: It outputs too much information to practically read.
388 # WARNING: The "log_filters" setting is recommended instead.
389 #
390 # WARNING: Journald applies rate limiting of messages and so libvirt
391 # WARNING: will limit "log_level" to only allow values 3 or 4 if
392 # WARNING: journald is the current output.
393 #
394 # WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
395 #log_level = 3
396
397 # Logging filters:
398 # A filter allows to select a different logging level for a given category
399 # of logs. The format for a filter is:
400 #
401 # level:match
402 #
403 # where 'match' is a string which is matched against the category
404 # given in the VIR_LOG_INIT() at the top of each libvirt source
405 # file, e.g., "remote", "qemu", or "util.json". The 'match' in the
406 # filter matches using shell wildcard syntax (see 'man glob(7)').
407 # The 'match' is always treated as a substring match. IOW a match
408 # string 'foo' is equivalent to '*foo*'.
409 #
410 # 'level' is the minimal level where matching messages should
411 # be logged:
412 #
413 # 1: DEBUG
414 # 2: INFO
415 # 3: WARNING
416 # 4: ERROR
417 #
418 # Multiple filters can be defined in a single @log_filters, they just need
419 # to be separated by spaces. Note that libvirt performs "first" match, i.e.
420 # if there are concurrent filters, the first one that matches will be applied,
421 # given the order in @log_filters.
422 #
423 # A typical need is to capture information from a hypervisor driver,
424 # public API entrypoints and some of the utility code. Some utility
425 # code is very verbose and is generally not desired. Taking the QEMU
426 # hypervisor as an example, a suitable filter string for debugging
427 # might be to turn off object, json & event logging, but enable the
428 # rest of the util code:
429 #
430 #log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
431
432 # Logging outputs:
433 # An output is one of the places to save logging information
434 # The format for an output can be:
435 # level:stderr
436 # output goes to stderr
437 # level:syslog:name
438 # use syslog for the output and use the given name as the ident
439 # level:file:file_path
440 # output to a file, with the given filepath
441 # level:journald
442 # output to journald logging system
443 # In all cases 'level' is the minimal priority, acting as a filter
444 # 1: DEBUG
445 # 2: INFO
446 # 3: WARNING
447 # 4: ERROR
448 #
449 # Multiple outputs can be defined, they just need to be separated by spaces.
450 # e.g. to log all warnings and errors to syslog under the libvirtd ident:
451 #log_outputs="3:syslog:libvirtd"
452
453
454 ##################################################################
455 #
456 # Auditing
457 #
458 # This setting allows usage of the auditing subsystem to be altered:
459 #
460 # audit_level == 0 -> disable all auditing
461 # audit_level == 1 -> enable auditing, only if enabled on host (default)
462 # audit_level == 2 -> enable auditing, and exit if disabled on host
463 #
464 #audit_level = 2
465 #
466 # If set to 1, then audit messages will also be sent
467 # via libvirt logging infrastructure. Defaults to 0
468 #
469 #audit_logging = 1
470
471 ###################################################################
472 # UUID of the host:
473 # Host UUID is read from one of the sources specified in host_uuid_source.
474 #
475 # - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
476 # - 'machine-id': fetch the UUID from /etc/machine-id
477 #
478 # The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
479 # a valid UUID a temporary UUID will be generated.
480 #
481 # Another option is to specify host UUID in host_uuid.
482 #
483 # Keep the format of the example UUID below. UUID must not have all digits
484 # be the same.
485
486 # NB This default all-zeros UUID will not work. Replace
487 # it with the output of the 'uuidgen' command and then
488 # uncomment this entry
489 #host_uuid = "00000000-0000-0000-0000-000000000000"
490 #host_uuid_source = "smbios"
491
492 ###################################################################
493 # Keepalive protocol:
494 # This allows libvirtd to detect broken client connections or even
495 # dead clients. A keepalive message is sent to a client after
496 # keepalive_interval seconds of inactivity to check if the client is
497 # still responding; keepalive_count is a maximum number of keepalive
498 # messages that are allowed to be sent to the client without getting
499 # any response before the connection is considered broken. In other
500 # words, the connection is automatically closed approximately after
501 # keepalive_interval * (keepalive_count + 1) seconds since the last
502 # message received from the client. If keepalive_interval is set to
503 # -1, libvirtd will never send keepalive requests; however clients
504 # can still send them and the daemon will send responses. When
505 # keepalive_count is set to 0, connections will be automatically
506 # closed after keepalive_interval seconds of inactivity without
507 # sending any keepalive messages.
508 #
509 #keepalive_interval = 5
510 #keepalive_count = 5
511
512 #
513 # These configuration options are no longer used. There is no way to
514 # restrict such clients from connecting since they first need to
515 # connect in order to ask for keepalive.
516 #
517 #keepalive_required = 1
518 #admin_keepalive_required = 1
519
520 # Keepalive settings for the admin interface
521 #admin_keepalive_interval = 5
522 #admin_keepalive_count = 5
523
524 ###################################################################
525 # Open vSwitch:
526 # This allows to specify a timeout for openvswitch calls made by
527 # libvirt. The ovs-vsctl utility is used for the configuration and
528 # its timeout option is set by default to 5 seconds to avoid
529 # potential infinite waits blocking libvirt.
530 #
531 #ovs_timeout = 5
|