4
# Xend configuration file.
7
# This example configuration is appropriate for an installation that
8
# utilizes a bridged network configuration. Access to xend via http
11
# Commented out entries show the default for that entry, unless otherwise
14
#(logfile /var/log/xen/xend.log)
17
# Uncomment the line below. Set the value to flask, acm, or dummy to
18
# select a security module.
20
#(xsm_module_name dummy)
22
# The Xen-API server configuration.
24
# This value configures the ports, interfaces, and access controls for the
25
# Xen-API server. Each entry in the list starts with either unix, a port
26
# number, or an address:port pair. If this is "unix", then a UDP socket is
27
# opened, and this entry applies to that. If it is a port, then Xend will
28
# listen on all interfaces on that TCP port, and if it is an address:port
29
# pair, then Xend will listen on the specified port, using the interface with
30
# the specified address.
32
# The subsequent string configures the user-based access control for the
33
# listener in question. This can be one of "none" or "pam", indicating either
34
# that users should be allowed access unconditionally, or that the local
35
# Pluggable Authentication Modules configuration should be used. If this
36
# string is missing or empty, then "pam" is used.
38
# The final string gives the host-based access control for that listener. If
39
# this is missing or empty, then all connections are accepted. Otherwise,
40
# this should be a space-separated sequence of regular expressions; any host
41
# with a fully-qualified domain name or an IP address that matches one of
42
# these regular expressions will be accepted.
44
# Example: listen on TCP port 9363 on all interfaces, accepting connections
45
# only from machines in example.com or localhost, and allow access through
46
# the unix domain socket unconditionally:
48
# (xen-api-server ((9363 pam '^localhost$ example\\.com$')
51
# Optionally, the TCP Xen-API server can use SSL by specifying the private
52
# key and certificate location:
54
# (9367 pam '' xen-api.key xen-api.crt)
57
# (xen-api-server ((unix)))
60
#(xend-http-server no)
61
#(xend-unix-server no)
62
#(xend-tcp-xmlrpc-server no)
63
#(xend-unix-xmlrpc-server yes)
64
#(xend-relocation-server no)
65
(xend-relocation-server yes)
66
#(xend-relocation-ssl-server no)
67
#(xend-udev-event-server no)
69
#(xend-unix-path /var/lib/xend/xend-socket)
72
# Address and port xend should use for the legacy TCP XMLRPC interface,
73
# if xend-tcp-xmlrpc-server is set.
74
#(xend-tcp-xmlrpc-server-address 'localhost')
75
#(xend-tcp-xmlrpc-server-port 8006)
77
# SSL key and certificate to use for the legacy TCP XMLRPC interface.
78
# Setting these will mean that this port serves only SSL connections as
79
# opposed to plaintext ones.
80
#(xend-tcp-xmlrpc-server-ssl-key-file xmlrpc.key)
81
#(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt)
84
# Port xend should use for the HTTP interface, if xend-http-server is set.
87
# Port xend should use for the relocation interface, if xend-relocation-server
89
#(xend-relocation-port 8002)
91
# Port xend should use for the ssl relocation interface, if
92
# xend-relocation-ssl-server is set.
93
#(xend-relocation-ssl-port 8003)
95
# SSL key and certificate to use for the ssl relocation interface, if
96
# xend-relocation-ssl-server is set.
97
#(xend-relocation-server-ssl-key-file xmlrpc.key)
98
#(xend-relocation-server-ssl-cert-file xmlrpc.crt)
100
# Whether to use ssl as default when relocating.
101
#(xend-relocation-ssl no)
103
# Address xend should listen on for HTTP connections, if xend-http-server is
105
# Specifying 'localhost' prevents remote connections.
106
# Specifying the empty string '' (the default) allows all connections.
108
#(xend-address localhost)
110
# Address xend should listen on for relocation-socket connections, if
111
# xend-relocation-server is set.
112
# Meaning and default as for xend-address above.
113
#(xend-relocation-address '')
115
# The hosts allowed to talk to the relocation port. If this is empty (the
116
# default), then all connections are allowed (assuming that the connection
117
# arrives on a port and interface on which we are listening; see
118
# xend-relocation-port and xend-relocation-address above). Otherwise, this
119
# should be a space-separated sequence of regular expressions. Any host with
120
# a fully-qualified domain name or an IP address that matches one of these
121
# regular expressions will be accepted.
124
# (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')
126
#(xend-relocation-hosts-allow '')
127
(xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
129
# The limit (in kilobytes) on the size of the console buffer
130
#(console-limit 1024)
133
# To bridge network traffic, like this:
135
# dom0: ----------------- bridge -> real eth0 -> the network
137
# domU: fake eth0 -> vifN.0 -+
141
# (network-script network-bridge)
143
# Your default ethernet device is used as the outgoing interface, by default.
144
# To use a different one (e.g. eth1) use
146
# (network-script 'network-bridge netdev=eth1')
148
# The bridge is named xenbr0, by default. To rename the bridge, use
150
# (network-script 'network-bridge bridge=<name>')
152
# It is possible to use the network-bridge script in more complicated
153
# scenarios, such as having two outgoing interfaces, with two bridges, and
154
# two fake interfaces per guest domain. To do things like this, write
155
# yourself a wrapper script, and call network-bridge from it, as appropriate.
157
(network-script network-bridge)
159
# The script used to control virtual interfaces. This can be overridden on a
160
# per-vif basis when creating a domain or a configuring a new vif. The
161
# vif-bridge script is designed for use with the network-bridge script, or
162
# similar configurations.
164
# If you have overridden the bridge name using
165
# (network-script 'network-bridge bridge=<name>') then you may wish to do the
166
# same here. The bridge name can also be set when creating a domain or
167
# configuring a new vif, but a value specified here would act as a default.
169
# If you are using only one bridge, the vif-bridge script will discover that,
170
# so there is no need to specify it explicitly.
172
(vif-script vif-bridge)
175
## Use the following if network traffic is routed, as an alternative to the
176
# settings for bridged networking given above.
177
#(network-script network-route)
178
#(vif-script vif-route)
181
## Use the following if network traffic is routed with NAT, as an alternative
182
# to the settings for bridged networking given above.
183
#(network-script network-nat)
184
#(vif-script vif-nat)
186
# dom0-min-mem is the lowest permissible memory level (in MB) for dom0.
187
# This is a minimum both for auto-ballooning (as enabled by
188
# enable-dom0-ballooning below) and for xm mem-set when applied to dom0.
191
# Whether to enable auto-ballooning of dom0 to allow domUs to be created.
192
# If enable-dom0-ballooning = no, dom0 will never balloon out.
193
(enable-dom0-ballooning yes)
195
# 32-bit paravirtual domains can only consume physical
196
# memory below 168GB. On systems with memory beyond that address,
197
# they'll be confined to memory below 128GB.
198
# Using total_available_memory (in GB) to specify the amount of memory reserved
199
# in the memory pool exclusively for 32-bit paravirtual domains.
200
# Additionally you should use dom0_mem = <-Value> as a parameter in
201
# xen kernel to reserve the memory for 32-bit paravirtual domains, default
203
(total_available_memory 0)
205
# In SMP system, dom0 will use dom0-cpus # of CPUS
206
# If dom0-cpus = 0, dom0 will take all cpus available
209
# Whether to enable core-dumps when domains crash.
212
# The tool used for initiating virtual TPM migration
213
#(external-migration-tool '')
215
# The interface for VNC servers to listen on. Defaults
216
# to 127.0.0.1 To restore old 'listen everywhere' behaviour
217
# set this to 0.0.0.0
218
#(vnc-listen '127.0.0.1')
220
# The default password for VNC console on HVM domain.
221
# Empty string is no authentication.
224
# The VNC server can be told to negotiate a TLS session
225
# to encryption all traffic, and provide x509 cert to
226
# clients enabling them to verify server identity. The
227
# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
228
# all support the VNC extension for TLS used in QEMU. The
229
# TightVNC/RealVNC/UltraVNC clients do not.
231
# To enable this create x509 certificates / keys in the
232
# directory ${XEN_CONFIG_DIR} + vnc
234
# ca-cert.pem - The CA certificate
235
# server-cert.pem - The Server certificate signed by the CA
236
# server-key.pem - The server private key
238
# and then uncomment this next line
241
# The certificate dir can be pointed elsewhere..
243
# (vnc-x509-cert-dir vnc)
245
# The server can be told to request & validate an x509
246
# certificate from the client. Only clients with a cert
247
# signed by the trusted CA will be able to connect. This
248
# is more secure the password auth alone. Passwd auth can
249
# used at the same time if desired. To enable client cert
250
# checking uncomment this:
252
# (vnc-x509-verify 1)
254
# The default keymap to use for the VM's virtual keyboard
255
# when not specififed in VM's configuration
258
# Script to run when the label of a resource has changed.
259
#(resource-label-change-script '')
261
# Rotation count of qemu-dm log file.
262
#(qemu-dm-logrotate-count 10)
264
# Path where persistent domain configuration is stored.
265
# Default is /var/lib/xend/domains/
266
#(xend-domains-path /var/lib/xend/domains)
268
# Number of seconds xend will wait for device creation and
270
#(device-create-timeout 100)
271
#(device-destroy-timeout 100)
273
# When assigning device to HVM guest, we use the strict check for HVM guest by
274
# default. (For PV guest, we use loose check automatically if necessary.)
275
# When we assign device to HVM guest, if we meet with the co-assignment
276
# issues or the ACS issue, we could try changing the option to 'no' -- however,
277
# we have to realize this may incur security issue and we can't make sure the
278
# device assignment could really work properly even after we do this.
279
#(pci-passthrough-strict-check yes)