1
# Master configuration file for the QEMU driver.
2
# All settings described here are optional - if omitted, sensible
5
# VNC is configured to listen on 127.0.0.1 by default.
6
# To make it listen on all public interfaces, uncomment
9
# NB, strong recommendation to enable TLS + x509 certificate
10
# verification when allowing public access
12
# vnc_listen = "0.0.0.0"
15
# Enable use of TLS encryption on the VNC server. This requires
16
# a VNC client which supports the VeNCrypt protocol extension.
17
# Examples include vinagre, virt-viewer, virt-manager and vencrypt
18
# itself. UltraVNC, RealVNC, TightVNC do not support this
20
# It is necessary to setup CA and issue a server certificate
21
# before enabling this.
26
# Use of TLS requires that x509 certificates be issued. The
27
# default it to keep them in /etc/pki/libvirt-vnc. This directory
30
# ca-cert.pem - the CA master certificate
31
# server-cert.pem - the server certificate signed with ca-cert.pem
32
# server-key.pem - the server private key
34
# This option allows the certificate directory to be changed
36
# vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
39
# The default TLS configuration only uses certificates for the server
40
# allowing the client to verify the server's identity and establish
41
# and encrypted channel.
43
# It is possible to use x509 certificates for authentication too, by
44
# issuing a x509 certificate to every client who needs to connect.
46
# Enabling this option will reject any client who does not have a
47
# certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem
49
# vnc_tls_x509_verify = 1
52
# The default VNC password. Only 8 letters are significant for
53
# VNC passwords. This parameter is only used if the per-domain
54
# XML config does not already provide a password. To allow
55
# access without passwords, leave this commented out. An empty
56
# string will still enable passwords, but be rejected by QEMU
57
# effectively preventing any use of VNC. Obviously change this
58
# example here before you set this
60
# vnc_password = "XYZ12345"
63
# Enable use of SASL encryption on the VNC server. This requires
64
# a VNC client which supports the SASL protocol extension.
65
# Examples include vinagre, virt-viewer and virt-manager
66
# itself. UltraVNC, RealVNC, TightVNC do not support this
68
# It is necessary to configure /etc/sasl2/qemu.conf to choose
69
# the desired SASL plugin (eg, GSSPI for Kerberos)
74
# The default SASL configuration file is located in /etc/sasl2/
75
# When running libvirtd unprivileged, it may be desirable to
76
# override the configs in this location. Set this parameter to
77
# point to the directory, and create a qemu.conf in that location
79
# vnc_sasl_dir = "/some/directory/sasl2"
84
# The default security driver is SELinux. If SELinux is disabled
85
# on the host, then the security driver will automatically disable
86
# itself. If you wish to disable QEMU SELinux security driver while
87
# leaving SELinux enabled for the host in general, then set this
90
# security_driver = "selinux"
93
# The user ID for QEMU processes run by the system instance
96
# The group ID for QEMU processes run by the system instance
99
# Whether libvirt should dynamically change file ownership
100
# to match the configured user/group above. Defaults to 1.
101
# Set to 0 to disable file ownership changes.
102
#dynamic_ownership = 1
105
# What cgroup controllers to make use of with QEMU guests
107
# - 'cpu' - use for schedular tunables
108
# - 'devices' - use for device whitelisting
110
# NB, even if configured here, they won't be used unless
111
# the adminsitrator has mounted cgroups. eg
114
# mount -t cgroup -o devices,cpu none /dev/cgroup
116
# They can be mounted anywhere, and different controlers
117
# can be mounted in different locations. libvirt will detect
118
# where they are located.
120
# cgroup_controllers = [ "cpu", "devices" ]
122
# This is the basic set of devices allowed / required by
123
# all virtual machines.
125
# As well as this, any configured block backed disks,
126
# all sound device, and all PTY devices are allowed.
128
# This will only need setting if newer QEMU suddenly
129
# wants some device we don't already know a bout.
131
#cgroup_device_acl = [
132
# "/dev/null", "/dev/full", "/dev/zero",
133
# "/dev/random", "/dev/urandom",
134
# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
135
# "/dev/rtc", "/dev/hpet", "/dev/net/tun",
138
# The default format for Qemu/KVM guest save images is raw; that is, the
139
# memory from the domain is dumped out directly to a file. If you have
140
# guests with a large amount of memory, however, this can take up quite
141
# a bit of space. If you would like to compress the images while they
142
# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
143
# for save_image_format. Note that this means you slow down the process of
144
# saving a domain in order to save disk space; the list above is in descending
145
# order by performance and ascending order by compression ratio.
147
# save_image_format = "raw"
149
# If provided by the host and a hugetlbfs mount point is configured,
150
# a guest may request huge page backing. When this mount point is
151
# unspecified here, determination of a host mount point in /proc/mounts
152
# will be attempted. Specifying an explicit mount overrides detection
153
# of the same in /proc/mounts. Setting the mount point to "" will
154
# disable guest hugepage backing.
156
# NB, within this mount point, guests will create memory backing files
157
# in a location of $MOUNTPOINT/libvirt/qemu
159
# hugetlbfs_mount = "/dev/hugepages"
161
# mac_filter enables MAC addressed based filtering on bridge ports.
162
# This currently requires ebtables to be installed.
166
# By default, PCI devices below non-ACS switch are not allowed to be assigned
167
# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
168
# be assigned to guests.
170
# relaxed_acs_check = 1