Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 861787 Details for
Bug 1036883
VM fails to start when qemu.conf's spice_tls conflicts with vdsm.conf's ssl
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
/etc/libvirt/qemu.conf
qemu.conf (text/plain), 14.47 KB, created by
Xavier
on 2014-02-11 13:38:28 UTC
(
hide
)
Description:
/etc/libvirt/qemu.conf
Filename:
MIME Type:
Creator:
Xavier
Created:
2014-02-11 13:38:28 UTC
Size:
14.47 KB
patch
obsolete
># Master configuration file for the QEMU driver. ># All settings described here are optional - if omitted, sensible ># defaults are used. > ># VNC is configured to listen on 127.0.0.1 by default. ># To make it listen on all public interfaces, uncomment ># this next option. ># ># NB, strong recommendation to enable TLS + x509 certificate ># verification when allowing public access ># >#vnc_listen = "0.0.0.0" > ># Enable this option to have VNC served over an automatically created ># unix socket. This prevents unprivileged access from users on the ># host machine, though most VNC clients do not support it. ># ># This will only be enabled for VNC configurations that do not have ># a hardcoded 'listen' or 'socket' value. This setting takes preference ># over vnc_listen. ># >#vnc_auto_unix_socket = 1 > ># Enable use of TLS encryption on the VNC server. This requires ># a VNC client which supports the VeNCrypt protocol extension. ># Examples include vinagre, virt-viewer, virt-manager and vencrypt ># itself. UltraVNC, RealVNC, TightVNC do not support this ># ># It is necessary to setup CA and issue a server certificate ># before enabling this. ># >#vnc_tls = 1 > > ># Use of TLS requires that x509 certificates be issued. The ># default it to keep them in /etc/pki/libvirt-vnc. This directory ># must contain ># ># ca-cert.pem - the CA master certificate ># server-cert.pem - the server certificate signed with ca-cert.pem ># server-key.pem - the server private key ># ># This option allows the certificate directory to be changed ># >#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc" > > ># The default TLS configuration only uses certificates for the server ># allowing the client to verify the server's identity and establish ># an encrypted channel. ># ># It is possible to use x509 certificates for authentication too, by ># issuing a x509 certificate to every client who needs to connect. ># ># Enabling this option will reject any client who does not have a ># certificate signed by the CA in /etc/pki/libvirt-vnc/ca-cert.pem ># >#vnc_tls_x509_verify = 1 > > ># The default VNC password. Only 8 letters are significant for ># VNC passwords. This parameter is only used if the per-domain ># XML config does not already provide a password. To allow ># access without passwords, leave this commented out. An empty ># string will still enable passwords, but be rejected by QEMU, ># effectively preventing any use of VNC. Obviously change this ># example here before you set this. ># >#vnc_password = "XYZ12345" > > ># Enable use of SASL encryption on the VNC server. This requires ># a VNC client which supports the SASL protocol extension. ># Examples include vinagre, virt-viewer and virt-manager ># itself. UltraVNC, RealVNC, TightVNC do not support this ># ># It is necessary to configure /etc/sasl2/qemu.conf to choose ># the desired SASL plugin (eg, GSSPI for Kerberos) ># >#vnc_sasl = 1 > > ># The default SASL configuration file is located in /etc/sasl2/ ># When running libvirtd unprivileged, it may be desirable to ># override the configs in this location. Set this parameter to ># point to the directory, and create a qemu.conf in that location ># >#vnc_sasl_dir = "/some/directory/sasl2" > > ># QEMU implements an extension for providing audio over a VNC connection, ># though if your VNC client does not support it, your only chance for getting ># sound output is through regular audio backends. By default, libvirt will ># disable all QEMU sound backends if using VNC, since they can cause ># permissions issues. Enabling this option will make libvirtd honor the ># QEMU_AUDIO_DRV environment variable when using VNC. ># >#vnc_allow_host_audio = 0 > > > ># SPICE is configured to listen on 127.0.0.1 by default. ># To make it listen on all public interfaces, uncomment ># this next option. ># ># NB, strong recommendation to enable TLS + x509 certificate ># verification when allowing public access ># >#spice_listen = "0.0.0.0" > > ># Enable use of TLS encryption on the SPICE server. ># ># It is necessary to setup CA and issue a server certificate ># before enabling this. ># >#spice_tls = 1 > > ># Use of TLS requires that x509 certificates be issued. The ># default it to keep them in /etc/pki/libvirt-spice. This directory ># must contain ># ># ca-cert.pem - the CA master certificate ># server-cert.pem - the server certificate signed with ca-cert.pem ># server-key.pem - the server private key ># ># This option allows the certificate directory to be changed. ># >#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice" > > ># The default SPICE password. This parameter is only used if the ># per-domain XML config does not already provide a password. To ># allow access without passwords, leave this commented out. An ># empty string will still enable passwords, but be rejected by ># QEMU, effectively preventing any use of SPICE. Obviously change ># this example here before you set this. ># >#spice_password = "XYZ12345" > > ># Override the port for creating both VNC and SPICE sessions (min). ># This defaults to 5900 and increases for consecutive sessions ># or when ports are occupied, until it hits the maximum. ># ># Minimum must be greater than or equal to 5900 as lower number would ># result into negative vnc display number. ># ># Maximum must be less than 65536, because higher numbers do not make ># sense as a port number. ># >#remote_display_port_min = 5900 >#remote_display_port_max = 65535 > > ># The default security driver is SELinux. If SELinux is disabled ># on the host, then the security driver will automatically disable ># itself. If you wish to disable QEMU SELinux security driver while ># leaving SELinux enabled for the host in general, then set this ># to 'none' instead. It's also possible to use more than one security ># driver at the same time, for this use a list of names separated by ># comma and delimited by square brackets. For example: ># ># security_driver = [ "selinux", "apparmor" ] ># ># Notes: The DAC security driver is always enabled; as a result, the ># value of security_driver cannot contain "dac". The value "none" is ># a special value; security_driver can be set to that value in ># isolation, but it cannot appear in a list of drivers. ># >#security_driver = "selinux" > ># If set to non-zero, then the default security labeling ># will make guests confined. If set to zero, then guests ># will be unconfined by default. Defaults to 1. >#security_default_confined = 1 > ># If set to non-zero, then attempts to create unconfined ># guests will be blocked. Defaults to 0. >#security_require_confined = 1 > ># The user for QEMU processes run by the system instance. It can be ># specified as a user name or as a user id. The qemu driver will try to ># parse this value first as a name and then, if the name doesn't exist, ># as a user id. ># ># Since a sequence of digits is a valid user name, a leading plus sign ># can be used to ensure that a user id will not be interpreted as a user ># name. ># ># Some examples of valid values are: ># ># user = "qemu" # A user named "qemu" ># user = "+0" # Super user (uid=0) ># user = "100" # A user named "100" or a user with uid=100 ># >#user = "root" > ># The group for QEMU processes run by the system instance. It can be ># specified in a similar way to user. >#group = "root" > ># Whether libvirt should dynamically change file ownership ># to match the configured user/group above. Defaults to 1. ># Set to 0 to disable file ownership changes. >#dynamic_ownership = 1 > > ># What cgroup controllers to make use of with QEMU guests ># ># - 'cpu' - use for schedular tunables ># - 'devices' - use for device whitelisting ># - 'memory' - use for memory tunables ># - 'blkio' - use for block devices I/O tunables ># - 'cpuset' - use for CPUs and memory nodes ># - 'cpuacct' - use for CPUs statistics. ># ># NB, even if configured here, they won't be used unless ># the administrator has mounted cgroups, e.g.: ># ># mkdir /dev/cgroup ># mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup ># ># They can be mounted anywhere, and different controllers ># can be mounted in different locations. libvirt will detect ># where they are located. ># >#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] > ># This is the basic set of devices allowed / required by ># all virtual machines. ># ># As well as this, any configured block backed disks, ># all sound device, and all PTY devices are allowed. ># ># This will only need setting if newer QEMU suddenly ># wants some device we don't already know about. ># >#cgroup_device_acl = [ ># "/dev/null", "/dev/full", "/dev/zero", ># "/dev/random", "/dev/urandom", ># "/dev/ptmx", "/dev/kvm", "/dev/kqemu", ># "/dev/rtc","/dev/hpet" >#] > > ># The default format for Qemu/KVM guest save images is raw; that is, the ># memory from the domain is dumped out directly to a file. If you have ># guests with a large amount of memory, however, this can take up quite ># a bit of space. If you would like to compress the images while they ># are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" ># for save_image_format. Note that this means you slow down the process of ># saving a domain in order to save disk space; the list above is in descending ># order by performance and ascending order by compression ratio. ># ># save_image_format is used when you use 'virsh save' at scheduled ># saving, and it is an error if the specified save_image_format is ># not valid, or the requested compression program can't be found. ># ># dump_image_format is used when you use 'virsh dump' at emergency ># crashdump, and if the specified dump_image_format is not valid, or ># the requested compression program can't be found, this falls ># back to "raw" compression. ># >#save_image_format = "raw" >#dump_image_format = "raw" > ># When a domain is configured to be auto-dumped when libvirtd receives a ># watchdog event from qemu guest, libvirtd will save dump files in directory ># specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump ># >#auto_dump_path = "/var/lib/libvirt/qemu/dump" > ># When a domain is configured to be auto-dumped, enabling this flag ># has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the ># virDomainCoreDump API. That is, the system will avoid using the ># file system cache while writing the dump file, but may cause ># slower operation. ># >#auto_dump_bypass_cache = 0 > ># When a domain is configured to be auto-started, enabling this flag ># has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag ># with the virDomainCreateWithFlags API. That is, the system will ># avoid using the file system cache when restoring any managed state ># file, but may cause slower operation. ># >#auto_start_bypass_cache = 0 > ># If provided by the host and a hugetlbfs mount point is configured, ># a guest may request huge page backing. When this mount point is ># unspecified here, determination of a host mount point in /proc/mounts ># will be attempted. Specifying an explicit mount overrides detection ># of the same in /proc/mounts. Setting the mount point to "" will ># disable guest hugepage backing. ># ># NB, within this mount point, guests will create memory backing files ># in a location of $MOUNTPOINT/libvirt/qemu ># >#hugetlbfs_mount = "/dev/hugepages" > > ># If clear_emulator_capabilities is enabled, libvirt will drop all ># privileged capabilities of the QEmu/KVM emulator. This is enabled by ># default. ># ># Warning: Disabling this option means that a compromised guest can ># exploit the privileges and possibly do damage to the host. ># >#clear_emulator_capabilities = 1 > > ># If enabled, libvirt will have QEMU set its process name to ># "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU ># process will appear as "qemu:VM_NAME" in process listings and ># other system monitoring tools. By default, QEMU does not set ># its process title, so the complete QEMU command (emulator and ># its arguments) appear in process listings. ># >#set_process_name = 1 > > ># If max_processes is set to a positive integer, libvirt will use ># it to set the maximum number of processes that can be run by qemu ># user. This can be used to override default value set by host OS. ># The same applies to max_files which sets the limit on the maximum ># number of opened files. ># >#max_processes = 0 >#max_files = 0 > > > ># mac_filter enables MAC addressed based filtering on bridge ports. ># This currently requires ebtables to be installed. ># >#mac_filter = 1 > > ># By default, PCI devices below non-ACS switch are not allowed to be assigned ># to guests. By setting relaxed_acs_check to 1 such devices will be allowed to ># be assigned to guests. ># >#relaxed_acs_check = 1 > > ># If allow_disk_format_probing is enabled, libvirt will probe disk ># images to attempt to identify their format, when not otherwise ># specified in the XML. This is disabled by default. ># ># WARNING: Enabling probing is a security hole in almost all ># deployments. It is strongly recommended that users update their ># guest XML <disk> elements to include <driver type='XXXX'/> ># elements instead of enabling this option. ># >#allow_disk_format_probing = 1 > > ># To enable 'Sanlock' project based locking of the file ># content (to prevent two VMs writing to the same ># disk), uncomment this ># >#lock_manager = "sanlock" > > > ># Set limit of maximum APIs queued on one domain. All other APIs ># over this threshold will fail on acquiring job lock. Specially, ># setting to zero turns this feature off. ># Note, that job lock is per domain. ># >#max_queued = 0 > >################################################################### ># Keepalive protocol: ># This allows qemu driver to detect broken connections to remote ># libvirtd during peer-to-peer migration. A keepalive message is ># sent to the deamon after keepalive_interval seconds of inactivity ># to check if the deamon is still responding; keepalive_count is a ># maximum number of keepalive messages that are allowed to be sent ># to the deamon without getting any response before the connection ># is considered broken. In other words, the connection is ># automatically closed approximately after ># keepalive_interval * (keepalive_count + 1) seconds since the last ># message received from the deamon. If keepalive_interval is set to ># -1, qemu driver will not send keepalive requests during ># peer-to-peer migration; however, the remote libvirtd can still ># send them and source libvirtd will send responses. When ># keepalive_count is set to 0, connections will be automatically ># closed after keepalive_interval seconds of inactivity without ># sending any keepalive messages. ># >#keepalive_interval = 5 >#keepalive_count = 5 > > > ># Use seccomp syscall whitelisting in QEMU. ># 1 = on, 0 = off, -1 = use QEMU default ># Defaults to -1. ># >#seccomp_sandbox = 1 >## beginning of configuration section by vdsm-4.10.3 >dynamic_ownership=0 >spice_tls=0 >save_image_format="lzop" >lock_manager="sanlock" >auto_dump_path="/var/log/core" >## end of configuration section by vdsm-4.10.3
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=861787">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 1036883
:
861771
|
861772
|
861786
| 861787