1 # Master libvirt daemon configuration file
3 # For further information consult http://libvirt.org/format.html
4 #################################################################
6 # Network connectivitiy controls
8 # Flag listening for secure TLS connections on the public TCP/IP port.
9 # NB, must pass the --listen flag to the libvirtd process for this to
12 # It is necessary to setup a CA and issue server certificates before
13 # using this capability.
15 # This is enabled by default, uncomment this to disable it
17 # Listen for unencrypted TCP connections on the public TCP/IP port.
18 # NB, must pass the --listen flag to the libvirtd process for this to
21 # Using the TCP socket requires SASL authentication by default. Only
22 # SASL mechanisms which support data encryption are allowed. This is
23 # DIGEST_MD5 and GSSAPI (Kerberos5)
25 # This is disabled by default, uncomment this to enable it.
27 # Override the port for accepting secure TLS connections
28 # This can be a port number, or service name
31 # Override the port for accepting insecure TCP connections
32 # This can be a port number, or service name
35 # Flag toggling mDNS advertizement of the libvirt service.
37 # Alternatively can disable for all services on a host by
38 # stopping the Avahi daemon
40 # This is disabled by default, uncomment this to enable it
42 # Override the default mDNS advertizement name. This must be
43 # unique on the immediate broadcast network.
45 # The default is "Virtualization Host HOSTNAME", where HOSTNAME
46 # is subsituted for the short hostname of the machine (without domain)
48 mdns_name = "Virtualization Host Joe Demo"
49 #################################################################
51 # UNIX socket access controls
53 # Set the UNIX domain socket group ownership. This can be used to
54 # allow a 'trusted' set of users access to management capabilities
55 # without becoming root.
57 # This is restricted to 'root' by default.
58 unix_sock_group = "libvirt"
59 # Set the UNIX socket permissions for the R/O socket. This is used
60 # for monitoring VM status only
62 # Default allows any user. If setting group ownership may want to
64 unix_sock_ro_perms = "0777"
65 # Set the UNIX socket permissions for the R/W socket. This is used
66 # for full management of VMs
68 # Default allows only root. If PolicyKit is enabled on the socket,
69 # the default will change to allow everyone (eg, 0777)
71 # If not using PolicyKit and setting group ownership for access
72 # control then you may want to relax this to:
73 unix_sock_rw_perms = "0770"
74 #################################################################
78 # - none: do not perform auth checks. If you can connect to the
79 # socket you are allowed. This is suitable if there are
80 # restrictions on connecting to the socket (eg, UNIX
81 # socket permissions), or if there is a lower layer in
82 # the network providing auth (eg, TLS/x509 certificates)
84 # - sasl: use SASL infrastructure. The actual auth scheme is then
85 # controlled from /etc/sasl2/libvirt.conf. For the TCP
86 # socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
87 # For non-TCP or TLS sockets, any scheme is allowed.
89 # - polkit: use PolicyKit to authenticate. This is only suitable
90 # for use on the UNIX sockets. The default policy will
91 # require a user to supply their own password to gain
92 # full read/write access (aka sudo like), while anyone
93 # is allowed read/only access.
95 # Set an authentication scheme for UNIX read-only sockets
96 # By default socket permissions allow anyone to connect
98 # To restrict monitoring of domains you may wish to enable
99 # an authentication mechanism here
100 auth_unix_ro = "none"
101 # Set an authentication scheme for UNIX read-write sockets
102 # By default socket permissions only allow root. If PolicyKit
103 # support was compiled into libvirt, the default will be to
106 # If the unix_sock_rw_perms are changed you may wish to enable
107 # an authentication mechanism here
108 auth_unix_rw = "none"
109 # Change the authentication scheme for TCP sockets.
111 # If you don't enable SASL, then all TCP traffic is cleartext.
112 # Don't do this outside of a dev/test scenario. For real world
113 # use, always enable SASL and use the GSSAPI or DIGEST-MD5
114 # mechanism in /etc/sasl2/libvirt.conf
116 # Change the authentication scheme for TLS sockets.
118 # TLS sockets already have encryption provided by the TLS
119 # layer, and limited authentication is done by certificates
121 # It is possible to make use of any SASL authentication
122 # mechanism as well, by using 'sasl' for this option
124 #################################################################
126 # TLS x509 certificate configuration
128 # Override the default server key file path
130 key_file = "/etc/pki/libvirt/private/serverkey.pem"
131 # Override the default server certificate file path
133 cert_file = "/etc/pki/libvirt/servercert.pem"
134 # Override the default CA certificate path
136 ca_file = "/etc/pki/CA/cacert.pem"
137 # Specify a certificate revocation list.
139 # Defaults to not using a CRL, uncomment to enable it
140 crl_file = "/etc/pki/CA/crl.pem"
141 #################################################################
143 # Authorization controls
145 # Flag to disable verification of client certificates
147 # Client certificate verification is the primary authentication mechanism.
148 # Any client which does not present a certificate signed by the CA
151 # Default is to always verify. Uncommenting this will disable
152 # verification - make sure an IP whitelist is set
153 tls_no_verify_certificate = 1
154 # A whitelist of allowed x509 Distinguished Names
155 # This list may contain wildcards such as
157 # "C=GB,ST=London,L=London,O=Red Hat,CN=*"
159 # See the POSIX fnmatch function for the format of the wildcards.
161 # NB If this is an empty list, no client can connect, so comment out
162 # entirely rather than using empty list to disable these checks
164 # By default, no DN's are checked
165 tls_allowed_dn_list = [ "DN1", "DN2" ]
166 # A whitelist of allowed SASL usernames. The format for usernames
167 # depends on the SASL authentication mechanism. Kerberos usernames
168 # look like username@REALM
170 # This list may contain wildcards such as
174 # See the POSIX fnmatch function for the format of the wildcards.
176 # NB If this is an empty list, no client can connect, so comment out
177 # entirely rather than using empty list to disable these checks
179 # By default, no Username's are checked
180 sasl_allowed_username_list = [ "joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
182 # Provide the UUID of the host here in case the command
183 # 'dmidecode -s system-uuid' does not provide a valid uuid. In case
184 # 'dmidecode' does not provide a valid UUID and none is provided here, a
185 # temporary UUID will be generated.
186 # Keep the format of the example UUID below.
187 host_uuid = "8510b1a1-1afa-4da6-8111-785fae202c1e"