mkdir -p './initramfs-tools/scripts/panic'
mkdir -p './kernel/install.d'
mkdir -p './libpaper.d'
+mkdir -p './libvirt/hooks'
+mkdir -p './libvirt/secrets'
mkdir -p './mate-settings-daemon/xrandr'
mkdir -p './molly-guard/messages.d'
mkdir -p './network/interfaces.d'
maybe chmod 0644 'apparmor.d/abstractions/launchpad-integration'
maybe chmod 0644 'apparmor.d/abstractions/ldapclient'
maybe chmod 0644 'apparmor.d/abstractions/libpam-systemd'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-lxc'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-qemu'
maybe chmod 0644 'apparmor.d/abstractions/lightdm'
maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser'
maybe chmod 0644 'apparmor.d/abstractions/likewise'
maybe chmod 0755 'apparmor.d/cache'
maybe chmod 0755 'apparmor.d/disable'
maybe chmod 0755 'apparmor.d/force-complain'
+maybe chmod 0755 'apparmor.d/libvirt'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.lxc'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.qemu'
maybe chmod 0644 'apparmor.d/lightdm-guest-session'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/README'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/local/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.named'
maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/usr.sbin.chronyd'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd'
maybe chmod 0644 'apparmor.d/usr.sbin.named'
maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd'
maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump'
maybe chmod 0644 'default/kdm.d/10_desktop-base'
maybe chmod 0644 'default/kerneloops'
maybe chmod 0644 'default/keyboard'
+maybe chmod 0644 'default/libvirt-guests'
+maybe chmod 0644 'default/libvirtd'
maybe chmod 0644 'default/locale'
maybe chmod 0644 'default/mdadm'
maybe chmod 0644 'default/motd-news'
maybe chmod 0644 'default/ssh'
maybe chmod 0644 'default/ufw'
maybe chmod 0644 'default/useradd'
+maybe chmod 0644 'default/virtlockd'
+maybe chmod 0644 'default/virtlogd'
maybe chmod 0644 'deluser.conf'
maybe chmod 0755 'depmod.d'
maybe chmod 0644 'depmod.d/ubuntu.conf'
maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/postinst'
maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/prerm'
maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/rules'
+maybe chmod 0755 'dnsmasq.d'
+maybe chmod 0755 'dnsmasq.d-available'
+maybe chmod 0644 'dnsmasq.d-available/libvirt-daemon'
maybe chmod 0755 'doc-base'
maybe chmod 0755 'doc-base/documents'
maybe chmod 0644 'doc-base/documents/README'
maybe chmod 0755 'init.d/kerneloops'
maybe chmod 0755 'init.d/keyboard-setup.sh'
maybe chmod 0755 'init.d/kmod'
+maybe chmod 0755 'init.d/libvirt-guests'
+maybe chmod 0755 'init.d/libvirtd'
maybe chmod 0755 'init.d/lightdm'
maybe chmod 0755 'init.d/lm-sensors'
maybe chmod 0755 'init.d/lvm2'
maybe chmod 0755 'init.d/udev'
maybe chmod 0755 'init.d/ufw'
maybe chmod 0755 'init.d/uuidd'
+maybe chmod 0755 'init.d/virtlogd'
maybe chmod 0755 'init.d/x11-common'
maybe chmod 0644 'init/anacron.conf'
maybe chmod 0644 'init/lightdm.conf'
maybe chmod 0644 'libreoffice/psprint.conf'
maybe chmod 0644 'libreoffice/soffice.sh'
maybe chmod 0644 'libreoffice/sofficerc'
+maybe chmod 0755 'libvirt'
+maybe chmod 0755 'libvirt/hooks'
+maybe chmod 0644 'libvirt/libvirt-admin.conf'
+maybe chmod 0644 'libvirt/libvirt.conf'
+maybe chmod 0644 'libvirt/libvirtd.conf'
+maybe chmod 0644 'libvirt/libxl-lockd.conf'
+maybe chmod 0644 'libvirt/libxl.conf'
+maybe chmod 0644 'libvirt/lxc.conf'
+maybe chmod 0755 'libvirt/nwfilter'
+maybe chmod 0600 'libvirt/nwfilter/allow-arp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp-server.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-incoming-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/clean-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-multicast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-broadcast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-l2-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-rarp-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self-rarp.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self.xml'
+maybe chmod 0755 'libvirt/qemu'
+maybe chmod 0644 'libvirt/qemu-lockd.conf'
+maybe chmod 0644 'libvirt/qemu-sanlock.conf'
+maybe chmod 0600 'libvirt/qemu.conf'
+maybe chmod 0755 'libvirt/qemu/networks'
+maybe chmod 0755 'libvirt/qemu/networks/autostart'
+maybe chmod 0600 'libvirt/qemu/networks/default.xml'
+maybe chmod 0700 'libvirt/secrets'
+maybe chmod 0644 'libvirt/virt-login-shell.conf'
+maybe chmod 0644 'libvirt/virtlockd.conf'
+maybe chmod 0644 'libvirt/virtlogd.conf'
maybe chmod 0755 'lightdm'
maybe chmod 0755 'lightdm/lightdm-gtk-greeter.conf.d'
maybe chmod 0644 'lightdm/lightdm-gtk-greeter.conf.d/99_linuxmint.conf'
maybe chmod 0644 'logrotate.d/chrony'
maybe chmod 0644 'logrotate.d/cups-daemon'
maybe chmod 0644 'logrotate.d/dpkg'
+maybe chmod 0644 'logrotate.d/libvirtd'
+maybe chmod 0644 'logrotate.d/libvirtd.libxl'
+maybe chmod 0644 'logrotate.d/libvirtd.lxc'
+maybe chmod 0644 'logrotate.d/libvirtd.qemu'
+maybe chmod 0644 'logrotate.d/libvirtd.uml'
maybe chmod 0644 'logrotate.d/lightdm'
maybe chmod 0644 'logrotate.d/mintupdate'
maybe chmod 0644 'logrotate.d/pm-utils'
maybe chmod 0644 'profile.d/fbrehm.sh'
maybe chmod 0644 'profile.d/flatpak.sh'
maybe chmod 0644 'profile.d/input-method-config.sh'
+maybe chmod 0644 'profile.d/libvirt-uri.sh'
maybe chmod 0644 'profile.d/vte-2.91.sh'
maybe chmod 0644 'profile.d/xdg_dirs_desktop_session.sh'
maybe chmod 0644 'protocols'
maybe chmod 0644 'sane.d/umax1220u.conf'
maybe chmod 0644 'sane.d/umax_pp.conf'
maybe chmod 0644 'sane.d/xerox_mfp.conf'
+maybe chmod 0755 'sasl2'
+maybe chmod 0644 'sasl2/libvirt.conf'
maybe chmod 0644 'screenrc'
maybe chmod 0644 'securetty'
maybe chmod 0755 'security'
--- /dev/null
+# Last Modified: Fri Feb 7 13:01:36 2014
+
+ #include <abstractions/base>
+
+ umount,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
--- /dev/null
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ /dev/kqemu rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+ owner @{PROC}/*/auxv r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+ /run/udev/data/+usb* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/misc/sgabios.bin r,
+ /usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
+ /usr/share/AAVMF/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
+
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-system-aarch64 rmix,
+ /usr/bin/qemu-system-alpha rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-lm32 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-moxie rmix,
+ /usr/bin/qemu-system-or32 rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-s390x rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-tricore rmix,
+ /usr/bin/qemu-system-unicore32 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-xtensa rmix,
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
+
+ # for save and resume
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
+
+ # for restore
+ /{usr/,}bin/bash rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
+ # allow access to charm-specific ceph config and silence spurious
+ # denials (LP: #1403648).
+ /var/lib/charm/*/ceph.conf r,
+ deny /tmp/{,**} r,
+ deny /var/tmp/{,**} r,
+
+ # kvm.powerpc executes/accesses this
+ /bin/uname rmix,
+ /usr/sbin/ppc64_cpu rmix,
+ /bin/grep rmix,
+ /sys/devices/system/cpu/subcores_per_core r,
+ /sys/devices/system/cpu/cpu*/online r,
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-lxc>
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-qemu>
+}
--- /dev/null
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+ network inet6,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ /etc/libnl-3/classid r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /{usr/,}sbin/apparmor_parser Ux,
+
+ # for openvswitch
+ /{,var/}run/** rw,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ # nova base images (LP: #907269)
+ /var/lib/nova/images/** r,
+ /var/lib/nova/instances/_base/** r,
+ # nova snapshots (LP: #1244694)
+ /var/lib/nova/instances/snapshots/** r,
+ # nova base/snapshot files in snapped nova (LP: #1644507)
+ /var/snap/nova-hypervisor/common/instances/_base/** r,
+ /var/snap/nova-hypervisor/common/instances/snapshots/** r,
+ # eucalyptus (LP: #564914)
+ /var/lib/eucalyptus/instances/**/disk* r,
+ # eucalyptus loader (LP: #637544)
+ /var/lib/eucalyptus/instances/**/loader* r,
+ # for uvtool
+ /var/lib/uvtool/libvirt/images/** r,
+ # for multipass
+ /var/snap/multipass/common/data/multipassd/vault/instances/** r,
+ /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /{,var/}run/libvirt/**/[sv]d[a-z] r,
+
+ /**.img r,
+ /**.raw r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.libvirt.virt-aa-helper>
+}
--- /dev/null
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+/usr/sbin/libvirtd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ mount options=(rw,rslave) -> /,
+ mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+
+ mount options=(rw, move) /dev/ -> /{var/,}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/hugepages/ -> /{var/,}run/libvirt/qemu/*.hugepages/,
+ mount options=(rw, move) /dev/mqueue/ -> /{var/,}run/libvirt/qemu/*.mqueue/,
+ mount options=(rw, move) /dev/pts/ -> /{var/,}run/libvirt/qemu/*.pts/,
+ mount options=(rw, move) /dev/shm/ -> /{var/,}run/libvirt/qemu/*.shm/,
+
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.hugepages/ -> /dev/hugepages/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.mqueue/ -> /dev/mqueue/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.pts/ -> /dev/pts/,
+ mount options=(rw, move) /{var/,}run/libvirt/qemu/*.shm/ -> /dev/shm/,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=/usr/sbin/libvirtd,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
+
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill", "term") peer=unconfined,
+
+ # Since libvirt 4.0 we also need the reverse direction (LP: #1741617)
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+ # required if guests run unconfined seclabel type='none' but libvirtd is confined
+ signal (read, send) peer=unconfined,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/virtlogd pix,
+ /usr/sbin/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+ /usr/lib/xen-*/bin/pygrub PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+ /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.libvirtd>
+}
--- /dev/null
+# URIs to check for running guests
+# example: URIS='default xen:/// vbox+tcp://host/system lxc:///'
+#URIS=default
+
+# action taken on host boot
+# - start all guests which were running on shutdown are started on boot
+# regardless on their autostart settings
+# - ignore libvirt-guests init script won't start any guest on boot, however,
+# guests marked as autostart will still be automatically started by
+# libvirtd
+#ON_BOOT=ignore
+
+# Number of seconds to wait between each guest start. Set to 0 to allow
+# parallel startup.
+#START_DELAY=0
+
+# action taken on host shutdown
+# - suspend all running guests are suspended using virsh managedsave
+# - shutdown all running guests are asked to shutdown. Please be careful with
+# this settings since there is no way to distinguish between a
+# guest which is stuck or ignores shutdown requests and a guest
+# which just needs a long time to shutdown. When setting
+# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a
+# value suitable for your guests.
+#ON_SHUTDOWN=shutdown
+
+# Number of guests will be shutdown concurrently, taking effect when
+# "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one
+# after another. Number of guests on shutdown at any time will not exceed number
+# set in this variable.
+PARALLEL_SHUTDOWN=10
+
+# Number of seconds we're willing to wait for a guest to shut down. If parallel
+# shutdown is enabled, this timeout applies as a timeout for shutting down all
+# guests on a single URI defined in the variable URIS. If this is 0, then there
+# is no time out (use with caution, as guests might not respond to a shutdown
+# request). The default value is 300 seconds (5 minutes).
+SHUTDOWN_TIMEOUT=120
+
+# If non-zero, try to bypass the file system cache when saving and
+# restoring guests, even though this may give slower operation for
+# some file systems.
+#BYPASS_CACHE=0
+
+# If non-zero, try to sync guest time on domain resume. Be aware, that
+# this requires guest agent with support for time synchronization
+# running in the guest. For instance, qemu-ga doesn't support guest time
+# synchronization on Windows guests, but Linux ones. By default, this
+# functionality is turned off.
+#SYNC_TIME=1
--- /dev/null
+# Defaults for libvirtd initscript (/etc/init.d/libvirtd)
+# This is a POSIX shell fragment
+
+# Start libvirtd to handle qemu/kvm:
+start_libvirtd="yes"
+
+# options passed to libvirtd, add "-l" to listen on tcp
+#libvirtd_opts=""
+
+# pass in location of kerberos keytab
+#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
+
+# Whether to mount a systemd like cgroup layout (only
+# useful when not running systemd)
+#mount_cgroups=yes
+# Which cgroups to mount
+#cgroups="memory devices"
--- /dev/null
+#
+# Pass extra arguments to virtlockd
+#VIRTLOCKD_ARGS=
--- /dev/null
+#
+# Pass extra arguments to virtlogd
+#VIRTLOGD_ARGS=
--- /dev/null
+bind-interfaces
+except-interface=virbr0
--- /dev/null
+/etc/dnsmasq.d-available/libvirt-daemon
\ No newline at end of file
rdma:x:134:
_chrony:x:135:
gdm:x:118:
+libvirt:x:136:frank
+libvirt-qemu:x:64055:libvirt-qemu
+libvirt-dnsmasq:x:137:
kvm:x:133:
rdma:x:134:
_chrony:x:135:
+gdm:x:118:
+libvirt:x:136:frank
+libvirt-qemu:x:64055:libvirt-qemu
rdma:!::
_chrony:!::
gdm:!::
+libvirt:!::frank
+libvirt-qemu:!::libvirt-qemu
+libvirt-dnsmasq:!::
kvm:!::
rdma:!::
_chrony:!::
+gdm:!::
+libvirt:!::frank
+libvirt-qemu:!::libvirt-qemu
--- /dev/null
+#!/bin/sh
+#
+### BEGIN INIT INFO
+# Provides: libvirt-guests
+# Required-Start: $remote_fs libvirtd
+# Required-Stop: $remote_fs libvirtd
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: suspend/resume libvirt guests on shutdown/boot
+# Description: This is a script for suspending active libvirt guests
+# on shutdown and resuming them on next boot
+# See http://libvirt.org
+### END INIT INFO
+#
+# Copyright (C) 2011-2014 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see
+# <http://www.gnu.org/licenses/>.
+
+sysconfdir=/etc
+localstatedir=/var
+libvirtd=/usr/sbin/libvirtd
+
+# Source gettext library.
+# Make sure this file is recognized as having translations: _("dummy")
+. /usr/bin/gettext.sh
+
+# Make sure calls to this script get redirected to systemctl when
+# using systemd
+. /lib/lsb/init-functions
+
+export TEXTDOMAIN="libvirt" TEXTDOMAINDIR="/usr/share/locale"
+
+URIS=default
+ON_BOOT=ignore
+ON_SHUTDOWN=shutdown
+SHUTDOWN_TIMEOUT=300
+PARALLEL_SHUTDOWN=0
+START_DELAY=0
+BYPASS_CACHE=0
+CONNECT_RETRIES=10
+RETRIES_SLEEP=1
+SYNC_TIME=0
+
+test -f "$sysconfdir"/default/libvirt-guests &&
+ . "$sysconfdir"/default/libvirt-guests
+
+LISTFILE="$localstatedir"/lib/libvirt/libvirt-guests
+VAR_SUBSYS_LIBVIRT_GUESTS="$localstatedir"/lock/libvirt-guests
+
+RETVAL=0
+
+# Default URI is not correct in the Xen case as the non-accelerated
+# qemu driver also gets initialized.
+if [ -f "/proc/xen/capabilities" ]; then
+ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then
+ LIBVIRT_DEFAULT_URI="xen:///"
+ export LIBVIRT_DEFAULT_URI
+ fi
+fi
+
+# retval COMMAND ARGUMENTS...
+# run command with arguments and convert non-zero return value to 1 and set
+# the global return variable
+retval() {
+ "$@"
+ if [ $? -ne 0 ]; then
+ RETVAL=1
+ return 1
+ else
+ return 0
+ fi
+}
+
+# run_virsh URI ARGUMENTS...
+# start virsh and let it execute ARGUMENTS on URI
+# If URI is "default" virsh is called without the "-c" argument
+# (using libvirt's default connection)
+run_virsh() {
+ uri=$1
+ shift
+
+ if [ "x$uri" = xdefault ]; then
+ virsh "$@" </dev/null
+ else
+ virsh -c "$uri" "$@" </dev/null
+ fi
+}
+
+# run_virsh_c URI ARGUMENTS
+# Same as "run_virsh" but the "C" locale is used instead of
+# the system's locale.
+run_virsh_c() {
+ ( export LC_ALL=C; run_virsh "$@" )
+}
+
+# test_connect URI
+# check if URI is reachable
+test_connect()
+{
+ uri=$1
+
+ i=${CONNECT_RETRIES}
+ while [ $i -gt 0 ]; do
+ run_virsh "$uri" connect 2>/dev/null
+ if [ $? -eq 0 ]; then
+ return 0;
+ fi
+ sleep ${RETRIES_SLEEP}
+ eval_gettext "Unable to connect to libvirt currently. Retrying .. \$i"
+ i=$(($i-1))
+ done
+ eval_gettext "Can't connect to \$uri. Skipping."
+ echo
+ return 1
+}
+
+# list_guests URI PERSISTENT
+# List running guests on URI.
+# PERSISTENT argument options:
+# --persistent: list only persistent guests
+# --transient: list only transient guests
+# [none]: list both persistent and transient guests
+list_guests() {
+ uri=$1
+ persistent=$2
+
+ list=$(run_virsh_c "$uri" list --uuid $persistent)
+ if [ $? -ne 0 ]; then
+ RETVAL=1
+ return 1
+ fi
+
+ echo "$list" | sed "/00000000-0000-0000-0000-000000000000/d"
+}
+
+# guest_name URI UUID
+# return name of guest UUID on URI
+guest_name() {
+ uri=$1
+ uuid=$2
+
+ run_virsh "$uri" domname "$uuid" 2>/dev/null
+}
+
+# guest_is_on URI UUID
+# check if guest UUID on URI is running
+# Result is returned by variable "guest_running"
+guest_is_on() {
+ uri=$1
+ uuid=$2
+
+ guest_running=false
+ id=$(run_virsh "$uri" domid "$uuid")
+ if [ $? -ne 0 ]; then
+ RETVAL=1
+ return 1
+ fi
+
+ [ -n "$id" ] && [ "x$id" != x- ] && guest_running=true
+ return 0
+}
+
+# started
+# Create the startup lock file
+started() {
+ touch "$VAR_SUBSYS_LIBVIRT_GUESTS"
+}
+
+# start
+# Start or resume the guests
+start() {
+ [ -f "$LISTFILE" ] || { started; return 0; }
+
+ if [ "x$ON_BOOT" != xstart ]; then
+ gettext "libvirt-guests is configured not to start any guests on boot"
+ echo
+ rm -f "$LISTFILE"
+ started
+ return 0
+ fi
+
+ isfirst=true
+ bypass=
+ sync_time=false
+ test "x$BYPASS_CACHE" = x0 || bypass=--bypass-cache
+ test "x$SYNC_TIME" = x0 || sync_time=true
+ while read uri list; do
+ configured=false
+ set -f
+ for confuri in $URIS; do
+ set +f
+ if [ "x$confuri" = "x$uri" ]; then
+ configured=true
+ break
+ fi
+ done
+ set +f
+ if ! "$configured"; then
+ eval_gettext "Ignoring guests on \$uri URI"; echo
+ continue
+ fi
+
+ test_connect "$uri" || continue
+
+ eval_gettext "Resuming guests on \$uri URI..."; echo
+ for guest in $list; do
+ name=$(guest_name "$uri" "$guest")
+ eval_gettext "Resuming guest \$name: "
+ if guest_is_on "$uri" "$guest"; then
+ if "$guest_running"; then
+ gettext "already active"; echo
+ else
+ if "$isfirst"; then
+ isfirst=false
+ else
+ sleep $START_DELAY
+ fi
+ retval run_virsh "$uri" start $bypass "$name" \
+ >/dev/null && \
+ gettext "done"; echo
+ if "$sync_time"; then
+ run_virsh "$uri" domtime --sync "$name" >/dev/null
+ fi
+ fi
+ fi
+ done
+ done <"$LISTFILE"
+
+ rm -f "$LISTFILE"
+ started
+}
+
+# suspend_guest URI GUEST
+# Do a managed save on a GUEST on URI. This function returns after the guest
+# was saved.
+suspend_guest()
+{
+ uri=$1
+ guest=$2
+
+ name=$(guest_name "$uri" "$guest")
+ label=$(eval_gettext "Suspending \$name: ")
+ bypass=
+ slept=0
+ test "x$BYPASS_CACHE" = x0 || bypass=--bypass-cache
+ printf '%s...\n' "$label"
+ run_virsh "$uri" managedsave $bypass "$guest" >/dev/null &
+ virsh_pid=$!
+ while true; do
+ sleep 1
+ kill -0 "$virsh_pid" >/dev/null 2>&1 || break
+
+ slept=$(($slept + 1))
+ if [ $(($slept % 5)) -eq 0 ]; then
+ progress=$(run_virsh_c "$uri" domjobinfo "$guest" 2>/dev/null | \
+ awk '/^Data processed:/{print $3, $4}')
+ if [ -n "$progress" ]; then
+ printf '%s%s\n' "$label" "$progress"
+ else
+ printf '%s%s\n' "$label" "..."
+ fi
+ fi
+ done
+ retval wait "$virsh_pid" && printf '%s%s\n' "$label" "$(gettext "done")"
+}
+
+# shutdown_guest URI GUEST
+# Start an ACPI shutdown of GUEST on URI. This function returns after the guest
+# was successfully shutdown or the timeout defined by $SHUTDOWN_TIMEOUT expired.
+shutdown_guest()
+{
+ uri=$1
+ guest=$2
+
+ name=$(guest_name "$uri" "$guest")
+ eval_gettext "Starting shutdown on guest: \$name"
+ echo
+ retval run_virsh "$uri" shutdown "$guest" >/dev/null || return
+ timeout=$SHUTDOWN_TIMEOUT
+ check_timeout=false
+ if [ $timeout -gt 0 ]; then
+ check_timeout=true
+ format=$(eval_gettext "Waiting for guest %s to shut down, %d seconds left\n")
+ else
+ slept=0
+ format=$(eval_gettext "Waiting for guest %s to shut down\n")
+ fi
+ while ! $check_timeout || [ "$timeout" -gt 0 ]; do
+ sleep 1
+ guest_is_on "$uri" "$guest" || return
+ "$guest_running" || break
+
+ if $check_timeout; then
+ if [ $(($timeout % 5)) -eq 0 ]; then
+ printf "$format" "$name" "$timeout"
+ fi
+ timeout=$(($timeout - 1))
+ else
+ slept=$(($slept + 1))
+ if [ $(($slept % 5)) -eq 0 ]; then
+ printf "$format" "$name"
+ fi
+ fi
+ done
+
+ if guest_is_on "$uri" "$guest"; then
+ if "$guest_running"; then
+ eval_gettext "Shutdown of guest \$name failed to complete in time."
+ else
+ eval_gettext "Shutdown of guest \$name complete."
+ fi
+ echo
+ fi
+}
+
+# shutdown_guest_async URI GUEST
+# Start a ACPI shutdown of GUEST on URI. This function returns after the command
+# was issued to libvirt to allow parallel shutdown.
+shutdown_guest_async()
+{
+ uri=$1
+ guest=$2
+
+ name=$(guest_name "$uri" "$guest")
+ eval_gettext "Starting shutdown on guest: \$name"
+ echo
+ retval run_virsh "$uri" shutdown "$guest" > /dev/null
+}
+
+# guest_count GUEST_LIST
+# Returns number of guests in GUEST_LIST
+guest_count()
+{
+ set -- $1
+ echo $#
+}
+
+# check_guests_shutdown URI GUESTS
+# check if shutdown is complete on guests in "GUESTS" and returns only
+# guests that are still shutting down
+# Result is returned in "guests_shutting_down"
+check_guests_shutdown()
+{
+ uri=$1
+ guests_to_check=$2
+
+ guests_shutting_down=
+ for guest in $guests_to_check; do
+ if ! guest_is_on "$uri" "$guest" >/dev/null 2>&1; then
+ eval_gettext "Failed to determine state of guest: \$guest. Not tracking it anymore."
+ echo
+ continue
+ fi
+ if "$guest_running"; then
+ guests_shutting_down="$guests_shutting_down $guest"
+ fi
+ done
+}
+
+# print_guests_shutdown URI BEFORE AFTER
+# Checks for differences in the lists BEFORE and AFTER and prints
+# a shutdown complete notice for guests that have finished
+print_guests_shutdown()
+{
+ uri=$1
+ before=$2
+ after=$3
+
+ for guest in $before; do
+ case " $after " in
+ *" $guest "*) continue;;
+ esac
+
+ name=$(guest_name "$uri" "$guest")
+ if [ -n "$name" ]; then
+ eval_gettext "Shutdown of guest \$name complete."
+ echo
+ fi
+ done
+}
+
+# shutdown_guests_parallel URI GUESTS
+# Shutdown guests GUESTS on machine URI in parallel
+shutdown_guests_parallel()
+{
+ uri=$1
+ guests=$2
+
+ on_shutdown=
+ check_timeout=false
+ timeout=$SHUTDOWN_TIMEOUT
+ if [ $timeout -gt 0 ]; then
+ check_timeout=true
+ format=$(eval_gettext "Waiting for %d guests to shut down, %d seconds left\n")
+ else
+ slept=0
+ format=$(eval_gettext "Waiting for %d guests to shut down\n")
+ fi
+ while [ -n "$on_shutdown" ] || [ -n "$guests" ]; do
+ while [ -n "$guests" ] &&
+ [ $(guest_count "$on_shutdown") -lt "$PARALLEL_SHUTDOWN" ]; do
+ set -- $guests
+ guest=$1
+ shift
+ guests=$*
+ if [ -z "$(echo $on_shutdown | grep $guest)" ] &&
+ [ -n "$(guest_name "$uri" "$guest")" ]; then
+ shutdown_guest_async "$uri" "$guest"
+ on_shutdown="$on_shutdown $guest"
+ fi
+ done
+ sleep 1
+
+ set -- $guests
+ guestcount=$#
+ set -- $on_shutdown
+ shutdowncount=$#
+
+ if $check_timeout; then
+ if [ $(($timeout % 5)) -eq 0 ]; then
+ printf "$format" $(($guestcount + $shutdowncount)) "$timeout"
+ fi
+ timeout=$(($timeout - 1))
+ if [ $timeout -le 0 ]; then
+ eval_gettext "Timeout expired while shutting down domains"; echo
+ RETVAL=1
+ return
+ fi
+ else
+ slept=$(($slept + 1))
+ if [ $(($slept % 5)) -eq 0 ]; then
+ printf "$format" $(($guestcount + $shutdowncount))
+ fi
+ fi
+
+ on_shutdown_prev=$on_shutdown
+ check_guests_shutdown "$uri" "$on_shutdown"
+ on_shutdown="$guests_shutting_down"
+ print_guests_shutdown "$uri" "$on_shutdown_prev" "$on_shutdown"
+ done
+}
+
+# stop
+# Shutdown or save guests on the configured uris
+stop() {
+ # last stop was not followed by start
+ [ -f "$LISTFILE" ] && return 0
+
+ suspending=true
+ if [ "x$ON_SHUTDOWN" = xshutdown ]; then
+ suspending=false
+ if [ $SHUTDOWN_TIMEOUT -lt 0 ]; then
+ gettext "SHUTDOWN_TIMEOUT must be equal or greater than 0"
+ echo
+ RETVAL=6
+ return
+ fi
+ fi
+
+ : >"$LISTFILE"
+ set -f
+ for uri in $URIS; do
+ set +f
+
+ test_connect "$uri" || continue
+
+ eval_gettext "Running guests on \$uri URI: "
+
+ list=$(list_guests "$uri")
+ if [ $? -eq 0 ]; then
+ empty=true
+ for uuid in $list; do
+ "$empty" || printf ", "
+ printf %s "$(guest_name "$uri" "$uuid")"
+ empty=false
+ done
+
+ if "$empty"; then
+ gettext "no running guests."
+ fi
+ echo
+ fi
+
+ if "$suspending"; then
+ transient=$(list_guests "$uri" "--transient")
+ if [ $? -eq 0 ]; then
+ empty=true
+ for uuid in $transient; do
+ if "$empty"; then
+ eval_gettext "Not suspending transient guests on URI: \$uri: "
+ empty=false
+ else
+ printf ", "
+ fi
+ printf %s "$(guest_name "$uri" "$uuid")"
+ done
+ echo
+ # reload domain list to contain only persistent guests
+ list=$(list_guests "$uri" "--persistent")
+ if [ $? -ne 0 ]; then
+ eval_gettext "Failed to list persistent guests on \$uri"
+ echo
+ RETVAL=1
+ set +f
+ return
+ fi
+ else
+ gettext "Failed to list transient guests"
+ echo
+ RETVAL=1
+ set +f
+ return
+ fi
+ fi
+
+ if [ -n "$list" ]; then
+ echo "$uri" $list >>"$LISTFILE"
+ fi
+ done
+ set +f
+
+ if [ -s "$LISTFILE" ]; then
+ while read uri list; do
+ if "$suspending"; then
+ eval_gettext "Suspending guests on \$uri URI..."; echo
+ else
+ eval_gettext "Shutting down guests on \$uri URI..."; echo
+ fi
+
+ if [ "$PARALLEL_SHUTDOWN" -gt 1 ] &&
+ ! "$suspending"; then
+ shutdown_guests_parallel "$uri" "$list"
+ else
+ for guest in $list; do
+ if "$suspending"; then
+ suspend_guest "$uri" "$guest"
+ else
+ shutdown_guest "$uri" "$guest"
+ fi
+ done
+ fi
+ done <"$LISTFILE"
+ else
+ rm -f "$LISTFILE"
+ fi
+
+ rm -f "$VAR_SUBSYS_LIBVIRT_GUESTS"
+}
+
+# gueststatus
+# List status of guests
+gueststatus() {
+ set -f
+ for uri in $URIS; do
+ set +f
+ echo "* $uri URI:"
+ retval run_virsh "$uri" list | grep -v "Domain-0" || echo
+ done
+ set +f
+}
+
+# rh_status
+# Display current status: whether saved state exists, and whether start
+# has been executed.
+rh_status() {
+ if [ -f "$LISTFILE" ]; then
+ gettext "stopped, with saved guests"; echo
+ RETVAL=3
+ else
+ if [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ]; then
+ gettext "started"; echo
+ RETVAL=0
+ else
+ gettext "stopped, with no saved guests"; echo
+ RETVAL=3
+ fi
+ fi
+}
+
+# usage [val]
+# Display usage string, then exit with VAL (defaults to 2).
+usage() {
+ program_name=$0
+ eval_gettext "Usage: \$program_name {start|stop|status|restart|"\
+"condrestart|try-restart|reload|force-reload|gueststatus|shutdown}"; echo
+ exit ${1-2}
+}
+
+# See how we were called.
+if test $# != 1; then
+ usage
+fi
+case "$1" in
+ --help)
+ usage 0
+ ;;
+ start|stop|gueststatus)
+ "$1"
+ ;;
+ restart)
+ stop && start
+ ;;
+ condrestart|try-restart)
+ [ -f "$VAR_SUBSYS_LIBVIRT_GUESTS" ] && stop && start
+ ;;
+ reload|force-reload)
+ # Nothing to do; we reread configuration on each invocation
+ ;;
+ status)
+ rh_status
+ ;;
+ shutdown)
+ ON_SHUTDOWN=shutdown
+ stop
+ ;;
+ *)
+ usage
+ ;;
+esac
+exit $RETVAL
--- /dev/null
+#! /bin/sh
+#
+# Init script for libvirtd
+#
+# (c) 2007 Guido Guenther <agx@sigxcpu.org>
+# based on the skeletons that comes with dh_make
+#
+### BEGIN INIT INFO
+# Provides: libvirtd
+# Required-Start: $network $local_fs $remote_fs $syslog virtlogd
+# Required-Stop: $local_fs $remote_fs $syslog virtlogd
+# Should-Start: avahi-daemon cgconfig
+# Should-Stop: avahi-daemon cgconfig
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: libvirt management daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+export PATH
+DAEMON=/usr/sbin/libvirtd
+NAME=libvirtd
+DESC="libvirt management daemon"
+cgroups="cpuset cpu cpuacct devices freezer net_cls blkio perf_event"
+! grep -qs cgroup_enable=memory /proc/cmdline || cgroups="$cgroups memory"
+
+test -x $DAEMON || exit 0
+. /lib/lsb/init-functions
+
+PIDFILE=/var/run/$NAME.pid
+DODTIME=1 # Time to wait for the server to die, in seconds
+
+# Include libvirtd defaults if available
+if [ -f /etc/default/libvirtd ] ; then
+ . /etc/default/libvirtd
+fi
+
+check_start_libvirtd_option() {
+ if [ ! "$start_libvirtd" = "yes" ]; then
+ log_warning_msg "Not starting libvirt management daemon libvirtd, disabled via /etc/default/libvirtd"
+ return 1
+ else
+ return 0
+ fi
+}
+
+running_pid()
+{
+ # Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+ # Is this the expected child?
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running()
+{
+# Check if the process is running looking at /proc
+# (works for all users)
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ # Obtain the pid and check it against the binary name
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+systemd_running()
+{
+ if [ -d /run/systemd/system ] ; then
+ return 0
+ fi
+ return 1
+}
+
+mount_cgroups()
+{
+ if ! systemd_running
+ then
+ mount -t tmpfs cgroup_root /sys/fs/cgroup || return 1
+ for M in $cgroups; do
+ mkdir /sys/fs/cgroup/$M || return 1
+ mount -t cgroup -o rw,nosuid,nodev,noexec,relatime,$M "cgroup_${M}" "/sys/fs/cgroup/${M}" || return 1
+ done
+ else
+ log_warning_msg "Systemd running, skipping cgroup mount."
+ fi
+
+}
+
+umount_cgroups()
+{
+ if ! systemd_running
+ then
+ for M in $cgroups; do
+ umount "cgroup_${M}"
+ rmdir /sys/fs/cgroup/$M
+ done
+ umount cgroup_root
+ else
+ log_warning_msg "Systemd running, skipping cgroup mount."
+ fi
+}
+
+check_mount_cgroup_options() {
+ if [ ! "$mount_cgroups" = "yes" ]; then
+ return 1
+ else
+ return 0
+ fi
+}
+
+force_stop() {
+# Forcefully kill the process
+ [ ! -f "$PIDFILE" ] && return
+ if running ; then
+ kill -15 $pid
+ # Is it really dead?
+ [ -n "$DODTIME" ] && sleep "$DODTIME"s
+ if running ; then
+ kill -9 $pid
+ [ -n "$DODTIME" ] && sleep "$DODTIME"s
+ if running ; then
+ echo "Cannot kill $LABEL (pid=$pid)!"
+ exit 1
+ fi
+ fi
+ fi
+ rm -f $PIDFILE
+ return 0
+}
+
+case "$1" in
+ start)
+ if check_start_libvirtd_option; then
+ log_daemon_msg "Starting $DESC" "$NAME"
+ if running ; then
+ log_progress_msg "already running"
+ log_end_msg 0
+ exit 0
+ fi
+ rm -f /var/run/libvirtd.pid
+ if check_mount_cgroup_options; then
+ if ! mount_cgroups;then
+ log_warning_msg "Can not mount cgroups layout"
+ exit 1
+ fi
+ fi
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- -d $libvirtd_opts
+ if running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ if ! running ; then
+ log_progress_msg "not running"
+ log_end_msg 0
+ exit 0
+ fi
+ if check_mount_cgroup_options; then
+ umount_cgroups
+ fi
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+ --exec $DAEMON
+ log_end_msg 0
+ ;;
+ force-stop)
+ log_daemon_msg "Forcefully stopping $DESC" "$NAME"
+ force_stop
+ if ! running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ restart)
+ if check_start_libvirtd_option; then
+ log_daemon_msg "Restarting $DESC" "$DAEMON"
+ start-stop-daemon --oknodo --stop --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON
+ [ -n "$DODTIME" ] && sleep $DODTIME
+ start-stop-daemon --start --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts
+ if running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ fi
+ ;;
+ reload|force-reload)
+ if running; then
+ log_daemon_msg "Reloading configuration of $DESC" "$NAME"
+ start-stop-daemon --stop --signal 1 --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON
+ log_end_msg 0
+ else
+ log_warning_msg "libvirtd not running, doing nothing."
+ fi
+ ;;
+ status)
+ log_daemon_msg "Checking status of $DESC" "$NAME"
+ if running ; then
+ log_progress_msg "running"
+ log_end_msg 0
+ else
+ log_progress_msg "not running"
+ log_end_msg 1
+ if [ -f "$PIDFILE" ] ; then
+ exit 1
+ else
+ exit 3
+ fi
+ fi
+ ;;
+ *)
+ N=/etc/init.d/libvirtd
+ echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+#! /bin/sh
+#
+# Init script for virtlogd
+#
+# (c) 2015 Guido Guenther <agx@sigxcpu.org>
+# based on the skeletons that comes with dh_make
+#
+### BEGIN INIT INFO
+# Provides: virtlogd
+# Required-Start: $local_fs $remote_fs $syslog
+# Required-Stop: $local_fs $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Libvirt logging daemon
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+export PATH
+DAEMON=/usr/sbin/virtlogd
+NAME=virtlogd
+DESC="libvirt logging daemon"
+
+test -x $DAEMON || exit 0
+. /lib/lsb/init-functions
+
+PIDFILE=/var/run/$NAME.pid
+DODTIME=1 # Time to wait for the server to die, in seconds
+
+# Include libvirtd defaults if available
+if [ -f /etc/default/virtlogd ] ; then
+ . /etc/default/virtlogd
+fi
+
+running_pid()
+{
+ # Check if a given process pid's cmdline matches a given name
+ pid=$1
+ name=$2
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+ # Is this the expected child?
+ [ "$cmd" != "$name" ] && return 1
+ return 0
+}
+
+running()
+{
+# Check if the process is running looking at /proc
+# (works for all users)
+ # No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ # Obtain the pid and check it against the binary name
+ pid=`cat $PIDFILE`
+ running_pid $pid $DAEMON || return 1
+ return 0
+}
+
+force_stop() {
+# Forcefully kill the process
+ [ ! -f "$PIDFILE" ] && return
+ if running ; then
+ kill -15 $pid
+ # Is it really dead?
+ [ -n "$DODTIME" ] && sleep "$DODTIME"s
+ if running ; then
+ kill -9 $pid
+ [ -n "$DODTIME" ] && sleep "$DODTIME"s
+ if running ; then
+ echo "Cannot kill $LABEL (pid=$pid)!"
+ exit 1
+ fi
+ fi
+ fi
+ rm -f $PIDFILE
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC" "$NAME"
+ if running ; then
+ log_progress_msg "already running"
+ log_end_msg 0
+ exit 0
+ fi
+ rm -f $PIDFILE
+ start-stop-daemon --start --quiet --pidfile $PIDFILE \
+ --exec $DAEMON -- -d $VIRTLOGD_ARGS
+ if running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ if ! running ; then
+ log_progress_msg "not running"
+ log_end_msg 0
+ exit 0
+ fi
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE \
+ --exec $DAEMON
+ log_end_msg 0
+ ;;
+ force-stop)
+ log_daemon_msg "Forcefully stopping $DESC" "$NAME"
+ force_stop
+ if ! running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$DAEMON"
+ start-stop-daemon --oknodo --stop --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON
+ [ -n "$DODTIME" ] && sleep $DODTIME
+ start-stop-daemon --start --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON -- -d $libvirtd_opts
+ if running; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ reload|force-reload)
+ if running; then
+ log_daemon_msg "Reloading configuration of $DESC" "$NAME"
+ start-stop-daemon --stop --signal 1 --quiet --pidfile \
+ /var/run/$NAME.pid --exec $DAEMON
+ log_end_msg 0
+ else
+ log_warning_msg "libvirtd not running, doing nothing."
+ fi
+ ;;
+ status)
+ log_daemon_msg "Checking status of $DESC" "$NAME"
+ if running ; then
+ log_progress_msg "running"
+ log_end_msg 0
+ else
+ log_progress_msg "not running"
+ log_end_msg 1
+ if [ -f "$PIDFILE" ] ; then
+ exit 1
+ else
+ exit 3
+ fi
+ fi
+ ;;
+ *)
+ N=/etc/init.d/libvirtd
+ echo "Usage: $N {start|stop|restart|reload|force-reload|status|force-stop}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt admin connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "admin=libvirtd:///system",
+#]
+
+# This specifies the default location the client tries to connect to if no other
+# URI is provided by the application
+
+#uri_default = "libvirtd:///system"
--- /dev/null
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "hail=qemu+ssh://root@hail.cloud.example.com/system",
+# "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+#uri_default = "qemu:///system"
--- /dev/null
+# Master libvirt daemon configuration file
+#
+# For further information consult https://libvirt.org/format.html
+#
+# NOTE: the tests/daemon-conf regression test script requires
+# that each "PARAMETER = VALUE" line in this file have the parameter
+# name just after a leading "#".
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+# Flag toggling mDNS advertizement of the libvirt service.
+#
+# Alternatively can disable for all services on a host by
+# stopping the Avahi daemon
+#
+# This is disabled by default, uncomment this to enable it
+#mdns_adv = 1
+
+# Override the default mDNS advertizement name. This must be
+# unique on the immediate broadcast network.
+#
+# The default is "Virtualization Host HOSTNAME", where HOSTNAME
+# is substituted for the short hostname of the machine (without domain)
+#
+#mdns_name = "Virtualization Host Joe Demo"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This is restricted to 'root' by default.
+unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#unix_sock_dir = "/var/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the POSIX fnmatch function for the format of the wildcards.
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+# Note: Journald may employ rate limiting of the messages logged
+# and thus lock up the libvirt daemon. To use the debug level with
+# journald you have to specify it explicitly in 'log_outputs', otherwise
+# only information level messages will be logged.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+
+# where name is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json" (the name in the
+# filter can be a substring of the full category name, in order
+# to match multiple similar categories), the optional "+" prefix
+# tells libvirt to log stack trace for each message matching
+# name, and x is the minimal level where matching messages should
+# be logged:
+
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# x:journald
+# output to journald logging system
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+#
+
+# Log debug buffer size:
+#
+# This configuration option is no longer used, since the global
+# log buffer functionality has been removed. Please configure
+# suitable log_outputs/log_filters settings to obtain logs.
+#log_buffer_size = 64
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used. There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5
--- /dev/null
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the <disk> devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the <disk> file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
--- /dev/null
+# Master configuration file for the libxl driver.
+# All settings described here are optional. If omitted, sensible
+# defaults are used.
+
+# Enable autoballooning of domain0
+#
+# By default, autoballooning of domain0 is enabled unless its memory
+# is already limited with Xen's "dom0_mem=" parameter, in which case
+# autoballooning is disabled. Override the default behavior with the
+# autoballoon setting.
+#
+#autoballoon = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files: sanlock and virtlockd. sanlock is an external
+# project which libvirt integrates with via the libvirt-lock-sanlock
+# package. virtlockd is a libvirt implementation that is enabled with
+# "lockd". Accepted values are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+# Keepalive protocol:
+# This allows the libxl driver to detect broken connections to the
+# remote libvirtd during peer-to-peer migration. A keepalive message
+# is sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent to
+# the daemon without getting any response before the connection is
+# considered broken. In other words, the connection is automatically
+# closed after approximately keepalive_interval * (keepalive_count + 1)
+# seconds since the last message was received from the daemon. If
+# keepalive_interval is set to -1, the libxl driver will not send
+# keepalive requests during peer-to-peer migration; however, the remote
+# libvirtd can still send them and source libvirtd will send responses.
+# When keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without sending
+# any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
--- /dev/null
+# Master configuration file for the LXC driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, log messages generated by the lxc controller go to the
+# container logfile. It is also possible to accumulate log messages
+# from all lxc controllers along with libvirtd's log outputs. In this
+# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
+# log_outputs from libvirtd.conf.
+#
+# This is disabled by default, uncomment below to enable it.
+#
+#log_with_libvirtd = 1
+
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable LXC SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 0.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-arp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-arp' chain='arp' priority='-500'>
+ <uuid>49cdc163-2256-41bf-a493-83dd68636f4a</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp-server
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
+ <uuid>b45a2be5-4de7-41e5-9bf7-529cedb55419</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp' chain='ipv4' priority='-700'>
+ <uuid>fcce2359-479a-48f1-91b8-4ced48a02bac</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-incoming-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
+ <uuid>4c4ef777-1f4b-4f41-836b-551e6ba7bbfe</uuid>
+ <rule action='accept' direction='in' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-ipv4' chain='ipv4' priority='-700'>
+ <uuid>f00ad379-eac4-4b69-a6e7-b9e1883204a1</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit clean-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='clean-traffic' chain='root'>
+ <uuid>cc37ae21-ce67-427f-8fe6-59ca5a382055</uuid>
+ <filterref filter='no-mac-spoofing'/>
+ <filterref filter='no-ip-spoofing'/>
+ <rule action='accept' direction='out' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+ <filterref filter='allow-incoming-ipv4'/>
+ <filterref filter='no-arp-spoofing'/>
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+ <filterref filter='no-other-l2-traffic'/>
+ <filterref filter='qemu-announce-self'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <uuid>e48edfe6-0f22-4dae-92b3-e30d65d0ffe9</uuid>
+ <rule action='return' direction='out' priority='400'>
+ <arp arpsrcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <uuid>0cacea96-9a8e-44f9-a538-06f0b16d9633</uuid>
+ <rule action='return' direction='out' priority='350'>
+ <arp arpsrcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-spoofing' chain='root'>
+ <uuid>cc007e40-3015-4666-918c-a985b28f61c4</uuid>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-multicast
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
+ <uuid>d9a3c4e8-6f6e-414c-aa69-d4f39de10f8c</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <uuid>c4328ea7-72e0-4b6e-8ff1-98cdd1dcd6f6</uuid>
+ <rule action='return' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp'/>
+ </rule>
+ <rule action='return' direction='out' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-broadcast
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
+ <uuid>1c1e0a7f-9def-4601-8062-e6206d3f500c</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <uuid>bbc85970-2e86-487a-969b-24eb96a29793</uuid>
+ <rule action='return' direction='out' priority='500'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <mac/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-l2-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-l2-traffic' chain='root'>
+ <uuid>79adc489-a486-4d83-ae77-9cfc76357bcf</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-rarp-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
+ <uuid>5e268392-e9bd-46fa-80fa-caedd8636615</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self-rarp
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
+ <uuid>a2830f77-47f7-4124-b1bb-3a1a24499e81</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self' chain='root'>
+ <uuid>9f30a1dc-a9f0-4968-8d08-ca1d18ec8063</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <mac protocolid='0x835'/>
+ </rule>
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+</filter>
--- /dev/null
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the <disk> devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the <disk> file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
--- /dev/null
+#
+# The default sanlock configuration requires the management
+# application to manually define <lease> elements in the
+# guest configuration, typically one lease per disk. An
+# alternative is to enable "auto disk lease" mode. In this
+# usage, libvirt will automatically create a lockspace and
+# lease for each fully qualified disk path. This works if
+# you are able to ensure stable, unique disk paths across
+# all hosts in a network.
+#
+# Uncomment this to enable automatic lease creation.
+#
+# NB: the 'host_id' parameter must be set if enabling this
+#
+#auto_disk_leases = 1
+
+#
+# The default location in which lockspaces are created when
+# automatic lease creation is enabled. For each unique disk
+# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created
+# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path.
+#
+# If this directory is on local storage, it will only protect
+# against a VM being started twice on the same host, or two
+# guests on the same host using the same disk path. If the
+# directory is on NFS, then it can protect against concurrent
+# usage across all hosts which have the share mounted.
+#
+# Recommendation is to just mount this default location as
+# an NFS volume. Uncomment this, if you would prefer the mount
+# point to be somewhere else. Moreover, please make sure
+# sanlock daemon can access the specified path.
+#
+#disk_lease_dir = "/var/lib/libvirt/sanlock"
+
+#
+# The unique ID for this host.
+#
+# IMPORTANT: *EVERY* host which can access the filesystem mounted
+# at 'disk_lease_dir' *MUST* be given a different host ID.
+#
+# This parameter has no default and must be manually set if
+# 'auto_disk_leases' is enabled
+#host_id = 1
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+#
+# Sanlock is able to kill qemu processes on IO timeout. By its internal
+# implementation, the current default is 80 seconds. If you need to adjust
+# the value change the following variable. Value of zero means use the
+# default sanlock timeout.
+#io_timeout = 0
+
+#
+# The combination of user and group under which the sanlock
+# daemon runs. Libvirt will chown created files (like
+# content of disk_lease_dir) to make sure sanlock daemon can
+# access them. Accepted values are described in qemu.conf.
+#user = "root"
+#group = "root"
--- /dev/null
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# and optionally may contain
+#
+# dh-params.pem - the DH params configuration file
+#
+# If the directory does not exist, libvirtd will fail to start. If the
+# directory doesn't contain the necessary files, QEMU domains will fail
+# to start if they are configured to use TLS.
+#
+# In order to overwrite the default path alter the following. This path
+# definition will be used as the default path for other *_tls_x509_cert_dir
+# configuration settings if their default path does not exist or is not
+# specifically set.
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+# The default_tls_x509_cert_dir directory must also contain
+#
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#default_tls_x509_verify = 1
+
+#
+# Libvirt assumes the server-key.pem file is unencrypted by default.
+# To use an encrypted server-key.pem file, the password to decrypt
+# the PEM file is required. This can be provided by creating a secret
+# object in libvirt and then to uncomment this setting to set the UUID
+# of the secret.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#vnc_listen = "0.0.0.0"
+
+# Enable this option to have VNC served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most VNC clients do not support it.
+#
+# This will only be enabled for VNC configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over vnc_listen.
+#
+#vnc_auto_unix_socket = 1
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#vnc_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vnc_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 bytes are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out. An empty
+# string will still enable passwords, but be rejected by QEMU,
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this.
+#
+#vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#vnc_sasl_dir = "/some/directory/sasl2"
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+#vnc_allow_host_audio = 0
+
+
+
+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#spice_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but spice_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out. An
+# empty string will still enable passwords, but be rejected by
+# QEMU, effectively preventing any use of SPICE. Obviously change
+# this example here before you set this.
+#
+#spice_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chardev_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but chardev_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#chardev_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vxhs_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a VxHS directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default, if no graphical front end is configured, libvirt will disable
+# QEMU audio output since directly talking to alsa/pulseaudio may not work
+# with various security settings. If you know what you're doing, enable
+# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+# environment variable when using nographics.
+#
+#nographics_allow_host_audio = 1
+
+
+# Override the port for creating both VNC and SPICE sessions (min).
+# This defaults to 5900 and increases for consecutive sessions
+# or when ports are occupied, until it hits the maximum.
+#
+# Minimum must be greater than or equal to 5900 as lower number would
+# result into negative vnc display number.
+#
+# Maximum must be less than 65536, because higher numbers do not make
+# sense as a port number.
+#
+#remote_display_port_min = 5900
+#remote_display_port_max = 65535
+
+# VNC WebSocket port policies, same rules apply as with remote display
+# ports. VNC WebSockets use similar display <-> port mappings, with
+# the exception being that ports start from 5700 instead of 5900.
+#
+#remote_websocket_port_min = 5700
+#remote_websocket_port_max = 65535
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable QEMU SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead. It's also possible to use more than one security
+# driver at the same time, for this use a list of names separated by
+# comma and delimited by square brackets. For example:
+#
+# security_driver = [ "selinux", "apparmor" ]
+#
+# Notes: The DAC security driver is always enabled; as a result, the
+# value of security_driver cannot contain "dac". The value "none" is
+# a special value; security_driver can be set to that value in
+# isolation, but it cannot appear in a list of drivers.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 1.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
+
+# The user for QEMU processes run by the system instance. It can be
+# specified as a user name or as a user id. The qemu driver will try to
+# parse this value first as a name and then, if the name doesn't exist,
+# as a user id.
+#
+# Since a sequence of digits is a valid user name, a leading plus sign
+# can be used to ensure that a user id will not be interpreted as a user
+# name.
+#
+# Some examples of valid values are:
+#
+# user = "qemu" # A user named "qemu"
+# user = "+0" # Super user (uid=0)
+# user = "100" # A user named "100" or a user with uid=100
+#
+#user = "root"
+
+# The group for QEMU processes run by the system instance. It can be
+# specified in a similar way to user.
+#group = "root"
+
+# Whether libvirt should dynamically change file ownership
+# to match the configured user/group above. Defaults to 1.
+# Set to 0 to disable file ownership changes.
+#dynamic_ownership = 1
+
+
+# What cgroup controllers to make use of with QEMU guests
+#
+# - 'cpu' - use for scheduler tunables
+# - 'devices' - use for device whitelisting
+# - 'memory' - use for memory tunables
+# - 'blkio' - use for block devices I/O tunables
+# - 'cpuset' - use for CPUs and memory nodes
+# - 'cpuacct' - use for CPUs statistics.
+#
+# NB, even if configured here, they won't be used unless
+# the administrator has mounted cgroups, e.g.:
+#
+# mkdir /dev/cgroup
+# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+#
+# They can be mounted anywhere, and different controllers
+# can be mounted in different locations. libvirt will detect
+# where they are located.
+#
+#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
+# This is the basic set of devices allowed / required by
+# all virtual machines.
+#
+# As well as this, any configured block backed disks,
+# all sound device, and all PTY devices are allowed.
+#
+# This will only need setting if newer QEMU suddenly
+# wants some device we don't already know about.
+#
+#cgroup_device_acl = [
+# "/dev/null", "/dev/full", "/dev/zero",
+# "/dev/random", "/dev/urandom",
+# "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
+# "/dev/rtc","/dev/hpet"
+#]
+#
+# RDMA migration requires the following extra files to be added to the list:
+# "/dev/infiniband/rdma_cm",
+# "/dev/infiniband/issm0",
+# "/dev/infiniband/issm1",
+# "/dev/infiniband/umad0",
+# "/dev/infiniband/umad1",
+# "/dev/infiniband/uverbs0"
+
+
+# The default format for QEMU/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file. If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space. If you would like to compress the images while they
+# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+# for save_image_format. Note that this means you slow down the process of
+# saving a domain in order to save disk space; the list above is in descending
+# order by performance and ascending order by compression ratio.
+#
+# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+# at scheduled saving, and it is an error if the specified save_image_format
+# is not valid, or the requested compression program can't be found.
+#
+# dump_image_format is used when you use 'virsh dump' at emergency
+# crashdump, and if the specified dump_image_format is not valid, or
+# the requested compression program can't be found, this falls
+# back to "raw" compression.
+#
+# snapshot_image_format specifies the compression algorithm of the memory save
+# image when an external snapshot of a domain is taken. This does not apply
+# on disk image format. It is an error if the specified format isn't valid,
+# or the requested compression program can't be found.
+#
+#save_image_format = "raw"
+#dump_image_format = "raw"
+#snapshot_image_format = "raw"
+
+# When a domain is configured to be auto-dumped when libvirtd receives a
+# watchdog event from qemu guest, libvirtd will save dump files in directory
+# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+#
+#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
+# When a domain is configured to be auto-dumped, enabling this flag
+# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+# virDomainCoreDump API. That is, the system will avoid using the
+# file system cache while writing the dump file, but may cause
+# slower operation.
+#
+#auto_dump_bypass_cache = 0
+
+# When a domain is configured to be auto-started, enabling this flag
+# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+# with the virDomainCreateWithFlags API. That is, the system will
+# avoid using the file system cache when restoring any managed state
+# file, but may cause slower operation.
+#
+#auto_start_bypass_cache = 0
+
+# If provided by the host and a hugetlbfs mount point is configured,
+# a guest may request huge page backing. When this mount point is
+# unspecified here, determination of a host mount point in /proc/mounts
+# will be attempted. Specifying an explicit mount overrides detection
+# of the same in /proc/mounts. Setting the mount point to "" will
+# disable guest hugepage backing. If desired, multiple mount points can
+# be specified at once, separated by comma and enclosed in square
+# brackets, for example:
+#
+# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+#
+# The size of huge page served by specific mount point is determined by
+# libvirt at the daemon startup.
+#
+# NB, within these mount points, guests will create memory backing
+# files in a location of $MOUNTPOINT/libvirt/qemu
+#
+#hugetlbfs_mount = "/dev/hugepages"
+
+
+# Path to the setuid helper for creating tap devices. This executable
+# is used to create <source type='bridge'> interfaces when libvirtd is
+# running unprivileged. libvirt invokes the helper directly, instead
+# of using "-netdev bridge", for security reasons.
+#bridge_helper = "/usr/libexec/qemu-bridge-helper"
+
+
+
+# If clear_emulator_capabilities is enabled, libvirt will drop all
+# privileged capabilities of the QEmu/KVM emulator. This is enabled by
+# default.
+#
+# Warning: Disabling this option means that a compromised guest can
+# exploit the privileges and possibly do damage to the host.
+#
+#clear_emulator_capabilities = 1
+
+
+# If enabled, libvirt will have QEMU set its process name to
+# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
+# process will appear as "qemu:VM_NAME" in process listings and
+# other system monitoring tools. By default, QEMU does not set
+# its process title, so the complete QEMU command (emulator and
+# its arguments) appear in process listings.
+#
+#set_process_name = 1
+
+
+# If max_processes is set to a positive integer, libvirt will use
+# it to set the maximum number of processes that can be run by qemu
+# user. This can be used to override default value set by host OS.
+# The same applies to max_files which sets the limit on the maximum
+# number of opened files.
+#
+#max_processes = 0
+#max_files = 0
+
+# If max_core is set to a non-zero integer, then QEMU will be
+# permitted to create core dumps when it crashes, provided its
+# RAM size is smaller than the limit set.
+#
+# Be warned that the core dump will include a full copy of the
+# guest RAM, if the 'dump_guest_core' setting has been enabled,
+# or if the guest XML contains
+#
+# <memory dumpcore="on">...guest ram...</memory>
+#
+# If guest RAM is to be included, ensure the max_core limit
+# is set to at least the size of the largest expected guest
+# plus another 1GB for any QEMU host side memory mappings.
+#
+# As a special case it can be set to the string "unlimited" to
+# to allow arbitrarily sized core dumps.
+#
+# By default the core dump size is set to 0 disabling all dumps
+#
+# Size is a positive integer specifying bytes or the
+# string "unlimited"
+#
+#max_core = "unlimited"
+
+# Determine if guest RAM is included in QEMU core dumps. By
+# default guest RAM will be excluded if a new enough QEMU is
+# present. Setting this to '1' will force guest RAM to always
+# be included in QEMU core dumps.
+#
+# This setting will be ignored if the guest XML has set the
+# dumpcore attribute on the <memory> element.
+#
+#dump_guest_core = 1
+
+# mac_filter enables MAC addressed based filtering on bridge ports.
+# This currently requires ebtables to be installed.
+#
+#mac_filter = 1
+
+
+# By default, PCI devices below non-ACS switch are not allowed to be assigned
+# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
+# be assigned to guests.
+#
+#relaxed_acs_check = 1
+
+
+# If allow_disk_format_probing is enabled, libvirt will probe disk
+# images to attempt to identify their format, when not otherwise
+# specified in the XML. This is disabled by default.
+#
+# WARNING: Enabling probing is a security hole in almost all
+# deployments. It is strongly recommended that users update their
+# guest XML <disk> elements to include <driver type='XXXX'/>
+# elements instead of enabling this option.
+#
+#allow_disk_format_probing = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files. The first one is sanlock, the other one,
+# virtlockd, is then our own implementation. Accepted values
+# are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+
+# Set limit of maximum APIs queued on one domain. All other APIs
+# over this threshold will fail on acquiring job lock. Specially,
+# setting to zero turns this feature off.
+# Note, that job lock is per domain.
+#
+#max_queued = 0
+
+###################################################################
+# Keepalive protocol:
+# This allows qemu driver to detect broken connections to remote
+# libvirtd during peer-to-peer migration. A keepalive message is
+# sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent
+# to the daemon without getting any response before the connection
+# is considered broken. In other words, the connection is
+# automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the daemon. If keepalive_interval is set to
+# -1, qemu driver will not send keepalive requests during
+# peer-to-peer migration; however, the remote libvirtd can still
+# send them and source libvirtd will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+
+
+# Use seccomp syscall whitelisting in QEMU.
+# 1 = on, 0 = off, -1 = use QEMU default
+# Defaults to -1.
+#
+#seccomp_sandbox = 1
+
+
+# Override the listen address for all incoming migrations. Defaults to
+# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
+#migration_address = "0.0.0.0"
+
+
+# The default hostname or IP address which will be used by a migration
+# source for transferring migration data to this host. The migration
+# source has to be able to resolve this hostname and connect to it so
+# setting "localhost" will not work. By default, the host's configured
+# hostname is used.
+#migration_host = "host.example.com"
+
+
+# Override the port range used for incoming migrations.
+#
+# Minimum must be greater than 0, however when QEMU is not running as root,
+# setting the minimum to be lower than 1024 will not work.
+#
+# Maximum must not be greater than 65535.
+#
+#migration_port_min = 49152
+#migration_port_max = 49215
+
+
+
+# Timestamp QEMU's log messages (if QEMU supports it)
+#
+# Defaults to 1.
+#
+#log_timestamp = 0
+
+
+# Location of master nvram file
+#
+# When a domain is configured to use UEFI instead of standard
+# BIOS it may use a separate storage for UEFI variables. If
+# that's the case libvirt creates the variable store per domain
+# using this master file as image. Each UEFI firmware can,
+# however, have different variables store. Therefore the nvram is
+# a list of strings when a single item is in form of:
+# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
+# Later, when libvirt creates per domain variable store, this list is
+# searched for the master image. The UEFI firmware can be called
+# differently for different guest architectures. For instance, it's OVMF
+# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
+# follows this scheme.
+#nvram = [
+# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
+# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
+# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
+# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
+#]
+
+# The backend to use for handling stdout/stderr output from
+# QEMU processes.
+#
+# 'file': QEMU writes directly to a plain file. This is the
+# historical default, but allows QEMU to inflict a
+# denial of service attack on the host by exhausting
+# filesystem space
+#
+# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
+# This is the current default, providing protection
+# against denial of service by performing log file
+# rollover when a size limit is hit.
+#
+#stdio_handler = "logd"
+
+# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+# most verbose, and 0 representing no debugging output.
+#
+# The current logging levels defined in the gluster GFAPI are:
+#
+# 0 - None
+# 1 - Emergency
+# 2 - Alert
+# 3 - Critical
+# 4 - Error
+# 5 - Warning
+# 6 - Notice
+# 7 - Info
+# 8 - Debug
+# 9 - Trace
+#
+# Defaults to 4
+#
+#gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of creating private namespaces
+# for each domain started. Well, so far only "mount" namespace is supported. If
+# enabled it means qemu process is unable to see all the devices on the system,
+# only those configured for the domain in question. Libvirt then manages
+# devices entries throughout the domain lifetime. This namespace is turned on
+# by default.
+#namespaces = [ "mount" ]
+
+# This directory is used for memoryBacking source if configured as file.
+# NOTE: big files will be stored here
+#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
+# The following two values set the default RX/TX ring buffer size for virtio
+# interfaces. These values are taken unless overridden in domain XML. For more
+# info consult docs to corresponding attributes from domain XML.
+#rx_queue_size = 1024
+#tx_queue_size = 1024
--- /dev/null
+/etc/libvirt/qemu/networks/default.xml
\ No newline at end of file
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh net-edit default
+or other application using the libvirt API.
+-->
+
+<network>
+ <name>default</name>
+ <uuid>a111fef7-d376-453e-916c-4acde8cdd18c</uuid>
+ <forward mode='nat'/>
+ <bridge name='virbr0' stp='on' delay='0'/>
+ <mac address='52:54:00:b9:69:25'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='192.168.122.2' end='192.168.122.254'/>
+ </dhcp>
+ </ip>
+</network>
--- /dev/null
+# Master configuration file for the virt-login-shell program.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, virt-login-shell will connect you to a container running
+# with the /bin/sh program. Modify the shell variable if you want your
+# users to run a different shell or a setup container when joining a
+# container.
+#
+# This can either be just the path to a shell binary:
+#
+# shell = "/bin/bash"
+#
+# Or can be the path and extra arguments
+#
+# shell = [ "/bin/bash", "--posix" ]
+#
+# Note there is no need to pass a '--login' / '-l' argument since
+# virt-login-shell will always request a login shell
+
+# Normally virt-login-shell will always use the shell identified
+# by the 'shell' configuration setting above. If the container
+# is running a full OS, it might be desirable to allow the choice
+# of shell to be delegated to the owner of the shell, by querying
+# the /etc/passwd file inside the container
+#
+# To allow for that, uncomment the following:
+# auto_shell = 1
+#
+# NB, this should /not/ be used if any container is sharing the
+# host filesystem /etc, as this would cause virt-login-shell to
+# look at the host's /etc/passwd finding itself as the listed
+# shell. Hilarious recursion would then ensue.
+
+# allowed_users specifies the user names of all users that are allowed to
+# execute virt-login-shell. You can specify the users as a comma
+# separated list of usernames or user groups.
+# The list of names support glob syntax.
+# To disallow all users (default)
+# allowed_users = []
+# If you do not specify any names (default) then no one is allowed
+# to use this executable.
+# To allow fred and joe only
+# allowed_users = ["fred", "joe"]
+# To allow all users within a specific group prefix the group name with %.
+# allowed_users = ["%engineers"]
+# To allow all users specify the following
+# allowed_users = [ "*" ]
--- /dev/null
+# Master virtlockd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+# where name is a string which is matched against source file name,
+# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
+# tells libvirt to log stack trace for each message matching name,
+# and x is the minimal level where matching messages should be logged:
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlockd ident:
+#log_outputs="3:syslog:virtlockd"
+#
+
+# Log debug buffer size:
+#
+# This configuration option is no longer used, since the global
+# log buffer functionality has been removed. Please configure
+# suitable log_outputs/log_filters settings to obtain logs.
+#log_buffer_size = 64
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+# Each running virtual machine will require one open connection
+# to virtlockd. So 'max_clients' will affect how many VMs can
+# be run on a host
+#max_clients = 1024
--- /dev/null
+# Master virtlogd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs
+# The format for a filter is one of:
+# x:name
+# x:+name
+# where name is a string which is matched against source file name,
+# e.g., "remote", "qemu", or "util/json", the optional "+" prefix
+# tells libvirt to log stack trace for each message matching name,
+# and x is the minimal level where matching messages should be logged:
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filter can be defined in a single @filters, they just need to be
+# separated by spaces.
+#
+# e.g. to only get warning or errors from the remote layer and only errors
+# from the event layer:
+#log_filters="3:remote 4:event"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# x:stderr
+# output goes to stderr
+# x:syslog:name
+# use syslog for the output and use the given name as the ident
+# x:file:file_path
+# output to a file, with the given filepath
+# x:journald
+# ouput to the systemd journal
+# In all case the x prefix is the minimal level, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple output can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlogd ident:
+#log_outputs="3:syslog:virtlogd"
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 1024
+
+
+# Maximum file size before rolling over. Defaults to 2 MB
+#max_size = 2097152
+
+# Maximum number of backup files to keep. Defaults to 3,
+# not including the primary active file
+#max_backups = 3
--- /dev/null
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+/var/log/libvirt/libxl/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
--- /dev/null
+/var/log/libvirt/lxc/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
--- /dev/null
+/var/log/libvirt/qemu/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
--- /dev/null
+/var/log/libvirt/uml/*.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/sh
_chrony:x:126:135:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
gdm:x:112:118:Gnome Display Manager:/var/lib/gdm3:/bin/false
+libvirt-qemu:x:64055:133:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:127:137:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
kameu:x:1001:100:Karin Meusel:/home/kameu:/bin/sh
plex:x:136:963:Plex Media Server:/var/lib/plexmediaserver:/bin/sh
_chrony:x:126:135:Chrony daemon,,,:/var/lib/chrony:/usr/sbin/nologin
-gdm:x:112:118::/var/lib/gdm3:/bin/false
+gdm:x:112:118:Gnome Display Manager:/var/lib/gdm3:/bin/false
+libvirt-qemu:x:64055:133:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:127:137::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
--- /dev/null
+#!/bin/sh
+# libvirt-uri.sh - Automatically switch default libvirt URI for user
+# Copyright (C) 2015 Canonical Ltd.
+#
+# Authors: Stefan Bader <stefan.bader@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+LIBVIRT_DEFAULT_URI="qemu:///system"
+if [ -f /proc/xen/capabilities ]; then
+ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then
+ LIBVIRT_DEFAULT_URI="xen:///"
+ fi
+fi
+
+export LIBVIRT_DEFAULT_URI
+
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+../init.d/libvirt-guests
\ No newline at end of file
--- /dev/null
+../init.d/libvirtd
\ No newline at end of file
--- /dev/null
+../init.d/virtlogd
\ No newline at end of file
--- /dev/null
+# If you want to use the non-TLS socket, then you *must* pick a
+# mechanism which provides session encryption as well as
+# authentication.
+#
+# If you are only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# If you are only using UNIX, sockets then encryption is not
+# required at all.
+#
+# Since SASL is the default for the libvirtd non-TLS socket, we
+# pick a strong mechanism by default.
+#
+# NB, previously DIGEST-MD5 was set as the default mechanism for
+# libvirt. Per RFC 6331 this is vulnerable to many serious security
+# flaws and should no longer be used. Thus GSSAPI is now the default.
+#
+# To use GSSAPI requires that a libvirtd service principal is
+# added to the Kerberos server for each host running libvirtd.
+# This principal needs to be exported to the keytab file listed below
+mech_list: gssapi
+
+# If using a TLS socket or UNIX socket only, it is possible to
+# enable plugins which don't provide session encryption. The
+# 'scram-sha-1' plugin allows plain username/password authentication
+# to be performed
+#
+#mech_list: scram-sha-1
+
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: scram-sha-1 gssapi
+
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+#
+keytab: /etc/libvirt/krb5.tab
+
+# If using scram-sha-1 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
+#sasldb_path: /etc/libvirt/passwd.db
plex:!:18385:0:99999:7:::
_chrony:*:18385:0:99999:7:::
gdm:*:18385:0:99999:7:::
+libvirt-qemu:!:18385:0:99999:7:::
+libvirt-dnsmasq:!:18385:0:99999:7:::
plex:!:18385:0:99999:7:::
_chrony:*:18385:0:99999:7:::
gdm:*:18385:0:99999:7:::
+libvirt-qemu:!:18385:0:99999:7:::
+libvirt-dnsmasq:!:18385:0:99999:7:::
--- /dev/null
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirt-guests.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlockd.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlogd.socket
\ No newline at end of file
projects / config / bruni / etc-mint-new1.git / commitdiff