mkdir -p './insserv/overrides'
mkdir -p './kernel/install.d'
mkdir -p './libpaper.d'
+mkdir -p './libvirt/hooks'
+mkdir -p './libvirt/secrets'
mkdir -p './lightdm/lightdm.conf.d'
mkdir -p './logcheck/violations.ignore.d'
mkdir -p './netplan'
maybe chmod 0644 'apparmor.d/abstractions/kerberosclient'
maybe chmod 0644 'apparmor.d/abstractions/ldapclient'
maybe chmod 0644 'apparmor.d/abstractions/libpam-systemd'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-lxc'
+maybe chmod 0644 'apparmor.d/abstractions/libvirt-qemu'
maybe chmod 0644 'apparmor.d/abstractions/lightdm'
maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser'
maybe chmod 0644 'apparmor.d/abstractions/likewise'
maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop'
maybe chmod 0755 'apparmor.d/disable'
maybe chmod 0755 'apparmor.d/force-complain'
+maybe chmod 0755 'apparmor.d/libvirt'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.lxc'
+maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.qemu'
maybe chmod 0644 'apparmor.d/lightdm-guest-session'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/README'
+maybe chmod 0755 'apparmor.d/local/abstractions'
+maybe chmod 0644 'apparmor.d/local/abstractions/libvirt-qemu'
maybe chmod 0644 'apparmor.d/local/lsb_release'
maybe chmod 0644 'apparmor.d/local/nvidia_modprobe'
maybe chmod 0644 'apparmor.d/local/sbin.dhclient'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/local/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine'
maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine.real'
maybe chmod 0644 'apparmor.d/local/usr.lib.telepathy'
maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.gpsd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.ntpd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd'
maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin'
maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport'
+maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper'
maybe chmod 0644 'apparmor.d/usr.lib.snapd.snap-confine.real'
maybe chmod 0644 'apparmor.d/usr.lib.telepathy'
maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed'
maybe chmod 0644 'apparmor.d/usr.sbin.cupsd'
maybe chmod 0644 'apparmor.d/usr.sbin.gpsd'
maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd'
+maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd'
maybe chmod 0644 'apparmor.d/usr.sbin.mysqld'
maybe chmod 0644 'apparmor.d/usr.sbin.ntpd'
maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd'
maybe chmod 0644 'default/irqbalance'
maybe chmod 0644 'default/kerneloops'
maybe chmod 0664 'default/keyboard'
+maybe chmod 0644 'default/libvirt-guests'
+maybe chmod 0644 'default/libvirtd'
maybe chmod 0644 'default/locale'
maybe chmod 0644 'default/motd-news'
maybe chmod 0644 'default/mysql'
maybe chmod 0644 'default/sysstat'
maybe chmod 0644 'default/ufw'
maybe chmod 0644 'default/useradd'
+maybe chmod 0644 'default/virtlockd'
+maybe chmod 0644 'default/virtlogd'
maybe chmod 0644 'deluser.conf'
maybe chmod 0755 'depmod.d'
maybe chmod 0644 'depmod.d/ubuntu.conf'
maybe chmod 0644 'dleyna-renderer-service.conf'
maybe chmod 0644 'dleyna-server-service.conf'
maybe chmod 0755 'dnsmasq.d'
+maybe chmod 0755 'dnsmasq.d-available'
+maybe chmod 0644 'dnsmasq.d-available/libvirt-daemon'
maybe chmod 0644 'dnsmasq.d/network-manager'
maybe chmod 0755 'doc-base'
maybe chmod 0755 'doc-base/documents'
maybe chmod 0644 'libreoffice/psprint.conf'
maybe chmod 0644 'libreoffice/soffice.sh'
maybe chmod 0644 'libreoffice/sofficerc'
+maybe chmod 0755 'libvirt'
+maybe chmod 0755 'libvirt/hooks'
+maybe chmod 0644 'libvirt/libvirt-admin.conf'
+maybe chmod 0644 'libvirt/libvirt.conf'
+maybe chmod 0644 'libvirt/libvirtd.conf'
+maybe chmod 0644 'libvirt/libxl-lockd.conf'
+maybe chmod 0644 'libvirt/libxl-sanlock.conf'
+maybe chmod 0644 'libvirt/libxl.conf'
+maybe chmod 0644 'libvirt/lxc.conf'
+maybe chmod 0755 'libvirt/nwfilter'
+maybe chmod 0600 'libvirt/nwfilter/allow-arp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp-server.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-dhcp.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-incoming-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/allow-ipv4.xml'
+maybe chmod 0600 'libvirt/nwfilter/clean-traffic-gateway.xml'
+maybe chmod 0600 'libvirt/nwfilter/clean-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-arp-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-multicast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-ip-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-broadcast.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-mac-spoofing.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-l2-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/no-other-rarp-traffic.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self-rarp.xml'
+maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self.xml'
+maybe chmod 0755 'libvirt/qemu'
+maybe chmod 0644 'libvirt/qemu-lockd.conf'
+maybe chmod 0644 'libvirt/qemu-sanlock.conf'
+maybe chmod 0600 'libvirt/qemu.conf'
+maybe chmod 0755 'libvirt/qemu/networks'
+maybe chmod 0755 'libvirt/qemu/networks/autostart'
+maybe chmod 0600 'libvirt/qemu/networks/default.xml'
+maybe chmod 0700 'libvirt/secrets'
+maybe chmod 0644 'libvirt/virt-login-shell.conf'
+maybe chmod 0644 'libvirt/virtlockd.conf'
+maybe chmod 0644 'libvirt/virtlogd.conf'
maybe chmod 0755 'lightdm'
maybe chmod 0755 'lightdm/lightdm.conf.d'
maybe chmod 0644 'lightdm/users.conf'
maybe chmod 0644 'logrotate.d/dpkg'
maybe chmod 0644 'logrotate.d/dump1090-mutability'
maybe chmod 0644 'logrotate.d/iptraf-ng'
+maybe chmod 0644 'logrotate.d/libvirtd'
+maybe chmod 0644 'logrotate.d/libvirtd.libxl'
+maybe chmod 0644 'logrotate.d/libvirtd.lxc'
+maybe chmod 0644 'logrotate.d/libvirtd.qemu'
maybe chmod 0644 'logrotate.d/lightdm'
maybe chmod 0644 'logrotate.d/lighttpd'
maybe chmod 0644 'logrotate.d/mongodb-server'
maybe chmod 0644 'profile.d/gawk.sh'
maybe chmod 0755 'profile.d/jdk.csh'
maybe chmod 0755 'profile.d/jdk.sh'
+maybe chmod 0644 'profile.d/libvirt-uri.sh'
maybe chmod 0644 'profile.d/vte-2.91.sh'
maybe chmod 0644 'profile.d/vte.csh'
maybe chmod 0644 'profile.d/xdg_dirs_desktop_session.sh'
maybe chmod 0644 'sane.d/umax1220u.conf'
maybe chmod 0644 'sane.d/umax_pp.conf'
maybe chmod 0644 'sane.d/xerox_mfp.conf'
+maybe chmod 0755 'sasl2'
+maybe chmod 0644 'sasl2/libvirt.conf'
maybe chmod 0755 'scalpel'
maybe chmod 0644 'scalpel/scalpel.conf'
maybe chmod 0644 'screenrc'
--- /dev/null
+# Last Modified: Fri Feb 7 13:01:36 2014
+
+ #include <abstractions/base>
+
+ umount,
+
+ # ignore DENIED message on / remount
+ deny mount options=(ro, remount) -> /,
+
+ # allow tmpfs mounts everywhere
+ mount fstype=tmpfs,
+
+ # allow mqueue mounts everywhere
+ mount fstype=mqueue,
+
+ # allow fuse mounts everywhere
+ mount fstype=fuse.*,
+
+ # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
+ mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+ deny @{PROC}/sys/fs/** wklx,
+
+ # allow efivars to be mounted, writing to it will be blocked though
+ mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
+
+ # block some other dangerous paths
+ deny @{PROC}/sysrq-trigger rwklx,
+ deny @{PROC}/mem rwklx,
+ deny @{PROC}/kmem rwklx,
+
+ # deny writes in /sys except for /sys/fs/cgroup, also allow
+ # fusectl, securityfs and debugfs to be mounted there (read-only)
+ mount fstype=fusectl -> /sys/fs/fuse/connections/,
+ mount fstype=securityfs -> /sys/kernel/security/,
+ mount fstype=debugfs -> /sys/kernel/debug/,
+ mount fstype=proc -> /proc/,
+ mount fstype=sysfs -> /sys/,
+ deny /sys/firmware/efi/efivars/** rwklx,
+ deny /sys/kernel/security/** rwklx,
+
+ # generated by: lxc-generate-aa-rules.py container-rules.base
+ deny /proc/sys/[^kn]*{,/**} wklx,
+ deny /proc/sys/k[^e]*{,/**} wklx,
+ deny /proc/sys/ke[^r]*{,/**} wklx,
+ deny /proc/sys/ker[^n]*{,/**} wklx,
+ deny /proc/sys/kern[^e]*{,/**} wklx,
+ deny /proc/sys/kerne[^l]*{,/**} wklx,
+ deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
+ deny /proc/sys/kernel/d[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/do[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
+ deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/domainname?*{,/**} wklx,
+ deny /proc/sys/kernel/h[^o]*{,/**} wklx,
+ deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
+ deny /proc/sys/kernel/host[^n]*{,/**} wklx,
+ deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
+ deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
+ deny /proc/sys/kernel/hostname?*{,/**} wklx,
+ deny /proc/sys/kernel/m[^s]*{,/**} wklx,
+ deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
+ deny /proc/sys/kernel/msg*/** wklx,
+ deny /proc/sys/kernel/s[^he]*{,/**} wklx,
+ deny /proc/sys/kernel/se[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/sem*/** wklx,
+ deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
+ deny /proc/sys/kernel/shm*/** wklx,
+ deny /proc/sys/kernel?*{,/**} wklx,
+ deny /proc/sys/n[^e]*{,/**} wklx,
+ deny /proc/sys/ne[^t]*{,/**} wklx,
+ deny /proc/sys/net?*{,/**} wklx,
+ deny /sys/[^fdc]*{,/**} wklx,
+ deny /sys/c[^l]*{,/**} wklx,
+ deny /sys/cl[^a]*{,/**} wklx,
+ deny /sys/cla[^s]*{,/**} wklx,
+ deny /sys/clas[^s]*{,/**} wklx,
+ deny /sys/class/[^n]*{,/**} wklx,
+ deny /sys/class/n[^e]*{,/**} wklx,
+ deny /sys/class/ne[^t]*{,/**} wklx,
+ deny /sys/class/net?*{,/**} wklx,
+ deny /sys/class?*{,/**} wklx,
+ deny /sys/d[^e]*{,/**} wklx,
+ deny /sys/de[^v]*{,/**} wklx,
+ deny /sys/dev[^i]*{,/**} wklx,
+ deny /sys/devi[^c]*{,/**} wklx,
+ deny /sys/devic[^e]*{,/**} wklx,
+ deny /sys/device[^s]*{,/**} wklx,
+ deny /sys/devices/[^v]*{,/**} wklx,
+ deny /sys/devices/v[^i]*{,/**} wklx,
+ deny /sys/devices/vi[^r]*{,/**} wklx,
+ deny /sys/devices/vir[^t]*{,/**} wklx,
+ deny /sys/devices/virt[^u]*{,/**} wklx,
+ deny /sys/devices/virtu[^a]*{,/**} wklx,
+ deny /sys/devices/virtua[^l]*{,/**} wklx,
+ deny /sys/devices/virtual/[^n]*{,/**} wklx,
+ deny /sys/devices/virtual/n[^e]*{,/**} wklx,
+ deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
+ deny /sys/devices/virtual/net?*{,/**} wklx,
+ deny /sys/devices/virtual?*{,/**} wklx,
+ deny /sys/devices?*{,/**} wklx,
+ deny /sys/f[^s]*{,/**} wklx,
+ deny /sys/fs/[^c]*{,/**} wklx,
+ deny /sys/fs/c[^g]*{,/**} wklx,
+ deny /sys/fs/cg[^r]*{,/**} wklx,
+ deny /sys/fs/cgr[^o]*{,/**} wklx,
+ deny /sys/fs/cgro[^u]*{,/**} wklx,
+ deny /sys/fs/cgrou[^p]*{,/**} wklx,
+ deny /sys/fs/cgroup?*{,/**} wklx,
+ deny /sys/fs?*{,/**} wklx,
--- /dev/null
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include <abstractions/base>
+ #include <abstractions/consoles>
+ #include <abstractions/nameservice>
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=libvirtd,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+ owner @{PROC}/*/auxv r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+ /run/udev/data/+usb* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r,
+ /{dev,run}/shmpulse-shm* r,
+ /{dev,run}/shmpulse-shm* rwk,
+ /dev/snd/* rw,
+ capability ipc_lock,
+ # spice
+ owner /{dev,run}/shm/spice.* rw,
+ # 'kill' is not required for sound and is a security risk. Do not enable
+ # unless you absolutely need it.
+ deny capability kill,
+
+ # Uncomment the following if you need access to /dev/fb*
+ #/dev/fb* rw,
+
+ /etc/pulse/client.conf r,
+ @{HOME}/.pulse-cookie rwk,
+ owner /root/.pulse-cookie rwk,
+ owner /root/.pulse/ rw,
+ owner /root/.pulse/* rw,
+ /usr/share/alsa/** r,
+ owner /tmp/pulse-*/ rw,
+ owner /tmp/pulse-*/* rw,
+ /var/lib/dbus/machine-id r,
+
+ # access to firmware's etc
+ /usr/share/kvm/** r,
+ /usr/share/qemu/** r,
+ /usr/share/qemu-kvm/** r,
+ /usr/share/bochs/** r,
+ /usr/share/openbios/** r,
+ /usr/share/openhackware/** r,
+ /usr/share/proll/** r,
+ /usr/share/vgabios/** r,
+ /usr/share/seabios/** r,
+ /usr/share/misc/sgabios.bin r,
+ /usr/share/ovmf/** r,
+ /usr/share/OVMF/** r,
+ /usr/share/AAVMF/** r,
+ /usr/share/qemu-efi/** r,
+ /usr/share/slof/** r,
+
+ # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140)
+ /etc/pki/CA/ r,
+ /etc/pki/CA/* r,
+ /etc/pki/libvirt{,-spice,-vnc}/ r,
+ /etc/pki/libvirt{,-spice,-vnc}/** r,
+ /etc/pki/qemu/ r,
+ /etc/pki/qemu/** r,
+
+ # the various binaries
+ /usr/bin/kvm rmix,
+ /usr/bin/qemu rmix,
+ /usr/bin/qemu-kvm rmix,
+ /usr/bin/qemu-system-aarch64 rmix,
+ /usr/bin/qemu-system-alpha rmix,
+ /usr/bin/qemu-system-arm rmix,
+ /usr/bin/qemu-system-cris rmix,
+ /usr/bin/qemu-system-hppa rmix,
+ /usr/bin/qemu-system-i386 rmix,
+ /usr/bin/qemu-system-lm32 rmix,
+ /usr/bin/qemu-system-m68k rmix,
+ /usr/bin/qemu-system-microblaze rmix,
+ /usr/bin/qemu-system-microblazeel rmix,
+ /usr/bin/qemu-system-mips rmix,
+ /usr/bin/qemu-system-mips64 rmix,
+ /usr/bin/qemu-system-mips64el rmix,
+ /usr/bin/qemu-system-mipsel rmix,
+ /usr/bin/qemu-system-moxie rmix,
+ /usr/bin/qemu-system-nios2 rmix,
+ /usr/bin/qemu-system-or1k rmix,
+ /usr/bin/qemu-system-or32 rmix,
+ /usr/bin/qemu-system-ppc rmix,
+ /usr/bin/qemu-system-ppc64 rmix,
+ /usr/bin/qemu-system-ppcemb rmix,
+ /usr/bin/qemu-system-riscv32 rmix,
+ /usr/bin/qemu-system-riscv64 rmix,
+ /usr/bin/qemu-system-s390x rmix,
+ /usr/bin/qemu-system-sh4 rmix,
+ /usr/bin/qemu-system-sh4eb rmix,
+ /usr/bin/qemu-system-sparc rmix,
+ /usr/bin/qemu-system-sparc64 rmix,
+ /usr/bin/qemu-system-tricore rmix,
+ /usr/bin/qemu-system-unicore32 rmix,
+ /usr/bin/qemu-system-x86_64 rmix,
+ /usr/bin/qemu-system-xtensa rmix,
+ /usr/bin/qemu-system-xtensaeb rmix,
+ /usr/bin/qemu-aarch64 rmix,
+ /usr/bin/qemu-alpha rmix,
+ /usr/bin/qemu-arm rmix,
+ /usr/bin/qemu-armeb rmix,
+ /usr/bin/qemu-cris rmix,
+ /usr/bin/qemu-i386 rmix,
+ /usr/bin/qemu-m68k rmix,
+ /usr/bin/qemu-microblaze rmix,
+ /usr/bin/qemu-microblazeel rmix,
+ /usr/bin/qemu-mips rmix,
+ /usr/bin/qemu-mips64 rmix,
+ /usr/bin/qemu-mips64el rmix,
+ /usr/bin/qemu-mipsel rmix,
+ /usr/bin/qemu-mipsn32 rmix,
+ /usr/bin/qemu-mipsn32el rmix,
+ /usr/bin/qemu-or32 rmix,
+ /usr/bin/qemu-ppc rmix,
+ /usr/bin/qemu-ppc64 rmix,
+ /usr/bin/qemu-ppc64abi32 rmix,
+ /usr/bin/qemu-ppc64le rmix,
+ /usr/bin/qemu-s390x rmix,
+ /usr/bin/qemu-sh4 rmix,
+ /usr/bin/qemu-sh4eb rmix,
+ /usr/bin/qemu-sparc rmix,
+ /usr/bin/qemu-sparc32plus rmix,
+ /usr/bin/qemu-sparc64 rmix,
+ /usr/bin/qemu-unicore32 rmix,
+ /usr/bin/qemu-x86_64 rmix,
+ # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761)
+ /usr/{lib,lib64}/qemu/*.so mr,
+ /usr/lib/@{multiarch}/qemu/*.so mr,
+
+ # let qemu load old shared objects after upgrades (LP: #1847361)
+ /{var/,}run/qemu/*/*.so mr,
+ # but explicitly deny with auditing writing to these files
+ audit deny /{var/,}run/qemu/*/*.so w,
+
+ # swtpm
+ /{usr/,}bin/swtpm rmix,
+ /usr/{lib,lib64}/libswtpm_libtpms.so mr,
+ /usr/lib/@{multiarch}/libswtpm_libtpms.so mr,
+
+ # for save and resume
+ /{usr/,}bin/dash rmix,
+ /{usr/,}bin/dd rmix,
+ /{usr/,}bin/cat rmix,
+
+ # for restore
+ /{usr/,}bin/bash rmix,
+
+ # for usb access
+ /dev/bus/usb/ r,
+ /etc/udev/udev.conf r,
+ /sys/bus/ r,
+ /sys/class/ r,
+
+ # for rbd
+ /etc/ceph/ceph.conf r,
+
+ # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
+ # dir and a few known functions like samba support.
+ # We want to avoid to give blanket rw permission to everything under /tmp,
+ # users are expected to add site specific addons for more uncommon cases.
+ # Qemu processes usually all run as the same users, so the "owner"
+ # restriction prevents access to other services files, but not across
+ # different instances.
+ # This is a tradeoff between usability and security - if paths would be more
+ # predictable that would be preferred - at least for write rules we would
+ # want more unique paths per rule.
+ /{,var/}tmp/ r,
+ owner /{,var/}tmp/**/ r,
+
+ # for file-posix getting limits since 9103f1ce
+ /sys/devices/**/block/*/queue/max_segments r,
+
+ # for ppc device-tree access
+ @{PROC}/device-tree/ r,
+ @{PROC}/device-tree/** r,
+ /sys/firmware/devicetree/** r,
+
+ # allow connect with openGraphicsFD to work
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+ unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd),
+
+ # allow access to charm-specific ceph config (LP: #1403648).
+ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)
+ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674)
+ /var/lib/charm/*/ceph.conf r,
+ /run/ceph/rbd-client-*.asok rw,
+
+ # kvm.powerpc executes/accesses this
+ /{usr/,}bin/uname rmix,
+ /{usr/,}sbin/ppc64_cpu rmix,
+ /{usr/,}bin/grep rmix,
+ /sys/devices/system/cpu/subcores_per_core r,
+ /sys/devices/system/cpu/cpu*/online r,
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # for vhost-net/vsock/scsi hotplug (LP: #1815910)
+ /dev/vhost-net rw,
+ /dev/vhost-vsock rw,
+ /dev/vhost-scsi rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
+
+ # required by libpmem init to fts_open()/fts_read() the symlinks in
+ # /sys/bus/nd/devices
+ / r, # harmless on any lsb compliant system
+ /sys/bus/nd/devices/{,**/} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/abstractions/libvirt-qemu>
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-lxc>
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
--- /dev/null
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include <tunables/global>
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include <abstractions/libvirt-qemu>
+}
--- /dev/null
+# Last Modified: Mon Apr 5 15:10:27 2010
+#include <tunables/global>
+
+profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ # needed for searching directories
+ capability dac_override,
+ capability dac_read_search,
+
+ # needed for when disk is on a network filesystem
+ network inet,
+ network inet6,
+
+ deny @{PROC}/[0-9]*/mounts r,
+ @{PROC}/[0-9]*/net/psched r,
+ owner @{PROC}/[0-9]*/status r,
+ @{PROC}/filesystems r,
+
+ # Used when internally running another command (namely apparmor_parser)
+ @{PROC}/@{pid}/fd/ r,
+
+ /etc/libnl-3/classid r,
+
+ # for gl enabled graphics
+ /dev/dri/{,*} r,
+
+ # for hostdev
+ /sys/devices/ r,
+ /sys/devices/** r,
+ /sys/bus/usb/devices/ r,
+ deny /dev/sd* r,
+ deny /dev/vd* r,
+ deny /dev/dm-* r,
+ deny /dev/drbd[0-9]* r,
+ deny /dev/dasd* r,
+ deny /dev/nvme* r,
+ deny /dev/zd[0-9]* r,
+ deny /dev/mapper/ r,
+ deny /dev/mapper/* r,
+
+ /usr/{lib,lib64}/libvirt/virt-aa-helper mr,
+ /{usr/,}sbin/apparmor_parser Ux,
+
+ # for openvswitch
+ /{,var/}run/** rw,
+
+ /etc/apparmor.d/libvirt/* r,
+ /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw,
+
+ # for backingstore -- allow access to non-hidden files in @{HOME} as well
+ # as storage pools
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ @{HOME}/ r,
+ @{HOME}/** r,
+ /var/lib/libvirt/images/ r,
+ /var/lib/libvirt/images/** r,
+ # nova base images (LP: #907269)
+ /var/lib/nova/images/** r,
+ /var/lib/nova/instances/_base/** r,
+ # nova snapshots (LP: #1244694)
+ /var/lib/nova/instances/snapshots/** r,
+ # nova base/snapshot files in snapped nova (LP: #1644507)
+ /var/snap/nova-hypervisor/common/instances/_base/** r,
+ /var/snap/nova-hypervisor/common/instances/snapshots/** r,
+ # eucalyptus (LP: #564914)
+ /var/lib/eucalyptus/instances/**/disk* r,
+ # eucalyptus loader (LP: #637544)
+ /var/lib/eucalyptus/instances/**/loader* r,
+ # for uvtool
+ /var/lib/uvtool/libvirt/images/** r,
+ # for multipass
+ /var/snap/multipass/common/data/multipassd/vault/instances/** r,
+ /{media,mnt,opt,srv}/** r,
+ # For virt-sandbox
+ /{,var/}run/libvirt/**/[sv]d[a-z] r,
+
+ /**.img r,
+ /**.raw r,
+ /**.qcow{,2} r,
+ /**.qed r,
+ /**.vmdk r,
+ /**.vhd r,
+ /**.[iI][sS][oO] r,
+ /**/disk{,.*} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.lib.libvirt.virt-aa-helper>
+}
--- /dev/null
+# Last Modified: Mon Apr 5 15:03:58 2010
+#include <tunables/global>
+@{LIBVIRT}="libvirt"
+
+profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) {
+ #include <abstractions/base>
+ #include <abstractions/dbus>
+
+ capability kill,
+ capability net_admin,
+ capability net_raw,
+ capability setgid,
+ capability sys_admin,
+ capability sys_module,
+ capability sys_ptrace,
+ capability sys_pacct,
+ capability sys_nice,
+ capability sys_chroot,
+ capability setuid,
+ capability dac_override,
+ capability dac_read_search,
+ capability fowner,
+ capability chown,
+ capability setpcap,
+ capability mknod,
+ capability fsetid,
+ capability audit_write,
+ capability ipc_lock,
+
+ # Needed for vfio
+ capability sys_resource,
+
+ mount options=(rw,rslave) -> /,
+ mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/,
+
+ # libvirt provides any mounts under /dev to qemu namespaces
+ mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/,
+ mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/},
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/,
+ mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
+
+ network inet stream,
+ network inet dgram,
+ network inet6 stream,
+ network inet6 dgram,
+ network netlink raw,
+ network packet dgram,
+ network packet raw,
+
+ # for --p2p migrations
+ unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
+
+ ptrace (read,trace) peer=unconfined,
+ ptrace (read,trace) peer=@{profile_name},
+ ptrace (read,trace) peer=dnsmasq,
+ ptrace (read,trace) peer=/usr/sbin/dnsmasq,
+ ptrace (read,trace) peer=libvirt-*,
+
+ signal (send) peer=dnsmasq,
+ signal (send) peer=/usr/sbin/dnsmasq,
+ signal (read, send) peer=libvirt-*,
+ signal (send) set=("kill", "term") peer=unconfined,
+
+ # For communication/control to qemu-bridge-helper
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
+ signal (send) set=("term") peer=libvirtd//qemu_bridge_helper,
+
+ # allow connect with openGraphicsFD, direction reversed in newer versions
+ unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*),
+ # unconfined also required if guests run without security module
+ unix (send, receive) type=stream addr=none peer=(label=unconfined),
+
+ # required if guests run unconfined seclabel type='none' but libvirtd is confined
+ signal (read, send) peer=unconfined,
+
+ # Very lenient profile for libvirtd since we want to first focus on confining
+ # the guests. Guests will have a very restricted profile.
+ / r,
+ /** rwmkl,
+
+ /bin/* PUx,
+ /sbin/* PUx,
+ /usr/bin/* PUx,
+ /usr/sbin/virtlogd pix,
+ /usr/sbin/* PUx,
+ /{usr/,}lib/udev/scsi_id PUx,
+ /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx,
+ /usr/{lib,lib64}/xen/bin/* Ux,
+ /usr/lib/xen-*/bin/libxl-save-helper PUx,
+ /usr/lib/xen-*/bin/pygrub PUx,
+ /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx,
+
+ # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to
+ # read and run an ebtables script.
+ /var/lib/libvirt/virtd* ixr,
+
+ # force the use of virt-aa-helper
+ audit deny /{usr/,}sbin/apparmor_parser rwxl,
+ audit deny /etc/apparmor.d/libvirt/** wxl,
+ audit deny /sys/kernel/security/apparmor/features rwxl,
+ audit deny /sys/kernel/security/apparmor/matching rwxl,
+ audit deny /sys/kernel/security/apparmor/.* rwxl,
+ /sys/kernel/security/apparmor/profiles r,
+ /usr/{lib,lib64}/libvirt/* PUxr,
+ /usr/{lib,lib64}/libvirt/libvirt_parthelper ix,
+ /usr/{lib,lib64}/libvirt/libvirt_iohelper ix,
+ /etc/libvirt/hooks/** rmix,
+ /etc/xen/scripts/** rmix,
+
+ # allow changing to our UUID-based named profiles
+ change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
+ # child profile for bridge helper process
+ profile qemu_bridge_helper {
+ #include <abstractions/base>
+
+ capability setuid,
+ capability setgid,
+ capability setpcap,
+ capability net_admin,
+
+ network inet stream,
+
+ # For communication/control from libvirtd
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+ signal (receive) set=("term") peer=/usr/sbin/libvirtd,
+ signal (receive) set=("term") peer=libvirtd,
+
+ /dev/net/tun rw,
+ /etc/qemu/** r,
+ owner @{PROC}/*/status r,
+
+ /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix,
+ }
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.sbin.libvirtd>
+}
--- /dev/null
+# URIs to check for running guests
+# example: URIS='default xen:///system vbox+tcp://host/system lxc:///system'
+#URIS=default
+
+# action taken on host boot
+# - start all guests which were running on shutdown are started on boot
+# regardless on their autostart settings
+# - ignore libvirt-guests init script won't start any guest on boot, however,
+# guests marked as autostart will still be automatically started by
+# libvirtd
+#ON_BOOT=ignore
+
+# Number of seconds to wait between each guest start. Set to 0 to allow
+# parallel startup.
+#START_DELAY=0
+
+# action taken on host shutdown
+# - suspend all running guests are suspended using virsh managedsave
+# - shutdown all running guests are asked to shutdown. Please be careful with
+# this settings since there is no way to distinguish between a
+# guest which is stuck or ignores shutdown requests and a guest
+# which just needs a long time to shutdown. When setting
+# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a
+# value suitable for your guests.
+#ON_SHUTDOWN=shutdown
+
+# Number of guests will be shutdown concurrently, taking effect when
+# "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one
+# after another. Number of guests on shutdown at any time will not exceed number
+# set in this variable.
+PARALLEL_SHUTDOWN=10
+
+# Number of seconds we're willing to wait for a guest to shut down. If parallel
+# shutdown is enabled, this timeout applies as a timeout for shutting down all
+# guests on a single URI defined in the variable URIS. If this is 0, then there
+# is no time out (use with caution, as guests might not respond to a shutdown
+# request). The default value is 300 seconds (5 minutes).
+SHUTDOWN_TIMEOUT=120
+
+# If non-zero, try to bypass the file system cache when saving and
+# restoring guests, even though this may give slower operation for
+# some file systems.
+#BYPASS_CACHE=0
+
+# If non-zero, try to sync guest time on domain resume. Be aware, that
+# this requires guest agent with support for time synchronization
+# running in the guest. For instance, qemu-ga doesn't support guest time
+# synchronization on Windows guests, but Linux ones. By default, this
+# functionality is turned off.
+#SYNC_TIME=1
--- /dev/null
+# Defaults for libvirtd initscript (/etc/init.d/libvirtd)
+# This is a POSIX shell fragment
+
+# Start libvirtd to handle qemu/kvm:
+start_libvirtd="yes"
+
+# options passed to libvirtd, see man libvirtd for details.
+# For example to enable listening on tcp add -l here
+# and set up the TLS Certificates that libvirtd will need.
+#libvirtd_opts=""
+
+# pass in location of kerberos keytab
+#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
+
+# Whether to mount a systemd like cgroup layout (only
+# useful when not running systemd)
+#mount_cgroups=yes
+# Which cgroups to mount
+#cgroups="memory devices"
--- /dev/null
+#
+# Pass extra arguments to virtlockd
+#VIRTLOCKD_ARGS=
--- /dev/null
+#
+# Pass extra arguments to virtlogd
+#VIRTLOGD_ARGS=
--- /dev/null
+bind-interfaces
+except-interface=virbr0
--- /dev/null
+/etc/dnsmasq.d-available/libvirt-daemon
\ No newline at end of file
nvidia-persistenced:x:146:
nx:x:1015:
tss:x:147:
+libvirt:x:148:mhoellein
+libvirt-qemu:x:64055:libvirt-qemu
+libvirt-dnsmasq:x:149:
tcpdump:x:145:
nvidia-persistenced:x:146:
nx:x:1015:
+tss:x:147:
+libvirt:x:148:mhoellein
+libvirt-qemu:x:64055:libvirt-qemu
nvidia-persistenced:!::
nx:!::
tss:!::
+libvirt:!::mhoellein
+libvirt-qemu:!::libvirt-qemu
+libvirt-dnsmasq:!::
tcpdump:!::
nvidia-persistenced:!::
nx:!::
+tss:!::
+libvirt:!::mhoellein
+libvirt-qemu:!::libvirt-qemu
--- /dev/null
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt admin connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "admin=libvirtd:///system",
+#]
+
+# This specifies the default location the client tries to connect to if no other
+# URI is provided by the application
+
+#uri_default = "libvirtd:///system"
--- /dev/null
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "hail=qemu+ssh://root@hail.cloud.example.com/system",
+# "sleet=qemu+ssh://root@sleet.cloud.example.com/system",
+#]
+
+#
+# These can be used in cases when no URI is supplied by the application
+# (@uri_default also prevents probing of the hypervisor driver).
+#
+#uri_default = "qemu:///system"
--- /dev/null
+# Master libvirt daemon configuration file
+#
+
+#################################################################
+#
+# Network connectivity controls
+#
+
+# Flag listening for secure TLS connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# It is necessary to setup a CA and issue server certificates before
+# using this capability.
+#
+# This is enabled by default, uncomment this to disable it
+#listen_tls = 0
+
+# Listen for unencrypted TCP connections on the public TCP/IP port.
+# NB, must pass the --listen flag to the libvirtd process for this to
+# have any effect.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Using the TCP socket requires SASL authentication by default. Only
+# SASL mechanisms which support data encryption are allowed. This is
+# DIGEST_MD5 and GSSAPI (Kerberos5)
+#
+# This is disabled by default, uncomment this to enable it.
+#listen_tcp = 1
+
+
+
+# Override the port for accepting secure TLS connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#tls_port = "16514"
+
+# Override the port for accepting insecure TCP connections
+# This can be a port number, or service name
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#tcp_port = "16509"
+
+
+# Override the default configuration which binds to all network
+# interfaces. This can be a numeric IPv4/6 address, or hostname
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# If the libvirtd service is started in parallel with network
+# startup (e.g. with systemd), binding to addresses other than
+# the wildcards (0.0.0.0/::) might not be available yet.
+#
+#listen_addr = "192.168.0.1"
+
+
+#################################################################
+#
+# UNIX socket access controls
+#
+
+# Set the UNIX domain socket group ownership. This can be used to
+# allow a 'trusted' set of users access to management capabilities
+# without becoming root.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# This is restricted to 'root' by default.
+#unix_sock_group = "libvirt"
+unix_sock_group = "libvirt"
+
+# Set the UNIX socket permissions for the R/O socket. This is used
+# for monitoring VM status only
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows any user. If setting group ownership, you may want to
+# restrict this too.
+#unix_sock_ro_perms = "0777"
+unix_sock_ro_perms = "0777"
+
+# Set the UNIX socket permissions for the R/W socket. This is used
+# for full management of VMs
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only root. If PolicyKit is enabled on the socket,
+# the default will change to allow everyone (eg, 0777)
+#
+# If not using PolicyKit and setting group ownership for access
+# control, then you may want to relax this too.
+unix_sock_rw_perms = "0770"
+
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
+# Set the name of the directory in which sockets will be found/created.
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
+#unix_sock_dir = "/run/libvirt"
+
+
+
+#################################################################
+#
+# Authentication.
+#
+# - none: do not perform auth checks. If you can connect to the
+# socket you are allowed. This is suitable if there are
+# restrictions on connecting to the socket (eg, UNIX
+# socket permissions), or if there is a lower layer in
+# the network providing auth (eg, TLS/x509 certificates)
+#
+# - sasl: use SASL infrastructure. The actual auth scheme is then
+# controlled from /etc/sasl2/libvirt.conf. For the TCP
+# socket only GSSAPI & DIGEST-MD5 mechanisms will be used.
+# For non-TCP or TLS sockets, any scheme is allowed.
+#
+# - polkit: use PolicyKit to authenticate. This is only suitable
+# for use on the UNIX sockets. The default policy will
+# require a user to supply their own password to gain
+# full read/write access (aka sudo like), while anyone
+# is allowed read/only access.
+#
+# Set an authentication scheme for UNIX read-only sockets
+# By default socket permissions allow anyone to connect
+#
+# To restrict monitoring of domains you may wish to enable
+# an authentication mechanism here
+auth_unix_ro = "none"
+
+# Set an authentication scheme for UNIX read-write sockets
+# By default socket permissions only allow root. If PolicyKit
+# support was compiled into libvirt, the default will be to
+# use 'polkit' auth.
+#
+# If the unix_sock_rw_perms are changed you may wish to enable
+# an authentication mechanism here
+#auth_unix_rw = "none"
+auth_unix_rw = "none"
+
+# Change the authentication scheme for TCP sockets.
+#
+# If you don't enable SASL, then all TCP traffic is cleartext.
+# Don't do this outside of a dev/test scenario. For real world
+# use, always enable SASL and use the GSSAPI or DIGEST-MD5
+# mechanism in /etc/sasl2/libvirt.conf
+#auth_tcp = "sasl"
+
+# Change the authentication scheme for TLS sockets.
+#
+# TLS sockets already have encryption provided by the TLS
+# layer, and limited authentication is done by certificates
+#
+# It is possible to make use of any SASL authentication
+# mechanism as well, by using 'sasl' for this option
+#auth_tls = "none"
+
+
+# Change the API access control scheme
+#
+# By default an authenticated user is allowed access
+# to all APIs. Access drivers can place restrictions
+# on this. By default the 'nop' driver is enabled,
+# meaning no access control checks are done once a
+# client has authenticated with libvirtd
+#
+#access_drivers = [ "polkit" ]
+
+#################################################################
+#
+# TLS x509 certificate configuration
+#
+
+# Use of TLS requires that x509 certificates be issued. The default locations
+# for the certificate files is as follows:
+#
+# /etc/pki/CA/cacert.pem - The CA master certificate
+# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem
+# /etc/pki/libvirt/private/serverkey.pem - The server private key
+#
+# It is possible to override the default locations by altering the 'key_file',
+# 'cert_file', and 'ca_file' values and uncommenting them below.
+#
+# NB, overriding the default of one location requires uncommenting and
+# possibly additionally overriding the other settings.
+#
+
+# Override the default server key file path
+#
+#key_file = "/etc/pki/libvirt/private/serverkey.pem"
+
+# Override the default server certificate file path
+#
+#cert_file = "/etc/pki/libvirt/servercert.pem"
+
+# Override the default CA certificate path
+#
+#ca_file = "/etc/pki/CA/cacert.pem"
+
+# Specify a certificate revocation list.
+#
+# Defaults to not using a CRL, uncomment to enable it
+#crl_file = "/etc/pki/CA/crl.pem"
+
+
+
+#################################################################
+#
+# Authorization controls
+#
+
+
+# Flag to disable verification of our own server certificates
+#
+# When libvirtd starts it performs some sanity checks against
+# its own certificates.
+#
+# Default is to always run sanity checks. Uncommenting this
+# will disable sanity checks which is not a good idea
+#tls_no_sanity_certificate = 1
+
+# Flag to disable verification of client certificates
+#
+# Client certificate verification is the primary authentication mechanism.
+# Any client which does not present a certificate signed by the CA
+# will be rejected.
+#
+# Default is to always verify. Uncommenting this will disable
+# verification - make sure an IP whitelist is set
+#tls_no_verify_certificate = 1
+
+
+# A whitelist of allowed x509 Distinguished Names
+# This list may contain wildcards such as
+#
+# "C=GB,ST=London,L=London,O=Red Hat,CN=*"
+#
+# See the g_pattern_match function for the format of the wildcards:
+#
+# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no DN's are checked
+#tls_allowed_dn_list = ["DN1", "DN2"]
+
+
+# Override the compile time default TLS priority string. The
+# default is usually "NORMAL" unless overridden at build time.
+# Only set this is it is desired for libvirt to deviate from
+# the global default settings.
+#
+#tls_priority="NORMAL"
+
+
+# A whitelist of allowed SASL usernames. The format for username
+# depends on the SASL authentication mechanism. Kerberos usernames
+# look like username@REALM
+#
+# This list may contain wildcards such as
+#
+# "*@EXAMPLE.COM"
+#
+# See the g_pattern_match function for the format of the wildcards.
+#
+# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html
+#
+# NB If this is an empty list, no client can connect, so comment out
+# entirely rather than using empty list to disable these checks
+#
+# By default, no Username's are checked
+#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ]
+
+
+#################################################################
+#
+# Processing controls
+#
+
+# The maximum number of concurrent client connections to allow
+# over all sockets combined.
+#max_clients = 5000
+
+# The maximum length of queue of connections waiting to be
+# accepted by the daemon. Note, that some protocols supporting
+# retransmission may obey this so that a later reattempt at
+# connection succeeds.
+#max_queued_clients = 1000
+
+# The maximum length of queue of accepted but not yet
+# authenticated clients. The default value is 20. Set this to
+# zero to turn this feature off.
+#max_anonymous_clients = 20
+
+# The minimum limit sets the number of workers to start up
+# initially. If the number of active clients exceeds this,
+# then more threads are spawned, up to max_workers limit.
+# Typically you'd want max_workers to equal maximum number
+# of clients allowed
+#min_workers = 5
+#max_workers = 20
+
+
+# The number of priority workers. If all workers from above
+# pool are stuck, some calls marked as high priority
+# (notably domainDestroy) can be executed in this pool.
+#prio_workers = 5
+
+# Limit on concurrent requests from a single client
+# connection. To avoid one client monopolizing the server
+# this should be a small fraction of the global max_workers
+# parameter.
+#max_client_requests = 5
+
+# Same processing controls, but this time for the admin interface.
+# For description of each option, be so kind to scroll few lines
+# upwards.
+
+#admin_min_workers = 1
+#admin_max_workers = 5
+#admin_max_clients = 5
+#admin_max_queued_clients = 5
+#admin_max_client_requests = 5
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is:
+#
+# level:match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# 'level' is the minimal level where matching messages should
+# be logged:
+#
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# A typical need is to capture information from a hypervisor driver,
+# public API entrypoints and some of the utility code. Some utility
+# code is very verbose and is generally not desired. Taking the QEMU
+# hypervisor as an example, a suitable filter string for debugging
+# might be to turn off object, json & event logging, but enable the
+# rest of the util code:
+#
+#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# level:stderr
+# output goes to stderr
+# level:syslog:name
+# use syslog for the output and use the given name as the ident
+# level:file:file_path
+# output to a file, with the given filepath
+# level:journald
+# output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the libvirtd ident:
+#log_outputs="3:syslog:libvirtd"
+
+
+##################################################################
+#
+# Auditing
+#
+# This setting allows usage of the auditing subsystem to be altered:
+#
+# audit_level == 0 -> disable all auditing
+# audit_level == 1 -> enable auditing, only if enabled on host (default)
+# audit_level == 2 -> enable auditing, and exit if disabled on host
+#
+#audit_level = 2
+#
+# If set to 1, then audit messages will also be sent
+# via libvirt logging infrastructure. Defaults to 0
+#
+#audit_logging = 1
+
+###################################################################
+# UUID of the host:
+# Host UUID is read from one of the sources specified in host_uuid_source.
+#
+# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid'
+# - 'machine-id': fetch the UUID from /etc/machine-id
+#
+# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide
+# a valid UUID a temporary UUID will be generated.
+#
+# Another option is to specify host UUID in host_uuid.
+#
+# Keep the format of the example UUID below. UUID must not have all digits
+# be the same.
+
+# NB This default all-zeros UUID will not work. Replace
+# it with the output of the 'uuidgen' command and then
+# uncomment this entry
+#host_uuid = "00000000-0000-0000-0000-000000000000"
+#host_uuid_source = "smbios"
+
+###################################################################
+# Keepalive protocol:
+# This allows libvirtd to detect broken client connections or even
+# dead clients. A keepalive message is sent to a client after
+# keepalive_interval seconds of inactivity to check if the client is
+# still responding; keepalive_count is a maximum number of keepalive
+# messages that are allowed to be sent to the client without getting
+# any response before the connection is considered broken. In other
+# words, the connection is automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the client. If keepalive_interval is set to
+# -1, libvirtd will never send keepalive requests; however clients
+# can still send them and the daemon will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+#
+# These configuration options are no longer used. There is no way to
+# restrict such clients from connecting since they first need to
+# connect in order to ask for keepalive.
+#
+#keepalive_required = 1
+#admin_keepalive_required = 1
+
+# Keepalive settings for the admin interface
+#admin_keepalive_interval = 5
+#admin_keepalive_count = 5
+
+###################################################################
+# Open vSwitch:
+# This allows to specify a timeout for openvswitch calls made by
+# libvirt. The ovs-vsctl utility is used for the configuration and
+# its timeout option is set by default to 5 seconds to avoid
+# potential infinite waits blocking libvirt.
+#
+#ovs_timeout = 5
--- /dev/null
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the <disk> devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the <disk> file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
--- /dev/null
+#
+# The default sanlock configuration requires the management
+# application to manually define <lease> elements in the
+# guest configuration, typically one lease per disk. An
+# alternative is to enable "auto disk lease" mode. In this
+# usage, libvirt will automatically create a lockspace and
+# lease for each fully qualified disk path. This works if
+# you are able to ensure stable, unique disk paths across
+# all hosts in a network.
+#
+# Uncomment this to enable automatic lease creation.
+#
+# NB: the 'host_id' parameter must be set if enabling this
+#
+#auto_disk_leases = 1
+
+#
+# The default location in which lockspaces are created when
+# automatic lease creation is enabled. For each unique disk
+# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created
+# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path.
+#
+# If this directory is on local storage, it will only protect
+# against a VM being started twice on the same host, or two
+# guests on the same host using the same disk path. If the
+# directory is on NFS, then it can protect against concurrent
+# usage across all hosts which have the share mounted.
+#
+# Recommendation is to just mount this default location as
+# an NFS volume. Uncomment this, if you would prefer the mount
+# point to be somewhere else. Moreover, please make sure
+# sanlock daemon can access the specified path.
+#
+#disk_lease_dir = "/var/lib/libvirt/sanlock"
+
+#
+# The unique ID for this host.
+#
+# IMPORTANT: *EVERY* host which can access the filesystem mounted
+# at 'disk_lease_dir' *MUST* be given a different host ID.
+#
+# This parameter has no default and must be manually set if
+# 'auto_disk_leases' is enabled
+#host_id = 1
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+#
+# Sanlock is able to kill qemu processes on IO timeout. By its internal
+# implementation, the current default is 80 seconds. If you need to adjust
+# the value change the following variable. Value of zero means use the
+# default sanlock timeout.
+#io_timeout = 0
+
+#
+# The combination of user and group under which the sanlock
+# daemon runs. Libvirt will chown created files (like
+# content of disk_lease_dir) to make sure sanlock daemon can
+# access them. Accepted values are described in qemu.conf.
+#user = "root"
+#group = "root"
--- /dev/null
+# Master configuration file for the libxl driver.
+# All settings described here are optional. If omitted, sensible
+# defaults are used.
+
+# Enable autoballooning of domain0
+#
+# By default, autoballooning of domain0 is enabled unless its memory
+# is already limited with Xen's "dom0_mem=" parameter, in which case
+# autoballooning is disabled. Override the default behavior with the
+# autoballoon setting.
+#
+#autoballoon = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files: sanlock and virtlockd. sanlock is an external
+# project which libvirt integrates with via the libvirt-lock-sanlock
+# package. virtlockd is a libvirt implementation that is enabled with
+# "lockd". Accepted values are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+# Keepalive protocol:
+# This allows the libxl driver to detect broken connections to the
+# remote libvirtd during peer-to-peer migration. A keepalive message
+# is sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent to
+# the daemon without getting any response before the connection is
+# considered broken. In other words, the connection is automatically
+# closed after approximately keepalive_interval * (keepalive_count + 1)
+# seconds since the last message was received from the daemon. If
+# keepalive_interval is set to -1, the libxl driver will not send
+# keepalive requests during peer-to-peer migration; however, the remote
+# libvirtd can still send them and source libvirtd will send responses.
+# When keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without sending
+# any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+# Nested HVM default control. In order to use nested HVM feature, this option
+# needs to be enabled, in addition to specifying <cpu mode='host-passthrough'>
+# in domain configuration. This can be overridden in domain configuration by
+# explicitly setting <feature policy='require' name='vmx'/> inside <cpu/>
+# element.
+# By default it is disabled.
+#nested_hvm = 0
--- /dev/null
+# Master configuration file for the LXC driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, log messages generated by the lxc controller go to the
+# container logfile. It is also possible to accumulate log messages
+# from all lxc controllers along with libvirtd's log outputs. In this
+# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
+# log_outputs from libvirtd.conf.
+#
+# This is disabled by default, uncomment below to enable it.
+#
+#log_with_libvirtd = 1
+
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable LXC SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 0.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-arp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-arp' chain='arp' priority='-500'>
+ <uuid>20c4b8ce-2b84-474f-a2a7-9b159c188094</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp-server
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp-server' chain='ipv4' priority='-700'>
+ <uuid>1aafb74b-f0bc-4c24-ae25-ab354d293c41</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip srcipaddr='$DHCPSERVER' protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-dhcp
+or other application using the libvirt API.
+-->
+
+<filter name='allow-dhcp' chain='ipv4' priority='-700'>
+ <uuid>ac743ac4-4e41-4596-a6bd-013165613bc7</uuid>
+ <rule action='accept' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
+ </rule>
+ <rule action='accept' direction='in' priority='100'>
+ <ip protocol='udp' srcportstart='67' dstportstart='68'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-incoming-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-incoming-ipv4' chain='ipv4' priority='-700'>
+ <uuid>07d54b53-8c78-42a4-8d95-8dedb2d7c6ec</uuid>
+ <rule action='accept' direction='in' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit allow-ipv4
+or other application using the libvirt API.
+-->
+
+<filter name='allow-ipv4' chain='ipv4' priority='-700'>
+ <uuid>d37255b2-8523-4def-b925-830db6a880a1</uuid>
+ <rule action='accept' direction='inout' priority='500'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit clean-traffic-gateway
+or other application using the libvirt API.
+-->
+
+<filter name='clean-traffic-gateway' chain='root'>
+ <uuid>615b237c-76c7-4667-bf0e-73b796f4acd1</uuid>
+ <filterref filter='no-mac-spoofing'/>
+ <filterref filter='no-ip-spoofing'/>
+ <filterref filter='no-arp-spoofing'/>
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <mac srcmacaddr='$GATEWAY_MAC'/>
+ </rule>
+ <rule action='accept' direction='out' priority='500'>
+ <mac dstmacaddr='$GATEWAY_MAC'/>
+ </rule>
+ <filterref filter='no-other-l2-traffic'/>
+ <filterref filter='qemu-announce-self'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit clean-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='clean-traffic' chain='root'>
+ <uuid>ee1d69b2-5be0-445c-9eaf-43923c89ec63</uuid>
+ <filterref filter='no-mac-spoofing'/>
+ <filterref filter='no-ip-spoofing'/>
+ <rule action='accept' direction='out' priority='-650'>
+ <mac protocolid='ipv4'/>
+ </rule>
+ <filterref filter='allow-incoming-ipv4'/>
+ <filterref filter='no-arp-spoofing'/>
+ <rule action='accept' direction='inout' priority='-500'>
+ <mac protocolid='arp'/>
+ </rule>
+ <filterref filter='no-other-l2-traffic'/>
+ <filterref filter='qemu-announce-self'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-ip-spoofing' chain='arp-ip' priority='-510'>
+ <uuid>535d335d-00fe-431d-8af6-75a421cba336</uuid>
+ <rule action='return' direction='out' priority='400'>
+ <arp arpsrcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-mac-spoofing' chain='arp-mac' priority='-520'>
+ <uuid>53735534-60ae-4526-808b-4790e3acf999</uuid>
+ <rule action='return' direction='out' priority='350'>
+ <arp arpsrcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-arp-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-arp-spoofing' chain='root'>
+ <uuid>00f043c8-f255-4936-9a6b-44f2aaee9631</uuid>
+ <filterref filter='no-arp-mac-spoofing'/>
+ <filterref filter='no-arp-ip-spoofing'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-multicast
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-multicast' chain='ipv4' priority='-700'>
+ <uuid>bf82156a-5f04-4b4f-83c8-9b2ee9864081</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <ip dstipaddr='224.0.0.0' dstipmask='4'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-ip-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-ip-spoofing' chain='ipv4-ip' priority='-710'>
+ <uuid>ea585a34-1393-413d-8a24-16a858434442</uuid>
+ <rule action='return' direction='out' priority='100'>
+ <ip srcipaddr='0.0.0.0' protocol='udp'/>
+ </rule>
+ <rule action='return' direction='out' priority='500'>
+ <ip srcipaddr='$IP'/>
+ </rule>
+ <rule action='drop' direction='out' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-broadcast
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-broadcast' chain='ipv4' priority='-700'>
+ <uuid>f95c98c4-9200-4921-a82f-eab08a7e70b2</uuid>
+ <rule action='drop' direction='out' priority='500'>
+ <mac dstmacaddr='ff:ff:ff:ff:ff:ff'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-mac-spoofing
+or other application using the libvirt API.
+-->
+
+<filter name='no-mac-spoofing' chain='mac' priority='-800'>
+ <uuid>bf5253ea-1c10-4b04-bc78-7e0f16f79f55</uuid>
+ <rule action='return' direction='out' priority='500'>
+ <mac srcmacaddr='$MAC'/>
+ </rule>
+ <rule action='drop' direction='out' priority='500'>
+ <mac/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-l2-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-l2-traffic' chain='root'>
+ <uuid>afdb30e6-62b3-4c25-b794-d67d2515d763</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit no-other-rarp-traffic
+or other application using the libvirt API.
+-->
+
+<filter name='no-other-rarp-traffic' chain='rarp' priority='-400'>
+ <uuid>1c09955e-4420-4ab3-ae29-7c91ab18b15c</uuid>
+ <rule action='drop' direction='inout' priority='1000'/>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self-rarp
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self-rarp' chain='rarp' priority='-400'>
+ <uuid>72f76118-fccb-4fa1-bf50-7baa63725c5a</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <rarp srcmacaddr='$MAC' dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+ <rule action='accept' direction='in' priority='500'>
+ <rarp dstmacaddr='ff:ff:ff:ff:ff:ff' opcode='Request_Reverse' arpsrcmacaddr='$MAC' arpdstmacaddr='$MAC' arpsrcipaddr='0.0.0.0' arpdstipaddr='0.0.0.0'/>
+ </rule>
+</filter>
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh nwfilter-edit qemu-announce-self
+or other application using the libvirt API.
+-->
+
+<filter name='qemu-announce-self' chain='root'>
+ <uuid>be0f52c8-edf8-474b-83d6-5725d9c14e4f</uuid>
+ <rule action='accept' direction='out' priority='500'>
+ <mac protocolid='0x835'/>
+ </rule>
+ <filterref filter='qemu-announce-self-rarp'/>
+ <filterref filter='no-other-rarp-traffic'/>
+</filter>
--- /dev/null
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the <disk> devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the <disk> file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
--- /dev/null
+#
+# The default sanlock configuration requires the management
+# application to manually define <lease> elements in the
+# guest configuration, typically one lease per disk. An
+# alternative is to enable "auto disk lease" mode. In this
+# usage, libvirt will automatically create a lockspace and
+# lease for each fully qualified disk path. This works if
+# you are able to ensure stable, unique disk paths across
+# all hosts in a network.
+#
+# Uncomment this to enable automatic lease creation.
+#
+# NB: the 'host_id' parameter must be set if enabling this
+#
+#auto_disk_leases = 1
+
+#
+# The default location in which lockspaces are created when
+# automatic lease creation is enabled. For each unique disk
+# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created
+# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path.
+#
+# If this directory is on local storage, it will only protect
+# against a VM being started twice on the same host, or two
+# guests on the same host using the same disk path. If the
+# directory is on NFS, then it can protect against concurrent
+# usage across all hosts which have the share mounted.
+#
+# Recommendation is to just mount this default location as
+# an NFS volume. Uncomment this, if you would prefer the mount
+# point to be somewhere else. Moreover, please make sure
+# sanlock daemon can access the specified path.
+#
+#disk_lease_dir = "/var/lib/libvirt/sanlock"
+
+#
+# The unique ID for this host.
+#
+# IMPORTANT: *EVERY* host which can access the filesystem mounted
+# at 'disk_lease_dir' *MUST* be given a different host ID.
+#
+# This parameter has no default and must be manually set if
+# 'auto_disk_leases' is enabled
+#host_id = 1
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any <lease> elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+#
+# Sanlock is able to kill qemu processes on IO timeout. By its internal
+# implementation, the current default is 80 seconds. If you need to adjust
+# the value change the following variable. Value of zero means use the
+# default sanlock timeout.
+#io_timeout = 0
+
+#
+# The combination of user and group under which the sanlock
+# daemon runs. Libvirt will chown created files (like
+# content of disk_lease_dir) to make sure sanlock daemon can
+# access them. Accepted values are described in qemu.conf.
+#user = "root"
+#group = "root"
--- /dev/null
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# and optionally may contain
+#
+# dh-params.pem - the DH params configuration file
+#
+# If the directory does not exist, libvirtd will fail to start. If the
+# directory doesn't contain the necessary files, QEMU domains will fail
+# to start if they are configured to use TLS.
+#
+# In order to overwrite the default path alter the following. This path
+# definition will be used as the default path for other *_tls_x509_cert_dir
+# configuration settings if their default path does not exist or is not
+# specifically set.
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+# The default_tls_x509_cert_dir directory must also contain
+#
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#default_tls_x509_verify = 1
+
+#
+# Libvirt assumes the server-key.pem file is unencrypted by default.
+# To use an encrypted server-key.pem file, the password to decrypt
+# the PEM file is required. This can be provided by creating a secret
+# object in libvirt and then to uncomment this setting to set the UUID
+# of the secret.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#vnc_listen = "0.0.0.0"
+
+# Enable this option to have VNC served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most VNC clients do not support it.
+#
+# This will only be enabled for VNC configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over vnc_listen.
+#
+#vnc_auto_unix_socket = 1
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#vnc_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vnc_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 bytes are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out. An empty
+# string will still enable passwords, but be rejected by QEMU,
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this.
+#
+#vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#vnc_sasl_dir = "/some/directory/sasl2"
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+#vnc_allow_host_audio = 0
+
+
+
+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#spice_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but spice_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out. An
+# empty string will still enable passwords, but be rejected by
+# QEMU, effectively preventing any use of SPICE. Obviously change
+# this example here before you set this.
+#
+#spice_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chardev_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but chardev_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#chardev_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vxhs_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a VxHS directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
+
+# Enable use of TLS encryption for all NBD disk devices that don't
+# specifically disable it.
+#
+# When the NBD server is set up appropriately, x509 certificates are required
+# for authentication between the client and the remote NBD server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#nbd_tls = 1
+
+
+# In order to override the default TLS certificate location for NBD
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the NBD block device clients to the NBD
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but nbd_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# NBD block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA certificate.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a NBD directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+
+
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default, if no graphical front end is configured, libvirt will disable
+# QEMU audio output since directly talking to alsa/pulseaudio may not work
+# with various security settings. If you know what you're doing, enable
+# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+# environment variable when using nographics.
+#
+#nographics_allow_host_audio = 1
+
+
+# Override the port for creating both VNC and SPICE sessions (min).
+# This defaults to 5900 and increases for consecutive sessions
+# or when ports are occupied, until it hits the maximum.
+#
+# Minimum must be greater than or equal to 5900 as lower number would
+# result into negative vnc display number.
+#
+# Maximum must be less than 65536, because higher numbers do not make
+# sense as a port number.
+#
+#remote_display_port_min = 5900
+#remote_display_port_max = 65535
+
+# VNC WebSocket port policies, same rules apply as with remote display
+# ports. VNC WebSockets use similar display <-> port mappings, with
+# the exception being that ports start from 5700 instead of 5900.
+#
+#remote_websocket_port_min = 5700
+#remote_websocket_port_max = 65535
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable QEMU SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead. It's also possible to use more than one security
+# driver at the same time, for this use a list of names separated by
+# comma and delimited by square brackets. For example:
+#
+# security_driver = [ "selinux", "apparmor" ]
+#
+# Notes: The DAC security driver is always enabled; as a result, the
+# value of security_driver cannot contain "dac". The value "none" is
+# a special value; security_driver can be set to that value in
+# isolation, but it cannot appear in a list of drivers.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 1.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
+
+# The user for QEMU processes run by the system instance. It can be
+# specified as a user name or as a user id. The qemu driver will try to
+# parse this value first as a name and then, if the name doesn't exist,
+# as a user id.
+#
+# Since a sequence of digits is a valid user name, a leading plus sign
+# can be used to ensure that a user id will not be interpreted as a user
+# name.
+#
+# By default libvirt runs VMs as non-root and uses AppArmor profiles
+# to provide host protection and VM isolation. While AppArmor
+# continues to provide this protection when the VMs are running as
+# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is
+# allowed by default in the AppArmor security policy, so malicious VMs
+# running as root would have direct access to this file. If changing this
+# to run as root, you may want to remove this access from
+# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see:
+# https://launchpad.net/bugs/1815910
+# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html
+#
+# Some examples of valid values are:
+#
+# user = "qemu" # A user named "qemu"
+# user = "+0" # Super user (uid=0)
+# user = "100" # A user named "100" or a user with uid=100
+#
+#user = "root"
+
+# The group for QEMU processes run by the system instance. It can be
+# specified in a similar way to user.
+#group = "root"
+
+# Whether libvirt should dynamically change file ownership
+# to match the configured user/group above. Defaults to 1.
+# Set to 0 to disable file ownership changes.
+#dynamic_ownership = 1
+
+# Whether libvirt should remember and restore the original
+# ownership over files it is relabeling. Defaults to 1, set
+# to 0 to disable the feature.
+#remember_owner = 1
+
+# What cgroup controllers to make use of with QEMU guests
+#
+# - 'cpu' - use for scheduler tunables
+# - 'devices' - use for device whitelisting
+# - 'memory' - use for memory tunables
+# - 'blkio' - use for block devices I/O tunables
+# - 'cpuset' - use for CPUs and memory nodes
+# - 'cpuacct' - use for CPUs statistics.
+#
+# NB, even if configured here, they won't be used unless
+# the administrator has mounted cgroups, e.g.:
+#
+# mkdir /dev/cgroup
+# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+#
+# They can be mounted anywhere, and different controllers
+# can be mounted in different locations. libvirt will detect
+# where they are located.
+#
+#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
+# This is the basic set of devices allowed / required by
+# all virtual machines.
+#
+# As well as this, any configured block backed disks,
+# all sound device, and all PTY devices are allowed.
+#
+# This will only need setting if newer QEMU suddenly
+# wants some device we don't already know about.
+#
+#cgroup_device_acl = [
+# "/dev/null", "/dev/full", "/dev/zero",
+# "/dev/random", "/dev/urandom",
+# "/dev/ptmx", "/dev/kvm",
+# "/dev/rtc","/dev/hpet"
+#]
+#
+# RDMA migration requires the following extra files to be added to the list:
+# "/dev/infiniband/rdma_cm",
+# "/dev/infiniband/issm0",
+# "/dev/infiniband/issm1",
+# "/dev/infiniband/umad0",
+# "/dev/infiniband/umad1",
+# "/dev/infiniband/uverbs0"
+
+
+# The default format for QEMU/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file. If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space. If you would like to compress the images while they
+# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+# for save_image_format. Note that this means you slow down the process of
+# saving a domain in order to save disk space; the list above is in descending
+# order by performance and ascending order by compression ratio.
+#
+# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+# at scheduled saving, and it is an error if the specified save_image_format
+# is not valid, or the requested compression program can't be found.
+#
+# dump_image_format is used when you use 'virsh dump' at emergency
+# crashdump, and if the specified dump_image_format is not valid, or
+# the requested compression program can't be found, this falls
+# back to "raw" compression.
+#
+# snapshot_image_format specifies the compression algorithm of the memory save
+# image when an external snapshot of a domain is taken. This does not apply
+# on disk image format. It is an error if the specified format isn't valid,
+# or the requested compression program can't be found.
+#
+#save_image_format = "raw"
+#dump_image_format = "raw"
+#snapshot_image_format = "raw"
+
+# When a domain is configured to be auto-dumped when libvirtd receives a
+# watchdog event from qemu guest, libvirtd will save dump files in directory
+# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+#
+#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
+# When a domain is configured to be auto-dumped, enabling this flag
+# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+# virDomainCoreDump API. That is, the system will avoid using the
+# file system cache while writing the dump file, but may cause
+# slower operation.
+#
+#auto_dump_bypass_cache = 0
+
+# When a domain is configured to be auto-started, enabling this flag
+# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+# with the virDomainCreateWithFlags API. That is, the system will
+# avoid using the file system cache when restoring any managed state
+# file, but may cause slower operation.
+#
+#auto_start_bypass_cache = 0
+
+# If provided by the host and a hugetlbfs mount point is configured,
+# a guest may request huge page backing. When this mount point is
+# unspecified here, determination of a host mount point in /proc/mounts
+# will be attempted. Specifying an explicit mount overrides detection
+# of the same in /proc/mounts. Setting the mount point to "" will
+# disable guest hugepage backing. If desired, multiple mount points can
+# be specified at once, separated by comma and enclosed in square
+# brackets, for example:
+#
+# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"]
+#
+# The size of huge page served by specific mount point is determined by
+# libvirt at the daemon startup.
+#
+# NB, within these mount points, guests will create memory backing
+# files in a location of $MOUNTPOINT/libvirt/qemu
+#
+#hugetlbfs_mount = "/dev/hugepages"
+
+
+# Path to the setuid helper for creating tap devices. This executable
+# is used to create <source type='bridge'> interfaces when libvirtd is
+# running unprivileged. libvirt invokes the helper directly, instead
+# of using "-netdev bridge", for security reasons.
+#bridge_helper = "/usr/libexec/qemu-bridge-helper"
+
+
+# If enabled, libvirt will have QEMU set its process name to
+# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU
+# process will appear as "qemu:VM_NAME" in process listings and
+# other system monitoring tools. By default, QEMU does not set
+# its process title, so the complete QEMU command (emulator and
+# its arguments) appear in process listings.
+#
+#set_process_name = 1
+
+
+# If max_processes is set to a positive integer, libvirt will use
+# it to set the maximum number of processes that can be run by qemu
+# user. This can be used to override default value set by host OS.
+# The same applies to max_files which sets the limit on the maximum
+# number of opened files.
+#
+#max_processes = 0
+#max_files = 0
+
+# If max_threads_per_process is set to a positive integer, libvirt
+# will use it to set the maximum number of threads that can be
+# created by a qemu process. Some VM configurations can result in
+# qemu processes with tens of thousands of threads. systemd-based
+# systems typically limit the number of threads per process to
+# 16k. max_threads_per_process can be used to override default
+# limits in the host OS.
+#
+#max_threads_per_process = 0
+
+# If max_core is set to a non-zero integer, then QEMU will be
+# permitted to create core dumps when it crashes, provided its
+# RAM size is smaller than the limit set.
+#
+# Be warned that the core dump will include a full copy of the
+# guest RAM, if the 'dump_guest_core' setting has been enabled,
+# or if the guest XML contains
+#
+# <memory dumpcore="on">...guest ram...</memory>
+#
+# If guest RAM is to be included, ensure the max_core limit
+# is set to at least the size of the largest expected guest
+# plus another 1GB for any QEMU host side memory mappings.
+#
+# As a special case it can be set to the string "unlimited" to
+# to allow arbitrarily sized core dumps.
+#
+# By default the core dump size is set to 0 disabling all dumps
+#
+# Size is a positive integer specifying bytes or the
+# string "unlimited"
+#
+#max_core = "unlimited"
+
+# Determine if guest RAM is included in QEMU core dumps. By
+# default guest RAM will be excluded if a new enough QEMU is
+# present. Setting this to '1' will force guest RAM to always
+# be included in QEMU core dumps.
+#
+# This setting will be ignored if the guest XML has set the
+# dumpcore attribute on the <memory> element.
+#
+#dump_guest_core = 1
+
+# mac_filter enables MAC addressed based filtering on bridge ports.
+# This currently requires ebtables to be installed.
+#
+#mac_filter = 1
+
+
+# By default, PCI devices below non-ACS switch are not allowed to be assigned
+# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to
+# be assigned to guests.
+#
+#relaxed_acs_check = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files. The first one is sanlock, the other one,
+# virtlockd, is then our own implementation. Accepted values
+# are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+# Set limit of maximum APIs queued on one domain. All other APIs
+# over this threshold will fail on acquiring job lock. Specially,
+# setting to zero turns this feature off.
+# Note, that job lock is per domain.
+#
+#max_queued = 0
+
+###################################################################
+# Keepalive protocol:
+# This allows qemu driver to detect broken connections to remote
+# libvirtd during peer-to-peer migration. A keepalive message is
+# sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent
+# to the daemon without getting any response before the connection
+# is considered broken. In other words, the connection is
+# automatically closed approximately after
+# keepalive_interval * (keepalive_count + 1) seconds since the last
+# message received from the daemon. If keepalive_interval is set to
+# -1, qemu driver will not send keepalive requests during
+# peer-to-peer migration; however, the remote libvirtd can still
+# send them and source libvirtd will send responses. When
+# keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without
+# sending any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+
+
+# Use seccomp syscall sandbox in QEMU.
+# 1 == seccomp enabled, 0 == seccomp disabled
+#
+# If it is unset (or -1), then seccomp will be enabled
+# only if QEMU >= 2.11.0 is detected, otherwise it is
+# left disabled. This ensures the default config gets
+# protection for new QEMU using the blacklist approach.
+#
+#seccomp_sandbox = 1
+
+
+# Override the listen address for all incoming migrations. Defaults to
+# 0.0.0.0, or :: if both host and qemu are capable of IPv6.
+#migration_address = "0.0.0.0"
+
+
+# The default hostname or IP address which will be used by a migration
+# source for transferring migration data to this host. The migration
+# source has to be able to resolve this hostname and connect to it so
+# setting "localhost" will not work. By default, the host's configured
+# hostname is used.
+#migration_host = "host.example.com"
+
+
+# Override the port range used for incoming migrations.
+#
+# Minimum must be greater than 0, however when QEMU is not running as root,
+# setting the minimum to be lower than 1024 will not work.
+#
+# Maximum must not be greater than 65535.
+#
+#migration_port_min = 49152
+#migration_port_max = 49215
+
+
+
+# Timestamp QEMU's log messages (if QEMU supports it)
+#
+# Defaults to 1.
+#
+#log_timestamp = 0
+
+
+# Location of master nvram file
+#
+# This configuration option is obsolete. Libvirt will follow the
+# QEMU firmware metadata specification to automatically locate
+# firmware images. See docs/interop/firmware.json in the QEMU
+# source tree. These metadata files are distributed alongside any
+# firmware images intended for use with QEMU.
+#
+# NOTE: if ANY firmware metadata files are detected, this setting
+# will be COMPLETELY IGNORED.
+#
+# ------------------------------------------
+#
+# When a domain is configured to use UEFI instead of standard
+# BIOS it may use a separate storage for UEFI variables. If
+# that's the case libvirt creates the variable store per domain
+# using this master file as image. Each UEFI firmware can,
+# however, have different variables store. Therefore the nvram is
+# a list of strings when a single item is in form of:
+# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}.
+# Later, when libvirt creates per domain variable store, this list is
+# searched for the master image. The UEFI firmware can be called
+# differently for different guest architectures. For instance, it's OVMF
+# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default
+# follows this scheme.
+#nvram = [
+# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd",
+# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd",
+# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd",
+# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd",
+# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd"
+#]
+
+# The backend to use for handling stdout/stderr output from
+# QEMU processes.
+#
+# 'file': QEMU writes directly to a plain file. This is the
+# historical default, but allows QEMU to inflict a
+# denial of service attack on the host by exhausting
+# filesystem space
+#
+# 'logd': QEMU writes to a pipe provided by virtlogd daemon.
+# This is the current default, providing protection
+# against denial of service by performing log file
+# rollover when a size limit is hit.
+#
+#stdio_handler = "logd"
+
+# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
+# most verbose, and 0 representing no debugging output.
+#
+# The current logging levels defined in the gluster GFAPI are:
+#
+# 0 - None
+# 1 - Emergency
+# 2 - Alert
+# 3 - Critical
+# 4 - Error
+# 5 - Warning
+# 6 - Notice
+# 7 - Info
+# 8 - Debug
+# 9 - Trace
+#
+# Defaults to 4
+#
+#gluster_debug_level = 9
+
+# To enhance security, QEMU driver is capable of creating private namespaces
+# for each domain started. Well, so far only "mount" namespace is supported. If
+# enabled it means qemu process is unable to see all the devices on the system,
+# only those configured for the domain in question. Libvirt then manages
+# devices entries throughout the domain lifetime. This namespace is turned on
+# by default.
+#namespaces = [ "mount" ]
+
+# This directory is used for memoryBacking source if configured as file.
+# NOTE: big files will be stored here
+#memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
+# Path to the SCSI persistent reservations helper. This helper is
+# used whenever <reservations/> are enabled for SCSI LUN devices.
+#pr_helper = "/usr/bin/qemu-pr-helper"
+
+# Path to the SLIRP networking helper.
+#slirp_helper = "/usr/bin/slirp-helper"
+
+# User for the swtpm TPM Emulator
+#
+# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
+# and uses; alternative is 'root'
+#
+#swtpm_user = "tss"
+#swtpm_group = "tss"
+
+# For debugging and testing purposes it's sometimes useful to be able to disable
+# libvirt behaviour based on the capabilities of the qemu process. This option
+# allows to do so. DO _NOT_ use in production and beaware that the behaviour
+# may change across versions.
+#
+#capability_filters = [ "capname" ]
--- /dev/null
+/etc/libvirt/qemu/networks/default.xml
\ No newline at end of file
--- /dev/null
+<!--
+WARNING: THIS IS AN AUTO-GENERATED FILE. CHANGES TO IT ARE LIKELY TO BE
+OVERWRITTEN AND LOST. Changes to this xml configuration should be made using:
+ virsh net-edit default
+or other application using the libvirt API.
+-->
+
+<network>
+ <name>default</name>
+ <uuid>dd567aef-0d2a-405d-90b9-f69e9e53754f</uuid>
+ <forward mode='nat'/>
+ <bridge name='virbr0' stp='on' delay='0'/>
+ <mac address='52:54:00:68:68:93'/>
+ <ip address='192.168.122.1' netmask='255.255.255.0'>
+ <dhcp>
+ <range start='192.168.122.2' end='192.168.122.254'/>
+ </dhcp>
+ </ip>
+</network>
--- /dev/null
+# Master configuration file for the virt-login-shell program.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, virt-login-shell will connect you to a container running
+# with the /bin/sh program. Modify the shell variable if you want your
+# users to run a different shell or a setup container when joining a
+# container.
+#
+# This can either be just the path to a shell binary:
+#
+# shell = "/bin/bash"
+#
+# Or can be the path and extra arguments
+#
+# shell = [ "/bin/bash", "--posix" ]
+#
+# Note there is no need to pass a '--login' / '-l' argument since
+# virt-login-shell will always request a login shell
+
+# Normally virt-login-shell will always use the shell identified
+# by the 'shell' configuration setting above. If the container
+# is running a full OS, it might be desirable to allow the choice
+# of shell to be delegated to the owner of the shell, by querying
+# the /etc/passwd file inside the container
+#
+# To allow for that, uncomment the following:
+# auto_shell = 1
+#
+# NB, this should /not/ be used if any container is sharing the
+# host filesystem /etc, as this would cause virt-login-shell to
+# look at the host's /etc/passwd finding itself as the listed
+# shell. Hilarious recursion would then ensue.
+
+# allowed_users specifies the user names of all users that are allowed to
+# execute virt-login-shell. You can specify the users as a comma
+# separated list of usernames or user groups.
+# The list of names support glob syntax.
+# To disallow all users (default)
+# allowed_users = []
+# If you do not specify any names (default) then no one is allowed
+# to use this executable.
+# To allow fred and joe only
+# allowed_users = ["fred", "joe"]
+# To allow all users within a specific group prefix the group name with %.
+# allowed_users = ["%engineers"]
+# To allow all users specify the following
+# allowed_users = [ "*" ]
--- /dev/null
+# Master virtlockd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is:
+#
+# level:match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# 'level' is the minimal level where matching messages should
+# be logged:
+#
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# For the virtlockd daemon, a typical need is to capture information
+# from the locking code and some of the utility code. Some utility
+# code is very verbose and is generally not desired. A suitable filter
+# string for debugging might be to turn off object, json & event logging,
+# but enable the rest of the util and the locking code:
+#
+#log_filters="1:locking 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# level:stderr
+# output goes to stderr
+# level:syslog:name
+# use syslog for the output and use the given name as the ident
+# level:file:file_path
+# output to a file, with the given filepath
+# level:journald
+# output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlockd ident:
+#log_outputs="3:syslog:virtlockd"
+#
+
+# The maximum number of concurrent client connections to allow
+# on primary socket
+# Each running virtual machine will require one open connection
+# to virtlockd. So 'max_clients' will affect how many VMs can
+# be run on a host
+#max_clients = 1024
+
+# The maximum number of concurrent client connections to allow
+# on administrative socket
+#admin_max_clients = 5
--- /dev/null
+# Master virtlogd daemon configuration file
+#
+
+#################################################################
+#
+# Logging controls
+#
+
+# Logging level: 4 errors, 3 warnings, 2 information, 1 debug
+# basically 1 will log everything possible
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#
+# WARNING: It outputs too much information to practically read.
+# WARNING: The "log_filters" setting is recommended instead.
+#
+# WARNING: Journald applies rate limiting of messages and so libvirt
+# WARNING: will limit "log_level" to only allow values 3 or 4 if
+# WARNING: journald is the current output.
+#
+# WARNING: USE OF THIS IS STRONGLY DISCOURAGED.
+#log_level = 3
+
+# Logging filters:
+# A filter allows to select a different logging level for a given category
+# of logs. The format for a filter is:
+#
+# level:match
+#
+# where 'match' is a string which is matched against the category
+# given in the VIR_LOG_INIT() at the top of each libvirt source
+# file, e.g., "remote", "qemu", or "util.json". The 'match' in the
+# filter matches using shell wildcard syntax (see 'man glob(7)').
+# The 'match' is always treated as a substring match. IOW a match
+# string 'foo' is equivalent to '*foo*'.
+#
+# 'level' is the minimal level where matching messages should
+# be logged:
+#
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple filters can be defined in a single @log_filters, they just need
+# to be separated by spaces. Note that libvirt performs "first" match, i.e.
+# if there are concurrent filters, the first one that matches will be applied,
+# given the order in @log_filters.
+#
+# For the virtlogd daemon, a typical need is to capture information
+# from the logging code and some of the utility code. Some utility
+# code is very verbose and is generally not desired. A suitable filter
+# string for debugging might be to turn off object, json & event logging,
+# but enable the rest of the util and the logging code:
+#
+#log_filters="1:logging 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# level:stderr
+# output goes to stderr
+# level:syslog:name
+# use syslog for the output and use the given name as the ident
+# level:file:file_path
+# output to a file, with the given filepath
+# level:journald
+# output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlogd ident:
+#log_outputs="3:syslog:virtlogd"
+#
+
+# The maximum number of concurrent client connections to allow
+# on primary socket
+#max_clients = 1024
+
+# The maximum number of concurrent client connections to allow
+# on administrative socket
+#admin_max_clients = 5
+
+# Maximum file size before rolling over. Defaults to 2 MB
+#
+# Beware that a logrotate config file might be installed too,
+# to handle cases where virtlogd is disabled. To ensure that
+# the logrotate config is a no-op when virtlogd is running,
+# make sure that max_size here is smaller than size listed
+# in the logrotate config.
+#max_size = 2097152
+
+# Maximum number of backup files to keep. Defaults to 3,
+# not including the primary active file
+#max_backups = 3
--- /dev/null
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
--- /dev/null
+/var/log/libvirt/libxl/*.log {
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
--- /dev/null
+/var/log/libvirt/lxc/*.log {
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
--- /dev/null
+/var/log/libvirt/qemu/*.log {
+ # The QEMU driver is configured to use virtlogd by
+ # default, which will perform log rollover.
+ # This logrotate config is still installed for cases
+ # where the user has switched off virtlogd.
+ #
+ # If virtlogd is active, ensure that size here is
+ # larger than 'max_size' in the virtlogd config
+ # so that logrotate becomes a no-op
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
x-scheme-handler/rdp; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
x-scheme-handler/spice; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
x-scheme-handler/vnc; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
+x-scheme-handler/spice; remote-viewer %s; test=test -n "$DISPLAY"
+application/x-virt-viewer; remote-viewer %s; test=test -n "$DISPLAY"
x-content/audio-player; rhythmbox-client --select-source %s; test=test -n "$DISPLAY"
x-content/audio-cdda; rhythmbox-client --select-source %s; test=test -n "$DISPLAY"
x-scheme-handler/sgnl; /opt/Signal/signal-desktop --no-sandbox %s; test=test -n "$DISPLAY"
shadow: compat
gshadow: files
-hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
+hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname mymachines
networks: files
protocols: db files
nx:x:135:1015::/var/NX/nx:/etc/NX/nxserver
tss:x:136:147:TPM software stack,,,:/var/lib/tpm:/bin/false
gpsd:x:137:20:GPSD system user,,,:/run/gpsd:/bin/false
+libvirt-qemu:x:64055:139:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:138:149:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
dump1090:x:134:65534::/usr/share/dump1090-mutability:/usr/sbin/nologin
nx:x:135:1015::/var/NX/nx:/etc/NX/nxserver
tss:x:136:147:TPM software stack,,,:/var/lib/tpm:/bin/false
-gpsd:x:137:20::/run/gpsd:/bin/false
+gpsd:x:137:20:GPSD system user,,,:/run/gpsd:/bin/false
+libvirt-qemu:x:64055:139:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:138:149::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
--- /dev/null
+#!/bin/sh
+# libvirt-uri.sh - Automatically switch default libvirt URI for user
+# Copyright (C) 2015 Canonical Ltd.
+#
+# Authors: Stefan Bader <stefan.bader@canonical.com>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+LIBVIRT_DEFAULT_URI="qemu:///system"
+if [ -f /proc/xen/capabilities ]; then
+ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then
+ LIBVIRT_DEFAULT_URI="xen:///"
+ fi
+fi
+
+export LIBVIRT_DEFAULT_URI
+
--- /dev/null
+# If you want to use the non-TLS socket, then you *must* pick a
+# mechanism which provides session encryption as well as
+# authentication.
+#
+# If you are only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# If you are only using UNIX, sockets then encryption is not
+# required at all.
+#
+# Since SASL is the default for the libvirtd non-TLS socket, we
+# pick a strong mechanism by default.
+#
+# NB, previously DIGEST-MD5 was set as the default mechanism for
+# libvirt. Per RFC 6331 this is vulnerable to many serious security
+# flaws and should no longer be used. Thus GSSAPI is now the default.
+#
+# To use GSSAPI requires that a libvirtd service principal is
+# added to the Kerberos server for each host running libvirtd.
+# This principal needs to be exported to the keytab file listed below
+mech_list: gssapi
+
+# If using a TLS socket or UNIX socket only, it is possible to
+# enable plugins which don't provide session encryption. The
+# 'scram-sha-1' plugin allows plain username/password authentication
+# to be performed
+#
+#mech_list: scram-sha-1
+
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: scram-sha-1 gssapi
+
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+#
+keytab: /etc/libvirt/krb5.tab
+
+# If using scram-sha-1 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
+#sasldb_path: /etc/libvirt/passwd.db
nx:*:18347:0:99999:7:::
tss:*:18407:0:99999:7:::
gpsd:*:18409:0:99999:7:::
+libvirt-qemu:!:18454:0:99999:7:::
+libvirt-dnsmasq:!:18454:0:99999:7:::
nx:*:18347:0:99999:7:::
tss:*:18407:0:99999:7:::
gpsd:*:18409:0:99999:7:::
+libvirt-qemu:!:18454:0:99999:7:::
+libvirt-dnsmasq:!:18454:0:99999:7:::
--- /dev/null
+/lib/systemd/system/libvirt-guests.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/machines.target
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirtd-admin.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirtd-ro.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/libvirtd.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlockd-admin.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlockd.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlogd-admin.socket
\ No newline at end of file
--- /dev/null
+/lib/systemd/system/virtlogd.socket
\ No newline at end of file
projects / zenbook / commitdiff