From 05c751e89d8867874e4656467be79222ef4f7f96 Mon Sep 17 00:00:00 2001 
From: root Date: Sat, 11 Jul 2020 21:50:09 +0200 Subject: [PATCH] committing changes in /etc made by "apt-get install virt-manager" Package changes: +gir1.2-gtk-vnc-2.0 1.0.0-1build1 amd64 +gir1.2-libosinfo-1.0 1.7.1-1 amd64 +gir1.2-libvirt-glib-1.0 3.0.0-1 amd64 +gir1.2-spiceclientglib-2.0 0.37-2fakesync1 amd64 +gir1.2-spiceclientgtk-3.0 0.37-2fakesync1 amd64 +libgovirt-common 0.3.4-3.1 all +libgovirt2 0.3.4-3.1 amd64 +libgtk-vnc-2.0-0 1.0.0-1build1 amd64 +libgvnc-1.0-0 1.0.0-1build1 amd64 +libnss-mymachines 245.4-4ubuntu3.1 amd64 +libosinfo-1.0-0 1.7.1-1 amd64 +libphodav-2.0-0 2.4-1 amd64 +libphodav-2.0-common 2.4-1 all +libspice-client-glib-2.0-8 0.37-2fakesync1 amd64 +libspice-client-gtk-3.0-5 0.37-2fakesync1 amd64 +libusbredirhost1 0.8.0-1 amd64 +libvirt-clients 6.0.0-0ubuntu8.1 amd64 +libvirt-daemon 6.0.0-0ubuntu8.1 amd64 +libvirt-daemon-driver-qemu 6.0.0-0ubuntu8.1 amd64 +libvirt-daemon-driver-storage-rbd 6.0.0-0ubuntu8.1 amd64 +libvirt-daemon-system 6.0.0-0ubuntu8.1 amd64 +libvirt-daemon-system-systemd 6.0.0-0ubuntu8.1 amd64 +libvirt-glib-1.0-0 3.0.0-1 amd64 +libvirt0 6.0.0-0ubuntu8.1 amd64 +osinfo-db 0.20200325-1 all +python3-libvirt 6.1.0-1 amd64 +spice-client-glib-usb-acl-helper 0.37-2fakesync1 amd64 +systemd-container 245.4-4ubuntu3.1 amd64 +virt-manager 1:2.2.1-3ubuntu2 all +virt-viewer 7.0-2build1 amd64 +virtinst 1:2.2.1-3ubuntu2 all --- .etckeeper | 65 ++ apparmor.d/abstractions/libvirt-lxc | 116 +++ apparmor.d/abstractions/libvirt-qemu | 268 ++++++ apparmor.d/libvirt/TEMPLATE.lxc | 15 + apparmor.d/libvirt/TEMPLATE.qemu | 9 + apparmor.d/local/abstractions/libvirt-qemu | 0 .../local/usr.lib.libvirt.virt-aa-helper | 0 apparmor.d/local/usr.sbin.libvirtd | 0 apparmor.d/usr.lib.libvirt.virt-aa-helper | 95 ++ apparmor.d/usr.sbin.libvirtd | 139 +++ default/libvirt-guests | 50 + default/libvirtd | 19 + default/virtlockd | 3 + default/virtlogd | 3 + dnsmasq.d-available/libvirt-daemon | 2 + dnsmasq.d/libvirt-daemon | 1 + group | 3 + group- | 3 + gshadow | 3 + 
gshadow- | 3 + libvirt/libvirt-admin.conf | 16 + libvirt/libvirt.conf | 18 + libvirt/libvirtd.conf | 503 ++++++++++ libvirt/libxl-lockd.conf | 67 ++ libvirt/libxl-sanlock.conf | 69 ++ libvirt/libxl.conf | 51 ++ libvirt/lxc.conf | 31 + libvirt/nwfilter/allow-arp.xml | 11 + libvirt/nwfilter/allow-dhcp-server.xml | 16 + libvirt/nwfilter/allow-dhcp.xml | 16 + libvirt/nwfilter/allow-incoming-ipv4.xml | 11 + libvirt/nwfilter/allow-ipv4.xml | 11 + libvirt/nwfilter/clean-traffic-gateway.xml | 24 + libvirt/nwfilter/clean-traffic.xml | 22 + libvirt/nwfilter/no-arp-ip-spoofing.xml | 14 + libvirt/nwfilter/no-arp-mac-spoofing.xml | 14 + libvirt/nwfilter/no-arp-spoofing.xml | 12 + libvirt/nwfilter/no-ip-multicast.xml | 13 + libvirt/nwfilter/no-ip-spoofing.xml | 17 + libvirt/nwfilter/no-mac-broadcast.xml | 13 + libvirt/nwfilter/no-mac-spoofing.xml | 16 + libvirt/nwfilter/no-other-l2-traffic.xml | 11 + libvirt/nwfilter/no-other-rarp-traffic.xml | 11 + libvirt/nwfilter/qemu-announce-self-rarp.xml | 16 + libvirt/nwfilter/qemu-announce-self.xml | 15 + libvirt/qemu-lockd.conf | 67 ++ libvirt/qemu-sanlock.conf | 69 ++ libvirt/qemu.conf | 856 ++++++++++++++++++ libvirt/qemu/networks/autostart/default.xml | 1 + libvirt/qemu/networks/default.xml | 19 + libvirt/virt-login-shell.conf | 48 + libvirt/virtlockd.conf | 89 ++ libvirt/virtlogd.conf | 99 ++ logrotate.d/libvirtd | 9 + logrotate.d/libvirtd.libxl | 8 + logrotate.d/libvirtd.lxc | 8 + logrotate.d/libvirtd.qemu | 16 + mailcap | 2 + nsswitch.conf | 2 +- passwd | 2 + passwd- | 4 +- profile.d/libvirt-uri.sh | 27 + sasl2/libvirt.conf | 45 + shadow | 2 + shadow- | 2 + .../libvirt-guests.service | 1 + .../multi-user.target.wants/libvirtd.service | 1 + .../multi-user.target.wants/machines.target | 1 + .../libvirtd-admin.socket | 1 + .../sockets.target.wants/libvirtd-ro.socket | 1 + .../sockets.target.wants/libvirtd.socket | 1 + .../virtlockd-admin.socket | 1 + .../sockets.target.wants/virtlockd.socket | 1 + .../virtlogd-admin.socket | 1 + 
.../sockets.target.wants/virtlogd.socket | 1 + 75 files changed, 3198 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/abstractions/libvirt-lxc create mode 100644 apparmor.d/abstractions/libvirt-qemu create mode 100644 apparmor.d/libvirt/TEMPLATE.lxc create mode 100644 apparmor.d/libvirt/TEMPLATE.qemu create mode 100644 apparmor.d/local/abstractions/libvirt-qemu create mode 100644 apparmor.d/local/usr.lib.libvirt.virt-aa-helper create mode 100644 apparmor.d/local/usr.sbin.libvirtd create mode 100644 apparmor.d/usr.lib.libvirt.virt-aa-helper create mode 100644 apparmor.d/usr.sbin.libvirtd create mode 100644 default/libvirt-guests create mode 100644 default/libvirtd create mode 100644 default/virtlockd create mode 100644 default/virtlogd create mode 100644 dnsmasq.d-available/libvirt-daemon create mode 120000 dnsmasq.d/libvirt-daemon create mode 100644 libvirt/libvirt-admin.conf create mode 100644 libvirt/libvirt.conf create mode 100644 libvirt/libvirtd.conf create mode 100644 libvirt/libxl-lockd.conf create mode 100644 libvirt/libxl-sanlock.conf create mode 100644 libvirt/libxl.conf create mode 100644 libvirt/lxc.conf create mode 100644 libvirt/nwfilter/allow-arp.xml create mode 100644 libvirt/nwfilter/allow-dhcp-server.xml create mode 100644 libvirt/nwfilter/allow-dhcp.xml create mode 100644 libvirt/nwfilter/allow-incoming-ipv4.xml create mode 100644 libvirt/nwfilter/allow-ipv4.xml create mode 100644 libvirt/nwfilter/clean-traffic-gateway.xml create mode 100644 libvirt/nwfilter/clean-traffic.xml create mode 100644 libvirt/nwfilter/no-arp-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-arp-spoofing.xml create mode 100644 libvirt/nwfilter/no-ip-multicast.xml create mode 100644 libvirt/nwfilter/no-ip-spoofing.xml create mode 100644 libvirt/nwfilter/no-mac-broadcast.xml create mode 100644 libvirt/nwfilter/no-mac-spoofing.xml create mode 100644 libvirt/nwfilter/no-other-l2-traffic.xml create 
mode 100644 libvirt/nwfilter/no-other-rarp-traffic.xml create mode 100644 libvirt/nwfilter/qemu-announce-self-rarp.xml create mode 100644 libvirt/nwfilter/qemu-announce-self.xml create mode 100644 libvirt/qemu-lockd.conf create mode 100644 libvirt/qemu-sanlock.conf create mode 100644 libvirt/qemu.conf create mode 120000 libvirt/qemu/networks/autostart/default.xml create mode 100644 libvirt/qemu/networks/default.xml create mode 100644 libvirt/virt-login-shell.conf create mode 100644 libvirt/virtlockd.conf create mode 100644 libvirt/virtlogd.conf create mode 100644 logrotate.d/libvirtd create mode 100644 logrotate.d/libvirtd.libxl create mode 100644 logrotate.d/libvirtd.lxc create mode 100644 logrotate.d/libvirtd.qemu create mode 100644 profile.d/libvirt-uri.sh create mode 100644 sasl2/libvirt.conf create mode 120000 systemd/system/multi-user.target.wants/libvirt-guests.service create mode 120000 systemd/system/multi-user.target.wants/libvirtd.service create mode 120000 systemd/system/multi-user.target.wants/machines.target create mode 120000 systemd/system/sockets.target.wants/libvirtd-admin.socket create mode 120000 systemd/system/sockets.target.wants/libvirtd-ro.socket create mode 120000 systemd/system/sockets.target.wants/libvirtd.socket create mode 120000 systemd/system/sockets.target.wants/virtlockd-admin.socket create mode 120000 systemd/system/sockets.target.wants/virtlockd.socket create mode 120000 systemd/system/sockets.target.wants/virtlogd-admin.socket create mode 120000 systemd/system/sockets.target.wants/virtlogd.socket
diff --git a/.etckeeper b/.etckeeper
index 21fa3c0..cb26232 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -38,6 +38,8 @@ mkdir -p './initramfs-tools/scripts/panic'
 mkdir -p './insserv/overrides'
 mkdir -p './kernel/install.d'
 mkdir -p './libpaper.d'
+mkdir -p './libvirt/hooks'
+mkdir -p './libvirt/secrets'
 mkdir -p './lightdm/lightdm.conf.d'
 mkdir -p './logcheck/violations.ignore.d'
 mkdir -p './netplan'
@@ -567,6 +569,8 @@ maybe chmod 0644 'apparmor.d/abstractions/kde-language-write' maybe chmod 0644 'apparmor.d/abstractions/kerberosclient' maybe chmod 0644 'apparmor.d/abstractions/ldapclient' maybe chmod 0644 'apparmor.d/abstractions/libpam-systemd' +maybe chmod 0644 'apparmor.d/abstractions/libvirt-lxc' +maybe chmod 0644 'apparmor.d/abstractions/libvirt-qemu' maybe chmod 0644 'apparmor.d/abstractions/lightdm' maybe chmod 0644 'apparmor.d/abstractions/lightdm_chromium-browser' maybe chmod 0644 'apparmor.d/abstractions/likewise' @@ -645,9 +649,14 @@ maybe chmod 0644 'apparmor.d/abstractions/xad' maybe chmod 0644 'apparmor.d/abstractions/xdg-desktop' maybe chmod 0755 'apparmor.d/disable' maybe chmod 0755 'apparmor.d/force-complain' +maybe chmod 0755 'apparmor.d/libvirt' +maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.lxc' +maybe chmod 0644 'apparmor.d/libvirt/TEMPLATE.qemu' maybe chmod 0644 'apparmor.d/lightdm-guest-session' maybe chmod 0755 'apparmor.d/local' maybe chmod 0644 'apparmor.d/local/README' +maybe chmod 0755 'apparmor.d/local/abstractions' +maybe chmod 0644 'apparmor.d/local/abstractions/libvirt-qemu' maybe chmod 0644 'apparmor.d/local/lsb_release' maybe chmod 0644 'apparmor.d/local/nvidia_modprobe' maybe chmod 0644 'apparmor.d/local/sbin.dhclient' @@ -658,6 +667,7 @@ maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.oosplash' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/local/usr.lib.libreoffice.program.xpdfimport' +maybe chmod 0644 'apparmor.d/local/usr.lib.libvirt.virt-aa-helper' maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine' maybe chmod 0644 'apparmor.d/local/usr.lib.snapd.snap-confine.real' maybe chmod 0644 'apparmor.d/local/usr.lib.telepathy' 
@@ -665,6 +675,7 @@ maybe chmod 0644 'apparmor.d/local/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/local/usr.sbin.cupsd' maybe chmod 0644 'apparmor.d/local/usr.sbin.gpsd' maybe chmod 0644 'apparmor.d/local/usr.sbin.ippusbxd' +maybe chmod 0644 'apparmor.d/local/usr.sbin.libvirtd' maybe chmod 0644 'apparmor.d/local/usr.sbin.ntpd' maybe chmod 0644 'apparmor.d/local/usr.sbin.rsyslogd' maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump' @@ -699,12 +710,14 @@ maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.oosplash' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.senddoc' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.soffice.bin' maybe chmod 0644 'apparmor.d/usr.lib.libreoffice.program.xpdfimport' +maybe chmod 0644 'apparmor.d/usr.lib.libvirt.virt-aa-helper' maybe chmod 0644 'apparmor.d/usr.lib.snapd.snap-confine.real' maybe chmod 0644 'apparmor.d/usr.lib.telepathy' maybe chmod 0644 'apparmor.d/usr.sbin.cups-browsed' maybe chmod 0644 'apparmor.d/usr.sbin.cupsd' maybe chmod 0644 'apparmor.d/usr.sbin.gpsd' maybe chmod 0644 'apparmor.d/usr.sbin.ippusbxd' +maybe chmod 0644 'apparmor.d/usr.sbin.libvirtd' maybe chmod 0644 'apparmor.d/usr.sbin.mysqld' maybe chmod 0644 'apparmor.d/usr.sbin.ntpd' maybe chmod 0644 'apparmor.d/usr.sbin.rsyslogd' @@ -1582,6 +1595,8 @@ maybe chmod 0644 'default/intel-microcode' maybe chmod 0644 'default/irqbalance' maybe chmod 0644 'default/kerneloops' maybe chmod 0664 'default/keyboard' +maybe chmod 0644 'default/libvirt-guests' +maybe chmod 0644 'default/libvirtd' maybe chmod 0644 'default/locale' maybe chmod 0644 'default/motd-news' maybe chmod 0644 'default/mysql' @@ -1601,6 +1616,8 @@ maybe chmod 0644 'default/ssh' maybe chmod 0644 'default/sysstat' maybe chmod 0644 'default/ufw' maybe chmod 0644 'default/useradd' +maybe chmod 0644 'default/virtlockd' +maybe chmod 0644 'default/virtlogd' maybe chmod 0644 'deluser.conf' maybe chmod 0755 'depmod.d' maybe chmod 0644 'depmod.d/ubuntu.conf' 
@@ -1644,6 +1661,8 @@ maybe chmod 0755 'dkms/template-dkms-mkdeb/debian/rules'
 maybe chmod 0644 'dleyna-renderer-service.conf'
 maybe chmod 0644 'dleyna-server-service.conf'
 maybe chmod 0755 'dnsmasq.d'
+maybe chmod 0755 'dnsmasq.d-available'
+maybe chmod 0644 'dnsmasq.d-available/libvirt-daemon'
 maybe chmod 0644 'dnsmasq.d/network-manager'
 maybe chmod 0755 'doc-base'
 maybe chmod 0755 'doc-base/documents'
@@ -2297,6 +2316,45 @@ maybe chmod 0755 'libreoffice' maybe chmod 0644 'libreoffice/psprint.conf' maybe chmod 0644 'libreoffice/soffice.sh' maybe chmod 0644 'libreoffice/sofficerc' +maybe chmod 0755 'libvirt' +maybe chmod 0755 'libvirt/hooks' +maybe chmod 0644 'libvirt/libvirt-admin.conf' +maybe chmod 0644 'libvirt/libvirt.conf' +maybe chmod 0644 'libvirt/libvirtd.conf' +maybe chmod 0644 'libvirt/libxl-lockd.conf' +maybe chmod 0644 'libvirt/libxl-sanlock.conf' +maybe chmod 0644 'libvirt/libxl.conf' +maybe chmod 0644 'libvirt/lxc.conf' +maybe chmod 0755 'libvirt/nwfilter' +maybe chmod 0600 'libvirt/nwfilter/allow-arp.xml' +maybe chmod 0600 'libvirt/nwfilter/allow-dhcp-server.xml' +maybe chmod 0600 'libvirt/nwfilter/allow-dhcp.xml' +maybe chmod 0600 'libvirt/nwfilter/allow-incoming-ipv4.xml' +maybe chmod 0600 'libvirt/nwfilter/allow-ipv4.xml' +maybe chmod 0600 'libvirt/nwfilter/clean-traffic-gateway.xml' +maybe chmod 0600 'libvirt/nwfilter/clean-traffic.xml' +maybe chmod 0600 'libvirt/nwfilter/no-arp-ip-spoofing.xml' +maybe chmod 0600 'libvirt/nwfilter/no-arp-mac-spoofing.xml' +maybe chmod 0600 'libvirt/nwfilter/no-arp-spoofing.xml' +maybe chmod 0600 'libvirt/nwfilter/no-ip-multicast.xml' +maybe chmod 0600 'libvirt/nwfilter/no-ip-spoofing.xml' +maybe chmod 0600 'libvirt/nwfilter/no-mac-broadcast.xml' +maybe chmod 0600 'libvirt/nwfilter/no-mac-spoofing.xml' +maybe chmod 0600 'libvirt/nwfilter/no-other-l2-traffic.xml' +maybe chmod 0600 'libvirt/nwfilter/no-other-rarp-traffic.xml' +maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self-rarp.xml' +maybe chmod 0600 'libvirt/nwfilter/qemu-announce-self.xml' +maybe chmod 0755 'libvirt/qemu' +maybe chmod 0644 'libvirt/qemu-lockd.conf' +maybe chmod 0644 'libvirt/qemu-sanlock.conf' +maybe chmod 0600 'libvirt/qemu.conf' +maybe chmod 0755 'libvirt/qemu/networks' +maybe chmod 0755 'libvirt/qemu/networks/autostart' +maybe chmod 0600 'libvirt/qemu/networks/default.xml' +maybe chmod 0700 'libvirt/secrets' +maybe chmod 0644 
'libvirt/virt-login-shell.conf' +maybe chmod 0644 'libvirt/virtlockd.conf' +maybe chmod 0644 'libvirt/virtlogd.conf' maybe chmod 0755 'lightdm' maybe chmod 0755 'lightdm/lightdm.conf.d' maybe chmod 0644 'lightdm/users.conf' @@ -2363,6 +2421,10 @@ maybe chmod 0644 'logrotate.d/cups-daemon' maybe chmod 0644 'logrotate.d/dpkg' maybe chmod 0644 'logrotate.d/dump1090-mutability' maybe chmod 0644 'logrotate.d/iptraf-ng' +maybe chmod 0644 'logrotate.d/libvirtd' +maybe chmod 0644 'logrotate.d/libvirtd.libxl' +maybe chmod 0644 'logrotate.d/libvirtd.lxc' +maybe chmod 0644 'logrotate.d/libvirtd.qemu' maybe chmod 0644 'logrotate.d/lightdm' maybe chmod 0644 'logrotate.d/lighttpd' maybe chmod 0644 'logrotate.d/mongodb-server' @@ -2853,6 +2915,7 @@ maybe chmod 0644 'profile.d/gawk.csh' maybe chmod 0644 'profile.d/gawk.sh' maybe chmod 0755 'profile.d/jdk.csh' maybe chmod 0755 'profile.d/jdk.sh' +maybe chmod 0644 'profile.d/libvirt-uri.sh' maybe chmod 0644 'profile.d/vte-2.91.sh' maybe chmod 0644 'profile.d/vte.csh' maybe chmod 0644 'profile.d/xdg_dirs_desktop_session.sh' @@ -3018,6 +3081,8 @@ maybe chmod 0644 'sane.d/umax.conf' maybe chmod 0644 'sane.d/umax1220u.conf' maybe chmod 0644 'sane.d/umax_pp.conf' maybe chmod 0644 'sane.d/xerox_mfp.conf' +maybe chmod 0755 'sasl2' +maybe chmod 0644 'sasl2/libvirt.conf' maybe chmod 0755 'scalpel' maybe chmod 0644 'scalpel/scalpel.conf' maybe chmod 0644 'screenrc' diff --git a/apparmor.d/abstractions/libvirt-lxc b/apparmor.d/abstractions/libvirt-lxc new file mode 100644 index 0000000..4bfb503 --- /dev/null +++ b/apparmor.d/abstractions/libvirt-lxc 
@@ -0,0 +1,116 @@ +# Last Modified: Fri Feb 7 13:01:36 2014 + + #include + + umount, + + # ignore DENIED message on / remount + deny mount options=(ro, remount) -> /, + + # allow tmpfs mounts everywhere + mount fstype=tmpfs, + + # allow mqueue mounts everywhere + mount fstype=mqueue, + + # allow fuse mounts everywhere + mount fstype=fuse.*, + + # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted + mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/, + deny @{PROC}/sys/fs/** wklx, + + # allow efivars to be mounted, writing to it will be blocked though + mount fstype=efivarfs -> /sys/firmware/efi/efivars/, + + # block some other dangerous paths + deny @{PROC}/sysrq-trigger rwklx, + deny @{PROC}/mem rwklx, + deny @{PROC}/kmem rwklx, + + # deny writes in /sys except for /sys/fs/cgroup, also allow + # fusectl, securityfs and debugfs to be mounted there (read-only) + mount fstype=fusectl -> /sys/fs/fuse/connections/, + mount fstype=securityfs -> /sys/kernel/security/, + mount fstype=debugfs -> /sys/kernel/debug/, + mount fstype=proc -> /proc/, + mount fstype=sysfs -> /sys/, + deny /sys/firmware/efi/efivars/** rwklx, + deny /sys/kernel/security/** rwklx, + + # generated by: lxc-generate-aa-rules.py container-rules.base + deny /proc/sys/[^kn]*{,/**} wklx, + deny /proc/sys/k[^e]*{,/**} wklx, + deny /proc/sys/ke[^r]*{,/**} wklx, + deny /proc/sys/ker[^n]*{,/**} wklx, + deny /proc/sys/kern[^e]*{,/**} wklx, + deny /proc/sys/kerne[^l]*{,/**} wklx, + deny /proc/sys/kernel/[^smhd]*{,/**} wklx, + deny /proc/sys/kernel/d[^o]*{,/**} wklx, + deny /proc/sys/kernel/do[^m]*{,/**} wklx, + deny /proc/sys/kernel/dom[^a]*{,/**} wklx, + deny /proc/sys/kernel/doma[^i]*{,/**} wklx, + deny /proc/sys/kernel/domai[^n]*{,/**} wklx, + deny /proc/sys/kernel/domain[^n]*{,/**} wklx, + deny /proc/sys/kernel/domainn[^a]*{,/**} wklx, + deny /proc/sys/kernel/domainna[^m]*{,/**} wklx, + deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/domainname?*{,/**} wklx, + deny 
/proc/sys/kernel/h[^o]*{,/**} wklx, + deny /proc/sys/kernel/ho[^s]*{,/**} wklx, + deny /proc/sys/kernel/hos[^t]*{,/**} wklx, + deny /proc/sys/kernel/host[^n]*{,/**} wklx, + deny /proc/sys/kernel/hostn[^a]*{,/**} wklx, + deny /proc/sys/kernel/hostna[^m]*{,/**} wklx, + deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx, + deny /proc/sys/kernel/hostname?*{,/**} wklx, + deny /proc/sys/kernel/m[^s]*{,/**} wklx, + deny /proc/sys/kernel/ms[^g]*{,/**} wklx, + deny /proc/sys/kernel/msg*/** wklx, + deny /proc/sys/kernel/s[^he]*{,/**} wklx, + deny /proc/sys/kernel/se[^m]*{,/**} wklx, + deny /proc/sys/kernel/sem*/** wklx, + deny /proc/sys/kernel/sh[^m]*{,/**} wklx, + deny /proc/sys/kernel/shm*/** wklx, + deny /proc/sys/kernel?*{,/**} wklx, + deny /proc/sys/n[^e]*{,/**} wklx, + deny /proc/sys/ne[^t]*{,/**} wklx, + deny /proc/sys/net?*{,/**} wklx, + deny /sys/[^fdc]*{,/**} wklx, + deny /sys/c[^l]*{,/**} wklx, + deny /sys/cl[^a]*{,/**} wklx, + deny /sys/cla[^s]*{,/**} wklx, + deny /sys/clas[^s]*{,/**} wklx, + deny /sys/class/[^n]*{,/**} wklx, + deny /sys/class/n[^e]*{,/**} wklx, + deny /sys/class/ne[^t]*{,/**} wklx, + deny /sys/class/net?*{,/**} wklx, + deny /sys/class?*{,/**} wklx, + deny /sys/d[^e]*{,/**} wklx, + deny /sys/de[^v]*{,/**} wklx, + deny /sys/dev[^i]*{,/**} wklx, + deny /sys/devi[^c]*{,/**} wklx, + deny /sys/devic[^e]*{,/**} wklx, + deny /sys/device[^s]*{,/**} wklx, + deny /sys/devices/[^v]*{,/**} wklx, + deny /sys/devices/v[^i]*{,/**} wklx, + deny /sys/devices/vi[^r]*{,/**} wklx, + deny /sys/devices/vir[^t]*{,/**} wklx, + deny /sys/devices/virt[^u]*{,/**} wklx, + deny /sys/devices/virtu[^a]*{,/**} wklx, + deny /sys/devices/virtua[^l]*{,/**} wklx, + deny /sys/devices/virtual/[^n]*{,/**} wklx, + deny /sys/devices/virtual/n[^e]*{,/**} wklx, + deny /sys/devices/virtual/ne[^t]*{,/**} wklx, + deny /sys/devices/virtual/net?*{,/**} wklx, + deny /sys/devices/virtual?*{,/**} wklx, + deny /sys/devices?*{,/**} wklx, + deny /sys/f[^s]*{,/**} wklx, + deny /sys/fs/[^c]*{,/**} wklx, + 
deny /sys/fs/c[^g]*{,/**} wklx, + deny /sys/fs/cg[^r]*{,/**} wklx, + deny /sys/fs/cgr[^o]*{,/**} wklx, + deny /sys/fs/cgro[^u]*{,/**} wklx, + deny /sys/fs/cgrou[^p]*{,/**} wklx, + deny /sys/fs/cgroup?*{,/**} wklx, + deny /sys/fs?*{,/**} wklx, diff --git a/apparmor.d/abstractions/libvirt-qemu b/apparmor.d/abstractions/libvirt-qemu new file mode 100644 index 0000000..5c5210c --- /dev/null +++ b/apparmor.d/abstractions/libvirt-qemu 
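Review bot: The `#include` directive near the top of this hunk (`+ #include`) carries no target, which apparmor_parser should reject as a syntax error; the same bare `#include` lines appear in the libvirt-qemu abstraction, TEMPLATE.lxc, TEMPLATE.qemu and usr.lib.libvirt.virt-aa-helper hunks. Most likely the angle-bracketed target (e.g. `<abstractions/base>`) was stripped when the patch was rendered rather than being absent from the installed files, so this should be confirmed against /etc/apparmor.d/abstractions/libvirt-lxc on the host before treating it as a defect. If the rendered text is what was actually committed, the etckeeper history could not be used to restore a working profile, which is the main reason to check. The long `deny /proc/sys/...` and `deny /sys/...` run is marked as generated by lxc-generate-aa-rules.py, so presumably it should be regenerated rather than hand-edited if the coverage ever needs to change.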
@@ -0,0 +1,268 @@
+# Last Modified: Wed Sep 3 21:52:03 2014
+
+ #include
+ #include
+ #include
+
+ # required for reading disk images
+ capability dac_override,
+ capability dac_read_search,
+ capability chown,
+
+ # needed to drop privileges
+ capability setgid,
+ capability setuid,
+
+ # for 9p
+ capability fsetid,
+ capability fowner,
+
+ network inet stream,
+ network inet6 stream,
+
+ ptrace (readby, tracedby) peer=libvirtd,
+ ptrace (readby, tracedby) peer=/usr/sbin/libvirtd,
+
+ signal (receive) peer=libvirtd,
+ signal (receive) peer=/usr/sbin/libvirtd,
+
+ /dev/net/tun rw,
+ /dev/kvm rw,
+ /dev/ptmx rw,
+ @{PROC}/*/status r,
+ # When qemu is signaled to terminate, it will read cmdline of signaling
+ # process for reporting purposes. Allowing read access to a process
+ # cmdline may leak sensitive information embedded in the cmdline.
+ @{PROC}/@{pid}/cmdline r,
+ # Per man(5) proc, the kernel enforces that a thread may
+ # only modify its comm value or those in its thread group.
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ @{PROC}/sys/kernel/cap_last_cap r,
+ owner @{PROC}/*/auxv r,
+ @{PROC}/sys/vm/overcommit_memory r,
+
+ # For hostdev access. The actual devices will be added dynamically
+ /sys/bus/usb/devices/ r,
+ /sys/devices/**/usb[0-9]*/** r,
+ # libusb needs udev data about usb devices (~equal to content of lsusb -v)
+ /run/udev/data/c16[6,7]* r,
+ /run/udev/data/c18[0,8,9]* r,
+ /run/udev/data/+usb* r,
+
+ # WARNING: this gives the guest direct access to host hardware and specific
+ # portions of shared memory. This is required for sound using ALSA with kvm,
+ # but may constitute a security risk. If your environment does not require
+ # the use of sound in your VMs, feel free to comment out or prepend 'deny' to
+ # the rules for files in /dev.
+ /{dev,run}/shm r, + /{dev,run}/shmpulse-shm* r, + /{dev,run}/shmpulse-shm* rwk, + /dev/snd/* rw, + capability ipc_lock, + # spice + owner /{dev,run}/shm/spice.* rw, + # 'kill' is not required for sound and is a security risk. Do not enable + # unless you absolutely need it. + deny capability kill, + + # Uncomment the following if you need access to /dev/fb* + #/dev/fb* rw, + + /etc/pulse/client.conf r, + @{HOME}/.pulse-cookie rwk, + owner /root/.pulse-cookie rwk, + owner /root/.pulse/ rw, + owner /root/.pulse/* rw, + /usr/share/alsa/** r, + owner /tmp/pulse-*/ rw, + owner /tmp/pulse-*/* rw, + /var/lib/dbus/machine-id r, + + # access to firmware's etc + /usr/share/kvm/** r, + /usr/share/qemu/** r, + /usr/share/qemu-kvm/** r, + /usr/share/bochs/** r, + /usr/share/openbios/** r, + /usr/share/openhackware/** r, + /usr/share/proll/** r, + /usr/share/vgabios/** r, + /usr/share/seabios/** r, + /usr/share/misc/sgabios.bin r, + /usr/share/ovmf/** r, + /usr/share/OVMF/** r, + /usr/share/AAVMF/** r, + /usr/share/qemu-efi/** r, + /usr/share/slof/** r, + + # pki for libvirt-vnc and libvirt-spice (LP: #901272, #1690140) + /etc/pki/CA/ r, + /etc/pki/CA/* r, + /etc/pki/libvirt{,-spice,-vnc}/ r, + /etc/pki/libvirt{,-spice,-vnc}/** r, + /etc/pki/qemu/ r, + /etc/pki/qemu/** r, + + # the various binaries + /usr/bin/kvm rmix, + /usr/bin/qemu rmix, + /usr/bin/qemu-kvm rmix, + /usr/bin/qemu-system-aarch64 rmix, + /usr/bin/qemu-system-alpha rmix, + /usr/bin/qemu-system-arm rmix, + /usr/bin/qemu-system-cris rmix, + /usr/bin/qemu-system-hppa rmix, + /usr/bin/qemu-system-i386 rmix, + /usr/bin/qemu-system-lm32 rmix, + /usr/bin/qemu-system-m68k rmix, + /usr/bin/qemu-system-microblaze rmix, + /usr/bin/qemu-system-microblazeel rmix, + /usr/bin/qemu-system-mips rmix, + /usr/bin/qemu-system-mips64 rmix, + /usr/bin/qemu-system-mips64el rmix, + /usr/bin/qemu-system-mipsel rmix, + /usr/bin/qemu-system-moxie rmix, + /usr/bin/qemu-system-nios2 rmix, + /usr/bin/qemu-system-or1k rmix, + 
/usr/bin/qemu-system-or32 rmix, + /usr/bin/qemu-system-ppc rmix, + /usr/bin/qemu-system-ppc64 rmix, + /usr/bin/qemu-system-ppcemb rmix, + /usr/bin/qemu-system-riscv32 rmix, + /usr/bin/qemu-system-riscv64 rmix, + /usr/bin/qemu-system-s390x rmix, + /usr/bin/qemu-system-sh4 rmix, + /usr/bin/qemu-system-sh4eb rmix, + /usr/bin/qemu-system-sparc rmix, + /usr/bin/qemu-system-sparc64 rmix, + /usr/bin/qemu-system-tricore rmix, + /usr/bin/qemu-system-unicore32 rmix, + /usr/bin/qemu-system-x86_64 rmix, + /usr/bin/qemu-system-xtensa rmix, + /usr/bin/qemu-system-xtensaeb rmix, + /usr/bin/qemu-aarch64 rmix, + /usr/bin/qemu-alpha rmix, + /usr/bin/qemu-arm rmix, + /usr/bin/qemu-armeb rmix, + /usr/bin/qemu-cris rmix, + /usr/bin/qemu-i386 rmix, + /usr/bin/qemu-m68k rmix, + /usr/bin/qemu-microblaze rmix, + /usr/bin/qemu-microblazeel rmix, + /usr/bin/qemu-mips rmix, + /usr/bin/qemu-mips64 rmix, + /usr/bin/qemu-mips64el rmix, + /usr/bin/qemu-mipsel rmix, + /usr/bin/qemu-mipsn32 rmix, + /usr/bin/qemu-mipsn32el rmix, + /usr/bin/qemu-or32 rmix, + /usr/bin/qemu-ppc rmix, + /usr/bin/qemu-ppc64 rmix, + /usr/bin/qemu-ppc64abi32 rmix, + /usr/bin/qemu-ppc64le rmix, + /usr/bin/qemu-s390x rmix, + /usr/bin/qemu-sh4 rmix, + /usr/bin/qemu-sh4eb rmix, + /usr/bin/qemu-sparc rmix, + /usr/bin/qemu-sparc32plus rmix, + /usr/bin/qemu-sparc64 rmix, + /usr/bin/qemu-unicore32 rmix, + /usr/bin/qemu-x86_64 rmix, + # for Debian/Ubuntu qemu-block-extra / RPMs qemu-block-* (LP: #1554761) + /usr/{lib,lib64}/qemu/*.so mr, + /usr/lib/@{multiarch}/qemu/*.so mr, + + # let qemu load old shared objects after upgrades (LP: #1847361) + /{var/,}run/qemu/*/*.so mr, + # but explicitly deny with auditing writing to these files + audit deny /{var/,}run/qemu/*/*.so w, + + # swtpm + /{usr/,}bin/swtpm rmix, + /usr/{lib,lib64}/libswtpm_libtpms.so mr, + /usr/lib/@{multiarch}/libswtpm_libtpms.so mr, + + # for save and resume + /{usr/,}bin/dash rmix, + /{usr/,}bin/dd rmix, + /{usr/,}bin/cat rmix, + + # for restore + /{usr/,}bin/bash 
rmix, + + # for usb access + /dev/bus/usb/ r, + /etc/udev/udev.conf r, + /sys/bus/ r, + /sys/class/ r, + + # for rbd + /etc/ceph/ceph.conf r, + + # Various functions will need to enumerate /tmp (e.g. ceph), allow the base + # dir and a few known functions like samba support. + # We want to avoid to give blanket rw permission to everything under /tmp, + # users are expected to add site specific addons for more uncommon cases. + # Qemu processes usually all run as the same users, so the "owner" + # restriction prevents access to other services files, but not across + # different instances. + # This is a tradeoff between usability and security - if paths would be more + # predictable that would be preferred - at least for write rules we would + # want more unique paths per rule. + /{,var/}tmp/ r, + owner /{,var/}tmp/**/ r, + + # for file-posix getting limits since 9103f1ce + /sys/devices/**/block/*/queue/max_segments r, + + # for ppc device-tree access + @{PROC}/device-tree/ r, + @{PROC}/device-tree/** r, + /sys/firmware/devicetree/** r, + + # allow connect with openGraphicsFD to work + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + unix (send, receive) type=stream addr=none peer=(label=/usr/sbin/libvirtd), + + # allow access to charm-specific ceph config (LP: #1403648). 
+ # No more silencing spurious denials as it can more critically hide other issues (LP: #1719579)
+ # Also allow the optional asok key that might be enabled by the charm (LP: #1779674)
+ /var/lib/charm/*/ceph.conf r,
+ /run/ceph/rbd-client-*.asok rw,
+
+ # kvm.powerpc executes/accesses this
+ /{usr/,}bin/uname rmix,
+ /{usr/,}sbin/ppc64_cpu rmix,
+ /{usr/,}bin/grep rmix,
+ /sys/devices/system/cpu/subcores_per_core r,
+ /sys/devices/system/cpu/cpu*/online r,
+
+ # for gathering information about available host resources
+ /sys/devices/system/cpu/ r,
+ /sys/devices/system/node/ r,
+ /sys/devices/system/node/node[0-9]*/meminfo r,
+ /sys/module/vhost/parameters/max_mem_regions r,
+
+ # silence refusals to open lttng files (see LP: #1432644)
+ deny /dev/shm/lttng-ust-wait-* r,
+ deny /run/shm/lttng-ust-wait-* r,
+
+ # for vfio hotplug on systems without static vfio (LP: #1775777)
+ /dev/vfio/vfio rw,
+
+ # for vhost-net/vsock/scsi hotplug (LP: #1815910)
+ /dev/vhost-net rw,
+ /dev/vhost-vsock rw,
+ /dev/vhost-scsi rw,
+
+ # required for sasl GSSAPI plugin
+ /etc/gss/mech.d/ r,
+ /etc/gss/mech.d/* r,
+
+ # required by libpmem init to fts_open()/fts_read() the symlinks in
+ # /sys/bus/nd/devices
+ / r, # harmless on any lsb compliant system
+ /sys/bus/nd/devices/{,**/} r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
diff --git a/apparmor.d/libvirt/TEMPLATE.lxc b/apparmor.d/libvirt/TEMPLATE.lxc
new file mode 100644
index 0000000..f1005dc
--- /dev/null
+++ b/apparmor.d/libvirt/TEMPLATE.lxc
@@ -0,0 +1,15 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include
+
+ # Globally allows everything to run under this profile
+ # These can be narrowed depending on the container's use.
+ file,
+ capability,
+ network,
+}
diff --git a/apparmor.d/libvirt/TEMPLATE.qemu b/apparmor.d/libvirt/TEMPLATE.qemu
new file mode 100644
index 0000000..a327315
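Review bot: `@{HOME}/.pulse-cookie rwk,` in the pulse section of this hunk grants every process under the abstraction read/write/lock access to the pulse cookie in any user's home, while the adjacent `owner /root/.pulse-cookie rwk,` and `owner /root/.pulse/ rw,` rules are owner-restricted; the inconsistency looks unintentional, and `owner @{HOME}/.pulse-cookie rwk,` would match the rest of the section. The two `/{dev,run}/shmpulse-shm*` rules a few lines above appear to be missing the `/` before `pulse-shm*`: as written they match a file literally named `shmpulse-shm*` directly under /dev or /run rather than anything under /dev/shm/, so they are presumably dead rules, and the `r` one is in any case subsumed by the `rwk` one. Because this abstraction is shipped by the libvirt package, any site tightening belongs in apparmor.d/local/abstractions/libvirt-qemu, which this commit creates empty, rather than in the shipped file where a package upgrade would overwrite it.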
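Review bot: The `file,`, `capability,` and `network,` rules in the TEMPLATE.lxc hunk grant unrestricted file, capability and network access, so a per-domain profile produced from this template (the header says it is keyed by the domain's UUID) is effectively unconfined beyond whatever the included abstraction denies; the comment says the rules "can be narrowed" but nothing in the commit does so. Since the template is presumably the starting point for every new LXC domain on this host, the grant is a host-wide default rather than a per-container choice, which the header should say, e.g. `# NOTE: file/capability/network below are unrestricted; narrowing them here changes the default for every LXC domain on this host.` The TEMPLATE.qemu hunk on the next line has no such blanket rules, which makes the asymmetry between the two templates worth a sentence in the comment as well.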
--- /dev/null
+++ b/apparmor.d/libvirt/TEMPLATE.qemu
@@ -0,0 +1,9 @@
+#
+# This profile is for the domain whose UUID matches this file.
+#
+
+#include
+
+profile LIBVIRT_TEMPLATE flags=(attach_disconnected) {
+ #include
+}
diff --git a/apparmor.d/local/abstractions/libvirt-qemu b/apparmor.d/local/abstractions/libvirt-qemu
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.lib.libvirt.virt-aa-helper b/apparmor.d/local/usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/local/usr.sbin.libvirtd b/apparmor.d/local/usr.sbin.libvirtd
new file mode 100644
index 0000000..e69de29
diff --git a/apparmor.d/usr.lib.libvirt.virt-aa-helper b/apparmor.d/usr.lib.libvirt.virt-aa-helper
new file mode 100644
index 0000000..6fbfb6e
--- /dev/null
+++ b/apparmor.d/usr.lib.libvirt.virt-aa-helper
@@ -0,0 +1,95 @@ +# Last Modified: Mon Apr 5 15:10:27 2010 +#include + +profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { + #include + #include + #include + + # needed for searching directories + capability dac_override, + capability dac_read_search, + + # needed for when disk is on a network filesystem + network inet, + network inet6, + + deny @{PROC}/[0-9]*/mounts r, + @{PROC}/[0-9]*/net/psched r, + owner @{PROC}/[0-9]*/status r, + @{PROC}/filesystems r, + + # Used when internally running another command (namely apparmor_parser) + @{PROC}/@{pid}/fd/ r, + + /etc/libnl-3/classid r, + + # for gl enabled graphics + /dev/dri/{,*} r, + + # for hostdev + /sys/devices/ r, + /sys/devices/** r, + /sys/bus/usb/devices/ r, + deny /dev/sd* r, + deny /dev/vd* r, + deny /dev/dm-* r, + deny /dev/drbd[0-9]* r, + deny /dev/dasd* r, + deny /dev/nvme* r, + deny /dev/zd[0-9]* r, + deny /dev/mapper/ r, + deny /dev/mapper/* r, + + /usr/{lib,lib64}/libvirt/virt-aa-helper mr, + /{usr/,}sbin/apparmor_parser Ux, + + # for openvswitch + /{,var/}run/** rw, + + /etc/apparmor.d/libvirt/* r, + /etc/apparmor.d/libvirt/libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* rw, + + # for backingstore -- allow access to non-hidden files in @{HOME} as well + # as storage pools + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + @{HOME}/ r, + @{HOME}/** r, + /var/lib/libvirt/images/ r, + /var/lib/libvirt/images/** r, + # nova base images (LP: #907269) + /var/lib/nova/images/** r, + /var/lib/nova/instances/_base/** r, + # nova snapshots (LP: #1244694) + /var/lib/nova/instances/snapshots/** r, + # nova base/snapshot files in snapped nova (LP: #1644507) + /var/snap/nova-hypervisor/common/instances/_base/** r, + /var/snap/nova-hypervisor/common/instances/snapshots/** r, + # eucalyptus (LP: #564914) + /var/lib/eucalyptus/instances/**/disk* r, + # eucalyptus loader (LP: #637544) + 
/var/lib/eucalyptus/instances/**/loader* r, + # for uvtool + /var/lib/uvtool/libvirt/images/** r, + # for multipass + /var/snap/multipass/common/data/multipassd/vault/instances/** r, + /{media,mnt,opt,srv}/** r, + # For virt-sandbox + /{,var/}run/libvirt/**/[sv]d[a-z] r, + + /**.img r, + /**.raw r, + /**.qcow{,2} r, + /**.qed r, + /**.vmdk r, + /**.vhd r, + /**.[iI][sS][oO] r, + /**/disk{,.*} r, + + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/apparmor.d/usr.sbin.libvirtd b/apparmor.d/usr.sbin.libvirtd new file mode 100644 index 0000000..77052d9 --- /dev/null +++ b/apparmor.d/usr.sbin.libvirtd 
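Review bot: The rule `/{,var/}run/** rw,` in the middle of this profile grants write access to everything under /run, inside the one profile that is also allowed to execute apparmor_parser unconfined (`/{usr/,}sbin/apparmor_parser Ux,`) and to write the per-guest profiles under /etc/apparmor.d/libvirt/, and the only justification recorded is `# for openvswitch`. Because the libvirtd profile deliberately funnels all profile loading through this helper, that rule deserves a comment naming the openvswitch runtime paths it actually needs, and ideally a narrower rule in the site-local override file added in this commit rather than all of /run. Note also that the `#include` lines in this rendering carry no argument; the on-disk profile presumably has the usual `<tunables/global>`-style targets, which this view cannot confirm.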
@@ -0,0 +1,139 @@ +# Last Modified: Mon Apr 5 15:03:58 2010 +#include +@{LIBVIRT}="libvirt" + +profile libvirtd /usr/sbin/libvirtd flags=(attach_disconnected) { + #include + #include + + capability kill, + capability net_admin, + capability net_raw, + capability setgid, + capability sys_admin, + capability sys_module, + capability sys_ptrace, + capability sys_pacct, + capability sys_nice, + capability sys_chroot, + capability setuid, + capability dac_override, + capability dac_read_search, + capability fowner, + capability chown, + capability setpcap, + capability mknod, + capability fsetid, + capability audit_write, + capability ipc_lock, + + # Needed for vfio + capability sys_resource, + + mount options=(rw,rslave) -> /, + mount options=(rw, nosuid) -> /{var/,}run/libvirt/qemu/*.dev/, + + # libvirt provides any mounts under /dev to qemu namespaces + mount options=(rw, move) /dev/ -> /{,var/}run/libvirt/qemu/*.dev/, + mount options=(rw, move) /dev/** -> /{,var/}run/libvirt/qemu/*{,/}, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*.dev/ -> /dev/, + mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**, + + network inet stream, + network inet dgram, + network inet6 stream, + network inet6 dgram, + network netlink raw, + network packet dgram, + network packet raw, + + # for --p2p migrations + unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none), + + ptrace (read,trace) peer=unconfined, + ptrace (read,trace) peer=@{profile_name}, + ptrace (read,trace) peer=dnsmasq, + ptrace (read,trace) peer=/usr/sbin/dnsmasq, + ptrace (read,trace) peer=libvirt-*, + + signal (send) peer=dnsmasq, + signal (send) peer=/usr/sbin/dnsmasq, + signal (read, send) peer=libvirt-*, + signal (send) set=("kill", "term") peer=unconfined, + + # For communication/control to qemu-bridge-helper + unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper), + signal (send) set=("term") peer=libvirtd//qemu_bridge_helper, + + # allow 
connect with openGraphicsFD, direction reversed in newer versions + unix (send, receive) type=stream addr=none peer=(label=libvirt-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*), + # unconfined also required if guests run without security module + unix (send, receive) type=stream addr=none peer=(label=unconfined), + + # required if guests run unconfined seclabel type='none' but libvirtd is confined + signal (read, send) peer=unconfined, + + # Very lenient profile for libvirtd since we want to first focus on confining + # the guests. Guests will have a very restricted profile. + / r, + /** rwmkl, + + /bin/* PUx, + /sbin/* PUx, + /usr/bin/* PUx, + /usr/sbin/virtlogd pix, + /usr/sbin/* PUx, + /{usr/,}lib/udev/scsi_id PUx, + /usr/{lib,lib64}/xen-common/bin/xen-toolstack PUx, + /usr/{lib,lib64}/xen/bin/* Ux, + /usr/lib/xen-*/bin/libxl-save-helper PUx, + /usr/lib/xen-*/bin/pygrub PUx, + /usr/{lib,lib64,lib/qemu,libexec}/vhost-user-gpu PUx, + + # Required by nwfilter_ebiptables_driver.c:ebiptablesWriteToTempFile() to + # read and run an ebtables script. 
+ /var/lib/libvirt/virtd* ixr, + + # force the use of virt-aa-helper + audit deny /{usr/,}sbin/apparmor_parser rwxl, + audit deny /etc/apparmor.d/libvirt/** wxl, + audit deny /sys/kernel/security/apparmor/features rwxl, + audit deny /sys/kernel/security/apparmor/matching rwxl, + audit deny /sys/kernel/security/apparmor/.* rwxl, + /sys/kernel/security/apparmor/profiles r, + /usr/{lib,lib64}/libvirt/* PUxr, + /usr/{lib,lib64}/libvirt/libvirt_parthelper ix, + /usr/{lib,lib64}/libvirt/libvirt_iohelper ix, + /etc/libvirt/hooks/** rmix, + /etc/xen/scripts/** rmix, + + # allow changing to our UUID-based named profiles + change_profile -> @{LIBVIRT}-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper, + # child profile for bridge helper process + profile qemu_bridge_helper { + #include + + capability setuid, + capability setgid, + capability setpcap, + capability net_admin, + + network inet stream, + + # For communication/control from libvirtd + unix (send, receive) type=stream addr=none peer=(label=libvirtd), + signal (receive) set=("term") peer=/usr/sbin/libvirtd, + signal (receive) set=("term") peer=libvirtd, + + /dev/net/tun rw, + /etc/qemu/** r, + owner @{PROC}/*/status r, + + /usr/{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper rmix, + } + + # Site-specific additions and overrides. See local/README for details. + #include +} diff --git a/default/libvirt-guests b/default/libvirt-guests new file mode 100644 index 0000000..f7f9015 --- /dev/null +++ b/default/libvirt-guests 
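Review bot: `/etc/libvirt/hooks/** rmix,` and `/etc/xen/scripts/** rmix,` run hook scripts with inherited (`ix`) confinement, so under a profile that already grants `/** rwmkl,`, mount rules, sys_admin and sys_ptrace, a writable hook directory is equivalent to root; a comment such as `# hook scripts inherit this lenient profile: /etc/libvirt/hooks must stay root-owned and not writable by others` would make that explicit. The `audit deny` block covering apparmor_parser, /etc/apparmor.d/libvirt/** and the apparmor securityfs entries is what actually keeps guest-profile generation inside virt-aa-helper (deny rules win over the broad allow); since those denials are audited, a denial from profile libvirtd on any of those paths in the AppArmor audit log is a meaningful detection signal and the block could say so in a comment. The profile's own comment already states that it is intentionally lenient, so no tightening is proposed here.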
@@ -0,0 +1,50 @@
+# URIs to check for running guests
+# example: URIS='default xen:///system vbox+tcp://host/system lxc:///system'
+#URIS=default
+
+# action taken on host boot
+# - start all guests which were running on shutdown are started on boot
+# regardless on their autostart settings
+# - ignore libvirt-guests init script won't start any guest on boot, however,
+# guests marked as autostart will still be automatically started by
+# libvirtd
+#ON_BOOT=ignore
+
+# Number of seconds to wait between each guest start. Set to 0 to allow
+# parallel startup.
+#START_DELAY=0
+
+# action taken on host shutdown
+# - suspend all running guests are suspended using virsh managedsave
+# - shutdown all running guests are asked to shutdown. Please be careful with
+# this settings since there is no way to distinguish between a
+# guest which is stuck or ignores shutdown requests and a guest
+# which just needs a long time to shutdown. When setting
+# ON_SHUTDOWN=shutdown, you must also set SHUTDOWN_TIMEOUT to a
+# value suitable for your guests.
+#ON_SHUTDOWN=shutdown
+
+# Number of guests will be shutdown concurrently, taking effect when
+# "ON_SHUTDOWN" is set to "shutdown". If Set to 0, guests will be shutdown one
+# after another. Number of guests on shutdown at any time will not exceed number
+# set in this variable.
+PARALLEL_SHUTDOWN=10
+
+# Number of seconds we're willing to wait for a guest to shut down. If parallel
+# shutdown is enabled, this timeout applies as a timeout for shutting down all
+# guests on a single URI defined in the variable URIS. If this is 0, then there
+# is no time out (use with caution, as guests might not respond to a shutdown
+# request). The default value is 300 seconds (5 minutes).
+SHUTDOWN_TIMEOUT=120
+
+# If non-zero, try to bypass the file system cache when saving and
+# restoring guests, even though this may give slower operation for
+# some file systems.
+#BYPASS_CACHE=0
+
+# If non-zero, try to sync guest time on domain resume. Be aware, that
+# this requires guest agent with support for time synchronization
+# running in the guest. For instance, qemu-ga doesn't support guest time
+# synchronization on Windows guests, but Linux ones. By default, this
+# functionality is turned off.
+#SYNC_TIME=1
diff --git a/default/libvirtd b/default/libvirtd
new file mode 100644
index 0000000..142044c
--- /dev/null
+++ b/default/libvirtd
@@ -0,0 +1,19 @@
+# Defaults for libvirtd initscript (/etc/init.d/libvirtd)
+# This is a POSIX shell fragment
+
+# Start libvirtd to handle qemu/kvm:
+start_libvirtd="yes"
+
+# options passed to libvirtd, see man libvirtd for details.
+# For example to enable listening on tcp add -l here
+# and set up the TLS Certificates that libvirtd will need.
+#libvirtd_opts=""
+
+# pass in location of kerberos keytab
+#export KRB5_KTNAME=/etc/libvirt/libvirt.keytab
+
+# Whether to mount a systemd like cgroup layout (only
+# useful when not running systemd)
+#mount_cgroups=yes
+# Which cgroups to mount
+#cgroups="memory devices"
diff --git a/default/virtlockd b/default/virtlockd
new file mode 100644
index 0000000..d44dc46
--- /dev/null
+++ b/default/virtlockd
@@ -0,0 +1,3 @@
+#
+# Pass extra arguments to virtlockd
+#VIRTLOCKD_ARGS=
diff --git a/default/virtlogd b/default/virtlogd
new file mode 100644
index 0000000..5886f35
--- /dev/null
+++ b/default/virtlogd
@@ -0,0 +1,3 @@
+#
+# Pass extra arguments to virtlogd
+#VIRTLOGD_ARGS=
diff --git a/dnsmasq.d-available/libvirt-daemon b/dnsmasq.d-available/libvirt-daemon
new file mode 100644
index 0000000..a7c3059
--- /dev/null
+++ b/dnsmasq.d-available/libvirt-daemon
@@ -0,0 +1,2 @@
+bind-interfaces
+except-interface=virbr0
diff --git a/dnsmasq.d/libvirt-daemon b/dnsmasq.d/libvirt-daemon
new file mode 120000
index 0000000..f35fb42
--- /dev/null
+++ b/dnsmasq.d/libvirt-daemon
@@ -0,0 +1 @@
+/etc/dnsmasq.d-available/libvirt-daemon
\ No newline at end of file
diff --git a/group b/group
index 5aa5577..357419c 100644
--- a/group
+++ b/group
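Review bot: `SHUTDOWN_TIMEOUT=120` is set as an active value while the comment directly above it still says `The default value is 300 seconds (5 minutes)`, so a reader cannot tell whether 120 is the packaged default or a local choice; the comment should state which, e.g. `# The packaged file sets 120 here; upstream's built-in default is 300.` (the packaging origin is inferred, not visible in this file). Similarly `PARALLEL_SHUTDOWN=10` only takes effect when ON_SHUTDOWN is `shutdown`, but `#ON_SHUTDOWN=shutdown` is left commented, so the effective shutdown action and whether the parallel setting applies depend on the init script's built-in default, which the file does not name; stating that default next to `#ON_SHUTDOWN=shutdown` would remove the ambiguity.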
@@ -92,3 +92,6 @@ tcpdump:x:145:
 nvidia-persistenced:x:146:
 nx:x:1015:
 tss:x:147:
+libvirt:x:148:mhoellein
+libvirt-qemu:x:64055:libvirt-qemu
+libvirt-dnsmasq:x:149:
diff --git a/group- b/group-
index 07eb610..67106e8 100644
--- a/group-
+++ b/group-
@@ -91,3 +91,6 @@ render:x:131:
 tcpdump:x:145:
 nvidia-persistenced:x:146:
 nx:x:1015:
+tss:x:147:
+libvirt:x:148:mhoellein
+libvirt-qemu:x:64055:libvirt-qemu
diff --git a/gshadow b/gshadow
index 72bee5d..613fa26 100644
--- a/gshadow
+++ b/gshadow
@@ -92,3 +92,6 @@ tcpdump:!::
 nvidia-persistenced:!::
 nx:!::
 tss:!::
+libvirt:!::mhoellein
+libvirt-qemu:!::libvirt-qemu
+libvirt-dnsmasq:!::
diff --git a/gshadow- b/gshadow-
index 922d56b..1826a95 100644
--- a/gshadow-
+++ b/gshadow-
@@ -91,3 +91,6 @@ render:!::
 tcpdump:!::
 nvidia-persistenced:!::
 nx:!::
+tss:!::
+libvirt:!::mhoellein
+libvirt-qemu:!::libvirt-qemu
diff --git a/libvirt/libvirt-admin.conf b/libvirt/libvirt-admin.conf
new file mode 100644
index 0000000..d7cf12a
--- /dev/null
+++ b/libvirt/libvirt-admin.conf
@@ -0,0 +1,16 @@
+#
+# This can be used to setup URI aliases for frequently
+# used connection URIs. Aliases may contain only the
+# characters a-Z, 0-9, _, -.
+#
+# Following the '=' may be any valid libvirt admin connection
+# URI, including arbitrary parameters
+
+#uri_aliases = [
+# "admin=libvirtd:///system",
+#]
+
+# This specifies the default location the client tries to connect to if no other
+# URI is provided by the application
+
+#uri_default = "libvirtd:///system"
diff --git a/libvirt/libvirt.conf b/libvirt/libvirt.conf
new file mode 100644
index 0000000..da4dfbe
--- /dev/null
+++ b/libvirt/libvirt.conf
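Review bot: The added line `libvirt:x:148:mhoellein` makes that account a member of the group which, per the `unix_sock_group = "libvirt"`, `unix_sock_rw_perms = "0770"` and `auth_unix_rw = "none"` settings in the libvirtd.conf hunk further down, gets unauthenticated read-write access to the management socket; full libvirt management of a host is generally root-equivalent (a domain definition can attach arbitrary host files as disks), so this membership should be recorded as a deliberate privilege grant rather than an incidental side effect of the install. The same addition appears in the gshadow hunk (`libvirt:!::mhoellein`); since gshadow is tracked in this repository, the repository itself must remain readable by root only — etckeeper normally enforces that, but it is worth confirming on this host.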
@@ -0,0 +1,18 @@ +# +# This can be used to setup URI aliases for frequently +# used connection URIs. Aliases may contain only the +# characters a-Z, 0-9, _, -. +# +# Following the '=' may be any valid libvirt connection +# URI, including arbitrary parameters + +#uri_aliases = [ +# "hail=qemu+ssh://root@hail.cloud.example.com/system", +# "sleet=qemu+ssh://root@sleet.cloud.example.com/system", +#] + +# +# These can be used in cases when no URI is supplied by the application +# (@uri_default also prevents probing of the hypervisor driver). +# +#uri_default = "qemu:///system" diff --git a/libvirt/libvirtd.conf b/libvirt/libvirtd.conf new file mode 100644 index 0000000..0ee720f --- /dev/null +++ b/libvirt/libvirtd.conf 
@@ -0,0 +1,503 @@ +# Master libvirt daemon configuration file +# + +################################################################# +# +# Network connectivity controls +# + +# Flag listening for secure TLS connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# It is necessary to setup a CA and issue server certificates before +# using this capability. +# +# This is enabled by default, uncomment this to disable it +#listen_tls = 0 + +# Listen for unencrypted TCP connections on the public TCP/IP port. +# NB, must pass the --listen flag to the libvirtd process for this to +# have any effect. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) +# +# This is disabled by default, uncomment this to enable it. +#listen_tcp = 1 + + + +# Override the port for accepting secure TLS connections +# This can be a port number, or service name +# +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# +#tls_port = "16514" + +# Override the port for accepting insecure TCP connections +# This can be a port number, or service name +# +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# +#tcp_port = "16509" + + +# Override the default configuration which binds to all network +# interfaces. This can be a numeric IPv4/6 address, or hostname +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# If the libvirtd service is started in parallel with network +# startup (e.g. 
with systemd), binding to addresses other than +# the wildcards (0.0.0.0/::) might not be available yet. +# +#listen_addr = "192.168.0.1" + + +################################################################# +# +# UNIX socket access controls +# + +# Set the UNIX domain socket group ownership. This can be used to +# allow a 'trusted' set of users access to management capabilities +# without becoming root. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# This is restricted to 'root' by default. +#unix_sock_group = "libvirt" +unix_sock_group = "libvirt" + +# Set the UNIX socket permissions for the R/O socket. This is used +# for monitoring VM status only +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows any user. If setting group ownership, you may want to +# restrict this too. +#unix_sock_ro_perms = "0777" +unix_sock_ro_perms = "0777" + +# Set the UNIX socket permissions for the R/W socket. This is used +# for full management of VMs +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control, then you may want to relax this too. +unix_sock_rw_perms = "0770" + +# Set the UNIX socket permissions for the admin interface socket. +# +# This setting is not required or honoured if using systemd socket +# activation. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + +# Set the name of the directory in which sockets will be found/created. 
+# +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# +#unix_sock_dir = "/run/libvirt" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +#auth_unix_rw = "none" +auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. 
For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +#auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +#auth_tls = "none" + + +# Change the API access control scheme +# +# By default an authenticated user is allowed access +# to all APIs. Access drivers can place restrictions +# on this. By default the 'nop' driver is enabled, +# meaning no access control checks are done once a +# client has authenticated with libvirtd +# +#access_drivers = [ "polkit" ] + +################################################################# +# +# TLS x509 certificate configuration +# + +# Use of TLS requires that x509 certificates be issued. The default locations +# for the certificate files is as follows: +# +# /etc/pki/CA/cacert.pem - The CA master certificate +# /etc/pki/libvirt/servercert.pem - The server certificate signed by cacert.pem +# /etc/pki/libvirt/private/serverkey.pem - The server private key +# +# It is possible to override the default locations by altering the 'key_file', +# 'cert_file', and 'ca_file' values and uncommenting them below. +# +# NB, overriding the default of one location requires uncommenting and +# possibly additionally overriding the other settings. +# + +# Override the default server key file path +# +#key_file = "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +#cert_file = "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +#ca_file = "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. 
+# +# Defaults to not using a CRL, uncomment to enable it +#crl_file = "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# + + +# Flag to disable verification of our own server certificates +# +# When libvirtd starts it performs some sanity checks against +# its own certificates. +# +# Default is to always run sanity checks. Uncommenting this +# will disable sanity checks which is not a good idea +#tls_no_sanity_certificate = 1 + +# Flag to disable verification of client certificates +# +# Client certificate verification is the primary authentication mechanism. +# Any client which does not present a certificate signed by the CA +# will be rejected. +# +# Default is to always verify. Uncommenting this will disable +# verification - make sure an IP whitelist is set +#tls_no_verify_certificate = 1 + + +# A whitelist of allowed x509 Distinguished Names +# This list may contain wildcards such as +# +# "C=GB,ST=London,L=London,O=Red Hat,CN=*" +# +# See the g_pattern_match function for the format of the wildcards: +# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no DN's are checked +#tls_allowed_dn_list = ["DN1", "DN2"] + + +# Override the compile time default TLS priority string. The +# default is usually "NORMAL" unless overridden at build time. +# Only set this is it is desired for libvirt to deviate from +# the global default settings. +# +#tls_priority="NORMAL" + + +# A whitelist of allowed SASL usernames. The format for username +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the g_pattern_match function for the format of the wildcards. 
+# +# https://developer.gnome.org/glib/stable/glib-Glob-style-pattern-matching.html +# +# NB If this is an empty list, no client can connect, so comment out +# entirely rather than using empty list to disable these checks +# +# By default, no Username's are checked +#sasl_allowed_username_list = ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + +################################################################# +# +# Processing controls +# + +# The maximum number of concurrent client connections to allow +# over all sockets combined. +#max_clients = 5000 + +# The maximum length of queue of connections waiting to be +# accepted by the daemon. Note, that some protocols supporting +# retransmission may obey this so that a later reattempt at +# connection succeeds. +#max_queued_clients = 1000 + +# The maximum length of queue of accepted but not yet +# authenticated clients. The default value is 20. Set this to +# zero to turn this feature off. +#max_anonymous_clients = 20 + +# The minimum limit sets the number of workers to start up +# initially. If the number of active clients exceeds this, +# then more threads are spawned, up to max_workers limit. +# Typically you'd want max_workers to equal maximum number +# of clients allowed +#min_workers = 5 +#max_workers = 20 + + +# The number of priority workers. If all workers from above +# pool are stuck, some calls marked as high priority +# (notably domainDestroy) can be executed in this pool. +#prio_workers = 5 + +# Limit on concurrent requests from a single client +# connection. To avoid one client monopolizing the server +# this should be a small fraction of the global max_workers +# parameter. +#max_client_requests = 5 + +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. 
+ +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# A typical need is to capture information from a hypervisor driver, +# public API entrypoints and some of the utility code. Some utility +# code is very verbose and is generally not desired. 
Taking the QEMU +# hypervisor as an example, a suitable filter string for debugging +# might be to turn off object, json & event logging, but enable the +# rest of the util code: +# +#log_filters="1:qemu 1:libvirt 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the libvirtd ident: +#log_outputs="3:syslog:libvirtd" + + +################################################################## +# +# Auditing +# +# This setting allows usage of the auditing subsystem to be altered: +# +# audit_level == 0 -> disable all auditing +# audit_level == 1 -> enable auditing, only if enabled on host (default) +# audit_level == 2 -> enable auditing, and exit if disabled on host +# +#audit_level = 2 +# +# If set to 1, then audit messages will also be sent +# via libvirt logging infrastructure. Defaults to 0 +# +#audit_logging = 1 + +################################################################### +# UUID of the host: +# Host UUID is read from one of the sources specified in host_uuid_source. +# +# - 'smbios': fetch the UUID from 'dmidecode -s system-uuid' +# - 'machine-id': fetch the UUID from /etc/machine-id +# +# The host_uuid_source default is 'smbios'. If 'dmidecode' does not provide +# a valid UUID a temporary UUID will be generated. +# +# Another option is to specify host UUID in host_uuid. +# +# Keep the format of the example UUID below. 
UUID must not have all digits +# be the same. + +# NB This default all-zeros UUID will not work. Replace +# it with the output of the 'uuidgen' command and then +# uncomment this entry +#host_uuid = "00000000-0000-0000-0000-000000000000" +#host_uuid_source = "smbios" + +################################################################### +# Keepalive protocol: +# This allows libvirtd to detect broken client connections or even +# dead clients. A keepalive message is sent to a client after +# keepalive_interval seconds of inactivity to check if the client is +# still responding; keepalive_count is a maximum number of keepalive +# messages that are allowed to be sent to the client without getting +# any response before the connection is considered broken. In other +# words, the connection is automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the client. If keepalive_interval is set to +# -1, libvirtd will never send keepalive requests; however clients +# can still send them and the daemon will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + +# +# These configuration options are no longer used. There is no way to +# restrict such clients from connecting since they first need to +# connect in order to ask for keepalive. +# +#keepalive_required = 1 +#admin_keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 + +################################################################### +# Open vSwitch: +# This allows to specify a timeout for openvswitch calls made by +# libvirt. 
The ovs-vsctl utility is used for the configuration and +# its timeout option is set by default to 5 seconds to avoid +# potential infinite waits blocking libvirt. +# +#ovs_timeout = 5 diff --git a/libvirt/libxl-lockd.conf b/libvirt/libxl-lockd.conf new file mode 100644 index 0000000..fa43760 --- /dev/null +++ b/libvirt/libxl-lockd.conf 
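Review bot: The five uncommented settings in the UNIX-socket and authentication sections (`unix_sock_group = "libvirt"`, `unix_sock_ro_perms = "0777"`, `unix_sock_rw_perms = "0770"`, `auth_unix_ro = "none"`, `auth_unix_rw = "none"`) are the effective local access policy of this file: any local user can open the read-only monitoring socket without authentication, and any member of group libvirt gets full management without polkit. The file's own comments say the unix_sock_* values are not honoured under systemd socket activation, in which case socket ownership and mode come from the libvirtd socket units instead, while the auth_unix_* choice still applies; a short note next to `auth_unix_rw = "none"` saying that socket permissions (or the socket units) are therefore the only gate and that polkit is deliberately not used would save the next reader from reconstructing that. It is also worth noting that `#access_drivers = [ "polkit" ]` stays commented, so, as the surrounding comment states, no per-API access control applies once a client has authenticated.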
@@ -0,0 +1,67 @@
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths.
Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
diff --git a/libvirt/libxl-sanlock.conf b/libvirt/libxl-sanlock.conf
new file mode 100644
index 0000000..3c356be
--- /dev/null
+++ b/libvirt/libxl-sanlock.conf
@@ -0,0 +1,69 @@
+#
+# The default sanlock configuration requires the management
+# application to manually define elements in the
+# guest configuration, typically one lease per disk. An
+# alternative is to enable "auto disk lease" mode. In this
+# usage, libvirt will automatically create a lockspace and
+# lease for each fully qualified disk path. This works if
+# you are able to ensure stable, unique disk paths across
+# all hosts in a network.
+#
+# Uncomment this to enable automatic lease creation.
+#
+# NB: the 'host_id' parameter must be set if enabling this
+#
+#auto_disk_leases = 1
+
+#
+# The default location in which lockspaces are created when
+# automatic lease creation is enabled. For each unique disk
+# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created
+# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path.
+#
+# If this directory is on local storage, it will only protect
+# against a VM being started twice on the same host, or two
+# guests on the same host using the same disk path. If the
+# directory is on NFS, then it can protect against concurrent
+# usage across all hosts which have the share mounted.
+#
+# Recommendation is to just mount this default location as
+# an NFS volume. Uncomment this, if you would prefer the mount
+# point to be somewhere else. Moreover, please make sure
+# sanlock daemon can access the specified path.
+#
+#disk_lease_dir = "/var/lib/libvirt/sanlock"
+
+#
+# The unique ID for this host.
+#
+# IMPORTANT: *EVERY* host which can access the filesystem mounted
+# at 'disk_lease_dir' *MUST* be given a different host ID.
+#
+# This parameter has no default and must be manually set if
+# 'auto_disk_leases' is enabled
+#host_id = 1
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+#
+# Sanlock is able to kill qemu processes on IO timeout. By its internal
+# implementation, the current default is 80 seconds. If you need to adjust
+# the value change the following variable. Value of zero means use the
+# default sanlock timeout.
+#io_timeout = 0
+
+#
+# The combination of user and group under which the sanlock
+# daemon runs. Libvirt will chown created files (like
+# content of disk_lease_dir) to make sure sanlock daemon can
+# access them. Accepted values are described in qemu.conf.
+#user = "root"
+#group = "root"
diff --git a/libvirt/libxl.conf b/libvirt/libxl.conf
new file mode 100644
index 0000000..72825a7
--- /dev/null
+++ b/libvirt/libxl.conf
@@ -0,0 +1,51 @@
+# Master configuration file for the libxl driver.
+# All settings described here are optional. If omitted, sensible
+# defaults are used.
+
+# Enable autoballooning of domain0
+#
+# By default, autoballooning of domain0 is enabled unless its memory
+# is already limited with Xen's "dom0_mem=" parameter, in which case
+# autoballooning is disabled. Override the default behavior with the
+# autoballoon setting.
+#
+#autoballoon = 1
+
+
+# In order to prevent accidentally starting two domains that
+# share one writable disk, libvirt offers two approaches for
+# locking files: sanlock and virtlockd. sanlock is an external
+# project which libvirt integrates with via the libvirt-lock-sanlock
+# package. virtlockd is a libvirt implementation that is enabled with
+# "lockd". Accepted values are "sanlock" and "lockd".
+#
+#lock_manager = "lockd"
+
+
+# Keepalive protocol:
+# This allows the libxl driver to detect broken connections to the
+# remote libvirtd during peer-to-peer migration. A keepalive message
+# is sent to the daemon after keepalive_interval seconds of inactivity
+# to check if the daemon is still responding; keepalive_count is a
+# maximum number of keepalive messages that are allowed to be sent to
+# the daemon without getting any response before the connection is
+# considered broken. In other words, the connection is automatically
+# closed after approximately keepalive_interval * (keepalive_count + 1)
+# seconds since the last message was received from the daemon. If
+# keepalive_interval is set to -1, the libxl driver will not send
+# keepalive requests during peer-to-peer migration; however, the remote
+# libvirtd can still send them and source libvirtd will send responses.
+# When keepalive_count is set to 0, connections will be automatically
+# closed after keepalive_interval seconds of inactivity without sending
+# any keepalive messages.
+#
+#keepalive_interval = 5
+#keepalive_count = 5
+
+# Nested HVM default control.
In order to use nested HVM feature, this option
+# needs to be enabled, in addition to specifying
+# in domain configuration. This can be overridden in domain configuration by
+# explicitly setting inside
+# element.
+# By default it is disabled.
+#nested_hvm = 0
diff --git a/libvirt/lxc.conf b/libvirt/lxc.conf
new file mode 100644
index 0000000..318a536
--- /dev/null
+++ b/libvirt/lxc.conf
@@ -0,0 +1,31 @@
+# Master configuration file for the LXC driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# By default, log messages generated by the lxc controller go to the
+# container logfile. It is also possible to accumulate log messages
+# from all lxc controllers along with libvirtd's log outputs. In this
+# case, the lxc controller will honor either LIBVIRT_LOG_OUTPUTS or
+# log_outputs from libvirtd.conf.
+#
+# This is disabled by default, uncomment below to enable it.
+#
+#log_with_libvirtd = 1
+
+
+# The default security driver is SELinux. If SELinux is disabled
+# on the host, then the security driver will automatically disable
+# itself. If you wish to disable LXC SELinux security driver while
+# leaving SELinux enabled for the host in general, then set this
+# to 'none' instead.
+#
+#security_driver = "selinux"
+
+# If set to non-zero, then the default security labeling
+# will make guests confined. If set to zero, then guests
+# will be unconfined by default. Defaults to 0.
+#security_default_confined = 1
+
+# If set to non-zero, then attempts to create unconfined
+# guests will be blocked. Defaults to 0.
+#security_require_confined = 1
diff --git a/libvirt/nwfilter/allow-arp.xml b/libvirt/nwfilter/allow-arp.xml
new file mode 100644
index 0000000..58e5db3
--- /dev/null
+++ b/libvirt/nwfilter/allow-arp.xml
@@ -0,0 +1,11 @@
+ + + + 20c4b8ce-2b84-474f-a2a7-9b159c188094 + +
diff --git a/libvirt/nwfilter/allow-dhcp-server.xml b/libvirt/nwfilter/allow-dhcp-server.xml
new file mode 100644
index 0000000..f5f1264
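Review bot: In the lxc.conf hunk, `security_default_confined` is documented as "Defaults to 0", so with the line left commented out containers on this host start unconfined unless each domain XML asks for a label; the QEMU driver's copy of the same knob in qemu.conf documents a default of 1. If confinement is meant to be the baseline for containers as well, set `security_default_confined = 1` explicitly (and `security_require_confined = 1` to refuse unconfined guests) rather than relying on the shipped default. Note also that the default `security_driver = "selinux"` is documented as silently disabling itself when SELinux is off on the host, so on an AppArmor-based system — as qemu.conf's comments suggest this one is — it is worth confirming which driver the LXC driver actually ends up with.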
--- /dev/null +++ b/libvirt/nwfilter/allow-dhcp-server.xml @@ -0,0 +1,16 @@ + + + + 1aafb74b-f0bc-4c24-ae25-ab354d293c41 + + + + + + + diff --git a/libvirt/nwfilter/allow-dhcp.xml b/libvirt/nwfilter/allow-dhcp.xml new file mode 100644 index 0000000..a5e621b --- /dev/null +++ b/libvirt/nwfilter/allow-dhcp.xml @@ -0,0 +1,16 @@ + + + + ac743ac4-4e41-4596-a6bd-013165613bc7 + + + + + + + diff --git a/libvirt/nwfilter/allow-incoming-ipv4.xml b/libvirt/nwfilter/allow-incoming-ipv4.xml new file mode 100644 index 0000000..1fad205 --- /dev/null +++ b/libvirt/nwfilter/allow-incoming-ipv4.xml @@ -0,0 +1,11 @@ + + + + 07d54b53-8c78-42a4-8d95-8dedb2d7c6ec + + diff --git a/libvirt/nwfilter/allow-ipv4.xml b/libvirt/nwfilter/allow-ipv4.xml new file mode 100644 index 0000000..a9a0950 --- /dev/null +++ b/libvirt/nwfilter/allow-ipv4.xml @@ -0,0 +1,11 @@ + + + + d37255b2-8523-4def-b925-830db6a880a1 + + diff --git a/libvirt/nwfilter/clean-traffic-gateway.xml b/libvirt/nwfilter/clean-traffic-gateway.xml new file mode 100644 index 0000000..bad3548 --- /dev/null +++ b/libvirt/nwfilter/clean-traffic-gateway.xml @@ -0,0 +1,24 @@ + + + + 615b237c-76c7-4667-bf0e-73b796f4acd1 + + + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/clean-traffic.xml b/libvirt/nwfilter/clean-traffic.xml new file mode 100644 index 0000000..07fa1d1 --- /dev/null +++ b/libvirt/nwfilter/clean-traffic.xml @@ -0,0 +1,22 @@ + + + + ee1d69b2-5be0-445c-9eaf-43923c89ec63 + + + + + + + + + + + + + diff --git a/libvirt/nwfilter/no-arp-ip-spoofing.xml b/libvirt/nwfilter/no-arp-ip-spoofing.xml new file mode 100644 index 0000000..8c9cdcb --- /dev/null +++ b/libvirt/nwfilter/no-arp-ip-spoofing.xml @@ -0,0 +1,14 @@ + + + + 535d335d-00fe-431d-8af6-75a421cba336 + + + + + diff --git a/libvirt/nwfilter/no-arp-mac-spoofing.xml b/libvirt/nwfilter/no-arp-mac-spoofing.xml new file mode 100644 index 0000000..da657f8 --- /dev/null +++ b/libvirt/nwfilter/no-arp-mac-spoofing.xml 
@@ -0,0 +1,14 @@ + + + + 53735534-60ae-4526-808b-4790e3acf999 + + + + + diff --git a/libvirt/nwfilter/no-arp-spoofing.xml b/libvirt/nwfilter/no-arp-spoofing.xml new file mode 100644 index 0000000..8bdd2a1 --- /dev/null +++ b/libvirt/nwfilter/no-arp-spoofing.xml @@ -0,0 +1,12 @@ + + + + 00f043c8-f255-4936-9a6b-44f2aaee9631 + + + diff --git a/libvirt/nwfilter/no-ip-multicast.xml b/libvirt/nwfilter/no-ip-multicast.xml new file mode 100644 index 0000000..bda0808 --- /dev/null +++ b/libvirt/nwfilter/no-ip-multicast.xml @@ -0,0 +1,13 @@ + + + + bf82156a-5f04-4b4f-83c8-9b2ee9864081 + + + + diff --git a/libvirt/nwfilter/no-ip-spoofing.xml b/libvirt/nwfilter/no-ip-spoofing.xml new file mode 100644 index 0000000..d999ed5 --- /dev/null +++ b/libvirt/nwfilter/no-ip-spoofing.xml @@ -0,0 +1,17 @@ + + + + ea585a34-1393-413d-8a24-16a858434442 + + + + + + + + diff --git a/libvirt/nwfilter/no-mac-broadcast.xml b/libvirt/nwfilter/no-mac-broadcast.xml new file mode 100644 index 0000000..426cd89 --- /dev/null +++ b/libvirt/nwfilter/no-mac-broadcast.xml @@ -0,0 +1,13 @@ + + + + f95c98c4-9200-4921-a82f-eab08a7e70b2 + + + + diff --git a/libvirt/nwfilter/no-mac-spoofing.xml b/libvirt/nwfilter/no-mac-spoofing.xml new file mode 100644 index 0000000..66f21be --- /dev/null +++ b/libvirt/nwfilter/no-mac-spoofing.xml @@ -0,0 +1,16 @@ + + + + bf5253ea-1c10-4b04-bc78-7e0f16f79f55 + + + + + + + diff --git a/libvirt/nwfilter/no-other-l2-traffic.xml b/libvirt/nwfilter/no-other-l2-traffic.xml new file mode 100644 index 0000000..ba4a868 --- /dev/null +++ b/libvirt/nwfilter/no-other-l2-traffic.xml @@ -0,0 +1,11 @@ + + + + afdb30e6-62b3-4c25-b794-d67d2515d763 + + diff --git a/libvirt/nwfilter/no-other-rarp-traffic.xml b/libvirt/nwfilter/no-other-rarp-traffic.xml new file mode 100644 index 0000000..5efd52f --- /dev/null +++ b/libvirt/nwfilter/no-other-rarp-traffic.xml @@ -0,0 +1,11 @@ + + + + 1c09955e-4420-4ab3-ae29-7c91ab18b15c + + 
diff --git a/libvirt/nwfilter/qemu-announce-self-rarp.xml b/libvirt/nwfilter/qemu-announce-self-rarp.xml new file mode 100644 index 0000000..4d95bf3 --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self-rarp.xml @@ -0,0 +1,16 @@ + + + + 72f76118-fccb-4fa1-bf50-7baa63725c5a + + + + + + + diff --git a/libvirt/nwfilter/qemu-announce-self.xml b/libvirt/nwfilter/qemu-announce-self.xml new file mode 100644 index 0000000..ea3b71b --- /dev/null +++ b/libvirt/nwfilter/qemu-announce-self.xml @@ -0,0 +1,15 @@ + + + + be0f52c8-edf8-474b-83d6-5725d9c14e4f + + + + + + diff --git a/libvirt/qemu-lockd.conf b/libvirt/qemu-lockd.conf new file mode 100644 index 0000000..fa43760 --- /dev/null +++ b/libvirt/qemu-lockd.conf 
@@ -0,0 +1,67 @@
+#
+# The default lockd behaviour is to acquire locks directly
+# against each configured disk file / block device. If the
+# application wishes to instead manually manage leases in
+# the guest XML, then this parameter can be disabled
+#
+#auto_disk_leases = 0
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+
+#
+# The default lockd behaviour is to use the "direct"
+# lockspace, where the locks are acquired against the
+# actual file paths associated with the devices.
+#
+# Setting a directory here causes lockd to use "indirect"
+# lockspace, where a hash of the file path is
+# used to create a file in the lockspace directory. The
+# locks are then held on these hash files instead.
+#
+# This can be useful if the file paths refer to block
+# devices which are shared, since /dev fcntl() locks
+# don't propagate across hosts. It is also useful if
+# the filesystem does not support fcntl() locks.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#file_lockspace_dir = "/var/lib/libvirt/lockd/files"
+
+
+#
+# When using LVM volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths. Setting this path causes libvirt to
+# do UUID based locking for LVM.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#lvm_lockspace_dir = "/var/lib/libvirt/lockd/lvmvolumes"
+
+
+#
+# When using SCSI volumes that can be visible across
+# multiple, it is desirable to do locking based on
+# the unique UUID associated with each volume, instead
+# of their paths.
Setting this path causes libvirt to
+# do UUID based locking for SCSI.
+#
+# Typically this directory would be located on a shared
+# filesystem visible to all hosts accessing the same
+# storage.
+#
+#scsi_lockspace_dir = "/var/lib/libvirt/lockd/scsivolumes"
diff --git a/libvirt/qemu-sanlock.conf b/libvirt/qemu-sanlock.conf
new file mode 100644
index 0000000..3c356be
--- /dev/null
+++ b/libvirt/qemu-sanlock.conf
@@ -0,0 +1,69 @@
+#
+# The default sanlock configuration requires the management
+# application to manually define elements in the
+# guest configuration, typically one lease per disk. An
+# alternative is to enable "auto disk lease" mode. In this
+# usage, libvirt will automatically create a lockspace and
+# lease for each fully qualified disk path. This works if
+# you are able to ensure stable, unique disk paths across
+# all hosts in a network.
+#
+# Uncomment this to enable automatic lease creation.
+#
+# NB: the 'host_id' parameter must be set if enabling this
+#
+#auto_disk_leases = 1
+
+#
+# The default location in which lockspaces are created when
+# automatic lease creation is enabled. For each unique disk
+# path, a file $LEASE_DIR/NNNNNNNNNNNNNN will be created
+# where 'NNNNNNNNNNNNNN' is the MD5 hash of the disk path.
+#
+# If this directory is on local storage, it will only protect
+# against a VM being started twice on the same host, or two
+# guests on the same host using the same disk path. If the
+# directory is on NFS, then it can protect against concurrent
+# usage across all hosts which have the share mounted.
+#
+# Recommendation is to just mount this default location as
+# an NFS volume. Uncomment this, if you would prefer the mount
+# point to be somewhere else. Moreover, please make sure
+# sanlock daemon can access the specified path.
+#
+#disk_lease_dir = "/var/lib/libvirt/sanlock"
+
+#
+# The unique ID for this host.
+#
+# IMPORTANT: *EVERY* host which can access the filesystem mounted
+# at 'disk_lease_dir' *MUST* be given a different host ID.
+#
+# This parameter has no default and must be manually set if
+# 'auto_disk_leases' is enabled
+#host_id = 1
+
+#
+# Flag to determine whether we allow starting of guests
+# which do not have any elements defined in their
+# configuration.
+#
+# If 'auto_disk_leases' is disabled, this setting defaults
+# to enabled, otherwise it defaults to disabled.
+#
+#require_lease_for_disks = 1
+
+#
+# Sanlock is able to kill qemu processes on IO timeout. By its internal
+# implementation, the current default is 80 seconds. If you need to adjust
+# the value change the following variable. Value of zero means use the
+# default sanlock timeout.
+#io_timeout = 0
+
+#
+# The combination of user and group under which the sanlock
+# daemon runs. Libvirt will chown created files (like
+# content of disk_lease_dir) to make sure sanlock daemon can
+# access them. Accepted values are described in qemu.conf.
+#user = "root"
+#group = "root"
diff --git a/libvirt/qemu.conf b/libvirt/qemu.conf
new file mode 100644
index 0000000..d40f9ba
--- /dev/null
+++ b/libvirt/qemu.conf
@@ -0,0 +1,856 @@
+# Master configuration file for the QEMU driver.
+# All settings described here are optional - if omitted, sensible
+# defaults are used.
+
+# Use of TLS requires that x509 certificates be issued. The default is
+# to keep them in /etc/pki/qemu. This directory must contain
+#
+# ca-cert.pem - the CA master certificate
+# server-cert.pem - the server certificate signed with ca-cert.pem
+# server-key.pem - the server private key
+#
+# and optionally may contain
+#
+# dh-params.pem - the DH params configuration file
+#
+# If the directory does not exist, libvirtd will fail to start. If the
+# directory doesn't contain the necessary files, QEMU domains will fail
+# to start if they are configured to use TLS.
+#
+# In order to overwrite the default path alter the following. This path
+# definition will be used as the default path for other *_tls_x509_cert_dir
+# configuration settings if their default path does not exist or is not
+# specifically set.
+#
+#default_tls_x509_cert_dir = "/etc/pki/qemu"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client who does not have a
+# certificate signed by the CA in /etc/pki/qemu/ca-cert.pem
+#
+# The default_tls_x509_cert_dir directory must also contain
+#
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#default_tls_x509_verify = 1
+
+#
+# Libvirt assumes the server-key.pem file is unencrypted by default.
+# To use an encrypted server-key.pem file, the password to decrypt
+# the PEM file is required. This can be provided by creating a secret
+# object in libvirt and then to uncomment this setting to set the UUID
+# of the secret.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#default_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# VNC is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#vnc_listen = "0.0.0.0"
+
+# Enable this option to have VNC served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine, though most VNC clients do not support it.
+#
+# This will only be enabled for VNC configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over vnc_listen.
+#
+#vnc_auto_unix_socket = 1
+
+# Enable use of TLS encryption on the VNC server. This requires
+# a VNC client which supports the VeNCrypt protocol extension.
+# Examples include vinagre, virt-viewer, virt-manager and vencrypt
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#vnc_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# vnc certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vnc_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#vnc_tls_x509_cert_dir = "/etc/pki/libvirt-vnc"
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+#vnc_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the vnc_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#vnc_tls_x509_verify = 1
+
+
+# The default VNC password. Only 8 bytes are significant for
+# VNC passwords. This parameter is only used if the per-domain
+# XML config does not already provide a password. To allow
+# access without passwords, leave this commented out. An empty
+# string will still enable passwords, but be rejected by QEMU,
+# effectively preventing any use of VNC. Obviously change this
+# example here before you set this.
+#
+#vnc_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the VNC server. This requires
+# a VNC client which supports the SASL protocol extension.
+# Examples include vinagre, virt-viewer and virt-manager
+# itself. UltraVNC, RealVNC, TightVNC do not support this
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#vnc_sasl = 1
+
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location.
Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#vnc_sasl_dir = "/some/directory/sasl2"
+
+
+# QEMU implements an extension for providing audio over a VNC connection,
+# though if your VNC client does not support it, your only chance for getting
+# sound output is through regular audio backends. By default, libvirt will
+# disable all QEMU sound backends if using VNC, since they can cause
+# permissions issues. Enabling this option will make libvirtd honor the
+# QEMU_AUDIO_DRV environment variable when using VNC.
+#
+#vnc_allow_host_audio = 0
+
+
+
+# SPICE is configured to listen on 127.0.0.1 by default.
+# To make it listen on all public interfaces, uncomment
+# this next option.
+#
+# NB, strong recommendation to enable TLS + x509 certificate
+# verification when allowing public access
+#
+#spice_listen = "0.0.0.0"
+
+
+# Enable use of TLS encryption on the SPICE server.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#spice_tls = 1
+
+
+# In order to override the default TLS certificate location for
+# spice certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but spice_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#spice_tls_x509_cert_dir = "/etc/pki/libvirt-spice"
+
+
+# Enable this option to have SPICE served over an automatically created
+# unix socket. This prevents unprivileged access from users on the
+# host machine.
+#
+# This will only be enabled for SPICE configurations that have listen
+# type=address but without any address specified. This setting takes
+# preference over spice_listen.
+#
+#spice_auto_unix_socket = 1
+
+
+# The default SPICE password. This parameter is only used if the
+# per-domain XML config does not already provide a password. To
+# allow access without passwords, leave this commented out.
An
+# empty string will still enable passwords, but be rejected by
+# QEMU, effectively preventing any use of SPICE. Obviously change
+# this example here before you set this.
+#
+#spice_password = "XYZ12345"
+
+
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+# Enable use of TLS encryption on the chardev TCP transports.
+#
+# It is necessary to setup CA and issue a server certificate
+# before enabling this.
+#
+#chardev_tls = 1
+
+
+# In order to override the default TLS certificate location for character
+# device TCP certificates, supply a valid path to the certificate directory.
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but chardev_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+#chardev_tls_x509_cert_dir = "/etc/pki/libvirt-chardev"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the chardev_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#chardev_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#chardev_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# Enable use of TLS encryption for all VxHS network block devices that
+# don't specifically disable.
+#
+# When the VxHS network block device server is set up appropriately,
+# x509 certificates are required for authentication between the clients
+# (qemu processes) and the remote VxHS server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#vxhs_tls = 1
+
+
+# In order to override the default TLS certificate location for VxHS
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the VxHS block device clients to the VxHS
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but vxhs_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# VxHS block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA master certificate.
+# If using the default environment, default_tls_x509_verify must be configured.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a VxHS directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#vxhs_tls_x509_cert_dir = "/etc/pki/libvirt-vxhs"
+
+
+
+# Enable use of TLS encryption for all NBD disk devices that don't
+# specifically disable it.
+#
+# When the NBD server is set up appropriately, x509 certificates are required
+# for authentication between the client and the remote NBD server.
+#
+# It is necessary to setup CA and issue the client certificate before
+# enabling this.
+#
+#nbd_tls = 1
+
+
+# In order to override the default TLS certificate location for NBD
+# backed storage, supply a valid path to the certificate directory.
+# This is used to authenticate the NBD block device clients to the NBD
+# server.
+#
+# If the provided path does not exist, libvirtd will fail to start.
+# If the path is not provided, but nbd_tls = 1, then the
+# default_tls_x509_cert_dir path will be used.
+#
+# NBD block device clients expect the client certificate and key to be
+# present in the certificate directory along with the CA certificate.
+# Since this is only a client the server-key.pem certificate is not needed.
+# Thus a NBD directory must contain the following:
+#
+# ca-cert.pem - the CA master certificate
+# client-cert.pem - the client certificate signed with the ca-cert.pem
+# client-key.pem - the client private key
+#
+#nbd_tls_x509_cert_dir = "/etc/pki/libvirt-nbd"
+
+
+# In order to override the default TLS certificate location for migration
+# certificates, supply a valid path to the certificate directory. If the
+# provided path does not exist, libvirtd will fail to start. If the path is
+# not provided, but migrate_tls = 1, then the default_tls_x509_cert_dir path
+# will be used. Once/if a default certificate is enabled/defined, migration
+# will then be able to use the certificate via migration API flags.
+#
+#migrate_tls_x509_cert_dir = "/etc/pki/libvirt-migrate"
+
+
+# The default TLS configuration only uses certificates for the server
+# allowing the client to verify the server's identity and establish
+# an encrypted channel.
+#
+# It is possible to use x509 certificates for authentication too, by
+# issuing an x509 certificate to every client who needs to connect.
+#
+# Enabling this option will reject any client that does not have a
+# ca-cert.pem certificate signed by the CA in the migrate_tls_x509_cert_dir
+# (or default_tls_x509_cert_dir) as well as the corresponding client-*.pem
+# files described in default_tls_x509_cert_dir.
+#
+# If this option is not supplied, it will be set to the value of
+# "default_tls_x509_verify".
+#
+#migrate_tls_x509_verify = 1
+
+
+# Uncomment and use the following option to override the default secret
+# UUID provided in the default_tls_x509_secret_uuid parameter.
+#
+# NB This default all-zeros UUID will not work. Replace it with the
+# output from the UUID for the TLS secret from a 'virsh secret-list'
+# command and then uncomment the entry
+#
+#migrate_tls_x509_secret_uuid = "00000000-0000-0000-0000-000000000000"
+
+
+# By default, if no graphical front end is configured, libvirt will disable
+# QEMU audio output since directly talking to alsa/pulseaudio may not work
+# with various security settings. If you know what you're doing, enable
+# the setting below and libvirt will passthrough the QEMU_AUDIO_DRV
+# environment variable when using nographics.
+#
+#nographics_allow_host_audio = 1
+
+
+# Override the port for creating both VNC and SPICE sessions (min).
+# This defaults to 5900 and increases for consecutive sessions
+# or when ports are occupied, until it hits the maximum.
+#
+# Minimum must be greater than or equal to 5900 as lower number would
+# result into negative vnc display number.
+#
+# Maximum must be less than 65536, because higher numbers do not make
+# sense as a port number.
+# +#remote_display_port_min = 5900 +#remote_display_port_max = 65535 + +# VNC WebSocket port policies, same rules apply as with remote display +# ports. VNC WebSockets use similar display <-> port mappings, with +# the exception being that ports start from 5700 instead of 5900. +# +#remote_websocket_port_min = 5700 +#remote_websocket_port_max = 65535 + +# The default security driver is SELinux. If SELinux is disabled +# on the host, then the security driver will automatically disable +# itself. If you wish to disable QEMU SELinux security driver while +# leaving SELinux enabled for the host in general, then set this +# to 'none' instead. It's also possible to use more than one security +# driver at the same time, for this use a list of names separated by +# comma and delimited by square brackets. For example: +# +# security_driver = [ "selinux", "apparmor" ] +# +# Notes: The DAC security driver is always enabled; as a result, the +# value of security_driver cannot contain "dac". The value "none" is +# a special value; security_driver can be set to that value in +# isolation, but it cannot appear in a list of drivers. +# +#security_driver = "selinux" + +# If set to non-zero, then the default security labeling +# will make guests confined. If set to zero, then guests +# will be unconfined by default. Defaults to 1. +#security_default_confined = 1 + +# If set to non-zero, then attempts to create unconfined +# guests will be blocked. Defaults to 0. +#security_require_confined = 1 + +# The user for QEMU processes run by the system instance. It can be +# specified as a user name or as a user id. The qemu driver will try to +# parse this value first as a name and then, if the name doesn't exist, +# as a user id. +# +# Since a sequence of digits is a valid user name, a leading plus sign +# can be used to ensure that a user id will not be interpreted as a user +# name. 
+# +# By default libvirt runs VMs as non-root and uses AppArmor profiles +# to provide host protection and VM isolation. While AppArmor +# continues to provide this protection when the VMs are running as +# root, /dev/vhost-net, /dev/vhost-vsock and /dev/vhost-scsi access is +# allowed by default in the AppArmor security policy, so malicious VMs +# running as root would have direct access to this file. If changing this +# to run as root, you may want to remove this access from +# /etc/apparmor.d/abstractions/libvirt-qemu. For more information, see: +# https://launchpad.net/bugs/1815910 +# https://www.redhat.com/archives/libvir-list/2019-April/msg00750.html +# +# Some examples of valid values are: +# +# user = "qemu" # A user named "qemu" +# user = "+0" # Super user (uid=0) +# user = "100" # A user named "100" or a user with uid=100 +# +#user = "root" + +# The group for QEMU processes run by the system instance. It can be +# specified in a similar way to user. +#group = "root" + +# Whether libvirt should dynamically change file ownership +# to match the configured user/group above. Defaults to 1. +# Set to 0 to disable file ownership changes. +#dynamic_ownership = 1 + +# Whether libvirt should remember and restore the original +# ownership over files it is relabeling. Defaults to 1, set +# to 0 to disable the feature. +#remember_owner = 1 + +# What cgroup controllers to make use of with QEMU guests +# +# - 'cpu' - use for scheduler tunables +# - 'devices' - use for device whitelisting +# - 'memory' - use for memory tunables +# - 'blkio' - use for block devices I/O tunables +# - 'cpuset' - use for CPUs and memory nodes +# - 'cpuacct' - use for CPUs statistics. +# +# NB, even if configured here, they won't be used unless +# the administrator has mounted cgroups, e.g.: +# +# mkdir /dev/cgroup +# mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup +# +# They can be mounted anywhere, and different controllers +# can be mounted in different locations. 
libvirt will detect +# where they are located. +# +#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] + +# This is the basic set of devices allowed / required by +# all virtual machines. +# +# As well as this, any configured block backed disks, +# all sound device, and all PTY devices are allowed. +# +# This will only need setting if newer QEMU suddenly +# wants some device we don't already know about. +# +#cgroup_device_acl = [ +# "/dev/null", "/dev/full", "/dev/zero", +# "/dev/random", "/dev/urandom", +# "/dev/ptmx", "/dev/kvm", +# "/dev/rtc","/dev/hpet" +#] +# +# RDMA migration requires the following extra files to be added to the list: +# "/dev/infiniband/rdma_cm", +# "/dev/infiniband/issm0", +# "/dev/infiniband/issm1", +# "/dev/infiniband/umad0", +# "/dev/infiniband/umad1", +# "/dev/infiniband/uverbs0" + + +# The default format for QEMU/KVM guest save images is raw; that is, the +# memory from the domain is dumped out directly to a file. If you have +# guests with a large amount of memory, however, this can take up quite +# a bit of space. If you would like to compress the images while they +# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz" +# for save_image_format. Note that this means you slow down the process of +# saving a domain in order to save disk space; the list above is in descending +# order by performance and ascending order by compression ratio. +# +# save_image_format is used when you use 'virsh save' or 'virsh managedsave' +# at scheduled saving, and it is an error if the specified save_image_format +# is not valid, or the requested compression program can't be found. +# +# dump_image_format is used when you use 'virsh dump' at emergency +# crashdump, and if the specified dump_image_format is not valid, or +# the requested compression program can't be found, this falls +# back to "raw" compression. 
+# +# snapshot_image_format specifies the compression algorithm of the memory save +# image when an external snapshot of a domain is taken. This does not apply +# on disk image format. It is an error if the specified format isn't valid, +# or the requested compression program can't be found. +# +#save_image_format = "raw" +#dump_image_format = "raw" +#snapshot_image_format = "raw" + +# When a domain is configured to be auto-dumped when libvirtd receives a +# watchdog event from qemu guest, libvirtd will save dump files in directory +# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump +# +#auto_dump_path = "/var/lib/libvirt/qemu/dump" + +# When a domain is configured to be auto-dumped, enabling this flag +# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the +# virDomainCoreDump API. That is, the system will avoid using the +# file system cache while writing the dump file, but may cause +# slower operation. +# +#auto_dump_bypass_cache = 0 + +# When a domain is configured to be auto-started, enabling this flag +# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag +# with the virDomainCreateWithFlags API. That is, the system will +# avoid using the file system cache when restoring any managed state +# file, but may cause slower operation. +# +#auto_start_bypass_cache = 0 + +# If provided by the host and a hugetlbfs mount point is configured, +# a guest may request huge page backing. When this mount point is +# unspecified here, determination of a host mount point in /proc/mounts +# will be attempted. Specifying an explicit mount overrides detection +# of the same in /proc/mounts. Setting the mount point to "" will +# disable guest hugepage backing. 
If desired, multiple mount points can +# be specified at once, separated by comma and enclosed in square +# brackets, for example: +# +# hugetlbfs_mount = ["/dev/hugepages2M", "/dev/hugepages1G"] +# +# The size of huge page served by specific mount point is determined by +# libvirt at the daemon startup. +# +# NB, within these mount points, guests will create memory backing +# files in a location of $MOUNTPOINT/libvirt/qemu +# +#hugetlbfs_mount = "/dev/hugepages" + + +# Path to the setuid helper for creating tap devices. This executable +# is used to create interfaces when libvirtd is +# running unprivileged. libvirt invokes the helper directly, instead +# of using "-netdev bridge", for security reasons. +#bridge_helper = "/usr/libexec/qemu-bridge-helper" + + +# If enabled, libvirt will have QEMU set its process name to +# "qemu:VM_NAME", where VM_NAME is the name of the VM. The QEMU +# process will appear as "qemu:VM_NAME" in process listings and +# other system monitoring tools. By default, QEMU does not set +# its process title, so the complete QEMU command (emulator and +# its arguments) appear in process listings. +# +#set_process_name = 1 + + +# If max_processes is set to a positive integer, libvirt will use +# it to set the maximum number of processes that can be run by qemu +# user. This can be used to override default value set by host OS. +# The same applies to max_files which sets the limit on the maximum +# number of opened files. +# +#max_processes = 0 +#max_files = 0 + +# If max_threads_per_process is set to a positive integer, libvirt +# will use it to set the maximum number of threads that can be +# created by a qemu process. Some VM configurations can result in +# qemu processes with tens of thousands of threads. systemd-based +# systems typically limit the number of threads per process to +# 16k. max_threads_per_process can be used to override default +# limits in the host OS. 
+# +#max_threads_per_process = 0 + +# If max_core is set to a non-zero integer, then QEMU will be +# permitted to create core dumps when it crashes, provided its +# RAM size is smaller than the limit set. +# +# Be warned that the core dump will include a full copy of the +# guest RAM, if the 'dump_guest_core' setting has been enabled, +# or if the guest XML contains +# +# ...guest ram... +# +# If guest RAM is to be included, ensure the max_core limit +# is set to at least the size of the largest expected guest +# plus another 1GB for any QEMU host side memory mappings. +# +# As a special case it can be set to the string "unlimited" to +# to allow arbitrarily sized core dumps. +# +# By default the core dump size is set to 0 disabling all dumps +# +# Size is a positive integer specifying bytes or the +# string "unlimited" +# +#max_core = "unlimited" + +# Determine if guest RAM is included in QEMU core dumps. By +# default guest RAM will be excluded if a new enough QEMU is +# present. Setting this to '1' will force guest RAM to always +# be included in QEMU core dumps. +# +# This setting will be ignored if the guest XML has set the +# dumpcore attribute on the element. +# +#dump_guest_core = 1 + +# mac_filter enables MAC addressed based filtering on bridge ports. +# This currently requires ebtables to be installed. +# +#mac_filter = 1 + + +# By default, PCI devices below non-ACS switch are not allowed to be assigned +# to guests. By setting relaxed_acs_check to 1 such devices will be allowed to +# be assigned to guests. +# +#relaxed_acs_check = 1 + + +# In order to prevent accidentally starting two domains that +# share one writable disk, libvirt offers two approaches for +# locking files. The first one is sanlock, the other one, +# virtlockd, is then our own implementation. Accepted values +# are "sanlock" and "lockd". +# +#lock_manager = "lockd" + + +# Set limit of maximum APIs queued on one domain. 
All other APIs +# over this threshold will fail on acquiring job lock. Specially, +# setting to zero turns this feature off. +# Note, that job lock is per domain. +# +#max_queued = 0 + +################################################################### +# Keepalive protocol: +# This allows qemu driver to detect broken connections to remote +# libvirtd during peer-to-peer migration. A keepalive message is +# sent to the daemon after keepalive_interval seconds of inactivity +# to check if the daemon is still responding; keepalive_count is a +# maximum number of keepalive messages that are allowed to be sent +# to the daemon without getting any response before the connection +# is considered broken. In other words, the connection is +# automatically closed approximately after +# keepalive_interval * (keepalive_count + 1) seconds since the last +# message received from the daemon. If keepalive_interval is set to +# -1, qemu driver will not send keepalive requests during +# peer-to-peer migration; however, the remote libvirtd can still +# send them and source libvirtd will send responses. When +# keepalive_count is set to 0, connections will be automatically +# closed after keepalive_interval seconds of inactivity without +# sending any keepalive messages. +# +#keepalive_interval = 5 +#keepalive_count = 5 + + + +# Use seccomp syscall sandbox in QEMU. +# 1 == seccomp enabled, 0 == seccomp disabled +# +# If it is unset (or -1), then seccomp will be enabled +# only if QEMU >= 2.11.0 is detected, otherwise it is +# left disabled. This ensures the default config gets +# protection for new QEMU using the blacklist approach. +# +#seccomp_sandbox = 1 + + +# Override the listen address for all incoming migrations. Defaults to +# 0.0.0.0, or :: if both host and qemu are capable of IPv6. +#migration_address = "0.0.0.0" + + +# The default hostname or IP address which will be used by a migration +# source for transferring migration data to this host. 
The migration +# source has to be able to resolve this hostname and connect to it so +# setting "localhost" will not work. By default, the host's configured +# hostname is used. +#migration_host = "host.example.com" + + +# Override the port range used for incoming migrations. +# +# Minimum must be greater than 0, however when QEMU is not running as root, +# setting the minimum to be lower than 1024 will not work. +# +# Maximum must not be greater than 65535. +# +#migration_port_min = 49152 +#migration_port_max = 49215 + + + +# Timestamp QEMU's log messages (if QEMU supports it) +# +# Defaults to 1. +# +#log_timestamp = 0 + + +# Location of master nvram file +# +# This configuration option is obsolete. Libvirt will follow the +# QEMU firmware metadata specification to automatically locate +# firmware images. See docs/interop/firmware.json in the QEMU +# source tree. These metadata files are distributed alongside any +# firmware images intended for use with QEMU. +# +# NOTE: if ANY firmware metadata files are detected, this setting +# will be COMPLETELY IGNORED. +# +# ------------------------------------------ +# +# When a domain is configured to use UEFI instead of standard +# BIOS it may use a separate storage for UEFI variables. If +# that's the case libvirt creates the variable store per domain +# using this master file as image. Each UEFI firmware can, +# however, have different variables store. Therefore the nvram is +# a list of strings when a single item is in form of: +# ${PATH_TO_UEFI_FW}:${PATH_TO_UEFI_VARS}. +# Later, when libvirt creates per domain variable store, this list is +# searched for the master image. The UEFI firmware can be called +# differently for different guest architectures. For instance, it's OVMF +# for x86_64 and i686, but it's AAVMF for aarch64. The libvirt default +# follows this scheme. 
+#nvram = [ +# "/usr/share/OVMF/OVMF_CODE.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/OVMF/OVMF_CODE.secboot.fd:/usr/share/OVMF/OVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF_CODE.fd:/usr/share/AAVMF/AAVMF_VARS.fd", +# "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd", +# "/usr/share/OVMF/OVMF_CODE.ms.fd:/usr/share/OVMF/OVMF_VARS.ms.fd" +#] + +# The backend to use for handling stdout/stderr output from +# QEMU processes. +# +# 'file': QEMU writes directly to a plain file. This is the +# historical default, but allows QEMU to inflict a +# denial of service attack on the host by exhausting +# filesystem space +# +# 'logd': QEMU writes to a pipe provided by virtlogd daemon. +# This is the current default, providing protection +# against denial of service by performing log file +# rollover when a size limit is hit. +# +#stdio_handler = "logd" + +# QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the +# most verbose, and 0 representing no debugging output. +# +# The current logging levels defined in the gluster GFAPI are: +# +# 0 - None +# 1 - Emergency +# 2 - Alert +# 3 - Critical +# 4 - Error +# 5 - Warning +# 6 - Notice +# 7 - Info +# 8 - Debug +# 9 - Trace +# +# Defaults to 4 +# +#gluster_debug_level = 9 + +# To enhance security, QEMU driver is capable of creating private namespaces +# for each domain started. Well, so far only "mount" namespace is supported. If +# enabled it means qemu process is unable to see all the devices on the system, +# only those configured for the domain in question. Libvirt then manages +# devices entries throughout the domain lifetime. This namespace is turned on +# by default. +#namespaces = [ "mount" ] + +# This directory is used for memoryBacking source if configured as file. +# NOTE: big files will be stored here +#memory_backing_dir = "/var/lib/libvirt/qemu/ram" + +# Path to the SCSI persistent reservations helper. This helper is +# used whenever are enabled for SCSI LUN devices. 
+#pr_helper = "/usr/bin/qemu-pr-helper" + +# Path to the SLIRP networking helper. +#slirp_helper = "/usr/bin/slirp-helper" + +# User for the swtpm TPM Emulator +# +# Default is 'tss'; this is the same user that tcsd (TrouSerS) installs +# and uses; alternative is 'root' +# +#swtpm_user = "tss" +#swtpm_group = "tss" + +# For debugging and testing purposes it's sometimes useful to be able to disable +# libvirt behaviour based on the capabilities of the qemu process. This option +# allows to do so. DO _NOT_ use in production and beaware that the behaviour +# may change across versions. +# +#capability_filters = [ "capname" ] diff --git a/libvirt/qemu/networks/autostart/default.xml b/libvirt/qemu/networks/autostart/default.xml new file mode 120000 index 0000000..f19824e --- /dev/null +++ b/libvirt/qemu/networks/autostart/default.xml @@ -0,0 +1 @@ +/etc/libvirt/qemu/networks/default.xml \ No newline at end of file diff --git a/libvirt/qemu/networks/default.xml b/libvirt/qemu/networks/default.xml new file mode 100644 index 0000000..86d880c --- /dev/null +++ b/libvirt/qemu/networks/default.xml @@ -0,0 +1,19 @@ + + + + default + dd567aef-0d2a-405d-90b9-f69e9e53754f + + + + + + + + + diff --git a/libvirt/virt-login-shell.conf b/libvirt/virt-login-shell.conf new file mode 100644 index 0000000..4a504b3 --- /dev/null +++ b/libvirt/virt-login-shell.conf 
@@ -0,0 +1,48 @@ +# Master configuration file for the virt-login-shell program. +# All settings described here are optional - if omitted, sensible +# defaults are used. + +# By default, virt-login-shell will connect you to a container running +# with the /bin/sh program. Modify the shell variable if you want your +# users to run a different shell or a setup container when joining a +# container. +# +# This can either be just the path to a shell binary: +# +# shell = "/bin/bash" +# +# Or can be the path and extra arguments +# +# shell = [ "/bin/bash", "--posix" ] +# +# Note there is no need to pass a '--login' / '-l' argument since +# virt-login-shell will always request a login shell + +# Normally virt-login-shell will always use the shell identified +# by the 'shell' configuration setting above. If the container +# is running a full OS, it might be desirable to allow the choice +# of shell to be delegated to the owner of the shell, by querying +# the /etc/passwd file inside the container +# +# To allow for that, uncomment the following: +# auto_shell = 1 +# +# NB, this should /not/ be used if any container is sharing the +# host filesystem /etc, as this would cause virt-login-shell to +# look at the host's /etc/passwd finding itself as the listed +# shell. Hilarious recursion would then ensue. + +# allowed_users specifies the user names of all users that are allowed to +# execute virt-login-shell. You can specify the users as a comma +# separated list of usernames or user groups. +# The list of names support glob syntax. +# To disallow all users (default) +# allowed_users = [] +# If you do not specify any names (default) then no one is allowed +# to use this executable. +# To allow fred and joe only +# allowed_users = ["fred", "joe"] +# To allow all users within a specific group prefix the group name with %. +# allowed_users = ["%engineers"] +# To allow all users specify the following +# allowed_users = [ "*" ] 
diff --git a/libvirt/virtlockd.conf b/libvirt/virtlockd.conf
new file mode 100644
index 0000000..152d6a8
--- /dev/null
+++ b/libvirt/virtlockd.conf
@@ -0,0 +1,89 @@ +# Master virtlockd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# For the virtlockd daemon, a typical need is to capture information +# from the locking code and some of the utility code. Some utility +# code is very verbose and is generally not desired. 
A suitable filter +# string for debugging might be to turn off object, json & event logging, +# but enable the rest of the util and the locking code: +# +#log_filters="1:locking 4:object 4:json 4:event 1:util" + +# Logging outputs: +# An output is one of the places to save logging information +# The format for an output can be: +# level:stderr +# output goes to stderr +# level:syslog:name +# use syslog for the output and use the given name as the ident +# level:file:file_path +# output to a file, with the given filepath +# level:journald +# output to journald logging system +# In all cases 'level' is the minimal priority, acting as a filter +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple outputs can be defined, they just need to be separated by spaces. +# e.g. to log all warnings and errors to syslog under the virtlockd ident: +#log_outputs="3:syslog:virtlockd" +# + +# The maximum number of concurrent client connections to allow +# on primary socket +# Each running virtual machine will require one open connection +# to virtlockd. So 'max_clients' will affect how many VMs can +# be run on a host +#max_clients = 1024 + +# The maximum number of concurrent client connections to allow +# on administrative socket +#admin_max_clients = 5 diff --git a/libvirt/virtlogd.conf b/libvirt/virtlogd.conf new file mode 100644 index 0000000..8b1ff01 --- /dev/null +++ b/libvirt/virtlogd.conf 
@@ -0,0 +1,99 @@ +# Master virtlogd daemon configuration file +# + +################################################################# +# +# Logging controls +# + +# Logging level: 4 errors, 3 warnings, 2 information, 1 debug +# basically 1 will log everything possible +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +# +# WARNING: It outputs too much information to practically read. +# WARNING: The "log_filters" setting is recommended instead. +# +# WARNING: Journald applies rate limiting of messages and so libvirt +# WARNING: will limit "log_level" to only allow values 3 or 4 if +# WARNING: journald is the current output. +# +# WARNING: USE OF THIS IS STRONGLY DISCOURAGED. +#log_level = 3 + +# Logging filters: +# A filter allows to select a different logging level for a given category +# of logs. The format for a filter is: +# +# level:match +# +# where 'match' is a string which is matched against the category +# given in the VIR_LOG_INIT() at the top of each libvirt source +# file, e.g., "remote", "qemu", or "util.json". The 'match' in the +# filter matches using shell wildcard syntax (see 'man glob(7)'). +# The 'match' is always treated as a substring match. IOW a match +# string 'foo' is equivalent to '*foo*'. +# +# 'level' is the minimal level where matching messages should +# be logged: +# +# 1: DEBUG +# 2: INFO +# 3: WARNING +# 4: ERROR +# +# Multiple filters can be defined in a single @log_filters, they just need +# to be separated by spaces. Note that libvirt performs "first" match, i.e. +# if there are concurrent filters, the first one that matches will be applied, +# given the order in @log_filters. +# +# For the virtlogd daemon, a typical need is to capture information +# from the logging code and some of the utility code. Some utility +# code is very verbose and is generally not desired. 
A suitable filter
+# string for debugging might be to turn off object, json & event logging,
+# but enable the rest of the util and the logging code:
+#
+#log_filters="1:logging 4:object 4:json 4:event 1:util"
+
+# Logging outputs:
+# An output is one of the places to save logging information
+# The format for an output can be:
+# level:stderr
+# output goes to stderr
+# level:syslog:name
+# use syslog for the output and use the given name as the ident
+# level:file:file_path
+# output to a file, with the given filepath
+# level:journald
+# output to journald logging system
+# In all cases 'level' is the minimal priority, acting as a filter
+# 1: DEBUG
+# 2: INFO
+# 3: WARNING
+# 4: ERROR
+#
+# Multiple outputs can be defined, they just need to be separated by spaces.
+# e.g. to log all warnings and errors to syslog under the virtlogd ident:
+#log_outputs="3:syslog:virtlogd"
+#
+
+# The maximum number of concurrent client connections to allow
+# on primary socket
+#max_clients = 1024
+
+# The maximum number of concurrent client connections to allow
+# on administrative socket
+#admin_max_clients = 5
+
+# Maximum file size before rolling over. Defaults to 2 MB
+#
+# Beware that a logrotate config file might be installed too,
+# to handle cases where virtlogd is disabled. To ensure that
+# the logrotate config is a no-op when virtlogd is running,
+# make sure that max_size here is smaller than size listed
+# in the logrotate config.
+#max_size = 2097152
+
+# Maximum number of backup files to keep. Defaults to 3,
+# not including the primary active file
+#max_backups = 3
diff --git a/logrotate.d/libvirtd b/logrotate.d/libvirtd
new file mode 100644
index 0000000..869c879
--- /dev/null
+++ b/logrotate.d/libvirtd
@@ -0,0 +1,9 @@
+/var/log/libvirt/libvirtd.log {
+ weekly
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+ minsize 100k
+}
diff --git a/logrotate.d/libvirtd.libxl b/logrotate.d/libvirtd.libxl
new file mode 100644
index 0000000..70e19d5
--- /dev/null
+++ b/logrotate.d/libvirtd.libxl
@@ -0,0 +1,8 @@
+/var/log/libvirt/libxl/*.log {
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/logrotate.d/libvirtd.lxc b/logrotate.d/libvirtd.lxc
new file mode 100644
index 0000000..f21f382
--- /dev/null
+++ b/logrotate.d/libvirtd.lxc
@@ -0,0 +1,8 @@
+/var/log/libvirt/lxc/*.log {
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/logrotate.d/libvirtd.qemu b/logrotate.d/libvirtd.qemu
new file mode 100644
index 0000000..ef606a4
--- /dev/null
+++ b/logrotate.d/libvirtd.qemu
@@ -0,0 +1,16 @@
+/var/log/libvirt/qemu/*.log {
+ # The QEMU driver is configured to use virtlogd by
+ # default, which will perform log rollover.
+ # This logrotate config is still installed for cases
+ # where the user has switched off virtlogd.
+ #
+ # If virtlogd is active, ensure that size here is
+ # larger than 'max_size' in the virtlogd config
+ # so that logrotate becomes a no-op
+ size 2097153
+ missingok
+ rotate 4
+ compress
+ delaycompress
+ copytruncate
+}
diff --git a/mailcap b/mailcap
index a8818fe..2a22900 100644
--- a/mailcap
+++ b/mailcap
@@ -888,6 +888,8 @@ x-scheme-handler/remmina; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
 x-scheme-handler/rdp; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
 x-scheme-handler/spice; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
 x-scheme-handler/vnc; /usr/bin/remmina -e %s; test=test -n "$DISPLAY"
+x-scheme-handler/spice; remote-viewer %s; test=test -n "$DISPLAY"
+application/x-virt-viewer; remote-viewer %s; test=test -n "$DISPLAY"
 x-content/audio-player; rhythmbox-client --select-source %s; test=test -n "$DISPLAY"
 x-content/audio-cdda; rhythmbox-client --select-source %s; test=test -n "$DISPLAY"
 x-scheme-handler/sgnl; /opt/Signal/signal-desktop --no-sandbox %s; test=test -n "$DISPLAY"
diff --git a/nsswitch.conf b/nsswitch.conf
index acb2843..0e0e0b6 100644
--- a/nsswitch.conf
+++ b/nsswitch.conf
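Review bot: The added `x-scheme-handler/spice; remote-viewer %s; test=test -n "$DISPLAY"` entry duplicates the `x-scheme-handler/spice; /usr/bin/remmina -e %s` line that is already present three lines above it in the same hunk; mailcap consumers take the first matching entry for a type, so the new remote-viewer handler is shadowed and spice:// URIs keep opening in remmina. If remote-viewer is meant to win it has to be listed before the remmina entry, otherwise the new line is dead configuration. The `application/x-virt-viewer` entry has no such conflict. This file looks like it is regenerated from per-package fragments, so the ordering would have to be corrected in the fragment rather than by hand.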
@@ -9,7 +9,7 @@ group: compat systemd
 shadow: compat
 gshadow: files
-hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname
+hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname mymachines
 networks: files
 protocols: db files
diff --git a/passwd b/passwd
index 8a7683c..c7b4fc3 100644
--- a/passwd
+++ b/passwd
@@ -60,3 +60,5 @@ dump1090:x:134:65534::/usr/share/dump1090-mutability:/usr/sbin/nologin
 nx:x:135:1015::/var/NX/nx:/etc/NX/nxserver
 tss:x:136:147:TPM software stack,,,:/var/lib/tpm:/bin/false
 gpsd:x:137:20:GPSD system user,,,:/run/gpsd:/bin/false
+libvirt-qemu:x:64055:139:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:138:149:Libvirt Dnsmasq,,,:/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
diff --git a/passwd- b/passwd-
index 263ed34..8444523 100644
--- a/passwd-
+++ b/passwd-
@@ -59,4 +59,6 @@ nvidia-persistenced:x:133:146:NVIDIA Persistence Daemon,,,:/nonexistent:/sbin/no
 dump1090:x:134:65534::/usr/share/dump1090-mutability:/usr/sbin/nologin
 nx:x:135:1015::/var/NX/nx:/etc/NX/nxserver
 tss:x:136:147:TPM software stack,,,:/var/lib/tpm:/bin/false
-gpsd:x:137:20::/run/gpsd:/bin/false
+gpsd:x:137:20:GPSD system user,,,:/run/gpsd:/bin/false
+libvirt-qemu:x:64055:139:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
+libvirt-dnsmasq:x:138:149::/var/lib/libvirt/dnsmasq:/usr/sbin/nologin
diff --git a/profile.d/libvirt-uri.sh b/profile.d/libvirt-uri.sh
new file mode 100644
index 0000000..f9bdc6d
--- /dev/null
+++ b/profile.d/libvirt-uri.sh
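Review bot: `mymachines` is appended at the very end of the `hosts:` line, after `resolve [!UNAVAIL=return]`, so whenever the systemd-resolved NSS module is loadable the lookup returns at `resolve` for every status except UNAVAIL and the `dns myhostname mymachines` tail — including the newly added module — is never consulted; if that reading is right, the new entry only ever takes effect on hosts where resolved is not running. Names of containers or VMs registered with systemd-machined will therefore not resolve on this host despite the change. If that is the intent of installing libnss-mymachines, the module has to sit ahead of the `resolve` action, which is also the ordering systemd itself recommends, e.g. `hosts: files mymachines mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns myhostname`. Placing it before `dns` has the added benefit that a locally registered machine name is answered locally instead of being sent to the network resolver.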
@@ -0,0 +1,27 @@
+#!/bin/sh
+# libvirt-uri.sh - Automatically switch default libvirt URI for user
+# Copyright (C) 2015 Canonical Ltd.
+#
+# Authors: Stefan Bader
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+LIBVIRT_DEFAULT_URI="qemu:///system"
+if [ -f /proc/xen/capabilities ]; then
+ if [ "$(cat /proc/xen/capabilities)" = "control_d" ]; then
+ LIBVIRT_DEFAULT_URI="xen:///"
+ fi
+fi
+
+export LIBVIRT_DEFAULT_URI
+
diff --git a/sasl2/libvirt.conf b/sasl2/libvirt.conf
new file mode 100644
index 0000000..9e7699c
--- /dev/null
+++ b/sasl2/libvirt.conf
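Review bot: `LIBVIRT_DEFAULT_URI="qemu:///system"` is assigned unconditionally, so any value the login environment already carries (pam_env, a display manager's environment, or a user who deliberately targets their own `qemu:///session` instance) is overwritten for every interactive shell on the host. Honouring a pre-set value is a one-line change: `LIBVIRT_DEFAULT_URI="${LIBVIRT_DEFAULT_URI:-qemu:///system}"`. The override also means every user's virsh and virt-manager default to the privileged system daemon rather than their own session instance, where access is then decided by the libvirtd socket's permissions; that deserves a comment such as `# points all users at the system instance; access is still gated by the libvirtd socket permissions`. The Xen probe could use `read -r caps < /proc/xen/capabilities` instead of a `cat` subshell, but that is cosmetic.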
@@ -0,0 +1,45 @@
+# If you want to use the non-TLS socket, then you *must* pick a
+# mechanism which provides session encryption as well as
+# authentication.
+#
+# If you are only using TLS, then you can turn on any mechanisms
+# you like for authentication, because TLS provides the encryption
+#
+# If you are only using UNIX, sockets then encryption is not
+# required at all.
+#
+# Since SASL is the default for the libvirtd non-TLS socket, we
+# pick a strong mechanism by default.
+#
+# NB, previously DIGEST-MD5 was set as the default mechanism for
+# libvirt. Per RFC 6331 this is vulnerable to many serious security
+# flaws and should no longer be used. Thus GSSAPI is now the default.
+#
+# To use GSSAPI requires that a libvirtd service principal is
+# added to the Kerberos server for each host running libvirtd.
+# This principal needs to be exported to the keytab file listed below
+mech_list: gssapi
+
+# If using a TLS socket or UNIX socket only, it is possible to
+# enable plugins which don't provide session encryption. The
+# 'scram-sha-1' plugin allows plain username/password authentication
+# to be performed
+#
+#mech_list: scram-sha-1
+
+#
+# You can also list many mechanisms at once, then the user can choose
+# by adding '?auth=sasl.gssapi' to their libvirt URI, eg
+# qemu+tcp://hostname/system?auth=sasl.gssapi
+#mech_list: scram-sha-1 gssapi
+
+# Some older builds of MIT kerberos on Linux ignore this option &
+# instead need KRB5_KTNAME env var.
+# For modern Linux, and other OS, this should be sufficient
+#
+keytab: /etc/libvirt/krb5.tab
+
+# If using scram-sha-1 for username/passwds, then this is the file
+# containing the passwds. Use 'saslpasswd2 -a libvirt [username]'
+# to add entries, and 'sasldblistusers2 -f [sasldb_path]' to browse it
+#sasldb_path: /etc/libvirt/passwd.db
diff --git a/shadow b/shadow
index 095c016..8b792f4 100644
--- a/shadow
+++ b/shadow
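Review bot: `mech_list: gssapi` with `keytab: /etc/libvirt/krb5.tab` only does anything once a service principal is actually provisioned and SASL is attached to a socket (`auth_tcp`/`auth_tls`/`auth_unix_*` in libvirtd.conf, which is not in this view); on a host that never sets up Kerberos this is dead configuration, and since nothing visible in the diff enables libvirtd-tcp.socket or libvirtd-tls.socket it is harmless as shipped. Two operational caveats are missing from the comments, though: the keytab must be readable only by the user libvirtd runs as, and if `scram-sha-1` is ever enabled, `/etc/libvirt/passwd.db` must be root-owned 0600, because sasldb as written by saslpasswd2 generally stores the plaintext password rather than a verifier. A line next to `keytab:` such as `# keytab must be mode 0600 and owned by the libvirtd user; sasldb_path likewise if scram is enabled` would capture both. The scram-sha-1 recommendation also predates SCRAM-SHA-256 support in cyrus-sasl; where the installed libsasl2 offers it, that mechanism is the better choice for the TLS/UNIX-only case.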
@@ -60,3 +60,5 @@ dump1090:*:18302:0:99999:7:::
 nx:*:18347:0:99999:7:::
 tss:*:18407:0:99999:7:::
 gpsd:*:18409:0:99999:7:::
+libvirt-qemu:!:18454:0:99999:7:::
+libvirt-dnsmasq:!:18454:0:99999:7:::
diff --git a/shadow- b/shadow-
index 095c016..8b792f4 100644
--- a/shadow-
+++ b/shadow-
@@ -60,3 +60,5 @@ dump1090:*:18302:0:99999:7:::
 nx:*:18347:0:99999:7:::
 tss:*:18407:0:99999:7:::
 gpsd:*:18409:0:99999:7:::
+libvirt-qemu:!:18454:0:99999:7:::
+libvirt-dnsmasq:!:18454:0:99999:7:::
diff --git a/systemd/system/multi-user.target.wants/libvirt-guests.service b/systemd/system/multi-user.target.wants/libvirt-guests.service
new file mode 120000
index 0000000..d1d5309
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/libvirt-guests.service
@@ -0,0 +1 @@
+/lib/systemd/system/libvirt-guests.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/libvirtd.service b/systemd/system/multi-user.target.wants/libvirtd.service
new file mode 120000
index 0000000..bf818f9
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/libvirtd.service
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/machines.target b/systemd/system/multi-user.target.wants/machines.target
new file mode 120000
index 0000000..7eaa671
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/machines.target
@@ -0,0 +1 @@
+/lib/systemd/system/machines.target
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/libvirtd-admin.socket b/systemd/system/sockets.target.wants/libvirtd-admin.socket
new file mode 120000
index 0000000..28d5380
--- /dev/null
+++ b/systemd/system/sockets.target.wants/libvirtd-admin.socket
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd-admin.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/libvirtd-ro.socket b/systemd/system/sockets.target.wants/libvirtd-ro.socket
new file mode 120000
index 0000000..9e0b46a
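Review bot: Enabling libvirt-guests.service means running guests are handled automatically at host shutdown according to /etc/default/libvirt-guests (added by this commit but outside this view); as far as I recall the shipped default there is `ON_SHUTDOWN=suspend`, which writes each guest's entire RAM image to disk under /var/lib/libvirt/qemu/save. On a host whose guests handle secrets that is a plaintext memory dump persisted across reboots, and it is also what makes shutdown stall while images are written. If that is not wanted, set `ON_SHUTDOWN=shutdown` together with a sane `SHUTDOWN_TIMEOUT` in /etc/default/libvirt-guests, or leave this unit disabled; either way the choice deserves a note in that file since the symlink here gives no hint of it.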
--- /dev/null
+++ b/systemd/system/sockets.target.wants/libvirtd-ro.socket
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd-ro.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/libvirtd.socket b/systemd/system/sockets.target.wants/libvirtd.socket
new file mode 120000
index 0000000..f37bf5e
--- /dev/null
+++ b/systemd/system/sockets.target.wants/libvirtd.socket
@@ -0,0 +1 @@
+/lib/systemd/system/libvirtd.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/virtlockd-admin.socket b/systemd/system/sockets.target.wants/virtlockd-admin.socket
new file mode 120000
index 0000000..fd06b4a
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlockd-admin.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlockd-admin.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/virtlockd.socket b/systemd/system/sockets.target.wants/virtlockd.socket
new file mode 120000
index 0000000..8f7876f
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlockd.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlockd.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/virtlogd-admin.socket b/systemd/system/sockets.target.wants/virtlogd-admin.socket
new file mode 120000
index 0000000..0a2b23a
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlogd-admin.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlogd-admin.socket
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/virtlogd.socket b/systemd/system/sockets.target.wants/virtlogd.socket
new file mode 120000
index 0000000..a39fe54
--- /dev/null
+++ b/systemd/system/sockets.target.wants/virtlogd.socket
@@ -0,0 +1 @@
+/lib/systemd/system/virtlogd.socket
\ No newline at end of file
-- 2.43.0
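Review bot: Enabling libvirtd-ro.socket exposes the read-only control socket (/run/libvirt/libvirt-sock-ro) to every local account — the unit as shipped upstream sets `SocketMode=0666`; confirm with `systemctl cat libvirtd-ro.socket` — so any unprivileged user can enumerate domains, read their XML (MAC/IP addresses, disk paths, passthrough details) and subscribe to events on the system hypervisor with no polkit or group gate. On a single-admin workstation that is the intended convenience; on a shared or multi-tenant host it is a reconnaissance surface worth closing. A drop-in for this unit with `[Socket]`, `SocketMode=0660` and `SocketGroup=libvirt`, or masking it outright, restricts it to the same group that gates the read-write socket; mirror that in `unix_sock_ro_perms` in libvirtd.conf in case libvirtd is ever started without socket activation. Check the mode of the sibling libvirtd.socket on this line as well: upstream's polkit-enabled default is also 0666 with polkit doing the gating, while Debian/Ubuntu builds usually override it to 0660 with `SocketGroup=libvirt`, and the unit contents are not part of this diff.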