# -*- sh -*- # # Xend configuration file. # # This example configuration is appropriate for an installation that # utilizes a bridged network configuration. Access to xend via http # is disabled. # Commented out entries show the default for that entry, unless otherwise # specified. #(logfile /var/log/xen/xend.log) #(loglevel DEBUG) # Uncomment the line below. Set the value to flask, acm, or dummy to # select a security module. #(xsm_module_name dummy) # The Xen-API server configuration. # # This value configures the ports, interfaces, and access controls for the # Xen-API server. Each entry in the list starts with either unix, a port # number, or an address:port pair. If this is "unix", then a UDP socket is # opened, and this entry applies to that. If it is a port, then Xend will # listen on all interfaces on that TCP port, and if it is an address:port # pair, then Xend will listen on the specified port, using the interface with # the specified address. # # The subsequent string configures the user-based access control for the # listener in question. This can be one of "none" or "pam", indicating either # that users should be allowed access unconditionally, or that the local # Pluggable Authentication Modules configuration should be used. If this # string is missing or empty, then "pam" is used. # # The final string gives the host-based access control for that listener. If # this is missing or empty, then all connections are accepted. Otherwise, # this should be a space-separated sequence of regular expressions; any host # with a fully-qualified domain name or an IP address that matches one of # these regular expressions will be accepted. # # Example: listen on TCP port 9363 on all interfaces, accepting connections # only from machines in example.com or localhost, and allow access through # the unix domain socket unconditionally: # # (xen-api-server ((9363 pam '^localhost$ example\\.com$') # (unix none))) # # Optionally, the TCP Xen-API server can use SSL by specifying the private # key and certificate location: # # (9367 pam '' xen-api.key xen-api.crt) # # Default: # (xen-api-server ((unix))) #(xend-http-server no) #(xend-unix-server no) #(xend-tcp-xmlrpc-server no) #(xend-unix-xmlrpc-server yes) #(xend-relocation-server no) (xend-relocation-server yes) #(xend-relocation-ssl-server no) #(xend-udev-event-server no) #(xend-unix-path /var/lib/xend/xend-socket) # Address and port xend should use for the legacy TCP XMLRPC interface, # if xend-tcp-xmlrpc-server is set. #(xend-tcp-xmlrpc-server-address 'localhost') #(xend-tcp-xmlrpc-server-port 8006) # SSL key and certificate to use for the legacy TCP XMLRPC interface. # Setting these will mean that this port serves only SSL connections as # opposed to plaintext ones. #(xend-tcp-xmlrpc-server-ssl-key-file xmlrpc.key) #(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt) # Port xend should use for the HTTP interface, if xend-http-server is set. (xend-port 8008) # Port xend should use for the relocation interface, if xend-relocation-server # is set. #(xend-relocation-port 8002) # Port xend should use for the ssl relocation interface, if # xend-relocation-ssl-server is set. #(xend-relocation-ssl-port 8003) # SSL key and certificate to use for the ssl relocation interface, if # xend-relocation-ssl-server is set. #(xend-relocation-server-ssl-key-file xmlrpc.key) #(xend-relocation-server-ssl-cert-file xmlrpc.crt) # Whether to use ssl as default when relocating. #(xend-relocation-ssl no) # Address xend should listen on for HTTP connections, if xend-http-server is # set. # Specifying 'localhost' prevents remote connections. # Specifying the empty string '' (the default) allows all connections. #(xend-address '') #(xend-address localhost) # Address xend should listen on for relocation-socket connections, if # xend-relocation-server is set. # Meaning and default as for xend-address above. #(xend-relocation-address '') # The hosts allowed to talk to the relocation port. If this is empty (the # default), then all connections are allowed (assuming that the connection # arrives on a port and interface on which we are listening; see # xend-relocation-port and xend-relocation-address above). Otherwise, this # should be a space-separated sequence of regular expressions. Any host with # a fully-qualified domain name or an IP address that matches one of these # regular expressions will be accepted. # # For example: # (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$') # #(xend-relocation-hosts-allow '') (xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$') # The limit (in kilobytes) on the size of the console buffer #(console-limit 1024) ## # To bridge network traffic, like this: # # dom0: ----------------- bridge -> real eth0 -> the network # | # domU: fake eth0 -> vifN.0 -+ # # use # (network-script network-bridge) # # Your default ethernet device is used as the outgoing interface, by default. # To use a different one (e.g. eth1) use # # (network-script 'network-bridge netdev=eth1') # # The bridge is named xenbr0, by default. To rename the bridge, use # # (network-script 'network-bridge bridge=') # # It is possible to use the network-bridge script in more complicated # scenarios, such as having two outgoing interfaces, with two bridges, and # two fake interfaces per guest domain. To do things like this, write # yourself a wrapper script, and call network-bridge from it, as appropriate. (network-script network-bridge) # The script used to control virtual interfaces. This can be overridden on a # per-vif basis when creating a domain or a configuring a new vif. The # vif-bridge script is designed for use with the network-bridge script, or # similar configurations. # # If you have overridden the bridge name using # (network-script 'network-bridge bridge=') then you may wish to do the # same here. The bridge name can also be set when creating a domain or # configuring a new vif, but a value specified here would act as a default. # # If you are using only one bridge, the vif-bridge script will discover that, # so there is no need to specify it explicitly. # (vif-script vif-bridge) ## Use the following if network traffic is routed, as an alternative to the # settings for bridged networking given above. #(network-script network-route) #(vif-script vif-route) ## Use the following if network traffic is routed with NAT, as an alternative # to the settings for bridged networking given above. #(network-script network-nat) #(vif-script vif-nat) # dom0-min-mem is the lowest permissible memory level (in MB) for dom0. # This is a minimum both for auto-ballooning (as enabled by # enable-dom0-ballooning below) and for xm mem-set when applied to dom0. (dom0-min-mem 400) # Whether to enable auto-ballooning of dom0 to allow domUs to be created. # If enable-dom0-ballooning = no, dom0 will never balloon out. (enable-dom0-ballooning yes) # 32-bit paravirtual domains can only consume physical # memory below 168GB. On systems with memory beyond that address, # they'll be confined to memory below 128GB. # Using total_available_memory (in GB) to specify the amount of memory reserved # in the memory pool exclusively for 32-bit paravirtual domains. # Additionally you should use dom0_mem = <-Value> as a parameter in # xen kernel to reserve the memory for 32-bit paravirtual domains, default # is "0" (0GB). (total_available_memory 0) # In SMP system, dom0 will use dom0-cpus # of CPUS # If dom0-cpus = 0, dom0 will take all cpus available (dom0-cpus 0) # Whether to enable core-dumps when domains crash. #(enable-dump no) # The tool used for initiating virtual TPM migration #(external-migration-tool '') # The interface for VNC servers to listen on. Defaults # to 127.0.0.1 To restore old 'listen everywhere' behaviour # set this to 0.0.0.0 #(vnc-listen '127.0.0.1') # The default password for VNC console on HVM domain. # Empty string is no authentication. (vncpasswd '') # The VNC server can be told to negotiate a TLS session # to encryption all traffic, and provide x509 cert to # clients enabling them to verify server identity. The # GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt # all support the VNC extension for TLS used in QEMU. The # TightVNC/RealVNC/UltraVNC clients do not. # # To enable this create x509 certificates / keys in the # directory ${XEN_CONFIG_DIR} + vnc # # ca-cert.pem - The CA certificate # server-cert.pem - The Server certificate signed by the CA # server-key.pem - The server private key # # and then uncomment this next line # (vnc-tls 1) # The certificate dir can be pointed elsewhere.. # # (vnc-x509-cert-dir vnc) # The server can be told to request & validate an x509 # certificate from the client. Only clients with a cert # signed by the trusted CA will be able to connect. This # is more secure the password auth alone. Passwd auth can # used at the same time if desired. To enable client cert # checking uncomment this: # # (vnc-x509-verify 1) # The default keymap to use for the VM's virtual keyboard # when not specififed in VM's configuration #(keymap 'en-us') # Script to run when the label of a resource has changed. #(resource-label-change-script '') # Rotation count of qemu-dm log file. #(qemu-dm-logrotate-count 10) # Path where persistent domain configuration is stored. # Default is /var/lib/xend/domains/ #(xend-domains-path /var/lib/xend/domains) # Number of seconds xend will wait for device creation and # destruction #(device-create-timeout 100) #(device-destroy-timeout 100) # When assigning device to HVM guest, we use the strict check for HVM guest by # default. (For PV guest, we use loose check automatically if necessary.) # When we assign device to HVM guest, if we meet with the co-assignment # issues or the ACS issue, we could try changing the option to 'no' -- however, # we have to realize this may incur security issue and we can't make sure the # device assignment could really work properly even after we do this. #(pci-passthrough-strict-check yes)