Laboratoire de l'Informatique et du Parallélisme » CIAB

# -*- sh -*-

#

# Xend configuration file.

#

# This example configuration is appropriate for an installation that

# utilizes a bridged network configuration. Access to xend via http

# is disabled.

# Commented out entries show the default for that entry, unless otherwise

# specified.

#(logfile /var/log/xen/xend.log)

#(loglevel DEBUG)

# Uncomment the line below.  Set the value to flask, acm, or dummy to

# select a security module.

#(xsm_module_name dummy)

# The Xen-API server configuration.

#

# This value configures the ports, interfaces, and access controls for the

# Xen-API server.  Each entry in the list starts with either unix, a port

# number, or an address:port pair.  If this is "unix", then a UDP socket is

# opened, and this entry applies to that.  If it is a port, then Xend will

# listen on all interfaces on that TCP port, and if it is an address:port

# pair, then Xend will listen on the specified port, using the interface with

# the specified address.

#

# The subsequent string configures the user-based access control for the

# listener in question.  This can be one of "none" or "pam", indicating either

# that users should be allowed access unconditionally, or that the local

# Pluggable Authentication Modules configuration should be used.  If this

# string is missing or empty, then "pam" is used.

#

# The final string gives the host-based access control for that listener. If

# this is missing or empty, then all connections are accepted.  Otherwise,

# this should be a space-separated sequence of regular expressions; any host

# with a fully-qualified domain name or an IP address that matches one of

# these regular expressions will be accepted.

#

# Example: listen on TCP port 9363 on all interfaces, accepting connections

# only from machines in example.com or localhost, and allow access through

# the unix domain socket unconditionally:

#

#   (xen-api-server ((9363 pam '^localhost$ example\\.com$')

#                    (unix none)))

#

# Optionally, the TCP Xen-API server can use SSL by specifying the private

# key and certificate location:

#

#                    (9367 pam '' xen-api.key xen-api.crt)

#

# Default:

#   (xen-api-server ((unix)))

#(xend-http-server no)

#(xend-unix-server no)

#(xend-tcp-xmlrpc-server no)

#(xend-unix-xmlrpc-server yes)

#(xend-relocation-server no)

#(xend-relocation-ssl-server no)

#(xend-udev-event-server no)

#(xend-unix-path /var/lib/xend/xend-socket)

# Address and port xend should use for the legacy TCP XMLRPC interface,

# if xend-tcp-xmlrpc-server is set.

#(xend-tcp-xmlrpc-server-address 'localhost')

#(xend-tcp-xmlrpc-server-port 8006)

# SSL key and certificate to use for the legacy TCP XMLRPC interface.

# Setting these will mean that this port serves only SSL connections as

# opposed to plaintext ones.

#(xend-tcp-xmlrpc-server-ssl-key-file  xmlrpc.key)

#(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt)

# Port xend should use for the HTTP interface, if xend-http-server is set.

#(xend-port            8000)

# Port xend should use for the relocation interface, if xend-relocation-server

# is set.

#(xend-relocation-port 8002)

# Port xend should use for the ssl relocation interface, if

# xend-relocation-ssl-server is set.

#(xend-relocation-ssl-port 8003)

# SSL key and certificate to use for the ssl relocation interface, if

# xend-relocation-ssl-server is set.

#(xend-relocation-server-ssl-key-file   xmlrpc.key)

#(xend-relocation-server-ssl-cert-file  xmlrpc.crt)

# Whether to use ssl as default when relocating.

#(xend-relocation-ssl no)

# Address xend should listen on for HTTP connections, if xend-http-server is

# set.

# Specifying 'localhost' prevents remote connections.

# Specifying the empty string '' (the default) allows all connections.

#(xend-address '')

#(xend-address localhost)

# Address xend should listen on for relocation-socket connections, if

# xend-relocation-server is set.

# Meaning and default as for xend-address above.

#(xend-relocation-address '')

# The hosts allowed to talk to the relocation port.  If this is empty (the

# default), then all connections are allowed (assuming that the connection

# arrives on a port and interface on which we are listening; see

# xend-relocation-port and xend-relocation-address above).  Otherwise, this

# should be a space-separated sequence of regular expressions.  Any host with

# a fully-qualified domain name or an IP address that matches one of these

# regular expressions will be accepted.

#

# For example:

#  (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')

#

#(xend-relocation-hosts-allow '')

# The limit (in kilobytes) on the size of the console buffer

#(console-limit 1024)

##

# NOTE:

# Please read /usr/share/doc/xen-utils-common/README.Debian for Debian specific

# informations about the network setup.

##

# To bridge network traffic, like this:

#

# dom0: ----------------- bridge -> real eth0 -> the network

#                            |

# domU: fake eth0 -> vifN.0 -+

#

# use

#

# (network-script network-bridge)

# Use a modified script to create an internal bridge. ST-2012-03-06.

__CLUSTER_BRIDGE_STANZA__

# Your default ethernet device is used as the outgoing interface, by default.

# To use a different one (e.g. eth1) use

#

# (network-script 'network-bridge netdev=eth1')

#

# The bridge is named xenbr0, by default.  To rename the bridge, use

#

# (network-script 'network-bridge bridge=<name>')

#

# It is possible to use the network-bridge script in more complicated

# scenarios, such as having two outgoing interfaces, with two bridges, and

# two fake interfaces per guest domain.  To do things like this, write

# yourself a wrapper script, and call network-bridge from it, as appropriate.

#

# The script used to control virtual interfaces.  This can be overridden on a

# per-vif basis when creating a domain or a configuring a new vif.  The

# vif-bridge script is designed for use with the network-bridge script, or

# similar configurations.

#

# If you have overridden the bridge name using

# (network-script 'network-bridge bridge=<name>') then you may wish to do the

# same here.  The bridge name can also be set when creating a domain or

# configuring a new vif, but a value specified here would act as a default.

#

# If you are using only one bridge, the vif-bridge script will discover that,

# so there is no need to specify it explicitly.

#

(vif-script vif-bridge)

## Use the following if network traffic is routed, as an alternative to the

# settings for bridged networking given above.

#(network-script network-route)

#(vif-script     vif-route)

## Use the following if network traffic is routed with NAT, as an alternative

# to the settings for bridged networking given above.

#(network-script network-nat)

#(vif-script     vif-nat)

# dom0-min-mem is the lowest permissible memory level (in MB) for dom0.

# This is a minimum both for auto-ballooning (as enabled by

# enable-dom0-ballooning below) and for xm mem-set when applied to dom0.

(dom0-min-mem 1024)

# Whether to enable auto-ballooning of dom0 to allow domUs to be created.

# If enable-dom0-ballooning = no, dom0 will never balloon out.

# ST 2012-03-06: ballooning is disabled since memory of dom0 is set

# in GRUB.

(enable-dom0-ballooning no)

# 32-bit paravirtual domains can only consume physical

# memory below 168GB. On systems with memory beyond that address,

# they'll be confined to memory below 128GB.

# Using total_available_memory (in GB) to specify the amount of memory reserved

# in the memory pool exclusively for 32-bit paravirtual domains.

# Additionally you should use dom0_mem = <-Value> as a parameter in

# xen kernel to reserve the memory for 32-bit paravirtual domains, default

# is "0" (0GB).

(total_available_memory 0)

# In SMP system, dom0 will use dom0-cpus # of CPUS

# If dom0-cpus = 0, dom0 will take all cpus available

__DOM0_CPUS_CLAUSE__

# Whether to enable core-dumps when domains crash.

#(enable-dump no)

# The tool used for initiating virtual TPM migration

#(external-migration-tool '')

# The interface for VNC servers to listen on. Defaults

# to 127.0.0.1  To restore old 'listen everywhere' behaviour

# set this to 0.0.0.0

#(vnc-listen '127.0.0.1')

# The default password for VNC console on HVM domain.

# Empty string is no authentication.

(vncpasswd '')

# The VNC server can be told to negotiate a TLS session

# to encryption all traffic, and provide x509 cert to

# clients enabling them to verify server identity. The

# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt

# all support the VNC extension for TLS used in QEMU. The

# TightVNC/RealVNC/UltraVNC clients do not.

#

# To enable this create x509 certificates / keys in the

# directory ${XEN_CONFIG_DIR} + vnc

#

#  ca-cert.pem       - The CA certificate

#  server-cert.pem   - The Server certificate signed by the CA

#  server-key.pem    - The server private key

#

# and then uncomment this next line

# (vnc-tls 1)

# The certificate dir can be pointed elsewhere..

#

# (vnc-x509-cert-dir vnc)

# The server can be told to request & validate an x509

# certificate from the client. Only clients with a cert

# signed by the trusted CA will be able to connect. This

# is more secure the password auth alone. Passwd auth can

# used at the same time if desired. To enable client cert

# checking uncomment this:

#

# (vnc-x509-verify 1)

# The default keymap to use for the VM's virtual keyboard

# when not specififed in VM's configuration

#(keymap 'en-us')

# Script to run when the label of a resource has changed.

#(resource-label-change-script '')

# Rotation count of qemu-dm log file.

#(qemu-dm-logrotate-count 10)

# Path where persistent domain configuration is stored.

# Default is /var/lib/xend/domains/

#(xend-domains-path /var/lib/xend/domains)

# Number of seconds xend will wait for device creation and

# destruction

#(device-create-timeout 100)

#(device-destroy-timeout 100)

# When assigning device to HVM guest, we use the strict check for HVM guest by

# default. (For PV guest, we use loose check automatically if necessary.)

# When we assign device to HVM guest, if we meet with the co-assignment

# issues or the ACS issue, we could try changing the option to 'no' -- however,

# we have to realize this may incur security issue and we can't make sure the

# device assignment could really work properly even after we do this.

#(pci-passthrough-strict-check yes)