root / trunk / dom0 / etc / xen / xend-config.sxp @ 8
Historique | Voir | Annoter | Télécharger (9,95 ko)
| 1 |
# -*- sh -*- |
|---|---|
| 2 |
|
| 3 |
# |
| 4 |
# Xend configuration file. |
| 5 |
# |
| 6 |
|
| 7 |
# This example configuration is appropriate for an installation that |
| 8 |
# utilizes a bridged network configuration. Access to xend via http |
| 9 |
# is disabled. |
| 10 |
|
| 11 |
# Commented out entries show the default for that entry, unless otherwise |
| 12 |
# specified. |
| 13 |
|
| 14 |
#(logfile /var/log/xen/xend.log) |
| 15 |
#(loglevel DEBUG) |
| 16 |
|
| 17 |
# Uncomment the line below. Set the value to flask, acm, or dummy to |
| 18 |
# select a security module. |
| 19 |
|
| 20 |
#(xsm_module_name dummy) |
| 21 |
|
| 22 |
# The Xen-API server configuration. |
| 23 |
# |
| 24 |
# This value configures the ports, interfaces, and access controls for the |
| 25 |
# Xen-API server. Each entry in the list starts with either unix, a port |
| 26 |
# number, or an address:port pair. If this is "unix", then a UDP socket is |
| 27 |
# opened, and this entry applies to that. If it is a port, then Xend will |
| 28 |
# listen on all interfaces on that TCP port, and if it is an address:port |
| 29 |
# pair, then Xend will listen on the specified port, using the interface with |
| 30 |
# the specified address. |
| 31 |
# |
| 32 |
# The subsequent string configures the user-based access control for the |
| 33 |
# listener in question. This can be one of "none" or "pam", indicating either |
| 34 |
# that users should be allowed access unconditionally, or that the local |
| 35 |
# Pluggable Authentication Modules configuration should be used. If this |
| 36 |
# string is missing or empty, then "pam" is used. |
| 37 |
# |
| 38 |
# The final string gives the host-based access control for that listener. If |
| 39 |
# this is missing or empty, then all connections are accepted. Otherwise, |
| 40 |
# this should be a space-separated sequence of regular expressions; any host |
| 41 |
# with a fully-qualified domain name or an IP address that matches one of |
| 42 |
# these regular expressions will be accepted. |
| 43 |
# |
| 44 |
# Example: listen on TCP port 9363 on all interfaces, accepting connections |
| 45 |
# only from machines in example.com or localhost, and allow access through |
| 46 |
# the unix domain socket unconditionally: |
| 47 |
# |
| 48 |
# (xen-api-server ((9363 pam '^localhost$ example\\.com$') |
| 49 |
# (unix none))) |
| 50 |
# |
| 51 |
# Optionally, the TCP Xen-API server can use SSL by specifying the private |
| 52 |
# key and certificate location: |
| 53 |
# |
| 54 |
# (9367 pam '' xen-api.key xen-api.crt) |
| 55 |
# |
| 56 |
# Default: |
| 57 |
# (xen-api-server ((unix))) |
| 58 |
|
| 59 |
|
| 60 |
#(xend-http-server no) |
| 61 |
#(xend-unix-server no) |
| 62 |
#(xend-tcp-xmlrpc-server no) |
| 63 |
#(xend-unix-xmlrpc-server yes) |
| 64 |
#(xend-relocation-server no) |
| 65 |
#(xend-relocation-ssl-server no) |
| 66 |
#(xend-udev-event-server no) |
| 67 |
|
| 68 |
#(xend-unix-path /var/lib/xend/xend-socket) |
| 69 |
|
| 70 |
|
| 71 |
# Address and port xend should use for the legacy TCP XMLRPC interface, |
| 72 |
# if xend-tcp-xmlrpc-server is set. |
| 73 |
#(xend-tcp-xmlrpc-server-address 'localhost') |
| 74 |
#(xend-tcp-xmlrpc-server-port 8006) |
| 75 |
|
| 76 |
# SSL key and certificate to use for the legacy TCP XMLRPC interface. |
| 77 |
# Setting these will mean that this port serves only SSL connections as |
| 78 |
# opposed to plaintext ones. |
| 79 |
#(xend-tcp-xmlrpc-server-ssl-key-file xmlrpc.key) |
| 80 |
#(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt) |
| 81 |
|
| 82 |
|
| 83 |
# Port xend should use for the HTTP interface, if xend-http-server is set. |
| 84 |
#(xend-port 8000) |
| 85 |
|
| 86 |
# Port xend should use for the relocation interface, if xend-relocation-server |
| 87 |
# is set. |
| 88 |
#(xend-relocation-port 8002) |
| 89 |
|
| 90 |
# Port xend should use for the ssl relocation interface, if |
| 91 |
# xend-relocation-ssl-server is set. |
| 92 |
#(xend-relocation-ssl-port 8003) |
| 93 |
|
| 94 |
# SSL key and certificate to use for the ssl relocation interface, if |
| 95 |
# xend-relocation-ssl-server is set. |
| 96 |
#(xend-relocation-server-ssl-key-file xmlrpc.key) |
| 97 |
#(xend-relocation-server-ssl-cert-file xmlrpc.crt) |
| 98 |
|
| 99 |
# Whether to use ssl as default when relocating. |
| 100 |
#(xend-relocation-ssl no) |
| 101 |
|
| 102 |
# Address xend should listen on for HTTP connections, if xend-http-server is |
| 103 |
# set. |
| 104 |
# Specifying 'localhost' prevents remote connections. |
| 105 |
# Specifying the empty string '' (the default) allows all connections. |
| 106 |
#(xend-address '') |
| 107 |
#(xend-address localhost) |
| 108 |
|
| 109 |
# Address xend should listen on for relocation-socket connections, if |
| 110 |
# xend-relocation-server is set. |
| 111 |
# Meaning and default as for xend-address above. |
| 112 |
#(xend-relocation-address '') |
| 113 |
|
| 114 |
# The hosts allowed to talk to the relocation port. If this is empty (the |
| 115 |
# default), then all connections are allowed (assuming that the connection |
| 116 |
# arrives on a port and interface on which we are listening; see |
| 117 |
# xend-relocation-port and xend-relocation-address above). Otherwise, this |
| 118 |
# should be a space-separated sequence of regular expressions. Any host with |
| 119 |
# a fully-qualified domain name or an IP address that matches one of these |
| 120 |
# regular expressions will be accepted. |
| 121 |
# |
| 122 |
# For example: |
| 123 |
# (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$') |
| 124 |
# |
| 125 |
#(xend-relocation-hosts-allow '') |
| 126 |
|
| 127 |
# The limit (in kilobytes) on the size of the console buffer |
| 128 |
#(console-limit 1024) |
| 129 |
|
| 130 |
## |
| 131 |
# NOTE: |
| 132 |
# Please read /usr/share/doc/xen-utils-common/README.Debian for Debian specific |
| 133 |
# informations about the network setup. |
| 134 |
|
| 135 |
## |
| 136 |
# To bridge network traffic, like this: |
| 137 |
# |
| 138 |
# dom0: ----------------- bridge -> real eth0 -> the network |
| 139 |
# | |
| 140 |
# domU: fake eth0 -> vifN.0 -+ |
| 141 |
# |
| 142 |
# use |
| 143 |
# |
| 144 |
# (network-script network-bridge) |
| 145 |
# |
| 146 |
# Your default ethernet device is used as the outgoing interface, by default. |
| 147 |
# To use a different one (e.g. eth1) use |
| 148 |
# |
| 149 |
# (network-script 'network-bridge netdev=eth1') |
| 150 |
# |
| 151 |
# The bridge is named xenbr0, by default. To rename the bridge, use |
| 152 |
# |
| 153 |
# (network-script 'network-bridge bridge=<name>') |
| 154 |
# |
| 155 |
# It is possible to use the network-bridge script in more complicated |
| 156 |
# scenarios, such as having two outgoing interfaces, with two bridges, and |
| 157 |
# two fake interfaces per guest domain. To do things like this, write |
| 158 |
# yourself a wrapper script, and call network-bridge from it, as appropriate. |
| 159 |
# |
| 160 |
|
| 161 |
# The script used to control virtual interfaces. This can be overridden on a |
| 162 |
# per-vif basis when creating a domain or a configuring a new vif. The |
| 163 |
# vif-bridge script is designed for use with the network-bridge script, or |
| 164 |
# similar configurations. |
| 165 |
# |
| 166 |
# If you have overridden the bridge name using |
| 167 |
# (network-script 'network-bridge bridge=<name>') then you may wish to do the |
| 168 |
# same here. The bridge name can also be set when creating a domain or |
| 169 |
# configuring a new vif, but a value specified here would act as a default. |
| 170 |
# |
| 171 |
# If you are using only one bridge, the vif-bridge script will discover that, |
| 172 |
# so there is no need to specify it explicitly. |
| 173 |
# |
| 174 |
(vif-script vif-bridge) |
| 175 |
|
| 176 |
|
| 177 |
## Use the following if network traffic is routed, as an alternative to the |
| 178 |
# settings for bridged networking given above. |
| 179 |
#(network-script network-route) |
| 180 |
#(vif-script vif-route) |
| 181 |
|
| 182 |
|
| 183 |
## Use the following if network traffic is routed with NAT, as an alternative |
| 184 |
# to the settings for bridged networking given above. |
| 185 |
#(network-script network-nat) |
| 186 |
#(vif-script vif-nat) |
| 187 |
|
| 188 |
# dom0-min-mem is the lowest permissible memory level (in MB) for dom0. |
| 189 |
# This is a minimum both for auto-ballooning (as enabled by |
| 190 |
# enable-dom0-ballooning below) and for xm mem-set when applied to dom0. |
| 191 |
(dom0-min-mem 196) |
| 192 |
|
| 193 |
# Whether to enable auto-ballooning of dom0 to allow domUs to be created. |
| 194 |
# If enable-dom0-ballooning = no, dom0 will never balloon out. |
| 195 |
(enable-dom0-ballooning yes) |
| 196 |
|
| 197 |
# 32-bit paravirtual domains can only consume physical |
| 198 |
# memory below 168GB. On systems with memory beyond that address, |
| 199 |
# they'll be confined to memory below 128GB. |
| 200 |
# Using total_available_memory (in GB) to specify the amount of memory reserved |
| 201 |
# in the memory pool exclusively for 32-bit paravirtual domains. |
| 202 |
# Additionally you should use dom0_mem = <-Value> as a parameter in |
| 203 |
# xen kernel to reserve the memory for 32-bit paravirtual domains, default |
| 204 |
# is "0" (0GB). |
| 205 |
(total_available_memory 0) |
| 206 |
|
| 207 |
# In SMP system, dom0 will use dom0-cpus # of CPUS |
| 208 |
# If dom0-cpus = 0, dom0 will take all cpus available |
| 209 |
(dom0-cpus 2) |
| 210 |
|
| 211 |
# Whether to enable core-dumps when domains crash. |
| 212 |
#(enable-dump no) |
| 213 |
|
| 214 |
# The tool used for initiating virtual TPM migration |
| 215 |
#(external-migration-tool '') |
| 216 |
|
| 217 |
# The interface for VNC servers to listen on. Defaults |
| 218 |
# to 127.0.0.1 To restore old 'listen everywhere' behaviour |
| 219 |
# set this to 0.0.0.0 |
| 220 |
#(vnc-listen '127.0.0.1') |
| 221 |
|
| 222 |
# The default password for VNC console on HVM domain. |
| 223 |
# Empty string is no authentication. |
| 224 |
(vncpasswd '') |
| 225 |
|
| 226 |
# The VNC server can be told to negotiate a TLS session |
| 227 |
# to encryption all traffic, and provide x509 cert to |
| 228 |
# clients enabling them to verify server identity. The |
| 229 |
# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt |
| 230 |
# all support the VNC extension for TLS used in QEMU. The |
| 231 |
# TightVNC/RealVNC/UltraVNC clients do not. |
| 232 |
# |
| 233 |
# To enable this create x509 certificates / keys in the |
| 234 |
# directory ${XEN_CONFIG_DIR} + vnc
|
| 235 |
# |
| 236 |
# ca-cert.pem - The CA certificate |
| 237 |
# server-cert.pem - The Server certificate signed by the CA |
| 238 |
# server-key.pem - The server private key |
| 239 |
# |
| 240 |
# and then uncomment this next line |
| 241 |
# (vnc-tls 1) |
| 242 |
|
| 243 |
# The certificate dir can be pointed elsewhere.. |
| 244 |
# |
| 245 |
# (vnc-x509-cert-dir vnc) |
| 246 |
|
| 247 |
# The server can be told to request & validate an x509 |
| 248 |
# certificate from the client. Only clients with a cert |
| 249 |
# signed by the trusted CA will be able to connect. This |
| 250 |
# is more secure the password auth alone. Passwd auth can |
| 251 |
# used at the same time if desired. To enable client cert |
| 252 |
# checking uncomment this: |
| 253 |
# |
| 254 |
# (vnc-x509-verify 1) |
| 255 |
|
| 256 |
# The default keymap to use for the VM's virtual keyboard |
| 257 |
# when not specififed in VM's configuration |
| 258 |
#(keymap 'en-us') |
| 259 |
|
| 260 |
# Script to run when the label of a resource has changed. |
| 261 |
#(resource-label-change-script '') |
| 262 |
|
| 263 |
# Rotation count of qemu-dm log file. |
| 264 |
#(qemu-dm-logrotate-count 10) |
| 265 |
|
| 266 |
# Path where persistent domain configuration is stored. |
| 267 |
# Default is /var/lib/xend/domains/ |
| 268 |
#(xend-domains-path /var/lib/xend/domains) |
| 269 |
|
| 270 |
# Number of seconds xend will wait for device creation and |
| 271 |
# destruction |
| 272 |
#(device-create-timeout 100) |
| 273 |
#(device-destroy-timeout 100) |
| 274 |
|
| 275 |
# When assigning device to HVM guest, we use the strict check for HVM guest by |
| 276 |
# default. (For PV guest, we use loose check automatically if necessary.) |
| 277 |
# When we assign device to HVM guest, if we meet with the co-assignment |
| 278 |
# issues or the ACS issue, we could try changing the option to 'no' -- however, |
| 279 |
# we have to realize this may incur security issue and we can't make sure the |
| 280 |
# device assignment could really work properly even after we do this. |
| 281 |
#(pci-passthrough-strict-check yes) |