|
|
@@ -0,0 +1,306 @@
|
|
|
+# -*- sh -*-
|
|
|
+
|
|
|
+#
|
|
|
+# Xend configuration file.
|
|
|
+#
|
|
|
+
|
|
|
+# This example configuration is appropriate for an installation that
|
|
|
+# utilizes a bridged network configuration. Access to xend via http
|
|
|
+# is disabled.
|
|
|
+
|
|
|
+# Commented out entries show the default for that entry, unless otherwise
|
|
|
+# specified.
|
|
|
+
|
|
|
+#(logfile /var/log/xen/xend.log)
|
|
|
+#(loglevel DEBUG)
|
|
|
+
|
|
|
+# Uncomment the line below. Set the value to flask, acm, or dummy to
|
|
|
+# select a security module.
|
|
|
+
|
|
|
+#(xsm_module_name dummy)
|
|
|
+
|
|
|
+# The Xen-API server configuration.
|
|
|
+#
|
|
|
+# This value configures the ports, interfaces, and access controls for the
|
|
|
+# Xen-API server. Each entry in the list starts with either unix, a port
|
|
|
+# number, or an address:port pair. If this is "unix", then a UDP socket is
|
|
|
+# opened, and this entry applies to that. If it is a port, then Xend will
|
|
|
+# listen on all interfaces on that TCP port, and if it is an address:port
|
|
|
+# pair, then Xend will listen on the specified port, using the interface with
|
|
|
+# the specified address.
|
|
|
+#
|
|
|
+# The subsequent string configures the user-based access control for the
|
|
|
+# listener in question. This can be one of "none" or "pam", indicating either
|
|
|
+# that users should be allowed access unconditionally, or that the local
|
|
|
+# Pluggable Authentication Modules configuration should be used. If this
|
|
|
+# string is missing or empty, then "pam" is used.
|
|
|
+#
|
|
|
+# The final string gives the host-based access control for that listener. If
|
|
|
+# this is missing or empty, then all connections are accepted. Otherwise,
|
|
|
+# this should be a space-separated sequence of regular expressions; any host
|
|
|
+# with a fully-qualified domain name or an IP address that matches one of
|
|
|
+# these regular expressions will be accepted.
|
|
|
+#
|
|
|
+# Example: listen on TCP port 9363 on all interfaces, accepting connections
|
|
|
+# only from machines in example.com or localhost, and allow access through
|
|
|
+# the unix domain socket unconditionally:
|
|
|
+#
|
|
|
+# (xen-api-server ((9363 pam '^localhost$ example\\.com$')
|
|
|
+# (unix none)))
|
|
|
+#
|
|
|
+# Optionally, the TCP Xen-API server can use SSL by specifying the private
|
|
|
+# key and certificate location:
|
|
|
+#
|
|
|
+# (9367 pam '' xen-api.key xen-api.crt)
|
|
|
+#
|
|
|
+# Default:
|
|
|
+# (xen-api-server ((unix)))
|
|
|
+
|
|
|
+
|
|
|
+#(xend-http-server no)
|
|
|
+#(xend-unix-server no)
|
|
|
+#(xend-tcp-xmlrpc-server no)
|
|
|
+#(xend-unix-xmlrpc-server yes)
|
|
|
+#(xend-relocation-server no)
|
|
|
+#(xend-relocation-ssl-server no)
|
|
|
+#(xend-udev-event-server no)
|
|
|
+
|
|
|
+#(xend-unix-path /var/lib/xend/xend-socket)
|
|
|
+
|
|
|
+
|
|
|
+# Address and port xend should use for the legacy TCP XMLRPC interface,
|
|
|
+# if xend-tcp-xmlrpc-server is set.
|
|
|
+#(xend-tcp-xmlrpc-server-address 'localhost')
|
|
|
+#(xend-tcp-xmlrpc-server-port 8006)
|
|
|
+
|
|
|
+# SSL key and certificate to use for the legacy TCP XMLRPC interface.
|
|
|
+# Setting these will mean that this port serves only SSL connections as
|
|
|
+# opposed to plaintext ones.
|
|
|
+#(xend-tcp-xmlrpc-server-ssl-key-file xmlrpc.key)
|
|
|
+#(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt)
|
|
|
+
|
|
|
+
|
|
|
+# Port xend should use for the HTTP interface, if xend-http-server is set.
|
|
|
+#(xend-port 8000)
|
|
|
+
|
|
|
+# Port xend should use for the relocation interface, if xend-relocation-server
|
|
|
+# is set.
|
|
|
+#(xend-relocation-port 8002)
|
|
|
+
|
|
|
+# Port xend should use for the ssl relocation interface, if
|
|
|
+# xend-relocation-ssl-server is set.
|
|
|
+#(xend-relocation-ssl-port 8003)
|
|
|
+
|
|
|
+# SSL key and certificate to use for the ssl relocation interface, if
|
|
|
+# xend-relocation-ssl-server is set.
|
|
|
+#(xend-relocation-server-ssl-key-file xmlrpc.key)
|
|
|
+#(xend-relocation-server-ssl-cert-file xmlrpc.crt)
|
|
|
+
|
|
|
+# Whether to use ssl as default when relocating.
|
|
|
+#(xend-relocation-ssl no)
|
|
|
+
|
|
|
+# Address xend should listen on for HTTP connections, if xend-http-server is
|
|
|
+# set.
|
|
|
+# Specifying 'localhost' prevents remote connections.
|
|
|
+# Specifying the empty string '' (the default) allows all connections.
|
|
|
+#(xend-address '')
|
|
|
+#(xend-address localhost)
|
|
|
+
|
|
|
+# Address xend should listen on for relocation-socket connections, if
|
|
|
+# xend-relocation-server is set.
|
|
|
+# Meaning and default as for xend-address above.
|
|
|
+# Also, interface name is allowed (e.g. eth0) there to get the
|
|
|
+# relocation address to be bound on.
|
|
|
+#(xend-relocation-address '')
|
|
|
+
|
|
|
+# The hosts allowed to talk to the relocation port. If this is empty (the
|
|
|
+# default), then all connections are allowed (assuming that the connection
|
|
|
+# arrives on a port and interface on which we are listening; see
|
|
|
+# xend-relocation-port and xend-relocation-address above). Otherwise, this
|
|
|
+# should be a space-separated sequence of regular expressions. Any host with
|
|
|
+# a fully-qualified domain name or an IP address that matches one of these
|
|
|
+# regular expressions will be accepted.
|
|
|
+#
|
|
|
+# For example:
|
|
|
+# (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')
|
|
|
+#
|
|
|
+#(xend-relocation-hosts-allow '')
|
|
|
+
|
|
|
+# The limit (in kilobytes) on the size of the console buffer
|
|
|
+#(console-limit 1024)
|
|
|
+
|
|
|
+##
|
|
|
+# NOTE:
|
|
|
+# Please read /usr/share/doc/xen-utils-common/README.Debian for Debian specific
|
|
|
+# informations about the network setup.
|
|
|
+
|
|
|
+##
|
|
|
+# To bridge network traffic, like this:
|
|
|
+#
|
|
|
+# dom0: ----------------- bridge -> real eth0 -> the network
|
|
|
+# |
|
|
|
+# domU: fake eth0 -> vifN.0 -+
|
|
|
+#
|
|
|
+# use
|
|
|
+#
|
|
|
+# (network-script network-bridge)
|
|
|
+#
|
|
|
+# Your default ethernet device is used as the outgoing interface, by default.
|
|
|
+# To use a different one (e.g. eth1) use
|
|
|
+#
|
|
|
+# (network-script 'network-bridge netdev=eth1')
|
|
|
+#
|
|
|
+# The bridge is named eth0, by default (yes, really!)
|
|
|
+#
|
|
|
+
|
|
|
+# It is normally much better to create the bridge yourself in
|
|
|
+# /etc/network/interfaces. network-bridge start does nothing if you
|
|
|
+# already have a bridge, and network-bridge stop does nothing if the
|
|
|
+# default bridge name (normally eth0) is not a bridge. See
|
|
|
+# bridge-utils-interfaces(5) for full information on the syntax in
|
|
|
+# /etc/network/interfaces, but you probably want something like this:
|
|
|
+# iface xenbr0 inet static
|
|
|
+# address [etc]
|
|
|
+# netmask [etc]
|
|
|
+# [etc]
|
|
|
+# bridge_ports eth0
|
|
|
+#
|
|
|
+# To have network-bridge create a differently-named bridge, use:
|
|
|
+# (network-script 'network-bridge bridge=<name>')
|
|
|
+#
|
|
|
+# It is possible to use the network-bridge script in more complicated
|
|
|
+# scenarios, such as having two outgoing interfaces, with two bridges, and
|
|
|
+# two fake interfaces per guest domain. To do things like this, write
|
|
|
+# yourself a wrapper script, and call network-bridge from it, as appropriate.
|
|
|
+#
|
|
|
+
|
|
|
+# The script used to control virtual interfaces. This can be overridden on a
|
|
|
+# per-vif basis when creating a domain or a configuring a new vif. The
|
|
|
+# vif-bridge script is designed for use with the network-bridge script, or
|
|
|
+# similar configurations.
|
|
|
+#
|
|
|
+# If you have overridden the bridge name using
|
|
|
+# (network-script 'network-bridge bridge=<name>') then you may wish to do the
|
|
|
+# same here. The bridge name can also be set when creating a domain or
|
|
|
+# configuring a new vif, but a value specified here would act as a default.
|
|
|
+#
|
|
|
+# If you are using only one bridge, the vif-bridge script will discover that,
|
|
|
+# so there is no need to specify it explicitly. The default is to use
|
|
|
+# the bridge which is listed first in the output from brctl.
|
|
|
+#
|
|
|
+(vif-script vif-bridge)
|
|
|
+
|
|
|
+
|
|
|
+## Use the following if network traffic is routed, as an alternative to the
|
|
|
+# settings for bridged networking given above.
|
|
|
+#(network-script network-route)
|
|
|
+#(vif-script vif-route)
|
|
|
+
|
|
|
+
|
|
|
+## Use the following if network traffic is routed with NAT, as an alternative
|
|
|
+# to the settings for bridged networking given above.
|
|
|
+#(network-script network-nat)
|
|
|
+#(vif-script vif-nat)
|
|
|
+
|
|
|
+# dom0-min-mem is the lowest permissible memory level (in MB) for dom0.
|
|
|
+# This is a minimum both for auto-ballooning (as enabled by
|
|
|
+# enable-dom0-ballooning below) and for xm mem-set when applied to dom0.
|
|
|
+(dom0-min-mem {{ xendom0_mem }})
|
|
|
+
|
|
|
+# Whether to enable auto-ballooning of dom0 to allow domUs to be created.
|
|
|
+# If enable-dom0-ballooning = no, dom0 will never balloon out.
|
|
|
+(enable-dom0-ballooning no)
|
|
|
+
|
|
|
+# 32-bit paravirtual domains can only consume physical
|
|
|
+# memory below 168GB. On systems with memory beyond that address,
|
|
|
+# they'll be confined to memory below 128GB.
|
|
|
+# Using total_available_memory (in GB) to specify the amount of memory reserved
|
|
|
+# in the memory pool exclusively for 32-bit paravirtual domains.
|
|
|
+# Additionally you should use dom0_mem = <-Value> as a parameter in
|
|
|
+# xen kernel to reserve the memory for 32-bit paravirtual domains, default
|
|
|
+# is "0" (0GB).
|
|
|
+(total_available_memory 0)
|
|
|
+
|
|
|
+# In SMP system, dom0 will use dom0-cpus # of CPUS
|
|
|
+# If dom0-cpus = 0, dom0 will take all cpus available
|
|
|
+(dom0-cpus 0)
|
|
|
+
|
|
|
+# Whether to enable core-dumps when domains crash.
|
|
|
+#(enable-dump no)
|
|
|
+
|
|
|
+# The tool used for initiating virtual TPM migration
|
|
|
+#(external-migration-tool '')
|
|
|
+
|
|
|
+# The interface for VNC servers to listen on. Defaults
|
|
|
+# to 127.0.0.1 To restore old 'listen everywhere' behaviour
|
|
|
+# set this to 0.0.0.0
|
|
|
+#(vnc-listen '127.0.0.1')
|
|
|
+
|
|
|
+# The default password for VNC console on HVM domain.
|
|
|
+# Empty string is no authentication.
|
|
|
+(vncpasswd '')
|
|
|
+
|
|
|
+# The VNC server can be told to negotiate a TLS session
|
|
|
+# to encryption all traffic, and provide x509 cert to
|
|
|
+# clients enabling them to verify server identity. The
|
|
|
+# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
|
|
|
+# all support the VNC extension for TLS used in QEMU. The
|
|
|
+# TightVNC/RealVNC/UltraVNC clients do not.
|
|
|
+#
|
|
|
+# To enable this create x509 certificates / keys in the
|
|
|
+# directory ${XEN_CONFIG_DIR} + vnc
|
|
|
+#
|
|
|
+# ca-cert.pem - The CA certificate
|
|
|
+# server-cert.pem - The Server certificate signed by the CA
|
|
|
+# server-key.pem - The server private key
|
|
|
+#
|
|
|
+# and then uncomment this next line
|
|
|
+# (vnc-tls 1)
|
|
|
+
|
|
|
+# The certificate dir can be pointed elsewhere..
|
|
|
+#
|
|
|
+# (vnc-x509-cert-dir vnc)
|
|
|
+
|
|
|
+# The server can be told to request & validate an x509
|
|
|
+# certificate from the client. Only clients with a cert
|
|
|
+# signed by the trusted CA will be able to connect. This
|
|
|
+# is more secure the password auth alone. Passwd auth can
|
|
|
+# used at the same time if desired. To enable client cert
|
|
|
+# checking uncomment this:
|
|
|
+#
|
|
|
+# (vnc-x509-verify 1)
|
|
|
+
|
|
|
+# The default keymap to use for the VM's virtual keyboard
|
|
|
+# when not specififed in VM's configuration
|
|
|
+#(keymap 'en-us')
|
|
|
+
|
|
|
+# Script to run when the label of a resource has changed.
|
|
|
+#(resource-label-change-script '')
|
|
|
+
|
|
|
+# Rotation count of qemu-dm log file.
|
|
|
+#(qemu-dm-logrotate-count 10)
|
|
|
+
|
|
|
+# Path where persistent domain configuration is stored.
|
|
|
+# Default is /var/lib/xend/domains/
|
|
|
+#(xend-domains-path /var/lib/xend/domains)
|
|
|
+
|
|
|
+# Number of seconds xend will wait for device creation and
|
|
|
+# destruction
|
|
|
+#(device-create-timeout 100)
|
|
|
+#(device-destroy-timeout 100)
|
|
|
+
|
|
|
+# When assigning device to HVM guest, we use the strict check for HVM guest by
|
|
|
+# default. (For PV guest, we use loose check automatically if necessary.)
|
|
|
+# When we assign device to HVM guest, if we meet with the co-assignment
|
|
|
+# issues or the ACS issue, we could try changing the option to 'no' -- however,
|
|
|
+# we have to realize this may incur security issue and we can't make sure the
|
|
|
+# device assignment could really work properly even after we do this.
|
|
|
+#(pci-passthrough-strict-check yes)
|
|
|
+
|
|
|
+# If we have a very big scsi device configuration, start of xend is slow,
|
|
|
+# because xend scans all the device paths to build its internal PSCSI device
|
|
|
+# list. If we need only a few devices for assigning to a guest, we can reduce
|
|
|
+# the scan to this device. Set list list of device paths in same syntax like in
|
|
|
+# command lsscsi, e.g. ('16:0:0:0' '15:0')
|
|
|
+# (pscsi-device-mask ('*'))
|
|
|
+
|
