xend-config.sxp.j2 11 KB

  1. # -*- sh -*-
  2. #
  3. # Xend configuration file.
  4. #
  5. # This example configuration is appropriate for an installation that
  6. # utilizes a bridged network configuration. Access to xend via http
  7. # is disabled.
  8. # Commented out entries show the default for that entry, unless otherwise
  9. # specified.
  10. #(logfile /var/log/xen/xend.log)
  11. #(loglevel DEBUG)
  12. # Uncomment the line below. Set the value to flask, acm, or dummy to
  13. # select a security module.
  14. #(xsm_module_name dummy)
  15. # The Xen-API server configuration.
  16. #
  17. # This value configures the ports, interfaces, and access controls for the
  18. # Xen-API server. Each entry in the list starts with either unix, a port
  19. # number, or an address:port pair. If this is "unix", then a Unix domain socket is
  20. # opened, and this entry applies to that. If it is a port, then Xend will
  21. # listen on all interfaces on that TCP port, and if it is an address:port
  22. # pair, then Xend will listen on the specified port, using the interface with
  23. # the specified address.
  24. #
  25. # The subsequent string configures the user-based access control for the
  26. # listener in question. This can be one of "none" or "pam", indicating either
  27. # that users should be allowed access unconditionally, or that the local
  28. # Pluggable Authentication Modules configuration should be used. If this
  29. # string is missing or empty, then "pam" is used.
  30. #
  31. # The final string gives the host-based access control for that listener. If
  32. # this is missing or empty, then all connections are accepted. Otherwise,
  33. # this should be a space-separated sequence of regular expressions; any host
  34. # with a fully-qualified domain name or an IP address that matches one of
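  35. # these regular expressions will be accepted. Name-based patterns are only as trustworthy as the name lookup for the connecting address, so prefer IP address patterns where name resolution is not under your control.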
  36. #
  37. # Example: listen on TCP port 9363 on all interfaces, accepting connections
  38. # only from machines in example.com or localhost, and allow access through
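  39. # the unix domain socket unconditionally (note that the example.com pattern has no leading ^; a fully anchored form such as ^.*\\.example\\.com$ makes the intended match explicit):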
  40. #
  41. # (xen-api-server ((9363 pam '^localhost$ example\\.com$')
  42. # (unix none)))
  43. #
  44. # Optionally, the TCP Xen-API server can use SSL by specifying the private
  45. # key and certificate location:
  46. #
  47. # (9367 pam '' xen-api.key xen-api.crt)
  48. #
  49. # Default:
  50. # (xen-api-server ((unix)))
  51. #(xend-http-server no)
  52. #(xend-unix-server no)
  53. #(xend-tcp-xmlrpc-server no)
  54. #(xend-unix-xmlrpc-server yes)
  55. #(xend-relocation-server no)
  56. #(xend-relocation-ssl-server no)
  57. #(xend-udev-event-server no)
  58. #(xend-unix-path /var/lib/xend/xend-socket)
  59. # Address and port xend should use for the legacy TCP XMLRPC interface,
  60. # if xend-tcp-xmlrpc-server is set.
  61. #(xend-tcp-xmlrpc-server-address 'localhost')
  62. #(xend-tcp-xmlrpc-server-port 8006)
  63. # SSL key and certificate to use for the legacy TCP XMLRPC interface.
  64. # Setting these will mean that this port serves only SSL connections as
  65. # opposed to plaintext ones.
  66. #(xend-tcp-xmlrpc-server-ssl-key-file xmlrpc.key)
  67. #(xend-tcp-xmlrpc-server-ssl-cert-file xmlrpc.crt)
  68. # Port xend should use for the HTTP interface, if xend-http-server is set.
  69. #(xend-port 8000)
  70. # Port xend should use for the relocation interface, if xend-relocation-server
  71. # is set.
  72. #(xend-relocation-port 8002)
  73. # Port xend should use for the ssl relocation interface, if
  74. # xend-relocation-ssl-server is set.
  75. #(xend-relocation-ssl-port 8003)
  76. # SSL key and certificate to use for the ssl relocation interface, if
  77. # xend-relocation-ssl-server is set.
  78. #(xend-relocation-server-ssl-key-file xmlrpc.key)
  79. #(xend-relocation-server-ssl-cert-file xmlrpc.crt)
  80. # Whether to use ssl as default when relocating.
  81. #(xend-relocation-ssl no)
  82. # Address xend should listen on for HTTP connections, if xend-http-server is
  83. # set.
  84. # Specifying 'localhost' prevents remote connections.
  85. # Specifying the empty string '' (the default) allows all connections.
  86. #(xend-address '')
  87. #(xend-address localhost)
  88. # Address xend should listen on for relocation-socket connections, if
  89. # xend-relocation-server is set.
  90. # Meaning and default as for xend-address above.
  91. # Also, interface name is allowed (e.g. eth0) there to get the
  92. # relocation address to be bound on.
  93. #(xend-relocation-address '')
  94. # The hosts allowed to talk to the relocation port. If this is empty (the
  95. # default), then all connections are allowed (assuming that the connection
  96. # arrives on a port and interface on which we are listening; see
  97. # xend-relocation-port and xend-relocation-address above). Otherwise, this
  98. # should be a space-separated sequence of regular expressions. Any host with
  99. # a fully-qualified domain name or an IP address that matches one of these
  100. # regular expressions will be accepted.
  101. #
  102. # For example:
  103. # (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')
  104. #
  105. #(xend-relocation-hosts-allow '')
  106. # The limit (in kilobytes) on the size of the console buffer
  107. #(console-limit 1024)
  108. ##
  109. # NOTE:
  110. # Please read /usr/share/doc/xen-utils-common/README.Debian for Debian-specific
  111. # information about the network setup.
  112. ##
  113. # To bridge network traffic, like this:
  114. #
  115. # dom0: ----------------- bridge -> real eth0 -> the network
  116. # |
  117. # domU: fake eth0 -> vifN.0 -+
  118. #
  119. # use
  120. #
  121. # (network-script network-bridge)
  122. #
  123. # Your default ethernet device is used as the outgoing interface, by default.
  124. # To use a different one (e.g. eth1) use
  125. #
  126. # (network-script 'network-bridge netdev=eth1')
  127. #
  128. # The bridge is named eth0, by default (yes, really!)
  129. #
  130. # It is normally much better to create the bridge yourself in
  131. # /etc/network/interfaces. network-bridge start does nothing if you
  132. # already have a bridge, and network-bridge stop does nothing if the
  133. # default bridge name (normally eth0) is not a bridge. See
  134. # bridge-utils-interfaces(5) for full information on the syntax in
  135. # /etc/network/interfaces, but you probably want something like this:
  136. # iface xenbr0 inet static
  137. # address [etc]
  138. # netmask [etc]
  139. # [etc]
  140. # bridge_ports eth0
  141. #
  142. # To have network-bridge create a differently-named bridge, use:
  143. # (network-script 'network-bridge bridge=<name>')
  144. #
  145. # It is possible to use the network-bridge script in more complicated
  146. # scenarios, such as having two outgoing interfaces, with two bridges, and
  147. # two fake interfaces per guest domain. To do things like this, write
  148. # yourself a wrapper script, and call network-bridge from it, as appropriate.
  149. #
  150. # The script used to control virtual interfaces. This can be overridden on a
  151. # per-vif basis when creating a domain or configuring a new vif. The
  152. # vif-bridge script is designed for use with the network-bridge script, or
  153. # similar configurations.
  154. #
  155. # If you have overridden the bridge name using
  156. # (network-script 'network-bridge bridge=<name>') then you may wish to do the
  157. # same here. The bridge name can also be set when creating a domain or
  158. # configuring a new vif, but a value specified here would act as a default.
  159. #
  160. # If you are using only one bridge, the vif-bridge script will discover that,
  161. # so there is no need to specify it explicitly. The default is to use
  162. # the bridge which is listed first in the output from brctl.
  163. #
  164. (vif-script vif-bridge)
  165. ## Use the following if network traffic is routed, as an alternative to the
  166. # settings for bridged networking given above.
  167. #(network-script network-route)
  168. #(vif-script vif-route)
  169. ## Use the following if network traffic is routed with NAT, as an alternative
  170. # to the settings for bridged networking given above.
  171. #(network-script network-nat)
  172. #(vif-script vif-nat)
  173. # dom0-min-mem is the lowest permissible memory level (in MB) for dom0.
  174. # This is a minimum both for auto-ballooning (as enabled by
  175. # enable-dom0-ballooning below) and for xm mem-set when applied to dom0.
  176. (dom0-min-mem {{ xendom0_mem }})
  177. # Whether to enable auto-ballooning of dom0 to allow domUs to be created.
  178. # If enable-dom0-ballooning = no, dom0 will never balloon out.
  179. (enable-dom0-ballooning no)
  180. # 32-bit paravirtual domains can only consume physical
  181. # memory below 168GB. On systems with memory beyond that address,
  182. # they'll be confined to memory below 128GB.
  183. # Using total_available_memory (in GB) to specify the amount of memory reserved
  184. # in the memory pool exclusively for 32-bit paravirtual domains.
  185. # Additionally you should use dom0_mem = <-Value> as a parameter in
  186. # xen kernel to reserve the memory for 32-bit paravirtual domains, default
  187. # is "0" (0GB).
  188. (total_available_memory 0)
  189. # On an SMP system, dom0 will use dom0-cpus CPUs.
  190. # If dom0-cpus = 0, dom0 will take all CPUs available.
  191. (dom0-cpus 0)
  192. # Whether to enable core-dumps when domains crash.
  193. #(enable-dump no)
  194. # The tool used for initiating virtual TPM migration
  195. #(external-migration-tool '')
  196. # The interface for VNC servers to listen on. Defaults
  197. # to 127.0.0.1. To restore the old 'listen everywhere' behaviour
  198. # set this to 0.0.0.0
  199. #(vnc-listen '127.0.0.1')
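  200. # The default password for the VNC console on HVM domains.
  201. # An empty string means no VNC password authentication; access to the console then depends only on where the VNC server listens (see vnc-listen above).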
  202. (vncpasswd '')
  203. # The VNC server can be told to negotiate a TLS session
  204. # to encrypt all traffic, and provide an x509 cert to
  205. # clients enabling them to verify server identity. The
  206. # GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
  207. # all support the VNC extension for TLS used in QEMU. The
  208. # TightVNC/RealVNC/UltraVNC clients do not.
  209. #
  210. # To enable this create x509 certificates / keys in the
  211. # directory ${XEN_CONFIG_DIR} + vnc
  212. #
  213. # ca-cert.pem - The CA certificate
  214. # server-cert.pem - The Server certificate signed by the CA
  215. # server-key.pem - The server private key
  216. #
  217. # and then uncomment this next line
  218. # (vnc-tls 1)
  219. # The certificate dir can be pointed elsewhere..
  220. #
  221. # (vnc-x509-cert-dir vnc)
  222. # The server can be told to request & validate an x509
  223. # certificate from the client. Only clients with a cert
  224. # signed by the trusted CA will be able to connect. This
  225. # is more secure than password auth alone. Password auth can be
  226. # used at the same time if desired. To enable client cert
  227. # checking uncomment this:
  228. #
  229. # (vnc-x509-verify 1)
  230. # The default keymap to use for the VM's virtual keyboard
  231. # when not specified in the VM's configuration
  232. #(keymap 'en-us')
  233. # Script to run when the label of a resource has changed.
  234. #(resource-label-change-script '')
  235. # Rotation count of qemu-dm log file.
  236. #(qemu-dm-logrotate-count 10)
  237. # Path where persistent domain configuration is stored.
  238. # Default is /var/lib/xend/domains/
  239. #(xend-domains-path /var/lib/xend/domains)
  240. # Number of seconds xend will wait for device creation and
  241. # destruction
  242. #(device-create-timeout 100)
  243. #(device-destroy-timeout 100)
  244. # When assigning a device to an HVM guest, the strict check is used by
  245. # default. (For PV guests, the loose check is used automatically if necessary.)
  246. # If assigning a device to an HVM guest runs into the co-assignment
  247. # issues or the ACS issue, you can try changing the option to 'no'. However,
  248. # be aware that this may introduce security issues, and the device assignment
  249. # is not guaranteed to work properly even after doing so.
  250. #(pci-passthrough-strict-check yes)
  251. # If we have a very big scsi device configuration, start of xend is slow,
  252. # because xend scans all the device paths to build its internal PSCSI device
  253. # list. If we need only a few devices for assigning to a guest, we can reduce
  254. # the scan to these devices. Set a list of device paths in the same syntax as in
  255. # the command lsscsi, e.g. ('16:0:0:0' '15:0')
  256. # (pscsi-device-mask ('*'))