ia64/xen-unstable

annotate tools/examples/xend-config.sxp @ 19648:f0e2df69a8eb

x86 hvm: Allow cross-vendor migration

Intercept #UD and emulate SYSCALL/SYSENTER/SYSEXIT as necessary.

Signed-off-by: Christoph Egger <Christoph.Egger@amd.com>
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>
author Keir Fraser <keir.fraser@citrix.com>
date Tue May 26 15:01:36 2009 +0100 (2009-05-26)
parents 62ec6aae4ba9
children
rev   line source
emellor@7467 1 # -*- sh -*-
emellor@7467 2
emellor@7467 3 #
mjw@1723 4 # Xend configuration file.
emellor@7467 5 #
mjw@1723 6
nivedita@8404 7 # This example configuration is appropriate for an installation that
nivedita@8404 8 # utilizes a bridged network configuration. Access to xend via http
nivedita@8404 9 # is disabled.
emellor@7467 10
emellor@7467 11 # Commented out entries show the default for that entry, unless otherwise
emellor@7467 12 # specified.
emellor@7467 13
kaf24@11316 14 #(logfile /var/log/xen/xend.log)
emellor@7467 15 #(loglevel DEBUG)
mjw@1723 16
keir@18435 17 # Uncomment the line below. Set the value to flask, acm, or dummy to
keir@18435 18 # select a security module.
keir@18435 19
keir@18435 20 #(xsm_module_name dummy)
ewan@12606 21
keir@16885 22 # The Xen-API server configuration.
ewan@12604 23 #
ewan@12604 24 # This value configures the ports, interfaces, and access controls for the
ewan@12604 25 # Xen-API server. Each entry in the list starts with either unix, a port
ewan@12604 26 # number, or an address:port pair. If this is "unix", then a UDP socket is
ewan@12604 27 # opened, and this entry applies to that. If it is a port, then Xend will
ewan@12606 28 # listen on all interfaces on that TCP port, and if it is an address:port
ewan@12606 29 # pair, then Xend will listen on the specified port, using the interface with
ewan@12606 30 # the specified address.
ewan@12606 31 #
ewan@12606 32 # The subsequent string configures the user-based access control for the
ewan@12606 33 # listener in question. This can be one of "none" or "pam", indicating either
ewan@12606 34 # that users should be allowed access unconditionally, or that the local
ewan@12606 35 # Pluggable Authentication Modules configuration should be used. If this
ewan@12606 36 # string is missing or empty, then "pam" is used.
ewan@12604 37 #
ewan@12606 38 # The final string gives the host-based access control for that listener. If
ewan@12606 39 # this is missing or empty, then all connections are accepted. Otherwise,
ewan@12606 40 # this should be a space-separated sequence of regular expressions; any host
ewan@12606 41 # with a fully-qualified domain name or an IP address that matches one of
ewan@12606 42 # these regular expressions will be accepted.
ewan@12604 43 #
ewan@12606 44 # Example: listen on TCP port 9363 on all interfaces, accepting connections
ewan@12606 45 # only from machines in example.com or localhost, and allow access through
ewan@12606 46 # the unix domain socket unconditionally:
ewan@12604 47 #
ewan@12606 48 # (xen-api-server ((9363 pam '^localhost$ example\\.com$')
ewan@12606 49 # (unix none)))
ewan@12604 50 #
ewan@14609 51 # Optionally, the TCP Xen-API server can use SSL by specifying the private
ewan@14609 52 # key and certificate location:
ewan@14609 53 #
ewan@14609 54 # (9367 pam '' /etc/xen/xen-api.key /etc/xen/xen-api.crt)
ewan@14609 55 #
ewan@12604 56 # Default:
ewan@12604 57 # (xen-api-server ((unix)))
ewan@12604 58
ewan@12606 59
emellor@7467 60 #(xend-http-server no)
emellor@9425 61 #(xend-unix-server no)
emellor@9425 62 #(xend-tcp-xmlrpc-server no)
emellor@9425 63 #(xend-unix-xmlrpc-server yes)
emellor@7467 64 #(xend-relocation-server no)
emellor@7467 65 (xend-relocation-server yes)
keir@17712 66 #(xend-relocation-ssl-server no)
keir@19365 67 #(xend-udev-event-server no)
emellor@7467 68
emellor@7467 69 #(xend-unix-path /var/lib/xend/xend-socket)
mjw@4095 70
ewan@14609 71
ewan@14609 72 # Address and port xend should use for the legacy TCP XMLRPC interface,
keir@17535 73 # if xend-tcp-xmlrpc-server is set.
keir@17535 74 #(xend-tcp-xmlrpc-server-address 'localhost')
keir@17535 75 #(xend-tcp-xmlrpc-server-port 8006)
atse@13616 76
ewan@14609 77 # SSL key and certificate to use for the legacy TCP XMLRPC interface.
ewan@14609 78 # Setting these will mean that this port serves only SSL connections as
ewan@14609 79 # opposed to plaintext ones.
ewan@14609 80 #(xend-tcp-xmlrpc-server-ssl-key-file /etc/xen/xmlrpc.key)
ewan@14609 81 #(xend-tcp-xmlrpc-server-ssl-cert-file /etc/xen/xmlrpc.crt)
ewan@14609 82
atse@13616 83
emellor@7467 84 # Port xend should use for the HTTP interface, if xend-http-server is set.
emellor@7467 85 #(xend-port 8000)
emellor@7467 86
emellor@7467 87 # Port xend should use for the relocation interface, if xend-relocation-server
emellor@7467 88 # is set.
emellor@7467 89 #(xend-relocation-port 8002)
emellor@7467 90
keir@17712 91 # Port xend should use for the ssl relocation interface, if
keir@17712 92 # xend-relocation-ssl-server is set.
keir@17712 93 #(xend-relocation-ssl-port 8003)
keir@17534 94
keir@17712 95 # SSL key and certificate to use for the ssl relocation interface, if
keir@17712 96 # xend-relocation-ssl-server is set.
keir@17534 97 #(xend-relocation-server-ssl-key-file /etc/xen/xmlrpc.key)
keir@17534 98 #(xend-relocation-server-ssl-cert-file /etc/xen/xmlrpc.crt)
keir@17534 99
keir@17712 100 # Whether to use ssl as default when relocating.
keir@17712 101 #(xend-relocation-ssl no)
keir@17712 102
emellor@7467 103 # Address xend should listen on for HTTP connections, if xend-http-server is
emellor@7467 104 # set.
mjw@1723 105 # Specifying 'localhost' prevents remote connections.
emellor@7467 106 # Specifying the empty string '' (the default) allows all connections.
emellor@7467 107 #(xend-address '')
nivedita@8404 108 #(xend-address localhost)
mjw@1723 109
emellor@7467 110 # Address xend should listen on for relocation-socket connections, if
emellor@7467 111 # xend-relocation-server is set.
emellor@7467 112 # Meaning and default as for xend-address above.
emellor@7467 113 #(xend-relocation-address '')
emellor@8326 114
emellor@8326 115 # The hosts allowed to talk to the relocation port. If this is empty (the
emellor@8326 116 # default), then all connections are allowed (assuming that the connection
emellor@8326 117 # arrives on a port and interface on which we are listening; see
emellor@8326 118 # xend-relocation-port and xend-relocation-address above). Otherwise, this
emellor@8326 119 # should be a space-separated sequence of regular expressions. Any host with
emellor@8326 120 # a fully-qualified domain name or an IP address that matches one of these
emellor@8326 121 # regular expressions will be accepted.
emellor@8326 122 #
emellor@8326 123 # For example:
ewan@12208 124 # (xend-relocation-hosts-allow '^localhost$ ^.*\\.example\\.org$')
emellor@8326 125 #
emellor@8326 126 #(xend-relocation-hosts-allow '')
kfraser@11071 127 (xend-relocation-hosts-allow '^localhost$ ^localhost\\.localdomain$')
mjw@4095 128
emellor@7441 129 # The limit (in kilobytes) on the size of the console buffer
emellor@7467 130 #(console-limit 1024)
emellor@7441 131
emellor@7557 132 ##
emellor@7557 133 # To bridge network traffic, like this:
emellor@7557 134 #
kfraser@15258 135 # dom0: ----------------- bridge -> real eth0 -> the network
emellor@7557 136 # |
emellor@7557 137 # domU: fake eth0 -> vifN.0 -+
emellor@7557 138 #
emellor@7557 139 # use
emellor@7557 140 #
emellor@7557 141 # (network-script network-bridge)
emellor@7557 142 #
emellor@8821 143 # Your default ethernet device is used as the outgoing interface, by default.
emellor@8821 144 # To use a different one (e.g. eth1) use
emellor@7557 145 #
emellor@7557 146 # (network-script 'network-bridge netdev=eth1')
emellor@7557 147 #
emellor@7557 148 # The bridge is named xenbr0, by default. To rename the bridge, use
emellor@7557 149 #
emellor@7557 150 # (network-script 'network-bridge bridge=<name>')
emellor@7557 151 #
emellor@7557 152 # It is possible to use the network-bridge script in more complicated
emellor@7557 153 # scenarios, such as having two outgoing interfaces, with two bridges, and
emellor@7557 154 # two fake interfaces per guest domain. To do things like this, write
emellor@7557 155 # yourself a wrapper script, and call network-bridge from it, as appropriate.
emellor@7557 156 #
emellor@7557 157 (network-script network-bridge)
kaf24@3431 158
emellor@7557 159 # The script used to control virtual interfaces. This can be overridden on a
emellor@7557 160 # per-vif basis when creating a domain or a configuring a new vif. The
emellor@7557 161 # vif-bridge script is designed for use with the network-bridge script, or
emellor@7557 162 # similar configurations.
emellor@7557 163 #
emellor@7557 164 # If you have overridden the bridge name using
emellor@7557 165 # (network-script 'network-bridge bridge=<name>') then you may wish to do the
emellor@7557 166 # same here. The bridge name can also be set when creating a domain or
emellor@7557 167 # configuring a new vif, but a value specified here would act as a default.
emellor@7557 168 #
emellor@7557 169 # If you are using only one bridge, the vif-bridge script will discover that,
emellor@7557 170 # so there is no need to specify it explicitly.
emellor@7557 171 #
emellor@7557 172 (vif-script vif-bridge)
emellor@7557 173
emellor@7557 174
emellor@7557 175 ## Use the following if network traffic is routed, as an alternative to the
emellor@7557 176 # settings for bridged networking given above.
emellor@7557 177 #(network-script network-route)
emellor@7557 178 #(vif-script vif-route)
emellor@7557 179
emellor@7557 180
emellor@7557 181 ## Use the following if network traffic is routed with NAT, as an alternative
emellor@7557 182 # to the settings for bridged networking given above.
emellor@7557 183 #(network-script network-nat)
emellor@7557 184 #(vif-script vif-nat)
emellor@7557 185
keir@17401 186 # dom0-min-mem is the lowest permissible memory level (in MB) for dom0.
keir@17401 187 # This is a minimum both for auto-ballooning (as enabled by
keir@17401 188 # enable-dom0-ballooning below) and for xm mem-set when applied to dom0.
keir@17401 189 (dom0-min-mem 196)
mjw@1723 190
keir@17401 191 # Whether to enable auto-ballooning of dom0 to allow domUs to be created.
keir@17401 192 # If enable-dom0-ballooning = no, dom0 will never balloon out.
keir@17401 193 (enable-dom0-ballooning yes)
kaf24@5932 194
cl349@6916 195 # In SMP system, dom0 will use dom0-cpus # of CPUS
kaf24@5932 196 # If dom0-cpus = 0, dom0 will take all cpus available
kaf24@5932 197 (dom0-cpus 0)
emellor@7467 198
emellor@7467 199 # Whether to enable core-dumps when domains crash.
emellor@7467 200 #(enable-dump no)
emellor@9727 201
emellor@9727 202 # The tool used for initiating virtual TPM migration
emellor@9727 203 #(external-migration-tool '')
ewan@12191 204
ewan@12191 205 # The interface for VNC servers to listen on. Defaults
ewan@12191 206 # to 127.0.0.1 To restore old 'listen everywhere' behaviour
ewan@12191 207 # set this to 0.0.0.0
ewan@12191 208 #(vnc-listen '127.0.0.1')
ewan@12191 209
ewan@12191 210 # The default password for VNC console on HVM domain.
ewan@12191 211 # Empty string is no authentication.
ewan@12191 212 (vncpasswd '')
kfraser@15519 213
keir@16272 214 # The VNC server can be told to negotiate a TLS session
keir@16272 215 # to encryption all traffic, and provide x509 cert to
keir@16272 216 # clients enalbing them to verify server identity. The
keir@16272 217 # GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
keir@16272 218 # all support the VNC extension for TLS used in QEMU. The
keir@16272 219 # TightVNC/RealVNC/UltraVNC clients do not.
keir@16272 220 #
keir@16272 221 # To enable this create x509 certificates / keys in the
keir@16272 222 # directory /etc/xen/vnc
keir@16272 223 #
keir@16272 224 # ca-cert.pem - The CA certificate
keir@16272 225 # server-cert.pem - The Server certificate signed by the CA
keir@16272 226 # server-key.pem - The server private key
keir@16272 227 #
keir@16272 228 # and then uncomment this next line
keir@16272 229 # (vnc-tls 1)
keir@16272 230
keir@16272 231 # The certificate dir can be pointed elsewhere..
keir@16272 232 #
keir@16272 233 # (vnc-x509-cert-dir /etc/xen/vnc)
keir@16272 234
keir@16272 235 # The server can be told to request & validate an x509
keir@16272 236 # certificate from the client. Only clients with a cert
keir@16272 237 # signed by the trusted CA will be able to connect. This
keir@16272 238 # is more secure the password auth alone. Passwd auth can
keir@16272 239 # used at the same time if desired. To enable client cert
keir@16272 240 # checking uncomment this:
keir@16272 241 #
keir@16272 242 # (vnc-x509-verify 1)
keir@16272 243
kfraser@15519 244 # The default keymap to use for the VM's virtual keyboard
kfraser@15519 245 # when not specififed in VM's configuration
kfraser@15519 246 #(keymap 'en-us')
kfraser@15519 247
keir@16260 248 # Script to run when the label of a resource has changed.
keir@16260 249 #(resource-label-change-script '')
keir@17932 250
keir@17932 251 # Rotation count of qemu-dm log file.
keir@17932 252 #(qemu-dm-logrotate-count 10)
keir@18273 253
keir@18273 254 # Path where persistent domain configuration is stored.
keir@18273 255 # Default is /var/lib/xend/domains/
keir@18273 256 #(xend-domains-path /var/lib/xend/domains)
keir@19617 257
keir@19617 258 # Number of seconds xend will wait for device creation and
keir@19617 259 # destruction
keir@19617 260 #(device-create-timeout 100)
keir@19617 261 #(device-destroy-timeout 100)
keir@19617 262