Index: libvirt-1.2.12/src/qemu/qemu.conf
===================================================================
--- libvirt-1.2.12.orig/src/qemu/qemu.conf
+++ libvirt-1.2.12/src/qemu/qemu.conf
@@ -204,7 +204,7 @@
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
-# will be unconfined by default. Defaults to 1.
+# will be unconfined by default. Defaults to 0.
 #security_default_confined = 1
 # If set to non-zero, then attempts to create unconfined
@@ -417,11 +417,22 @@
 #allow_disk_format_probing = 1
-# In order to prevent accidentally starting two domains that
-# share one writable disk, libvirt offers two approaches for
-# locking files. The first one is sanlock, the other one,
-# virtlockd, is then our own implementation. Accepted values
-# are "sanlock" and "lockd".
+# SUSE note:
+# Two lock managers are supported: lockd and sanlock. lockd, which
+# is provided by the virtlockd service, uses advisory locks (flock(2))
+# to protect virtual machine disks. sanlock uses the notion of leases
+# to protect virtual machine disks and is more appropriate in a SAN
+# environment.
+#
+# For most deployments that require virtual machine disk protection,
+# lockd is recommended since it is easy to configure and the virtlockd
+# service can be restarted without terminating any running virtual
+# machines. sanlock, which may be preferred in some SAN environments,
+# has the disadvantage of not being able to be restarted without
+# first terminating all virtual machines for which it holds leases.
+#
+# Specify lockd or sanlock to enable protection of virtual machine disk
+# content.
 #
 #lock_manager = "lockd"
Index: libvirt-1.2.12/src/qemu/qemu_conf.c
===================================================================
--- libvirt-1.2.12.orig/src/qemu/qemu_conf.c
+++ libvirt-1.2.12/src/qemu/qemu_conf.c
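Review bot: In the qemu.conf hunk at line 204, the comment now documents a default of 0 but gives an administrator no hint that this departs from the previous default of 1, and the sample line below it still reads `#security_default_confined = 1`. Since the same comment says a zero value leaves guests unconfined, it should say how to get confinement back, for example `# SUSE note: guests are unconfined unless this is set to 1; uncomment the line below to confine them by default.`. The matching code default is flipped in the qemu_conf.c hunk, so the two must stay in step.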
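Review bot: The new lock_manager comment in the qemu.conf hunk at line 417 says lockd uses `flock(2)`, but virtlockd, as far as libvirt's own lockd documentation describes it, takes POSIX `fcntl()` advisory locks. The two behave differently on shared and network filesystems, so the wording should be `uses advisory locks (fcntl(2))`. The rewrite also drops the one sentence that said what is being protected against (two domains started on one writable disk). Keeping that sentence, and adding that advisory locks only bind processes that take them, would stop readers from treating `lock_manager` as a general write barrier.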
@@ -249,7 +249,7 @@ virQEMUDriverConfigPtr virQEMUDriverConf
 cfg->clearEmulatorCapabilities = true;
- cfg->securityDefaultConfined = true;
+ cfg->securityDefaultConfined = false;
 cfg->securityRequireConfined = false;
 cfg->keepAliveInterval = 5;
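Review bot: `cfg->securityDefaultConfined = false;` makes every guest that carries no explicit seclabel start unconfined, and with `cfg->securityRequireConfined = false;` on the next line nothing rejects such a guest, yet the line carries no comment marking it as a deliberate downstream change. I would add `/* SUSE: guests are unconfined by default; set security_default_confined = 1 in qemu.conf to confine them */` above it, so the deviation survives the next rebase and is visible to anyone auditing the driver defaults. The effect on guests is taken from the qemu.conf comment in the same patch rather than from the labeling code, which is not in this hunk. The enclosing function starts and ends outside the hunk.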