2016-06-15 21:29:46 +02:00
|
|
|
SUSE adjustments to qemu.conf
|
|
|
|
|
|
|
|
This patch contains SUSE-specific adjustments to the upstream
|
|
|
|
qemu.conf configuration file. In the future, it might make
|
|
|
|
sense to separate these changes into individual patches (e.g.
|
|
|
|
suse-qemu-conf-secdriver.patch, suse-qemu-conf-lockmgr.patch,
|
|
|
|
etc.), but for now they are all lumped together in this
|
|
|
|
single patch.
|
|
|
|
|
2019-05-08 21:35:37 +02:00
|
|
|
Index: libvirt-5.3.0/src/qemu/qemu.conf
|
2011-10-18 23:25:37 +02:00
|
|
|
===================================================================
|
2019-05-08 21:35:37 +02:00
|
|
|
--- libvirt-5.3.0.orig/src/qemu/qemu.conf
|
|
|
|
+++ libvirt-5.3.0/src/qemu/qemu.conf
|
Accepting request 681981 from home:jfehlig:branches:Virtualization
- Update to libvirt 5.1.0
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Dropped patches:
11c8aca9-libxl-set-mem-after-balloon.patch,
70c2933d-apparmor-named-profiles.patch,
a3ab6d42-apparmor-conv-libvirtd-named-profile.patch,
b6440119-qemu-conf-sev.patch,
a404ac34-qemu-cgroup-sev.patch,
6fd4c8f8-qemu-domain-sev.patch,
17f6a257-security-dac-sev.patch,
a2d3dea9-qemu-caps-dac-override-sev.patch,
620d9dd5-qemu-no-dac-override-nonroot.patch
- jsc#SLE-3887, jsc#SLE-4480, jsc#SLE-4577
OBS-URL: https://build.opensuse.org/request/show/681981
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=734
2019-03-06 03:00:59 +01:00
|
|
|
@@ -420,11 +420,20 @@
|
2015-03-11 16:35:20 +01:00
|
|
|
# isolation, but it cannot appear in a list of drivers.
|
|
|
|
#
|
|
|
|
#security_driver = "selinux"
|
|
|
|
+#security_driver = "apparmor"
|
2011-10-18 23:25:37 +02:00
|
|
|
|
2012-02-15 20:01:07 +01:00
|
|
|
# If set to non-zero, then the default security labeling
|
|
|
|
# will make guests confined. If set to zero, then guests
|
2014-11-25 14:41:55 +01:00
|
|
|
-# will be unconfined by default. Defaults to 1.
|
2015-03-11 16:35:20 +01:00
|
|
|
-#security_default_confined = 1
|
2014-11-25 14:41:55 +01:00
|
|
|
+# will be unconfined by default. Defaults to 0.
|
2015-03-11 16:35:20 +01:00
|
|
|
+#
|
|
|
|
+# SUSE Note:
|
|
|
|
+# Currently, Apparmor is the default security framework in SUSE
|
|
|
|
+# distros. If Apparmor is enabled on the host, libvirtd is
|
|
|
|
+# generously confined but users must opt-in to confine qemu
|
|
|
|
+# instances. Change this to a non-zero value to enable default
|
|
|
|
+# Apparmor confinement of qemu instances.
|
|
|
|
+#
|
|
|
|
+security_default_confined = 0
|
2014-11-25 14:41:55 +01:00
|
|
|
|
|
|
|
# If set to non-zero, then attempts to create unconfined
|
2015-03-11 16:35:20 +01:00
|
|
|
# guests will be blocked. Defaults to 0.
|
Accepting request 681981 from home:jfehlig:branches:Virtualization
- Update to libvirt 5.1.0
- Many incremental improvements and bug fixes, see
http://libvirt.org/news.html
- Dropped patches:
11c8aca9-libxl-set-mem-after-balloon.patch,
70c2933d-apparmor-named-profiles.patch,
a3ab6d42-apparmor-conv-libvirtd-named-profile.patch,
b6440119-qemu-conf-sev.patch,
a404ac34-qemu-cgroup-sev.patch,
6fd4c8f8-qemu-domain-sev.patch,
17f6a257-security-dac-sev.patch,
a2d3dea9-qemu-caps-dac-override-sev.patch,
620d9dd5-qemu-no-dac-override-nonroot.patch
- jsc#SLE-3887, jsc#SLE-4480, jsc#SLE-4577
OBS-URL: https://build.opensuse.org/request/show/681981
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=734
2019-03-06 03:00:59 +01:00
|
|
|
@@ -655,11 +664,22 @@
|
2018-07-16 18:42:10 +02:00
|
|
|
#relaxed_acs_check = 1
|
2012-06-20 02:00:14 +02:00
|
|
|
|
2012-02-16 18:05:01 +01:00
|
|
|
|
2014-04-02 14:48:46 +02:00
|
|
|
-# In order to prevent accidentally starting two domains that
|
|
|
|
-# share one writable disk, libvirt offers two approaches for
|
|
|
|
-# locking files. The first one is sanlock, the other one,
|
|
|
|
-# virtlockd, is then our own implementation. Accepted values
|
|
|
|
-# are "sanlock" and "lockd".
|
2012-02-16 18:05:01 +01:00
|
|
|
+# SUSE note:
|
2014-03-04 20:05:01 +01:00
|
|
|
+# Two lock managers are supported: lockd and sanlock. lockd, which
|
|
|
|
+# is provided by the virtlockd service, uses advisory locks (flock(2))
|
|
|
|
+# to protect virtual machine disks. sanlock uses the notion of leases
|
|
|
|
+# to protect virtual machine disks and is more appropriate in a SAN
|
|
|
|
+# environment.
|
2012-02-16 18:05:01 +01:00
|
|
|
+#
|
2014-03-04 20:05:01 +01:00
|
|
|
+# For most deployments that require virtual machine disk protection,
|
|
|
|
+# lockd is recommended since it is easy to configure and the virtlockd
|
|
|
|
+# service can be restarted without terminating any running virtual
|
|
|
|
+# machines. sanlock, which may be preferred in some SAN environments,
|
|
|
|
+# has the disadvantage of not being able to be restarted without
|
|
|
|
+# first terminating all virtual machines for which it holds leases.
|
|
|
|
+#
|
2014-04-02 14:48:46 +02:00
|
|
|
+# Specify lockd or sanlock to enable protection of virtual machine disk
|
|
|
|
+# content.
|
2014-03-04 20:05:01 +01:00
|
|
|
#
|
2014-04-02 14:48:46 +02:00
|
|
|
#lock_manager = "lockd"
|
2014-03-04 20:05:01 +01:00
|
|
|
|