Index: libvirt-1.2.6/src/qemu/qemu.conf =================================================================== --- libvirt-1.2.6.orig/src/qemu/qemu.conf +++ libvirt-1.2.6/src/qemu/qemu.conf @@ -200,7 +200,16 @@ # a special value; security_driver can be set to that value in # isolation, but it cannot appear in a list of drivers. # +# SUSE Note: +# Currently, Apparmor is the default security framework in SUSE +# distros. If Apparmor is enabled on the host, libvirtd is +# generously confined but users must opt-in to confine qemu +# instances. Change this to 'apparmor' to enable Apparmor +# confinement of qemu instances. +# #security_driver = "selinux" +# security_driver = "apparmor" +security_driver = "none" # If set to non-zero, then the default security labeling # will make guests confined. If set to zero, then guests @@ -402,11 +411,22 @@ #allow_disk_format_probing = 1 -# In order to prevent accidentally starting two domains that -# share one writable disk, libvirt offers two approaches for -# locking files. The first one is sanlock, the other one, -# virtlockd, is then our own implementation. Accepted values -# are "sanlock" and "lockd". +# SUSE note: +# Two lock managers are supported: lockd and sanlock. lockd, which +# is provided by the virtlockd service, uses advisory locks (flock(2)) +# to protect virtual machine disks. sanlock uses the notion of leases +# to protect virtual machine disks and is more appropriate in a SAN +# environment. +# +# For most deployments that require virtual machine disk protection, +# lockd is recommended since it is easy to configure and the virtlockd +# service can be restarted without terminating any running virtual +# machines. sanlock, which may be preferred in some SAN environments, +# has the disadvantage of not being able to be restarted without +# first terminating all virtual machines for which it holds leases. +# +# Specify lockd or sanlock to enable protection of virtual machine disk +# content. # #lock_manager = "lockd"