Merge pull request #2 from bodsch/feature/qemu-configuration

Feature/qemu configuration
bodsch · Mar 7, 2023 · c13c293 · c13c293
2 parents e408be9 + 8a4cef9
commit c13c293
Show file tree

Hide file tree

Showing 23 changed files with 862 additions and 263 deletions.
diff --git a/README.md b/README.md
@@ -96,7 +96,7 @@ libvirt_libvirtd:
   prio_workers: 5                # 5
   max_requests: ""               # ?
   max_client_requests: 5         # 5
-  admin_min_workers: 1           # 1
+  admin_min_workers: 1           # true
   admin_max_workers: 5           # 5
   admin_max_clients: 5           # 5
   admin_max_queued_clients: 5    # 5
@@ -263,6 +263,118 @@ libvirt_qemu:
     drivers: []
 ```
 
+All possible configuration options:
+
+```yaml
+libvirt_defaults_qemu:
+  default:
+    tls_x509_cert_dir: ""       # "/etc/pki/qemu"
+    tls_x509_verify: ""         #  1
+    tls_x509_secret_uuid: ""    # "00000000-0000-0000-0000-000000000000"
+
+  auto:
+    dump_path: "/var/lib/libvirt/qemu/dump"
+    dump_bypass_cache: false
+    start_bypass_cache: false
+
+  backup:
+    tls_x509_cert_dir: ""       # "/etc/pki/libvirt-backup"
+    tls_x509_verify: ""         # true
+    tls_x509_secret_uuid: ""    # "00000000-0000-0000-0000-000000000000"
+
+  cgroup:
+    controllers: []
+      # - cpu
+      # - devices
+      # - memory
+      # - blkio
+      # - cpuset
+      # - cpuacct
+    device_acl: []
+      # - "/dev/null"
+      # - "/dev/full"
+      # - "/dev/zero"
+      # - "/dev/random"
+      # - "/dev/urandom"
+      # - "/dev/ptmx"
+      # - "/dev/kvm"
+
+  chardev:
+    tls: ""                   # true
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-chardev"
+    tls_x509_verify: ""       # true
+    tls_x509_secret_uuid: ""  # "00000000-0000-0000-0000-000000000000"
+
+  migrate:
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-migrate"
+    tls_x509_verify: ""       # true
+    tls_x509_secret_uuid: ""  # "00000000-0000-0000-0000-000000000000"
+    tls_force: ""             # false
+
+  migration:
+    address: "0.0.0.0"
+    host: ""                  # "host.example.com"
+    port_min: ""              # 49152
+    port_max: ""              # 49215
+
+  nbd:
+    tls: ""                   # true
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-nbd"
+    tls_x509_secret_uuid: ""  # "00000000-0000-0000-0000-000000000000"
+
+  nographics:
+    allow_host_audio: true
+
+  remote:
+    display_port_min: 5900
+    display_port_max: 65535
+    websocket_port_min: 5700
+    websocket_port_max: 65535
+
+  security:
+    drivers: []
+    #  - selinux
+    #  - apparmor
+    default_confined: false
+    require_confined: false
+
+  spice:
+    listen: "0.0.0.0"
+    tls: false
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-spice"
+    auto_unix_socket: ""      # true
+    password: ""              # "XYZ12345"
+    sasl: ""                  # true
+    sasl_dir: ""              # "/some/directory/sasl2"
+
+  vnc:
+    listen: "127.0.0.1"
+    auto_unix_socket: true
+    tls: false
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-vnc"
+    tls_x509_secret_uuid: ""  # "00000000-0000-0000-0000-000000000000"
+    tls_x509_verify: ""       # true
+    password: ""              # "XYZ12345"
+    sasl: ""                  # true
+    sasl_dir: ""              # "/some/directory/sasl2"
+    allow_host_audio: ""      # false
+
+  vxhs:
+    tls: ""                   # true
+    tls_x509_cert_dir: ""     # "/etc/pki/libvirt-vxhs"
+    tls_x509_secret_uuid: ""  # "00000000-0000-0000-0000-000000000000"
+
+  system:
+    user: "root"
+    group: "root"
+    dynamic_ownership: true
+    remember_owner: true
+
+  image_format:
+    save_image_format: ""     # "raw"
+    dump_image_format: ""     # "raw"
+    snapshot_image_format: "" # "raw"
+```
 
 ### `libvirt_virtual_networks`
 
@@ -306,5 +418,4 @@ libvirt_storage_pools:
 
 [Apache](LICENSE)
 
-`FREE SOFTWARE, HELL YEAH!`
-
+**FREE SOFTWARE, HELL YEAH!**
diff --git a/templates/etc/libvirt/qemu.conf.j2 b/templates/etc/libvirt/qemu.conf.j2
@@ -1,15 +1,20 @@
 #jinja2: trim_blocks: True, lstrip_blocks: True
 # {{ ansible_managed }}
 
-{% include('qemu.d/default.j2') %}
-{% include('qemu.d/vnc.j2') %}
-{% include('qemu.d/spice.j2') %}
-{% include('qemu.d/chardev.j2') %}
-{% include('qemu.d/vxhs.j2') %}
-{% include('qemu.d/nbd.j2') %}
-{% include('qemu.d/migrate.j2') %}
-{% include('qemu.d/backup.j2') %}
-{% include('qemu.d/nographics.j2') %}
-{% include('qemu.d/remote.j2') %}
-{% include('qemu.d/security.j2') %}
-{% include('qemu.d/cgroup.j2') %}
+{%- include('qemu.d/default.j2') %}
+{%- include('qemu.d/auto.j2') %}
+{%- include('qemu.d/backup.j2') %}
+{%- include('qemu.d/cgroup.j2') %}
+{%- include('qemu.d/chardev.j2') %}
+{%- include('qemu.d/image_format.j2') %}
+{%- include('qemu.d/migrate.j2') %}
+{%- include('qemu.d/migration.j2') %}
+{%- include('qemu.d/nbd.j2') %}
+{%- include('qemu.d/nographics.j2') %}
+{%- include('qemu.d/remote.j2') %}
+{%- include('qemu.d/security.j2') %}
+{%- include('qemu.d/spice.j2') %}
+{%- include('qemu.d/system.j2') %}
+{%- include('qemu.d/vnc.j2') %}
+{%- include('qemu.d/vxhs.j2') %}
+{%- include('qemu.d/misc.j2') %}
diff --git a/templates/etc/libvirt/qemu.d/auto.j2 b/templates/etc/libvirt/qemu.d/auto.j2
@@ -0,0 +1,39 @@
+
+{% if libvirt_qemu.auto is defined and
+      libvirt_qemu.auto | count > 0 %}
+  {% if libvirt_qemu.auto.dump_path is defined and
+        libvirt_qemu.auto.dump_path | string | length > 0 %}
+auto_dump_path                = "{{ libvirt_qemu.auto.dump_path }}"
+  {% endif %}
+  {% if libvirt_qemu.auto.dump_bypass_cache is defined and
+        libvirt_qemu.auto.dump_bypass_cache | string | length > 0 %}
+auto_dump_bypass_cache        = {{ libvirt_qemu.auto.dump_bypass_cache | bool | ternary('1', '0') }}
+  {% endif %}
+  {% if libvirt_qemu.auto.start_bypass_cache is defined and
+        libvirt_qemu.auto.start_bypass_cache | string | length > 0 %}
+auto_start_bypass_cache       = {{ libvirt_qemu.auto.start_bypass_cache | bool | ternary('1', '0') }}
+  {% endif %}
+{% endif %}
+{#
+# When a domain is configured to be auto-dumped when libvirtd receives a
+# watchdog event from qemu guest, libvirtd will save dump files in directory
+# specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
+#
+#auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
+# When a domain is configured to be auto-dumped, enabling this flag
+# has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
+# virDomainCoreDump API.  That is, the system will avoid using the
+# file system cache while writing the dump file, but may cause
+# slower operation.
+#
+#auto_dump_bypass_cache = 0
+
+# When a domain is configured to be auto-started, enabling this flag
+# has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
+# with the virDomainCreateWithFlags API.  That is, the system will
+# avoid using the file system cache when restoring any managed state
+# file, but may cause slower operation.
+#
+#auto_start_bypass_cache = 0
+#}
diff --git a/templates/etc/libvirt/qemu.d/backup.j2 b/templates/etc/libvirt/qemu.d/backup.j2
@@ -1,4 +1,19 @@
 
+{% if libvirt_qemu.backup is defined and
+      libvirt_qemu.backup | count > 0 %}
+  {% if libvirt_qemu.backup.tls_x509_cert_dir is defined and
+        libvirt_qemu.backup.tls_x509_cert_dir | string | length > 0 %}
+backup_tls_x509_cert_dir      = "{{ libvirt_qemu.backup.tls_x509_cert_dir }}"
+  {% endif %}
+  {% if libvirt_qemu.backup.tls_x509_verify is defined and
+        libvirt_qemu.backup.tls_x509_verify | string | length > 0 %}
+backup_tls_x509_verify        = {{ libvirt_qemu.backup.tls_x509_verify | bool | ternary('1', '0') }}
+  {% endif %}
+  {% if libvirt_qemu.backup.tls_x509_secret_uuid is defined and
+        libvirt_qemu.backup.tls_x509_secret_uuid | string | length > 0 %}
+backup_tls_x509_secret_uuid   = "{{ libvirt_qemu.backup.tls_x509_secret_uuid }}"
+  {% endif %}
+{% endif %}
 {#
 # In order to override the default TLS certificate location for backup NBD
 # server certificates, supply a valid path to the certificate directory. If the
@@ -8,7 +23,6 @@
 #
 #backup_tls_x509_cert_dir = "/etc/pki/libvirt-backup"
 
-
 # The default TLS configuration only uses certificates for the server
 # allowing the client to verify the server's identity and establish
 # an encrypted channel.
@@ -26,7 +40,6 @@
 #
 #backup_tls_x509_verify = 1
 
-
 # Uncomment and use the following option to override the default secret
 # UUID provided in the default_tls_x509_secret_uuid parameter.
 #

diff --git a/templates/etc/libvirt/qemu.d/capability.j2 b/templates/etc/libvirt/qemu.d/capability.j2
@@ -0,0 +1,7 @@
+
+# For debugging and testing purposes it's sometimes useful to be able to disable
+# libvirt behaviour based on the capabilities of the qemu process. This option
+# allows to do so. DO _NOT_ use in production and beaware that the behaviour
+# may change across versions.
+#
+#capability_filters = [ "capname" ]
diff --git a/templates/etc/libvirt/qemu.d/cgroup.j2 b/templates/etc/libvirt/qemu.d/cgroup.j2
@@ -1,16 +1,16 @@
 
-# {{ libvirt_qemu.cgroup | default({}) }}
 {% if libvirt_qemu.cgroup is defined and
       libvirt_qemu.cgroup | count > 0 %}
   {% if libvirt_qemu.cgroup.controllers is defined and
         libvirt_qemu.cgroup.controllers | count > 0 %}
-    {% set _attr = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ] %}
     {% set _controllers = libvirt_qemu.cgroup.controllers | cgroup_controllers() %}
-cgroup_controllers        = [ "{{ _controllers | join('", "') }}" ]
+cgroup_controllers            = [ "{{ _controllers | join('", "') }}" ]
   {% endif %}
   {% if libvirt_qemu.cgroup.device_acl is defined and
         libvirt_qemu.cgroup.device_acl | count > 0 %}
-cgroup_device_acl         = [ "{{ libvirt_qemu.cgroup.device_acl | join('", "') }}" ]
+cgroup_device_acl             = [
+  "{{ libvirt_qemu.cgroup.device_acl | join('", "') }}"
+]
 
 # RDMA migration requires the following extra files to be added to the list:
 #   "/dev/infiniband/rdma_cm",
@@ -21,3 +21,48 @@ cgroup_device_acl         = [ "{{ libvirt_qemu.cgroup.device_acl | join('", "')
 #   "/dev/infiniband/uverbs0"
   {% endif %}
 {% endif %}
+{#
+# What cgroup controllers to make use of with QEMU guests
+#
+#  - 'cpu' - use for scheduler tunables
+#  - 'devices' - use for device access control
+#  - 'memory' - use for memory tunables
+#  - 'blkio' - use for block devices I/O tunables
+#  - 'cpuset' - use for CPUs and memory nodes
+#  - 'cpuacct' - use for CPUs statistics.
+#
+# NB, even if configured here, they won't be used unless
+# the administrator has mounted cgroups, e.g.:
+#
+#  mkdir /dev/cgroup
+#  mount -t cgroup -o devices,cpu,memory,blkio,cpuset none /dev/cgroup
+#
+# They can be mounted anywhere, and different controllers
+# can be mounted in different locations. libvirt will detect
+# where they are located.
+#
+#cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
+# This is the basic set of devices allowed / required by
+# all virtual machines.
+#
+# As well as this, any configured block backed disks,
+# all sound device, and all PTY devices are allowed.
+#
+# This will only need setting if newer QEMU suddenly
+# wants some device we don't already know about.
+#
+#cgroup_device_acl = [
+#    "/dev/null", "/dev/full", "/dev/zero",
+#    "/dev/random", "/dev/urandom",
+#    "/dev/ptmx", "/dev/kvm"
+#]
+#
+# RDMA migration requires the following extra files to be added to the list:
+#   "/dev/infiniband/rdma_cm",
+#   "/dev/infiniband/issm0",
+#   "/dev/infiniband/issm1",
+#   "/dev/infiniband/umad0",
+#   "/dev/infiniband/umad1",
+#   "/dev/infiniband/uverbs0"
+#}
diff --git a/templates/etc/libvirt/qemu.d/chardev.j2 b/templates/etc/libvirt/qemu.d/chardev.j2
@@ -1,4 +1,23 @@
 
+{% if libvirt_qemu.chardev is defined and
+      libvirt_qemu.chardev | count > 0 %}
+  {% if libvirt_qemu.chardev.tls is defined and
+        libvirt_qemu.chardev.tls | string | length > 0 %}
+chardev_tls                   = {{ libvirt_qemu.chardev.tls | bool | ternary('1', '0') }}
+  {% endif %}
+  {% if libvirt_qemu.chardev.tls_x509_cert_dir is defined and
+        libvirt_qemu.chardev.tls_x509_cert_dir | string | length > 0 %}
+chardev_tls_x509_cert_dir     = "{{ libvirt_qemu.chardev.tls_x509_cert_dir }}"
+  {% endif %}
+  {% if libvirt_qemu.chardev.tls_x509_verify is defined and
+        libvirt_qemu.chardev.tls_x509_verify | string | length > 0 %}
+chardev_tls_x509_verify       = {{ libvirt_qemu.chardev.tls_x509_verify | bool | ternary('1', '0') }}
+  {% endif %}
+  {% if libvirt_qemu.chardev.tls_x509_secret_uuid is defined and
+        libvirt_qemu.chardev.tls_x509_secret_uuid | string | length > 0 %}
+chardev_tls_x509_secret_uuid  = "{{ libvirt_qemu.chardev.tls_x509_secret_uuid }}"
+  {% endif %}
+{% endif %}
 {#
 # Enable use of TLS encryption on the chardev TCP transports.
 #

diff --git a/templates/etc/libvirt/qemu.d/image_format.j2 b/templates/etc/libvirt/qemu.d/image_format.j2
@@ -0,0 +1,49 @@
+
+{% if libvirt_qemu.image_format is defined and
+      libvirt_qemu.image_format | count > 0 %}
+  {# "raw", "lzop", "gzip", "bzip2", or "xz" #}
+  {% set _attr = ["raw", "lzop", "gzip", "bzip2", "xz"] %}
+  {% if libvirt_qemu.image_format.save_image_format is defined and
+        libvirt_qemu.image_format.save_image_format | string | length > 0 and
+        libvirt_qemu.image_format.save_image_format in _attr %}
+save_image_format             = "{{ libvirt_qemu.image_format.save_image_format }}"
+  {% endif %}
+  {% if libvirt_qemu.image_format.dump_image_format is defined and
+        libvirt_qemu.image_format.dump_image_format | string | length > 0 and
+        libvirt_qemu.image_format.dump_image_format in _attr %}
+dump_image_format             = "{{ libvirt_qemu.image_format.dump_image_format }}"
+  {% endif %}
+  {% if libvirt_qemu.image_format.snapshot_image_format is defined and
+        libvirt_qemu.image_format.snapshot_image_format | string | length > 0 and
+        libvirt_qemu.image_format.snapshot_image_format in _attr %}
+snapshot_image_format         = "{{ libvirt_qemu.image_format.snapshot_image_format }}"
+  {% endif %}
+{% endif %}
+{#
+# The default format for QEMU/KVM guest save images is raw; that is, the
+# memory from the domain is dumped out directly to a file.  If you have
+# guests with a large amount of memory, however, this can take up quite
+# a bit of space.  If you would like to compress the images while they
+# are being saved to disk, you can also set "lzop", "gzip", "bzip2", or "xz"
+# for save_image_format.  Note that this means you slow down the process of
+# saving a domain in order to save disk space; the list above is in descending
+# order by performance and ascending order by compression ratio.
+#
+# save_image_format is used when you use 'virsh save' or 'virsh managedsave'
+# at scheduled saving, and it is an error if the specified save_image_format
+# is not valid, or the requested compression program can't be found.
+#
+# dump_image_format is used when you use 'virsh dump' at emergency
+# crashdump, and if the specified dump_image_format is not valid, or
+# the requested compression program can't be found, this falls
+# back to "raw" compression.
+#
+# snapshot_image_format specifies the compression algorithm of the memory save
+# image when an external snapshot of a domain is taken. This does not apply
+# on disk image format. It is an error if the specified format isn't valid,
+# or the requested compression program can't be found.
+#
+#save_image_format = "raw"
+#dump_image_format = "raw"
+#snapshot_image_format = "raw"
+#}