From 6921381e6831f942029b922e6f0ef6b7ca0c6c58 Mon Sep 17 00:00:00 2001
Message-ID: <6921381e6831f942029b922e6f0ef6b7ca0c6c58.1755522824.git.jdenemar@redhat.com>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Wed, 16 Jul 2025 16:30:52 +0100
Subject: [PATCH] qemu: sanitize blank lines in config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We mostly use 2 blank lines between config file entries to improve readability. Fix where we don't do that.
Reviewed-by: Peter Krempa
Signed-off-by: Daniel P. Berrangé
(cherry picked from commit 0b9cfa791f2bd135ea36fe03fd1a8d6c8bf5e3d6)
Resolves: https://issues.redhat.com/browse/RHEL-106276
Signed-off-by: Daniel P. Berrangé
---
 src/qemu/qemu.conf.in | 41 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index 3365834200..988d176a28 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -48,7 +48,7 @@
 #
 #default_tls_x509_verify = 1
-#
+
 # Libvirt assumes the server-key.pem file is unencrypted by default.
 # To use an encrypted server-key.pem file, the password to decrypt
 # the PEM file is required. This can be provided by creating a secret
@@ -71,6 +71,7 @@
 #
 #vnc_listen = "0.0.0.0"
+
 # Enable this option to have VNC served over an automatically created
 # unix socket. This prevents unprivileged access from users on the
 # host machine, though most VNC clients do not support it.
@@ -81,6 +82,7 @@
 #
 #vnc_auto_unix_socket = 1
+
 # Enable use of TLS encryption on the VNC server. This requires
 # a VNC client which supports the VeNCrypt protocol extension.
 # Examples include vinagre, virt-viewer, virt-manager and vencrypt
@@ -222,6 +224,7 @@
 #
 #spice_sasl = 1
+
 # The default SASL configuration file is located in /etc/sasl2/
 # When running libvirtd unprivileged, it may be desirable to
 # override the configs in this location. Set this parameter to
@@ -229,6 +232,7 @@
 #
 #spice_sasl_dir = "/some/directory/sasl2"
+
 # Enable use of TLS encryption on the chardev TCP transports.
 #
 # It is necessary to setup CA and issue a server certificate
@@ -468,6 +472,7 @@
 #remote_display_port_min = 5900
 #remote_display_port_max = 65535
+
 # VNC WebSocket port policies, same rules apply as with remote display
 # ports. VNC WebSockets use similar display <-> port mappings, with
 # the exception being that ports start from 5700 instead of 5900.
@@ -475,6 +480,7 @@
 #remote_websocket_port_min = 5700
 #remote_websocket_port_max = 65535
+
 # The default security driver is SELinux. If SELinux is disabled
 # on the host, then the security driver will automatically disable
 # itself. If you wish to disable QEMU SELinux security driver while
@@ -492,15 +498,18 @@
 #
 #security_driver = "selinux"
+
 # If set to non-zero, then the default security labeling
 # will make guests confined. If set to zero, then guests
 # will be unconfined by default. Defaults to 1.
 #security_default_confined = 1
+
 # If set to non-zero, then attempts to create unconfined
 # guests will be blocked. Defaults to 0.
 #security_require_confined = 1
+
 # The user for QEMU processes run by the system instance. It can be
 # specified as a user name or as a user id. The qemu driver will try to
 # parse this value first as a name and then, if the name doesn't exist,
@@ -518,20 +527,24 @@
 #
 #user = "@QEMU_USER@"
+
 # The group for QEMU processes run by the system instance. It can be
 # specified in a similar way to user.
 #group = "@QEMU_GROUP@"
+
 # Whether libvirt should dynamically change file ownership
 # to match the configured user/group above. Defaults to 1.
 # Set to 0 to disable file ownership changes.
 #dynamic_ownership = 1
+
 # Whether libvirt should remember and restore the original
 # ownership over files it is relabeling. Defaults to 1, set
 # to 0 to disable the feature.
 #remember_owner = 1
+
 # What cgroup controllers to make use of with QEMU guests
 #
 # - 'cpu' - use for scheduler tunables
@@ -553,6 +566,7 @@
 #
 #cgroup_controllers = [ "cpu", "devices", "memory", "blkio", "cpuset", "cpuacct" ]
+
 # This is the basic set of devices allowed / required by
 # all virtual machines.
 #
@@ -612,12 +626,14 @@
 #dump_image_format = "raw"
 #snapshot_image_format = "raw"
+
 # When a domain is configured to be auto-dumped when libvirtd receives a
 # watchdog event from qemu guest, libvirtd will save dump files in directory
 # specified by auto_dump_path. Default value is /var/lib/libvirt/qemu/dump
 #
 #auto_dump_path = "/var/lib/libvirt/qemu/dump"
+
 # When a domain is configured to be auto-dumped, enabling this flag
 # has the same effect as using the VIR_DUMP_BYPASS_CACHE flag with the
 # virDomainCoreDump API. That is, the system will avoid using the
@@ -626,6 +642,7 @@
 #
 #auto_dump_bypass_cache = 0
+
 # When a domain is configured to be auto-started, enabling this flag
 # has the same effect as using the VIR_DOMAIN_START_BYPASS_CACHE flag
 # with the virDomainCreateWithFlags API. That is, the system will
@@ -634,6 +651,7 @@
 #
 #auto_start_bypass_cache = 0
+
 # If provided by the host and a hugetlbfs mount point is configured,
 # a guest may request huge page backing. When this mount point is
 # unspecified here, determination of a host mount point in /proc/mounts
@@ -682,6 +700,7 @@
 #max_processes = 0
 #max_files = 0
+
 # If max_threads_per_process is set to a positive integer, libvirt
 # will use it to set the maximum number of threads that can be
 # created by a qemu process. Some VM configurations can result in
@@ -692,6 +711,7 @@
 #
 #max_threads_per_process = 0
+
 # If max_core is set to a non-zero integer, then QEMU will be
 # permitted to create core dumps when it crashes, provided its
 # RAM size is smaller than the limit set.
@@ -716,6 +736,7 @@
 #
 #max_core = "unlimited"
+
 # Determine if guest RAM is included in QEMU core dumps. By
 # default guest RAM will be excluded if a new enough QEMU is
 # present and host kernel supports it. Setting this to '1' will
@@ -726,6 +747,7 @@
 #
 #dump_guest_core = 1
+
 # mac_filter enables MAC addressed based filtering on bridge ports.
 # This currently requires ebtables to be installed.
 #
@@ -755,6 +777,7 @@
 #
 #max_queued = 0
+
 ###################################################################
 # Keepalive protocol:
 # This allows qemu driver to detect broken connections to remote
@@ -778,7 +801,6 @@
 #keepalive_count = 5
-
 # Use seccomp syscall filtering sandbox in QEMU.
 # 1 == filter enabled, 0 == filter disabled
 #
@@ -813,7 +835,6 @@
 #migration_port_max = 49215
-
 # Timestamp QEMU's log messages (if QEMU supports it)
 #
 # Defaults to 1.
@@ -853,6 +874,7 @@
 # "/usr/share/AAVMF/AAVMF32_CODE.fd:/usr/share/AAVMF/AAVMF32_VARS.fd"
 #]
+
 # The backend to use for handling stdout/stderr output from
 # QEMU processes.
 #
@@ -868,6 +890,7 @@
 #
 #stdio_handler = "logd"
+
 # QEMU gluster libgfapi log level, debug levels are 0-9, with 9 being the
 # most verbose, and 0 representing no debugging output.
 #
@@ -888,6 +911,7 @@
 #
 #gluster_debug_level = 9
+
 # virtiofsd debug
 #
 # Whether to enable the debugging output of the virtiofsd daemon.
@@ -895,6 +919,7 @@
 #
 #virtiofsd_debug = 1
+
 # To enhance security, QEMU driver is capable of creating private namespaces
 # for each domain started. Well, so far only "mount" namespace is supported. If
 # enabled it means qemu process is unable to see all the devices on the system,
@@ -903,24 +928,29 @@
 # by default.
 #namespaces = [ "mount" ]
+
 # This directory is used for memoryBacking source if configured as file.
 # NOTE: big files will be stored here
 #memory_backing_dir = "/var/lib/libvirt/qemu/ram"
+
 # Path to the SCSI persistent reservations helper. This helper is
 # used whenever are enabled for SCSI LUN devices.
 # If this is not an absolute path, the program will be searched for
 # in $PATH as well as a few additional directories.
 #pr_helper = "qemu-pr-helper"
+
 # Path to the SLIRP networking helper.
 #slirp_helper = "/usr/bin/slirp-helper"
+
 # Path to the dbus-daemon
 # If this is not an absolute path, the program will be searched for
 # in $PATH.
 #dbus_daemon = "dbus-daemon"
+
 # User for the swtpm TPM Emulator
 #
 # Default is 'tss'; this is the same user that tcsd (TrouSerS) installs
@@ -929,6 +959,7 @@
 #swtpm_user = "tss"
 #swtpm_group = "tss"
+
 # For debugging and testing purposes it's sometimes useful to be able to disable
 # libvirt behaviour based on the capabilities of the qemu process. This option
 # allows to do so. DO _NOT_ use in production and beaware that the behaviour
@@ -936,6 +967,7 @@
 #
 #capability_filters = [ "capname" ]
+
 # 'deprecation_behavior' setting controls how the qemu process behaves towards
 # deprecated commands and arguments used by libvirt.
 #
@@ -967,6 +999,7 @@
 #
 #deprecation_behavior = "none"
+
 # If this is set then QEMU and its threads will run in a separate scheduling
 # group meaning no other process will share Hyper Threads of a single core with
 # QEMU. Each QEMU has its own group.
@@ -983,6 +1016,7 @@
 # scheduling group
 #sched_core = "none"
+
 # Using nbdkit to access remote disk sources
 #
 # If this is set then libvirt will use nbdkit to access remote disk sources
@@ -994,6 +1028,7 @@
 #
 #storage_use_nbdkit = @USE_NBDKIT_DEFAULT@
+
 # libvirt will normally prevent migration if the storage backing the VM is not
 # on a shared filesystems. Sometimes, however, the storage *is* shared despite
 # not being detected as such: for example, this is the case when one of the
--
2.50.1