"swtpm": # Candidate paths for the executable "executable": [ "/usr/bin/swtpm" ] # Arguments may be specified as nested lists for better readability. # The arguments are flattened before being passed to the process. "arguments": - "socket" - "--tpm2" - [ "--tpmstate", "dir=${ dataDir }" ] - [ "--ctrl", "type=unixio,path=${ runtimeDir }/swtpm-sock,mode=0600" ] - "--terminate" "cloudInitImg": # Candidate paths for the executable "executable": [ "/bin/sh", "/usr/bin/sh" ] # Arguments may be specified as nested lists for better readability. # The arguments are flattened before being passed to the process. "arguments": - "-c" - >- mformat -C -f 1440 -v CIDATA -i ${ runtimeDir }/cloud-init.img && mcopy -i ${ runtimeDir }/cloud-init.img ${ dataDir }/cloud-init/meta-data ${ dataDir }/cloud-init/user-data :: && if [ -r ${ dataDir }/cloud-init/network-config ]; then mcopy -i ${ runtimeDir }/cloud-init.img ${ dataDir }/cloud-init/network-config :: ; fi "qemu": # Candidate paths for the executable "executable": [ "/usr/bin/qemu-system-x86_64" ] # Arguments may be specified as nested lists for better readability. # The arguments are flattened before being passed to the process. # Unless otherwise noted, flags can be found on # https://www.qemu.org/docs/master/system/invocation.html # # Useful links: # - https://joonas.fi/2021/02/uefi-pc-boot-process-and-uefi-with-qemu/ "arguments": # Mandatory - "-S" # Qemu configuration - "-no-user-config" # * https://www.kernel.org/doc/Documentation/virtual/kvm/api.txt - [ "-global", "kvm-pit.lost_tick_policy=delay" ] # * Allow spawn for network setup (tap/bridge) - [ "-sandbox", "on,obsolete=deny,elevateprivileges=deny,\ spawn=allow,resourcecontrol=deny" ] # * Qemu monitor connection - [ "-chardev", "socket,id=charmonitor,\ path=${ runtimeDir }/monitor.sock,server=on,wait=off" ] - [ "-mon", "chardev=charmonitor,id=monitor,mode=control" ] # VM configuration - [ "-name", "guest=${ vm.name },debug-threads=on" ] - [ "-uuid", "${ vm.uuid }"] # * Configure "modern" machine (pc-q35-7.0). USB is off, because we # configure (better) xhci later. No VMWare IO port (obviously). # For smm=on see https://scumjr.github.io/2016/01/04/playing-with-smm-and-qemu/. # Configure ROM/EEPROM for UEFI. - [ "-machine", "pc-q35-7.0,usb=off,vmport=off,dump-guest-core=off\ <#if vm.firmware?starts_with("secure")>,smm=on\ <#if firmwareRom??>,pflash0=fw-rom-device\ ,pflash1=fw-eeprom-device,memory-backend=pc.ram,hpet=off" ] # * https://bugzilla.redhat.com/show_bug.cgi?id=1170533, may be unnecessary - [ "-global", "ICH9-LPC.disable_s3=1" ] - [ "-global", "ICH9-LPC.disable_s4=1" ] <#if firmwareRom??> # * Provide ROM/EEPROM devices (instead of built-in BIOS). # Don't use cache.direct=on for these as this can results in # incredibly bad performance when booting. - [ "-blockdev", "node-name=fw-rom-file,driver=file,\ filename=${ firmwareRom },auto-read-only=true,discard=unmap" ] - [ "-blockdev", "node-name=fw-rom-device,driver=raw,\ read-only=true,file=fw-rom-file" ] - [ "-blockdev", "node-name=fw-eeprom-file,driver=file,\ filename=${ firmwareVars },auto-read-only=true,discard=unmap" ] - [ "-blockdev", "node-name=fw-eeprom-device,driver=raw,\ read-only=false,file=fw-eeprom-file" ] # * Driver tuning for secure boot # https://wiki.debian.org/SecureBoot/VirtualMachine # http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt <#if vm.firmware?starts_with("secure")> - [ "-global", "driver=cfi.pflash01,property=secure,value=on" ] <#if vm.bootMenu> - [ "-boot", "menu=on" ] # * Provide RAM - [ "-object", "memory-backend-ram,id=pc.ram,\ size=${ (vm.maximumRam!1073741824)?c }" ] - [ "-m", "${ ((vm.maximumRam!1073741824)/1048576)?round?c }" ] - [ "-device", "virtio-balloon-pci,id=balloon0" ] <#if vm.useTpm> # Attach TPM - [ "-chardev", "socket,id=chrtpm,path=${ runtimeDir }/swtpm-sock" ] - [ "-tpmdev", "emulator,id=tpm0,chardev=chrtpm" ] - [ "-device", "tpm-tis,tpmdev=tpm0" ] - [ "-cpu", "${ vm.cpuModel }" ] <#if vm.maximumCpus gt 1> - [ "-smp", "1,maxcpus=${ vm.maximumCpus }\ <#if vm.sockets gt 0>,sockets=${ vm.sockets }\ <#if vm.diesPerSocket gt 0>,dies=${ vm.diesPerSocket }\ <#if vm.coresPerDie gt 0>,cores=${ vm.coresPerDie }\ <#if vm.threadsPerCore gt 0>,threads=${ vm.threadsPerCore }" ] <#if vm.accelerator != "none"> - [ "-accel", "${ vm.accelerator }" ] - [ "-device", "intel-iommu,device-iotlb=on" ] # (More devices:) # * RTC - [ "-rtc", "base=${ vm.rtcBase },clock=${ vm.rtcClock },driftfix=slew" ] # On-board serial, made available as pty on host (not used) - [ "-chardev", "pty,id=ptyserial0" ] - [ "-device", "isa-serial,chardev=ptyserial0,id=serial0,index=0" ] # * PCI Serial device(s) (more in SPICE configuration below) # Best explanation found: # https://fedoraproject.org/wiki/Features/VirtioSerial - [ "-device", "virtio-serial-pci,id=virtio-serial0" ] # - Guest agent serial connection - [ "-device", "virtserialport,id=channel0,name=org.qemu.guest_agent.0,\ chardev=guest-agent-socket" ] - [ "-chardev","socket,id=guest-agent-socket,\ path=${ runtimeDir }/org.qemu.guest_agent.0,server=on,wait=off" ] # * USB Hub and devices (more in SPICE configuration below) # https://qemu-project.gitlab.io/qemu/system/devices/usb.html # https://github.com/qemu/qemu/blob/master/hw/usb/hcd-xhci.c - [ "-device", "qemu-xhci,p2=15,p3=15,id=usb" ] - [ "-device", "usb-tablet" ] # * Random number generator - [ "-object", "rng-random,id=objrng0,filename=/dev/random" ] - [ "-device", "virtio-rng-pci,rng=objrng0,id=rng0" ] # * Graphics and Audio Card # This is the only video "card" without a flickering cursor. - [ "-device", "virtio-vga,id=video0,max_outputs=1" ] - [ "-device", "ich9-intel-hda,id=sound0" ] # Network <#assign nwCounter = 0/> <#list vm.network![] as itf> <#switch itf.type!"tap"> <#case "tap"> - [ "-netdev", "bridge,id=hostnet${ nwCounter }\ <#if itf.bridge??>,br=${ itf.bridge }" ] - [ "-device", "${ itf.device },netdev=hostnet${ nwCounter }\ <#if itf.mac??>,mac=${ itf.mac }" ] <#break> <#case "user"> - [ "-netdev", "user,id=hostnet${ nwCounter }\ <#if itf.net??>,net=${ itf.net }" ] - [ "-device", "${ itf.device },netdev=hostnet${ nwCounter }\ <#if itf.mac??>,mac=${ itf.mac }" ] <#break> <#assign nwCounter += 1/> # Drives # * CD-Drives <#assign cdCounter = 0/> <#list vm.drives![] as drive> <#if (drive.type!"") == "ide-cd"> - [ "-drive", "id=drive-cdrom${ cdCounter },if=none,media=cdrom,\ readonly=on<#if drive.file??>,file=${ drive.file }" ] # (IDE is old, but faster than usb-storage. virtio-blk-pci does not # work without file [empty drive]) - [ "-device", "ide-cd,id=cd${ cdCounter },bus=ide.${ cdCounter },\ drive=drive-cdrom${ cdCounter }\ <#if drive.bootindex??>,bootindex=${ drive.bootindex }" ] <#assign cdCounter += 1/> # * Disks <#assign drvCounter = 0/> <#list vm.drives![] as drive> <#switch (drive.type!"raw")> <#case "raw"> # - how to access the resource on the host (a file or a block device) <#if drive.file??> - [ "-blockdev", "node-name=drive-${ drvCounter }-host-resource,\ driver=file,filename=${ drive.file }" ] <#if drive.device??> - [ "-blockdev", "node-name=drive-${ drvCounter }-host-resource,\ driver=host_device,filename=${ drive.device },\ aio=native,cache.direct=on,cache.no-flush=off,\ auto-read-only=true,discard=unmap" ] # - how to use the file (as sequence of literal blocks) - [ "-blockdev", "node-name=drive-${ drvCounter }-backend,driver=raw,\ file=drive-${ drvCounter }-host-resource" ] # - the driver (what the guest sees) - [ "-device", "virtio-blk-pci,drive=drive-${ drvCounter }-backend\ <#if drive.bootindex??>,bootindex=${ drive.bootindex }" ] <#assign drvCounter += 1/> <#break> # Cloud-init image <#if cloudInit??> - [ "-blockdev", "node-name=drive-${ drvCounter }-host-resource,\ driver=file,filename=${ runtimeDir }/cloud-init.img" ] # - how to use the file (as sequence of literal blocks) - [ "-blockdev", "node-name=drive-${ drvCounter }-backend,driver=raw,\ file=drive-${ drvCounter }-host-resource" ] # - the driver (what the guest sees) - [ "-device", "virtio-blk-pci,drive=drive-${ drvCounter }-backend" ] <#if vm.display??> <#if vm.display.spice??> <#assign spice = vm.display.spice/> # SPICE (display, channels ...) # https://www.linux-kvm.org/page/SPICE <#if ticketPath??> - [ "-object", "secret,id=spiceTicket,file=${ ticketPath }" ] - [ "-spice", "port=${ spice.port?c }\ <#if spice.ticket??>,password-secret=spiceTicket\ <#else>,disable-ticketing=on\ <#if spice.streamingVideo??>,streaming-video=${ spice.streamingVideo }\ ,seamless-migration=on" ] - [ "-chardev", "spicevmc,id=vdagentdev,name=vdagent" ] - [ "-device", "virtserialport,name=com.redhat.spice.0,\ chardev=vdagentdev" ] # * Audio - [ "-audiodev", "driver=spice,id=audio1" ] - [ "-device", "hda-duplex,audiodev=audio1" ] # * USB redirection <#list 0.. - [ "-chardev", "spicevmc,id=charredir${ index },name=usbredir" ] - [ "-device", "usb-redir,id=redir${ index },chardev=charredir${ index }" ]