Comment: Missing space in rule example

...


Copyright 2013 by Citrix Systems, Inc. This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.


Introduction

...

Code Block

# nothing can be done by default
deny all

# allow stubdoms to talk to surfman,xenmgr,dbus
allow stubdom true destination com.citrix.xenclient.surfman
allow stubdom true destination com.citrix.xenclient.xenmgr
allow stubdom true destination org.freedesktop.DBus interface org.freedesktop.DBus

# allow guests to call 'gather' on diagnostics interface (required by xc-diag)
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.diag member gather

# allow anybody to do some vm queries required for switcher bar
allow destination com.citrix.xenclient.xenmgr interface org.freedesktop.DBus.Properties member Get
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member list_vms
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member get_db_key
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member read_icon
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.vm member switch
allow destination com.citrix.xenclient.input interface com.citrix.xenclient.input member get_focus_domid
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr member find_vm_by_domid

# allow guest to do some requests
allow destination com.citrix.xenclient.xenmgr interface com.citrix.xenclient.xenmgr.guestreq member request_attention

# allow conditional domstore (private db space) access
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member read_binary if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member list if-boolean domstore-read-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member exists if-boolean domstore-read-access true

# allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member write if-boolean domstore-write-access true
allow destination com.citrix.xenclient.db interface com.citrix.xenclient.db member rm if-boolean domstore-write-access true

...

key name   type  description
(type: s = string, b = boolean, i = integer)

hvm        s     command line given to the kernel
startup    s     specify what to do with the domain at startup; possible values: started, paused, shutdown or restore
debug      b     log all operations to /tmp/xenvm-debug-%uuid
uuid       s     specify the domain uuid (defaults to autogeneration)
on_crash   s     specify the action to be taken after notifying a crash/halt/reboot;
on_halt    s     possible values: preserve, reboot, destroy
on_reboot  s
kernel     s     specify where to find the kernel to boot (can be empty for hvm; defaults to hvmloader)
memory     i     memory given to the guest, in megabytes
vcpus      i     number of vcpus available to the guest
disk       s     add a virtual disk.
                 format: physpath:phystype:virtpath:mode:devtype[:k=v...]
                   - physpath: path to the disk image, raw device, ...
                   - phystype: phy
                   - virtpath: hd(a-d)
                   - mode: r
                   - devtype: cdrom
                   - extra k=v arguments: cipher, key-size, key-file
nic        s     add a virtual nic.
                 format: key=value,key=value,... (can be empty)
                 supported keys: bridge, mac, id
                 examples:
                   "nic = bridge=xen-br0,mac=ab:ef:fe:dc:ba:ab"
                   "nic = mac=ab:ef:fe:dc:ba:ab"
                   "nic = "
pci        s     add a pci device.
                 format: devid,bind,domain:bus:device.function
serial     s     redirect serial to a device or to the network (tcp:ip:port)
                 ex: "pty" or "tcp:1.2.3.4:1234"
display    s     details the type of display available for the guest
                 format: :key[=value],key[=value],...
                 possible values:
                   - none
                   - vnc (keys allowed: use-port-unused, keymap, port)
                   - sdl
                   - intel

(the following are only useful for PV)
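The disk, nic and pci values in the table above are free-form strings, so anything that builds a domain configuration from less-trusted input (a management UI, an import of a VM definition) should validate them before they reach the toolstack. The parser below is an added example for this page, not xenvm's own code. It accepts exactly the field values the table lists (phystype phy, mode r, devtype cdrom, virtpath hda..hdd, the cipher/key-size/key-file extras, the bridge/mac/id nic keys, and "bind" as the second pci field) and rejects everything else; the accepted sets are module-level constants so they can be widened to whatever the deployed toolstack really supports. All sample values are constructed.

```python
"""Parse and validate the xenvm disk / nic / pci value formats from the table
above.  Added example, not xenvm's own parser.  The accepted values are the
ones the table lists; widen the sets if the toolstack accepts more.  Sample
inputs used with these functions are constructed."""
import re
from typing import Any, Callable, Dict

DISK_PHYSTYPES = {"phy"}
DISK_MODES = {"r"}
DISK_DEVTYPES = {"cdrom"}
DISK_EXTRA_KEYS = {"cipher", "key-size", "key-file"}
VIRTPATH_RE = re.compile(r"^hd[a-d]$")
NIC_KEYS = {"bridge", "mac", "id"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
PCI_BIND = {"bind"}
# domain:bus:device.function with device 0x00-0x1f and function 0-7
BDF_RE = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[01][0-9a-f]\.[0-7]$", re.IGNORECASE)


def _kv(item: str, allowed: set, seen: Dict[str, str]) -> None:
    """Parse one key=value item into seen, rejecting unknown or repeated keys."""
    if "=" not in item:
        raise ValueError(f"expected key=value, got {item!r}")
    key, value = (s.strip() for s in item.split("=", 1))
    if key not in allowed:
        raise ValueError(f"unknown key {key!r}")
    if key in seen:
        raise ValueError(f"duplicate key {key!r}")
    seen[key] = value


def parse_disk(spec: str) -> Dict[str, Any]:
    """physpath:phystype:virtpath:mode:devtype[:k=v...]"""
    parts = spec.split(":")
    if len(parts) < 5:
        raise ValueError("disk needs physpath:phystype:virtpath:mode:devtype")
    physpath, phystype, virtpath, mode, devtype = parts[:5]
    if not physpath.startswith("/"):
        raise ValueError("physpath must be an absolute path")
    if phystype not in DISK_PHYSTYPES:
        raise ValueError(f"unsupported phystype {phystype!r}")
    if not VIRTPATH_RE.match(virtpath):
        raise ValueError(f"virtpath must be hda..hdd, got {virtpath!r}")
    if mode not in DISK_MODES:
        raise ValueError(f"unsupported mode {mode!r}")
    if devtype not in DISK_DEVTYPES:
        raise ValueError(f"unsupported devtype {devtype!r}")
    extra: Dict[str, str] = {}
    for item in parts[5:]:                 # each extra is its own ':k=v' field
        _kv(item, DISK_EXTRA_KEYS, extra)
    if "key-size" in extra and not extra["key-size"].isdigit():
        raise ValueError("key-size must be a number of bits")
    return {"physpath": physpath, "phystype": phystype, "virtpath": virtpath,
            "mode": mode, "devtype": devtype, "extra": extra}


def parse_nic(spec: str) -> Dict[str, str]:
    """key=value,key=value,...  An empty value is a nic with defaults."""
    nic: Dict[str, str] = {}
    if spec.strip():
        for item in spec.split(","):
            _kv(item, NIC_KEYS, nic)
    if "mac" in nic and not MAC_RE.match(nic["mac"]):
        raise ValueError(f"malformed mac {nic['mac']!r}")
    return nic


def parse_pci(spec: str) -> Dict[str, Any]:
    """devid,bind,domain:bus:device.function"""
    fields = spec.split(",")
    if len(fields) != 3:
        raise ValueError("pci needs devid,bind,domain:bus:device.function")
    devid, bind, bdf = (f.strip() for f in fields)
    if not devid.isdigit():
        raise ValueError(f"devid must be an integer, got {devid!r}")
    if bind not in PCI_BIND:
        raise ValueError(f"unsupported bind mode {bind!r}")
    if not BDF_RE.match(bdf):
        raise ValueError(f"malformed PCI address {bdf!r}")
    return {"devid": int(devid), "bind": bind, "bdf": bdf.lower()}


def rejects(parser: Callable[[str], Any], spec: str) -> bool:
    """True if parser raises ValueError on spec; used for the negative checks."""
    try:
        parser(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # constructed sample: an encrypted cdrom image, the page's nic example, one pci device
    print(parse_disk("/storage/disks/guest.vhd:phy:hda:r:cdrom:cipher=aes-xts-plain:key-size=256:key-file=/config/guest.key"))
    print(parse_nic("bridge=xen-br0,mac=ab:ef:fe:dc:ba:ab"))
    print(parse_pci("0,bind,0000:01:00.0"))
```

Rejecting unknown keys outright, rather than ignoring them, is the point: a key the toolstack does not know is either a typo that silently drops a setting (an unencrypted disk where an encrypted one was intended) or an attempt to smuggle an option through, and neither should pass quietly.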

...

key name              type  description
(type: s = string, b = boolean, i = integer, k=v = key/value pairs)

pae                   b     specify that the guest is using PAE
acpi                  b     specify that the guest is using ACPI
apic                  b     specify that the guest is using APIC
nx                    b     specify that the guest is using NX
smbios-pt             b     specify that the guest is using smbios pass-through
smbios-oem-type-pt    i     tables number to pass through
acpi-pt               b     specify that the guest is using ACPI pass-through
diskinfo-pt           b     specify that the guest is using SCSI diskinfo pass-through
boot                  s     specify the qemu boot string
extra-hvm             k=v   specify extra arguments passed through to qemu as -k v
power-management      i     specify the power management pass-through mode
                              - 1 : pass-through mode (limited scope)
                              - 2 : non pass-through mode (in doubt use this)
oem-features          i     specify whether or not to pass through oem features.
                            Note: at the moment any integer value can be passed, but this is
                            likely to change in future, especially if we decide to pass through
                            a subset of oem features and let the user configure that subset.
timer-mode            i     specify the timer mode used.
timeoffset            s     specify the time offset (i.e. timezone) used.
pci-msitranslate      i     specify whether to use MSI-INTx translation for the guest.
pci-power-management  i     specify whether or not to enable Dx power management for
                            passthrough devices.
inject-sci            i     specify whether or not to inject SCIs (lid close, power button
                            press) into the guest. (Default: no injection)

...