NAME

vm.conf — virtual machine configuration

DESCRIPTION

vm.conf is the configuration file to configure the virtual machine monitor (VMM) subsystem. A VMM manages virtual machines (VMs) on a host. The VMM subsystem is responsible for creating, destroying, and executing VMs.

vm.conf is divided into the following main sections:

Macros: User-defined variables may be defined and used later, simplifying the configuration file.
Global Configuration: Global settings for vmd(8).
VM Configuration: Configuration for each individual virtual machine.
Switch Configuration: Configuration for virtual switches.

Within the sections, the bytes argument can be specified with a human-readable scale, using the format described in scan_scaled(3).

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Argument names not beginning with a letter, digit, underscore, or slash must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/vm1.example.com.conf"

MACROS

Macros can be defined that will later be expanded in context. Macro names must start with a letter, digit, or underscore, and may contain any of those characters. Macro names may not be reserved words (for example, vm, memory, or disk). Macros are not expanded inside quotes.

For example:

ramdisk="/bsd.rd"
vm "vm1.example.com" {
	memory 512M
	boot $ramdisk
}

GLOBAL CONFIGURATION

The following setting can be configured globally:

agentx [context context] [path path]: Export vm metrics via an AgentX compatible (snmp) daemon by connecting to path. Metrics can be found under the vmMIB subtree (mib-2.236). If path is omitted it will default to /var/agentx/master. context is the SNMPv3 context and can usually be omitted.
local prefix address/prefix: Set the network prefix that is used to allocate subnets for local interfaces, see local interface in the VM CONFIGURATION section below. The default is 100.64.0.0/10.
local inet6 [prefix address/prefix]: Enable IPv6 on local interfaces and allocate routable subnets. If the prefix is not specified, a random prefix from the “unique local” network range fd00::/8 will be generated on startup. The specified prefix length must be /64 or smaller.
socket owner user:group: Set the control socket owner to the specified user and group. Users with access to the control socket will be allowed to use vmctl(8) for restricted access to vmd(8). If only user is given, only the user is set. If only :group is given, only the group is set. The default is root:wheel.
staggered start parallel parallelism delay seconds: Start all configured VMs in a staggered fashion with parallelism instances in parallel every delay seconds. Defaults to parallelism equal to number of online CPUs and a delay of 30 seconds.

VM CONFIGURATION

Each vm section starts with a declaration of the virtual machine name:

vm name {...}: The name can only consist of alphanumeric characters, as well as '.', '-', and '_', and must start with a letter. Typically this is a hostname.

Followed by a block of parameters that is enclosed in curly brackets:

allow instance {...}

Set the permissions to create VM instances. See VM INSTANCES.

boot path

Kernel or BIOS image to load when booting the VM. If not specified, the default is to boot using the BIOS image in /etc/firmware/vmm-bios.

boot device device

Force VM to boot from device. Valid values are:

cdrom: Boot the ISO image file specified using the cdrom parameter.
disk: Boot from the disk image file specified using the disk parameter.
net: Boot the kernel specified using the boot parameter as if the VM was network booted. In addition, the DHCP lease will advertise “auto_install” in the bootfile option making it suitable for use with autoinstall(8). Note, this is not to be confused with pxeboot(8) but rather a simulated network boot.

Currently disk and cdrom only work with VMs booted using BIOS.

cdrom path

ISO image file.

enable

Automatically start the VM. This is the default if neither enable nor disable is specified.

disable

Do not start this VM.

disk path [format fmt]

Disk image file (may be specified multiple times to add multiple disk images). The format may be specified as either qcow2 (a sparse file format which reduces storage) or raw. If left unspecified, the format defaults to raw if it cannot be derived automatically.

[local] interface [name] [{...}]

Network interface to add to the VM. The optional name can be either tap to select the next available tap(4) interface on the VM host side (the default) or tapN to select a specific one.

Valid options are:

group group-name: Assign the interface to a specific interface “group”. For example, this can be used to write pf.conf(5) rules for several VM interfaces in the same group. The group-name must not be longer than 15 characters or end with a digit, as described in ifconfig(8).
[locked] lladdr [etheraddr]: Change the link layer address (MAC address) of the interface on the VM guest side. If not specified, a randomized address will be assigned by vmd(8). If the locked keyword is specified, vmd(8) will drop packets from the VM with altered source addresses.
rdomain rdomainid: Attach the interface to the routing domain with the specified rdomainid. If attaching to a switch that also has an rdomainid set, the rdomainid configured for the interface takes precedence.
switch name: Set the virtual switch by name. See the SWITCH CONFIGURATION section about virtual switches. This option is ignored if a switch with a matching name cannot be found.
up: Start the interface forwarding packets. This is the default.
down: Stop the interface from forwarding packets.

A local interface will auto-generate an IPv4 subnet for the interface, configure a gateway address on the VM host side, and run a simple DHCP/BOOTP server for the VM. This option can be used for layer 3 mode without configuring a switch.

If the global local inet6 option is enabled, a routable IPv6 gateway address will be generated on the host side. Unlike the IPv4 option, vmd(8) does not respond to DHCPv6 or router solicitation messages itself. Use rad(8) listening on the interface group, e.g. interface tap for auto-configuring the VMs accordingly.

interfaces count

Optional minimum number of network interfaces to add to the VM. If the count is greater than the number of interface statements, additional default interfaces will be added.

memory bytes

Memory size of the VM, in bytes, rounded to megabytes. The default is 512M.

owner user:group

Set the owner of the VM to the specified user and group. The owner will be allowed to start or stop the VM, pause or unpause the VM, and open the VM's console. If only user is given, only the user is set. If only :group is given, only the group is set.

sev

Enables AMD Secure Encrypted Virtualization for guest. vmd(8) uses psp(4) to configure the guest for SEV.

VM INSTANCES

It is possible to use configured or running VMs as a template for additional instances of the VM. An instance is just like a normal vm and is configured with the following declaration of the virtual machine name:

vm parent instance name {...}: A virtual machine can be created as an instance of any other configured VM.

The new instance will inherit settings from the VM parent, except for exclusive options such as disk, interface lladdr, or interface name. The configuration options are identical to the VM CONFIGURATION, but restricted to the allowed instance options.

The allowed instance options are configured in the parent VM:

allow instance {...}: Allow users to use this VM as a template for VM instances. By default, the root user can always create instances without restrictions and users or non-root owners cannot create instances. An instance will inherit the configuration from the VM and the user, if permitted, will be allowed to configure individual VM options.

Valid options are:

boot: Allow user to configure the kernel or BIOS image. The user needs read access to the image.
cdrom: Allow user to configure the ISO file. The user needs read access to the file.
disk: Allow user to configure the disk images. The user needs read and write access to image and instances are not allowed to reuse disks from the parent VM.
instance: Allow user to create additional instances from the instances.
interface: Allow user to change network interface settings.
memory: Allow user to configure the memory size.
owner user[:group]: Allow the specified user or group to create the instances. The owner will be allowed to create VM instances, start or stop the instances, pause or unpause the instances, and open the instances' consoles.
owner :group: Set the owner to the specified group.

SWITCH CONFIGURATION

A virtual switch allows VMs to communicate with other network interfaces on the host system via either bridge(4) or veb(4). The network interface for each virtual switch defined in vm.conf is pre-configured using hostname.if(5) or ifconfig(8) (see the BRIDGE and VEB sections in ifconfig(8) accordingly). When a VM is started, virtual network interfaces which are assigned to a virtual switch have their tap(4) interface automatically added into the corresponding bridge(4) or veb(4) interface underlying the virtual switch.

Virtual switches can be configured at any point in the configuration file. Each switch section starts with a declaration of the virtual switch:

switch name {...}: This name can be any string, and is typically a network name.

Followed by a block of parameters that is enclosed in curly brackets:

enable: Automatically configure the switch. This is the default if neither enable nor disable is specified.
locked lladdr: If this option is specified, vmd(8) will drop packets with altered source addresses that do not match the link layer addresses (MAC addresses) of the VM interfaces in this switch.
disable: Do not configure this switch.
group group-name: Assign each interface to a specific interface “group”. For example, this can be used to write pf.conf(5) rules for several VM interfaces in the same group. The group-name must not be longer than 15 characters or end with a digit, as described in ifconfig(8).
interface name: Set the bridge(4) or veb(4) network interface of this switch.
rdomain rdomainid: Set the routing domain of the switch and all of its VM interfaces to rdomainid.
up: Start the switch forwarding packets. This is the default.
down: Stop the switch from forwarding packets.

FILES

/etc/vm.conf
/etc/examples/vm.conf

EXAMPLES

Create a new VM with 1GB memory, 1 network interface connected to “uplink”, with one disk image /home/joe/vm2-disk.img, owned by user ‘joe’:

vm "vm2.example.com" {
	memory 1G
	disk "/home/joe/vm2-disk.img"
	interface { switch "uplink" }
	owner joe
}

Create a new VM as an instance from ‘vm2.example.com’:

vm "vm2.example.com" instance "vm3.example.com" {
	disk "/home/joe/vm3-disk.img"
}

Create the switch "uplink" with an additional physical network interface:

switch "uplink" {
	interface bridge0
}

HISTORY

The vm.conf file format first appeared in OpenBSD 5.9.

AUTHORS

Mike Larkin <mlarkin@openbsd.org> and Reyk Floeter <reyk@openbsd.org>.

CAVEATS

Each guest requires one tap(4) device per assigned interface and one pty(4) device. Administrators may need to create additional devices using MAKEDEV(8).