NAME

vm.conf — virtual machine configuration

DESCRIPTION

vm.conf is the configuration file for the virtual machine monitor, vmm(4), which is responsible for creating, destroying, and executing virtual machines (VMs).

vm.conf is divided into the following main sections:

Macros: Definitions of variables that can be used later, simplifying the configuration file.
Global configuration: Global settings for vmd(8).
VM configuration and VM instances: Configuration for each individual virtual machine.
Switch configuration: Configuration for virtual switches.

The current line can be extended over multiple lines using a backslash (‘\’). Comments can be put anywhere in the file using a hash mark (‘#’) and extend to the end of the current line. Care should be taken when commenting out multi-line text: the comment is effective until the end of the entire block.

Arguments not beginning with a letter, digit, underscore, or slash must be quoted.

Additional configuration files can be included with the include keyword, for example:

include "/etc/vm1.example.com.conf"

Macros

A macro is defined with a command of the form name=value. The macro name can contain letters, digits, and underscores and cannot be a reserved word (for example, vm, memory, or disk). Within unquoted arguments, the string $name is later expanded to value.

For example:

ramdisk="/bsd.rd"
vm "vm1.example.com" {
	memory 512M
	boot $ramdisk
}

Global configuration

The following settings can be configured globally:

agentx [context context] [path socket]: Export vm metrics via an AgentX compatible snmpd(8) by connecting to the socket. Metrics can be found under the vmMIB subtree (mib-2.236). If socket is omitted it defaults to /var/agentx/master. context is the SNMPv3 context and can usually be omitted.
local prefix address/prefix: Set the IPv4 network prefix that is used to allocate subnets for local interfaces, see local interface in the VM configuration section below. The default is 100.64.0.0/10.
local inet6 [prefix address/prefix]: Enable IPv6 on local interfaces and allocate routable subnets. If the prefix is not specified, a random prefix from the “unique local” network range fd00::/8 is generated on startup. The specified prefix length must be /64 or smaller.
socket owner user:group: Set the vmd(8) control socket owner to the specified user and group. Users with access to the control socket are allowed to use vmctl(8) for restricted access to vmd(8). If only user is given, only the user is set. If only :group is given, only the group is set. The default is root:wheel.
staggered start parallel parallelism delay delay: Start all configured VMs in a staggered fashion with parallelism instances in parallel every delay seconds. Defaults to parallelism equal to number of online CPUs and a delay of 30 seconds.

VM configuration

Each vm section starts with the declaration of a virtual machine name:

vm name {...}: The name starts with a letter and can contain alphanumeric characters, dots (‘.’), dashes (‘-’), and underscores (‘_’). Typically this is a hostname.

The block enclosed in curly braces can contain the following parameters:

allow instance {...}

Set the permissions to create VM instances.

boot path

Kernel or BIOS image to load when booting the VM. If not specified, the default is to boot using the BIOS image in /etc/firmware/vmm-bios.

boot device device

Force VM to boot from device. Valid values are:

cdrom: Boot the ISO image file specified using the cdrom parameter.
disk: Boot from the disk image file specified using the disk parameter.
net: Boot the kernel specified using the boot parameter as if the VM was network booted. In addition, the DHCP lease advertises “auto_install” in the bootfile option making it suitable for use with autoinstall(8). Note, this is not to be confused with pxeboot(8) but rather a simulated network boot.

Currently disk and cdrom only work with VMs booted using BIOS.

cdrom path

ISO image file.

enable

Automatically start the VM. This is the default if neither enable nor disable is specified.

disable

Do not automatically start this VM.

disk path [format fmt]

Disk image file (may be specified multiple times to add multiple disk images). The format may be specified as either qcow2 (a sparse file format which reduces storage) or raw. If left unspecified, the format defaults to raw if it cannot be derived automatically.

[local] interface [name] [{...}]

Network interface to add to the VM. The optional name can be either tap to select the next available tap(4) interface on the VM host side (the default) or tapN to select a specific one.

Valid options are:

group group-name: Assign the interface to a specific interface “group”. For example, this can be used to write pf.conf(5) rules for several VM interfaces in the same group. The group-name must not be longer than 15 characters or end with a digit, as described in ifconfig(8).
[locked] lladdr [etheraddr]: Change the link layer address (MAC address) of the interface on the VM guest side. If not specified, a randomized address is assigned by vmd(8). If the locked keyword is specified, vmd(8) drops packets from the VM with altered source addresses.
rdomain rdomainid: Attach the interface to the routing domain with the specified rdomainid. If attaching to a switch that also has an rdomainid set, the rdomainid configured for the interface takes precedence.
switch name: Set the virtual switch by name. See the Switch configuration section about virtual switches. This option is ignored if a switch with a matching name cannot be found.
up: Start the interface forwarding packets. This is the default.
down: Stop the interface from forwarding packets.

A local interface auto-generates an IPv4 subnet for the interface, configures a gateway address on the VM host side, and runs a simple DHCP/BOOTP server for the VM. This option can be used for layer 3 mode without configuring a switch.

If the global local inet6 option is enabled, a routable IPv6 gateway address is generated on the host side. Unlike the IPv4 option, vmd(8) does not respond to DHCPv6 or router solicitation messages itself. Use rad(8) listening on the interface group, e.g. interface tap for auto-configuring the VMs accordingly.

interfaces count

Optional minimum number of network interfaces to add to the VM. If the count is greater than the number of interface statements, additional default interfaces are added.

memory bytes

Memory size of the VM in bytes, rounded to megabytes. A scale multiplier can be used as described in scan_scaled(3). The default is 512M.

owner user:group

Set the owner of the VM to the specified user and group. The owner is allowed to start or stop the VM, pause or unpause the VM, and open the VM's console. If only user is given, only the user is set. If only :group is given, only the group is set.

sev

Enables AMD Secure Encrypted Virtualization (SEV) for the guest. vmd(8) uses psp(4) to configure the guest for SEV.

seves

Enables AMD Encrypted State (SEV-ES) for the guest. This implicitly enables SEV, too.

VM instances

It is possible to use configured or running VMs as a template for additional instances of the VM. An instance is just like a normal vm and is configured with the following declaration of the virtual machine name:

vm parent instance name {...}: A virtual machine can be created as an instance of any other configured VM.

The new instance inherits settings from the VM parent, except for exclusive options such as disk, interface lladdr, or interface name. The configuration options are identical to the VM configuration, but restricted to the allowed instance options.

The allowed instance options are configured in the parent VM:

allow instance {...}: Allow users to use this VM as a template for VM instances. By default, the root user can always create instances without restrictions and users or non-root owners cannot create instances. An instance inherits the configuration from the VM and the user, if permitted, is allowed to configure individual VM options.

Valid options are:

boot: Allow user to configure the kernel or BIOS image. The user needs read access to the image.
cdrom: Allow user to configure the ISO file. The user needs read access to the file.
disk: Allow user to configure the disk images. The user needs read and write access to image and instances are not allowed to reuse disks from the parent VM.
instance: Allow user to create additional instances from the instances.
interface: Allow user to change network interface settings.
memory: Allow user to configure the memory size.
owner user[:group]: Allow the specified user or group to create the instances. The owner is allowed to create VM instances, start or stop the instances, pause or unpause the instances, and open the instances' consoles.
owner :group: Set the owner to the specified group.

Switch configuration

A virtual switch allows VMs to communicate with other network interfaces on the host system via either bridge(4) or veb(4). The network interface for each virtual switch defined in vm.conf is pre-configured using hostname.if(5) or ifconfig(8) (see the BRIDGE and VEB sections in ifconfig(8) accordingly). When a VM is started, virtual network interfaces which are assigned to a virtual switch have their tap(4) interface automatically added into the corresponding bridge(4) or veb(4) interface underlying the virtual switch.

Virtual switches can be configured at any point in the configuration file. Each switch section starts with a declaration of the virtual switch:

switch name {...}: This name can be any string, and is typically a network name.

The block enclosed in curly braces can contain the following parameters:

enable: Automatically configure the switch. This is the default if neither enable nor disable is specified.
locked lladdr: If this option is specified, vmd(8) drops packets with altered source addresses that do not match the link layer addresses (MAC addresses) of the VM interfaces in this switch.
disable: Do not automatically configure this switch.
group group-name: Assign each interface to a specific interface “group”. For example, this can be used to write pf.conf(5) rules for several VM interfaces in the same group. The group-name must not be longer than 15 characters or end with a digit, as described in ifconfig(8).
interface name: Set the bridge(4) or veb(4) network interface of this switch.
rdomain rdomainid: Set the routing domain of the switch and all of its VM interfaces to rdomainid.
up: Start the switch forwarding packets. This is the default.
down: Stop the switch from forwarding packets.

FILES

/etc/vm.conf: default vmd(8) and vmctl(8) configuration file
/etc/examples/vm.conf: example configuration file
/var/run/vmd.sock: Unix domain socket(2) where vmd(8) listens
/etc/firmware/vmm-bios: default BIOS image for booting
/var/agentx/master: default Unix domain socket(2) where snmpd(8) listens

EXAMPLES

Create a new VM with 1GB memory, 1 network interface connected to “uplink”, with one disk image /home/joe/vm2-disk.img, owned by user ‘joe’:

vm "vm2.example.com" {
	memory 1G
	disk "/home/joe/vm2-disk.img"
	interface { switch "uplink" }
	owner joe
}

Create a new VM as an instance from ‘vm2.example.com’:

vm "vm2.example.com" instance "vm3.example.com" {
	disk "/home/joe/vm3-disk.img"
}

Create the switch "uplink" with an additional physical network interface:

switch "uplink" {
	interface bridge0
}

HISTORY

The vm.conf file format first appeared in OpenBSD 5.9.

AUTHORS

Mike Larkin <mlarkin@openbsd.org> and Reyk Floeter <reyk@openbsd.org>.

CAVEATS

Each guest requires one tap(4) device per assigned interface and one pty(4) device. Administrators may need to create additional devices using MAKEDEV(8).