1 QEMU.1(1) QEMU.1(1)
2
3
4
6 qemu-doc - QEMU version 4.2.0 User Documentation
7
9 qemu-system-x86_64 [options] [disk_image]
10
12 The QEMU PC System emulator simulates the following peripherals:
13
14 - i440FX host PCI bridge and PIIX3 PCI to ISA bridge
15
16 - Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA
17 extensions (hardware level, including all non standard modes).
18
19 - PS/2 mouse and keyboard
20
21 - 2 PCI IDE interfaces with hard disk and CD-ROM support
22
23 - Floppy disk
24
25 - PCI and ISA network adapters
26
27 - Serial ports
28
29 - IPMI BMC, either an internal or external one
30
31 - Creative SoundBlaster 16 sound card
32
33 - ENSONIQ AudioPCI ES1370 sound card
34
35 - Intel 82801AA AC97 Audio compatible sound card
36
37 - Intel HD Audio Controller and HDA codec
38
39 - Adlib (OPL2) - Yamaha YM3812 compatible chip
40
41 - Gravis Ultrasound GF1 sound card
42
43 - CS4231A compatible sound card
44
45 - PCI UHCI, OHCI, EHCI or XHCI USB controller and a virtual USB-1.1
46 hub.
47
48 SMP is supported with up to 255 CPUs.
49
50 QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs
51 LGPL VGA BIOS.
52
53 QEMU uses YM3812 emulation by Tatsuyuki Satoh.
54
55 QEMU uses GUS emulation (GUSEMU32 <http://www.deinmeister.de/gusemu/>)
56 by Tibor "TS" Schütz.
57
58 Note that, by default, GUS shares IRQ(7) with parallel ports and so
59 QEMU must be told to not have parallel ports to have working GUS.
60
61 qemu-system-x86_64 dos.img -soundhw gus -parallel none
62
63 Alternatively:
64
65 qemu-system-x86_64 dos.img -device gus,irq=5
66
67 Or some other unclaimed IRQ.
68
69 CS4231A is the chip used in Windows Sound System and GUSMAX products.
70
72 disk_image is a raw hard disk image for IDE hard disk 0. Some targets
73 do not need a disk image.
74
75 Standard options
76
77 -h Display help and exit
78
79 -version
80 Display version information and exit
81
82 -machine [type=]name[,prop=value[,...]]
83 Select the emulated machine by name. Use "-machine help" to list
84 available machines.
85
86 For architectures which aim to support live migration compatibility
87 across releases, each release will introduce a new versioned
88 machine type. For example, the 2.8.0 release introduced machine
89 types "pc-i440fx-2.8" and "pc-q35-2.8" for the x86_64/i686
90 architectures.
91
92 To allow live migration of guests from QEMU version 2.8.0, to QEMU
93 version 2.9.0, the 2.9.0 version must support the "pc-i440fx-2.8"
94 and "pc-q35-2.8" machines too. To allow users live migrating VMs to
95 skip multiple intermediate releases when upgrading, new releases of
96 QEMU will support machine types from many previous versions.
97
98 Supported machine properties are:
99
100 accel=accels1[:accels2[:...]]
101 This is used to enable an accelerator. Depending on the target
102 architecture, kvm, xen, hax, hvf, whpx or tcg can be available.
103 By default, tcg is used. If there is more than one accelerator
104 specified, the next one is used if the previous one fails to
105 initialize.
106
107 kernel_irqchip=on|off
108 Controls in-kernel irqchip support for the chosen accelerator
109 when available.
110
111 gfx_passthru=on|off
112 Enables IGD GFX passthrough support for the chosen machine when
113 available.
114
115 vmport=on|off|auto
116 Enables emulation of the VMware IO port, for vmmouse etc. auto says
117 to select the value based on accel. For accel=xen the default
118 is off; otherwise the default is on.
119
120 kvm_shadow_mem=size
121 Defines the size of the KVM shadow MMU.
122
123 dump-guest-core=on|off
124 Include guest memory in a core dump. The default is on.
125
126 mem-merge=on|off
127 Enables or disables memory merge support. This feature, when
128 supported by the host, de-duplicates identical memory pages
129 among VM instances (enabled by default).
130
131 aes-key-wrap=on|off
132 Enables or disables AES key wrapping support on s390-ccw hosts.
133 This feature controls whether AES wrapping keys will be created
134 to allow execution of AES cryptographic functions. The default
135 is on.
136
137 dea-key-wrap=on|off
138 Enables or disables DEA key wrapping support on s390-ccw hosts.
139 This feature controls whether DEA wrapping keys will be created
140 to allow execution of DEA cryptographic functions. The default
141 is on.
142
143 nvdimm=on|off
144 Enables or disables NVDIMM support. The default is off.
145
146 enforce-config-section=on|off
147 If enforce-config-section is set to on, force migration code to
148 send configuration section even if the machine-type sets the
149 migration.send-configuration property to off. NOTE: this
150 parameter is deprecated. Please use -global
151 migration.send-configuration=on|off instead.
152
153 memory-encryption=
154 Memory encryption object to use. The default is none.
155
156 -cpu model
157 Select CPU model ("-cpu help" for list and additional feature
158 selection)
159
160 -accel name[,prop=value[,...]]
161 This is used to enable an accelerator. Depending on the target
162 architecture, kvm, xen, hax, hvf, whpx or tcg can be available. By
163 default, tcg is used. If there is more than one accelerator
164 specified, the next one is used if the previous one fails to
165 initialize.
166
167 thread=single|multi
168 Controls the number of TCG threads. When TCG is multi-threaded
169 there will be one thread per vCPU, therefore taking advantage of
170 additional host cores. The default is to enable multi-threading
171 where both the back-end and front-ends support it and no
172 incompatible TCG features have been enabled (e.g.
173 icount/replay).
174
175 -smp
176 [cpus=]n[,cores=cores][,threads=threads][,dies=dies][,sockets=sockets][,maxcpus=maxcpus]
177 Simulate an SMP system with n CPUs. On the PC target, up to 255
178 CPUs are supported. On Sparc32 target, Linux limits the number of
179 usable CPUs to 4. For the PC target, the number of cores per die,
180 the number of threads per core, the number of dies per package
181 and the total number of sockets can be specified. Missing values
182 will be computed. If any of the three values is given, the total
183 number of CPUs n can be omitted. maxcpus specifies the maximum
184 number of hotpluggable CPUs.
185
186 -numa node[,mem=size][,cpus=firstcpu[-lastcpu]][,nodeid=node]
187 -numa node[,memdev=id][,cpus=firstcpu[-lastcpu]][,nodeid=node]
188 -numa dist,src=source,dst=destination,val=distance
189 -numa cpu,node-id=node[,socket-id=x][,core-id=y][,thread-id=z]
190 Define a NUMA node and assign RAM and VCPUs to it. Set the NUMA
191 distance from a source node to a destination node.
192
193 Legacy VCPU assignment uses the cpus option, where firstcpu and lastcpu
194 are CPU indexes. Each cpus option represents a contiguous range of
195 CPU indexes (or a single VCPU if lastcpu is omitted). A non-
196 contiguous set of VCPUs can be represented by providing multiple
197 cpus options. If cpus is omitted on all nodes, VCPUs are
198 automatically split between them.
199
200 For example, the following option assigns VCPUs 0, 1, 2 and 5 to a
201 NUMA node:
202
203 -numa node,cpus=0-2,cpus=5
204
205 The cpu option is a new alternative to the cpus option which uses
206 socket-id|core-id|thread-id properties to assign CPU objects to a
207 node using topology layout properties of the CPU. The set of
208 properties is machine specific, and depends on the machine
209 type/smp options used. It can be queried with the hotpluggable-cpus
210 monitor command. The node-id property specifies the node to which the CPU
211 object will be assigned; the node must be declared with the
212 node option before it is used with the cpu option.
213
214 For example:
215
216 -M pc \
217 -smp 1,sockets=2,maxcpus=2 \
218 -numa node,nodeid=0 -numa node,nodeid=1 \
219 -numa cpu,node-id=0,socket-id=0 -numa cpu,node-id=1,socket-id=1
220
221 mem assigns a given RAM amount to a node. memdev assigns RAM from a
222 given memory backend device to a node. If mem and memdev are
223 omitted in all nodes, RAM is split equally between them.
224
225 mem and memdev are mutually exclusive. Furthermore, if one node
226 uses memdev, all of them have to use it.
227
228 source and destination are NUMA node IDs. distance is the NUMA
229 distance from source to destination. The distance from a node to
230 itself is always 10. If any pair of nodes is given a distance, then
231 all pairs must be given distances. Although, when distances are
232 only given in one direction for each pair of nodes, then the
233 distances in the opposite directions are assumed to be the same.
234 If, however, an asymmetrical pair of distances is given for even
235 one node pair, then all node pairs must be provided distance values
236 for both directions, even when they are symmetrical. When a node is
237 unreachable from another node, set the pair's distance to 255.
238
239 Note that the -numa option doesn't allocate any of the specified
240 resources, it just assigns existing resources to NUMA nodes. This
241 means that one still has to use the -m, -smp options to allocate
242 RAM and VCPUs respectively.
243
244 -add-fd fd=fd,set=set[,opaque=opaque]
245 Add a file descriptor to an fd set. Valid options are:
246
247 fd=fd
248 This option defines the file descriptor of which a duplicate is
249 added to fd set. The file descriptor cannot be stdin, stdout,
250 or stderr.
251
252 set=set
253 This option defines the ID of the fd set to add the file
254 descriptor to.
255
256 opaque=opaque
257 This option defines a free-form string that can be used to
258 describe fd.
259
260 You can open an image using pre-opened file descriptors from an fd
261 set:
262
263 qemu-system-x86_64 \
264 -add-fd fd=3,set=2,opaque="rdwr:/path/to/file" \
265 -add-fd fd=4,set=2,opaque="rdonly:/path/to/file" \
266 -drive file=/dev/fdset/2,index=0,media=disk
267
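How a launcher can prepare the descriptors for the -add-fd example above, as an added example that is not part of the QEMU documentation: it opens the image once per access mode, keeps the descriptors clear of stdin/stdout/stderr as -add-fd requires, and hands only the descriptors to QEMU, so the QEMU process does not have to open the path itself. The function names, the `qemu_binary` parameter and the default set ID are assumptions made for this sketch.

```python
import fcntl
import os
import subprocess
import sys


def _above_stdio(fd):
    """-add-fd rejects stdin, stdout and stderr, so move a 0-2 descriptor to >= 3."""
    if fd > 2:
        return fd
    moved = fcntl.fcntl(fd, fcntl.F_DUPFD_CLOEXEC, 3)
    os.close(fd)
    return moved


def open_fdset(image_path, set_id):
    """Open image_path read-write and read-only; return (fds, qemu_args).

    The opaque string is free-form; the "rdwr:/rdonly:" labels mirror the
    page's example. A comma inside the path is doubled so that QEMU's option
    parser does not treat it as an option separator.
    """
    escaped = image_path.replace(",", ",,")
    fds, args = [], []
    try:
        for label, flags in (("rdwr", os.O_RDWR), ("rdonly", os.O_RDONLY)):
            fd = _above_stdio(os.open(image_path, flags | os.O_CLOEXEC))
            fds.append(fd)
            args += ["-add-fd", f"fd={fd},set={set_id},opaque={label}:{escaped}"]
    except OSError:
        # Do not leak descriptors if the second open fails.
        for fd in fds:
            os.close(fd)
        raise
    args += ["-drive", f"file=/dev/fdset/{set_id},index=0,media=disk"]
    return fds, args


def launch(qemu_binary, image_path, set_id=2):
    """Start QEMU with the fd set; only the listed descriptors are inherited."""
    fds, args = open_fdset(image_path, set_id)
    try:
        # pass_fds keeps exactly these descriptors open in the child, under
        # the same numbers that were written into the -add-fd arguments.
        return subprocess.Popen([qemu_binary, *args], pass_fds=fds)
    finally:
        # The parent's copies are no longer needed once the child exists.
        for fd in fds:
            os.close(fd)


if __name__ == "__main__":
    # Usage: script.py <qemu binary> <image path>
    launch(sys.argv[1], sys.argv[2]).wait()
```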
268 -set group.id.arg=value
269 Set parameter arg for item id of type group
270
271 -global driver.prop=value
272 -global driver=driver,property=property,value=value
273 Set default value of driver's property prop to value, e.g.:
274
275 qemu-system-x86_64 -global ide-hd.physical_block_size=4096 disk-image.img
276
277 In particular, you can use this to set driver properties for
278 devices which are created automatically by the machine model. To
279 create a device which is not created automatically and set
280 properties on it, use -device.
281
282 -global driver.prop=value is shorthand for -global
283 driver=driver,property=prop,value=value. The longhand syntax works
284 even when driver contains a dot.
285
286 -boot
287 [order=drives][,once=drives][,menu=on|off][,splash=sp_name][,splash-time=sp_time][,reboot-timeout=rb_timeout][,strict=on|off]
288 Specify boot order drives as a string of drive letters. Valid drive
289 letters depend on the target architecture. The x86 PC uses: a, b
290 (floppy 1 and 2), c (first hard disk), d (first CD-ROM), n-p
291 (Etherboot from network adapter 1-4), hard disk boot is the
292 default. To apply a particular boot order only on the first
293 startup, specify it via once. Note that the order or once parameter
294 should not be used together with the bootindex property of devices,
295 since the firmware implementations normally do not support both at
296 the same time.
297
298 Interactive boot menus/prompts can be enabled via menu=on as far as
299 firmware/BIOS supports them. The default is non-interactive boot.
300
301 A splash picture can be passed to the BIOS, enabling the user to show it
302 as a logo, when option splash=sp_name is given and menu=on, if the
303 firmware/BIOS supports them. Currently SeaBIOS for x86 systems
304 supports it. Limitation: the splash file can be a JPEG file or a
305 BMP file in 24 BPP format (true color). The resolution should be
306 supported by the SVGA mode, so the recommended resolutions are 320x240,
307 640x480, 800x640.
308
309 A timeout can be passed to the BIOS; the guest will pause for rb_timeout
310 ms when boot fails, then reboot. If reboot-timeout is not set, the
311 guest will not reboot by default. Currently SeaBIOS for x86 systems
312 supports it.
313
314 Do strict boot via strict=on as far as firmware/BIOS supports it.
315 This only takes effect when boot priority is changed by bootindex
316 options. The default is non-strict boot.
317
318 # try to boot from network first, then from hard disk
319 qemu-system-x86_64 -boot order=nc
320 # boot from CD-ROM first, switch back to default order after reboot
321 qemu-system-x86_64 -boot once=d
322 # boot with a splash picture for 5 seconds.
323 qemu-system-x86_64 -boot menu=on,splash=/root/boot.bmp,splash-time=5000
324
325 Note: The legacy format '-boot drives' is still supported but its
326 use is discouraged as it may be removed from future versions.
327
328 -m [size=]megs[,slots=n,maxmem=size]
329 Sets guest startup RAM size to megs megabytes. Default is 128 MiB.
330 Optionally, a suffix of "M" or "G" can be used to signify a value
331 in megabytes or gigabytes respectively. Optional pair slots, maxmem
332 could be used to set amount of hotpluggable memory slots and
333 maximum amount of memory. Note that maxmem must be aligned to the
334 page size.
335
336 For example, the following command-line sets the guest startup RAM
337 size to 1GB, creates 3 slots to hotplug additional memory and sets
338 the maximum memory the guest can reach to 4GB:
339
340 qemu-system-x86_64 -m 1G,slots=3,maxmem=4G
341
342 If slots and maxmem are not specified, memory hotplug won't be
343 enabled and the guest startup RAM will never increase.
344
345 -mem-path path
346 Allocate guest RAM from a temporarily created file in path.
347
348 -mem-prealloc
349 Preallocate memory when using -mem-path.
350
351 -k language
352 Use keyboard layout language (for example "fr" for French). This
353 option is only needed where it is not easy to get raw PC keycodes
354 (e.g. on Macs, with some X11 servers or with a VNC or curses
355 display). You don't normally need to use it on PC/Linux or
356 PC/Windows hosts.
357
358 The available layouts are:
359
360 ar de-ch es fo fr-ca hu ja mk no pt-br sv
361 da en-gb et fr fr-ch is lt nl pl ru th
362 de en-us fi fr-be hr it lv nl-be pt sl tr
363
364 The default is "en-us".
365
366 -audio-help
367 Will show the -audiodev equivalent of the currently specified
368 (deprecated) environment variables.
369
370 -audiodev [driver=]driver,id=id[,prop[=value][,...]]
371 Adds a new audio backend driver identified by id. There are global
372 and driver specific properties. Some values can be set differently
373 for input and output, they're marked with "in|out.". You can set
374 the input's property with "in.prop" and the output's property with
375 "out.prop". For example:
376
377 -audiodev alsa,id=example,in.frequency=44110,out.frequency=8000
378 -audiodev alsa,id=example,out.channels=1 # leaves in.channels unspecified
379
380 NOTE: parameter validation is known to be incomplete, in many cases
381 specifying an invalid option causes QEMU to print an error message
382 and continue emulation without sound.
383
384 Valid global options are:
385
386 id=identifier
387 Identifies the audio backend.
388
389 timer-period=period
390 Sets the timer period used by the audio subsystem in
391 microseconds. Default is 10000 (10 ms).
392
393 in|out.mixing-engine=on|off
394 Use QEMU's mixing engine to mix all streams inside QEMU and
395 convert audio formats when not supported by the backend. When
396 off, fixed-settings must be off too. Note that disabling this
397 option means that the selected backend must support multiple
398 streams and the audio formats used by the virtual cards,
399 otherwise you'll get no sound. It's not recommended to disable
400 this option unless you want to use 5.1 or 7.1 audio, as mixing
401 engine only supports mono and stereo audio. Default is on.
402
403 in|out.fixed-settings=on|off
404 Use fixed settings for host audio. When off, it will change
405 based on how the guest opens the sound card. In this case you
406 must not specify frequency, channels or format. Default is on.
407
408 in|out.frequency=frequency
409 Specify the frequency to use when using fixed-settings.
410 Default is 44100Hz.
411
412 in|out.channels=channels
413 Specify the number of channels to use when using fixed-
414 settings. Default is 2 (stereo).
415
416 in|out.format=format
417 Specify the sample format to use when using fixed-settings.
418 Valid values are: "s8", "s16", "s32", "u8", "u16", "u32".
419 Default is "s16".
420
421 in|out.voices=voices
422 Specify the number of voices to use. Default is 1.
423
424 in|out.buffer-length=usecs
425 Sets the size of the buffer in microseconds.
426
427 -audiodev none,id=id[,prop[=value][,...]]
428 Creates a dummy backend that discards all outputs. This backend
429 has no backend specific properties.
430
431 -audiodev alsa,id=id[,prop[=value][,...]]
432 Creates backend using the ALSA. This backend is only available on
433 Linux.
434
435 ALSA specific options are:
436
437 in|out.dev=device
438 Specify the ALSA device to use for input and/or output.
439 Default is "default".
440
441 in|out.period-length=usecs
442 Sets the period length in microseconds.
443
444 in|out.try-poll=on|off
445 Attempt to use poll mode with the device. Default is on.
446
447 threshold=threshold
448 Threshold (in microseconds) when playback starts. Default is
449 0.
450
451 -audiodev coreaudio,id=id[,prop[=value][,...]]
452 Creates a backend using Apple's Core Audio. This backend is only
453 available on Mac OS and only supports playback.
454
455 Core Audio specific options are:
456
457 in|out.buffer-count=count
458 Sets the count of the buffers.
459
460 -audiodev dsound,id=id[,prop[=value][,...]]
461 Creates a backend using Microsoft's DirectSound. This backend is
462 only available on Windows and only supports playback.
463
464 DirectSound specific options are:
465
466 latency=usecs
467 Add extra usecs microseconds latency to playback. Default is
468 10000 (10 ms).
469
470 -audiodev oss,id=id[,prop[=value][,...]]
471 Creates a backend using OSS. This backend is available on most
472 Unix-like systems.
473
474 OSS specific options are:
475
476 in|out.dev=device
477 Specify the file name of the OSS device to use. Default is
478 "/dev/dsp".
479
480 in|out.buffer-count=count
481 Sets the count of the buffers.
482
483 in|out.try-poll=on|off
484 Attempt to use poll mode with the device. Default is on.
485
486 try-mmap=on|off
487 Try using memory mapped device access. Default is off.
488
489 exclusive=on|off
490 Open the device in exclusive mode (vmix won't work in this
491 case). Default is off.
492
493 dsp-policy=policy
494 Sets the timing policy (between 0 and 10, where smaller number
495 means smaller latency but higher CPU usage). Use -1 to use
496 buffer sizes specified by "buffer" and "buffer-count". This
497 option is ignored if you do not have OSS 4. Default is 5.
498
499 -audiodev pa,id=id[,prop[=value][,...]]
500 Creates a backend using PulseAudio. This backend is available on
501 most systems.
502
503 PulseAudio specific options are:
504
505 server=server
506 Sets the PulseAudio server to connect to.
507
508 in|out.name=sink
509 Use the specified source/sink for recording/playback.
510
511 in|out.latency=usecs
512 Desired latency in microseconds. The PulseAudio server will
513 try to honor this value but actual latencies may be lower or
514 higher.
515
516 -audiodev sdl,id=id[,prop[=value][,...]]
517 Creates a backend using SDL. This backend is available on most
518 systems, but you should use your platform's native backend if
519 possible. This backend has no backend specific properties.
520
521 -audiodev spice,id=id[,prop[=value][,...]]
522 Creates a backend that sends audio through SPICE. This backend
523 requires "-spice" and is automatically selected in that case, so
524 usually you can ignore this option. This backend has no backend
525 specific properties.
526
527 -audiodev wav,id=id[,prop[=value][,...]]
528 Creates a backend that writes audio to a WAV file.
529
530 Backend specific options are:
531
532 path=path
533 Write recorded audio into the specified file. Default is
534 "qemu.wav".
535
536 -soundhw card1[,card2,...] or -soundhw all
537 Enable audio and selected sound hardware. Use 'help' to print all
538 available sound hardware. For example:
539
540 qemu-system-x86_64 -soundhw sb16,adlib disk.img
541 qemu-system-x86_64 -soundhw es1370 disk.img
542 qemu-system-x86_64 -soundhw ac97 disk.img
543 qemu-system-x86_64 -soundhw hda disk.img
544 qemu-system-x86_64 -soundhw all disk.img
545 qemu-system-x86_64 -soundhw help
546
547 Note that Linux's i810_audio OSS kernel (for AC97) module might
548 require manually specifying clocking.
549
550 modprobe i810_audio clocking=48000
551
552 -device driver[,prop[=value][,...]]
553 Add device driver. prop=value sets driver properties. Valid
554 properties depend on the driver. To get help on possible drivers
555 and properties, use "-device help" and "-device driver,help".
556
557 Some drivers are:
558
559 -device
560 ipmi-bmc-sim,id=id[,slave_addr=val][,sdrfile=file][,fruareasize=val][,frudatafile=file][,guid=uuid]
561 Add an IPMI BMC. This is a simulation of a hardware management
562 interface processor that normally sits on a system. It provides a
563 watchdog and the ability to reset and power control the system.
564 You need to connect this to an IPMI interface to make it useful.
565
566 The IPMI slave address to use for the BMC. The default is 0x20.
567 This address is the BMC's address on the I2C network of management
568 controllers. If you don't know what this means, it is safe to
569 ignore it.
570
571 id=id
572 The BMC id for interfaces to use this device.
573
574 slave_addr=val
575 Define slave address to use for the BMC. The default is 0x20.
576
577 sdrfile=file
578 file containing raw Sensor Data Records (SDR) data. The default
579 is none.
580
581 fruareasize=val
582 size of a Field Replaceable Unit (FRU) area. The default is
583 1024.
584
585 frudatafile=file
586 file containing raw Field Replaceable Unit (FRU) inventory
587 data. The default is none.
588
589 guid=uuid
590 value for the GUID for the BMC, in standard UUID format. If
591 this is set, the "Get GUID" command to the BMC will return it.
592 Otherwise "Get GUID" will return an error.
593
594 -device ipmi-bmc-extern,id=id,chardev=id[,slave_addr=val]
595 Add a connection to an external IPMI BMC simulator. Instead of
596 locally emulating the BMC like the above item, connect to
597 an external entity that provides the IPMI services.
598
599 A connection is made to an external BMC simulator. If you do this,
600 it is strongly recommended that you use the "reconnect=" chardev
601 option to reconnect to the simulator if the connection is lost.
602 Note that if this is not used carefully, it can be a security
603 issue, as the interface has the ability to send resets, NMIs, and
604 power off the VM. It's best if QEMU makes a connection to an
605 external simulator running on a secure port on localhost, so
606 neither the simulator nor QEMU is exposed to any outside network.
607
608 See the "lanserv/README.vm" file in the OpenIPMI library for more
609 details on the external interface.
610
611 -device isa-ipmi-kcs,bmc=id[,ioport=val][,irq=val]
612 Add a KCS IPMI interface on the ISA bus. This also adds
613 corresponding ACPI and SMBIOS entries, if appropriate.
614
615 bmc=id
616 The BMC to connect to, one of ipmi-bmc-sim or ipmi-bmc-extern
617 above.
618
619 ioport=val
620 Define the I/O address of the interface. The default is 0xca0
621 for KCS.
622
623 irq=val
624 Define the interrupt to use. The default is 5. To disable
625 interrupts, set this to 0.
626
627 -device isa-ipmi-bt,bmc=id[,ioport=val][,irq=val]
628 Like the KCS interface, but defines a BT interface. The default
629 port is 0xe4 and the default interrupt is 5.
630
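A check for the ipmi-bmc-extern guidance above (connect out to a simulator on localhost and set "reconnect="), as an added example that is not part of the QEMU documentation. It parses a QEMU command line and reports external BMC devices whose chardev deviates from that guidance; the finding names, the sample command lines, port 9002 and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed command lines: GOOD follows the guidance, WEAK does not.
GOOD = ("qemu-system-x86_64 "
        "-chardev socket,id=ipmi0,host=localhost,port=9002,reconnect=10 "
        "-device ipmi-bmc-extern,id=bmc0,chardev=ipmi0 "
        "-device isa-ipmi-kcs,bmc=bmc0")
WEAK = ("qemu-system-x86_64 "
        "-chardev socket,id=ipmi0,host=192.0.2.10,port=9002 "
        "-device ipmi-bmc-extern,id=bmc0,chardev=ipmi0 "
        "-device isa-ipmi-kcs,bmc=bmc0")


def split_opts(optstr):
    """Split a QEMU option string on commas; a doubled comma is a literal one."""
    parts, cur, i = [], "", 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":
                cur += ","
                i += 2
                continue
            parts.append(cur)
            cur = ""
        else:
            cur += optstr[i]
        i += 1
    parts.append(cur)
    return parts


def parse_opts(optstr, implied_key):
    """Return a dict; the first bare word gets implied_key, later ones mean on."""
    opts = {}
    for n, item in enumerate(split_opts(optstr)):
        key, sep, value = item.partition("=")
        if not sep:
            if n == 0:
                key, value = implied_key, item
            else:
                value = "on"
        opts[key] = value
    return opts


def is_loopback(host):
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames are not resolved here; treated as remote


def audit_ipmi_extern(cmdline):
    """Return a list of (bmc id, finding) for every ipmi-bmc-extern device."""
    argv = shlex.split(cmdline)
    chardevs, bmcs = {}, []
    for flag, value in zip(argv, argv[1:]):
        if flag == "-chardev":
            opts = parse_opts(value, "backend")
            chardevs[opts.get("id")] = opts
        elif flag == "-device":
            opts = parse_opts(value, "driver")
            if opts.get("driver") == "ipmi-bmc-extern":
                bmcs.append(opts)
    findings = []
    for bmc in bmcs:
        bmc_id = bmc.get("id")
        cd = chardevs.get(bmc.get("chardev"))
        if cd is None:
            findings.append((bmc_id, "chardev-not-defined"))
            continue
        if cd.get("backend") != "socket":
            findings.append((bmc_id, "unverified-backend"))
            continue
        if cd.get("server", "off") == "on":
            # QEMU listens instead of making the connection itself.
            findings.append((bmc_id, "qemu-listens"))
        if "path" not in cd and not is_loopback(cd.get("host", "")):
            findings.append((bmc_id, "non-loopback-host"))
        if cd.get("reconnect", "0") in ("", "0"):
            findings.append((bmc_id, "no-reconnect"))
    return findings


if __name__ == "__main__":
    for name, line in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_ipmi_extern(line))
```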
631 -name name
632 Sets the name of the guest. This name will be displayed in the SDL
633 window caption. The name will also be used for the VNC server.
634 Also optionally set the top visible process name in Linux. Naming
635 of individual threads can also be enabled on Linux to aid
636 debugging.
637
638 -uuid uuid
639 Set system UUID.
640
641 Block device options
642
643 -fda file
644 -fdb file
645 Use file as floppy disk 0/1 image.
646
647 -hda file
648 -hdb file
649 -hdc file
650 -hdd file
651 Use file as hard disk 0, 1, 2 or 3 image.
652
653 -cdrom file
654 Use file as CD-ROM image (you cannot use -hdc and -cdrom at the
655 same time). You can use the host CD-ROM by using /dev/cdrom as
656 filename.
657
658 -blockdev option[,option[,option[,...]]]
659 Define a new block driver node. Some of the options apply to all
660 block drivers, other options are only accepted for a specific block
661 driver. See below for a list of generic options and options for the
662 most common block drivers.
663
664 Options that expect a reference to another node (e.g. "file") can
665 be given in two ways. Either you specify the node name of an
666 already existing node (file=node-name), or you define a new node
667 inline, adding options for the referenced node after a dot
668 (file.filename=path,file.aio=native).
669
670 A block driver node created with -blockdev can be used for a guest
671 device by specifying its node name for the "drive" property in a
672 -device argument that defines a block device.
673
674 Valid options for any block driver node:
675 "driver"
676 Specifies the block driver to use for the given node.
677
678 "node-name"
679 This defines the name of the block driver node by which it
680 will be referenced later. The name must be unique, i.e. it
681 must not match the name of a different block driver node,
682 or (if you use -drive as well) the ID of a drive.
683
684 If no node name is specified, it is automatically
685 generated. The generated node name is not intended to be
686 predictable and changes between QEMU invocations. For the
687 top level, an explicit node name must be specified.
688
689 "read-only"
690 Open the node read-only. Guest write attempts will fail.
691
692 Note that some block drivers support only read-only access,
693 either generally or in certain configurations. In this
694 case, the default value read-only=off does not work and the
695 option must be specified explicitly.
696
697 "auto-read-only"
698 If auto-read-only=on is set, QEMU may fall back to read-
699 only usage even when read-only=off is requested, or even
700 switch between modes as needed, e.g. depending on whether
701 the image file is writable or whether a writing user is
702 attached to the node.
703
704 "force-share"
705 Override the image locking system of QEMU by forcing the
706 node to utilize weaker shared access for permissions where
707 it would normally request exclusive access. When there is
708 the potential for multiple instances to have the same file
709 open (whether this invocation of QEMU is the first or the
710 second instance), both instances must permit shared access
711 for the second instance to succeed at opening the file.
712
713 Enabling force-share=on requires read-only=on.
714
715 "cache.direct"
716 The host page cache can be avoided with cache.direct=on.
717 This will attempt to do disk IO directly to the guest's
718 memory. QEMU may still perform an internal copy of the
719 data.
720
721 "cache.no-flush"
722 In case you don't care about data integrity over host
723 failures, you can use cache.no-flush=on. This option tells
724 QEMU that it never needs to write any data to the disk but
725 can instead keep things in cache. If anything goes wrong,
726 like your host losing power, the disk storage getting
727 disconnected accidentally, etc. your image will most
728 probably be rendered unusable.
729
730 "discard=discard"
731 discard is one of "ignore" (or "off") or "unmap" (or "on")
732 and controls whether "discard" (also known as "trim" or
733 "unmap") requests are ignored or passed to the filesystem.
734 Some machine types may not support discard requests.
735
736 "detect-zeroes=detect-zeroes"
737 detect-zeroes is "off", "on" or "unmap" and enables the
738 automatic conversion of plain zero writes by the OS to
739 driver specific optimized zero write commands. You may even
740 choose "unmap" if discard is set to "unmap" to allow a zero
741 write to be converted to an "unmap" operation.
742
743 Driver-specific options for "file"
744 This is the protocol-level block driver for accessing regular
745 files.
746
747 "filename"
748 The path to the image file in the local filesystem
749
750 "aio"
751 Specifies the AIO backend (threads/native, default:
752 threads)
753
754 "locking"
755 Specifies whether the image file is protected with Linux
756 OFD / POSIX locks. The default is to use the Linux Open
757 File Descriptor API if available, otherwise no lock is
758 applied. (auto/on/off, default: auto)
759
760 Example:
761
762 -blockdev driver=file,node-name=disk,filename=disk.img
763
764 Driver-specific options for "raw"
765 This is the image format block driver for raw images. It is
766 usually stacked on top of a protocol level block driver such as
767 "file".
768
769 "file"
770 Reference to or definition of the data source block driver
771 node (e.g. a "file" driver node)
772
773 Example 1:
774
775 -blockdev driver=file,node-name=disk_file,filename=disk.img
776 -blockdev driver=raw,node-name=disk,file=disk_file
777
778 Example 2:
779
780 -blockdev driver=raw,node-name=disk,file.driver=file,file.filename=disk.img
781
782 Driver-specific options for "qcow2"
783 This is the image format block driver for qcow2 images. It is
784 usually stacked on top of a protocol level block driver such as
785 "file".
786
787 "file"
788 Reference to or definition of the data source block driver
789 node (e.g. a "file" driver node)
790
791 "backing"
792 Reference to or definition of the backing file block device
793 (default is taken from the image file). It is allowed to
794 pass "null" here in order to disable the default backing
795 file.
796
797 "lazy-refcounts"
798 Whether to enable the lazy refcounts feature (on/off;
799 default is taken from the image file)
800
801 "cache-size"
802 The maximum total size of the L2 table and refcount block
803 caches in bytes (default: the sum of l2-cache-size and
804 refcount-cache-size)
805
806 "l2-cache-size"
807 The maximum size of the L2 table cache in bytes (default:
808 if cache-size is not specified - 32M on Linux platforms,
809 and 8M on non-Linux platforms; otherwise, as large as
810 possible within the cache-size, while permitting the
811 requested or the minimal refcount cache size)
812
813 "refcount-cache-size"
814 The maximum size of the refcount block cache in bytes
815 (default: 4 times the cluster size; or if cache-size is
816 specified, the part of it which is not used for the L2
817 cache)
818
819 "cache-clean-interval"
820 Clean unused entries in the L2 and refcount caches. The
821 interval is in seconds. The default value is 600 on
822 supporting platforms, and 0 on other platforms. Setting it
823 to 0 disables this feature.
824
825 "pass-discard-request"
826 Whether discard requests to the qcow2 device should be
827 forwarded to the data source (on/off; default: on if
828 discard=unmap is specified, off otherwise)
829
830 "pass-discard-snapshot"
831 Whether discard requests for the data source should be
832 issued when a snapshot operation (e.g. deleting a snapshot)
833 frees clusters in the qcow2 file (on/off; default: on)
834
835 "pass-discard-other"
836 Whether discard requests for the data source should be
837 issued on other occasions where a cluster gets freed
838 (on/off; default: off)
839
840 "overlap-check"
841 Which overlap checks to perform for writes to the image
842 (none/constant/cached/all; default: cached). For details or
843 finer granularity control refer to the QAPI documentation
844 of "blockdev-add".
845
846 Example 1:
847
848 -blockdev driver=file,node-name=my_file,filename=/tmp/disk.qcow2
849 -blockdev driver=qcow2,node-name=hda,file=my_file,overlap-check=none,cache-size=16777216
850
851 Example 2:
852
853 -blockdev driver=qcow2,node-name=disk,file.driver=http,file.filename=http://example.com/image.qcow2
854
855 Driver-specific options for other drivers
856 Please refer to the QAPI documentation of the "blockdev-add"
857 QMP command.
858
859 -drive option[,option[,option[,...]]]
860 Define a new drive. This includes creating a block driver node (the
861 backend) as well as a guest device, and is mostly a shortcut for
862 defining the corresponding -blockdev and -device options.
863
864 -drive accepts all options that are accepted by -blockdev. In
865 addition, it knows the following options:
866
867 file=file
868 This option defines which disk image to use with this drive. If
869 the filename contains a comma, you must double it (for instance,
870 "file=my,,file" to use file "my,file").
871
872 Special files such as iSCSI devices can be specified using
873 protocol specific URLs. See the section for "Device URL Syntax"
874 for more information.
875
876 if=interface
877 This option defines the type of interface the drive is
878 connected to. Available types are: ide, scsi, sd, mtd, floppy,
879 pflash, virtio, none.
880
881 bus=bus,unit=unit
882 These options define where the drive is connected by specifying
883 the bus number and the unit id.
884
885 index=index
886 This option defines where the drive is connected by using an
887 index in the list of available connectors of a given interface
888 type.
889
890 media=media
891 This option defines the type of the media: disk or cdrom.
892
893 snapshot=snapshot
894 snapshot is "on" or "off" and controls snapshot mode for the
895 given drive (see -snapshot).
896
897 cache=cache
898 cache is "none", "writeback", "unsafe", "directsync" or
899 "writethrough" and controls how the host cache is used to
900 access block data. This is a shortcut that sets the
901 cache.direct and cache.no-flush options (as in -blockdev), and
902 additionally cache.writeback, which provides a default for the
903 write-cache option of block guest devices (as in -device). The
904 modes correspond to the following settings:
905
906              │ cache.writeback   cache.direct   cache.no-flush
907 ─────────────┼─────────────────────────────────────────────────
908 writeback    │ on                off            off
909 none         │ on                on             off
910 writethrough │ off               off            off
911 directsync   │ off               on             off
912 unsafe       │ on                off            on
913
914 The default mode is cache=writeback.
915
916 aio=aio
917 aio is "threads" or "native" and selects between pthread based
918 disk I/O and native Linux AIO.
919
920 format=format
921 Specify which disk format will be used rather than detecting
922 the format. Can be used to specify format=raw to avoid
923 interpreting an untrusted format header.
924
925 werror=action,rerror=action
926 Specify which action to take on write and read errors. Valid
927 actions are: "ignore" (ignore the error and try to continue),
928 "stop" (pause QEMU), "report" (report the error to the guest),
929 "enospc" (pause QEMU only if the host disk is full; report the
930 error to the guest otherwise). The default setting is
931 werror=enospc and rerror=report.
932
933 copy-on-read=copy-on-read
934 copy-on-read is "on" or "off" and controls whether to copy read
935 backing file sectors into the image file.
936
937 bps=b,bps_rd=r,bps_wr=w
938 Specify bandwidth throttling limits in bytes per second, either
939 for all request types or for reads or writes only. Small
940 values can lead to timeouts or hangs inside the guest. A safe
941 minimum for disks is 2 MB/s.
942
943 bps_max=bm,bps_rd_max=rm,bps_wr_max=wm
944 Specify bursts in bytes per second, either for all request
945 types or for reads or writes only. Bursts allow the guest I/O
946 to spike above the limit temporarily.
947
948 iops=i,iops_rd=r,iops_wr=w
949 Specify request rate limits in requests per second, either for
950 all request types or for reads or writes only.
951
952 iops_max=bm,iops_rd_max=rm,iops_wr_max=wm
953 Specify bursts in requests per second, either for all request
954 types or for reads or writes only. Bursts allow the guest I/O
955 to spike above the limit temporarily.
956
957 iops_size=is
958 Let every is bytes of a request count as a new request for iops
959 throttling purposes. Use this option to prevent guests from
960 circumventing iops limits by sending fewer but larger requests.
961
962 group=g
963 Join a throttling quota group with given name g. All drives
964 that are members of the same group are accounted for together.
965 Use this option to prevent guests from circumventing throttling
966 limits by using many small disks instead of a single larger
967 disk.
968
969 By default, the cache.writeback=on mode is used. It will report
970 data writes as completed as soon as the data is present in the host
971 page cache. This is safe as long as your guest OS makes sure to
972 correctly flush disk caches where needed. If your guest OS does not
973 handle volatile disk write caches correctly and your host crashes
974 or loses power, then the guest may experience data corruption.
975
976 For such guests, you should consider using cache.writeback=off.
977 This means that the host page cache will be used to read and write
978 data, but write notification will be sent to the guest only after
979 QEMU has made sure to flush each write to the disk. Be aware that
980 this has a major impact on performance.
981
982 When using the -snapshot option, unsafe caching is always used.
983
984 Copy-on-read avoids accessing the same backing file sectors
985 repeatedly and is useful when the backing file is over a slow
986 network. By default copy-on-read is off.
987
988 Instead of -cdrom you can use:
989
990 qemu-system-x86_64 -drive file=file,index=2,media=cdrom
991
992 Instead of -hda, -hdb, -hdc, -hdd, you can use:
993
994 qemu-system-x86_64 -drive file=file,index=0,media=disk
995 qemu-system-x86_64 -drive file=file,index=1,media=disk
996 qemu-system-x86_64 -drive file=file,index=2,media=disk
997 qemu-system-x86_64 -drive file=file,index=3,media=disk
998
999 You can open an image using pre-opened file descriptors from an fd
1000 set:
1001
1002 qemu-system-x86_64 \
1003 -add-fd fd=3,set=2,opaque="rdwr:/path/to/file" \
1004 -add-fd fd=4,set=2,opaque="rdonly:/path/to/file" \
1005 -drive file=/dev/fdset/2,index=0,media=disk
1006
1007 You can connect a CDROM to the slave of ide0:
1008
1009 qemu-system-x86_64 -drive file=file,if=ide,index=1,media=cdrom
1010
1011 If you don't specify the "file=" argument, you define an empty
1012 drive:
1013
1014 qemu-system-x86_64 -drive if=ide,index=1,media=cdrom
1015
1016 Instead of -fda, -fdb, you can use:
1017
1018 qemu-system-x86_64 -drive file=file,index=0,if=floppy
1019 qemu-system-x86_64 -drive file=file,index=1,if=floppy
1020
1021 By default, interface is "ide" and index is automatically
1022 incremented:
1023
1024 qemu-system-x86_64 -drive file=a -drive file=b
1025
1026 is interpreted like:
1027
1028 qemu-system-x86_64 -hda a -hdb b
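
The following Python sketch is an added example, not part of the QEMU documentation or source. It parses a -drive option string (including the doubled-comma escape), expands cache= into the three cache.* settings from the table above, and reports the settings this section warns about; the function names and finding codes are illustrative, and the image paths in the test inputs are constructed.

```python
# Added example: audit a -drive option string against the rules described above.
# All helper names are illustrative; this is not QEMU code.

# cache= shortcut -> (cache.writeback, cache.direct, cache.no-flush),
# taken from the table in the cache=cache description.
CACHE_MODES = {
    "writeback":    ("on",  "off", "off"),
    "none":         ("on",  "on",  "off"),
    "writethrough": ("off", "off", "off"),
    "directsync":   ("off", "on",  "off"),
    "unsafe":       ("on",  "off", "on"),
}


def split_options(optstr):
    """Split on single commas; a doubled comma (",,") is a literal comma."""
    parts, cur, i = [], [], 0
    while i < len(optstr):
        if optstr.startswith(",,", i):      # escaped comma inside a value
            cur.append(",")
            i += 2
        elif optstr[i] == ",":              # option separator
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(optstr[i])
            i += 1
    parts.append("".join(cur))
    return [p for p in parts if p]


def parse_drive(optstr):
    """Return {option: value}; bare flags map to "on"."""
    opts = {}
    for part in split_options(optstr):
        key, sep, value = part.partition("=")
        opts[key] = value if sep else "on"
    return opts


def effective_cache(opts):
    """Expand cache= into the three cache.* settings (default: writeback)."""
    mode = opts.get("cache", "writeback")
    if mode not in CACHE_MODES:
        raise ValueError("unknown cache mode: %r" % mode)
    return dict(zip(("cache.writeback", "cache.direct", "cache.no-flush"),
                    CACHE_MODES[mode]))


def audit_drive(optstr):
    """Return (options, effective cache settings, list of finding codes)."""
    opts = parse_drive(optstr)
    cache = effective_cache(opts)
    findings = []
    # Without format= (or the -blockdev style driver=) the format is detected
    # from the image header, which an untrusted image controls.
    if "file" in opts and "format" not in opts and "driver" not in opts:
        findings.append("format-probed")
    # cache=unsafe is the only shortcut that turns cache.no-flush on.
    if cache["cache.no-flush"] == "on":
        findings.append("no-flush")
    # "ignore" continues after an I/O error instead of pausing or reporting.
    if "ignore" in (opts.get("werror"), opts.get("rerror")):
        findings.append("errors-ignored")
    # iops limits without iops_size can be circumvented by sending fewer
    # but larger requests.
    if any(k in opts for k in ("iops", "iops_rd", "iops_wr")) \
            and "iops_size" not in opts:
        findings.append("iops-size-unset")
    return opts, cache, findings


if __name__ == "__main__":
    # Constructed sample command-line fragments.
    for sample in ("file=/var/lib/images/guest.img,if=virtio,cache=unsafe,iops=200",
                   "file=my,,disk.img,format=raw,cache=none,iops=200,iops_size=65536"):
        print(sample, "->", audit_drive(sample)[2])
```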
1029
1030 -mtdblock file
1031 Use file as on-board Flash memory image.
1032
1033 -sd file
1034 Use file as SecureDigital card image.
1035
1036 -pflash file
1037 Use file as a parallel flash image.
1038
1039 -snapshot
1040 Write to temporary files instead of disk image files. In this case,
1041 the raw disk image you use is not written back. You can however
1042 force the write back by pressing C-a s.
1043
1044 -fsdev local,id=id,path=path,security_model=security_model
1045 [,writeout=writeout][,readonly][,fmode=fmode][,dmode=dmode]
1046 [,throttling.option=value[,throttling.option=value[,...]]]
1047 -fsdev proxy,id=id,socket=socket[,writeout=writeout][,readonly]
1048 -fsdev proxy,id=id,sock_fd=sock_fd[,writeout=writeout][,readonly]
1049 -fsdev synth,id=id[,readonly]
1050 Define a new file system device. Valid options are:
1051
1052 local
1053 Accesses to the filesystem are done by QEMU.
1054
1055 proxy
1056 Accesses to the filesystem are done by virtfs-proxy-helper(1).
1057
1058 synth
1059 Synthetic filesystem, only used by QTests.
1060
1061 id=id
1062 Specifies identifier for this device.
1063
1064 path=path
1065 Specifies the export path for the file system device. Files
1066 under this path will be available to the 9p client on the
1067 guest.
1068
1069 security_model=security_model
1070 Specifies the security model to be used for this export path.
1071 Supported security models are "passthrough", "mapped-xattr",
1072 "mapped-file" and "none". In "passthrough" security model,
1073 files are stored using the same credentials as they are created
1074 on the guest. This requires QEMU to run as root. In "mapped-
1075 xattr" security model, some of the file attributes like uid,
1076 gid, mode bits and link target are stored as file attributes.
1077 For "mapped-file" these attributes are stored in the hidden
1078 .virtfs_metadata directory. Directories exported by this
1079 security model cannot interact with other unix tools. "none"
1080 security model is the same as passthrough except the server won't
1081 report failures if it fails to set file attributes like
1082 ownership. Security model is mandatory only for local fsdriver.
1083 Other fsdrivers (like proxy) don't take security model as a
1084 parameter.
1085
1086 writeout=writeout
1087 This is an optional argument. The only supported value is
1088 "immediate". This means that host page cache will be used to
1089 read and write data but write notification will be sent to the
1090 guest only when the data has been reported as written by the
1091 storage subsystem.
1092
1093 readonly
1094 Enables exporting 9p share as a readonly mount for guests. By
1095 default read-write access is given.
1096
1097 socket=socket
1098 Enables proxy filesystem driver to use passed socket file for
1099 communicating with virtfs-proxy-helper(1).
1100
1101 sock_fd=sock_fd
1102 Enables proxy filesystem driver to use passed socket descriptor
1103 for communicating with virtfs-proxy-helper(1). Usually a helper
1104 like libvirt will create socketpair and pass one of the fds as
1105 sock_fd.
1106
1107 fmode=fmode
1108 Specifies the default mode for newly created files on the host.
1109 Works only with security models "mapped-xattr" and "mapped-
1110 file".
1111
1112 dmode=dmode
1113 Specifies the default mode for newly created directories on the
1114 host. Works only with security models "mapped-xattr" and
1115 "mapped-file".
1116
1117 throttling.bps-total=b,throttling.bps-read=r,throttling.bps-write=w
1118 Specify bandwidth throttling limits in bytes per second, either
1119 for all request types or for reads or writes only.
1120
1121 throttling.bps-total-max=bm,throttling.bps-read-max=rm,
1121 throttling.bps-write-max=wm
1122 Specify bursts in bytes per second, either for all request
1123 types or for reads or writes only. Bursts allow the guest I/O
1124 to spike above the limit temporarily.
1125
1126 throttling.iops-total=i,throttling.iops-read=r,
1127 throttling.iops-write=w
1128 Specify request rate limits in requests per second, either for
1129 all request types or for reads or writes only.
1130
1131 throttling.iops-total-max=im,throttling.iops-read-max=irm,
1132 throttling.iops-write-max=iwm
1133 Specify bursts in requests per second, either for all request
1134 types or for reads or writes only. Bursts allow the guest I/O
1135 to spike above the limit temporarily.
1136
1137 throttling.iops-size=is
1138 Let every is bytes of a request count as a new request for iops
1139 throttling purposes.
1140
1141 -fsdev option is used along with -device driver "virtio-9p-...".
1142
1143 -device virtio-9p-type,fsdev=id,mount_tag=mount_tag
1144 Options for virtio-9p-... driver are:
1145
1146 type
1147 Specifies the variant to be used. Supported values are "pci",
1148 "ccw" or "device", depending on the machine type.
1149
1150 fsdev=id
1151 Specifies the id value specified along with -fsdev option.
1152
1153 mount_tag=mount_tag
1154 Specifies the tag name to be used by the guest to mount this
1155 export point.
1156
1157 -virtfs local,path=path,mount_tag=mount_tag
1158 ,security_model=security_model[,writeout=writeout][,readonly]
1159 [,fmode=fmode][,dmode=dmode][,multidevs=multidevs]
1160 -virtfs proxy,socket=socket,mount_tag=mount_tag
1161 [,writeout=writeout][,readonly]
1162 -virtfs proxy,sock_fd=sock_fd,mount_tag=mount_tag
1163 [,writeout=writeout][,readonly]
1164 -virtfs synth,mount_tag=mount_tag
1165 Define a new filesystem device and expose it to the guest using a
1166 virtio-9p-device. The general form of the Virtual File system
1167 pass-through options is:
1168
1169 local
1170 Accesses to the filesystem are done by QEMU.
1171
1172 proxy
1173 Accesses to the filesystem are done by virtfs-proxy-helper(1).
1174
1175 synth
1176 Synthetic filesystem, only used by QTests.
1177
1178 id=id
1179 Specifies identifier for the filesystem device
1180
1181 path=path
1182 Specifies the export path for the file system device. Files
1183 under this path will be available to the 9p client on the
1184 guest.
1185
1186 security_model=security_model
1187 Specifies the security model to be used for this export path.
1188 Supported security models are "passthrough", "mapped-xattr",
1189 "mapped-file" and "none". In "passthrough" security model,
1190 files are stored using the same credentials as they are created
1191 on the guest. This requires QEMU to run as root. In "mapped-
1192 xattr" security model, some of the file attributes like uid,
1193 gid, mode bits and link target are stored as file attributes.
1194 For "mapped-file" these attributes are stored in the hidden
1195 .virtfs_metadata directory. Directories exported by this
1196 security model cannot interact with other unix tools. "none"
1197 security model is the same as passthrough except the server won't
1198 report failures if it fails to set file attributes like
1199 ownership. Security model is mandatory only for local fsdriver.
1200 Other fsdrivers (like proxy) don't take security model as a
1201 parameter.
1202
1203 writeout=writeout
1204 This is an optional argument. The only supported value is
1205 "immediate". This means that host page cache will be used to
1206 read and write data but write notification will be sent to the
1207 guest only when the data has been reported as written by the
1208 storage subsystem.
1209
1210 readonly
1211 Enables exporting 9p share as a readonly mount for guests. By
1212 default read-write access is given.
1213
1214 socket=socket
1215 Enables proxy filesystem driver to use passed socket file for
1216 communicating with virtfs-proxy-helper(1). Usually a helper
1217 like libvirt will create socketpair and pass one of the fds as
1218 sock_fd.
1219
1220 sock_fd
1221 Enables proxy filesystem driver to use passed 'sock_fd' as the
1222 socket descriptor for interfacing with virtfs-proxy-helper(1).
1223
1224 fmode=fmode
1225 Specifies the default mode for newly created files on the host.
1226 Works only with security models "mapped-xattr" and "mapped-
1227 file".
1228
1229 dmode=dmode
1230 Specifies the default mode for newly created directories on the
1231 host. Works only with security models "mapped-xattr" and
1232 "mapped-file".
1233
1234 mount_tag=mount_tag
1235 Specifies the tag name to be used by the guest to mount this
1236 export point.
1237
1238 multidevs=multidevs
1239 Specifies how to deal with multiple devices being shared with a
1240 9p export. Supported behaviours are either "remap", "forbid"
1241 or "warn". The latter is the default behaviour in which virtfs
1242 9p expects only one device to be shared with the same export,
1243 and if more than one device is shared and accessed via the same
1244 9p export then only a warning message is logged (once) by qemu
1245 on host side. In order to avoid file ID collisions on guest you
1246 should either create a separate virtfs export for each device
1247 to be shared with guests (recommended way) or you might use
1248 "remap" instead which allows you to share multiple devices with
1249 only one export instead, which is achieved by remapping the
1250 original inode numbers from host to guest in a way that would
1251 prevent such collisions. Remapping inodes in such use cases is
1252 required because the original device IDs from host are never
1253 passed and exposed on guest. Instead all files of an export
1254 shared with virtfs always share the same device id on guest. So
1255 two files with identical inode numbers but from actually
1256 different devices on host would otherwise cause a file ID
1257 collision and hence potential misbehaviours on guest. "forbid"
1258 on the other hand assumes like "warn" that only one device is
1259 shared by the same export, however it will not only log a
1260 warning message but also deny access to additional devices on
1261 guest. Note though that "forbid" does currently not block all
1262 possible file access operations (e.g. readdir() would still
1263 return entries from other devices).
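
The following Python sketch is an added example, not part of the QEMU documentation or source. It checks the options of one 9p export against the security_model, fmode/dmode, readonly and multidevs rules described above; the function names and finding codes are illustrative, the paths in the test inputs are constructed, and it assumes the option string contains no doubled-comma escapes.

```python
# Added example: review the options of a 9p export (-virtfs or -fsdev).
# Function names and finding codes are illustrative; this is not QEMU code.

MAPPED_MODELS = ("mapped-xattr", "mapped-file")
ALL_MODELS = ("passthrough", "none") + MAPPED_MODELS


def parse_export(optstr):
    """Split "fsdriver,key=value,flag,..." into (fsdriver, options).

    Assumption: no doubled-comma escapes; bare flags map to "on".
    """
    fsdriver, *rest = optstr.split(",")
    opts = {}
    for part in filter(None, rest):
        key, sep, value = part.partition("=")
        opts[key] = value if sep else "on"
    return fsdriver, opts


def audit_export(optstr, virtfs=True):
    """Return {finding code: explanation} for one export definition.

    virtfs=False means the string came from -fsdev, whose synopsis above
    does not list multidevs, so that check is skipped.
    """
    fsdriver, opts = parse_export(optstr)
    findings = {}
    model = opts.get("security_model")

    if fsdriver == "local":
        if model is None:
            findings["model-missing"] = "security_model is mandatory for local"
        elif model not in ALL_MODELS:
            findings["model-unknown"] = "unsupported security model %r" % model
        elif model == "passthrough":
            findings["needs-root"] = ("files keep the guest's credentials, "
                                      "which requires QEMU to run as root")
        elif model == "none":
            findings["silent-failures"] = ("like passthrough, but failures to "
                                           "set ownership are not reported")
        # fmode/dmode only take effect with the two mapped models.
        if model not in MAPPED_MODELS:
            for key in ("fmode", "dmode"):
                if key in opts:
                    findings[key + "-ignored"] = (
                        key + " works only with mapped-xattr and mapped-file")
    elif model is not None:
        findings["model-unused"] = "only the local fsdriver takes security_model"

    # Exports are read-write unless readonly is given (synth is test-only).
    if fsdriver != "synth" and "readonly" not in opts:
        findings["read-write"] = "guests get read-write access by default"

    if virtfs and fsdriver == "local":
        multidevs = opts.get("multidevs", "warn")   # "warn" is the default
        if multidevs == "warn":
            findings["multidevs-warn"] = ("a second host device under the "
                                          "export is only logged, once")
        elif multidevs == "forbid":
            findings["multidevs-forbid-partial"] = (
                "readdir() still returns entries from other devices")
    return findings


if __name__ == "__main__":
    # Constructed sample export definitions.
    for sample in (
        "local,path=/srv/share,mount_tag=share,security_model=passthrough,fmode=0600",
        "local,path=/srv/share,mount_tag=share,security_model=mapped-xattr,"
        "readonly,multidevs=remap,fmode=0600,dmode=0700",
    ):
        print(sample)
        for code, why in audit_export(sample).items():
            print("  %-24s %s" % (code, why))
```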
1264
1265 -virtfs_synth
1266 Create synthetic file system image. Note that this option is now
1267 deprecated. Please use "-fsdev synth" and "-device virtio-9p-..."
1268 instead.
1269
1270 -iscsi
1271 Configure iSCSI session parameters.
1272
1273 USB options
1274
1275 -usb
1276 Enable USB emulation on machine types with an on-board USB host
1277 controller (if not enabled by default). Note that on-board USB
1278 host controllers may not support USB 3.0. In this case -device
1279 qemu-xhci can be used instead on machines with PCI.
1280
1281 -usbdevice devname
1282 Add the USB device devname. Note that this option is deprecated,
1283 please use "-device usb-..." instead.
1284
1285 mouse
1286 Virtual Mouse. This will override the PS/2 mouse emulation when
1287 activated.
1288
1289 tablet
1290 Pointer device that uses absolute coordinates (like a
1291 touchscreen). This means QEMU is able to report the mouse
1292 position without having to grab the mouse. Also overrides the
1293 PS/2 mouse emulation when activated.
1294
1295 braille
1296 Braille device. This will use BrlAPI to display the braille
1297 output on a real or fake device.
1298
1299 Display options
1300
1301 -display type
1302 Select type of display to use. This option is a replacement for the
1303 old style -sdl/-curses/... options. Valid values for type are
1304
1305 sdl Display video output via SDL (usually in a separate graphics
1306 window; see the SDL documentation for other possibilities).
1307
1308 curses
1309 Display video output via curses. For graphics device models
1310 which support a text mode, QEMU can display this output using a
1311 curses/ncurses interface. Nothing is displayed when the
1312 graphics device is in graphical mode or if the graphics device
1313 does not support a text mode. Generally only the VGA device
1314 models support text mode. The font charset used by the guest
1315 can be specified with the "charset" option, for example
1316 "charset=CP850" for IBM CP850 encoding. The default is "CP437".
1317
1318 none
1319 Do not display video output. The guest will still see an
1320 emulated graphics card, but its output will not be displayed to
1321 the QEMU user. This option differs from the -nographic option
1322 in that it only affects what is done with video output;
1323 -nographic also changes the destination of the serial and
1324 parallel port data.
1325
1326 gtk Display video output in a GTK window. This interface provides
1327 drop-down menus and other UI elements to configure and control
1328 the VM during runtime.
1329
1330 vnc Start a VNC server on display <arg>
1331
1332 egl-headless
1333 Offload all OpenGL operations to a local DRI device. For any
1334 graphical display, this display needs to be paired with either
1335 VNC or SPICE displays.
1336
1337 spice-app
1338 Start QEMU as a Spice server and launch the default Spice
1339 client application. The Spice server will redirect the serial
1340 consoles and QEMU monitors. (Since 4.0)
1341
1342 -nographic
1343 Normally, if QEMU is compiled with graphical window support, it
1344 displays output such as guest graphics, guest console, and the QEMU
1345 monitor in a window. With this option, you can totally disable
1346 graphical output so that QEMU is a simple command line application.
1347 The emulated serial port is redirected on the console and muxed
1348 with the monitor (unless redirected elsewhere explicitly).
1349 Therefore, you can still use QEMU to debug a Linux kernel with a
1350 serial console. Use C-a h for help on switching between the console
1351 and monitor.
1352
1353 -curses
1354 Normally, if QEMU is compiled with graphical window support, it
1355 displays output such as guest graphics, guest console, and the QEMU
1356 monitor in a window. With this option, QEMU can display the VGA
1357 output when in text mode using a curses/ncurses interface. Nothing
1358 is displayed in graphical mode.
1359
1360 -alt-grab
1361 Use Ctrl-Alt-Shift to grab mouse (instead of Ctrl-Alt). Note that
1362 this also affects the special keys (for fullscreen, monitor-mode
1363 switching, etc).
1364
1365 -ctrl-grab
1366 Use Right-Ctrl to grab mouse (instead of Ctrl-Alt). Note that this
1367 also affects the special keys (for fullscreen, monitor-mode
1368 switching, etc).
1369
1370 -no-quit
1371 Disable SDL window close capability.
1372
1373 -sdl
1374 Enable SDL.
1375
1376 -spice option[,option[,...]]
1377 Enable the spice remote desktop protocol. Valid options are
1378
1379 port=<nr>
1380 Set the TCP port spice is listening on for plaintext channels.
1381
1382 addr=<addr>
1383 Set the IP address spice is listening on. Default is any
1384 address.
1385
1386 ipv4
1387 ipv6
1388 unix
1389 Force using the specified IP version.
1390
1391 password=<secret>
1392 Set the password you need to authenticate.
1393
1394 sasl
1395 Require that the client use SASL to authenticate with the
1396 spice. The exact choice of authentication method used is
1397 controlled from the system / user's SASL configuration file for
1398 the 'qemu' service. This is typically found in
1399 /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user,
1400 an environment variable SASL_CONF_PATH can be used to make it
1401 search alternate locations for the service config. While some
1402 SASL auth methods can also provide data encryption (eg GSSAPI),
1403 it is recommended that SASL always be combined with the 'tls'
1404 and 'x509' settings to enable use of SSL and server
1405 certificates. This ensures data encryption, preventing
1406 compromise of authentication credentials.
1407
1408 disable-ticketing
1409 Allow clients to connect without authentication.
1410
1411 disable-copy-paste
1412 Disable copy paste between the client and the guest.
1413
1414 disable-agent-file-xfer
1415 Disable spice-vdagent based file-xfer between the client and
1416 the guest.
1417
1418 tls-port=<nr>
1419 Set the TCP port spice is listening on for encrypted channels.
1420
1421 x509-dir=<dir>
1422 Set the x509 file directory. Expects same filenames as -vnc
1423 $display,x509=$dir
1424
1425 x509-key-file=<file>
1426 x509-key-password=<file>
1427 x509-cert-file=<file>
1428 x509-cacert-file=<file>
1429 x509-dh-key-file=<file>
1430 The x509 file names can also be configured individually.
1431
1432 tls-ciphers=<list>
1433 Specify which ciphers to use.
1434
1435 tls-channel=[main|display|cursor|inputs|record|playback]
1436 plaintext-channel=[main|display|cursor|inputs|record|playback]
1437 Force specific channel to be used with or without TLS
1438 encryption. The options can be specified multiple times to
1439 configure multiple channels. The special name "default" can be
1440 used to set the default mode. For channels which are not
1441 explicitly forced into one mode the spice client is allowed to
1442 pick tls/plaintext as it pleases.
1443
1444 image-compression=[auto_glz|auto_lz|quic|glz|lz|off]
1445 Configure image compression (lossless). Default is auto_glz.
1446
1447 jpeg-wan-compression=[auto|never|always]
1448 zlib-glz-wan-compression=[auto|never|always]
1449 Configure wan image compression (lossy for slow links).
1450 Default is auto.
1451
1452 streaming-video=[off|all|filter]
1453 Configure video stream detection. Default is off.
1454
1455 agent-mouse=[on|off]
1456 Enable/disable passing mouse events via vdagent. Default is
1457 on.
1458
1459 playback-compression=[on|off]
1460 Enable/disable audio stream compression (using celt 0.5.1).
1461 Default is on.
1462
1463 seamless-migration=[on|off]
1464 Enable/disable spice seamless migration. Default is off.
1465
1466 gl=[on|off]
1467 Enable/disable OpenGL context. Default is off.
1468
1469 rendernode=<file>
1470 DRM render node for OpenGL rendering. If not specified, it will
1471 pick the first available. (Since 2.9)
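
The following Python sketch is an added example, not part of the QEMU documentation or source. It reviews a -spice option string for the exposure points described above: disabled ticketing, listening on any address, channels that are plaintext or left to the client's choice, and SASL without TLS. The function names and finding codes are illustrative, the addresses and paths in the test inputs are constructed, and it assumes a channel can only use a listener (port or tls-port) that is actually configured.

```python
# Added example: review a -spice option string for exposure.
# Function names and finding codes are illustrative; this is not QEMU code.

CHANNELS = ("main", "display", "cursor", "inputs", "record", "playback")


def parse_spice(optstr):
    """Return {option: [values]}; tls-channel/plaintext-channel may repeat."""
    opts = {}
    for part in filter(None, optstr.split(",")):
        key, _, value = part.partition("=")
        opts.setdefault(key, []).append(value)
    return opts


def channel_modes(opts):
    """Map each channel to "tls", "plaintext" or "client-choice".

    Assumption: with only port= every channel is plaintext, with only
    tls-port= every channel is TLS, and with neither there is no TCP listener.
    """
    if "tls-port" not in opts:
        if "port" not in opts:
            return {}
        return dict.fromkeys(CHANNELS, "plaintext")
    if "port" not in opts:
        return dict.fromkeys(CHANNELS, "tls")

    forced_tls = opts.get("tls-channel", [])
    forced_plain = opts.get("plaintext-channel", [])
    # The special name "default" sets the mode for channels not named.
    if "default" in forced_tls:
        default = "tls"
    elif "default" in forced_plain:
        default = "plaintext"
    else:
        default = "client-choice"

    modes = {}
    for channel in CHANNELS:
        if channel in forced_tls:
            modes[channel] = "tls"
        elif channel in forced_plain:
            modes[channel] = "plaintext"
        else:
            modes[channel] = default
    return modes


def audit_spice(optstr):
    """Return {finding code: explanation} for one -spice option string."""
    opts = parse_spice(optstr)
    modes = channel_modes(opts)
    findings = {}

    if "disable-ticketing" in opts:
        findings["no-auth"] = "clients connect without authentication"
    if modes and "addr" not in opts and "unix" not in opts:
        findings["listen-any"] = "no addr= given: listening on any address"

    plain = [c for c, m in modes.items() if m == "plaintext"]
    choice = [c for c, m in modes.items() if m == "client-choice"]
    if plain:
        findings["plaintext"] = "unencrypted channels: " + ", ".join(plain)
    if choice:
        findings["client-choice"] = ("client may pick plaintext for: "
                                     + ", ".join(choice))
    if "sasl" in opts and (plain or choice):
        findings["sasl-without-tls"] = ("SASL is not combined with TLS on "
                                        "every channel")

    if "disable-copy-paste" not in opts:
        findings["clipboard"] = "copy paste between client and guest is on"
    if "disable-agent-file-xfer" not in opts:
        findings["file-xfer"] = "spice-vdagent file transfer is on"
    return findings


if __name__ == "__main__":
    # Constructed sample option strings.
    for sample in ("port=5930,disable-ticketing",
                   "port=5930,tls-port=5931,addr=192.0.2.10,sasl,"
                   "tls-channel=main,tls-channel=inputs"):
        print(sample, "->", sorted(audit_spice(sample)))
```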
1472
1473 -portrait
1474 Rotate graphical output 90 deg left (only PXA LCD).
1475
1476 -rotate deg
1477 Rotate graphical output some deg left (only PXA LCD).
1478
1479 -vga type
1480 Select type of VGA card to emulate. Valid values for type are
1481
1482 cirrus
1483 Cirrus Logic GD5446 Video card. All Windows versions starting
1484 from Windows 95 should recognize and use this graphic card. For
1485 optimal performance, use 16 bit color depth in the guest and
1486 the host OS. (This card was the default before QEMU 2.2)
1487
1488 std Standard VGA card with Bochs VBE extensions. If your guest OS
1489 supports the VESA 2.0 VBE extensions (e.g. Windows XP) and if
1490 you want to use high resolution modes (>= 1280x1024x16) then
1491 you should use this option. (This card is the default since
1492 QEMU 2.2)
1493
1494 vmware
1495 VMWare SVGA-II compatible adapter. Use it if you have
1496 sufficiently recent XFree86/XOrg server or Windows guest with a
1497 driver for this card.
1498
1499 qxl QXL paravirtual graphic card. It is VGA compatible (including
1500 VESA 2.0 VBE support). Works best with qxl guest drivers
1501 installed though. Recommended choice when using the spice
1502 protocol.
1503
1504 tcx (sun4m only) Sun TCX framebuffer. This is the default
1505 framebuffer for sun4m machines and offers both 8-bit and 24-bit
1506 colour depths at a fixed resolution of 1024x768.
1507
1508 cg3 (sun4m only) Sun cgthree framebuffer. This is a simple 8-bit
1509 framebuffer for sun4m machines available in both 1024x768
1510 (OpenBIOS) and 1152x900 (OBP) resolutions aimed at people
1511 wishing to run older Solaris versions.
1512
1513 virtio
1514 Virtio VGA card.
1515
1516 none
1517 Disable VGA card.
1518
1519 -full-screen
1520 Start in full screen.
1521
1522 -g widthxheight[xdepth]
1523 Set the initial graphical resolution and depth (PPC, SPARC only).
1524
1525 -vnc display[,option[,option[,...]]]
1526 Normally, if QEMU is compiled with graphical window support, it
1527 displays output such as guest graphics, guest console, and the QEMU
1528 monitor in a window. With this option, you can have QEMU listen on
1529 VNC display display and redirect the VGA display over the VNC
1530 session. It is very useful to enable the usb tablet device when
1531 using this option (option -device usb-tablet). When using the VNC
1532 display, you must use the -k parameter to set the keyboard layout
1533 if you are not using en-us. Valid syntax for the display is
1534
1535 to=L
1536 With this option, QEMU will try next available VNC displays,
1537 until the number L, if the originally defined "-vnc display" is
1538 not available, e.g. port 5900+display is already used by
1539 another application. By default, to=0.
1540
1541 host:d
1542 TCP connections will only be allowed from host on display d.
1543 By convention the TCP port is 5900+d. Optionally, host can be
1544 omitted in which case the server will accept connections from
1545 any host.
1546
1547 unix:path
1548 Connections will be allowed over UNIX domain sockets where path
1549 is the location of a unix socket to listen for connections on.
1550
1551 none
1552 VNC is initialized but not started. The monitor "change"
1553 command can be used to later start the VNC server.
1554
1555 Following the display value there may be one or more option flags
1556 separated by commas. Valid options are
1557
1558 reverse
1559 Connect to a listening VNC client via a "reverse" connection.
1560 The client is specified by the display. For reverse network
1561 connections (host:d,"reverse"), the d argument is a TCP port
1562 number, not a display number.
1563
1564 websocket
1565 Opens an additional TCP listening port dedicated to VNC
1566 Websocket connections. If a bare websocket option is given,
1567 the Websocket port is 5700+display. An alternative port can be
1568 specified with the syntax "websocket"=port.
1569
1570 If host is specified connections will only be allowed from this
1571 host. It is possible to control the websocket listen address
1572 independently, using the syntax "websocket"=host:port.
1573
1574 If no TLS credentials are provided, the websocket connection
1575 runs in unencrypted mode. If TLS credentials are provided, the
1576 websocket connection requires encrypted client connections.
1577
1578 password
1579 Require that password based authentication is used for client
1580 connections.
1581
1582 The password must be set separately using the "set_password"
1583 command in the pcsys_monitor. The syntax to change your
1584 password is: "set_password <protocol> <password>" where
1585 <protocol> could be either "vnc" or "spice".
1586
1587 If you would like to change <protocol> password expiration, you
1588 should use "expire_password <protocol> <expiration-time>" where
1589 expiration time could be one of the following options: now,
1590 never, +seconds or UNIX time of expiration, e.g. +60 to make
1591 password expire in 60 seconds, or 1335196800 to make password
1592 expire on "Mon Apr 23 12:00:00 EDT 2012" (UNIX time for this
1593 date and time).
1594
1595 You can also use keywords "now" or "never" for the expiration
1596 time to allow <protocol> password to expire immediately or
1597 never expire.
1598
1599 tls-creds=ID
1600 Provides the ID of a set of TLS credentials to use to secure
1601 the VNC server. They will apply to both the normal VNC server
1602 socket and the websocket socket (if enabled). Setting TLS
1603 credentials will cause the VNC server socket to enable the
1604 VeNCrypt auth mechanism. The credentials should have been
1605 previously created using the -object tls-creds argument.
1606
1607 tls-authz=ID
1608 Provides the ID of the QAuthZ authorization object against
1609 which the client's x509 distinguished name will be validated. This
1610 object is only resolved at time of use, so can be deleted and
1611 recreated on the fly while the VNC server is active. If
1612 missing, it will default to denying access.
1613
1614 sasl
1615 Require that the client use SASL to authenticate with the VNC
1616 server. The exact choice of authentication method used is
1617 controlled from the system / user's SASL configuration file for
1618 the 'qemu' service. This is typically found in
1619 /etc/sasl2/qemu.conf. If running QEMU as an unprivileged user,
1620 an environment variable SASL_CONF_PATH can be used to make it
1621 search alternate locations for the service config. While some
1622 SASL auth methods can also provide data encryption (eg GSSAPI),
1623 it is recommended that SASL always be combined with the 'tls'
1624 and 'x509' settings to enable use of SSL and server
1625 certificates. This ensures data encryption, preventing
1626 compromise of authentication credentials. See the vnc_security
1627 section for details on using SASL authentication.
1628
1629 sasl-authz=ID
1630 Provides the ID of the QAuthZ authorization object against
1631 which the client's SASL username will be validated. This object is
1632 only resolved at time of use, so can be deleted and recreated
1633 on the fly while the VNC server is active. If missing, it will
1634 default to denying access.
1635
1636 acl Legacy method for enabling authorization of clients against the
1637 x509 distinguished name and SASL username. It results in the
1638 creation of two "authz-list" objects with IDs of "vnc.username"
1639 and "vnc.x509dname". The rules for these objects must be
1640 configured with the HMP ACL commands.
1641
1642 This option is deprecated and should no longer be used. The new
1643 sasl-authz and tls-authz options are a replacement.
1644
1645 lossy
1646 Enable lossy compression methods (gradient, JPEG, ...). If this
1647 option is set, VNC client may receive lossy framebuffer updates
1648 depending on its encoding settings. Enabling this option can
1649 save a lot of bandwidth at the expense of quality.
1650
1651 non-adaptive
1652 Disable adaptive encodings. Adaptive encodings are enabled by
1653 default. An adaptive encoding will try to detect frequently
1654 updated screen regions, and send updates in these regions using
1655 a lossy encoding (like JPEG). This can be really helpful to
1656 save bandwidth when playing videos. Disabling adaptive
1657 encodings restores the original static behavior of encodings
1658 like Tight.
1659
1660 share=[allow-exclusive|force-shared|ignore]
1661 Set display sharing policy. 'allow-exclusive' allows clients
1662 to ask for exclusive access. As suggested by the rfb spec this
1663 is implemented by dropping other connections. Connecting
1664 multiple clients in parallel requires all clients asking for a
1665 shared session (vncviewer: -shared switch). This is the
1666 default. 'force-shared' disables exclusive client access.
1667 Useful for shared desktop sessions, where you don't want
1668 someone forgetting to specify -shared to disconnect everybody else.
1669 'ignore' completely ignores the shared flag and allows
1670 everybody to connect unconditionally. Doesn't conform to the rfb
1671 spec but is traditional QEMU behavior.
1672
1673 key-delay-ms
1674 Set keyboard delay, for key down and key up events, in
1675 milliseconds. Default is 10. Keyboards are low-bandwidth
1676 devices, so this slowdown can help the device and guest to keep
1677 up and not lose events in case events are arriving in bulk.
1678 Possible causes for the latter are flaky network connections,
1679 or scripts for automated testing.
1680
1681 audiodev=audiodev
1682 Use the specified audiodev when the VNC client requests audio
1683 transmission. When not using an -audiodev argument, this option
1684 must be omitted, otherwise it must be present and specify a
1685 valid audiodev.
1686
1687 i386 target only
1688
1689 -win2k-hack
1690 Use it when installing Windows 2000 to avoid a disk full bug. After
1691 Windows 2000 is installed, you no longer need this option (this
1692 option slows down the IDE transfers).
1693
1694 -no-fd-bootchk
1695 Disable boot signature checking for floppy disks in BIOS. May be
1696 needed to boot from old floppy disks.
1697
1698 -no-acpi
1699 Disable ACPI (Advanced Configuration and Power Interface) support.
1700 Use it if your guest OS complains about ACPI problems (PC target
1701 machine only).
1702
1703 -no-hpet
1704 Disable HPET support.
1705
1706 -acpitable
1707 [sig=str][,rev=n][,oem_id=str][,oem_table_id=str][,oem_rev=n]
1708 [,asl_compiler_id=str][,asl_compiler_rev=n][,data=file1[:file2]...]
1709 Add ACPI table with specified header fields and context from
1710 specified files. For file=, take whole ACPI table from the
1711 specified files, including all ACPI headers (possibly overridden by
1712 other options). For data=, only data portion of the table is used,
1713 all header information is specified in the command line. If a SLIC
1714 table is supplied to QEMU, then the SLIC's oem_id and oem_table_id
1715 fields will override the same in the RSDT and the FADT (a.k.a.
1716 FACP), in order to ensure the fields match those required by the
1717 Microsoft SLIC spec and the ACPI spec.
1718
1719 -smbios file=binary
1720 Load SMBIOS entry from binary file.
1721
1722 -smbios
1723 type=0[,vendor=str][,version=str][,date=str][,release=%d.%d][,uefi=on|off]
1724 Specify SMBIOS type 0 fields
1725
1726 -smbios
1727 type=1[,manufacturer=str][,product=str][,version=str][,serial=str][,uuid=uuid][,sku=str][,family=str]
1728 Specify SMBIOS type 1 fields
1729
1730 -smbios
1731 type=2[,manufacturer=str][,product=str][,version=str][,serial=str][,asset=str][,location=str]
1732 Specify SMBIOS type 2 fields
1733
1734 -smbios
1735 type=3[,manufacturer=str][,version=str][,serial=str][,asset=str][,sku=str]
1736 Specify SMBIOS type 3 fields
1737
1738 -smbios
1739 type=4[,sock_pfx=str][,manufacturer=str][,version=str][,serial=str][,asset=str][,part=str]
1740 Specify SMBIOS type 4 fields
1741
1742 -smbios
1743 type=17[,loc_pfx=str][,bank=str][,manufacturer=str][,serial=str][,asset=str][,part=str][,speed=%d]
1744 Specify SMBIOS type 17 fields
1745
1746 Network options
1747
1748 -nic
1749 [tap|bridge|user|l2tpv3|vde|netmap|vhost-user|socket][,...][,mac=macaddr][,model=mn]
1750 This option is a shortcut for configuring both the on-board
1751 (default) guest NIC hardware and the host network backend in one
1752 go. The host backend options are the same as with the corresponding
1753 -netdev options below. The guest NIC model can be set with
1754 model=modelname. Use model=help to list the available device
1755 types. The hardware MAC address can be set with mac=macaddr.
1756
1757 The following two examples do exactly the same, to show how -nic can
1758 be used to shorten the command line length (note that the e1000 is
1759 the default on i386, so the model=e1000 parameter could even be
1760 omitted here, too):
1761
1762 qemu-system-x86_64 -netdev user,id=n1,ipv6=off -device e1000,netdev=n1,mac=52:54:98:76:54:32
1763 qemu-system-x86_64 -nic user,ipv6=off,model=e1000,mac=52:54:98:76:54:32
1764
1765 -nic none
1766 Indicate that no network devices should be configured. It is used
1767 to override the default configuration (default NIC with "user" host
1768 network backend) which is activated if no other networking options
1769 are provided.
1770
1771 -netdev user,id=id[,option][,option][,...]
1772 Configure user mode host network backend which requires no
1773 administrator privilege to run. Valid options are:
1774
1775 id=id
1776 Assign symbolic name for use in monitor commands.
1777
1778 ipv4=on|off and ipv6=on|off
1779 Specify that either IPv4 or IPv6 must be enabled. If neither is
1780 specified both protocols are enabled.
1781
1782 net=addr[/mask]
1783 Set IP network address the guest will see. Optionally specify
1784 the netmask, either in the form a.b.c.d or as number of valid
1785 top-most bits. Default is 10.0.2.0/24.
1786
1787 host=addr
1788 Specify the guest-visible address of the host. Default is the
1789 2nd IP in the guest network, i.e. x.x.x.2.
1790
1791 ipv6-net=addr[/int]
1792 Set IPv6 network address the guest will see (default is
1793 fec0::/64). The network prefix is given in the usual
1794 hexadecimal IPv6 address notation. The prefix size is optional,
1795 and is given as the number of valid top-most bits (default is
1796 64).
1797
1798 ipv6-host=addr
1799 Specify the guest-visible IPv6 address of the host. Default is
1800 the 2nd IPv6 in the guest network, i.e. xxxx::2.
1801
1802 restrict=on|off
1803 If this option is enabled, the guest will be isolated, i.e. it
1804 will not be able to contact the host and no guest IP packets
1805 will be routed over the host to the outside. This option does
1806 not affect any explicitly set forwarding rules.
1807
1808 hostname=name
1809 Specifies the client hostname reported by the built-in DHCP
1810 server.
1811
1812 dhcpstart=addr
1813 Specify the first of the 16 IPs the built-in DHCP server can
1814 assign. Default is the 15th to 31st IP in the guest network,
1815 i.e. x.x.x.15 to x.x.x.31.
1816
1817 dns=addr
1818 Specify the guest-visible address of the virtual nameserver.
1819 The address must be different from the host address. Default is
1820 the 3rd IP in the guest network, i.e. x.x.x.3.
1821
1822 ipv6-dns=addr
1823 Specify the guest-visible address of the IPv6 virtual
1824 nameserver. The address must be different from the host
1825 address. Default is the 3rd IP in the guest network, i.e.
1826 xxxx::3.
1827
1828 dnssearch=domain
1829 Provides an entry for the domain-search list sent by the built-
1830 in DHCP server. More than one domain suffix can be transmitted
1831 by specifying this option multiple times. If supported, this
1832 will cause the guest to automatically try to append the given
1833 domain suffix(es) in case a domain name can not be resolved.
1834
1835 Example:
1836
1837 qemu-system-x86_64 -nic user,dnssearch=mgmt.example.org,dnssearch=example.org
1838
1839 domainname=domain
1840 Specifies the client domain name reported by the built-in DHCP
1841 server.
1842
1843 tftp=dir
1844 When using the user mode network stack, activate a built-in
1845 TFTP server. The files in dir will be exposed as the root of a
1846 TFTP server. The TFTP client on the guest must be configured
1847 in binary mode (use the command "bin" of the Unix TFTP client).
1848
1849 tftp-server-name=name
1850 In BOOTP reply, broadcast name as the "TFTP server name"
1851 (RFC2132 option 66). This can be used to advise the guest to
1852 load boot files or configurations from a different server than
1853 the host address.
1854
1855 bootfile=file
1856 When using the user mode network stack, broadcast file as the
1857 BOOTP filename. In conjunction with tftp, this can be used to
1858 network boot a guest from a local directory.
1859
1860 Example (using pxelinux):
1861
1862 qemu-system-x86_64 -hda linux.img -boot n -device e1000,netdev=n1 \
1863 -netdev user,id=n1,tftp=/path/to/tftp/files,bootfile=/pxelinux.0
1864
1865 smb=dir[,smbserver=addr]
1866 When using the user mode network stack, activate a built-in SMB
1867 server so that Windows OSes can access the host files in dir
1868 transparently. The IP address of the SMB server can be set to
1869 addr. By default the 4th IP in the guest network is used, i.e.
1870 x.x.x.4.
1871
1872 In the guest Windows OS, the line:
1873
1874 10.0.2.4 smbserver
1875
1876 must be added in the file C:\WINDOWS\LMHOSTS (for Windows
1877 9x/Me) or C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS (Windows
1878 NT/2000).
1879
1880 Then dir can be accessed in \\smbserver\qemu.
1881
1882 Note that a SAMBA server must be installed on the host OS.
1883
1884 hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
1885 Redirect incoming TCP or UDP connections to the host port
1886 hostport to the guest IP address guestaddr on guest port
1887 guestport. If guestaddr is not specified, its value is x.x.x.15
1888 (default first address given by the built-in DHCP server). By
1889 specifying hostaddr, the rule can be bound to a specific host
1890 interface. If no connection type is set, TCP is used. This
1891 option can be given multiple times.
1892
1893 For example, to redirect host X11 connection from screen 1 to
1894 guest screen 0, use the following:
1895
1896 # on the host
1897 qemu-system-x86_64 -nic user,hostfwd=tcp:127.0.0.1:6001-:6000
1898 # this host xterm should open in the guest X11 server
1899 xterm -display :1
1900
1901 To redirect telnet connections from host port 5555 to telnet
1902 port on the guest, use the following:
1903
1904 # on the host
1905 qemu-system-x86_64 -nic user,hostfwd=tcp::5555-:23
1906 telnet localhost 5555
1907
1908 Then when you use on the host "telnet localhost 5555", you
1909 connect to the guest telnet server.
1910
1911 guestfwd=[tcp]:server:port-dev
1912 guestfwd=[tcp]:server:port-cmd:command
1913 Forward guest TCP connections to the IP address server on port
1914 port to the character device dev or to a program executed by
1915 cmd:command which gets spawned for each connection. This option
1916 can be given multiple times.
1917
1918 You can either use a chardev directly and have that one used
1919 throughout QEMU's lifetime, like in the following example:
1920
1921 # open 10.10.1.1:4321 on bootup, connect 10.0.2.100:1234 to it whenever
1922 # the guest accesses it
1923 qemu-system-x86_64 -nic user,guestfwd=tcp:10.0.2.100:1234-tcp:10.10.1.1:4321
1924
1925 Or you can execute a command on every TCP connection
1926 established by the guest, so that QEMU behaves similarly to an
1927 inetd process for that virtual server:
1928
1929 # call "netcat 10.10.1.1 4321" on every TCP connection to 10.0.2.100:1234
1930 # and connect the TCP stream to its stdin/stdout
1931 qemu-system-x86_64 -nic 'user,id=n1,guestfwd=tcp:10.0.2.100:1234-cmd:netcat 10.10.1.1 4321'
1932
1933 -netdev
1934 tap,id=id[,fd=h][,ifname=name][,script=file][,downscript=dfile][,br=bridge][,helper=helper]
1935 Configure a host TAP network backend with ID id.
1936
1937 Use the network script file to configure it and the network script
1938 dfile to deconfigure it. If name is not provided, the OS
1939 automatically provides one. The default network configure script is
1940 /etc/qemu-ifup and the default network deconfigure script is
1941 /etc/qemu-ifdown. Use script=no or downscript=no to disable script
1942 execution.
1943
1944 If running QEMU as an unprivileged user, use the network helper
1945 helper to configure the TAP interface and attach it to the bridge.
1946 The default network helper executable is
1947 /path/to/qemu-bridge-helper and the default bridge device is br0.
1948
1949 fd=h can be used to specify the handle of an already opened host
1950 TAP interface.
1951
1952 Examples:
1953
1954 #launch a QEMU instance with the default network script
1955 qemu-system-x86_64 linux.img -nic tap
1956
1957
1958
1959 #launch a QEMU instance with two NICs, each one connected
1960 #to a TAP device
1961 qemu-system-x86_64 linux.img \
1962 -netdev tap,id=nd0,ifname=tap0 -device e1000,netdev=nd0 \
1963 -netdev tap,id=nd1,ifname=tap1 -device rtl8139,netdev=nd1
1964
1965
1966
1967 #launch a QEMU instance with the default network helper to
1968 #connect a TAP device to bridge br0
1969 qemu-system-x86_64 linux.img -device virtio-net-pci,netdev=n1 \
1970 -netdev tap,id=n1,"helper=/path/to/qemu-bridge-helper"
1971
1972 -netdev bridge,id=id[,br=bridge][,helper=helper]
1973 Connect a host TAP network interface to a host bridge device.
1974
1975 Use the network helper helper to configure the TAP interface and
1976 attach it to the bridge. The default network helper executable is
1977 /path/to/qemu-bridge-helper and the default bridge device is br0.
1978
1979 Examples:
1980
1981 #launch a QEMU instance with the default network helper to
1982 #connect a TAP device to bridge br0
1983 qemu-system-x86_64 linux.img -netdev bridge,id=n1 -device virtio-net,netdev=n1
1984
1985
1986
1987 #launch a QEMU instance with the default network helper to
1988 #connect a TAP device to bridge qemubr0
1989 qemu-system-x86_64 linux.img -netdev bridge,br=qemubr0,id=n1 -device virtio-net,netdev=n1
1990
1991 -netdev socket,id=id[,fd=h][,listen=[host]:port][,connect=host:port]
1992 This host network backend can be used to connect the guest's
1993 network to another QEMU virtual machine using a TCP socket
1994 connection. If listen is specified, QEMU waits for incoming
1995 connections on port (host is optional). connect is used to connect
1996 to another QEMU instance using the listen option. fd=h specifies an
1997 already opened TCP socket.
1998
1999 Example:
2000
2001 # launch a first QEMU instance
2002 qemu-system-x86_64 linux.img \
2003 -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2004 -netdev socket,id=n1,listen=:1234
2005 # connect the network of this instance to the network of the first instance
2006 qemu-system-x86_64 linux.img \
2007 -device e1000,netdev=n2,mac=52:54:00:12:34:57 \
2008 -netdev socket,id=n2,connect=127.0.0.1:1234
2009
2010 -netdev socket,id=id[,fd=h][,mcast=maddr:port[,localaddr=addr]]
2011 Configure a socket host network backend to share the guest's
2012 network traffic with other QEMU virtual machines using a UDP
2013 multicast socket, effectively making a bus for every QEMU with same
2014 multicast address maddr and port. NOTES:
2015
2016 1. Several QEMU can be running on different hosts and share same
2017 bus (assuming correct multicast setup for these hosts).
2018
2019 2. mcast support is compatible with User Mode Linux (argument
2020 ethN=mcast), see <http://user-mode-linux.sf.net>.
2021
2022 3. Use fd=h to specify an already opened UDP multicast socket.
2023
2024 Example:
2025
2026 # launch one QEMU instance
2027 qemu-system-x86_64 linux.img \
2028 -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2029 -netdev socket,id=n1,mcast=230.0.0.1:1234
2030 # launch another QEMU instance on same "bus"
2031 qemu-system-x86_64 linux.img \
2032 -device e1000,netdev=n2,mac=52:54:00:12:34:57 \
2033 -netdev socket,id=n2,mcast=230.0.0.1:1234
2034 # launch yet another QEMU instance on same "bus"
2035 qemu-system-x86_64 linux.img \
2036 -device e1000,netdev=n3,mac=52:54:00:12:34:58 \
2037 -netdev socket,id=n3,mcast=230.0.0.1:1234
2038
2039 Example (User Mode Linux compat.):
2040
2041 # launch QEMU instance (note mcast address selected is UML's default)
2042 qemu-system-x86_64 linux.img \
2043 -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2044 -netdev socket,id=n1,mcast=239.192.168.1:1102
2045 # launch UML
2046 /path/to/linux ubd0=/path/to/root_fs eth0=mcast
2047
2048 Example (send packets from host's 1.2.3.4):
2049
2050 qemu-system-x86_64 linux.img \
2051 -device e1000,netdev=n1,mac=52:54:00:12:34:56 \
2052 -netdev socket,id=n1,mcast=239.192.168.1:1102,localaddr=1.2.3.4
2053
2054 -netdev
2055 l2tpv3,id=id,src=srcaddr,dst=dstaddr[,srcport=srcport][,dstport=dstport],txsession=txsession[,rxsession=rxsession][,ipv6][,udp][,cookie64][,counter][,pincounter][,txcookie=txcookie][,rxcookie=rxcookie][,offset=offset]
2056 Configure a L2TPv3 pseudowire host network backend. L2TPv3
2057 (RFC3391) is a popular protocol to transport Ethernet (and other
2058 Layer 2) data frames between two systems. It is present in routers,
2059 firewalls and the Linux kernel (from version 3.3 onwards).
2060
2061 This transport allows a VM to communicate to another VM, router or
2062 firewall directly.
2063
2064 src=srcaddr
2065 source address (mandatory)
2066
2067 dst=dstaddr
2068 destination address (mandatory)
2069
2070 udp select udp encapsulation (default is ip).
2071
2072 srcport=srcport
2073 source udp port.
2074
2075 dstport=dstport
2076 destination udp port.
2077
2078 ipv6
2079 force v6, otherwise defaults to v4.
2080
2081 rxcookie=rxcookie
2082 txcookie=txcookie
2083 Cookies are a weak form of security in the l2tpv3
2084 specification. Their function is mostly to prevent
2085 misconfiguration. By default they are 32 bit.
2086
2087 cookie64
2088 Set cookie size to 64 bit instead of the default 32
2089
2090 counter=off
2091 Force a 'cut-down' L2TPv3 with no counter as in
2092 draft-mkonstan-l2tpext-keyed-ipv6-tunnel-00
2093
2094 pincounter=on
2095 Work around broken counter handling in peer. This may also help
2096 on networks which have packet reorder.
2097
2098 offset=offset
2099 Add an extra offset between header and data
2100
2101 For example, to attach a VM running on host 4.3.2.1 via L2TPv3 to
2102 the bridge br-lan on the remote Linux host 1.2.3.4:
2103
2104 # Setup tunnel on linux host using UDP encapsulation
2105 # on 1.2.3.4
2106 ip l2tp add tunnel remote 4.3.2.1 local 1.2.3.4 tunnel_id 1 peer_tunnel_id 1 \
2107 encap udp udp_sport 16384 udp_dport 16384
2108 ip l2tp add session tunnel_id 1 name vmtunnel0 session_id \
2109 0xFFFFFFFF peer_session_id 0xFFFFFFFF
2110 ifconfig vmtunnel0 mtu 1500
2111 ifconfig vmtunnel0 up
2112 brctl addif br-lan vmtunnel0
2113
2114
2115 # on 4.3.2.1
2116 # launch QEMU instance - if your network has reorder or is very lossy add ,pincounter
2117
2118 qemu-system-x86_64 linux.img -device e1000,netdev=n1 \
2119 -netdev l2tpv3,id=n1,src=4.3.2.1,dst=1.2.3.4,udp,srcport=16384,dstport=16384,rxsession=0xffffffff,txsession=0xffffffff,counter
2120
2121 -netdev
2122 vde,id=id[,sock=socketpath][,port=n][,group=groupname][,mode=octalmode]
2123 Configure VDE backend to connect to PORT n of a vde switch running
2124 on host and listening for incoming connections on socketpath. Use
2125 GROUP groupname and MODE octalmode to change default ownership and
2126 permissions for communication port. This option is only available
2127 if QEMU has been compiled with vde support enabled.
2128
2129 Example:
2130
2131 # launch vde switch
2132 vde_switch -F -sock /tmp/myswitch
2133 # launch QEMU instance
2134 qemu-system-x86_64 linux.img -nic vde,sock=/tmp/myswitch
2135
2136 -netdev vhost-user,chardev=id[,vhostforce=on|off][,queues=n]
2137 Establish a vhost-user netdev, backed by a chardev id. The chardev
2138 should be a unix domain socket backed one. The vhost-user uses a
2139 specifically defined protocol to pass vhost ioctl replacement
2140 messages to an application on the other end of the socket. On non-
2141 MSIX guests, the feature can be forced with vhostforce. Use
2142 'queues=n' to specify the number of queues to be created for
2143 multiqueue vhost-user.
2144
2145 Example:
2146
2147 qemu -m 512 -object memory-backend-file,id=mem,size=512M,mem-path=/hugetlbfs,share=on \
2148 -numa node,memdev=mem \
2149 -chardev socket,id=chr0,path=/path/to/socket \
2150 -netdev type=vhost-user,id=net0,chardev=chr0 \
2151 -device virtio-net-pci,netdev=net0
2152
2153 -netdev hubport,id=id,hubid=hubid[,netdev=nd]
2154 Create a hub port on the emulated hub with ID hubid.
2155
2156 The hubport netdev lets you connect a NIC to a QEMU emulated hub
2157 instead of a single netdev. Alternatively, you can also connect the
2158 hubport to another netdev with ID nd by using the netdev=nd option.
2159
2160 -net nic[,netdev=nd][,macaddr=mac][,model=type]
2161 [,name=name][,addr=addr][,vectors=v]
2162 Legacy option to configure or create an on-board (or machine
2163 default) Network Interface Card(NIC) and connect it either to the
2164 emulated hub with ID 0 (i.e. the default hub), or to the netdev
2165 nd. The NIC is an e1000 by default on the PC target. Optionally,
2166 the MAC address can be changed to mac, the device address set to
2167 addr (PCI cards only), and a name can be assigned for use in
2168 monitor commands. Optionally, for PCI cards, you can specify the
2169 number v of MSI-X vectors that the card should have; this option
2170 currently only affects virtio cards; set v = 0 to disable MSI-X. If
2171 no -net option is specified, a single NIC is created. QEMU can
2172 emulate several different models of network card. Use "-net
2173 nic,model=help" for a list of available devices for your target.
2174
2175 -net user|tap|bridge|socket|l2tpv3|vde[,...][,name=name]
2176 Configure a host network backend (with the options corresponding to
2177 the same -netdev option) and connect it to the emulated hub 0 (the
2178 default hub). Use name to specify the name of the hub port.
2179
2180 Character device options
2181
2182 The general form of a character device option is:
2183
2184 -chardev backend,id=id[,mux=on|off][,options]
2185 Backend is one of: null, socket, udp, msmouse, vc, ringbuf, file,
2186 pipe, console, serial, pty, stdio, braille, tty, parallel, parport,
2187 spicevmc, spiceport. The specific backend will determine the
2188 applicable options.
2189
2190 Use "-chardev help" to print all available chardev backend types.
2191
2192 All devices must have an id, which can be any string up to 127
2193 characters long. It is used to uniquely identify this device in
2194 other command line directives.
2195
2196 A character device may be used in multiplexing mode by multiple
2197 front-ends. Specify mux=on to enable this mode. A multiplexer is
2198 a "1:N" device, and here the "1" end is your specified chardev
2199 backend, and the "N" end is the various parts of QEMU that can talk
2200 to a chardev. If you create a chardev with id=myid and mux=on,
2201 QEMU will create a multiplexer with your specified ID, and you can
2202 then configure multiple front ends to use that chardev ID for their
2203 input/output. Up to four different front ends can be connected to a
2204 single multiplexed chardev. (Without multiplexing enabled, a
2205 chardev can only be used by a single front end.) For instance you
2206 could use this to allow a single stdio chardev to be used by two
2207 serial ports and the QEMU monitor:
2208
2209 -chardev stdio,mux=on,id=char0 \
2210 -mon chardev=char0,mode=readline \
2211 -serial chardev:char0 \
2212 -serial chardev:char0
2213
2214 You can have more than one multiplexer in a system configuration;
2215 for instance you could have a TCP port multiplexed between UART 0
2216 and UART 1, and stdio multiplexed between the QEMU monitor and a
2217 parallel port:
2218
2219 -chardev stdio,mux=on,id=char0 \
2220 -mon chardev=char0,mode=readline \
2221 -parallel chardev:char0 \
2222 -chardev tcp,...,mux=on,id=char1 \
2223 -serial chardev:char1 \
2224 -serial chardev:char1
2225
2226 When you're using a multiplexed character device, some escape
2227 sequences are interpreted in the input.
2228
2229 Note that some other command line options may implicitly create
2230 multiplexed character backends; for instance -serial mon:stdio
2231 creates a multiplexed stdio backend connected to the serial port
2232 and the QEMU monitor, and -nographic also multiplexes the console
2233 and the monitor to stdio.
2234
2235 There is currently no support for multiplexing in the other
2236 direction (where a single QEMU front end takes input and output
2237 from multiple chardevs).
2238
2239 Every backend supports the logfile option, which supplies the path
2240 to a file to record all data transmitted via the backend. The
2241 logappend option controls whether the log file will be truncated or
2242 appended to when opened.
2243
2244 The available backends are:
2245
2246 -chardev null,id=id
2247 A void device. This device will not emit any data, and will drop
2248 any data it receives. The null backend does not take any options.
2249
2250 -chardev socket,id=id[,TCP options or unix
2251 options][,server][,nowait][,telnet][,websocket][,reconnect=seconds][,tls-creds=id][,tls-authz=id]
2252 Create a two-way stream socket, which can be either a TCP or a unix
2253 socket. A unix socket will be created if path is specified.
2254 Behaviour is undefined if TCP options are specified for a unix
2255 socket.
2256
2257 server specifies that the socket shall be a listening socket.
2258
2259 nowait specifies that QEMU should not block waiting for a client to
2260 connect to a listening socket.
2261
2262 telnet specifies that traffic on the socket should interpret telnet
2263 escape sequences.
2264
2265 websocket specifies that the socket uses WebSocket protocol for
2266 communication.
2267
2268 reconnect sets the timeout for reconnecting on non-server sockets
2269 when the remote end goes away. qemu will delay this many seconds
2270 and then attempt to reconnect. Zero disables reconnecting, and is
2271 the default.
2272
2273 tls-creds requests enablement of the TLS protocol for encryption,
2274 and specifies the id of the TLS credentials to use for the
2275 handshake. The credentials must be previously created with the
2276 -object tls-creds argument.
2277
2278 tls-authz provides the ID of the QAuthZ authorization object against
2279 which the client's x509 distinguished name will be validated. This
2280 object is only resolved at time of use, so can be deleted and
2281 recreated on the fly while the chardev server is active. If
2282 missing, it will default to denying access.
2283
2284 TCP and unix socket options are given below:
2285
2286 TCP options: port=port[,host=host][,to=to][,ipv4][,ipv6][,nodelay]
2287 host for a listening socket specifies the local address to be
2288 bound. For a connecting socket specifies the remote host to
2289 connect to. host is optional for listening sockets. If not
2290 specified it defaults to 0.0.0.0.
2291
2292 port for a listening socket specifies the local port to be
2293 bound. For a connecting socket specifies the port on the remote
2294 host to connect to. port can be given as either a port number
2295 or a service name. port is required.
2296
2297 to is only relevant to listening sockets. If it is specified,
2298 and port cannot be bound, QEMU will attempt to bind to
2299 subsequent ports up to and including to until it succeeds. to
2300 must be specified as a port number.
2301
2302 ipv4 and ipv6 specify that either IPv4 or IPv6 must be used.
2303 If neither is specified the socket may use either protocol.
2304
2305 nodelay disables the Nagle algorithm.
2306
2307 unix options: path=path
2308 path specifies the local path of the unix socket. path is
2309 required.
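
An added example, not part of the QEMU documentation: a small Python checker that applies the binding and authentication rules from the hostfwd, guestfwd, -netdev socket, -chardev socket and -vnc entries above to a QEMU command line. The finding codes, function names and sample command lines (including the object IDs tls0, authz0 and authz1, assumed to be created with -object) are constructed for illustration.

```python
import shlex
from typing import List, Tuple

# Addresses that do not pin a listener to one host interface.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}

Finding = Tuple[str, str]  # (constructed finding code, offending value or id)


def split_opts(value: str) -> List[Tuple[str, str]]:
    """Split 'a=b,flag,c=d' into pairs; QEMU writes a literal comma as ',,'."""
    pairs = []
    for part in value.replace(",,", "\x00").split(","):
        key, _, val = part.replace("\x00", ",").partition("=")
        pairs.append((key, val))
    return pairs


def audit(cmdline: str) -> List[Finding]:
    """Return findings for listener and VNC auth settings in a QEMU command line."""
    argv = shlex.split(cmdline.replace("\\\n", " "))  # join continued lines
    findings: List[Finding] = []
    for flag, value in zip(argv, argv[1:]):
        if flag not in ("-nic", "-netdev", "-net", "-chardev", "-vnc"):
            continue
        opts = split_opts(value)
        keys = dict(opts)
        backend = keys.get("type", opts[0][0])

        if flag == "-vnc":
            # The sasl entry recommends always combining SASL with TLS.
            if "sasl" in keys and "tls-creds" not in keys:
                findings.append(("VNC_SASL_NO_TLS", value))
            # acl is deprecated in favour of sasl-authz / tls-authz.
            if "acl" in keys:
                findings.append(("VNC_LEGACY_ACL", value))
        elif flag == "-chardev":
            listening = keys.get("server", "off") != "off"
            if backend == "socket" and "port" in keys and listening:
                ident = keys.get("id", "?")
                # host defaults to 0.0.0.0 for a listening TCP socket.
                if keys.get("host", "") in WILDCARD_HOSTS:
                    findings.append(("CHARDEV_ANY_ADDR", ident))
                if "tls-creds" not in keys:
                    findings.append(("CHARDEV_NO_TLS", ident))
        elif backend == "user":
            for key, val in opts:
                if key == "hostfwd":
                    # [tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
                    fields = val.split("-", 1)[0].split(":")
                    if len(fields) == 3 and fields[1] in WILDCARD_HOSTS:
                        # No hostaddr: rule is not bound to a specific interface.
                        findings.append(("HOSTFWD_ANY_ADDR", val))
                elif key == "guestfwd" and "-cmd:" in val:
                    # A host program is spawned for each guest connection.
                    findings.append(("GUESTFWD_CMD", val))
        elif backend == "socket" and "listen" in keys:
            # listen=[host]:port, host is optional.
            if keys["listen"].rpartition(":")[0] in WILDCARD_HOSTS:
                findings.append(("NETDEV_SOCKET_ANY_ADDR", keys["listen"]))
    return findings


# Constructed sample: every listener left at its default binding.
SAMPLE = (
    "qemu-system-x86_64 linux.img "
    "-nic user,hostfwd=tcp::5555-:23,hostfwd=tcp:127.0.0.1:6001-:6000 "
    "-chardev socket,id=mon0,port=4444,server,nowait "
    "-netdev socket,id=n1,listen=:1234 "
    "-vnc :1,sasl,acl"
)

# Constructed counterpart: loopback bindings, TLS and authz objects set.
HARDENED = (
    "qemu-system-x86_64 linux.img "
    "-nic user,hostfwd=tcp:127.0.0.1:5555-:23 "
    "-chardev socket,id=mon0,host=127.0.0.1,port=4444,server,nowait,"
    "tls-creds=tls0,tls-authz=authz0 "
    "-vnc :1,sasl,sasl-authz=authz1,tls-creds=tls0,tls-authz=authz0"
)

if __name__ == "__main__":
    for code, detail in audit(SAMPLE):
        print(f"{code}: {detail}")
    print("hardened findings:", audit(HARDENED))
```
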
2310
2311 -chardev
2312 udp,id=id[,host=host],port=port[,localaddr=localaddr][,localport=localport][,ipv4][,ipv6]
2313 Sends all traffic from the guest to a remote host over UDP.
2314
2315 host specifies the remote host to connect to. If not specified it
2316 defaults to "localhost".
2317
2318 port specifies the port on the remote host to connect to. port is
2319 required.
2320
2321 localaddr specifies the local address to bind to. If not specified
2322 it defaults to 0.0.0.0.
2323
2324 localport specifies the local port to bind to. If not specified any
2325 available local port will be used.
2326
2327 ipv4 and ipv6 specify that either IPv4 or IPv6 must be used. If
2328 neither is specified the device may use either protocol.
2329
2330 -chardev msmouse,id=id
2331 Forward QEMU's emulated msmouse events to the guest. msmouse does
2332 not take any options.
2333
2334 -chardev
2335 vc,id=id[[,width=width][,height=height]][[,cols=cols][,rows=rows]]
2336 Connect to a QEMU text console. vc may optionally be given a
2337 specific size.
2338
2339 width and height specify the width and height respectively of the
2340 console, in pixels.
2341
2342 cols and rows specify that the console be sized to fit a text
2343 console with the given dimensions.
2344
2345 -chardev ringbuf,id=id[,size=size]
2346 Create a ring buffer with fixed size size. size must be a power of
2347 two and defaults to "64K".
2348
2349 -chardev file,id=id,path=path
2350 Log all traffic received from the guest to a file.
2351
2352 path specifies the path of the file to be opened. This file will be
2353 created if it does not already exist, and overwritten if it does.
2354 path is required.
2355
2356 -chardev pipe,id=id,path=path
2357 Create a two-way connection to the guest. The behaviour differs
2358 slightly between Windows hosts and other hosts:
2359
2360 On Windows, a single duplex pipe will be created at \\.\pipe\path.
2361
2362 On other hosts, 2 pipes will be created called path.in and
2363 path.out. Data written to path.in will be received by the guest.
2364 Data written by the guest can be read from path.out. QEMU will not
2365 create these fifos, and requires them to be present.
2366
2367 path forms part of the pipe path as described above. path is
2368 required.
2369
2370 -chardev console,id=id
2371 Send traffic from the guest to QEMU's standard output. console does
2372 not take any options.
2373
2374 console is only available on Windows hosts.
2375
2376 -chardev serial,id=id,path=path
2377 Send traffic from the guest to a serial device on the host.
2378
2379 On Unix hosts serial will actually accept any tty device, not only
2380 serial lines.
2381
2382 path specifies the name of the serial device to open.
2383
2384 -chardev pty,id=id
2385 Create a new pseudo-terminal on the host and connect to it. pty
2386 does not take any options.
2387
2388 pty is not available on Windows hosts.
2389
2390 -chardev stdio,id=id[,signal=on|off]
2391 Connect to standard input and standard output of the QEMU process.
2392
2393 signal controls if signals are enabled on the terminal, that
2394 includes exiting QEMU with the key sequence Control-c. This option
2395 is enabled by default, use signal=off to disable it.
2396
2397 -chardev braille,id=id
2398 Connect to a local BrlAPI server. braille does not take any
2399 options.
2400
2401 -chardev tty,id=id,path=path
2402 tty is only available on Linux, Sun, FreeBSD, NetBSD, OpenBSD and
2403 DragonFlyBSD hosts. It is an alias for serial.
2404
2405 path specifies the path to the tty. path is required.
2406
2407 -chardev parallel,id=id,path=path
2408 -chardev parport,id=id,path=path
2409 parallel is only available on Linux, FreeBSD and DragonFlyBSD
2410 hosts.
2411
2412 Connect to a local parallel port.
2413
2414 path specifies the path to the parallel port device. path is
2415 required.
2416
2417 -chardev spicevmc,id=id,debug=debug,name=name
2418 spicevmc is only available when spice support is built in.
2419
2420 debug debug level for spicevmc
2421
2422 name name of spice channel to connect to
2423
2424 Connect to a spice virtual machine channel, such as vdiport.
2425
2426 -chardev spiceport,id=id,debug=debug,name=name
2427 spiceport is only available when spice support is built in.
2428
2429 debug debug level for spicevmc
2430
2431 name name of spice port to connect to
2432
2433 Connect to a spice port, allowing a Spice client to handle the
2434 traffic identified by a name (preferably a fqdn).
2435
2436 Bluetooth(R) options
2437
2438 -bt hci[...]
2439 Defines the function of the corresponding Bluetooth HCI. -bt
2440 options are matched with the HCIs present in the chosen machine
2441 type. For example when emulating a machine with only one HCI built
2442 into it, only the first "-bt hci[...]" option is valid and defines
2443 the HCI's logic. The Transport Layer is decided by the machine
2444 type. Currently the machines "n800" and "n810" have one HCI and
2445 all other machines have none.
2446
2447 Note: This option and the whole bluetooth subsystem are considered
2448 deprecated. If you still use it, please send a mail to
2449 <qemu-devel@nongnu.org> where you describe your use case.
2450
2451 The following three types are recognized:
2452
2453 -bt hci,null
2454 (default) The corresponding Bluetooth HCI assumes no internal
2455 logic and will not respond to any HCI commands or emit events.
2456
2457 -bt hci,host[:id]
2458 ("bluez" only) The corresponding HCI passes commands / events
2459 to / from the physical HCI identified by the name id (default:
2460 "hci0") on the computer running QEMU. Only available on
2461 "bluez" capable systems like Linux.
2462
2463 -bt hci[,vlan=n]
2464 Add a virtual, standard HCI that will participate in the
2465 Bluetooth scatternet n (default 0). Similarly to -net VLANs,
2466 devices inside a bluetooth network n can only communicate with
2467 other devices in the same network (scatternet).
2468
2469 -bt vhci[,vlan=n]
2470 (Linux-host only) Create a HCI in scatternet n (default 0) attached
2471 to the host bluetooth stack instead of to the emulated target.
2472 This allows the host and target machines to participate in a common
2473 scatternet and communicate. Requires the Linux "vhci" driver
2474 installed. Can be used as follows:
2475
2476 qemu-system-x86_64 [...OPTIONS...] -bt hci,vlan=5 -bt vhci,vlan=5
2477
2478 -bt device:dev[,vlan=n]
2479 Emulate a bluetooth device dev and place it in network n (default
2480 0). QEMU can currently emulate only one type of bluetooth device:
2481
2482 keyboard
2483 Virtual wireless keyboard implementing the HIDP bluetooth
2484 profile.
2485
2486 TPM device options
2487
2488 The general form of a TPM device option is:
2489
2490 -tpmdev backend,id=id[,options]
2491 The specific backend type will determine the applicable options.
2492 The "-tpmdev" option creates the TPM backend and requires a
2493 "-device" option that specifies the TPM frontend interface model.
2494
2495 Use "-tpmdev help" to print all available TPM backend types.
2496
2497 The available backends are:
2498
2499 -tpmdev passthrough,id=id,path=path,cancel-path=cancel-path
2500 (Linux-host only) Enable access to the host's TPM using the
2501 passthrough driver.
2502
2503 path specifies the path to the host's TPM device, i.e., on a Linux
2504 host this would be "/dev/tpm0". path is optional and by default
2505 "/dev/tpm0" is used.
2506
2507 cancel-path specifies the path to the host TPM device's sysfs entry
2508 allowing for cancellation of an ongoing TPM command. cancel-path
2509 is optional and by default QEMU will search for the sysfs entry to
2510 use.
2511
2512 Some notes about using the host's TPM with the passthrough driver:
2513
2514 The TPM device accessed by the passthrough driver must not be used
2515 by any other application on the host.
2516
2517 Since the host's firmware (BIOS/UEFI) has already initialized the
2518 TPM, the VM's firmware (BIOS/UEFI) will not be able to initialize
2519 the TPM again and may therefore not show a TPM-specific menu that
2520 would otherwise allow the user to configure the TPM, e.g., allow
2521 the user to enable/disable or activate/deactivate the TPM.
2522 Further, if TPM ownership is released from within a VM then the
2523 host's TPM will get disabled and deactivated. To enable and
2524 activate the TPM again afterwards, the host has to be rebooted and
2525 the user is required to enter the firmware's menu to enable and
2526 activate the TPM. If the TPM is left disabled and/or deactivated
2527 most TPM commands will fail.
2528
2529 To create a passthrough TPM use the following two options:
2530
2531 -tpmdev passthrough,id=tpm0 -device tpm-tis,tpmdev=tpm0
2532
2533 Note that the "-tpmdev" id is "tpm0" and is referenced by
2534 "tpmdev=tpm0" in the device option.
2535
2536 -tpmdev emulator,id=id,chardev=dev
2537 (Linux-host only) Enable access to a TPM emulator using Unix domain
2538 socket based chardev backend.
2539
2540 chardev specifies the unique ID of a character device backend that
2541 provides connection to the software TPM server.
2542
2543 To create a TPM emulator backend device with chardev socket
2544 backend:
2545
2546 -chardev socket,id=chrtpm,path=/tmp/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0
2547
2548 Linux/Multiboot boot specific
2549
2550 When using these options, you can use a given Linux or Multiboot kernel
2551 without installing it in the disk image. It can be useful for easier
2552 testing of various kernels.
2553
2554 -kernel bzImage
2555 Use bzImage as kernel image. The kernel can be either a Linux
2556 kernel or in multiboot format.
2557
2558 -append cmdline
2559 Use cmdline as kernel command line
2560
2561 -initrd file
2562 Use file as initial ram disk.
2563
2564 -initrd "file1 arg=foo,file2"
2565 This syntax is only available with multiboot.
2566
2567 Use file1 and file2 as modules and pass arg=foo as parameter to the
2568 first module.
2569
2570 -dtb file
2571 Use file as a device tree binary (dtb) image and pass it to the
2572 kernel on boot.
2573
2574 Debug/Expert options
2575
2576 -fw_cfg [name=]name,file=file
2577 Add named fw_cfg entry with contents from file file.
2578
2579 -fw_cfg [name=]name,string=str
2580 Add named fw_cfg entry with contents from string str.
2581
2582 The terminating NUL character of the contents of str will not be
2583 included as part of the fw_cfg item data. To insert contents with
2584 embedded NUL characters, you have to use the file parameter.
2585
2586 The fw_cfg entries are passed by QEMU through to the guest.
2587
2588 Example:
2589
2590 -fw_cfg name=opt/com.mycompany/blob,file=./my_blob.bin
2591
2592 creates an fw_cfg entry named opt/com.mycompany/blob with contents
2593 from ./my_blob.bin.
2594
2595 -serial dev
2596 Redirect the virtual serial port to host character device dev. The
2597 default device is "vc" in graphical mode and "stdio" in non
2598 graphical mode.
2599
2600 This option can be used several times to simulate up to 4 serial
2601 ports.
2602
2603 Use "-serial none" to disable all serial ports.
2604
2605 Available character devices are:
2606
2607 vc[:WxH]
2608 Virtual console. Optionally, a width and height can be given in
2609 pixels with
2610
2611 vc:800x600
2612
2613 It is also possible to specify width or height in characters:
2614
2615 vc:80Cx24C
2616
2617 pty [Linux only] Pseudo TTY (a new PTY is automatically allocated)
2618
2619 none
2620 No device is allocated.
2621
2622 null
2623 void device
2624
2625 chardev:id
2626 Use a named character device defined with the "-chardev"
2627 option.
2628
2629 /dev/XXX
2630 [Linux only] Use host tty, e.g. /dev/ttyS0. The host serial
2631 port parameters are set according to the emulated ones.
2632
2633 /dev/parportN
2634 [Linux only, parallel port only] Use host parallel port N.
2635 Currently SPP and EPP parallel port features can be used.
2636
2637 file:filename
2638 Write output to filename. No character can be read.
2639
2640 stdio
2641 [Unix only] standard input/output
2642
2643 pipe:filename
2644 named pipe filename
2645
2646 COMn
2647 [Windows only] Use host serial port n
2648
2649 udp:[remote_host]:remote_port[@[src_ip]:src_port]
2650 This implements UDP Net Console. When remote_host or src_ip
2651 are not specified they default to 0.0.0.0. When not using a
2652 specified src_port a random port is automatically chosen.
2653
2654 If you just want a simple read-only console you can use "netcat"
2655 or "nc", by starting QEMU with: "-serial udp::4555" and nc as:
2656 "nc -u -l -p 4555". Any time QEMU writes something to that port
2657 it will appear in the netconsole session.
2658
2659 If you plan to send characters back via netconsole or you want
2660 to stop and start QEMU a lot of times, you should have QEMU use
2661 the same source port each time by using something like "-serial
2662 udp::4555@4556" to QEMU. Another approach is to use a patched
2663 version of netcat which can listen to a TCP port and send and
2664 receive characters via udp. If you have a patched version of
2665 netcat which activates telnet remote echo and single char
2666 transfer, then you can use the following options to set up a
2667 netcat redirector to allow telnet on port 5555 to access the
2668 QEMU port.
2669
2670 "QEMU Options:"
2671 -serial udp::4555@4556
2672
2673 "netcat options:"
2674 -u -P 4555 -L 0.0.0.0:4556 -t -p 5555 -I -T
2675
2676 "telnet options:"
2677 localhost 5555
2678
2679 tcp:[host]:port[,server][,nowait][,nodelay][,reconnect=seconds]
2680 The TCP Net Console has two modes of operation. It can send
2681 the serial I/O to a location or wait for a connection from a
2682 location. By default the TCP Net Console is sent to host at
2683 the port. If you use the server option QEMU will wait for a
2684 client socket application to connect to the port before
2685 continuing, unless the "nowait" option was specified. The
2686 "nodelay" option disables the Nagle buffering algorithm. The
2687 "reconnect" option only applies if noserver is set; if the
2688 connection goes down, QEMU will attempt to reconnect at the given
2689 interval. If host is omitted, 0.0.0.0 is assumed. Only one TCP
2690 connection at a time is accepted. You can use "telnet" to
2691 connect to the corresponding character device.
2692
2693 "Example to send tcp console to 192.168.0.2 port 4444"
2694 -serial tcp:192.168.0.2:4444
2695
2696 "Example to listen and wait on port 4444 for connection"
2697 -serial tcp::4444,server
2698
2699 "Example to not wait and listen on ip 192.168.0.100 port 4444"
2700 -serial tcp:192.168.0.100:4444,server,nowait
2701
2702 telnet:host:port[,server][,nowait][,nodelay]
2703 The telnet protocol is used instead of raw tcp sockets. The
2704 options work the same as if you had specified "-serial tcp".
2705 The difference is that the port acts like a telnet server or
2706 client using telnet option negotiation. This will also allow
2707 you to send the MAGIC_SYSRQ sequence if you use a telnet that
2708 supports sending the break sequence. Typically in unix telnet
2709 you do it with Control-] and then type "send break" followed by
2710 pressing the enter key.
2711
2712 websocket:host:port,server[,nowait][,nodelay]
2713 The WebSocket protocol is used instead of raw tcp socket. The
2714 port acts as a WebSocket server. Client mode is not supported.
2715
2716 unix:path[,server][,nowait][,reconnect=seconds]
2717 A unix domain socket is used instead of a tcp socket. The
2718 option works the same as if you had specified "-serial tcp"
2719 except the unix domain socket path is used for connections.
2720
2721 mon:dev_string
2722 This is a special option to allow the monitor to be multiplexed
2723 onto another serial port. The monitor is accessed with key
2724 sequence of Control-a and then pressing c. dev_string should
2725 be any one of the serial devices specified above. An example
2726 to multiplex the monitor onto a telnet server listening on port
2727 4444 would be:
2728
2729 "-serial mon:telnet::4444,server,nowait"
2730
2731 When the monitor is multiplexed to stdio in this way, Ctrl+C
2732 will not terminate QEMU any more but will be passed to the
2733 guest instead.
2734
2735 braille
2736 Braille device. This will use BrlAPI to display the braille
2737 output on a real or fake device.
2738
2739 msmouse
2740 Three button serial mouse. Configure the guest to use Microsoft
2741 protocol.
2742
2743 -parallel dev
2744 Redirect the virtual parallel port to host device dev (same devices
2745 as the serial port). On Linux hosts, /dev/parportN can be used to
2746 use hardware devices connected on the corresponding host parallel
2747 port.
2748
2749 This option can be used several times to simulate up to 3 parallel
2750 ports.
2751
2752 Use "-parallel none" to disable all parallel ports.
2753
2754 -monitor dev
2755 Redirect the monitor to host device dev (same devices as the serial
2756 port). The default device is "vc" in graphical mode and "stdio" in
2757 non graphical mode. Use "-monitor none" to disable the default
2758 monitor.
2759
2760 -qmp dev
2761 Like -monitor but opens in 'control' mode.
2762
2763 -qmp-pretty dev
2764 Like -qmp but uses pretty JSON formatting.
2765
2766 -mon [chardev=]name[,mode=readline|control][,pretty[=on|off]]
2767 Setup monitor on chardev name. "pretty" turns on JSON pretty
2768 printing easing human reading and debugging.
2769
2770 -debugcon dev
2771 Redirect the debug console to host device dev (same devices as the
2772 serial port). The debug console is an I/O port which is typically
2773 port 0xe9; writing to that I/O port sends output to this device.
2774 The default device is "vc" in graphical mode and "stdio" in non
2775 graphical mode.
2776
2777 -pidfile file
2778 Store the QEMU process PID in file. It is useful if you launch QEMU
2779 from a script.
2780
2781 -singlestep
2782 Run the emulation in single step mode.
2783
2784 --preconfig
2785 Pause QEMU for interactive configuration before the machine is
2786 created, which allows querying and configuring properties that will
2787 affect machine initialization. Use QMP command 'x-exit-preconfig'
2788 to exit the preconfig state and move to the next state (i.e. run
2789 guest if -S isn't used or pause the second time if -S is used).
2790 This option is experimental.
2791
2792 -S Do not start CPU at startup (you must type 'c' in the monitor).
2793
2794 -realtime mlock=on|off
2795 Run qemu with realtime features. mlocking qemu and guest memory
2796 can be enabled via mlock=on (enabled by default).
2797
2798 -overcommit mem-lock=on|off
2799 -overcommit cpu-pm=on|off
2800 Run qemu with hints about host resource overcommit. The default is
2801 to assume that host overcommits all resources.
2802
2803 Locking qemu and guest memory can be enabled via mem-lock=on
2804 (disabled by default). This works when host memory is not
2805 overcommitted and reduces the worst-case latency for guest. This
2806 is equivalent to realtime.
2807
2808 Guest ability to manage power state of host cpus (increasing
2809 latency for other processes on the same host cpu, but decreasing
2810 latency for guest) can be enabled via cpu-pm=on (disabled by
2811 default). This works best when host CPU is not overcommitted. When
2812 used, host estimates of CPU cycle and power utilization will be
2813 incorrect, not taking into account guest idle time.
2814
2815 -gdb dev
2816 Wait for gdb connection on device dev. Typical connections will
2817 likely be TCP-based, but UDP, pseudo TTY, or even stdio are also
2818 reasonable use cases. The latter allows QEMU to be started from
2819 within gdb, with the connection established via a pipe:
2820
2821 (gdb) target remote | exec qemu-system-x86_64 -gdb stdio ...
2822
2823 -s Shorthand for -gdb tcp::1234, i.e. open a gdbserver on TCP port
2824 1234.
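
Since an omitted host means 0.0.0.0 for the tcp, telnet and websocket devices, and -s is shorthand for -gdb tcp::1234, a command line can open the monitor, QMP or gdbstub on every interface without naming an address. The following is an added example, not part of the QEMU documentation: it parses the device strings described above and reports each listener with the scope it binds to. The function names and the sample command line are constructed for this example, and -chardev socket definitions are not covered.

```python
import ipaddress
import shlex
from typing import List, NamedTuple, Optional


class Listener(NamedTuple):
    option: str  # option as written, e.g. "-serial"
    role: str    # "control" (monitor, QMP, gdbstub) or "console"
    scheme: str  # tcp, telnet or websocket
    host: str    # "" when omitted on the command line
    port: str
    scope: str   # "all-interfaces", "loopback" or "specific"


CONTROL_OPTS = {"-monitor", "-qmp", "-qmp-pretty", "-gdb"}
CONSOLE_OPTS = {"-serial", "-parallel", "-debugcon"}
STREAM_SCHEMES = {"tcp", "telnet", "websocket"}


def scope_of(host: str) -> str:
    if host == "":
        return "all-interfaces"  # "If host is omitted, 0.0.0.0 is assumed"
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "specific"  # a host name: one particular address
    if ip.is_unspecified:
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "specific"


def parse_dev(option: str, role: str, dev: str,
              always_listens: bool = False) -> Optional[Listener]:
    """Return a Listener if dev makes QEMU listen on a TCP port, else None."""
    if dev.startswith("mon:"):
        # The monitor is multiplexed onto this device, so it is a control channel.
        role, dev = "control", dev[4:]
    scheme, sep, rest = dev.partition(":")
    if not sep or scheme not in STREAM_SCHEMES:
        return None  # vc, pty, stdio, unix:, file:, ... are not TCP listeners
    addr, *flags = rest.split(",")
    host, sep, port = addr.rpartition(":")
    if not sep:
        return None
    if not (always_listens or "server" in flags or "server=on" in flags):
        return None  # client mode: QEMU connects out, nothing listens
    return Listener(option, role, scheme, host, port, scope_of(host))


def listeners(cmdline: str) -> List[Listener]:
    argv = shlex.split(cmdline)
    found = []
    i = 1
    while i < len(argv):
        tok = argv[i]
        # Normalise --opt to -opt; non-option tokens never match below.
        opt = "-" + tok.lstrip("-") if tok.startswith("-") else ""
        hit, step = None, 1
        if opt == "-s":
            hit = parse_dev("-s", "control", "tcp::1234", always_listens=True)
        elif opt in CONTROL_OPTS | CONSOLE_OPTS and i + 1 < len(argv):
            role = "control" if opt in CONTROL_OPTS else "console"
            # -gdb waits for a connection, so a tcp: device there always listens.
            hit = parse_dev(opt, role, argv[i + 1], always_listens=(opt == "-gdb"))
            step = 2
        if hit:
            found.append(hit)
        i += step
    return found


def wildcard_listeners(cmdline: str) -> List[Listener]:
    return [l for l in listeners(cmdline) if l.scope == "all-interfaces"]


# Constructed sample command line built from the option forms shown on this page.
SAMPLE_CMDLINE = (
    "qemu-system-x86_64 -m 2G -S "
    "-serial mon:telnet::4444,server,nowait "
    "-qmp tcp:127.0.0.1:4445,server,nowait "
    "-serial tcp:192.168.0.2:4444 "
    "-serial tcp:192.168.0.100:4444,server,nowait "
    "-monitor unix:/run/qemu/mon.sock,server,nowait "
    "-s"
)

if __name__ == "__main__":
    for l in listeners(SAMPLE_CMDLINE):
        print(f"{l.option:8} {l.role:8} {l.scheme}:{l.host or '*'}:{l.port}  {l.scope}")
```

Giving an explicit host such as 127.0.0.1, or using the unix: device, keeps a control channel off the network.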
2825
2826 -d item1[,...]
2827 Enable logging of specified items. Use '-d help' for a list of log
2828 items.
2829
2830 -D logfile
2831 Output log in logfile instead of to stderr
2832
2833 -dfilter range1[,...]
2834 Filter debug output to that relevant to a range of target
2835 addresses. The filter spec can be either start+size, start-size or
2836 start..end, where start, end and size are the addresses and sizes
2837 required. For example:
2838
2839 -dfilter 0x8000..0x8fff,0xffffffc000080000+0x200,0xffffffc000060000-0x1000
2840
2841 Will dump output for any code in the 0x1000 sized block starting at
2842 0x8000 and the 0x200 sized block starting at 0xffffffc000080000 and
2843 another 0x1000 sized block starting at 0xffffffc00005f000.
2844
2845 -seed number
2846 Force the guest to use a deterministic pseudo-random number
2847 generator, seeded with number. This does not affect crypto
2848 routines within the host.
2849
2850 -L path
2851 Set the directory for the BIOS, VGA BIOS and keymaps.
2852
2853 To list all the data directories, use "-L help".
2854
2855 -bios file
2856 Set the filename for the BIOS.
2857
2858 -enable-kvm
2859 Enable KVM full virtualization support. This option is only
2860 available if KVM support is enabled when compiling.
2861
2862 -xen-domid id
2863 Specify xen guest domain id (XEN only).
2864
2865 -xen-attach
2866 Attach to existing xen domain. libxl will use this when starting
2867 QEMU (XEN only). Restrict set of available xen operations to
2868 specified domain id (XEN only).
2869
2870 -no-reboot
2871 Exit instead of rebooting.
2872
2873 -no-shutdown
2874 Don't exit QEMU on guest shutdown, but instead only stop the
2875 emulation. This allows for instance switching to monitor to commit
2876 changes to the disk image.
2877
2878 -loadvm file
2879 Start right away with a saved state ("loadvm" in monitor)
2880
2881 -daemonize
2882 Daemonize the QEMU process after initialization. QEMU will not
2883 detach from standard IO until it is ready to receive connections on
2884 any of its devices. This option is a useful way for external
2885 programs to launch QEMU without having to cope with initialization
2886 race conditions.
2887
2888 -option-rom file
2889 Load the contents of file as an option ROM. This option is useful
2890 to load things like EtherBoot.
2891
2892 -rtc
2893 [base=utc|localtime|datetime][,clock=host|rt|vm][,driftfix=none|slew]
2894 Specify base as "utc" or "localtime" to let the RTC start at the
2895 current UTC or local time, respectively. "localtime" is required
2896 for correct date in MS-DOS or Windows. To start at a specific point
2897 in time, provide datetime in the format "2006-06-17T16:01:21" or
2898 "2006-06-17". The default base is UTC.
2899
2900 By default the RTC is driven by the host system time. This allows
2901 using the RTC as an accurate reference clock inside the guest,
2902 specifically if the host time is smoothly following an accurate
2903 external reference clock, e.g. via NTP. If you want to isolate the
2904 guest time from the host, you can set clock to "rt" instead, which
2905 provides a host monotonic clock if the host supports it. To even
2906 prevent the RTC from progressing during suspension, you can set
2907 clock to "vm" (virtual clock). clock=vm is recommended especially
2908 in icount mode in order to preserve determinism; however, note that
2909 in icount mode the speed of the virtual clock is variable and can
2910 in general differ from the host clock.
2911
2912 Enable driftfix (i386 targets only) if you experience time drift
2913 problems, specifically with Windows' ACPI HAL. This option will try
2914 to figure out how many timer interrupts were not processed by the
2915 Windows guest and will re-inject them.
2916
2917 -icount
2918 [shift=N|auto][,rr=record|replay,rrfile=filename,rrsnapshot=snapshot]
2919 Enable virtual instruction counter. The virtual cpu will execute
2920 one instruction every 2^N ns of virtual time. If "auto" is
2921 specified then the virtual cpu speed will be automatically adjusted
2922 to keep virtual time within a few seconds of real time.
2923
2924 When the virtual cpu is sleeping, the virtual time will advance at
2925 default speed unless sleep=on|off is specified. With sleep=on|off,
2926 the virtual time will jump to the next timer deadline instantly
2927 whenever the virtual cpu goes to sleep mode and will not advance if
2928 no timer is enabled. This behavior gives deterministic execution
2929 times from the guest point of view.
2930
2931 Note that while this option can give deterministic behavior, it
2932 does not provide cycle accurate emulation. Modern CPUs contain
2933 superscalar out of order cores with complex cache hierarchies. The
2934 number of instructions executed often has little or no correlation
2935 with actual performance.
2936
2937 align=on will activate the delay algorithm which will try to
2938 synchronise the host clock and the virtual clock. The goal is to
2939 have a guest running at the real frequency imposed by the shift
2940 option. Whenever the guest clock is behind the host clock and if
2941 align=on is specified then we print a message to the user to inform
2942 about the delay. Currently this option does not work when shift is
2943 "auto". Note: The sync algorithm will work for those shift values
2944 for which the guest clock runs ahead of the host clock. Typically
2945 this happens when the shift value is high (how high depends on the
2946 host machine).
2947
2948 When rr option is specified deterministic record/replay is enabled.
2949 Replay log is written into filename file in record mode and read
2950 from this file in replay mode.
2951
2952 Option rrsnapshot is used to create new vm snapshot named snapshot
2953 at the start of execution recording. In replay mode this option is
2954 used to load the initial VM state.
2955
2956 -watchdog model
2957 Create a virtual hardware watchdog device. Once enabled (by a
2958 guest action), the watchdog must be periodically polled by an agent
2959 inside the guest or else the guest will be restarted. Choose a
2960 model for which your guest has drivers.
2961
2962 The model is the model of hardware watchdog to emulate. Use
2963 "-watchdog help" to list available hardware models. Only one
2964 watchdog can be enabled for a guest.
2965
2966 The following models may be available:
2967
2968 ib700
2969 iBASE 700 is a very simple ISA watchdog with a single timer.
2970
2971 i6300esb
2972 Intel 6300ESB I/O controller hub is a much more featureful PCI-
2973 based dual-timer watchdog.
2974
2975 diag288
2976 A virtual watchdog for s390x backed by the diagnose 288
2977 hypercall (currently KVM only).
2978
2979 -watchdog-action action
2980 The action controls what QEMU will do when the watchdog timer
2981 expires. The default is "reset" (forcefully reset the guest).
2982 Other possible actions are: "shutdown" (attempt to gracefully
2983 shutdown the guest), "poweroff" (forcefully poweroff the guest),
2984 "inject-nmi" (inject a NMI into the guest), "pause" (pause the
2985 guest), "debug" (print a debug message and continue), or "none" (do
2986 nothing).
2987
2988 Note that the "shutdown" action requires that the guest responds to
2989 ACPI signals, which it may not be able to do in the sort of
2990 situations where the watchdog would have expired, and thus
2991 "-watchdog-action shutdown" is not recommended for production use.
2992
2993 Examples:
2994
2995 "-watchdog i6300esb -watchdog-action pause"
2996 "-watchdog ib700"
2997 -echr numeric_ascii_value
2998 Change the escape character used for switching to the monitor when
2999 using monitor and serial sharing. The default is 0x01 when using
3000 the "-nographic" option. 0x01 is equal to pressing "Control-a".
3001 You can select a different character from the ascii control keys
3002 where 1 through 26 map to Control-a through Control-z. For
3003 instance you could use either of the following to change the
3004 escape character to Control-t.
3005
3006 "-echr 0x14"
3007 "-echr 20"
3008 -show-cursor
3009 Show cursor.
3010
3011 -tb-size n
3012 Set TB size.
3013
3014 -incoming tcp:[host]:port[,to=maxport][,ipv4][,ipv6]
3015 -incoming rdma:host:port[,ipv4][,ipv6]
3016 Prepare for incoming migration, listen on a given tcp port.
3017
3018 -incoming unix:socketpath
3019 Prepare for incoming migration, listen on a given unix socket.
3020
3021 -incoming fd:fd
3022 Accept incoming migration from a given file descriptor.
3023
3024 -incoming exec:cmdline
3025 Accept incoming migration as the output of the specified external
3026 command.
3027
3028 -incoming defer
3029 Wait for the URI to be specified via migrate_incoming. The monitor
3030 can be used to change settings (such as migration parameters) prior
3031 to issuing the migrate_incoming to allow the migration to begin.
3032
3033 -only-migratable
3034 Only allow migratable devices. Devices will not be allowed to enter
3035 an unmigratable state.
3036
3037 -nodefaults
3038 Don't create default devices. Normally, QEMU sets the default
3039 devices like serial port, parallel port, virtual console, monitor
3040 device, VGA adapter, floppy and CD-ROM drive and others. The
3041 "-nodefaults" option will disable all those default devices.
3042
3043 -chroot dir
3044 Immediately before starting guest execution, chroot to the
3045 specified directory. Especially useful in combination with -runas.
3046
3047 -runas user
3048 Immediately before starting guest execution, drop root privileges,
3049 switching to the specified user.
3050
3051 -prom-env variable=value
3052 Set OpenBIOS nvram variable to given value (PPC, SPARC only).
3053
3054 -semihosting
3055 Enable semihosting mode (ARM, M68K, Xtensa, MIPS, Nios II only).
3056
3057 -semihosting-config
3058 [enable=on|off][,target=native|gdb|auto][,chardev=id][,arg=str[,...]]
3059 Enable and configure semihosting (ARM, M68K, Xtensa, MIPS, Nios II
3060 only).
3061
3062 target="native|gdb|auto"
3063 Defines where the semihosting calls will be addressed, to QEMU
3064 ("native") or to GDB ("gdb"). The default is "auto", which
3065 means "gdb" during debug sessions and "native" otherwise.
3066
3067 chardev=str1
3068 Send semihosting output to a chardev backend when the target is
3069 native, or auto outside a gdb session
3070
3071 arg=str1,arg=str2,...
3072 Allows the user to pass input arguments, and can be used
3073 multiple times to build up a list. The old-style
3074 "-kernel"/"-append" method of passing a command line is still
3075 supported for backward compatibility. If both the
3076 "--semihosting-config arg" and the "-kernel"/"-append" are
3077 specified, the former is passed to semihosting as it always
3078 takes precedence.
3079
3080 -old-param
3081 Old param mode (ARM only).
3082
3083 -sandbox
3084 arg[,obsolete=string][,elevateprivileges=string][,spawn=string][,resourcecontrol=string]
3085 Enable Seccomp mode 2 system call filter. 'on' will enable syscall
3086 filtering and 'off' will disable it. The default is 'off'.
3087
3088 obsolete=string
3089 Enable Obsolete system calls
3090
3091 elevateprivileges=string
3092 Disable set*uid|gid system calls
3093
3094 spawn=string
3095 Disable *fork and execve
3096
3097 resourcecontrol=string
3098 Disable process affinity and scheduler priority
3099
3100 -readconfig file
3101 Read device configuration from file. This approach is useful when
3102 you want to spawn QEMU process with many command line options but
3103 you don't want to exceed the command line character limit.
3104
3105 -writeconfig file
3106 Write device configuration to file. The file can be either a filename
3107 to save command line and device configuration into, or a dash
3108 ("-") character to print the output to stdout. This can later be
3109 used as the input file for the "-readconfig" option.
3110
3111 -no-user-config
3112 The "-no-user-config" option makes QEMU not load any of the user-
3113 provided config files on sysconfdir.
3114
3115 -trace [[enable=]pattern][,events=file][,file=file]
3116 Specify tracing options.
3117
3118 [enable=]pattern
3119 Immediately enable events matching pattern (either event name
3120 or a globbing pattern). This option is only available if QEMU
3121 has been compiled with the simple, log or ftrace tracing
3122 backend. To specify multiple events or patterns, specify the
3123 -trace option multiple times.
3124
3125 Use "-trace help" to print a list of names of trace points.
3126
3127 events=file
3128 Immediately enable events listed in file. The file must
3129 contain one event name (as listed in the trace-events-all file)
3130 per line; globbing patterns are accepted too. This option is
3131 only available if QEMU has been compiled with the simple, log
3132 or ftrace tracing backend.
3133
3134 file=file
3135 Log output traces to file. This option is only available if
3136 QEMU has been compiled with the simple tracing backend.
3137
3138 -plugin file=file[,arg=string]
3139 Load a plugin.
3140
3141 file=file
3142 Load the given plugin from a shared library file.
3143
3144 arg=string
3145 Argument string passed to the plugin. (Can be given multiple
3146 times.)
3147
3148 -enable-fips
3149 Enable FIPS 140-2 compliance mode.
3150
3151 -msg timestamp[=on|off]
3152 Prepend a timestamp to each log message (default: on).
3153
3154 -dump-vmstate file
3155 Dump json-encoded vmstate information for current machine type to
3156 file.
3157
3158 -enable-sync-profile
3159 Enable synchronization profiling.
3160
3161 Generic object creation
3162
3163 -object typename[,prop1=value1,...]
3164 Create a new object of type typename setting properties in the
3165 order they are specified. Note that the 'id' property must be set.
3166 These objects are placed in the '/objects' path.
3167
3168 -object
3169 memory-backend-file,id=id,size=size,mem-path=dir,share=on|off,discard-data=on|off,merge=on|off,dump=on|off,prealloc=on|off,
3170 host-nodes=host-nodes,policy=default|preferred|bind|interleave,align=align
3171 Creates a memory file backend object, which can be used to back
3172 the guest RAM with huge pages.
3173
3174 The id parameter is a unique ID that will be used to reference
3175 this memory region when configuring the -numa argument.
3176
3177 The size option provides the size of the memory region, and
3178 accepts common suffixes, e.g. 500M.
3179
3180 The mem-path provides the path to either a shared memory or
3181 huge page filesystem mount.
3182
3183 The share boolean option determines whether the memory region
3184 is marked as private to QEMU, or shared. The latter allows a
3185 co-operating external process to access the QEMU memory region.
3186
3187 The share option is also required for pvrdma devices due to
3188 limitations in the RDMA API provided by Linux.
3189
3190 Setting share=on might affect the ability to configure NUMA
3191 bindings for the memory backend under some circumstances, see
3192 Documentation/vm/numa_memory_policy.txt on the Linux kernel
3193 source tree for additional details.
3194
3195 Setting the discard-data boolean option to on indicates that
3196 file contents can be destroyed when QEMU exits, to avoid
3197 unnecessarily flushing data to the backing file. Note that
3198 discard-data is only an optimization, and QEMU might not
3199 discard file contents if it aborts unexpectedly or is
3200 terminated using SIGKILL.
3201
3202 The merge boolean option enables memory merge, also known as
3203 MADV_MERGEABLE, so that Kernel Samepage Merging will consider
3204 the pages for memory deduplication.
3205
3206 Setting the dump boolean option to off excludes the memory from
3207 core dumps. This feature is also known as MADV_DONTDUMP.
3208
3209 The prealloc boolean option enables memory preallocation.
3210
3211 The host-nodes option binds the memory range to a list of NUMA
3212 host nodes.
3213
3214 The policy option sets the NUMA policy to one of the following
3215 values:
3216
3217 default
3218 default host policy
3219
3220 preferred
3221 prefer the given host node list for allocation
3222
3223 bind
3224 restrict memory allocation to the given host node list
3225
3226 interleave
3227 interleave memory allocations across the given host node
3228 list
3229
3230 The align option specifies the base address alignment used when
3231 QEMU mmap(2)s mem-path, and accepts common suffixes, eg 2M. Some
3232 backend stores specified by mem-path require an alignment
3233 different than the default one used by QEMU, eg the device DAX
3234 /dev/dax0.0 requires 2M alignment rather than 4K. In such
3235 cases, users can specify the required alignment via this
3236 option.
3237
3238 The pmem option specifies whether the backing file specified by
3239 mem-path is in host persistent memory that can be accessed
3240 using the SNIA NVM programming model (e.g. Intel NVDIMM). If
3241 pmem is set to 'on', QEMU will take the necessary operations to
3242 guarantee the persistence of its own writes to mem-path (e.g.
3243 in vNVDIMM label emulation and live migration). Also, QEMU will
3244 map the backend file with the MAP_SYNC flag, which ensures the file
3245 metadata is in sync for mem-path in case of a host crash or a
3246 power failure. MAP_SYNC requires support from both the host
3247 kernel (since Linux kernel 4.15) and the filesystem of mem-path
3248 mounted with the DAX option.
3249
3250 -object
3251 memory-backend-ram,id=id,merge=on|off,dump=on|off,share=on|off,prealloc=on|off,size=size,host-nodes=host-nodes,policy=default|preferred|bind|interleave
3253 Creates a memory backend object, which can be used to back the
3254 guest RAM. Memory backend objects offer more control than the
3255 -m option that is traditionally used to define guest RAM.
3256 Please refer to memory-backend-file for a description of the
3257 options.
3258
3259 -object
3260 memory-backend-memfd,id=id,merge=on|off,dump=on|off,share=on|off,prealloc=on|off,size=size,host-nodes=host-nodes,policy=default|preferred|bind|interleave,seal=on|off,hugetlb=on|off,hugetlbsize=size
3262 Creates an anonymous memory file backend object, which allows
3263 QEMU to share the memory with an external process (e.g. when
3264 using vhost-user). The memory is allocated with memfd and
3265 optional sealing. (Linux only)
3266
3267 The seal option creates a sealed file, which blocks further
3268 resizing of the memory ('on' by default).
3269
3270 The hugetlb option specifies that the file to be created resides
3271 in the hugetlbfs filesystem (since Linux 4.14). Used in
3272 conjunction with the hugetlb option, the hugetlbsize option
3273 specifies the hugetlb page size on systems that support multiple
3274 hugetlb page sizes (it must be a power of 2 value supported by
3275 the system).
3276
3277 In some versions of Linux, the hugetlb option is incompatible
3278 with the seal option (requires at least Linux 4.16).
3279
3280 Please refer to memory-backend-file for a description of the
3281 other options.
3282
3283 The share boolean option is on by default with memfd.
3284
3285 -object rng-builtin,id=id
3286 Creates a random number generator backend which obtains entropy
3287 from QEMU builtin functions. The id parameter is a unique ID
3288 that will be used to reference this entropy backend from the
3289 virtio-rng device. By default, the virtio-rng device uses this
3290 RNG backend.
3291
3292 -object rng-random,id=id,filename=/dev/random
3293 Creates a random number generator backend which obtains entropy
3294 from a device on the host. The id parameter is a unique ID that
3295 will be used to reference this entropy backend from the virtio-
3296 rng device. The filename parameter specifies which file to
3297 obtain entropy from and if omitted defaults to /dev/urandom.
3298
3299 -object rng-egd,id=id,chardev=chardevid
3300 Creates a random number generator backend which obtains entropy
3301 from an external daemon running on the host. The id parameter
3302 is a unique ID that will be used to reference this entropy
3303 backend from the virtio-rng device. The chardev parameter is
3304 the unique ID of a character device backend that provides the
3305 connection to the RNG daemon.
3306
3307 -object
3308 tls-creds-anon,id=id,endpoint=endpoint,dir=/path/to/cred/dir,verify-peer=on|off
3309 Creates a TLS anonymous credentials object, which can be used
3310 to provide TLS support on network backends. The id parameter is
3311 a unique ID which network backends will use to access the
3312 credentials. The endpoint is either server or client depending
3313 on whether the QEMU network backend that uses the credentials
3314 will be acting as a client or as a server. If verify-peer is
3315 enabled (the default) then once the handshake is completed, the
3316 peer credentials will be verified, though this is a no-op for
3317 anonymous credentials.
3318
3319 The dir parameter tells QEMU where to find the credential
3320 files. For server endpoints, this directory may contain a file
3321 dh-params.pem providing diffie-hellman parameters to use for
3322 the TLS server. If the file is missing, QEMU will generate a
3323 set of DH parameters at startup. This is a computationally
3324 expensive operation that consumes random pool entropy, so it is
3325 recommended that a persistent set of parameters be generated
3326 upfront and saved.
3327
3328 -object
3329 tls-creds-psk,id=id,endpoint=endpoint,dir=/path/to/keys/dir[,username=username]
3330 Creates a TLS Pre-Shared Keys (PSK) credentials object, which
3331 can be used to provide TLS support on network backends. The id
3332 parameter is a unique ID which network backends will use to
3333 access the credentials. The endpoint is either server or client
3334 depending on whether the QEMU network backend that uses the
3335 credentials will be acting as a client or as a server. For
3336 clients only, username is the username which will be sent to
3337 the server. If omitted it defaults to "qemu".
3338
3339 The dir parameter tells QEMU where to find the keys file. It
3340 is called "dir/keys.psk" and contains "username:key" pairs.
3341 This file can most easily be created using the GnuTLS "psktool"
3342 program.
3343
3344 For server endpoints, dir may also contain a file dh-params.pem
3345 providing diffie-hellman parameters to use for the TLS server.
3346 If the file is missing, QEMU will generate a set of DH
3347 parameters at startup. This is a computationally expensive
3348 operation that consumes random pool entropy, so it is
3349 recommended that a persistent set of parameters be generated up
3350 front and saved.
3351
3352 -object
3353 tls-creds-x509,id=id,endpoint=endpoint,dir=/path/to/cred/dir,priority=priority,verify-peer=on|off,passwordid=id
3354 Creates a TLS x509 credentials object, which can be used
3355 to provide TLS support on network backends. The id parameter is
3356 a unique ID which network backends will use to access the
3357 credentials. The endpoint is either server or client depending
3358 on whether the QEMU network backend that uses the credentials
3359 will be acting as a client or as a server. If verify-peer is
3360 enabled (the default) then once the handshake is completed, the
3361 peer credentials will be verified. With x509 certificates, this
3362 implies that the clients must be provided with valid client
3363 certificates too.
3364
3365 The dir parameter tells QEMU where to find the credential
3366 files. For server endpoints, this directory may contain a file
3367 dh-params.pem providing diffie-hellman parameters to use for
3368 the TLS server. If the file is missing, QEMU will generate a
3369 set of DH parameters at startup. This is a computationally
3370 expensive operation that consumes random pool entropy, so it is
3371 recommended that a persistent set of parameters be generated
3372 upfront and saved.
3373
3374 For x509 certificate credentials the directory will contain
3375 further files providing the x509 certificates. The certificates
3376 must be stored in PEM format, in filenames ca-cert.pem,
3377 ca-crl.pem (optional), server-cert.pem (only servers),
3378 server-key.pem (only servers), client-cert.pem (only clients),
3379 and client-key.pem (only clients).
3380
3381 For the server-key.pem and client-key.pem files which contain
3382 sensitive private keys, it is possible to use an encrypted
3383 version by providing the passwordid parameter. This provides
3384 the ID of a previously created "secret" object containing the
3385 password for decryption.
3386
3387 The priority parameter allows overriding the global default
3388 priority used by gnutls. This can be useful if the system
3389 administrator needs to use a weaker set of crypto priorities
3390 for QEMU without potentially forcing the weakness onto all
3391 applications. Conversely, if one wants a stronger
3392 default for QEMU than for all other applications, they can do
3393 this through this parameter. Its format is a gnutls priority
3394 string as described at
3395 <https://gnutls.org/manual/html_node/Priority-Strings.html>.
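
A pre-launch check of a tls-creds-x509 directory against the file names listed above, as an added example (not QEMU's code). The function name, the finding labels and the rule that a private key must not be readable by group or others are assumptions made for this sketch; the directory contents in demo() are constructed placeholders.

```python
import os
import stat
import tempfile

# File names per endpoint, as listed in the tls-creds-x509 text above.
# ca-crl.pem is optional there, so it is not checked.
EXPECTED = {
    "server": ("ca-cert.pem", "server-cert.pem", "server-key.pem"),
    "client": ("ca-cert.pem", "client-cert.pem", "client-key.pem"),
}


def check_tls_creds_dir(path, endpoint, passwordid=None):
    """Return a list of findings for the directory passed as dir=."""
    if endpoint not in EXPECTED:
        raise ValueError("endpoint must be 'server' or 'client'")
    findings = []
    for name in EXPECTED[endpoint]:
        if not os.path.isfile(os.path.join(path, name)):
            findings.append(f"missing:{name}")
    # Without dh-params.pem a server generates DH parameters at every start.
    if endpoint == "server" and not os.path.isfile(
            os.path.join(path, "dh-params.pem")):
        findings.append("dh-params-generated-at-startup")
    key_path = os.path.join(path, f"{endpoint}-key.pem")
    if os.path.isfile(key_path):
        # Assumed local policy: key readable by its owner only.
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & 0o077:
            findings.append(f"key-mode-too-open:{mode:o}")
        # Both traditional and PKCS#8 encrypted PEM keys carry this marker.
        with open(key_path, "r", errors="replace") as fh:
            encrypted = "ENCRYPTED" in fh.read()
        if encrypted and passwordid is None:
            findings.append("key-encrypted-needs-passwordid")
    return findings


def demo():
    """Check a constructed server directory before and after fixing it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("ca-cert.pem", "server-cert.pem"):
            with open(os.path.join(d, name), "w") as fh:
                fh.write("constructed placeholder\n")
        key = os.path.join(d, "server-key.pem")
        with open(key, "w") as fh:
            fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nconstructed\n")
        os.chmod(key, 0o644)
        before = check_tls_creds_dir(d, "server")
        # Fix: tighten the key mode, pre-generate DH parameters, and pass
        # the id of a secret object as passwordid.
        os.chmod(key, 0o600)
        with open(os.path.join(d, "dh-params.pem"), "w") as fh:
            fh.write("constructed placeholder\n")
        after = check_tls_creds_dir(d, "server", passwordid="sec0")
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```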
3396
3397 -object
3398 filter-buffer,id=id,netdev=netdevid,interval=t[,queue=all|rx|tx][,status=on|off]
3399 This filter batches the packet delivery: all packets arriving
3400 in a given interval on netdev netdevid are delayed until the
3401 end of the interval. Interval t is in microseconds and can't
3402 be 0. status is optional and indicates whether the
3403 netfilter is on (enabled) or off (disabled); the default status
3404 for a netfilter is 'on'.
3405
3406 queue all|rx|tx is an option that can be applied to any
3407 netfilter.
3408
3409 all: the filter is attached both to the receive and the
3410 transmit queue of the netdev (default).
3411
3412 rx: the filter is attached to the receive queue of the netdev,
3413 where it will receive packets sent to the netdev.
3414
3415 tx: the filter is attached to the transmit queue of the netdev,
3416 where it will receive packets sent by the netdev.
3417
3418 -object
3419 filter-mirror,id=id,netdev=netdevid,outdev=chardevid,queue=all|rx|tx[,vnet_hdr_support]
3420 filter-mirror on netdev netdevid mirrors net packets to chardev
3421 chardevid. If it has the vnet_hdr_support flag, filter-mirror
3422 will mirror packets with vnet_hdr_len.
3423
3424 -object
3425 filter-redirector,id=id,netdev=netdevid,indev=chardevid,outdev=chardevid,queue=all|rx|tx[,vnet_hdr_support]
3426 filter-redirector on netdev netdevid redirects the filter's net
3427 packets to chardev chardevid, and redirects indev's packets to
3428 the filter. If it has the vnet_hdr_support flag, filter-redirector
3429 will redirect packets with vnet_hdr_len. When creating a
3430 filter-redirector, the outdev id must differ from the indev id;
3431 they cannot be the same. Either indev or outdev can be used
3432 alone, but at least one of them needs to be specified.
3433
3434 -object
3435 filter-rewriter,id=id,netdev=netdevid,queue=all|rx|tx,[vnet_hdr_support]
3436 Filter-rewriter is a part of the COLO project. It rewrites TCP
3437 packets sent from primary to secondary to keep the secondary TCP
3438 connection, and rewrites TCP packets sent from secondary to
3439 primary so that they can be handled by the client. If it has the
3440 vnet_hdr_support flag, it can parse packets with a vnet header.
3441
3442 usage: colo secondary: -object
3443 filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0 -object
3444 filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1 -object
3445 filter-rewriter,id=rew0,netdev=hn0,queue=all
3446
3447 -object filter-dump,id=id,netdev=dev[,file=filename][,maxlen=len]
3448 Dump the network traffic on netdev dev to the file specified by
3449 filename. At most len bytes (64k by default) per packet are
3450 stored. The file format is libpcap, so it can be analyzed with
3451 tools such as tcpdump or Wireshark.
3452
3453 -object
3454 colo-compare,id=id,primary_in=chardevid,secondary_in=chardevid,outdev=chardevid,iothread=id[,vnet_hdr_support][,notify_dev=id]
3455 Colo-compare gets packets from primary_in chardevid and
3456 secondary_in chardevid, then compares the primary packet with
3457 the secondary packet. If the packets are the same, it outputs
3458 the primary packet to outdev chardevid; otherwise it notifies
3459 colo-frame to do a checkpoint and sends the primary packet to
3460 outdev chardevid. In order to improve efficiency, the task of
3461 comparison is put in another thread. If it has the vnet_hdr_support
3462 flag, colo-compare will send/recv packets with vnet_hdr_len. If
3463 you want to use Xen COLO, you will need the notify_dev to notify
3464 Xen colo-frame to do a checkpoint.
3465
3466 It must be used together with filter-mirror and
3467 filter-redirector.
3468
3469 KVM COLO
3470
3471 primary:
3472 -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
3473 -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
3474 -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server,nowait
3475 -chardev socket,id=compare1,host=3.3.3.3,port=9004,server,nowait
3476 -chardev socket,id=compare0,host=3.3.3.3,port=9001,server,nowait
3477 -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
3478 -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server,nowait
3479 -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
3480 -object iothread,id=iothread1
3481 -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
3482 -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
3483 -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
3484 -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,iothread=iothread1
3485
3486 secondary:
3487 -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
3488 -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
3489 -chardev socket,id=red0,host=3.3.3.3,port=9003
3490 -chardev socket,id=red1,host=3.3.3.3,port=9004
3491 -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
3492 -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
3493
3494
3495 Xen COLO
3496
3497 primary:
3498 -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
3499 -device e1000,id=e0,netdev=hn0,mac=52:a4:00:12:78:66
3500 -chardev socket,id=mirror0,host=3.3.3.3,port=9003,server,nowait
3501 -chardev socket,id=compare1,host=3.3.3.3,port=9004,server,nowait
3502 -chardev socket,id=compare0,host=3.3.3.3,port=9001,server,nowait
3503 -chardev socket,id=compare0-0,host=3.3.3.3,port=9001
3504 -chardev socket,id=compare_out,host=3.3.3.3,port=9005,server,nowait
3505 -chardev socket,id=compare_out0,host=3.3.3.3,port=9005
3506 -chardev socket,id=notify_way,host=3.3.3.3,port=9009,server,nowait
3507 -object filter-mirror,id=m0,netdev=hn0,queue=tx,outdev=mirror0
3508 -object filter-redirector,netdev=hn0,id=redire0,queue=rx,indev=compare_out
3509 -object filter-redirector,netdev=hn0,id=redire1,queue=rx,outdev=compare0
3510 -object iothread,id=iothread1
3511 -object colo-compare,id=comp0,primary_in=compare0-0,secondary_in=compare1,outdev=compare_out0,notify_dev=notify_way,iothread=iothread1
3512
3513 secondary:
3514 -netdev tap,id=hn0,vhost=off,script=/etc/qemu-ifup,downscript=/etc/qemu-ifdown
3515 -device e1000,netdev=hn0,mac=52:a4:00:12:78:66
3516 -chardev socket,id=red0,host=3.3.3.3,port=9003
3517 -chardev socket,id=red1,host=3.3.3.3,port=9004
3518 -object filter-redirector,id=f1,netdev=hn0,queue=tx,indev=red0
3519 -object filter-redirector,id=f2,netdev=hn0,queue=rx,outdev=red1
3520
3521 If you want to know the details of the above command lines, you
3522 can read the colo-compare git log.
3523
3524 -object cryptodev-backend-builtin,id=id[,queues=queues]
3525 Creates a cryptodev backend which executes crypto operations
3526 using the QEMU cipher APIs. The id parameter is a unique ID that
3527 will be used to reference this cryptodev backend from the
3528 virtio-crypto device. The queues parameter is optional and
3529 specifies the queue number of the cryptodev backend; the default
3530 of queues is 1.
3531
3532 # qemu-system-x86_64 \
3533 [...] \
3534 -object cryptodev-backend-builtin,id=cryptodev0 \
3535 -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
3536 [...]
3537
3538 -object
3539 cryptodev-vhost-user,id=id,chardev=chardevid[,queues=queues]
3540 Creates a vhost-user cryptodev backend, backed by a chardev
3541 chardevid. The id parameter is a unique ID that will be used
3542 to reference this cryptodev backend from the virtio-crypto
3543 device. The chardev should be a unix domain socket backed one.
3544 The vhost-user uses a specifically defined protocol to pass
3545 vhost ioctl replacement messages to an application on the other
3546 end of the socket. The queues parameter is optional and
3547 specifies the queue number of the cryptodev backend for multiqueue
3548 vhost-user; the default of queues is 1.
3549
3550 # qemu-system-x86_64 \
3551 [...] \
3552 -chardev socket,id=chardev0,path=/path/to/socket \
3553 -object cryptodev-vhost-user,id=cryptodev0,chardev=chardev0 \
3554 -device virtio-crypto-pci,id=crypto0,cryptodev=cryptodev0 \
3555 [...]
3556
3557 -object
3558 secret,id=id,data=string,format=raw|base64[,keyid=secretid,iv=string]
3559 -object
3560 secret,id=id,file=filename,format=raw|base64[,keyid=secretid,iv=string]
3561 Defines a secret to store a password, encryption key, or some
3562 other sensitive data. The sensitive data can either be passed
3563 directly via the data parameter, or indirectly via the file
3564 parameter. Using the data parameter is insecure unless the
3565 sensitive data is encrypted.
3566
3567 The sensitive data can be provided in raw format (the default),
3568 or base64. When encoded as JSON, the raw format only supports
3569 valid UTF-8 characters, so base64 is recommended for sending
3570 binary data. QEMU will convert from whichever format is
3571 provided to the format it needs internally. eg, an RBD password
3572 can be provided in raw format, even though it will be base64
3573 encoded when passed onto the RBD server.
3574
3575 For added protection, it is possible to encrypt the data
3576 associated with a secret using the AES-256-CBC cipher. Use of
3577 encryption is indicated by providing the keyid and iv
3578 parameters. The keyid parameter provides the ID of a previously
3579 defined secret that contains the AES-256 decryption key. This
3580 key should be 32 bytes long and be base64 encoded. The iv
3581 parameter provides the random initialization vector used for
3582 encryption of this particular secret and should be a base64
3583 encoded string of the 16-byte IV.
3584
3585 The simplest (insecure) usage is to provide the secret inline
3586
3587 # qemu-system-x86_64 -object secret,id=sec0,data=letmein,format=raw
3588
3589 The simplest secure usage is to provide the secret via a file
3590
3591 # printf "letmein" > mypasswd.txt
3592 # qemu-system-x86_64 -object secret,id=sec0,file=mypasswd.txt,format=raw
3593
3594 For greater security, AES-256-CBC should be used. To illustrate
3595 usage, consider the openssl command line tool which can encrypt
3596 the data. Note that when encrypting, the plaintext must be
3597 padded to the cipher block size (32 bytes) using the standard
3598 PKCS#5/6 compatible padding algorithm.
3599
3600 First a master key needs to be created in base64 encoding:
3601
3602 # openssl rand -base64 32 > key.b64
3603 # KEY=$(base64 -d key.b64 | hexdump -v -e '/1 "%02X"')
3604
3605 Each secret to be encrypted needs to have a random
3606 initialization vector generated. These do not need to be kept
3607 secret
3608
3609 # openssl rand -base64 16 > iv.b64
3610 # IV=$(base64 -d iv.b64 | hexdump -v -e '/1 "%02X"')
3611
3612 The secret to be defined can now be encrypted, in this case
3613 we're telling openssl to base64 encode the result, but it could
3614 be left as raw bytes if desired.
3615
3616 # SECRET=$(printf "letmein" |
3617 openssl enc -aes-256-cbc -a -K $KEY -iv $IV)
3618
3619 When launching QEMU, create a master secret pointing to
3620 "key.b64" and specify that to be used to decrypt the user
3621 password. Pass the contents of "iv.b64" to the second secret
3622
3623 # qemu-system-x86_64 \
3624 -object secret,id=secmaster0,format=base64,file=key.b64 \
3625 -object secret,id=sec0,keyid=secmaster0,format=base64,\
3626 data=$SECRET,iv=$(<iv.b64)
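
The rules above can be checked before launch. This added example (not part of QEMU) lints the -object arguments of a command line for inline plaintext secrets, keyid/passwordid references to a secret that has not been defined earlier, and an iv that does not decode to 16 bytes. The function names, finding labels and sample command lines are constructed for illustration; the parser honours QEMU's ",," escape for a literal comma.

```python
import base64
import binascii


def split_qemu_opts(optstr):
    """Split on single commas; ',,' stands for one literal comma."""
    fields, cur, i = [], [], 0
    while i < len(optstr):
        if optstr[i] == ",":
            if optstr[i + 1:i + 2] == ",":
                cur.append(",")
                i += 2
                continue
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(optstr[i])
        i += 1
    fields.append("".join(cur))
    return fields


def parse_object(optstr):
    """Return (type, properties) for the value of one -object option."""
    qom_type, props = None, {}
    for n, field in enumerate(split_qemu_opts(optstr)):
        key, sep, value = field.partition("=")
        if n == 0 and not sep:
            qom_type = key                     # leading bare word is the type
        else:
            props[key] = value if sep else "on"
    return props.pop("qom-type", qom_type), props


def b64_len(text):
    """Decoded length of a base64 string, or None if it is not base64."""
    try:
        return len(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return None


def audit_objects(argv):
    """Return (object id, finding) pairs in command-line order."""
    findings, secrets = [], set()
    for flag, value in zip(argv, argv[1:]):
        if flag != "-object":
            continue
        qom_type, props = parse_object(value)
        oid = props.get("id", "?")
        if qom_type == "secret":
            keyid, iv = props.get("keyid"), props.get("iv")
            if "data" in props and keyid is None:
                findings.append((oid, "inline-plaintext"))
            if (keyid is None) != (iv is None):
                findings.append((oid, "keyid-iv-mismatch"))
            if keyid is not None and keyid not in secrets:
                findings.append((oid, "keyid-undefined"))
            if iv is not None and b64_len(iv) != 16:
                findings.append((oid, "iv-length"))
            secrets.add(oid)
        elif qom_type == "tls-creds-x509":
            pid = props.get("passwordid")
            if pid is not None and pid not in secrets:
                findings.append((oid, "passwordid-undefined"))
    return findings


# Constructed command lines; the data= and iv= values are placeholders.
IV_B64 = base64.b64encode(bytes(range(16))).decode()
GOOD = ["qemu-system-x86_64",
        "-object", "secret,id=secmaster0,format=base64,file=key.b64",
        "-object", "secret,id=sec0,keyid=secmaster0,format=base64,"
                   "data=Q09OU1RSVUNURUQ=,iv=" + IV_B64]
BAD = ["qemu-system-x86_64",
       "-object", "secret,id=sec0,data=letmein,format=raw",
       "-object", "secret,id=sec1,keyid=secmaster0,format=base64,"
                  "data=AAAA,iv=AAAA",
       "-object", "secret,id=secmaster0,format=base64,file=key.b64",
       "-object", "tls-creds-x509,id=tls0,endpoint=server,"
                  "dir=/etc/pki/qemu,passwordid=nokey"]

if __name__ == "__main__":
    for name, argv in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_objects(argv))
```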
3627
3628 -object
3629 sev-guest,id=id,cbitpos=cbitpos,reduced-phys-bits=val,[sev-device=string,policy=policy,handle=handle,dh-cert-file=file,session-file=file]
3630 Create a Secure Encrypted Virtualization (SEV) guest object,
3631 which can be used to provide the guest memory encryption
3632 support on AMD processors.
3633
3634 When memory encryption is enabled, one of the physical address
3635 bits (aka the C-bit) is utilized to mark if a memory page is
3636 protected. The cbitpos is used to provide the C-bit position.
3637 The C-bit position is Host family dependent, hence the user must
3638 provide this value. On EPYC, the value should be 47.
3639
3640 When memory encryption is enabled, we lose certain bits in
3641 physical address space. The reduced-phys-bits is used to
3642 provide the number of bits we lose in physical address space.
3643 Similar to C-bit, the value is Host family dependent. On EPYC,
3644 the value should be 5.
3645
3646 The sev-device provides the device file to use for
3647 communicating with the SEV firmware running inside AMD Secure
3648 Processor. The default device is '/dev/sev'. If hardware
3649 supports memory encryption then /dev/sev devices are created by
3650 CCP driver.
3651
3652 The policy provides the guest policy to be enforced by the SEV
3653 firmware and restricts what configuration and operational
3654 commands can be performed on this guest by the hypervisor. The
3655 policy should be provided by the guest owner and is bound to
3656 the guest and cannot be changed throughout the lifetime of the
3657 guest. The default is 0.
3658
3659 If the guest policy allows sharing the key with another SEV guest
3660 then handle can be used to provide the handle of the guest from
3661 which to share the key.
3662
3663 The dh-cert-file and session-file provide the guest owner's
3664 Public Diffie-Hellman key defined in the SEV spec. The PDH and
3665 session parameters are used for establishing a cryptographic
3666 session with the guest owner to negotiate keys used for
3667 attestation. The file must be encoded in base64.
3668
3669 e.g. to launch a SEV guest
3670
3671 # qemu-system-x86_64 \
3672 ......
3673 -object sev-guest,id=sev0,cbitpos=47,reduced-phys-bits=5 \
3674 -machine ...,memory-encryption=sev0
3675 .....
3676
3677 -object authz-simple,id=id,identity=string
3678 Create an authorization object that will control access to
3679 network services.
3680
3681 The identity parameter identifies the user and its format
3682 depends on the network service that authorization object is
3683 associated with. For authorizing based on TLS x509
3684 certificates, the identity must be the x509 distinguished name.
3685 Note that care must be taken to escape any commas in the
3686 distinguished name.
3687
3688 An example authorization object to validate a x509
3689 distinguished name would look like:
3690
3691 # qemu-system-x86_64 \
3692 ...
3693 -object 'authz-simple,id=auth0,identity=CN=laptop.example.com,,O=Example Org,,L=London,,ST=London,,C=GB' \
3694 ...
3695
3696 Note the use of quotes due to the x509 distinguished name
3697 containing whitespace, and escaping of ','.
3698
3699 -object authz-listfile,id=id,filename=path,refresh=yes|no
3700 Create an authorization object that will control access to
3701 network services.
3702
3703 The filename parameter is the fully qualified path to a file
3704 containing the access control list rules in JSON format.
3705
3706 An example set of rules that match against SASL usernames might
3707 look like:
3708
3709 {
3710 "rules": [
3711 { "match": "fred", "policy": "allow", "format": "exact" },
3712 { "match": "bob", "policy": "allow", "format": "exact" },
3713 { "match": "danb", "policy": "deny", "format": "exact" },
3714 { "match": "dan*", "policy": "allow", "format": "glob" }
3715 ],
3716 "policy": "deny"
3717 }
3718
3719 When checking access the object will iterate over all the rules
3720 and the first rule to match will have its policy value returned
3721 as the result. If no rules match, then the default policy value
3722 is returned.
3723
3724 The rules can either be an exact string match, or they can use
3725 the simple UNIX glob pattern matching to allow wildcards to be
3726 used.
3727
3728 If refresh is set to true the file will be monitored and
3729 automatically reloaded whenever its content changes.
3730
3731 As with the "authz-simple" object, the format of the identity
3732 strings being matched depends on the network service, but is
3733 usually a TLS x509 distinguished name, or a SASL username.
3734
3735 An example authorization object to validate a SASL username
3736 would look like:
3737
3738 # qemu-system-x86_64 \
3739 ...
3740 -object authz-listfile,id=auth0,filename=/etc/qemu/vnc-sasl.acl,refresh=yes
3741 ...
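
The first-match evaluation described above, as an added example (not QEMU's code), with a check for rules that an earlier rule makes unreachable. The rule set is a constructed variant of the one above with danb as an exact deny and dan* as a glob allow; treating a missing format as exact and supporting only the * and ? wildcards are assumptions of this sketch.

```python
import json
import re

POLICIES = {"allow", "deny"}
FORMATS = {"exact", "glob"}

# Constructed rule set, modelled on the SASL username example above.
SAMPLE_ACL = """
{
  "rules": [
    { "match": "fred", "policy": "allow", "format": "exact" },
    { "match": "bob",  "policy": "allow", "format": "exact" },
    { "match": "danb", "policy": "deny",  "format": "exact" },
    { "match": "dan*", "policy": "allow", "format": "glob" }
  ],
  "policy": "deny"
}
"""


def load_acl(text):
    """Parse and validate an ACL document; raise ValueError if malformed."""
    try:
        acl = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"ACL is not valid JSON: {exc}") from exc
    if not isinstance(acl, dict) or acl.get("policy") not in POLICIES:
        raise ValueError("top-level 'policy' must be 'allow' or 'deny'")
    rules = acl.setdefault("rules", [])
    if not isinstance(rules, list):
        raise ValueError("'rules' must be a list")
    for i, rule in enumerate(rules):
        if not isinstance(rule, dict) or not isinstance(rule.get("match"), str):
            raise ValueError(f"rule {i}: 'match' must be a string")
        if rule.get("policy") not in POLICIES:
            raise ValueError(f"rule {i}: bad 'policy'")
        if rule.get("format", "exact") not in FORMATS:   # assumed default
            raise ValueError(f"rule {i}: bad 'format'")
    return acl


def glob_regex(pattern):
    """Compile a glob where only '*' and '?' are special (assumption)."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def check_access(acl, identity):
    """Return (policy, rule index); the index is None for the default."""
    for i, rule in enumerate(acl["rules"]):
        if rule.get("format", "exact") == "glob":
            hit = glob_regex(rule["match"]).fullmatch(identity) is not None
        else:
            hit = rule["match"] == identity
        if hit:
            return rule["policy"], i
    return acl["policy"], None


def shadowed_rules(acl):
    """Return (dead rule, shadowing rule) index pairs for exact rules that
    can never fire because an earlier rule already matches their string."""
    dead = []
    for i, rule in enumerate(acl["rules"]):
        if rule.get("format", "exact") != "exact":
            continue
        earlier = {"rules": acl["rules"][:i], "policy": acl["policy"]}
        _, hit = check_access(earlier, rule["match"])
        if hit is not None:
            dead.append((i, hit))
    return dead


if __name__ == "__main__":
    acl = load_acl(SAMPLE_ACL)
    for user in ("fred", "danb", "daniel", "mallory"):
        print(user, check_access(acl, user))
    print("shadowed:", shadowed_rules(acl))
```

Because the first match wins, moving the dan* glob above the danb rule would silently turn the deny into dead configuration; shadowed_rules reports that case.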
3742
3743 -object authz-pam,id=id,service=string
3744 Create an authorization object that will control access to
3745 network services.
3746
3747 The service parameter provides the name of a PAM service to use
3748 for authorization. It requires that a file "/etc/pam.d/service"
3749 exist to provide the configuration for the "account" subsystem.
3750
3751 An example authorization object to validate a TLS x509
3752 distinguished name would look like:
3753
3754 # qemu-system-x86_64 \
3755 ...
3756 -object authz-pam,id=auth0,service=qemu-vnc
3757 ...
3758
3759 There would then be a corresponding config file for PAM at
3760 "/etc/pam.d/qemu-vnc" that contains:
3761
3762 account requisite pam_listfile.so item=user sense=allow \
3763 file=/etc/qemu/vnc.allow
3764
3765 Finally the "/etc/qemu/vnc.allow" file would contain the list
3766 of x509 distinguished names that are permitted access
3767
3768 CN=laptop.example.com,O=Example Home,L=London,ST=London,C=GB
3769
3770 During the graphical emulation, you can use special key combinations to
3771 change modes. The default key mappings are shown below, but if you use
3772 "-alt-grab" then the modifier is Ctrl-Alt-Shift (instead of Ctrl-Alt)
3773 and if you use "-ctrl-grab" then the modifier is the right Ctrl key
3774 (instead of Ctrl-Alt):
3775
3776 Ctrl-Alt-f
3777 Toggle full screen
3778
3779 Ctrl-Alt-+
3780 Enlarge the screen
3781
3782 Ctrl-Alt--
3783 Shrink the screen
3784
3785 Ctrl-Alt-u
3786 Restore the screen's un-scaled dimensions
3787
3788 Ctrl-Alt-n
3789 Switch to virtual console 'n'. Standard console mappings are:
3790
3791 1 Target system display
3792
3793 2 Monitor
3794
3795 3 Serial port
3796
3797 Ctrl-Alt
3798 Toggle mouse and keyboard grab.
3799
3800 In the virtual consoles, you can use Ctrl-Up, Ctrl-Down, Ctrl-PageUp
3801 and Ctrl-PageDown to move in the back log.
3802
3803 During emulation, if you are using a character backend multiplexer
3804 (which is the default if you are using -nographic) then several
3805 commands are available via an escape sequence. These key sequences all
3806 start with an escape character, which is Ctrl-a by default, but can be
3807 changed with -echr. The list below assumes you're using the default.
3808
3809 Ctrl-a h
3810 Print this help
3811
3812 Ctrl-a x
3813 Exit emulator
3814
3815 Ctrl-a s
3816 Save disk data back to file (if -snapshot)
3817
3818 Ctrl-a t
3819 Toggle console timestamps
3820
3821 Ctrl-a b
3822 Send break (magic sysrq in Linux)
3823
3824 Ctrl-a c
3825 Rotate between the frontends connected to the multiplexer (usually
3826 this switches between the monitor and the console)
3827
3828 Ctrl-a Ctrl-a
3829 Send the escape character to the frontend
3830
3831 The following options are specific to the PowerPC emulation:
3832
3833 -g WxH[xDEPTH]
3834 Set the initial VGA graphic mode. The default is 800x600x32.
3835
3836 -prom-env string
3837 Set OpenBIOS variables in NVRAM, for example:
3838
3839 qemu-system-ppc -prom-env 'auto-boot?=false' \
3840 -prom-env 'boot-device=hd:2,\yaboot' \
3841 -prom-env 'boot-args=conf=hd:2,\yaboot.conf'
3842
3843 These variables are not used by Open Hack'Ware.
3844
3845 The following options are specific to the Sparc32 emulation:
3846
3847 -g WxH[xDEPTH]
3848 Set the initial graphics mode. For TCX, the default is 1024x768x8
3849 with the option of 1024x768x24. For cgthree, the default is
3850 1024x768x8 with the option of 1152x900x8 for people who wish to use
3851 OBP.
3852
3853 -prom-env string
3854 Set OpenBIOS variables in NVRAM, for example:
3855
3856 qemu-system-sparc -prom-env 'auto-boot?=false' \
3857 -prom-env 'boot-device=sd(0,2,0):d' -prom-env 'boot-args=linux single'
3858
3859 -M [SS-4|SS-5|SS-10|SS-20|SS-600MP|LX|Voyager|SPARCClassic]
3860 [|SPARCbook]
3861 Set the emulated machine type. Default is SS-5.
3862
3863 The following options are specific to the Sparc64 emulation:
3864
3865 -prom-env string
3866 Set OpenBIOS variables in NVRAM, for example:
3867
3868 qemu-system-sparc64 -prom-env 'auto-boot?=false'
3869
3870 -M [sun4u|sun4v|niagara]
3871 Set the emulated machine type. The default is sun4u.
3872
3873 The following options are specific to the ARM emulation:
3874
3875 -semihosting
3876 Enable semihosting syscall emulation.
3877
3878 On ARM this implements the "Angel" interface.
3879
3880 Note that this allows guest direct access to the host filesystem,
3881 so should only be used with trusted guest OS.
3882
3883 The following options are specific to the ColdFire emulation:
3884
3885 -semihosting
3886 Enable semihosting syscall emulation.
3887
3888 On M68K this implements the "ColdFire GDB" interface used by
3889 libgloss.
3890
3891 Note that this allows guest direct access to the host filesystem,
3892 so should only be used with trusted guest OS.
3893
3894 The following options are specific to the Xtensa emulation:
3895
3896 -semihosting
3897 Enable semihosting syscall emulation.
3898
3899 Xtensa semihosting provides basic file IO calls, such as
3900 open/read/write/seek/select. Tensilica baremetal libc for ISS and
3901 linux platform "sim" use this interface.
3902
3903 Note that this allows guest direct access to the host filesystem,
3904 so should only be used with trusted guest OS.
3905
3907 In addition to using normal file images for the emulated storage
3908 devices, QEMU can also use networked resources such as iSCSI devices.
3909 These are specified using a special URL syntax.
3910
3911 iSCSI
3912 iSCSI support allows QEMU to access iSCSI resources directly and
3913 use as images for the guest storage. Both disk and cdrom images are
3914 supported.
3915
3916 Syntax for specifying iSCSI LUNs is
3917 "iscsi://<target-ip>[:<port>]/<target-iqn>/<lun>"
3918
3919 By default qemu will use the iSCSI initiator-name
3920 'iqn.2008-11.org.linux-kvm[:<name>]' but this can also be set from
3921 the command line or a configuration file.
3922
3923 Since QEMU version 2.4 it is possible to specify an iSCSI request
3924 timeout to detect stalled requests and force a reestablishment of
3925 the session. The timeout is specified in seconds. The default is 0
3926 which means no timeout. Libiscsi 1.15.0 or greater is required for
3927 this feature.
3928
3929 Example (without authentication):
3930
3931 qemu-system-x86_64 -iscsi initiator-name=iqn.2001-04.com.example:my-initiator \
3932 -cdrom iscsi://192.0.2.1/iqn.2001-04.com.example/2 \
3933 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
3934
3935 Example (CHAP username/password via URL):
3936
3937 qemu-system-x86_64 -drive file=iscsi://user%password@192.0.2.1/iqn.2001-04.com.example/1
3938
3939 Example (CHAP username/password via environment variables):
3940
3941 LIBISCSI_CHAP_USERNAME="user" \
3942 LIBISCSI_CHAP_PASSWORD="password" \
3943 qemu-system-x86_64 -drive file=iscsi://192.0.2.1/iqn.2001-04.com.example/1
3944
NBD
QEMU supports NBD (Network Block Devices) over both TCP and Unix
Domain Sockets. With TCP, the default port is 10809.

Syntax for specifying an NBD device using TCP, in preferred URI
form: "nbd://<server-ip>[:<port>]/[<export>]"

Syntax for specifying an NBD device using Unix Domain Sockets;
remember that '?' is a shell glob character and may need quoting:
"nbd+unix:///[<export>]?socket=<domain-socket>"

Older syntax that is also recognized:
"nbd:<server-ip>:<port>[:exportname=<export>]"

Syntax for specifying an NBD device using Unix Domain Sockets
"nbd:unix:<domain-socket>[:exportname=<export>]"

Example for TCP

qemu-system-x86_64 --drive file=nbd:192.0.2.1:30000

Example for Unix Domain Sockets

qemu-system-x86_64 --drive file=nbd:unix:/tmp/nbd-socket

SSH
QEMU supports SSH (Secure Shell) access to remote disks.

Examples:

qemu-system-x86_64 -drive file=ssh://user@host/path/to/disk.img
qemu-system-x86_64 -drive file.driver=ssh,file.user=user,file.host=host,file.port=22,file.path=/path/to/disk.img

Currently authentication must be done using ssh-agent. Other
authentication methods may be supported in future.

Sheepdog
Sheepdog is a distributed storage system for QEMU. QEMU supports
using either local sheepdog devices or remote networked devices.

Syntax for specifying a sheepdog device

sheepdog[+tcp|+unix]://[host:port]/vdiname[?socket=path][#snapid|#tag]

Example

qemu-system-x86_64 --drive file=sheepdog://192.0.2.1:30000/MyVirtualMachine

See also <https://sheepdog.github.io/sheepdog/>.

GlusterFS
GlusterFS is a user space distributed file system. QEMU supports
the use of GlusterFS volumes for hosting VM disk images using TCP,
Unix Domain Sockets and RDMA transport protocols.

Syntax for specifying a VM disk image on GlusterFS volume is

URI:
gluster[+type]://[host[:port]]/volume/path[?socket=...][,debug=N][,logfile=...]

JSON:
'json:{"driver":"qcow2","file":{"driver":"gluster","volume":"testvol","path":"a.img","debug":N,"logfile":"...",
"server":[{"type":"tcp","host":"...","port":"..."},
{"type":"unix","socket":"..."}]}}'

Example

URI:
qemu-system-x86_64 --drive file=gluster://192.0.2.1/testvol/a.img,file.debug=9,file.logfile=/var/log/qemu-gluster.log

JSON:
qemu-system-x86_64 'json:{"driver":"qcow2",
"file":{"driver":"gluster",
"volume":"testvol","path":"a.img",
"debug":9,"logfile":"/var/log/qemu-gluster.log",
"server":[{"type":"tcp","host":"1.2.3.4","port":24007},
{"type":"unix","socket":"/var/run/glusterd.socket"}]}}'
qemu-system-x86_64 -drive driver=qcow2,file.driver=gluster,file.volume=testvol,file.path=/path/a.img,file.debug=9,file.logfile=/var/log/qemu-gluster.log,file.server.0.type=tcp,file.server.0.host=1.2.3.4,file.server.0.port=24007,file.server.1.type=unix,file.server.1.socket=/var/run/glusterd.socket

See also <http://www.gluster.org>.

HTTP/HTTPS/FTP/FTPS
QEMU supports read-only access to files accessed over http(s) and
ftp(s).

Syntax using a single filename:

<protocol>://[<username>[:<password>]@]<host>/<path>

where:

protocol
'http', 'https', 'ftp', or 'ftps'.

username
Optional username for authentication to the remote server.

password
Optional password for authentication to the remote server.

host
Address of the remote server.

path
Path on the remote server, including any query string.

The following options are also supported:

url
The full URL when passing options to the driver explicitly.

readahead
The amount of data to read ahead with each range request to the
remote server. This value may optionally have the suffix 'T',
'G', 'M', 'K', 'k' or 'b'. If it does not have a suffix, it
will be assumed to be in bytes. The value must be a multiple of
512 bytes. It defaults to 256k.

sslverify
Whether to verify the remote server's certificate when
connecting over SSL. It can have the value 'on' or 'off'. It
defaults to 'on'.

cookie
Send this cookie (it can also be a list of cookies separated by
';') with each outgoing request. Only supported when using
protocols such as HTTP which support cookies, otherwise
ignored.

timeout
Set the timeout in seconds of the CURL connection. This timeout
is the time that CURL waits for a response from the remote
server to get the size of the image to be downloaded. If not
set, the default timeout of 5 seconds is used.

Note that when passing options to qemu explicitly, driver is the
value of <protocol>.

Example: boot from a remote Fedora 20 live ISO image

qemu-system-x86_64 --drive media=cdrom,file=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly

qemu-system-x86_64 --drive media=cdrom,file.driver=http,file.url=http://archives.fedoraproject.org/pub/fedora/linux/releases/20/Live/x86_64/Fedora-Live-Desktop-x86_64-20-1.iso,readonly

Example: boot from a remote Fedora 20 cloud image using a local
overlay for writes, copy-on-read, and a readahead of 64k

qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"http",, "file.url":"http://archives.fedoraproject.org/pub/archive/fedora/linux/releases/20/Images/x86_64/Fedora-x86_64-20-20131211.1-sda.qcow2",, "file.readahead":"64k"}' /tmp/Fedora-x86_64-20-20131211.1-sda.qcow2

qemu-system-x86_64 -drive file=/tmp/Fedora-x86_64-20-20131211.1-sda.qcow2,copy-on-read=on

Example: boot from an image stored on a VMware vSphere server with
a self-signed certificate using a local overlay for writes, a
readahead of 64k and a timeout of 10 seconds.

qemu-img create -f qcow2 -o backing_file='json:{"file.driver":"https",, "file.url":"https://user:password@vsphere.example.com/folder/test/test-flat.vmdk?dcPath=Datacenter&dsName=datastore1",, "file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10}' /tmp/test.qcow2

qemu-system-x86_64 -drive file=/tmp/test.qcow2

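The options above decide whether a remote image is fetched with a verified server certificate and whether a password travels in the URL. The following added example (not part of the QEMU documentation; the function names and finding texts are hypothetical) reads either a json:{...} specification or a -drive key=value string as used in the examples above and reports the settings a reviewer would want to see before the image is trusted. The input is constructed.

```python
import json
import re
from urllib.parse import urlsplit

UNITS = {"": 1, "b": 1, "k": 1 << 10, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30, "T": 1 << 40}

def curl_options(spec):
    """Flatten a json:{...} spec or a -drive key=value string to file.* options."""
    if spec.startswith("json:"):
        # ',,' is how a literal comma is written inside a qemu-img -o value
        raw = json.loads(spec[5:].replace(",,", ","))
    else:
        raw = dict(p.partition("=")[::2] for p in re.split(r"(?<!,),(?!,)", spec))
    opts = {k[5:]: v for k, v in raw.items() if k.startswith("file.")}
    if isinstance(raw.get("file"), str):    # single-filename form: file=<URL>
        opts.setdefault("url", raw["file"])
    opts.setdefault("driver", urlsplit(str(opts.get("url", ""))).scheme)
    return opts

def size_bytes(value):
    """Parse a readahead value: digits with an optional T/G/M/K/k/b suffix."""
    m = re.fullmatch(r"(\d+)([TGMKkb]?)", str(value))
    if m is None:
        raise ValueError("bad size: %r" % (value,))
    return int(m[1]) * UNITS[m[2]]

def audit(spec):
    """Return review findings for one http(s)/ftp(s) image specification."""
    opts, findings = curl_options(spec), []
    if opts["driver"] not in ("http", "https", "ftp", "ftps"):
        return findings
    if opts["driver"] in ("http", "ftp"):
        findings.append("no TLS: image is fetched over %s" % opts["driver"])
    if urlsplit(str(opts.get("url", ""))).password is not None:
        findings.append("password embedded in URL")
    if str(opts.get("sslverify", "on")) == "off":
        findings.append("sslverify=off: server certificate is not verified")
    if size_bytes(opts.get("readahead", "256k")) % 512:
        findings.append("readahead is not a multiple of 512 bytes")
    return findings

# Constructed input, modelled on the vSphere example above.
VSPHERE = ('json:{"file.driver":"https",, "file.url":"https://user:password@'
           'vsphere.example.com/folder/test/test-flat.vmdk",, '
           '"file.sslverify":"off",, "file.readahead":"64k",, "file.timeout":10}')

if __name__ == "__main__":
    print("\n".join(audit(VSPHERE)))
```
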
The HTML documentation of QEMU for more precise information and Linux
user mode emulator invocation.

Fabrice Bellard

2020-03-17 QEMU.1(1)