Provided by: libvirt-clients_8.0.0-1ubuntu7.11_amd64 
NAME
virsh - management user interface
SYNOPSIS
virsh [OPTION]... [COMMAND_STRING]
virsh [OPTION]... COMMAND [ARG]...
DESCRIPTION
The virsh program is the main interface for managing virsh guest domains. The program can be used to
create, pause, and shutdown domains. It can also be used to list current domains. Libvirt is a C toolkit
to interact with the virtualization capabilities of recent versions of Linux (and other OSes). It is free
software available under the GNU Lesser General Public License. Virtualization of the Linux Operating
System means the ability to run multiple instances of Operating Systems concurrently on a single hardware
system where the basic resources are driven by a Linux instance. The library aims at providing a long
term stable C API. It currently supports Xen, QEMU, KVM, LXC, OpenVZ, VirtualBox and VMware ESX.
The basic structure of most virsh usage is:
virsh [OPTION]... <command> <domain> [ARG]...
Where command is one of the commands listed below; domain is the numeric domain id, or the domain name,
or the domain UUID; and ARGS are command specific options. There are a few exceptions to this rule in
the cases where the command in question acts on all domains, the entire machine, or directly on the xen
hypervisor. Those exceptions will be clear for each of those commands. Note: it is permissible to give
numeric names to domains, however, doing so will result in a domain that can only be identified by domain
id. In other words, if a numeric value is supplied it will be interpreted as a domain id, not as a name.
Any command starting with # is treated as a comment and silently ignored, all other unrecognized commands
are diagnosed.
The virsh program can be used either to run one COMMAND by giving the command and its arguments on the
shell command line, or a COMMAND_STRING which is a single shell argument consisting of multiple COMMAND
actions and their arguments joined with whitespace and separated by semicolons or newlines between
commands, where unquoted backslash-newline pairs are elided. Within COMMAND_STRING, virsh understands
the same single, double, and backslash escapes as the shell, although you must add another layer of shell
escaping in creating the single shell argument, and any word starting with unquoted # begins a comment
that ends at newline. If no command is given in the command line, virsh will then start a minimal
interpreter waiting for your commands, and the quit command will then exit the program.
The virsh program understands the following OPTIONS.
-c, --connect URI
Connect to the specified URI, as if by the connect command, instead of the default connection.
-d, --debug LEVEL
Enable debug messages at integer LEVEL and above. LEVEL can range from 0 to 4 (default). See the
documentation of VIRSH_DEBUG environment variable below for the description of each LEVEL.
• -e, --escape string
Set alternative escape sequence for console command. By default, telnet's ^] is used. Allowed characters
when using hat notation are: alphabetic character, @, [, ], , ^, _.
• -h, --help
Ignore all other arguments, and behave as if the help command were given instead.
• -k, --keepalive-interval INTERVAL
Set an INTERVAL (in seconds) for sending keepalive messages to check whether connection to the server is
still alive. Setting the interval to 0 disables client keepalive mechanism.
• -K, --keepalive-count COUNT
Set a number of times keepalive message can be sent without getting an answer from the server without
marking the connection dead. There is no effect to this setting in case the INTERVAL is set to 0.
• -l, --log FILE
Output logging details to FILE.
• -q, --quiet
Avoid extra informational messages.
• -r, --readonly
Make the initial connection read-only, as if by the --readonly option of the connect command.
• -t, --timing
Output elapsed time information for each command.
• -v, --version[=short]
Ignore all other arguments, and prints the version of the libvirt library virsh is coming from
• -V, --version=long
Ignore all other arguments, and prints the version of the libvirt library virsh is coming from and which
options and driver are compiled in.
NOTES
Most virsh operations rely upon the libvirt library being able to connect to an already running libvirtd
service. This can usually be done using the command service libvirtd start.
Most virsh commands require root privileges to run due to the communications channels used to talk to the
hypervisor. Running as non root will return an error.
Most virsh commands act synchronously, except maybe shutdown, setvcpus and setmem. In those cases the
fact that the virsh program returned, may not mean the action is complete and you must poll periodically
to detect that the guest completed the operation.
virsh strives for backward compatibility. Although the help command only lists the preferred usage of a
command, if an older version of virsh supported an alternate spelling of a command or option (such as
--tunnelled instead of --tunneled), then scripts using that older spelling will continue to work.
Several virsh commands take an optionally scaled integer; if no scale is provided, then the default is
listed in the command (for historical reasons, some commands default to bytes, while other commands
default to kibibytes). The following case-insensitive suffixes can be used to select a specific scale:
b, byte byte 1
KB kilobyte 1,000
k, KiB kibibyte 1,024
MB megabyte 1,000,000
M, MiB mebibyte 1,048,576
GB gigabyte 1,000,000,000
G, GiB gibibyte 1,073,741,824
TB terabyte 1,000,000,000,000
T, TiB tebibyte 1,099,511,627,776
PB petabyte 1,000,000,000,000,000
P, PiB pebibyte 1,125,899,906,842,624
EB exabyte 1,000,000,000,000,000,000
E, EiB exbibyte 1,152,921,504,606,846,976
GENERIC COMMANDS
The following commands are generic i.e. not specific to a domain.
help
Syntax:
help [command-or-group]
This lists each of the virsh commands. When used without options, all commands are listed, one per line,
grouped into related categories, displaying the keyword for each group.
To display only commands for a specific group, give the keyword for that group as an option. For
example:
Example 1:
virsh # help host
Host and Hypervisor (help keyword 'host'):
capabilities capabilities
cpu-models show the CPU models for an architecture
connect (re)connect to hypervisor
freecell NUMA free memory
hostname print the hypervisor hostname
qemu-attach Attach to existing QEMU process
qemu-monitor-command QEMU Monitor Command
qemu-agent-command QEMU Guest Agent Command
sysinfo print the hypervisor sysinfo
uri print the hypervisor canonical URI
To display detailed information for a specific command, give its name as the option instead. For
example:
Example 2:
virsh # help list
NAME
list - list domains
SYNOPSIS
list [--inactive] [--all]
DESCRIPTION
Returns list of domains.
OPTIONS
--inactive list inactive domains
--all list inactive & active domains
quit, exit
Syntax:
quit
exit
quit this interactive terminal
version
Syntax:
version [--daemon]
Will print out the major version info about what this built from. If --daemon is specified then the
version of the libvirt daemon is included in the output.
Example:
$ virsh version
Compiled against library: libvirt 1.2.3
Using library: libvirt 1.2.3
Using API: QEMU 1.2.3
Running hypervisor: QEMU 2.0.50
$ virsh version --daemon
Compiled against library: libvirt 1.2.3
Using library: libvirt 1.2.3
Using API: QEMU 1.2.3
Running hypervisor: QEMU 2.0.50
Running against daemon: 1.2.6
cd
Syntax:
cd [directory]
Will change current directory to directory. The default directory for the cd command is the home
directory or, if there is no HOME variable in the environment, the root directory.
This command is only available in interactive mode.
pwd
Syntax:
pwd
Will print the current directory.
connect
Syntax:
connect [URI] [--readonly]
(Re)-Connect to the hypervisor. When the shell is first started, this is automatically run with the URI
parameter requested by the -c option on the command line. The URI parameter specifies how to connect to
the hypervisor. The URI docs https://libvirt.org/uri.html list the values supported, but the most common
are:
• xen:///system
this is used to connect to the local Xen hypervisor
• qemu:///system
connect locally as root to the daemon supervising QEMU and KVM domains
• qemu:///session
connect locally as a normal user to his own set of QEMU and KVM domains
• lxc:///system
connect to a local linux container
To find the currently used URI, check the uri command documented below.
For remote access see the URI docs https://libvirt.org/uri.html on how to make URIs. The --readonly
option allows for read-only connection
uri
Syntax:
uri
Prints the hypervisor canonical URI, can be useful in shell mode.
hostname
Syntax:
hostname
Print the hypervisor hostname.
sysinfo
Syntax:
sysinfo
Print the XML representation of the hypervisor sysinfo, if available.
nodeinfo
Syntax:
nodeinfo
Returns basic information about the node, like number and type of CPU, and size of the physical memory.
The output corresponds to virNodeInfo structure. Specifically, the "CPU socket(s)" field means number of
CPU sockets per NUMA cell. The information libvirt displays is dependent upon what each architecture may
provide.
nodecpumap
Syntax:
nodecpumap [--pretty]
Displays the node's total number of CPUs, the number of online CPUs and the list of online CPUs.
With --pretty the online CPUs are printed as a range instead of a list.
nodecpustats
Syntax:
nodecpustats [cpu] [--percent]
Returns cpu stats of the node. If cpu is specified, this will print the specified cpu statistics only.
If --percent is specified, this will print the percentage of each kind of cpu statistics during 1 second.
nodememstats
Syntax:
nodememstats [cell]
Returns memory stats of the node. If cell is specified, this will print the specified cell statistics
only.
nodesevinfo
Syntax:
nodesevinfo
Reports information about the AMD SEV launch security features for the node, if any. Some of this
information is also reported in the domain capabilities XML document.
nodesuspend
Syntax:
nodesuspend [target] [duration]
Puts the node (host machine) into a system-wide sleep state and schedule the node's Real-Time-Clock
interrupt to resume the node after the time duration specified by duration is out. target specifies the
state to which the host will be suspended to, it can be "mem" (suspend to RAM), "disk" (suspend to disk),
or "hybrid" (suspend to both RAM and disk). duration specifies the time duration in seconds for which
the host has to be suspended, it should be at least 60 seconds.
node-memory-tune
Syntax:
node-memory-tune [shm-pages-to-scan] [shm-sleep-millisecs] [shm-merge-across-nodes]
Allows you to display or set the node memory parameters. shm-pages-to-scan can be used to set the number
of pages to scan before the shared memory service goes to sleep; shm-sleep-millisecs can be used to set
the number of millisecs the shared memory service should sleep before next scan; shm-merge-across-nodes
specifies if pages from different numa nodes can be merged. When set to 0, only pages which physically
reside in the memory area of same NUMA node can be merged. When set to 1, pages from all nodes can be
merged. Default to 1.
Note: Currently the "shared memory service" only means KSM (Kernel Samepage Merging).
capabilities
Syntax:
capabilities
Print an XML document describing the capabilities of the hypervisor we are currently connected to. This
includes a section on the host capabilities in terms of CPU and features, and a set of description for
each kind of guest which can be virtualized. For a more complete description see:
https://libvirt.org/formatcaps.html
The XML also show the NUMA topology information if available.
domcapabilities
Syntax:
domcapabilities [virttype] [emulatorbin] [arch] [machine]
Print an XML document describing the domain capabilities for the hypervisor we are connected to using
information either sourced from an existing domain or taken from the virsh capabilities output. This may
be useful if you intend to create a new domain and are curious if for instance it could make use of VFIO
by creating a domain for the hypervisor with a specific emulator and architecture.
Each hypervisor will have different requirements regarding which options are required and which are
optional. A hypervisor can support providing a default value for any of the options.
The virttype option specifies the virtualization type used. The value to be used is either from the
'type' attribute of the <domain/> top level element from the domain XML or the 'type' attribute found
within each <guest/> element from the virsh capabilities output. The emulatorbin option specifies the
path to the emulator. The value to be used is either the <emulator> element in the domain XML or the
virsh capabilities output. The arch option specifies the architecture to be used for the domain. The
value to be used is either the "arch" attribute from the domain's XML <os/> element and <type/>
subelement or the "name" attribute of an <arch/> element from the virsh capabililites output. The machine
specifies the machine type for the emulator. The value to be used is either the "machine" attribute from
the domain's XML <os/> element and <type/> subelement or one from a list of machines from the virsh
capabilities output for a specific architecture and domain type.
For the QEMU hypervisor, a virttype of either 'qemu' or 'kvm' must be supplied along with either the
emulatorbin or arch in order to generate output for the default machine. Supplying a machine value will
generate output for the specific machine.
pool-capabilities
Syntax:
pool-capabilities
Print an XML document describing the storage pool capabilities for the connected storage driver. This may
be useful if you intend to create a new storage pool and need to know the available pool types and
supported storage pool source and target volume formats as well as the required source elements to create
the pool.
inject-nmi
Syntax:
inject-nmi domain
Inject NMI to the guest.
list
Syntax:
list [--inactive | --all]
[--managed-save] [--title]
{ [--table] | --name | --uuid | --id }
[--persistent] [--transient]
[--with-managed-save] [--without-managed-save]
[--autostart] [--no-autostart]
[--with-snapshot] [--without-snapshot]
[--with-checkpoint] [--without-checkpoint]
[--state-running] [--state-paused]
[--state-shutoff] [--state-other]
Prints information about existing domains. If no options are specified it prints out information about
running domains.
Example 1:
An example format for the list is as follows:
``virsh`` list
Id Name State
----------------------------------------------------
0 Domain-0 running
2 fedora paused
Name is the name of the domain. ID the domain numeric id. State is the run state (see below).
STATES
The State field lists what state each domain is currently in. A domain can be in one of the following
possible states:
• running
The domain is currently running on a CPU
• idle
The domain is idle, and not running or runnable. This can be caused because the domain is waiting on
IO (a traditional wait state) or has gone to sleep because there was nothing else for it to do.
• paused
The domain has been paused, usually occurring through the administrator running virsh suspend. When in
a paused state the domain will still consume allocated resources like memory, but will not be eligible
for scheduling by the hypervisor.
• in shutdown
The domain is in the process of shutting down, i.e. the guest operating system has been notified and
should be in the process of stopping its operations gracefully.
• shut off
The domain is not running. Usually this indicates the domain has been shut down completely, or has not
been started.
• crashed
The domain has crashed, which is always a violent ending. Usually this state can only occur if the
domain has been configured not to restart on crash.
• pmsuspended
The domain has been suspended by guest power management, e.g. entered into s3 state.
Normally only active domains are listed. To list inactive domains specify --inactive or --all to list
both active and inactive domains.
Filtering
To further filter the list of domains you may specify one or more of filtering flags supported by the
list command. These flags are grouped by function. Specifying one or more flags from a group enables the
filter group. Note that some combinations of flags may yield no results. Supported filtering flags and
groups:
Persistence
Flag --persistent is used to include persistent guests in the returned list. To include transient guests
specify --transient.
Existence of managed save image
To list domains having a managed save image specify flag --with-managed-save. For domains that don't have
a managed save image specify --without-managed-save.
Domain state
The following filter flags select a domain by its state: --state-running for running domains,
--state-paused for paused domains, --state-shutoff for turned off domains and --state-other for all
other states as a fallback.
Autostarting domains
To list autostarting domains use the flag --autostart. To list domains with this feature disabled use
--no-autostart.
Snapshot existence
Domains that have snapshot images can be listed using flag --with-snapshot, domains without a snapshot
--without-snapshot.
Checkpoint existence
Domains that have checkpoints can be listed using flag --with-checkpoint, domains without a checkpoint
--without-checkpoint.
When talking to older servers, this command is forced to use a series of API calls with an inherent race,
where a domain might not be listed or might appear more than once if it changed state between calls while
the list was being collected. Newer servers do not have this problem.
If --managed-save is specified, then domains that have managed save state (only possible if they are in
the shut off state, so you need to specify --inactive or --all to actually list them) will instead show
as saved in the listing. This flag is usable only with the default --table output. Note that this flag
does not filter the list of domains.
If --name is specified, domain names are printed instead of the table formatted one per line. If --uuid
is specified domain's UUID's are printed instead of names. If --id is specified then domain's ID's are
printed indead of names. However, it is possible to combine --name, --uuid and --id to select only
desired fields for printing. Flag --table specifies that the legacy table-formatted output should be
used, but it is mutually exclusive with --name, --uuid and --id. This is the default and will be used if
neither of --name, --uuid or --id is specified. If neither --name nor --uuid is specified, but --id is,
then only active domains are listed, even with the --all parameter as otherwise the output would just
contain bunch of lines with just -1.
If --title is specified, then the short domain description (title) is printed in an extra column. This
flag is usable only with the default --table output.
Example 2:
$ virsh list --title
Id Name State Title
-------------------------------------------
0 Domain-0 running Mailserver 1
2 fedora paused
freecell
Syntax:
freecell [{ [--cellno] cellno | --all }]
Prints the available amount of memory on the machine or within a NUMA cell. The freecell command can
provide one of three different displays of available memory on the machine depending on the options
specified. With no options, it displays the total free memory on the machine. With the --all option, it
displays the free memory in each cell and the total free memory on the machine. Finally, with a numeric
argument or with --cellno plus a cell number it will display the free memory for the specified cell only.
freepages
Syntax:
freepages [{ [--cellno] cellno [--pagesize] pagesize | --all }]
Prints the available amount of pages within a NUMA cell. cellno refers to the NUMA cell you're interested
in. pagesize is a scaled integer (see NOTES above). Alternatively, if --all is used, info on each
possible combination of NUMA cell and page size is printed out.
allocpages
Syntax:
allocpages [--pagesize] pagesize [--pagecount] pagecount [[--cellno] cellno] [--add] [--all]
Change the size of pages pool of pagesize on the host. If --add is specified, then pagecount pages are
added into the pool. However, if --add wasn't specified, then the pagecount is taken as the new absolute
size of the pool (this may be used to free some pages and size the pool down). The cellno modifier can be
used to narrow the modification down to a single host NUMA cell. On the other end of spectrum lies --all
which executes the modification on all NUMA cells.
cpu-baseline
Syntax:
cpu-baseline FILE [--features] [--migratable]
Compute baseline CPU which will be supported by all host CPUs given in <file>. (See
hypervisor-cpu-baseline command to get a CPU which can be provided by a specific hypervisor.) The list of
host CPUs is built by extracting all <cpu> elements from the <file>. Thus, the <file> can contain either
a set of <cpu> elements separated by new lines or even a set of complete <capabilities> elements printed
by capabilities command. If --features is specified, then the resulting XML description will explicitly
include all features that make up the CPU, without this option features that are part of the CPU model
will not be listed in the XML description. If --migratable is specified, features that block migration
will not be included in the resulting CPU.
cpu-compare
Syntax:
cpu-compare FILE [--error] [--validate]
Compare CPU definition from XML <file> with host CPU. (See hypervisor-cpu-compare command for comparing
the CPU definition with the CPU which a specific hypervisor is able to provide on the host.) The XML
<file> may contain either host or guest CPU definition. The host CPU definition is the <cpu> element and
its contents as printed by capabilities command. The guest CPU definition is the <cpu> element and its
contents from domain XML definition or the CPU definition created from the host CPU model found in domain
capabilities XML (printed by domcapabilities command). In addition to the <cpu> element itself, this
command accepts full domain XML, capabilities XML, or domain capabilities XML containing the CPU
definition. For more information on guest CPU definition see:
https://libvirt.org/formatdomain.html#elementsCPU. If --error is specified, the command will return an
error when the given CPU is incompatible with host CPU and a message providing more details about the
incompatibility will be printed out. If --validate is specified, validates the format of the XML document
against an internal RNG schema.
cpu-models
Syntax:
cpu-models arch
Print the list of CPU models known by libvirt for the specified architecture. Whether a specific
hypervisor is able to create a domain which uses any of the printed CPU models is a separate question
which can be answered by looking at the domain capabilities XML returned by domcapabilities command.
Moreover, for some architectures libvirt does not know any CPU models and the usable CPU models are only
limited by the hypervisor. This command will print that all CPU models are accepted for these
architectures and the actual list of supported CPU models can be checked in the domain capabilities XML.
hypervisor-cpu-compare
Syntax:
hypervisor-cpu-compare FILE [virttype] [emulator] [arch] [machine] [--error] [--validate]
Compare CPU definition from XML <file> with the CPU the hypervisor is able to provide on the host. (This
is different from cpu-compare which compares the CPU definition with the host CPU without considering any
specific hypervisor and its abilities.)
The XML FILE may contain either a host or guest CPU definition. The host CPU definition is the <cpu>
element and its contents as printed by the capabilities command. The guest CPU definition is the <cpu>
element and its contents from the domain XML definition or the CPU definition created from the host CPU
model found in the domain capabilities XML (printed by the domcapabilities command). In addition to the
<cpu> element itself, this command accepts full domain XML, capabilities XML, or domain capabilities XML
containing the CPU definition. For more information on guest CPU definition see:
https://libvirt.org/formatdomain.html#elementsCPU.
The virttype option specifies the virtualization type (usable in the 'type' attribute of the <domain> top
level element from the domain XML). emulator specifies the path to the emulator, arch specifies the CPU
architecture, and machine specifies the machine type. If --error is specified, the command will return an
error when the given CPU is incompatible with the host CPU and a message providing more details about the
incompatibility will be printed out. If --validate is specified, validates the format of the XML
document against an internal RNG schema.
hypervisor-cpu-baseline
Syntax:
hypervisor-cpu-baseline FILE [virttype] [emulator] [arch] [machine] [--features] [--migratable]
Compute a baseline CPU which will be compatible with all CPUs defined in an XML file and with the CPU the
hypervisor is able to provide on the host. (This is different from cpu-baseline which does not consider
any hypervisor abilities when computing the baseline CPU.)
The XML FILE may contain either host or guest CPU definitions describing the host CPU model. The host CPU
definition is the <cpu> element and its contents as printed by capabilities command. The guest CPU
definition may be created from the host CPU model found in domain capabilities XML (printed by
domcapabilities command). In addition to the <cpu> elements, this command accepts full capabilities XMLs,
or domain capabilities XMLs containing the CPU definitions. It is recommended to use only the CPU
definitions from domain capabilities, as on some architectures using the host CPU definition may either
fail or provide unexpected results.
When FILE contains only a single CPU definition, the command will print the same CPU with restrictions
imposed by the capabilities of the hypervisor. Specifically, running th virsh hypervisor-cpu-baseline
command with no additional options on the result of virsh domcapabilities will transform the host CPU
model from domain capabilities XML to a form directly usable in domain XML.
The virttype option specifies the virtualization type (usable in the 'type' attribute of the <domain> top
level element from the domain XML). emulator specifies the path to the emulator, arch specifies the CPU
architecture, and machine specifies the machine type. If --features is specified, then the resulting XML
description will explicitly include all features that make up the CPU, without this option features that
are part of the CPU model will not be listed in the XML description. If --migratable is specified,
features that block migration will not be included in the resulting CPU.
DOMAIN COMMANDS
The following commands manipulate domains directly, as stated previously most commands take domain as the
first parameter. The domain can be specified as a short integer, a name or a full UUID.
autostart
Syntax:
autostart [--disable] domain
Configure a domain to be automatically started at boot.
The option --disable disables autostarting.
blkdeviotune
Syntax:
blkdeviotune domain device [[--config] [--live] | [--current]]
[[total-bytes-sec] | [read-bytes-sec] [write-bytes-sec]]
[[total-iops-sec] | [read-iops-sec] [write-iops-sec]]
[[total-bytes-sec-max] | [read-bytes-sec-max] [write-bytes-sec-max]]
[[total-iops-sec-max] | [read-iops-sec-max] [write-iops-sec-max]]
[[total-bytes-sec-max-length] |
[read-bytes-sec-max-length] [write-bytes-sec-max-length]]
[[total-iops-sec-max-length] |
[read-iops-sec-max-length] [write-iops-sec-max-length]]
[size-iops-sec] [group-name]
Set or query the block disk io parameters for a block device of domain. device specifies a unique target
name (<target dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached
to domain (see also domblklist for listing these names).
If no limit is specified, it will query current I/O limits setting. Otherwise, alter the limits with
these flags: --total-bytes-sec specifies total throughput limit as a scaled integer, the default being
bytes per second if no suffix is specified. --read-bytes-sec specifies read throughput limit as a scaled
integer, the default being bytes per second if no suffix is specified. --write-bytes-sec specifies write
throughput limit as a scaled integer, the default being bytes per second if no suffix is specified.
--total-iops-sec specifies total I/O operations limit per second. --read-iops-sec specifies read I/O
operations limit per second. --write-iops-sec specifies write I/O operations limit per second.
--total-bytes-sec-max specifies maximum total throughput limit as a scaled integer, the default being
bytes per second if no suffix is specified --read-bytes-sec-max specifies maximum read throughput limit
as a scaled integer, the default being bytes per second if no suffix is specified. --write-bytes-sec-max
specifies maximum write throughput limit as a scaled integer, the default being bytes per second if no
suffix is specified. --total-iops-sec-max specifies maximum total I/O operations limit per second.
--read-iops-sec-max specifies maximum read I/O operations limit per second. --write-iops-sec-max
specifies maximum write I/O operations limit per second. --total-bytes-sec-max-length specifies duration
in seconds to allow maximum total throughput limit. --read-bytes-sec-max-length specifies duration in
seconds to allow maximum read throughput limit. --write-bytes-sec-max-length specifies duration in
seconds to allow maximum write throughput limit. --total-iops-sec-max-length specifies duration in
seconds to allow maximum total I/O operations limit. --read-iops-sec-max-length specifies duration in
seconds to allow maximum read I/O operations limit. --write-iops-sec-max-length specifies duration in
seconds to allow maximum write I/O operations limit. --size-iops-sec specifies size I/O operations limit
per second. --group-name specifies group name to share I/O quota between multiple drives. For a QEMU
domain, if no name is provided, then the default is to have a single group for each device.
Older versions of virsh only accepted these options with underscore instead of dash, as in
--total_bytes_sec.
Bytes and iops values are independent, but setting only one value (such as --read-bytes-sec) resets the
other two in that category to unlimited. An explicit 0 also clears any limit. A non-zero value for a
given total cannot be mixed with non-zero values for read or write.
It is up to the hypervisor to determine how to handle the length values. For the QEMU hypervisor, if an
I/O limit value or maximum value is set, then the default value of 1 second will be displayed. Supplying
a 0 will reset the value back to the default.
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. When setting the disk io parameters both --live and --config flags may
be given, but --current is exclusive. For querying only one of --live, --config or --current can be
specified. If no flag is specified, behavior is different depending on hypervisor.
blkiotune
Syntax:
blkiotune domain [--weight weight] [--device-weights device-weights]
[--device-read-iops-sec device-read-iops-sec]
[--device-write-iops-sec device-write-iops-sec]
[--device-read-bytes-sec device-read-bytes-sec]
[--device-write-bytes-sec device-write-bytes-sec]
[[--config] [--live] | [--current]]
Display or set the blkio parameters. QEMU/KVM supports --weight. --weight is in range [100, 1000]. After
kernel 2.6.39, the value could be in the range [10, 1000].
device-weights is a single string listing one or more device/weight pairs, in the format of
/path/to/device,weight,/path/to/device,weight. Each weight is in the range [100, 1000], [10, 1000] after
kernel 2.6.39, or the value 0 to remove that device from per-device listings. Only the devices listed in
the string are modified; any existing per-device weights for other devices remain unchanged.
device-read-iops-sec is a single string listing one or more device/read_iops_sec pairs, int the format of
/path/to/device,read_iops_sec,/path/to/device,read_iops_sec. Each read_iops_sec is a number which type
is unsigned int, value 0 to remove that device from per-device listing. Only the devices listed in the
string are modified; any existing per-device read_iops_sec for other devices remain unchanged.
device-write-iops-sec is a single string listing one or more device/write_iops_sec pairs, int the format
of /path/to/device,write_iops_sec,/path/to/device,write_iops_sec. Each write_iops_sec is a number which
type is unsigned int, value 0 to remove that device from per-device listing. Only the devices listed in
the string are modified; any existing per-device write_iops_sec for other devices remain unchanged.
device-read-bytes-sec is a single string listing one or more device/read_bytes_sec pairs, int the format
of /path/to/device,read_bytes_sec,/path/to/device,read_bytes_sec. Each read_bytes_sec is a number which
type is unsigned long long, value 0 to remove that device from per-device listing. Only the devices
listed in the string are modified; any existing per-device read_bytes_sec for other devices remain
unchanged.
device-write-bytes-sec is a single string listing one or more device/write_bytes_sec pairs, int the
format of /path/to/device,write_bytes_sec,/path/to/device,write_bytes_sec. Each write_bytes_sec is a
number which type is unsigned long long, value 0 to remove that device from per-device listing. Only the
devices listed in the string are modified; any existing per-device write_bytes_sec for other devices
remain unchanged.
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
If no flag is specified, behavior is different depending on hypervisor.
blockcommit
Syntax:
blockcommit domain path [bandwidth] [--bytes] [base]
[--shallow] [top] [--delete] [--keep-relative]
[--wait [--async] [--verbose]] [--timeout seconds]
[--active] [{--pivot | --keep-overlay}]
Reduce the length of a backing image chain, by committing changes at the top of the chain (snapshot or
delta files) into backing images. By default, this command attempts to flatten the entire chain. If
base and/or top are specified as files within the backing chain, then the operation is constrained to
committing just that portion of the chain; --shallow can be used instead of base to specify the immediate
backing file of the resulting top image to be committed. The files being committed are rendered invalid,
possibly as soon as the operation starts; using the --delete flag will attempt to remove these
invalidated files at the successful completion of the commit operation. When the --keep-relative flag is
used, the backing file paths will be kept relative.
When top is omitted or specified as the active image, it is also possible to specify --active to trigger
a two-phase active commit. In the first phase, top is copied into base and the job can only be canceled,
with top still containing data not yet in base. In the second phase, top and base remain identical until
a call to blockjob with the --abort flag (keeping top as the active image that tracks changes from that
point in time) or the --pivot flag (making base the new active image and invalidating top).
By default, this command returns as soon as possible, and data for the entire disk is committed in the
background; the progress of the operation can be checked with blockjob. However, if --wait is specified,
then this command will block until the operation completes (or for --active, enters the second phase), or
until the operation is canceled because the optional timeout in seconds elapses or SIGINT is sent
(usually with Ctrl-C). Using --verbose along with --wait will produce periodic status updates. If job
cancellation is triggered, --async will return control to the user as fast as possible, otherwise the
command may continue to block a little while longer until the job is done cleaning up. Using --pivot is
shorthand for combining --active --wait with an automatic blockjob --pivot; and using --keep-overlay is
shorthand for combining --active --wait with an automatic blockjob --abort.
path specifies fully-qualified path of the disk; it corresponds to a unique target name (<target
dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached to domain (see
also domblklist for listing these names). bandwidth specifies copying bandwidth limit in MiB/s, although
for QEMU, it may be non-zero only for an online domain. For further information on the bandwidth argument
see the corresponding section for the blockjob command.
blockcopy
Syntax:
blockcopy domain path { dest [format] [--blockdev] | --xml file }
[--shallow] [--reuse-external] [bandwidth]
[--wait [--async] [--verbose]] [{--pivot | --finish}]
[--timeout seconds] [granularity] [buf-size] [--bytes]
[--transient-job] [--synchronous-writes]
Copy a disk backing image chain to a destination. Either dest as the destination file name, or --xml
with the name of an XML file containing a top-level <disk> element describing the destination, must be
present. Additionally, if dest is given, format should be specified to declare the format of the
destination (if format is omitted, then libvirt will reuse the format of the source, or with
--reuse-external will be forced to probe the destination format, which could be a potential security
hole). The command supports --raw as a boolean flag synonym for --format=raw. When using dest, the
destination is treated as a regular file unless --blockdev is used to signal that it is a block device.
By default, this command flattens the entire chain; but if --shallow is specified, the copy shares the
backing chain.
If --reuse-external is specified, then the destination must exist and have sufficient space to hold the
copy. If --shallow is used in conjunction with --reuse-external then the pre-created image must have
guest visible contents identical to guest visible contents of the backing file of the original image.
This may be used to modify the backing file names on the destination.
By default, the copy job runs in the background, and consists of two phases. Initially, the job must
copy all data from the source, and during this phase, the job can only be canceled to revert back to the
source disk, with no guarantees about the destination. After this phase completes, both the source and
the destination remain mirrored until a call to blockjob with the --abort and --pivot flags pivots over
to the copy, or a call without --pivot leaves the destination as a faithful copy of that point in time.
However, if --wait is specified, then this command will block until the mirroring phase begins, or cancel
the operation if the optional timeout in seconds elapses or SIGINT is sent (usually with Ctrl-C). Using
--verbose along with --wait will produce periodic status updates. Using --pivot (similar to blockjob
--pivot) or --finish (similar to blockjob --abort) implies --wait, and will additionally end the job
cleanly rather than leaving things in the mirroring phase. If job cancellation is triggered by timeout
or by --finish, --async will return control to the user as fast as possible, otherwise the command may
continue to block a little while longer until the job has actually cancelled.
path specifies fully-qualified path of the disk. bandwidth specifies copying bandwidth limit in MiB/s.
Specifying a negative value is interpreted as an unsigned long long value that might be essentially
unlimited, but more likely would overflow; it is safer to use 0 for that purpose. For further information
on the bandwidth argument see the corresponding section for the blockjob command. Specifying granularity
allows fine-tuning of the granularity that will be copied when a dirty region is detected; larger values
trigger less I/O overhead but may end up copying more data overall (the default value is usually
correct); hypervisors may restrict this to be a power of two or fall within a certain range. Specifying
buf-size will control how much data can be simultaneously in-flight during the copy; larger values use
more memory but may allow faster completion (the default value is usually correct).
--transient-job allows specifying that the user does not require the job to be recovered if the VM
crashes or is turned off before the job completes. This flag removes the restriction of copy jobs to
transient domains if that restriction is applied by the hypervisor.
If --synchronous-writes is specified the block job will wait for guest writes to be propagated both to
the original image and to the destination of the copy so that it's guaranteed that the job converges if
the destination storage is slower. This may impact performance of writes while the blockjob is running.
blockjob
Syntax:
blockjob domain path { [--abort] [--async] [--pivot] |
[--info] [--raw] [--bytes] | [bandwidth] }
Manage active block operations. There are three mutually-exclusive modes: --info, bandwidth, and
--abort. --async and --pivot imply abort mode; --raw implies info mode; and if no mode was given, --info
mode is assumed.
path specifies fully-qualified path of the disk; it corresponds to a unique target name (<target
dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached to domain (see
also domblklist for listing these names).
In --abort mode, the active job on the specified disk will be aborted. If --async is also specified,
this command will return immediately, rather than waiting for the cancellation to complete. If --pivot
is specified, this requests that an active copy or active commit job be pivoted over to the new image.
In --info mode, the active job information on the specified disk will be printed. By default, the output
is a single human-readable summary line; this format may change in future versions. Adding --raw lists
each field of the struct, in a stable format. If the --bytes flag is set, then the command errors out if
the server could not supply bytes/s resolution; when omitting the flag, raw output is listed in MiB/s and
human-readable output automatically selects the best resolution supported by the server.
bandwidth can be used to set bandwidth limit for the active job in MiB/s. If --bytes is specified then
the bandwidth value is interpreted in bytes/s. Specifying a negative value is interpreted as an unsigned
long value or essentially unlimited. The hypervisor can choose whether to reject the value or convert it
to the maximum value allowed. Optionally a scaled positive number may be used as bandwidth (see NOTES
above). Using --bytes with a scaled value permits a finer granularity to be selected. A scaled value
used without --bytes will be rounded down to MiB/s. Note that the --bytes may be unsupported by the
hypervisor.
Note that the progress reported for blockjobs corresponding to a pull-mode backup don't report progress
of the backup but rather usage of temporary space required for the backup.
blockpull
Syntax:
blockpull domain path [bandwidth] [--bytes] [base]
[--wait [--verbose] [--timeout seconds] [--async]]
[--keep-relative]
Populate a disk from its backing image chain. By default, this command flattens the entire chain; but if
base is specified, containing the name of one of the backing files in the chain, then that file becomes
the new backing file and only the intermediate portion of the chain is pulled. Once all requested data
from the backing image chain has been pulled, the disk no longer depends on that portion of the backing
chain.
By default, this command returns as soon as possible, and data for the entire disk is pulled in the
background; the progress of the operation can be checked with blockjob. However, if --wait is specified,
then this command will block until the operation completes, or cancel the operation if the optional
timeout in seconds elapses or SIGINT is sent (usually with Ctrl-C). Using --verbose along with --wait
will produce periodic status updates. If job cancellation is triggered, --async will return control to
the user as fast as possible, otherwise the command may continue to block a little while longer until the
job is done cleaning up.
Using the --keep-relative flag will keep the backing chain names relative.
path specifies fully-qualified path of the disk; it corresponds to a unique target name (<target
dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached to domain (see
also domblklist for listing these names). bandwidth specifies copying bandwidth limit in MiB/s. For
further information on the bandwidth argument see the corresponding section for the blockjob command.
blockresize
Syntax:
blockresize domain path size
Resize a block device of domain while the domain is running, path specifies the absolute path of the
block device; it corresponds to a unique target name (<target dev='name'/>) or source file (<source
file='name'/>) for one of the disk devices attached to domain (see also domblklist for listing these
names).
size is a scaled integer (see NOTES above) which defaults to KiB (blocks of 1024 bytes) if there is no
suffix. You must use a suffix of "B" to get bytes (note that for historical reasons, this differs from
vol-resize which defaults to bytes without a suffix).
console
Syntax:
console domain [devname] [--safe] [--force]
Connect the virtual serial console for the guest. The optional devname parameter refers to the device
alias of an alternate console, serial or parallel device configured for the guest. If omitted, the
primary console will be opened.
If the flag --safe is specified, the connection is only attempted if the driver supports safe console
handling. This flag specifies that the server has to ensure exclusive access to console devices.
Optionally the --force flag may be specified, requesting to disconnect any existing sessions, such as in
a case of a broken connection.
cpu-stats
Syntax:
cpu-stats domain [--total] [start] [count]
Provide cpu statistics information of a domain. The domain should be running. Default it shows stats for
all CPUs, and a total. Use --total for only the total stats, start for only the per-cpu stats of the CPUs
from start, count for only count CPUs' stats.
create
Syntax:
create FILE [--console] [--paused] [--autodestroy]
[--pass-fds N,M,...] [--validate]
Create a domain from an XML <file>. Optionally, --validate option can be passed to validate the format of
the input XML file against an internal RNG schema (identical to using virt-xml-validate(1) tool). Domains
created using this command are going to be either transient (temporary ones that will vanish once
destroyed) or existing persistent guests that will run with one-time use configuration, leaving the
persistent XML untouched (this can come handy during an automated testing of various configurations all
based on the original XML). See the example below for usage demonstration.
The domain will be paused if the --paused option is used and supported by the driver; otherwise it will
be running. If --console is requested, attach to the console after creation. If --autodestroy is
requested, then the guest will be automatically destroyed when virsh closes its connection to libvirt, or
otherwise exits.
If --pass-fds is specified, the argument is a comma separated list of open file descriptors which should
be pass on into the guest. The file descriptors will be re-numbered in the guest, starting from 3. This
is only supported with container based virtualization.
Example:
1. prepare a template from an existing domain (skip directly to 3a if writing one from scratch)
# virsh dumpxml <domain> > domain.xml
2. edit the template using an editor of your choice and:
a. DO CHANGE! <name> and <uuid> (<uuid> can also be removed), or
b. DON'T CHANGE! either <name> or <uuid>
# $EDITOR domain.xml
3. create a domain from domain.xml, depending on whether following 2a or 2b respectively:
a. the domain is going to be transient
b. an existing persistent guest will run with a modified one-time configuration
# virsh create domain.xml
define
Syntax:
define FILE [--validate]
Define a domain from an XML <file>. Optionally, the format of the input XML file can be validated against
an internal RNG schema with --validate (identical to using virt-xml-validate(1) tool). The domain
definition is registered but not started. If domain is already running, the changes will take effect on
the next boot.
desc
Syntax:
desc domain [[--live] [--config] |
[--current]] [--title] [--edit] [--new-desc
New description or title message]
Show or modify description and title of a domain. These values are user fields that allow storing
arbitrary textual data to allow easy identification of domains. Title should be short, although it's not
enforced. (See also metadata that works with XML based domain metadata.)
Flags --live or --config select whether this command works on live or persistent definitions of the
domain. If both --live and --config are specified, the --config option takes precedence on getting the
current description and both live configuration and config are updated while setting the description.
--current is exclusive and implied if none of these was specified.
Flag --edit specifies that an editor with the contents of current description or title should be opened
and the contents saved back afterwards.
Flag --title selects operation on the title field instead of description.
If neither of --edit and --new-desc are specified the note or description is displayed instead of being
modified.
destroy
Syntax:
destroy domain [--graceful]
Immediately terminate the domain domain. This doesn't give the domain OS any chance to react, and it's
the equivalent of ripping the power cord out on a physical machine. In most cases you will want to use
the shutdown command instead. However, this does not delete any storage volumes used by the guest, and
if the domain is persistent, it can be restarted later.
If domain is transient, then the metadata of any snapshots will be lost once the guest stops running, but
the snapshot contents still exist, and a new domain with the same name and UUID can restore the snapshot
metadata with snapshot-create. Similarly, the metadata of any checkpoints will be lost, but can be
restored with checkpoint-create.
If --graceful is specified, don't resort to extreme measures (e.g. SIGKILL) when the guest doesn't stop
after a reasonable timeout; return an error instead.
domblkerror
Syntax:
domblkerror domain
Show errors on block devices. This command usually comes handy when domstate command says that a domain
was paused due to I/O error. The domblkerror command lists all block devices in error state and the
error seen on each of them.
domblkinfo
Syntax:
domblkinfo domain [block-device --all] [--human]
Get block device size info for a domain. A block-device corresponds to a unique target name (<target
dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached to domain (see
also domblklist for listing these names). If --human is set, the output will have a human readable
output. If --all is set, the output will be a table showing all block devices size info associated with
domain. The --all option takes precedence of the others.
domblklist
Syntax:
domblklist domain [--inactive] [--details]
Print a table showing the brief information of all block devices associated with domain. If --inactive is
specified, query the block devices that will be used on the next boot, rather than those currently in use
by a running domain. If --details is specified, disk type and device value will also be printed. Other
contexts that require a block device name (such as domblkinfo or snapshot-create for disk snapshots) will
accept either target or unique source names printed by this command.
domblkstat
Syntax:
domblkstat domain [block-device] [--human]
Get device block stats for a running domain. A block-device corresponds to a unique target name (<target
dev='name'/>) or source file (<source file='name'/>) for one of the disk devices attached to domain (see
also domblklist for listing these names). On a LXC or QEMU domain, omitting the block-device yields
device block stats summarily for the entire domain.
Use --human for a more human readable output.
Availability of these fields depends on hypervisor. Unsupported fields are missing from the output. Other
fields may appear if communicating with a newer version of libvirtd.
Explanation of fields (fields appear in the following order):
• rd_req - count of read operations
• rd_bytes - count of read bytes
• wr_req - count of write operations
• wr_bytes - count of written bytes
• errs - error count
• flush_operations - count of flush operations
• rd_total_times - total time read operations took (ns)
• wr_total_times - total time write operations took (ns)
• flush_total_times - total time flush operations took (ns)
• <-- other fields provided by hypervisor -->
domblkthreshold
Syntax:
domblkthreshold domain dev threshold
Set the threshold value for delivering the block-threshold event. dev specifies the disk device target or
backing chain element of given device using the 'target[1]' syntax. threshold is a scaled value of the
offset. If the block device should write beyond that offset the event will be delivered.
domcontrol
Syntax:
domcontrol domain
Returns state of an interface to VMM used to control a domain. For states other than "ok" or "error" the
command also prints number of seconds elapsed since the control interface entered its current state.
domdirtyrate-calc
Syntax:
domdirtyrate-calc <domain> [--seconds <sec>]
Calculate an active domain's memory dirty rate which may be expected by user in order to decide whether
it's proper to be migrated out or not. The seconds parameter can be used to calculate dirty rate in a
specific time which allows 60s at most now and would be default to 1s if missing. The calculated dirty
rate information is available by calling 'domstats --dirtyrate'.
domdisplay
Syntax:
domdisplay domain [--include-password] [[--type] type] [--all]
Output a URI which can be used to connect to the graphical display of the domain via VNC, SPICE or RDP.
The particular graphical display type can be selected using the type parameter (e.g. "vnc", "spice",
"rdp"). If --include-password is specified, the SPICE channel password will be included in the URI. If
--all is specified, then all show all possible graphical displays, for a VM could have more than one
graphical displays.
domfsfreeze
Syntax:
domfsfreeze domain [[--mountpoint] mountpoint...]
Freeze mounted filesystems within a running domain to prepare for consistent snapshots.
The --mountpoint option takes a parameter mountpoint, which is a mount point path of the filesystem to be
frozen. This option can occur multiple times. If this is not specified, every mounted filesystem is
frozen.
Note: snapshot-create command has a --quiesce option to freeze and thaw the filesystems automatically to
keep snapshots consistent. domfsfreeze command is only needed when a user wants to utilize the native
snapshot features of storage devices not supported by libvirt.
domfsinfo
Syntax:
domfsinfo domain
Show a list of mounted filesystems within the running domain. The list contains mountpoints, names of a
mounted device in the guest, filesystem types, and unique target names used in the domain XML (<target
dev='name'/>).
Note that this command requires a guest agent configured and running in the domain's guest OS.
domfsthaw
Syntax:
domfsthaw domain [[--mountpoint] mountpoint...]
Thaw mounted filesystems within a running domain, which have been frozen by domfsfreeze command.
The --mountpoint option takes a parameter mountpoint, which is a mount point path of the filesystem to be
thawed. This option can occur multiple times. If this is not specified, every mounted filesystem is
thawed.
domfstrim
Syntax:
domfstrim domain [--minimum bytes] [--mountpoint mountPoint]
Issue a fstrim command on all mounted filesystems within a running domain. It discards blocks which are
not in use by the filesystem. If --minimum bytes is specified, it tells guest kernel length of
contiguous free range. Smaller than this may be ignored (this is a hint and the guest may not respect
it). By increasing this value, the fstrim operation will complete more quickly for filesystems with badly
fragmented free space, although not all blocks will be discarded. The default value is zero, meaning
"discard every free block". Moreover, if a user wants to trim only one mount point, it can be specified
via optional --mountpoint parameter.
domhostname
Syntax:
domhostname domain [--source lease|agent]
Returns the hostname of a domain, if the hypervisor makes it available.
The --source argument specifies what data source to use for the hostnames, currently 'lease' to read DHCP
leases or 'agent' to query the guest OS via an agent. If unspecified, driver returns the default method
available (some drivers support only one type of source).
domid
Syntax:
domid domain-name-or-uuid
Convert a domain name (or UUID) to a domain id
domif-getlink
Syntax:
domif-getlink domain interface-device [--config]
Query link state of the domain's virtual interface. If --config is specified, query the persistent
configuration, for compatibility purposes, --persistent is alias of --config.
interface-device can be the interface's target name or the MAC address.
domif-setlink
Syntax:
domif-setlink domain interface-device state [--config]
Modify link state of the domain's virtual interface. Possible values for state are "up" and "down". If
--config is specified, only the persistent configuration of the domain is modified, for compatibility
purposes, --persistent is alias of --config. interface-device can be the interface's target name or the
MAC address.
domifaddr
Syntax:
domifaddr domain [interface] [--full]
[--source lease|agent|arp]
Get a list of interfaces of a running domain along with their IP and MAC addresses, or limited output
just for one interface if interface is specified. Note that interface can be driver dependent, it can be
the name within guest OS or the name you would see in domain XML. Moreover, the whole command may require
a guest agent to be configured for the queried domain under some hypervisors, notably QEMU.
If --full is specified, the interface name and MAC address is always displayed when the interface has
multiple IP addresses or aliases; otherwise, only the interface name and MAC address is displayed for the
first name and MAC address with "-" for the others using the same name and MAC address.
The --source argument specifies what data source to use for the addresses, currently 'lease' to read DHCP
leases, 'agent' to query the guest OS via an agent, or 'arp' to get IP from host's arp tables. If
unspecified, 'lease' is the default.
backup-begin
Syntax:
backup-begin domain [backupxml] [checkpointxml] [--reuse-external]
Begin a new backup job. If backupxml is omitted, this defaults to a full backup using a push model to
filenames generated by libvirt; supplying XML allows fine-tuning such as requesting an incremental backup
relative to an earlier checkpoint, controlling which disks participate or which filenames are involved,
or requesting the use of a pull model backup. The backup-dumpxml command shows any resulting values
assigned by libvirt. For more information on backup XML, see: https://libvirt.org/formatbackup.html
If --reuse-external is used it instructs libvirt to reuse temporary and output files provided by the user
in backupxml.
If checkpointxml is specified, a second file with a top-level element of domaincheckpoint is used to
create a simultaneous checkpoint, for doing a later incremental backup relative to the time the backup
was created. See checkpoint-create for more details on checkpoints.
This command returns as soon as possible, and the backup job runs in the background; the progress of a
push model backup can be checked with domjobinfo or by waiting for an event with event (the progress of a
pull model backup is under the control of whatever third party connects to the NBD export). The job is
ended with domjobabort.
backup-dumpxml
Syntax:
backup-dumpxml domain
Output XML describing the current backup job.
domiflist
Syntax:
domiflist domain [--inactive]
Print a table showing the brief information of all virtual interfaces associated with domain. If
--inactive is specified, query the virtual interfaces that will be used on the next boot, rather than
those currently in use by a running domain. Other contexts that require a MAC address of virtual
interface (such as detach-interface or domif-setlink) will accept the MAC address printed by this
command.
domifstat
Syntax:
domifstat domain interface-device
Get network interface stats for a running domain. The network interface stats are only available for
interfaces that have a physical source interface. This does not include, for example, a 'user' interface
type since it is a virtual LAN with NAT to the outside world. interface-device can be the interface
target by name or MAC address.
domiftune
Syntax:
domiftune domain interface-device [[--config] [--live] | [--current]]
[*--inbound average,peak,burst,floor*]
[*--outbound average,peak,burst*]
Set or query the domain's network interface's bandwidth parameters. interface-device can be the
interface's target name (<target dev='name'/>), or the MAC address.
If no --inbound or --outbound is specified, this command will query and show the bandwidth settings.
Otherwise, it will set the inbound or outbound bandwidth. average,peak,burst,floor is the same as in
command attach-interface. Values for average, peak and floor are expressed in kilobytes per second,
while burst is expressed in kilobytes in a single burst at peak speed as described in the Network XML
documentation at https://libvirt.org/formatnetwork.html#elementQoS.
To clear inbound or outbound settings, use --inbound or --outbound respectfully with average value of
zero.
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
If no flag is specified, behavior is different depending on hypervisor.
dominfo
Syntax:
dominfo domain
Returns basic information about the domain.
domjobabort
Syntax:
domjobabort domain
Abort the currently running domain job.
domjobinfo
Syntax:
domjobinfo domain [--completed [--keep-completed]] [--anystats] [--rawstats]
Returns information about jobs running on a domain. --completed tells virsh to return information about a
recently finished job. Statistics of a completed job are automatically destroyed once read (unless
--keep-completed is used) or when libvirtd is restarted.
Normally only statistics for running and successful completed jobs are printed. --anystats can be used
to also display statistics for failed jobs.
In case --rawstats is used, all fields are printed as received from the server without any attempts to
interpret the data. The "Job type:" field is special, since it's reported by the API and not part of
stats.
Note that time information returned for completed migrations may be completely irrelevant unless both
source and destination hosts have synchronized time (i.e., NTP daemon is running on both of them).
domlaunchsecinfo
Syntax:
domlaunchsecinfo domain
Returns information about the launch security parameters associated with a running domain.
The set of parameters reported will vary depending on which type of launch security protection is active.
If none is active, no parameters will be reported.
domsetlaunchsecstate
Syntax:
domsetlaunchsecstate domain --secrethdr hdr-filename
--secret secret-filename [--set-address address]
Set a launch security secret in the guest's memory. The guest must have a launchSecurity type enabled in
its configuration and be in a paused state. On success, the guest can be transitioned to a running
state. On failure, the guest should be destroyed.
--secrethdr specifies a filename containing the base64-encoded secret header. The header includes
artifacts needed by the hypervisor firmware to recover the plain text of the launch secret. --secret
specifies the filename containing the base64-encoded encrypted launch secret.
The --set-address option can be used to specify a physical address within the guest's memory to set the
secret. If not specified, the address will be determined by the hypervisor.
dommemstat
Syntax:
dommemstat domain [--period seconds] [[--config] [--live] | [--current]]
Get memory stats for a running domain.
Availability of these fields depends on hypervisor. Unsupported fields are missing from the output. Other
fields may appear if communicating with a newer version of libvirtd.
Explanation of fields:
• swap_in - The amount of data read from swap space (in KiB)
• swap_out - The amount of memory written out to swap space (in KiB)
• major_fault - The number of page faults where disk IO was required
• minor_fault - The number of other page faults
• unused - The amount of memory left unused by the system (in KiB)
• available - The amount of usable memory as seen by the domain (in KiB)
• actual - Current balloon value (in KiB)
• rss - Resident Set Size of the running domain's process (in KiB)
• usable - The amount of memory which can be reclaimed by balloon without causing host
swapping (in KiB)
• last-update - Timestamp of the last update of statistics (in seconds)
• disk_caches - The amount of memory that can be reclaimed without additional I/O, typically disk
caches (in KiB)
• hugetlb_pgalloc - The number of successful huge page allocations initiated from within the domain
• hugetlb_pgfail - The number of failed huge page allocations initiated from within the domain
For QEMU/KVM with a memory balloon, setting the optional --period to a value larger than 0 in seconds
will allow the balloon driver to return additional statistics which will be displayed by subsequent
dommemstat commands. Setting the --period to 0 will stop the balloon driver collection, but does not
clear the statistics in the balloon driver. Requires at least QEMU/KVM 1.5 to be running on the host.
The --live, --config, and --current flags are only valid when using the --period option in order to set
the collection period for the balloon driver. If --live is specified, only the running guest collection
period is affected. If --config is specified, affect the next start of a persistent guest. If --current
is specified, it is equivalent to either --live or --config, depending on the current state of the guest.
Both --live and --config flags may be given, but --current is exclusive. If no flag is specified,
behavior is different depending on the guest state.
domname
Syntax:
domname domain-id-or-uuid
Convert a domain Id (or UUID) to domain name
dompmsuspend
Syntax:
dompmsuspend domain target [--duration]
Suspend a running domain into one of these states (possible target values):
• mem - equivalent of S3 ACPI state
• disk - equivalent of S4 ACPI state
• hybrid - RAM is saved to disk but not powered off
The --duration argument specifies number of seconds before the domain is woken up after it was suspended
(see also dompmwakeup). Default is 0 for unlimited suspend time. (This feature isn't currently supported
by any hypervisor driver and 0 should be used.).
Note that this command requires a guest agent configured and running in the domain's guest OS.
Beware that at least for QEMU, the domain's process will be terminated when target disk is used and a new
process will be launched when libvirt is asked to wake up the domain. As a result of this, any runtime
changes, such as device hotplug or memory settings, are lost unless such changes were made with --config
flag.
dompmwakeup
Syntax:
dompmwakeup domain
Wakeup a domain from pmsuspended state (either suspended by dompmsuspend or from the guest itself).
Injects a wakeup into the guest that is in pmsuspended state, rather than waiting for the previously
requested duration (if any) to elapse. This operation does not necessarily fail if the domain is running.
domrename
Syntax:
domrename domain new-name
Rename a domain. This command changes current domain name to the new name specified in the second
argument.
Note: Domain must be inactive.
domstate
Syntax:
domstate domain [--reason]
Returns state about a domain. --reason tells virsh to also print reason for the state.
domstats
Syntax:
domstats [--raw] [--enforce] [--backing] [--nowait] [--state]
[--cpu-total] [--balloon] [--vcpu] [--interface]
[--block] [--perf] [--iothread] [--memory] [--dirtyrate]
[[--list-active] [--list-inactive]
[--list-persistent] [--list-transient] [--list-running]y
[--list-paused] [--list-shutoff] [--list-other]] | [domain ...]
Get statistics for multiple or all domains. Without any argument this command prints all available
statistics for all domains.
The list of domains to gather stats for can be either limited by listing the domains as a space separated
list, or by specifying one of the filtering flags --list-NNN. (The approaches can't be combined.)
By default some of the returned fields may be converted to more human friendly values by a set of
pretty-printers. To suppress this behavior use the --raw flag.
The individual statistics groups are selectable via specific flags. By default all supported statistics
groups are returned. Supported statistics groups flags are: --state, --cpu-total, --balloon, --vcpu,
--interface, --block, --perf, --iothread, --memory, --dirtyrate.
Note that - depending on the hypervisor type and version or the domain state - not all of the following
statistics may be returned.
When selecting the --state group the following fields are returned:
• state.state - state of the VM, returned as number from virDomainState enum
• state.reason - reason for entering given state, returned as int from virDomain*Reason enum
corresponding to given state
--cpu-total returns:
• cpu.time - total cpu time spent for this domain in nanoseconds
• cpu.user - user cpu time spent in nanoseconds
• cpu.system - system cpu time spent in nanoseconds
• cpu.haltpoll.success.time - cpu halt polling success time spent in nanoseconds
• cpu.haltpoll.fail.time - cpu halt polling fail time spent in nanoseconds
• cpu.cache.monitor.count - the number of cache monitors for this domain
• cpu.cache.monitor.<num>.name - the name of cache monitor <num>
• cpu.cache.monitor.<num>.vcpus - vcpu list of cache monitor <num>
• cpu.cache.monitor.<num>.bank.count - the number of cache banks in cache monitor <num>
• cpu.cache.monitor.<num>.bank.<index>.id - host allocated cache id for bank <index> in cache monitor
<num>
• cpu.cache.monitor.<num>.bank.<index>.bytes - the number of bytes of last level cache that the domain is
using on cache bank <index>
--balloon returns:
• balloon.current - the memory in KiB currently used
• balloon.maximum - the maximum memory in KiB allowed
• balloon.swap_in - the amount of data read from swap space (in KiB)
• balloon.swap_out - the amount of memory written out to swap space (in KiB)
• balloon.major_fault - the number of page faults when disk IO was required
• balloon.minor_fault - the number of other page faults
• balloon.unused - the amount of memory left unused by the system (in KiB)
• balloon.available - the amount of usable memory as seen by the domain (in KiB)
• balloon.rss - Resident Set Size of running domain's process (in KiB)
• balloon.usable - the amount of memory which can be reclaimed by balloon without causing host swapping
(in KiB)
• balloon.last-update - timestamp of the last update of statistics (in seconds)
• balloon.disk_caches - the amount of memory that can be reclaimed without additional I/O, typically disk
(in KiB)
• balloon.hugetlb_pgalloc - the number of successful huge page allocations from inside the domain via
virtio balloon
• balloon.hugetlb_pgfail - the number of failed huge page allocations from inside the domain via virtio
balloon
--vcpu returns:
• vcpu.current - current number of online virtual CPUs
• vcpu.maximum - maximum number of online virtual CPUs
• vcpu.<num>.state - state of the virtual CPU <num>, as number from virVcpuState enum
• vcpu.<num>.time - virtual cpu time spent by virtual CPU <num> (in microseconds)
• vcpu.<num>.wait - virtual cpu time spent by virtual CPU <num> waiting on I/O (in microseconds)
• vcpu.<num>.halted - virtual CPU <num> is halted: yes or no (may indicate the processor is idle or even
disabled, depending on the architecture)
• vcpu.<num>.delay - time the vCPU <num> thread was enqueued by the host scheduler, but was waiting in
the queue instead of running. Exposed to the VM as a steal time.
--interface returns:
• net.count - number of network interfaces on this domain
• net.<num>.name - name of the interface <num>
• net.<num>.rx.bytes - number of bytes received
• net.<num>.rx.pkts - number of packets received
• net.<num>.rx.errs - number of receive errors
• net.<num>.rx.drop - number of receive packets dropped
• net.<num>.tx.bytes - number of bytes transmitted
• net.<num>.tx.pkts - number of packets transmitted
• net.<num>.tx.errs - number of transmission errors
• net.<num>.tx.drop - number of transmit packets dropped
--perf returns the statistics of all enabled perf events:
• perf.cmt - the cache usage in Byte currently used
• perf.mbmt - total system bandwidth from one level of cache
• perf.mbml - bandwidth of memory traffic for a memory controller
• perf.cpu_cycles - the count of cpu cycles (total/elapsed)
• perf.instructions - the count of instructions
• perf.cache_references - the count of cache hits
• perf.cache_misses - the count of caches misses
• perf.branch_instructions - the count of branch instructions
• perf.branch_misses - the count of branch misses
• perf.bus_cycles - the count of bus cycles
• perf.stalled_cycles_frontend - the count of stalled frontend cpu cycles
• perf.stalled_cycles_backend - the count of stalled backend cpu cycles
• perf.ref_cpu_cycles - the count of ref cpu cycles
• perf.cpu_clock - the count of cpu clock time
• perf.task_clock - the count of task clock time
• perf.page_faults - the count of page faults
• perf.context_switches - the count of context switches
• perf.cpu_migrations - the count of cpu migrations
• perf.page_faults_min - the count of minor page faults
• perf.page_faults_maj - the count of major page faults
• perf.alignment_faults - the count of alignment faults
• perf.emulation_faults - the count of emulation faults
See the perf command for more details about each event.
--block returns information about disks associated with each domain. Using the --backing flag extends
this information to cover all resources in the backing chain, rather than the default of limiting
information to the active layer for each guest disk. Information listed includes:
• block.count - number of block devices being listed
• block.<num>.name - name of the target of the block device <num> (the same name for multiple entries if
--backing is present)
• block.<num>.backingIndex - when --backing is present, matches up with the <backingStore> index listed
in domain XML for backing files
• block.<num>.path - file source of block device <num>, if it is a local file or block device
• block.<num>.rd.reqs - number of read requests
• block.<num>.rd.bytes - number of read bytes
• block.<num>.rd.times - total time (ns) spent on reads
• block.<num>.wr.reqs - number of write requests
• block.<num>.wr.bytes - number of written bytes
• block.<num>.wr.times - total time (ns) spent on writes
• block.<num>.fl.reqs - total flush requests
• block.<num>.fl.times - total time (ns) spent on cache flushing
• block.<num>.errors - Xen only: the 'oo_req' value
• block.<num>.allocation - offset of highest written sector in bytes
• block.<num>.capacity - logical size of source file in bytes
• block.<num>.physical - physical size of source file in bytes
• block.<num>.threshold - threshold (in bytes) for delivering the VIR_DOMAIN_EVENT_ID_BLOCK_THRESHOLD
event. See domblkthreshold.
--iothread returns information about IOThreads on the running guest if supported by the hypervisor.
The "poll-max-ns" for each thread is the maximum nanoseconds to allow each polling interval to occur. A
polling interval is a period of time allowed for a thread to process data before being the guest gives up
its CPU quantum back to the host. A value set too small will not allow the IOThread to run long enough on
a CPU to process data. A value set too high will consume too much CPU time per IOThread failing to allow
other threads running on the CPU to get time. The polling interval is not available for statistical
purposes.
•
iothread.count - maximum number of IOThreads in the subsequent list
as unsigned int. Each IOThread in the list will will use it's iothread_id value as the <id>.
There may be fewer <id> entries than the iothread.count value if the polling values are not
supported.
• iothread.<id>.poll-max-ns - maximum polling time in nanoseconds used by the <id> IOThread. A value of 0
(zero) indicates polling is disabled.
• iothread.<id>.poll-grow - polling time grow value. A value of 0 (zero) growth is managed by the
hypervisor.
• iothread.<id>.poll-shrink - polling time shrink value. A value of (zero) indicates shrink is managed by
hypervisor.
--memory returns:
• memory.bandwidth.monitor.count - the number of memory bandwidth monitors for this domain
• memory.bandwidth.monitor.<num>.name - the name of monitor <num>
• memory.bandwidth.monitor.<num>.vcpus - the vcpu list of monitor <num>
•
memory.bandwidth.monitor.<num>.node.count - the number of memory
controller in monitor <num>
• memory.bandwidth.monitor.<num>.node.<index>.id - host allocated memory controller id for controller
<index> of monitor <num>
• memory.bandwidth.monitor.<num>.node.<index>.bytes.local - the accumulative bytes consumed by @vcpus
that passing through the memory controller in the same processor that the scheduled host CPU belongs
to.
• memory.bandwidth.monitor.<num>.node.<index>.bytes.total - the total bytes consumed by @vcpus that
passing through all memory controllers, either local or remote controller.
--dirtyrate returns:
• dirtyrate.calc_status - the status of last memory dirty rate calculation, returned as number from
virDomainDirtyRateStatus enum.
• dirtyrate.calc_start_time - the start time of last memory dirty rate calculation.
• dirtyrate.calc_period - the period of last memory dirty rate calculation.
• dirtyrate.megabytes_per_second - the calculated memory dirty rate in MiB/s.
Selecting a specific statistics groups doesn't guarantee that the daemon supports the selected group of
stats. Flag --enforce forces the command to fail if the daemon doesn't support the selected group.
When collecting stats libvirtd may wait for some time if there's already another job running on given
domain for it to finish. This may cause unnecessary delay in delivering stats. Using --nowait suppresses
this behaviour. On the other hand some statistics might be missing for such domain.
domtime
Syntax:
domtime domain { [--now] [--pretty] [--sync] [--time time] }
Gets or sets the domain's system time. When run without any arguments (but domain), the current domain's
system time is printed out. The --pretty modifier can be used to print the time in more human readable
form.
When --time time is specified, the domain's time is not gotten but set instead. The --now modifier acts
like if it was an alias for --time $now, which means it sets the time that is currently on the host virsh
is running at. In both cases (setting and getting), time is in seconds relative to Epoch of 1970-01-01 in
UTC. The --sync modifies the set behavior a bit: The time passed is ignored, but the time to set is read
from domain's RTC instead. Please note, that some hypervisors may require a guest agent to be configured
in order to get or set the guest time.
domuuid
Syntax:
domuuid domain-name-or-id
Convert a domain name or id to domain UUID
domxml-from-native
Syntax:
domxml-from-native format config
Convert the file config in the native guest configuration format named by format to a domain XML format.
For QEMU/KVM hypervisor, the format argument must be qemu-argv. For Xen hypervisor, the format argument
may be xen-xm, xen-xl, or xen-sxpr. For LXC hypervisor, the format argument must be lxc-tools. For
VMware/ESX hypervisor, the format argument must be vmware-vmx. For the Bhyve hypervisor, the format
argument must be bhyve-argv.
domxml-to-native
Syntax:
domxml-to-native format { [--xml] xml | --domain domain-name-or-id-or-uuid }
Convert the file xml into domain XML format or convert an existing --domain to the native guest
configuration format named by format. The xml and --domain arguments are mutually exclusive. For the
types of format argument, refer to domxml-from-native.
dump
Syntax:
dump domain corefilepath [--bypass-cache]
{ [--live] | [--crash] | [--reset] }
[--verbose] [--memory-only] [--format string]
Dumps the core of a domain to a file for analysis. If --live is specified, the domain continues to run
until the core dump is complete, rather than pausing up front. If --crash is specified, the domain is
halted with a crashed status, rather than merely left in a paused state. If --reset is specified, the
domain is reset after successful dump. Note, these three switches are mutually exclusive. If
--bypass-cache is specified, the save will avoid the file system cache, although this may slow down the
operation. If --memory-only is specified, the file is elf file, and will only include domain's memory
and cpu common register value. It is very useful if the domain uses host devices directly. --format
string is used to specify the format of 'memory-only' dump, and string can be one of: elf,
kdump-zlib(kdump-compressed format with zlib-compressed), kdump-lzo(kdump-compressed format with
lzo-compressed), kdump-snappy(kdump-compressed format with snappy-compressed), win-dmp(Windows full
crashdump format).
The progress may be monitored using domjobinfo virsh command and canceled with domjobabort command (sent
by another virsh instance). Another option is to send SIGINT (usually with Ctrl-C) to the virsh process
running dump command. --verbose displays the progress of dump.
NOTE: Some hypervisors may require the user to manually ensure proper permissions on file and path
specified by argument corefilepath.
NOTE: Crash dump in a old kvmdump format is being obsolete and cannot be loaded and processed by crash
utility since its version 6.1.0. A --memory-only option is required in order to produce valid ELF file
which can be later processed by the crash utility.
dumpxml
Syntax:
dumpxml domain [--inactive] [--security-info] [--update-cpu] [--migratable]
Output the domain information as an XML dump to stdout, this format can be used by the create command.
Additional options affecting the XML dump may be used. --inactive tells virsh to dump domain
configuration that will be used on next start of the domain as opposed to the current domain
configuration. Using --security-info will also include security sensitive information in the XML dump.
--update-cpu updates domain CPU requirements according to host CPU. With --migratable one can request an
XML that is suitable for migrations, i.e., compatible with older libvirt releases and possibly amended
with internal run-time options. This option may automatically enable other options (--update-cpu,
--security-info, ...) as necessary.
edit
Syntax:
edit domain
Edit the XML configuration file for a domain, which will affect the next boot of the guest.
This is equivalent to:
virsh dumpxml --inactive --security-info domain > domain.xml
vi domain.xml (or make changes with your other text editor)
virsh define domain.xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
emulatorpin
Syntax:
emulatorpin domain [cpulist] [[--live] [--config] | [--current]]
Query or change the pinning of domain's emulator threads to host physical CPUs.
See vcpupin for cpulist.
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given if cpulist is present, but
--current is exclusive. If no flag is specified, behavior is different depending on hypervisor.
event
Syntax:
event {[domain] { event | --all } [--loop] [--timeout seconds] [--timestamp] | --list}
Wait for a class of domain events to occur, and print appropriate details of events as they happen. The
events can optionally be filtered by domain. Using --list as the only argument will provide a list of
possible event values known by this client, although the connection might not allow registering for all
these events. It is also possible to use --all instead of event to register for all possible event types
at once.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key.
When --timestamp is used, a human-readable timestamp will be printed before the event.
get-user-sshkeys
Syntax:
get-user-sshkeys domain user
Print SSH authorized keys for given user in the guest domain. Please note, that an entry in the file has
internal structure as defined by sshd(8) and virsh/libvirt does handle keys as opaque strings, i.e. does
not interpret them.
guest-agent-timeout
Syntax:
guest-agent-timeout domain [--timeout value]
Set how long to wait for a response from guest agent commands. By default, agent commands block forever
waiting for a response. value must be a positive value (wait for given amount of seconds) or one of the
following values:
• -2 - block forever waiting for a result (used when --timeout is omitted),
• -1 - reset timeout to the default value (currently defined as 5 seconds in libvirt daemon),
• 0 - do not wait at all,
guestinfo
Syntax:
guestinfo domain [--user] [--os] [--timezone] [--hostname] [--filesystem]
[--disk] [--interface]
Print information about the guest from the point of view of the guest agent. Note that this command
requires a guest agent to be configured and running in the domain's guest OS.
When run without any arguments, this command prints all information types that are supported by the guest
agent. You can limit the types of information that are returned by specifying one or more flags. If a
requested information type is not supported, the processes will provide an exit code of 1. Available
information types flags are --user, --os, --timezone, --hostname, --filesystem, --disk and --interface.
Note that depending on the hypervisor type and the version of the guest agent running within the domain,
not all of the following information may be returned.
When selecting the --user information type, the following fields may be returned:
• user.count - the number of active users on this domain
• user.<num>.name - username of user <num>
• user.<num>.domain - domain of the user <num> (may only be present on certain guets types)
• user.<num>.login-time - the login time of user <num> in milliseconds since the epoch
--os returns:
• os.id - a string identifying the operating system
• os.name - the name of the operating system
• os.pretty-name - a pretty name for the operating system
• os.version - the version of the operating system
• os.version-id - the version id of the operating system
• os.kernel-release - the release of the operating system kernel
• os.kernel-version - the version of the operating system kernel
• os.machine - the machine hardware name
• os.variant - a specific variant or edition of the operating system
• os.variant-id - the id for a specific variant or edition of the operating system
--timezone returns:
• timezone.name - the name of the timezone
• timezone.offset - the offset to UTC in seconds
--hostname returns:
• hostname - the hostname of the domain
--filesystem returns:
• fs.count - the number of filesystems defined on this domain
• fs.<num>.mountpoint - the path to the mount point for filesystem <num>
• fs.<num>.name - device name in the guest (e.g. sda1) for filesystem <num>
• fs.<num>.fstype - the type of filesystem <num>
• fs.<num>.total-bytes - the total size of filesystem <num>
• fs.<num>.used-bytes - the number of bytes used in filesystem <num>
• fs.<num>.disk.count - the number of disks targeted by filesystem <num>
• fs.<num>.disk.<num>.alias - the device alias of disk <num> (e.g. sda)
• fs.<num>.disk.<num>.serial - the serial number of disk <num>
• fs.<num>.disk.<num>.device - the device node of disk <num>
--disk returns:
• disk.count - the number of disks defined on this domain
• disk.<num>.name - device node (Linux) or device UNC (Windows)
• disk.<num>.partition - whether this is a partition or disk
• disk.<num>.dependency.count - the number of device dependencies
• disk.<num>.dependency.<num>.name - a dependency name
• disk.<num>.serial - optional disk serial number
• disk.<num>.alias - the device alias of the disk (e.g. sda)
• disk.<num>.guest_alias - optional alias assigned to the disk
--interface returns: * if.count - the number of interfaces defined on this domain * if.<num>.name - name
in the guest (e.g. eth0) for interface <num> * if.<num>.hwaddr - hardware address in the guest for
interface <num> * if.<num>.addr.count - the number of IP addresses of interface <num> *
if.<num>.addr.<num1>.type - the IP address type of addr <num1> (e.g. ipv4) * if.<num>.addr.<num1>.addr -
the IP address of addr <num1> * if.<num>.addr.<num1>.prefix - the prefix of IP address of addr <num1>
guestvcpus
Syntax:
guestvcpus domain [[--enable] | [--disable]] [cpulist]
Query or change state of vCPUs from guest's point of view using the guest agent. When invoked without
cpulist the guest is queried for available guest vCPUs, their state and possibility to be offlined.
If cpulist is provided then one of --enable or --disable must be provided too. The desired operation is
then executed on the domain.
See vcpupin for information on cpulist.
iothreadadd
Syntax:
iothreadadd domain iothread_id [[--config] [--live] | [--current]]
Add a new IOThread to the domain using the specified iothread_id. If the iothread_id already exists, the
command will fail. The iothread_id must be greater than zero.
If --live is specified, affect a running guest. If the guest is not running an error is returned. If
--config is specified, affect the next start of a persistent guest. If --current is specified, it is
equivalent to either --live or --config, depending on the current state of the guest.
iothreaddel
Syntax:
iothreaddel domain iothread_id [[--config] [--live] | [--current]]
Delete an IOThread from the domain using the specified iothread_id. If an IOThread is currently assigned
to a disk resource such as via the attach-disk command, then the attempt to remove the IOThread will
fail. If the iothread_id does not exist an error will occur.
If --live is specified, affect a running guest. If the guest is not running an error is returned. If
--config is specified, affect the next start of a persistent guest. If --current is specified, it is
equivalent to either --live or --config, depending on the current state of the guest.
iothreadinfo
Syntax:
iothreadinfo domain [[--live] [--config] | [--current]]
Display basic domain IOThreads information including the IOThread ID and the CPU Affinity for each
IOThread.
If --live is specified, get the IOThreads data from the running guest. If the guest is not running, an
error is returned. If --config is specified, get the IOThreads data from the next start of a persistent
guest. If --current is specified or --live and --config are not specified, then get the IOThread data
based on the current guest state, which can either be live or offline.
iothreadpin
Syntax:
iothreadpin domain iothread cpulist [[--live] [--config] | [--current]]
Change the pinning of a domain IOThread to host physical CPUs. In order to retrieve a list of all
IOThreads, use iothreadinfo. To pin an iothread specify the cpulist desired for the IOThread ID as listed
in the iothreadinfo output.
cpulist is a list of physical CPU numbers. Its syntax is a comma separated list and a special markup
using '-' and '^' (ex. '0-4', '0-3,^2') can also be allowed. The '-' denotes the range and the '^'
denotes exclusive. If you want to reset iothreadpin setting, that is, to pin an iothread to all physical
cpus, simply specify 'r' as a cpulist.
If --live is specified, affect a running guest. If the guest is not running, an error is returned. If
--config is specified, affect the next start of a persistent guest. If --current is specified, it is
equivalent to either --live or --config, depending on the current state of the guest. Both --live and
--config flags may be given if cpulist is present, but --current is exclusive. If no flag is specified,
behavior is different depending on hypervisor.
Note: The expression is sequentially evaluated, so "0-15,^8" is identical to "9-14,0-7,15" but not
identical to "^8,0-15".
iothreadset
Syntax:
iothreadset domain iothread_id [[--poll-max-ns ns] [--poll-grow factor]
[--poll-shrink divisor]]
[[--config] [--live] | [--current]]
Modifies an existing iothread of the domain using the specified iothread_id. The --poll-max-ns provides
the maximum polling interval to be allowed for an IOThread in ns. If a 0 (zero) is provided, then polling
for the IOThread is disabled. The --poll-grow is the factor by which the current polling time will be
adjusted in order to reach the maximum polling time. If a 0 (zero) is provided, then the default factor
will be used. The --poll-shrink is the quotient by which the current polling time will be reduced in
order to get below the maximum polling interval. If a 0 (zero) is provided, then the default quotient
will be used. The polling values are purely dynamic for a running guest. Saving, destroying, stopping,
etc. the guest will result in the polling values returning to hypervisor defaults at the next start,
restore, etc.
If --live is specified, affect a running guest. If the guest is not running an error is returned. If
--current is specified or --live is not specified, then handle as if --live was specified. (Where
"current" here means whatever the present guest state is: live or offline.)
managedsave
Syntax:
managedsave domain [--bypass-cache] [{--running | --paused}] [--verbose]
Save and destroy (stop) a running domain, so it can be restarted from the same state at a later time.
When the virsh start command is next run for the domain, it will automatically be started from this saved
state. If --bypass-cache is specified, the save will avoid the file system cache, although this may slow
down the operation.
The progress may be monitored using domjobinfo virsh command and canceled with domjobabort command (sent
by another virsh instance). Another option is to send SIGINT (usually with Ctrl-C) to the virsh process
running managedsave command. --verbose displays the progress of save.
Normally, starting a managed save will decide between running or paused based on the state the domain was
in when the save was done; passing either the --running or --paused flag will allow overriding which
state the start should use.
The dominfo command can be used to query whether a domain currently has any managed save image.
managedsave-define
Syntax:
managedsave-define domain xml [{--running | --paused}]
Update the domain XML that will be used when domain is later started. The xml argument must be a file
name containing the alternative XML, with changes only in the host-specific portions of the domain XML.
For example, it can be used to change disk file paths.
The managed save image records whether the domain should be started to a running or paused state.
Normally, this command does not alter the recorded state; passing either the --running or --paused flag
will allow overriding which state the start should use.
managedsave-dumpxml
Syntax:
managedsave-dumpxml domain [--security-info]
Extract the domain XML that was in effect at the time the saved state file file was created with the
managedsave command. Using --security-info will also include security sensitive information.
managedsave-edit
Syntax:
managedsave-edit domain [{--running | --paused}]
Edit the XML configuration associated with a saved state file of a domain was created by the managedsave
command.
The managed save image records whether the domain should be started to a running or paused state.
Normally, this command does not alter the recorded state; passing either the --running or --paused flag
will allow overriding which state the restore should use.
This is equivalent to:
virsh managedsave-dumpxml domain-name > state-file.xml
vi state-file.xml (or make changes with your other text editor)
virsh managedsave-define domain-name state-file-xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
managedsave-remove
Syntax:
managedsave-remove domain
Remove the managedsave state file for a domain, if it exists. This ensures the domain will do a full
boot the next time it is started.
maxvcpus
Syntax:
maxvcpus [type]
Provide the maximum number of virtual CPUs supported for a guest VM on this connection. If provided, the
type parameter must be a valid type attribute for the <domain> element of XML.
memtune
Syntax:
memtune domain [--hard-limit size] [--soft-limit size] [--swap-hard-limit size]
[--min-guarantee size] [[--config] [--live] | [--current]]
Allows you to display or set the domain memory parameters. Without flags, the current settings are
displayed; with a flag, the appropriate limit is adjusted if supported by the hypervisor. LXC and
QEMU/KVM support --hard-limit, --soft-limit, and --swap-hard-limit. --min-guarantee is supported only by
ESX hypervisor. Each of these limits are scaled integers (see NOTES above), with a default of kibibytes
(blocks of 1024 bytes) if no suffix is present. Libvirt rounds up to the nearest kibibyte. Some
hypervisors require a larger granularity than KiB, and requests that are not an even multiple will be
rounded up. For example, vSphere/ESX rounds the parameter up to mebibytes (1024 kibibytes).
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
If no flag is specified, behavior is different depending on hypervisor.
For QEMU/KVM, the parameters are applied to the QEMU process as a whole. Thus, when counting them, one
needs to add up guest RAM, guest video RAM, and some memory overhead of QEMU itself. The last piece is
hard to determine so one needs guess and try.
For LXC, the displayed hard_limit value is the current memory setting from the XML or the results from a
virsh setmem command.
• --hard-limit
The maximum memory the guest can use.
• --soft-limit
The memory limit to enforce during memory contention.
• --swap-hard-limit
The maximum memory plus swap the guest can use. This has to be more than hard-limit value provided.
• --min-guarantee
The guaranteed minimum memory allocation for the guest.
Specifying -1 as a value for these limits is interpreted as unlimited.
metadata
Syntax:
metadata domain [[--live] [--config] | [--current]]
[--edit] [uri] [key] [set] [--remove]
Show or modify custom XML metadata of a domain. The metadata is a user defined XML that allows storing
arbitrary XML data in the domain definition. Multiple separate custom metadata pieces can be stored in
the domain XML. The pieces are identified by a private XML namespace provided via the uri argument. (See
also desc that works with textual metadata of a domain.)
Flags --live or --config select whether this command works on live or persistent definitions of the
domain. If both --live and --config are specified, the --config option takes precedence on getting the
current description and both live configuration and config are updated while setting the description.
--current is exclusive and implied if none of these was specified.
Flag --remove specifies that the metadata element specified by the uri argument should be removed rather
than updated.
Flag --edit specifies that an editor with the metadata identified by the uri argument should be opened
and the contents saved back afterwards. Otherwise the new contents can be provided via the set argument.
When setting metadata via --edit or set the key argument must be specified and is used to prefix the
custom elements to bind them to the private namespace.
If neither of --edit and set are specified the XML metadata corresponding to the uri namespace is
displayed instead of being modified.
migrate
Syntax:
migrate [--live] [--offline] [--direct] [--p2p [--tunnelled]]
[--persistent] [--undefinesource] [--suspend] [--copy-storage-all]
[--copy-storage-inc] [--change-protection] [--unsafe] [--verbose]
[--rdma-pin-all] [--abort-on-error] [--postcopy] [--postcopy-after-precopy]
domain desturi [migrateuri] [graphicsuri] [listen-address] [dname]
[--timeout seconds [--timeout-suspend | --timeout-postcopy]]
[--xml file] [--migrate-disks disk-list] [--disks-port port]
[--compressed] [--comp-methods method-list]
[--comp-mt-level] [--comp-mt-threads] [--comp-mt-dthreads]
[--comp-xbzrle-cache] [--auto-converge] [auto-converge-initial]
[auto-converge-increment] [--persistent-xml file] [--tls]
[--postcopy-bandwidth bandwidth]
[--parallel [--parallel-connections connections]]
[--bandwidth bandwidth] [--tls-destination hostname]
[--disks-uri URI] [--copy-storage-synchronous-writes]
Migrate domain to another host. Add --live for live migration; <--p2p> for peer-2-peer migration;
--direct for direct migration; or --tunnelled for tunnelled migration. --offline migrates domain
definition without starting the domain on destination and without stopping it on source host. Offline
migration may be used with inactive domains and it must be used with --persistent option.
--persistent leaves the domain persistent on destination host, --undefinesource undefines the domain on
the source host, and --suspend leaves the domain paused on the destination host.
--copy-storage-all indicates migration with non-shared storage with full disk copy, --copy-storage-inc
indicates migration with non-shared storage with incremental copy (same base image shared between source
and destination). In both cases the disk images have to exist on destination host, the
--copy-storage-... options only tell libvirt to transfer data from the images on source host to the
images found at the same place on the destination host. By default only non-shared non-readonly images
are transferred. Use --migrate-disks to explicitly specify a list of disk targets to transfer via the
comma separated disk-list argument. With --copy-storage-synchronous-writes flag used the disk data
migration will synchronously handle guest disk writes to both the original source and the destination to
ensure that the disk migration converges at the price of possibly decreased burst performance.
--change-protection enforces that no incompatible configuration changes will be made to the domain while
the migration is underway; this flag is implicitly enabled when supported by the hypervisor, but can be
explicitly used to reject the migration if the hypervisor lacks change protection support.
--verbose displays the progress of migration.
--abort-on-error cancels the migration if a soft error (for example I/O error) happens during the
migration.
--postcopy enables post-copy logic in migration, but does not actually start post-copy, i.e., migration
is started in pre-copy mode. Once migration is running, the user may switch to post-copy using the
migrate-postcopy command sent from another virsh instance or use --postcopy-after-precopy along with
--postcopy to let libvirt automatically switch to post-copy after the first pass of pre-copy is finished.
The maximum bandwidth consumed during the post-copy phase may be limited using --postcopy-bandwidth. The
maximum bandwidth consumed during the pre-copy phase may be limited using --bandwidth.
--auto-converge forces convergence during live migration. The initial guest CPU throttling rate can be
set with auto-converge-initial. If the initial throttling rate is not enough to ensure convergence, the
rate is periodically increased by auto-converge-increment.
--rdma-pin-all can be used with RDMA migration (i.e., when migrateuri starts with rdma://) to tell the
hypervisor to pin all domain's memory at once before migration starts rather than letting it pin memory
pages as needed. For QEMU/KVM this requires hard_limit memory tuning element (in the domain XML) to be
used and set to the maximum memory configured for the domain plus any memory consumed by the QEMU process
itself. Beware of setting the memory limit too high (and thus allowing the domain to lock most of the
host's memory). Doing so may be dangerous to both the domain and the host itself since the host's kernel
may run out of memory.
Note: Individual hypervisors usually do not support all possible types of migration. For example, QEMU
does not support direct migration.
In some cases libvirt may refuse to migrate the domain because doing so may lead to potential problems
such as data corruption, and thus the migration is considered unsafe. For QEMU domain, this may happen if
the domain uses disks without explicitly setting cache mode to "none". Migrating such domains is unsafe
unless the disk images are stored on coherent clustered filesystem, such as GFS2 or GPFS. If you are sure
the migration is safe or you just do not care, use --unsafe to force the migration.
dname is used for renaming the domain to new name during migration, which also usually can be omitted.
Likewise, --xml file is usually omitted, but can be used to supply an alternative XML file for use on the
destination to supply a larger set of changes to any host-specific portions of the domain XML, such as
accounting for naming differences between source and destination in accessing underlying storage. If
--persistent is enabled, --persistent-xml file can be used to supply an alternative XML file which will
be used as the persistent guest definition on the destination host.
--timeout seconds tells virsh to run a specified action when live migration exceeds that many seconds.
It can only be used with --live. If --timeout-suspend is specified, the domain will be suspended after
the timeout and the migration will complete offline; this is the default if no --timeout-\`` option is
specified on the command line. When *--timeout-postcopy is used, virsh will switch migration from
pre-copy to post-copy upon timeout; migration has to be started with --postcopy option for this to work.
--compressed activates compression, the compression method is chosen with --comp-methods. Supported
methods are "mt" and "xbzrle" and can be used in any combination. When no methods are specified, a
hypervisor default methods will be used. QEMU defaults to "xbzrle". Compression methods can be tuned
further. --comp-mt-level sets compression level. Values are in range from 0 to 9, where 1 is maximum
speed and 9 is maximum compression. --comp-mt-threads and --comp-mt-dthreads set the number of compress
threads on source and the number of decompress threads on target respectively. --comp-xbzrle-cache sets
size of page cache in bytes.
Providing --tls causes the migration to use the host configured TLS setup (see migrate_tls_x509_cert_dir
in /etc/libvirt/qemu.conf) in order to perform the migration of the domain. Usage requires proper TLS
setup for both source and target. Normally the TLS certificate from the destination host must match the
host's name for TLS verification to succeed. When the certificate does not match the destination hostname
and the expected certificate's hostname is known, --tls-destination can be used to pass the expected
hostname when starting the migration.
--parallel option will cause migration data to be sent over multiple parallel connections. The number of
such connections can be set using --parallel-connections. Parallel connections may help with saturating
the network link between the source and the target and thus speeding up the migration.
Running migration can be canceled by interrupting virsh (usually using Ctrl-C) or by domjobabort command
sent from another virsh instance.
The desturi and migrateuri parameters can be used to control which destination the migration uses.
desturi is important for managed migration, but unused for direct migration; migrateuri is required for
direct migration, but can usually be automatically determined for managed migration.
Note: The desturi parameter for normal migration and peer2peer migration has different semantics:
• normal migration: the desturi is an address of the target host as seen from the client machine.
• peer2peer migration: the desturi is an address of the target host as seen from the source machine.
In a special circumstance where you require a complete control of the connection and/or libvirt does not
have network access to the remote side you can use a UNIX transport in the URI and specify a socket path
in the query, for example with the qemu driver you could use this:
qemu+unix:///system?socket=/path/to/socket
When migrateuri is not specified, libvirt will automatically determine the hypervisor specific URI. Some
hypervisors, including QEMU, have an optional "migration_host" configuration parameter (useful when the
host has multiple network interfaces). If this is unspecified, libvirt determines a name by looking up
the target host's configured hostname.
There are a few scenarios where specifying migrateuri may help:
• The configured hostname is incorrect, or DNS is broken. If a host has a hostname which will not
resolve to match one of its public IP addresses, then libvirt will generate an incorrect URI. In this
case migrateuri should be explicitly specified, using an IP address, or a correct hostname.
• The host has multiple network interfaces. If a host has multiple network interfaces, it might be
desirable for the migration data stream to be sent over a specific interface for either security or
performance reasons. In this case migrateuri should be explicitly specified, using an IP address
associated with the network to be used.
• The firewall restricts what ports are available. When libvirt generates a migration URI, it will pick
a port number using hypervisor specific rules. Some hypervisors only require a single port to be open
in the firewalls, while others require a whole range of port numbers. In the latter case migrateuri
might be specified to choose a specific port number outside the default range in order to comply with
local firewall policies.
• The desturi uses UNIX transport method. In this advanced case libvirt should not guess a migrateuri
and it should be specified using UNIX socket path URI:
unix:///path/to/socket
See https://libvirt.org/migration.html#uris for more details on migration URIs.
Optional graphicsuri overrides connection parameters used for automatically reconnecting a graphical
clients at the end of migration. If omitted, libvirt will compute the parameters based on target host IP
address. In case the client does not have a direct access to the network virtualization hosts are
connected to and needs to connect through a proxy, graphicsuri may be used to specify the address the
client should connect to. The URI is formed as follows:
protocol://hostname[:port]/[?parameters]
where protocol is either "spice" or "vnc" and parameters is a list of protocol specific parameters
separated by '&'. Currently recognized parameters are "tlsPort" and "tlsSubject". For example,
spice://target.host.com:1234/?tlsPort=4567
Optional listen-address sets the listen address that hypervisor on the destination side should bind to
for incoming migration. Both IPv4 and IPv6 addresses are accepted as well as hostnames (the resolving is
done on destination). Some hypervisors do not support specifying the listen address and will return an
error if this parameter is used. This parameter cannot be used if desturi uses UNIX transport method.
Optional disks-port sets the port that hypervisor on destination side should bind to for incoming disks
traffic. Currently it is supported only by QEMU.
Optional disks-uri can also be specified (mutually exclusive with disks-port) to specify what the remote
hypervisor should bind/connect to when migrating disks. This can be tcp://address:port to specify a
listen address (which overrides --migrate-uri and --listen-address for the disk migration) and a port or
unix:///path/to/socket in case you need the disk migration to happen over a UNIX socket with that
specified path. In this case you need to make sure the same socket path is accessible to both source and
destination hypervisors and connecting to the socket on the source (after hypervisor creates it on the
destination) will actually connect to the destination. If you are using SELinux (at least on the source
host) you need to make sure the socket on the source is accessible to libvirtd/QEMU for connection.
Libvirt cannot change the context of the existing socket because it is different from the file
representation of the socket and the context is chosen by its creator (usually by using
setsockcreatecon{,_raw}() functions).
migrate-compcache
Syntax:
migrate-compcache domain [--size bytes]
Sets and/or gets size of the cache (in bytes) used for compressing repeatedly transferred memory pages
during live migration. When called without size, the command just prints current size of the compression
cache. When size is specified, the hypervisor is asked to change compression cache to size bytes and then
the current size is printed (the result may differ from the requested size due to rounding done by the
hypervisor). The size option is supposed to be used while the domain is being live-migrated as a reaction
to migration progress and increasing number of compression cache misses obtained from domjobinfo.
migrate-getmaxdowntime
Syntax:
migrate-getmaxdowntime domain
Get the maximum tolerable downtime for a domain which is being live-migrated to another host. This is
the number of milliseconds the guest is allowed to be down at the end of live migration.
migrate-getspeed
Syntax:
migrate-getspeed domain [--postcopy]
Get the maximum migration bandwidth (in MiB/s) for a domain. If the --postcopy option is specified, the
command will get the maximum bandwidth allowed during a post-copy migration phase.
migrate-postcopy
Syntax:
migrate-postcopy domain
Switch the current migration from pre-copy to post-copy. This is only supported for a migration started
with --postcopy option.
migrate-setmaxdowntime
Syntax:
migrate-setmaxdowntime domain downtime
Set maximum tolerable downtime for a domain which is being live-migrated to another host. The downtime
is a number of milliseconds the guest is allowed to be down at the end of live migration.
migrate-setspeed
Syntax:
migrate-setspeed domain bandwidth [--postcopy]
Set the maximum migration bandwidth (in MiB/s) for a domain which is being migrated to another host.
bandwidth is interpreted as an unsigned long long value. Specifying a negative value results in an
essentially unlimited value being provided to the hypervisor. The hypervisor can choose whether to reject
the value or convert it to the maximum value allowed. If the --postcopy option is specified, the command
will set the maximum bandwidth allowed during a post-copy migration phase.
numatune
Syntax:
numatune domain [--mode mode] [--nodeset nodeset]
[[--config] [--live] | [--current]]
Set or get a domain's numa parameters, corresponding to the <numatune> element of domain XML. Without
flags, the current settings are displayed.
mode can be one of `strict', `interleave', `preferred' and 'restrictive' or any valid number from the
virDomainNumatuneMemMode enum in case the daemon supports it. For a running domain, the mode can't be
changed, and the nodeset can be changed only if the domain was started with `restrictive' mode.
nodeset is a list of numa nodes used by the host for running the domain. Its syntax is a comma separated
list, with '-' for ranges and '^' for excluding a node.
If --live is specified, set scheduler information of a running guest. If --config is specified, affect
the next start of a persistent guest. If --current is specified, it is equivalent to either --live or
--config, depending on the current state of the guest.
For running guests in Linux hosts, the changes made in the domain's numa parameters does not imply that
the guest memory will be moved to a different nodeset immediately. The memory migration depends on the
guest activity, and the memory of an idle guest will remain in its previous nodeset for longer. The
presence of VFIO devices will also lock parts of the guest memory in the same nodeset used to start the
guest, regardless of nodeset changes.
perf
Syntax:
perf domain [--enable eventSpec] [--disable eventSpec]
[[--config] [--live] | [--current]]
Get the current perf events setting or enable/disable specific perf events for a guest domain.
Perf is a performance analyzing tool in Linux, and it can instrument CPU performance counters,
tracepoints, kprobes, and uprobes (dynamic tracing). Perf supports a list of measurable events, and can
measure events coming from different sources. For instance, some event are pure kernel counters, in this
case they are called software events, including context-switches, minor-faults, etc.. Now dozens of
events from different sources can be supported by perf.
Currently only QEMU/KVM supports this command. The --enable and --disable option combined with eventSpec
can be used to enable or disable specific performance event. eventSpec is a string list of one or more
events separated by commas. Valid event names are as follows:
Valid perf event names
• cmt - A PQos (Platform Qos) feature to monitor the usage of cache by applications running on the
platform.
• mbmt - Provides a way to monitor the total system memory bandwidth between one level of cache and
another.
• mbml - Provides a way to limit the amount of data (bytes/s) send through the memory controller on the
socket.
• cache_misses - Provides the count of cache misses by applications running on the platform.
• cache_references - Provides the count of cache hits by applications running on th e platform.
• instructions - Provides the count of instructions executed by applications running on the platform.
• cpu_cycles - Provides the count of cpu cycles (total/elapsed). May be used with instructions in order
to get a cycles per instruction.
• branch_instructions - Provides the count of branch instructions executed by applications running on the
platform.
• branch_misses - Provides the count of branch misses executed by applications running on the platform.
• bus_cycles - Provides the count of bus cycles executed by applications running on the platform.
• stalled_cycles_frontend - Provides the count of stalled cpu cycles in the frontend of the instruction
processor pipeline by applications running on the platform.
• stalled_cycles_backend - Provides the count of stalled cpu cycles in the backend of the instruction
processor pipeline by applications running on the platform.
• ref_cpu_cycles - Provides the count of total cpu cycles not affected by CPU frequency scaling by
applications running on the platform.
• cpu_clock - Provides the cpu clock time consumed by applications running on the platform.
• task_clock - Provides the task clock time consumed by applications running on the platform.
• page_faults - Provides the count of page faults by applications running on the platform.
• context_switches - Provides the count of context switches by applications running on the platform.
• cpu_migrations - Provides the count cpu migrations by applications running on the platform.
• page_faults_min - Provides the count minor page faults by applications running on the platform.
• page_faults_maj - Provides the count major page faults by applications running on the platform.
• alignment_faults - Provides the count alignment faults by applications running on the platform.
• emulation_faults - Provides the count emulation faults by applications running on the platform.
Note: The statistics can be retrieved using the domstats command using the --perf flag.
If --live is specified, affect a running guest. If --config is specified, affect the next start of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
If no flag is specified, behavior is different depending on hypervisor.
reboot
Syntax:
reboot domain [--mode MODE-LIST]
Reboot a domain. This acts just as if the domain had the reboot command run from the console. The
command returns as soon as it has executed the reboot action, which may be significantly before the
domain actually reboots.
The exact behavior of a domain when it reboots is set by the on_reboot parameter in the domain's XML
definition.
By default the hypervisor will try to pick a suitable shutdown method. To specify an alternative method,
the --mode parameter can specify a comma separated list which includes acpi, agent, initctl, signal and
paravirt. The order in which drivers will try each mode is undefined, and not related to the order
specified to virsh. For strict control over ordering, use a single mode at a time and repeat the
command.
reset
Syntax:
reset domain
Reset a domain immediately without any guest shutdown. reset emulates the power reset button on a
machine, where all guest hardware sees the RST line set and reinitializes internal state.
Note: Reset without any guest OS shutdown risks data loss.
restore
Syntax:
restore state-file [--bypass-cache] [--xml file]
[{--running | --paused}]
Restores a domain from a virsh save state file. See save for more info.
If --bypass-cache is specified, the restore will avoid the file system cache, although this may slow down
the operation.
--xml file is usually omitted, but can be used to supply an alternative XML file for use on the restored
guest with changes only in the host-specific portions of the domain XML. For example, it can be used to
account for file naming differences in underlying storage due to disk snapshots taken after the guest was
saved.
Normally, restoring a saved image will use the state recorded in the save image to decide between running
or paused; passing either the --running or --paused flag will allow overriding which state the domain
should be started in.
Note: To avoid corrupting file system contents within the domain, you should not reuse the saved state
file for a second restore unless you have also reverted all storage volumes back to the same contents as
when the state file was created.
resume
Syntax:
resume domain
Moves a domain out of the suspended state. This will allow a previously suspended domain to now be
eligible for scheduling by the underlying hypervisor.
save
Syntax:
save domain state-file [--bypass-cache] [--xml file]
[{--running | --paused}] [--verbose]
Saves a running domain (RAM, but not disk state) to a state file so that it can be restored later. Once
saved, the domain will no longer be running on the system, thus the memory allocated for the domain will
be free for other domains to use. virsh restore restores from this state file. If --bypass-cache is
specified, the save will avoid the file system cache, although this may slow down the operation.
The progress may be monitored using domjobinfo virsh command and canceled with domjobabort command (sent
by another virsh instance). Another option is to send SIGINT (usually with Ctrl-C) to the virsh process
running save command. --verbose displays the progress of save.
This is roughly equivalent to doing a hibernate on a running computer, with all the same limitations.
Open network connections may be severed upon restore, as TCP timeouts may have expired.
--xml file is usually omitted, but can be used to supply an alternative XML file for use on the restored
guest with changes only in the host-specific portions of the domain XML. For example, it can be used to
account for file naming differences that are planned to be made via disk snapshots of underlying storage
after the guest is saved.
Normally, restoring a saved image will decide between running or paused based on the state the domain was
in when the save was done; passing either the --running or --paused flag will allow overriding which
state the restore should use.
Domain saved state files assume that disk images will be unchanged between the creation and restore
point. For a more complete system restore point, where the disk state is saved alongside the memory
state, see the snapshot family of commands.
save-image-define
Syntax:
save-image-define file xml [{--running | --paused}]
Update the domain XML that will be used when file is later used in the restore command. The xml argument
must be a file name containing the alternative XML, with changes only in the host-specific portions of
the domain XML. For example, it can be used to account for file naming differences resulting from
creating disk snapshots of underlying storage after the guest was saved.
The save image records whether the domain should be restored to a running or paused state. Normally,
this command does not alter the recorded state; passing either the --running or --paused flag will allow
overriding which state the restore should use.
save-image-dumpxml
Syntax:
save-image-dumpxml file [--security-info]
Extract the domain XML that was in effect at the time the saved state file file was created with the save
command. Using --security-info will also include security sensitive information.
save-image-edit
Syntax:
save-image-edit file [{--running | --paused}]
Edit the XML configuration associated with a saved state file file created by the save command.
The save image records whether the domain should be restored to a running or paused state. Normally,
this command does not alter the recorded state; passing either the --running or --paused flag will allow
overriding which state the restore should use.
This is equivalent to:
virsh save-image-dumpxml state-file > state-file.xml
vi state-file.xml (or make changes with your other text editor)
virsh save-image-define state-file state-file-xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
schedinfo
Syntax:
schedinfo domain [[--config] [--live] | [--current]] [[--set] parameter=value]...
schedinfo [--weight number] [--cap number] domain
Allows you to show (and set) the domain scheduler parameters. The parameters available for each
hypervisor are:
LXC (posix scheduler) : cpu_shares, vcpu_period, vcpu_quota
QEMU/KVM (posix scheduler): cpu_shares, vcpu_period, vcpu_quota, emulator_period, emulator_quota,
global_period, global_quota, iothread_period, iothread_quota
Xen (credit scheduler): weight, cap
ESX (allocation scheduler): reservation, limit, shares
If --live is specified, set scheduler information of a running guest. If --config is specified, affect
the next start of a persistent guest. If --current is specified, it is equivalent to either --live or
--config, depending on the current state of the guest.
Note: The cpu_shares parameter has a valid value range of 2-262144.
Note: The weight and cap parameters are defined only for the XEN_CREDIT scheduler.
Note: The vcpu_period, emulator_period, and iothread_period parameters have a valid value range of
1000-1000000 or 0, and the vcpu_quota, emulator_quota, and iothread_quota parameters have a valid value
range of 1000-17592186044415 or less than 0. The value 0 for either parameter is the same as not
specifying that parameter.
screenshot
Syntax:
screenshot domain [imagefilepath] [--screen screenID]
Takes a screenshot of a current domain console and stores it into a file. Optionally, if the hypervisor
supports more displays for a domain, screenID allows specifying which screen will be captured. It is the
sequential number of screen. In case of multiple graphics cards, heads are enumerated before devices,
e.g. having two graphics cards, both with four heads, screen ID 5 addresses the second head on the second
card.
send-key
Syntax:
send-key domain [--codeset codeset] [--holdtime holdtime] keycode...
Parse the keycode sequence as keystrokes to send to domain. Each keycode can either be a numeric value
or a symbolic name from the corresponding codeset. If --holdtime is given, each keystroke will be held
for that many milliseconds. The default codeset is linux, but use of the --codeset option allows other
codesets to be chosen.
If multiple keycodes are specified, they are all sent simultaneously to the guest, and they may be
received in random order. If you need distinct keypresses, you must use multiple send-key invocations.
• linux
The numeric values are those defined by the Linux generic input event subsystem. The symbolic names
match the corresponding Linux key constant macro names.
See virkeycode-linux(7) and virkeyname-linux(7)
• xt
The numeric values are those defined by the original XT keyboard controller. No symbolic names are
provided
See virkeycode-xt(7)
• atset1
The numeric values are those defined by the AT keyboard controller, set 1 (aka XT compatible set).
Extended keycoes from atset1 may differ from extended keycodes in the xt codeset. No symbolic names are
provided
See virkeycode-atset1(7)
• atset2
The numeric values are those defined by the AT keyboard controller, set 2. No symbolic names are
provided
See virkeycode-atset2(7)
• atset3
The numeric values are those defined by the AT keyboard controller, set 3 (aka PS/2 compatible set). No
symbolic names are provided
See virkeycode-atset3(7)
• os_x
The numeric values are those defined by the macOS keyboard input subsystem. The symbolic names match
the corresponding macOS key constant macro names
See virkeycode-osx(7) and virkeyname-osx(7)
• xt_kbd
The numeric values are those defined by the Linux KBD device. These are a variant on the original XT
codeset, but often with different encoding for extended keycodes. No symbolic names are provided.
See virkeycode-xtkbd(7)
• win32
The numeric values are those defined by the Win32 keyboard input subsystem. The symbolic names match
the corresponding Win32 key constant macro names
See virkeycode-win32(7) and virkeyname-win32(7)
• usb
The numeric values are those defined by the USB HID specification for keyboard input. No symbolic names
are provided
See virkeycode-usb(7)
• qnum
The numeric values are those defined by the QNUM extension for sending raw keycodes. These are a
variant on the XT codeset, but extended keycodes have the low bit of the second byte set, instead of
the high bit of the first byte. No symbolic names are provided.
See virkeycode-qnum(7)
Examples:
# send three strokes 'k', 'e', 'y', using xt codeset. these
# are all pressed simultaneously and may be received by the guest
# in random order
virsh send-key dom --codeset xt 37 18 21
# send one stroke 'right-ctrl+C'
virsh send-key dom KEY_RIGHTCTRL KEY_C
# send a tab, held for 1 second
virsh send-key --holdtime 1000 0xf
send-process-signal
Syntax:
send-process-signal domain-id pid signame
Send a signal signame to the process identified by pid running in the virtual domain domain-id. The pid
is a process ID in the virtual domain namespace.
The signame argument may be either an integer signal constant number, or one of the symbolic names:
"nop", "hup", "int", "quit", "ill",
"trap", "abrt", "bus", "fpe", "kill",
"usr1", "segv", "usr2", "pipe", "alrm",
"term", "stkflt", "chld", "cont", "stop",
"tstp", "ttin", "ttou", "urg", "xcpu",
"xfsz", "vtalrm", "prof", "winch", "poll",
"pwr", "sys", "rt0", "rt1", "rt2", "rt3",
"rt4", "rt5", "rt6", "rt7", "rt8", "rt9",
"rt10", "rt11", "rt12", "rt13", "rt14", "rt15",
"rt16", "rt17", "rt18", "rt19", "rt20", "rt21",
"rt22", "rt23", "rt24", "rt25", "rt26", "rt27",
"rt28", "rt29", "rt30", "rt31", "rt32"
The symbol name may optionally be prefixed with sig or sig_ and may be in uppercase or lowercase.
Examples:
virsh send-process-signal myguest 1 15
virsh send-process-signal myguest 1 term
virsh send-process-signal myguest 1 sigterm
virsh send-process-signal myguest 1 SIG_HUP
set-lifecycle-action
Syntax:
set-lifecycle-action domain type action
[[--config] [--live] | [--current]]
Set the lifecycle action for specified lifecycle type. The valid types are "poweroff", "reboot" and
"crash", and for each of them valid action is one of "destroy", "restart", "rename-restart", "preserve".
For type "crash", additional actions "coredump-destroy" and "coredump-restart" are supported.
set-user-password
Syntax:
set-user-password domain user password [--encrypted]
Set the password for the user account in the guest domain.
If --encrypted is specified, the password is assumed to be already encrypted by the method required by
the guest OS.
For QEMU/KVM, this requires the guest agent to be configured and running.
set-user-sshkeys
Syntax:
set-user-sshkeys domain user [--file FILE] [{--reset | --remove}]
Append keys read from FILE into user's SSH authorized keys file in the guest domain. In the FILE keys
must be on separate lines and each line must follow authorized keys format as defined by sshd(8).
If --reset is specified, then the guest authorized keys file content is removed before appending new
keys. As a special case, if --reset is provided and no FILE was provided then no new keys are added and
the authorized keys file is cleared out.
If --remove is specified, then instead of adding any new keys then keys read from FILE are removed from
the authorized keys file. It is not considered an error if the key does not exist in the file.
setmaxmem
Syntax:
setmaxmem domain size [[--config] [--live] | [--current]]
Change the maximum memory allocation limit for a guest domain. If --live is specified, affect a running
guest. If --config is specified, affect the next start of a persistent guest. If --current is
specified, it is equivalent to either --live or --config, depending on the current state of the guest.
Both --live and --config flags may be given, but --current is exclusive. If no flag is specified,
behavior is different depending on hypervisor.
Some hypervisors such as QEMU/KVM don't support live changes (especially increasing) of the maximum
memory limit. Even persistent configuration changes might not be performed with some
hypervisors/configuration (e.g. on NUMA enabled domains on QEMU). For complex configuration changes use
command edit instead).
size is a scaled integer (see NOTES above); it defaults to kibibytes (blocks of 1024 bytes) unless you
provide a suffix (and the older option name --kilobytes is available as a deprecated synonym) . Libvirt
rounds up to the nearest kibibyte. Some hypervisors require a larger granularity than KiB, and requests
that are not an even multiple will be rounded up. For example, vSphere/ESX rounds the parameter up to
mebibytes (1024 kibibytes).
setmem
Syntax:
setmem domain size [[--config] [--live] | [--current]]
Change the memory allocation for a guest domain. If --live is specified, perform a memory balloon of a
running guest. If --config is specified, affect the next start of a persistent guest. If --current is
specified, it is equivalent to either --live or --config, depending on the current state of the guest.
Both --live and --config flags may be given, but --current is exclusive. If no flag is specified,
behavior is different depending on hypervisor.
size is a scaled integer (see NOTES above); it defaults to kibibytes (blocks of 1024 bytes) unless you
provide a suffix (and the older option name --kilobytes is available as a deprecated synonym) . Libvirt
rounds up to the nearest kibibyte. Some hypervisors require a larger granularity than KiB, and requests
that are not an even multiple will be rounded up. For example, vSphere/ESX rounds the parameter up to
mebibytes (1024 kibibytes).
For Xen, you can only adjust the memory of a running domain if the domain is paravirtualized or running
the PV balloon driver.
For LXC, the value being set is the cgroups value for limit_in_bytes or the maximum amount of user memory
(including file cache). When viewing memory inside the container, this is the /proc/meminfo "MemTotal"
value. When viewing the value from the host, use the virsh memtune command. In order to view the current
memory in use and the maximum value allowed to set memory, use the virsh dominfo command.
setvcpus
Syntax:
setvcpus domain count [--maximum] [[--config] [--live] | [--current]] [--guest] [--hotpluggable]
Change the number of virtual CPUs active in a guest domain. By default, this command works on active
guest domains. To change the settings for an inactive guest domain, use the --config flag.
The count value may be limited by host, hypervisor, or a limit coming from the original description of
the guest domain. For Xen, you can only adjust the virtual CPUs of a running domain if the domain is
paravirtualized.
If the --config flag is specified, the change is made to the stored XML configuration for the guest
domain, and will only take effect when the guest domain is next started.
If --live is specified, the guest domain must be active, and the change takes place immediately. Both
the --config and --live flags may be specified together if supported by the hypervisor. If this command
is run before the guest has finished booting, the guest may fail to process the change.
If --current is specified, it is equivalent to either --live or --config, depending on the current state
of the guest.
When no flags are given, the --live flag is assumed and the guest domain must be active. In this
situation it is up to the hypervisor whether the --config flag is also assumed, and therefore whether the
XML configuration is adjusted to make the change persistent.
If --guest is specified, then the count of cpus is modified in the guest instead of the hypervisor. This
flag is usable only for live domains and may require guest agent to be configured in the guest.
To allow adding vcpus to persistent definitions that can be later hotunplugged after the domain is booted
it is necessary to specify the --hotpluggable flag. Vcpus added to live domains supporting vcpu unplug
are automatically marked as hotpluggable.
The --maximum flag controls the maximum number of virtual cpus that can be hot-plugged the next time the
domain is booted. As such, it must only be used with the --config flag, and not with the --live or the
--current flag. Note that it may not be possible to change the maximum vcpu count if the processor
topology is specified for the guest.
setvcpu
Syntax:
setvcpu domain vcpulist [--enable] | [--disable]
[[--live] [--config] | [--current]]
Change state of individual vCPUs using hot(un)plug mechanism.
See vcpupin for information on format of vcpulist. Hypervisor drivers may require that vcpulist contains
exactly vCPUs belonging to one hotpluggable entity. This is usually just a single vCPU but certain
architectures such as ppc64 require a full core to be specified at once.
Note that hypervisors may refuse to disable certain vcpus such as vcpu 0 or others.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. This is the default. Both --live and --config flags may be given, but
--current is exclusive.
shutdown
Syntax:
shutdown domain [--mode MODE-LIST]
Gracefully shuts down a domain. This coordinates with the domain OS to perform graceful shutdown, so
there is no guarantee that it will succeed, and may take a variable length of time depending on what
services must be shutdown in the domain.
The exact behavior of a domain when it shuts down is set by the on_poweroff parameter in the domain's XML
definition.
If domain is transient, then the metadata of any snapshots and checkpoints will be lost once the guest
stops running, but the underlying contents still exist, and a new domain with the same name and UUID can
restore the snapshot metadata with snapshot-create, and the checkpoint metadata with checkpoint-create.
By default the hypervisor will try to pick a suitable shutdown method. To specify an alternative method,
the --mode parameter can specify a comma separated list which includes acpi, agent, initctl, signal and
paravirt. The order in which drivers will try each mode is undefined, and not related to the order
specified to virsh. For strict control over ordering, use a single mode at a time and repeat the
command.
start
Syntax:
start domain-name-or-uuid [--console] [--paused]
[--autodestroy] [--bypass-cache] [--force-boot]
[--pass-fds N,M,...]
Start a (previously defined) inactive domain, either from the last managedsave state, or via a fresh boot
if no managedsave state is present. The domain will be paused if the --paused option is used and
supported by the driver; otherwise it will be running. If --console is requested, attach to the console
after creation. If --autodestroy is requested, then the guest will be automatically destroyed when virsh
closes its connection to libvirt, or otherwise exits. If --bypass-cache is specified, and managedsave
state exists, the restore will avoid the file system cache, although this may slow down the operation.
If --force-boot is specified, then any managedsave state is discarded and a fresh boot occurs.
If --pass-fds is specified, the argument is a comma separated list of open file descriptors which should
be pass on into the guest. The file descriptors will be re-numbered in the guest, starting from 3. This
is only supported with container based virtualization.
suspend
Syntax:
suspend domain
Suspend a running domain. It is kept in memory but won't be scheduled anymore.
ttyconsole
Syntax:
ttyconsole domain
Output the device used for the TTY console of the domain. If the information is not available the
processes will provide an exit code of 1.
undefine
Syntax:
undefine domain [--managed-save] [--snapshots-metadata]
[--checkpoints-metadata] [--nvram] [--keep-nvram]
[ {--storage volumes | --remove-all-storage
[--delete-storage-volume-snapshots]} --wipe-storage]
Undefine a domain. If the domain is running, this converts it to a transient domain, without stopping it.
If the domain is inactive, the domain configuration is removed.
The --managed-save flag guarantees that any managed save image (see the managedsave command) is also
cleaned up. Without the flag, attempts to undefine a domain with a managed save image will fail.
The --snapshots-metadata flag guarantees that any snapshots (see the snapshot-list command) are also
cleaned up when undefining an inactive domain. Without the flag, attempts to undefine an inactive domain
with snapshot metadata will fail. If the domain is active, this flag is ignored.
The --checkpoints-metadata flag guarantees that any checkpoints (see the checkpoint-list command) are
also cleaned up when undefining an inactive domain. Without the flag, attempts to undefine an inactive
domain with checkpoint metadata will fail. If the domain is active, this flag is ignored.
--nvram and --keep-nvram specify accordingly to delete or keep nvram (/domain/os/nvram/) file. If the
domain has an nvram file and the flags are omitted, the undefine will fail.
The --storage flag takes a parameter volumes, which is a comma separated list of volume target names or
source paths of storage volumes to be removed along with the undefined domain. Volumes can be undefined
and thus removed only on inactive domains. Volume deletion is only attempted after the domain is
undefined; if not all of the requested volumes could be deleted, the error message indicates what still
remains behind. If a volume path is not found in the domain definition, it's treated as if the volume was
successfully deleted. Only volumes managed by libvirt in storage pools can be removed this way. (See
domblklist for list of target names associated to a domain). Example: --storage vda,/path/to/storage.img
The --remove-all-storage flag specifies that all of the domain's storage volumes should be deleted.
The --delete-storage-volume-snapshots (previously --delete-snapshots) flag specifies that any snapshots
associated with the storage volume should be deleted as well. Requires the --remove-all-storage flag to
be provided. Not all storage drivers support this option, presently only rbd. Using this when also
removing volumes handled by a storage driver which does not support the flag will result in failure.
The flag --wipe-storage specifies that the storage volumes should be wiped before removal.
NOTE: For an inactive domain, the domain name or UUID must be used as the domain.
vcpucount
Syntax:
vcpucount domain [{--maximum | --active}
{--config | --live | --current}] [--guest]
Print information about the virtual cpu counts of the given domain. If no flags are specified, all
possible counts are listed in a table; otherwise, the output is limited to just the numeric value
requested. For historical reasons, the table lists the label "current" on the rows that can be queried
in isolation via the --active flag, rather than relating to the --current flag.
--maximum requests information on the maximum cap of vcpus that a domain can add via setvcpus, while
--active shows the current usage; these two flags cannot both be specified. --config requires a
persistent guest and requests information regarding the next time the domain will be booted, --live
requires a running domain and lists current values, and --current queries according to the current state
of the domain (corresponding to --live if running, or --config if inactive); these three flags are
mutually exclusive.
If --guest is specified, then the count of cpus is reported from the perspective of the guest. This flag
is usable only for live domains and may require guest agent to be configured in the guest.
vcpuinfo
Syntax:
vcpuinfo domain [--pretty]
Returns basic information about the domain virtual CPUs, like the number of vCPUs, the running time, the
affinity to physical processors.
With --pretty, cpu affinities are shown as ranges.
Example:
$ virsh vcpuinfo fedora
VCPU: 0
CPU: 0
State: running
CPU time: 7,0s
CPU Affinity: yyyy
VCPU: 1
CPU: 1
State: running
CPU time: 0,7s
CPU Affinity: yyyy
STATES
The State field displays the current operating state of a virtual CPU
• offline
The virtual CPU is offline and not usable by the domain. This state is not supported by all
hypervisors.
• running
The virtual CPU is available to the domain and is operating.
• blocked
The virtual CPU is available to the domain but is waiting for a resource. This state is not supported
by all hypervisors, in which case running may be reported instead.
• no state
The virtual CPU state could not be determined. This could happen if the hypervisor is newer than virsh.
• N/A
There's no information about the virtual CPU state available. This can be the case if the domain is not
running or the hypervisor does not report the virtual CPU state.
vcpupin
Syntax:
vcpupin domain [vcpu] [cpulist] [[--live] [--config] | [--current]]
Query or change the pinning of domain VCPUs to host physical CPUs. To pin a single vcpu, specify
cpulist; otherwise, you can query one vcpu or omit vcpu to list all at once.
cpulist is a list of physical CPU numbers. Its syntax is a comma separated list and a special markup
using '-' and '^' (ex. '0-4', '0-3,^2') can also be allowed. The '-' denotes the range and the '^'
denotes exclusive. For pinning the vcpu to all physical cpus specify 'r' as a cpulist. If --live is
specified, affect a running guest. If --config is specified, affect the next start of a persistent
guest. If --current is specified, it is equivalent to either --live or --config, depending on the
current state of the guest. Both --live and --config flags may be given if cpulist is present, but
--current is exclusive. If no flag is specified, behavior is different depending on hypervisor.
Note: The expression is sequentially evaluated, so "0-15,^8" is identical to "9-14,0-7,15" but not
identical to "^8,0-15".
vncdisplay
Syntax:
vncdisplay domain
Output the IP address and port number for the VNC display. If the information is not available the
processes will provide an exit code of 1.
DEVICE COMMANDS
The following commands manipulate devices associated to domains. The domain can be specified as a short
integer, a name or a full UUID. To better understand the values allowed as options for the command
reading the documentation at https://libvirt.org/formatdomain.html on the format of the device sections
to get the most accurate set of accepted values.
attach-device
Syntax:
attach-device domain FILE [[[--live] [--config] | [--current]] | [--persistent]]
Attach a device to the domain, using a device definition in an XML file using a device definition element
such as <disk> or <interface> as the top-level element. See the documentation at
https://libvirt.org/formatdomain.html#elementsDevices to learn about libvirt XML format for a device. If
--config is specified the command alters the persistent guest configuration with the device attach taking
effect the next time libvirt starts the domain. For cdrom and floppy devices, this command only replaces
the media within an existing device; consider using update-device for this usage. For passthrough host
devices, see also nodedev-detach, needed if the PCI device does not use managed mode.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note: using of partial device definition XML files may lead to unexpected results as some fields may be
autogenerated and thus match devices other than expected.
attach-disk
Syntax:
attach-disk domain source target [[[--live] [--config] |
[--current]] | [--persistent]] [--targetbus bus]
[--driver driver] [--subdriver subdriver] [--iothread iothread]
[--cache cache] [--io io] [--type type] [--alias alias]
[--mode mode] [--sourcetype sourcetype]
[--source-protocol protocol] [--source-host-name hostname:port]
[--source-host-transport transport] [--source-host-socket socket]
[--serial serial] [--wwn wwn] [--rawio] [--address address]
[--multifunction] [--print-xml]
Attach a new disk device to the domain. source is path for the files and devices unless
--source-protocol is specified, in which case source is the name of a network disk. target controls the
bus or device under which the disk is exposed to the guest OS. It indicates the "logical" device name;
the optional targetbus attribute specifies the type of disk device to emulate; possible values are driver
specific, with typical values being ide, scsi, virtio, xen, usb, sata, or sd, if omitted, the bus type is
inferred from the style of the device name (e.g. a device named 'sda' will typically be exported using a
SCSI bus). driver can be file, tap or phy for the Xen hypervisor depending on the kind of access; or
qemu for the QEMU emulator. Further details to the driver can be passed using subdriver. For Xen
subdriver can be aio, while for QEMU subdriver should match the format of the disk source, such as raw or
qcow2. Hypervisor default will be used if subdriver is not specified. However, the default may not be
correct, esp. for QEMU as for security reasons it is configured not to detect disk formats. type can
indicate lun, cdrom or floppy as alternative to the disk default, although this use only replaces the
media within the existing virtual cdrom or floppy device; consider using update-device for this usage
instead. alias can set user supplied alias. mode can specify the two specific mode readonly or
shareable. sourcetype can indicate the type of source (block|file|network) cache can be one of
"default", "none", "writethrough", "writeback", "directsync" or "unsafe". io controls specific policies
on I/O; QEMU guests support "threads", "native" and "io_uring". iothread is the number within the range
of domain IOThreads to which this disk may be attached (QEMU only). serial is the serial of disk device.
wwn is the wwn of disk device. rawio indicates the disk needs rawio capability. address is the address
of disk device in the form of pci:domain.bus.slot.function, scsi:controller.bus.unit,
ide:controller.bus.unit, usb:bus.port, sata:controller.bus.unit or ccw:cssid.ssid.devno. Virtio-ccw
devices must have their cssid set to 0xfe. multifunction indicates specified pci address is a
multifunction pci device address.
There is also support for using a network disk. As specified, the user can provide a --source-protocol in
which case the source parameter will be interpreted as the source name. --source-protocol must be
provided if the user intends to provide a network disk or host information. Host information can be
provided using the tags --source-host-name, --source-host-transport, and --source-host-socket, which
respectively denote the name of the host, the host's transport method, and the socket that the host uses.
--source-host-socket and --source-host-name cannot both be provided, and the user must provide a
--source-host-transport if they want to provide a --source-host-socket. The --source-host-name parameter
supports host:port syntax if the user wants to provide a port as well.
If --print-xml is specified, then the XML of the disk that would be attached is printed instead.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain. Likewise, --shareable is an alias for --mode shareable.
attach-interface
Syntax:
attach-interface domain type source [[[--live]
[--config] | [--current]] | [--persistent]]
[--target target] [--mac mac] [--script script] [--model model]
[--inbound average,peak,burst,floor] [--outbound average,peak,burst]
[--alias alias] [--managed] [--print-xml]
[--source-mode mode]
Attach a new network interface to the domain.
type can be one of the:
network to indicate connection via a libvirt virtual network,
bridge to indicate connection via a bridge device on the host,
direct to indicate connection directly to one of the host's network interfaces or bridges,
hostdev to indicate connection using a passthrough of PCI device on the host,
vhostuser to indicate connection using a virtio transport protocol.
source indicates the source of the connection. The source depends on the type of the interface:
network name of the virtual network,
bridge the name of the bridge device,
direct the name of the host's interface or bridge,
hostdev the PCI address of the host's interface formatted as domain:bus:slot.function.
vhostuser the path to UNIX socket (control plane)
--target is used to specify the tap/macvtap device to be used to connect the domain to the source. Names
starting with 'vnet' are considered as auto-generated and are blanked out/regenerated each time the
interface is attached.
--mac specifies the MAC address of the network interface; if a MAC address is not given, a new address
will be automatically generated (and stored in the persistent configuration if "--config" is given on the
command line).
--script is used to specify a path to a custom script to be called while attaching to a bridge - this
will be called instead of the default script not in addition to it. This is valid only for interfaces of
bridge type and only for Xen domains.
--model specifies the network device model to be presented to the domain.
alias can set user supplied alias.
--inbound and --outbound control the bandwidth of the interface. At least one from the average, floor
pair must be specified. The other two peak and burst are optional, so "average,peak", "average,,burst",
"average,,,floor", "average" and ",,,floor" are also legal. Values for average, floor and peak are
expressed in kilobytes per second, while burst is expressed in kilobytes in a single burst at peak speed
as described in the Network XML documentation at https://libvirt.org/formatnetwork.html#elementQoS.
--managed is usable only for hostdev type and tells libvirt that the interface should be managed, which
means detached and reattached from/to the host by libvirt.
--source-mode is mandatory for vhostuser interface and accepts values server and client that control
whether hypervisor waits for the other process to connect, or initiates connection, respectively.
If --print-xml is specified, then the XML of the interface that would be attached is printed instead.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, affect the current domain state, which can either be live
or offline. Both --live and --config flags may be given, but --current is exclusive. When no flag is
specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note: the optional target value is the name of a device to be created as the back-end on the node. If
not provided a device named "vnetN" or "vifN" will be created automatically.
detach-device
Syntax:
detach-device domain FILE [[[--live] [--config] |
[--current]] | [--persistent]]
Detach a device from the domain, takes the same kind of XML descriptions as command attach-device. For
passthrough host devices, see also nodedev-reattach, needed if the device does not use managed mode.
Note: The supplied XML description of the device should be as specific as its definition in the domain
XML. The set of attributes used to match the device are internal to the drivers. Using a partial
definition, or attempting to detach a device that is not present in the domain XML, but shares some
specific attributes with one that is present, may lead to unexpected results.
Quirk: Device unplug is asynchronous in most cases and requires guest cooperation. This means that it's
up to the discretion of the guest to disallow or delay the unplug arbitrarily. As the libvirt API used in
this command was designed as synchronous it returns success after some timeout even if the device was not
unplugged yet to allow further interactions with the domain e.g. if the guest is unresponsive. Callers
which need to make sure that the device was unplugged can use libvirt events (see virsh event) to be
notified when the device is removed. Note that the event may arrive before the command returns.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note that older versions of virsh used --config as an alias for --persistent.
detach-device-alias
Syntax:
detach-device-alias domain alias [[[--live] [--config] | [--current]]]]
Detach a device with given alias from the domain. This command returns successfully after the unplug
request was sent to the hypervisor. The actual removal of the device is notified asynchronously via
libvirt events (see virsh event).
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
detach-disk
Syntax:
detach-disk domain target [[[--live] [--config] |
[--current]] | [--persistent]] [--print-xml]
Detach a disk device from a domain. The target is the device as seen from the domain.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note that older versions of virsh used --config as an alias for --persistent.
If --print-xml is specified, then the XML which would be used to detach the disk is printed instead.
Please see documentation for detach-device for known quirks.
detach-interface
Syntax:
detach-interface domain type [--mac mac]
[[[--live] [--config] | [--current]] | [--persistent]]
Detach a network interface from a domain. type can be either network to indicate a physical network
device or bridge to indicate a bridge to a device. It is recommended to use the mac option to distinguish
between the interfaces if more than one are present on the domain.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
When no flag is specified legacy API is used whose behavior depends on the hypervisor driver.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note that older versions of virsh used --config as an alias for --persistent.
Please see documentation for detach-device for known quirks.
update-device
Syntax:
update-device domain file [--force] [[[--live]
[--config] | [--current]] | [--persistent]]
Update the characteristics of a device associated with domain, based on the device definition in an XML
file. The --force option can be used to force device update, e.g., to eject a CD-ROM even if it is
locked/mounted in the domain. See the documentation at
https://libvirt.org/formatdomain.html#elementsDevices to learn about libvirt XML format for a device.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
Not specifying any flag is the same as specifying --current.
For compatibility purposes, --persistent behaves like --config for an offline domain, and like --live
--config for a running domain.
Note that older versions of virsh used --config as an alias for --persistent.
Note: using of partial device definition XML files may lead to unexpected results as some fields may be
autogenerated and thus match devices other than expected.
update-memory-device
Syntax:
update-memory-device domain [--print-xml] [[--alias alias] | [--node node]]
[[--live] [--config] | [--current]]
[--requested-size size]
This command finds <memory/> device inside given domain, changes requested values and passes updated
device XML to daemon. If --print-xml is specified then the device is not changed, but the updated device
XML is printed to stdout. If there are more than one <memory/> devices in domain use --alias or --node
to select the desired one.
If --live is specified, affect a running domain. If --config is specified, affect the next startup of a
persistent guest. If --current is specified, it is equivalent to either --live or --config, depending on
the current state of the guest. Both --live and --config flags may be given, but --current is exclusive.
Not specifying any flag is the same as specifying --current.
If --requested-size is specified then <requested/> under memory target is changed to requested size (as
scaled integer, see NOTES above). It defaults to kibibytes if no suffix is provided. The option is valid
only for virtio-mem memory device model.
change-media
Syntax:
change-media domain path [--eject] [--insert]
[--update] [source] [--force] [[--live] [--config] |
[--current]] [--print-xml] [--block]
Change media of CDROM or floppy drive. path can be the fully-qualified path or the unique target name
(<target dev='hdc'>) of the disk device. source specifies the path of the media to be inserted or
updated. The --block flag allows setting the backing type in case a block device is used as media for the
CDROM or floppy drive instead of a file.
--eject indicates the media will be ejected. --insert indicates the media will be inserted. source must
be specified. If the device has source (e.g. <source file='media'>), and source is not specified,
--update is equal to --eject. If the device has no source, and source is specified, --update is equal to
--insert. If the device has source, and source is specified, --update behaves like combination of --eject
and --insert. If none of --eject, --insert, and --update is specified, --update is used by default. The
--force option can be used to force media changing. If --live is specified, alter live configuration of
running guest. If --config is specified, alter persistent configuration, effect observed on next startup
of the guest. --current can be either or both of live and config, depends on the hypervisor's
implementation. Both --live and --config flags may be given, but --current is exclusive. If no flag is
specified, behavior is different depending on hypervisor. If --print-xml is specified, the XML that
would be used to change media is printed instead of changing the media.
NODEDEV COMMANDS
The following commands manipulate host devices that are intended to be passed through to guest domains
via <hostdev> elements in a domain's <devices> section. A node device key is generally specified by the
bus name followed by its address, using underscores between all components, such as pci_0000_00_02_1,
usb_1_5_3, or net_eth1_00_27_13_6a_fe_00. The nodedev-list gives the full list of host devices that are
known to libvirt, although this includes devices that cannot be assigned to a guest (for example,
attempting to detach the PCI device that controls the host's hard disk controller where the guest's disk
images live could cause the host system to lock up or reboot).
For more information on node device definition see: https://libvirt.org/formatnode.html.
Passthrough devices cannot be simultaneously used by the host and its guest domains, nor by multiple
active guests at once. If the <hostdev> description of a PCI device includes the attribute
managed='yes', and the hypervisor driver supports it, then the device is in managed mode, and attempts to
use that passthrough device in an active guest will automatically behave as if nodedev-detach (guest
start, device hot-plug) and nodedev-reattach (guest stop, device hot-unplug) were called at the right
points. If a PCI device is not marked as managed, then it must manually be detached before guests can
use it, and manually reattached to be returned to the host. Also, if a device is manually detached, then
the host does not regain control of the device without a matching reattach, even if the guests use the
device in managed mode.
nodedev-create
Syntax:
nodedev-create FILE
Create a device on the host node that can then be assigned to virtual machines. Normally, libvirt is able
to automatically determine which host nodes are available for use, but this allows registration of host
hardware that libvirt did not automatically detect. file contains xml for a top-level <device>
description of a node device.
nodedev-destroy
Syntax:
nodedev-destroy device
Destroy (stop) a device on the host. device can be either device name or wwn pair in "wwnn,wwpn" format
(only works for vHBA currently). Note that this makes libvirt quit managing a host device, and may even
make that device unusable by the rest of the physical host until a reboot.
nodedev-define
Syntax:
nodedev-define FILE
Define an inactive persistent device or modify an existing persistent one from the XML FILE.
nodedev-undefine
Syntax:
nodedev-undefine device
Undefine the configuration for a persistent device. If the device is active, make it transient.
nodedev-start
Syntax:
nodedev-start device
Start a (previously defined) inactive device.
nodedev-detach
Syntax:
nodedev-detach nodedev [--driver backend_driver]
Detach nodedev from the host, so that it can safely be used by guests via <hostdev> passthrough. This is
reversed with nodedev-reattach, and is done automatically for managed devices.
Different backend drivers expect the device to be bound to different dummy devices. For example, QEMU's
"kvm" backend driver (the default) expects the device to be bound to pci-stub, but its "vfio" backend
driver expects the device to be bound to vfio-pci. The --driver parameter can be used to specify the
desired backend driver.
nodedev-dumpxml
Syntax:
nodedev-dumpxml device
Dump a <device> XML representation for the given node device, including such information as the device
name, which bus owns the device, the vendor and product id, and any capabilities of the device usable by
libvirt (such as whether device reset is supported). device can be either device name or wwn pair in
"wwnn,wwpn" format (only works for HBA).
nodedev-info
Syntax:
nodedev-info device
Returns basic information about the device object.
nodedev-list
Syntax:
nodedev-list [--cap capability] [--tree] [--inactive | --all]
List all of the devices available on the node that are known by libvirt. cap is used to filter the list
by capability types, the types must be separated by comma, e.g. --cap pci,scsi. Valid capability types
include 'system', 'pci', 'usb_device', 'usb', 'net', 'scsi_host', 'scsi_target', 'scsi', 'storage',
'fc_host', 'vports', 'scsi_generic', 'drm', 'mdev', 'mdev_types', 'ccw', 'css', 'ap_card', 'ap_queue',
'ap_matrix'. By default, only active devices are listed. --inactive is used to list only inactive
devices, and -all is used to list both active and inactive devices. If --tree is used, the output is
formatted in a tree representing parents of each node. --tree is mutually exclusive with all other
options.
nodedev-reattach
Syntax:
nodedev-reattach nodedev
Declare that nodedev is no longer in use by any guests, and that the host can resume normal use of the
device. This is done automatically for PCI devices in managed mode and USB devices, but must be done
explicitly to match any explicit nodedev-detach.
nodedev-reset
Syntax:
nodedev-reset nodedev
Trigger a device reset for nodedev, useful prior to transferring a node device between guest passthrough
or the host. Libvirt will often do this action implicitly when required, but this command allows an
explicit reset when needed.
nodedev-event
Syntax:
nodedev-event {[nodedev] event [--loop] [--timeout seconds] [--timestamp] | --list}
Wait for a class of node device events to occur, and print appropriate details of events as they happen.
The events can optionally be filtered by nodedev. Using --list as the only argument will provide a list
of possible event values known by this client, although the connection might not allow registering for
all these events.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key.
When --timestamp is used, a human-readable timestamp will be printed before the event.
nodedev-autostart
Syntax:
nodedev-autostart [--disable] device
Configure a device to be automatically started when the host machine boots or the parent device becomes
available. With --disable, the device will be set to manual mode and will no longer be automatically
started by the host. This command is only supported for persistently-defined mediated devices.
VIRTUAL NETWORK COMMANDS
The following commands manipulate networks. Libvirt has the capability to define virtual networks which
can then be used by domains and linked to actual network devices. For more detailed information about
this feature see the documentation at https://libvirt.org/formatnetwork.html . Many of the commands for
virtual networks are similar to the ones used for domains, but the way to name a virtual network is
either by its name or UUID.
net-autostart
Syntax:
net-autostart network [--disable]
Configure a virtual network to be automatically started at boot. The --disable option disable
autostarting.
net-create
Syntax:
net-create file [--validate]
Create a transient (temporary) virtual network from an XML file and instantiate (start) the network. See
the documentation at https://libvirt.org/formatnetwork.html to get a description of the XML network
format used by libvirt.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
net-define
Syntax:
net-define file [--validate]
Define an inactive persistent virtual network or modify an existing persistent one from the XML file.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
net-destroy
Syntax:
net-destroy network
Destroy (stop) a given transient or persistent virtual network specified by its name or UUID. This takes
effect immediately.
net-dumpxml
Syntax:
net-dumpxml network [--inactive]
Output the virtual network information as an XML dump to stdout. If --inactive is specified, then
physical functions are not expanded into their associated virtual functions.
net-edit
Syntax:
net-edit network
Edit the XML configuration file for a network.
This is equivalent to:
virsh net-dumpxml --inactive network > network.xml
vi network.xml (or make changes with your other text editor)
virsh net-define network.xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
net-event
Syntax:
net-event {[network] event [--loop] [--timeout seconds] [--timestamp] | --list}
Wait for a class of network events to occur, and print appropriate details of events as they happen. The
events can optionally be filtered by network. Using --list as the only argument will provide a list of
possible event values known by this client, although the connection might not allow registering for all
these events.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key.
When --timestamp is used, a human-readable timestamp will be printed before the event.
net-info
Syntax:
net-info network
Returns basic information about the network object.
net-list
Syntax:
net-list [--inactive | --all]
{ [--table] | --name | --uuid }
[--persistent] [<--transient>]
[--autostart] [<--no-autostart>]
Returns the list of active networks, if --all is specified this will also include defined but inactive
networks, if --inactive is specified only the inactive ones will be listed. You may also want to filter
the returned networks by --persistent to list the persistent ones, --transient to list the transient
ones, --autostart to list the ones with autostart enabled, and --no-autostart to list the ones with
autostart disabled.
If --name is specified, network names are printed instead of the table formatted one per line. If --uuid
is specified network's UUID's are printed instead of names. Flag --table specifies that the legacy
table-formatted output should be used. This is the default. All of these are mutually exclusive.
NOTE: When talking to older servers, this command is forced to use a series of API calls with an inherent
race, where a pool might not be listed or might appear more than once if it changed state between calls
while the list was being collected. Newer servers do not have this problem.
net-name
Syntax:
net-name network-UUID
Convert a network UUID to network name.
net-start
Syntax:
net-start network
Start a (previously defined) inactive network.
net-undefine
Syntax:
net-undefine network
Undefine the configuration for a persistent network. If the network is active, make it transient.
net-uuid
Syntax:
net-uuid network-name
Convert a network name to network UUID.
net-update
Syntax:
net-update network command section xml
[--parent-index index] [[--live] [--config] | [--current]]
Update the given section of an existing network definition, with the changes optionally taking effect
immediately, without needing to destroy and re-start the network.
command is one of "add-first", "add-last", "add" (a synonym for add-last), "delete", or "modify".
section is one of "bridge", "domain", "ip", "ip-dhcp-host", "ip-dhcp-range", "forward",
"forward-interface", "forward-pf", "portgroup", "dns-host", "dns-txt", or "dns-srv", each section being
named by a concatenation of the xml element hierarchy leading to the element being changed. For example,
"ip-dhcp-host" will change a <host> element that is contained inside a <dhcp> element inside an <ip>
element of the network.
xml is either the text of a complete xml element of the type being changed (e.g. "<host
mac="00:11:22:33:44:55' ip='1.2.3.4'/>", or the name of a file that contains a complete xml element.
Disambiguation is done by looking at the first character of the provided text - if the first character is
"<", it is xml text, if the first character is not "<", it is the name of a file that contains the xml
text to be used.
The --parent-index option is used to specify which of several parent elements the requested element is in
(0-based). For example, a dhcp <host> element could be in any one of multiple <ip> elements in the
network; if a parent-index isn't provided, the "most appropriate" <ip> element will be selected (usually
the only one that already has a <dhcp> element), but if --parent-index is given, that particular instance
of <ip> will get the modification.
If --live is specified, affect a running network. If --config is specified, affect the next startup of a
persistent network. If --current is specified, it is equivalent to either --live or --config, depending
on the current state of the guest. Both --live and --config flags may be given, but --current is
exclusive. Not specifying any flag is the same as specifying --current.
net-dhcp-leases
Syntax:
net-dhcp-leases network [mac]
Get a list of dhcp leases for all network interfaces connected to the given virtual network or limited
output just for one interface if mac is specified.
NETWORK PORT COMMANDS
The following commands manipulate network ports. Libvirt virtual networks have ports created when a
virtual machine has a virtual network interface added. In general there should be no need to use any of
the commands here, since the hypervisor drivers run these commands are the right point in a virtual
machine's lifecycle. They can be useful for debugging problems and / or recovering from bugs / stale
state.
net-port-list
Syntax:
net-port-list { [--table] | --uuid } network
List all network ports recorded against the network.
If --uuid is specified network ports' UUID's are printed instead of a table. Flag --table specifies that
the legacy table-formatted output should be used. This is the default. All of these are mutually
exclusive.
net-port-create
Syntax:
net-port-create network file [--validate]
Allocate a new network port reserving resources based on the port description. Optionally, the format of
the input XML file can be validated against an internal RNG schema with --validate.
net-port-dumpxml
Syntax:
net-port-dumpxml network port
Output the network port information as an XML dump to stdout.
net-port-delete
Syntax:
net-port-delete network port
Delete record of the network port and release its resources
INTERFACE COMMANDS
The following commands manipulate host interfaces. Often, these host interfaces can then be used by name
within domain <interface> elements (such as a system-created bridge interface), but there is no
requirement that host interfaces be tied to any particular guest configuration XML at all.
Many of the commands for host interfaces are similar to the ones used for domains, and the way to name an
interface is either by its name or its MAC address. However, using a MAC address for an iface argument
only works when that address is unique (if an interface and a bridge share the same MAC address, which is
often the case, then using that MAC address results in an error due to ambiguity, and you must resort to
a name instead).
iface-bridge
Syntax:
iface-bridge interface bridge [--no-stp] [delay] [--no-start]
Create a bridge device named bridge, and attach the existing network device interface to the new bridge.
The new bridge defaults to starting immediately, with STP enabled and a delay of 0; these settings can be
altered with --no-stp, --no-start, and an integer number of seconds for delay. All IP address
configuration of interface will be moved to the new bridge device.
See also iface-unbridge for undoing this operation.
iface-define
Syntax:
iface-define file [--validate]
Define an inactive persistent physical host interface or modify an existing persistent one from the XML
file. Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
iface-destroy
Syntax:
iface-destroy interface
Destroy (stop) a given host interface, such as by running "if-down" to disable that interface from active
use. This takes effect immediately.
iface-dumpxml
Syntax:
iface-dumpxml interface [--inactive]
Output the host interface information as an XML dump to stdout. If --inactive is specified, then the
output reflects the persistent state of the interface that will be used the next time it is started.
iface-edit
Syntax:
iface-edit interface
Edit the XML configuration file for a host interface.
This is equivalent to:
virsh iface-dumpxml iface > iface.xml
vi iface.xml (or make changes with your other text editor)
virsh iface-define iface.xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
iface-list
Syntax:
iface-list [--inactive | --all]
Returns the list of active host interfaces. If --all is specified this will also include defined but
inactive interfaces. If --inactive is specified only the inactive ones will be listed.
iface-name
Syntax:
iface-name interface
Convert a host interface MAC to interface name, if the MAC address is unique among the host's interfaces.
interface specifies the interface MAC address.
iface-mac
Syntax:
iface-mac interface
Convert a host interface name to MAC address.
interface specifies the interface name.
iface-start
Syntax:
iface-start interface
Start a (previously defined) host interface, such as by running "if-up".
iface-unbridge
Syntax:
iface-unbridge bridge [--no-start]
Tear down a bridge device named bridge, releasing its underlying interface back to normal usage, and
moving all IP address configuration from the bridge device to the underlying device. The underlying
interface is restarted unless --no-start is present; this flag is present for symmetry, but generally not
recommended.
See also iface-bridge for creating a bridge.
iface-undefine
Syntax:
iface-undefine interface
Undefine the configuration for an inactive host interface.
iface-begin
Syntax:
iface-begin
Create a snapshot of current host interface settings, which can later be committed (iface-commit) or
restored (iface-rollback). If a snapshot already exists, then this command will fail until the previous
snapshot has been committed or restored. Undefined behavior results if any external changes are made to
host interfaces outside of the libvirt API between the beginning of a snapshot and its eventual commit or
rollback.
iface-commit
Syntax:
iface-commit
Declare all changes since the last iface-begin as working, and delete the rollback point. If no
interface snapshot has already been started, then this command will fail.
iface-rollback
Syntax:
iface-rollback
Revert all host interface settings back to the state recorded in the last iface-begin. If no interface
snapshot has already been started, then this command will fail. Rebooting the host also serves as an
implicit rollback point.
STORAGE POOL COMMANDS
The following commands manipulate storage pools. Libvirt has the capability to manage various storage
solutions, including files, raw partitions, and domain-specific formats, used to provide the storage
volumes visible as devices within virtual machines. For more detailed information about this feature, see
the documentation at https://libvirt.org/formatstorage.html . Many of the commands for pools are similar
to the ones used for domains.
find-storage-pool-sources
Syntax:
find-storage-pool-sources type [srcSpec]
Returns XML describing all possible available storage pool sources that could be used to create or define
a storage pool of a given type. If srcSpec is provided, it is a file that contains XML to further
restrict the query for pools.
Not all storage pools support discovery in this manner. Furthermore, for those that do support discovery,
only specific XML elements are required in order to return valid data, while other elements and even
attributes of some elements are ignored since they are not necessary to find the pool based on the search
criteria. The following lists the supported type options and the expected minimal XML elements used to
perform the search.
For a "netfs" or "gluster" pool, the minimal expected XML required is the <host> element with a "name"
attribute describing the IP address or hostname to be used to find the pool. The "port" attribute will be
ignored as will any other provided XML elements in srcSpec.
For a "logical" pool, the contents of the srcSpec file are ignored, although if provided the file must at
least exist.
For an "iscsi" or "iscsi-direct" pool, the minimal expect XML required is the <host> element with a
"name" attribute describing the IP address or hostname to be used to find the pool (the iSCSI server
address). Optionally, the "port" attribute may be provided, although it will default to 3260. Optionally,
an <initiator> XML element with a "name" attribute may be provided to further restrict the iSCSI target
search to a specific initiator for multi-iqn iSCSI storage pools.
find-pool-sources-as
Syntax:
find-storage-pool-sources-as type [host] [port] [initiator]
Rather than providing srcSpec XML file for find-storage-pool-sources use this command option in order to
have virsh generate the query XML file using the optional arguments. The command will return the same
output XML as find-storage-pool-sources.
Use host to describe a specific host to use for networked storage, such as netfs, gluster, and iscsi type
pools.
Use port to further restrict which networked port to utilize for the connection if required by the
specific storage backend, such as iscsi.
Use initiator to further restrict the iscsi type pool searches to specific target initiators.
pool-autostart
Syntax:
pool-autostart pool-or-uuid [--disable]
Configure whether pool should automatically start at boot.
pool-build
Syntax:
pool-build pool-or-uuid [--overwrite] [--no-overwrite]
Build a given pool.
Options --overwrite and --no-overwrite can only be used for pool-build a filesystem, disk, or logical
pool.
For a file system pool if neither flag is specified, then pool-build just makes the target path directory
and no attempt to run mkfs on the target volume device. If --no-overwrite is specified, it probes to
determine if a filesystem already exists on the target device, returning an error if one exists or using
mkfs to format the target device if not. If --overwrite is specified, mkfs is always executed and any
existing data on the target device is overwritten unconditionally.
For a disk pool, if neither of them is specified or --no-overwrite is specified, pool-build will check
the target volume device for existing filesystems or partitions before attempting to write a new label on
the target volume device. If the target volume device already has a label, the command will fail. If
--overwrite is specified, then no check will be made on the target volume device prior to writing a new
label. Writing of the label uses the pool source format type or "dos" if not specified.
For a logical pool, if neither of them is specified or --no-overwrite is specified, pool-build will check
the target volume devices for existing filesystems or partitions before attempting to initialize and
format each device for usage by the logical pool. If any target volume device already has a label, the
command will fail. If --overwrite is specified, then no check will be made on the target volume devices
prior to initializing and formatting each device. Once all the target volume devices are properly
formatted via pvcreate, the volume group will be created using all the devices.
pool-create
Syntax:
pool-create file [--build] [[--overwrite] | [--no-overwrite]]
Create and start a pool object from the XML file.
[--build] [[--overwrite] | [--no-overwrite]] perform a pool-build after creation in order to remove the
need for a follow-up command to build the pool. The --overwrite and --no-overwrite flags follow the same
rules as pool-build. If just --build is provided, then pool-build is called with no flags.
pool-create-as
Syntax:
pool-create-as name type
[--source-host hostname] [--source-path path] [--source-dev path]
[--source-name name] [--target path] [--source-format format]
[--source-initiator initiator-iqn]
[--auth-type authtype --auth-username username
[--secret-usage usage | --secret-uuid uuid]]
[--source-protocol-ver ver]
[[--adapter-name name] | [--adapter-wwnn wwnn --adapter-wwpn wwpn]
[--adapter-parent parent |
--adapter-parent-wwnn parent_wwnn adapter-parent-wwpn parent_wwpn |
--adapter-parent-fabric-wwn parent_fabric_wwn]]
[--build] [[--overwrite] | [--no-overwrite]] [--print-xml]
Create and start a pool object name from the raw parameters. If --print-xml is specified, then print the
XML of the pool object without creating the pool. Otherwise, the pool has the specified type. When using
pool-create-as for a pool of type "disk", the existing partitions found on the --source-dev path will be
used to populate the disk pool. Therefore, it is suggested to use pool-define-as and pool-build with the
--overwrite in order to properly initialize the disk pool.
[--source-host hostname] provides the source hostname for pools backed by storage from a remote server
(pool types netfs, iscsi, rbd, sheepdog, gluster).
[--source-path path] provides the source directory path for pools backed by directories (pool type dir).
[--source-dev path] provides the source path for pools backed by physical devices (pool types fs,
logical, disk, iscsi, zfs).
[--source-name name] provides the source name for pools backed by storage from a named element (pool
types logical, rbd, sheepdog, gluster).
[--target path] is the path for the mapping of the storage pool into the host file system.
[--source-format format] provides information about the format of the pool (pool types fs, netfs, disk,
logical).
[--source-initiator initiator-iqn] provides the initiator iqn for iscsi connection of the pool (pool type
iscsi-direct).
[--auth-type authtype --auth-username username [--secret-usage usage | --secret-uuid uuid]] provides the
elements required to generate authentication credentials for the storage pool. The authtype is either
chap for iscsi type pools or ceph for rbd type pools. Either the secret usage or uuid value may be
provided, but not both.
[--source-protocol-ver ver] provides the NFS protocol version number used to contact the server's NFS
service via nfs mount option 'nfsvers=n'. It is expect the ver value is an unsigned integer.
[--adapter-name name] defines the scsi_hostN adapter name to be used for the scsi_host adapter type pool.
[--adapter-wwnn wwnn --adapter-wwpn wwpn [--adapter-parent parent | --adapter-parent-wwnn parent_wwnn
adapter-parent-wwpn parent_wwpn | --adapter-parent-fabric-wwn parent_fabric_wwn]] defines the wwnn and
wwpn to be used for the fc_host adapter type pool. Optionally provide the parent scsi_hostN node device
to be used for the vHBA either by parent name, parent_wwnn and parent_wwpn, or parent_fabric_wwn. The
parent name could change between reboots if the hardware environment changes, so providing the
parent_wwnn and parent_wwpn ensure usage of the same physical HBA even if the scsi_hostN node device
changes. Usage of the parent_fabric_wwn allows a bit more flexibility to choose an HBA on the same
storage fabric in order to define the pool.
[--build] [[--overwrite] | [--no-overwrite]] perform a pool-build after creation in order to remove the
need for a follow-up command to build the pool. The --overwrite and --no-overwrite flags follow the same
rules as pool-build. If just --build is provided, then pool-build is called with no flags.
For a "logical" pool only [--name] needs to be provided. The [--source-name] if provided must match the
Volume Group name. If not provided, one will be generated using the [--name]. If provided the [--target]
is ignored and a target source is generated using the [--source-name] (or as generated from the
[--name]).
pool-define
Syntax:
pool-define file [--validate]
Define an inactive persistent storage pool or modify an existing persistent one from the XML file.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
pool-define-as
Syntax:
pool-define-as name type
[--source-host hostname] [--source-path path] [--source-dev path]
[*--source-name name*] [*--target path*] [*--source-format format*]
[--source-initiator initiator-iqn]
[*--auth-type authtype* *--auth-username username*
[*--secret-usage usage* | *--secret-uuid uuid*]]
[*--source-protocol-ver ver*]
[[*--adapter-name name*] | [*--adapter-wwnn* *--adapter-wwpn*]
[*--adapter-parent parent*]] [*--print-xml*]
Create, but do not start, a pool object name from the raw parameters. If --print-xml is specified, then
print the XML of the pool object without defining the pool. Otherwise, the pool has the specified type.
Use the same arguments as pool-create-as, except for the --build, --overwrite, and --no-overwrite
options.
pool-destroy
Syntax:
pool-destroy pool-or-uuid
Destroy (stop) a given pool object. Libvirt will no longer manage the storage described by the pool
object, but the raw data contained in the pool is not changed, and can be later recovered with
pool-create.
pool-delete
Syntax:
pool-delete pool-or-uuid
Destroy the resources used by a given pool object. This operation is non-recoverable. The pool object
will still exist after this command, ready for the creation of new storage volumes.
pool-dumpxml
Syntax:
pool-dumpxml [--inactive] pool-or-uuid
Returns the XML information about the pool object. --inactive tells virsh to dump pool configuration
that will be used on next start of the pool as opposed to the current pool configuration.
pool-edit
Syntax:
pool-edit pool-or-uuid
Edit the XML configuration file for a storage pool.
This is equivalent to:
virsh pool-dumpxml pool > pool.xml
vi pool.xml (or make changes with your other text editor)
virsh pool-define pool.xml
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
pool-info
Syntax:
pool-info [--bytes] pool-or-uuid
Returns basic information about the pool object. If --bytes is specified the sizes of basic info are not
converted to human friendly units.
pool-list
Syntax:
pool-list [--inactive] [--all]
[--persistent] [--transient]
[--autostart] [--no-autostart]
[[--details] [--uuid]
[--name] [<type>]
List pool objects known to libvirt. By default, only active pools are listed; --inactive lists just the
inactive pools, and --all lists all pools.
In addition, there are several sets of filtering flags. --persistent is to list the persistent pools,
--transient is to list the transient pools. --autostart lists the autostarting pools, --no-autostart
lists the pools with autostarting disabled. If --uuid is specified only pool's UUIDs are printed. If
--name is specified only pool's names are printed. If both --name and --uuid are specified, pool's UUID
and names are printed side by side without any header. Option --details is mutually exclusive with
options --uuid and --name.
You may also want to list pools with specified types using type, the pool types must be separated by
comma, e.g. --type dir,disk. The valid pool types include 'dir', 'fs', 'netfs', 'logical', 'disk',
'iscsi', 'scsi', 'mpath', 'rbd', 'sheepdog', 'gluster', 'zfs', 'vstorage' and 'iscsi-direct'.
The --details option instructs virsh to additionally display pool persistence and capacity related
information where available.
NOTE: When talking to older servers, this command is forced to use a series of API calls with an inherent
race, where a pool might not be listed or might appear more than once if it changed state between calls
while the list was being collected. Newer servers do not have this problem.
pool-name
Syntax:
pool-name uuid
Convert the uuid to a pool name.
pool-refresh
Syntax:
pool-refresh pool-or-uuid
Refresh the list of volumes contained in pool.
pool-start
Syntax:
pool-start pool-or-uuid [--build] [[--overwrite] | [--no-overwrite]]
Start the storage pool, which is previously defined but inactive.
[--build] [[--overwrite] | [--no-overwrite]] perform a pool-build prior to pool-start to ensure the pool
environment is in an expected state rather than needing to run the build command prior to startup. The
--overwrite and --no-overwrite flags follow the same rules as pool-build. If just --build is provided,
then pool-build is called with no flags.
Note: A storage pool that relies on remote resources such as an "iscsi" or a (v)HBA backed "scsi" pool
may need to be refreshed multiple times in order to have all the volumes detected (see pool-refresh).
This is because the corresponding volume devices may not be present in the host's filesystem during the
initial pool startup or the current refresh attempt. The number of refresh retries is dependent upon the
network connection and the time the host takes to export the corresponding devices.
pool-undefine
Syntax:
pool-undefine pool-or-uuid
Undefine the configuration for an inactive pool.
pool-uuid
Syntax:
pool-uuid pool
Returns the UUID of the named pool.
pool-event
Syntax:
pool-event {[pool] event [--loop] [--timeout seconds] [--timestamp] | --list}
Wait for a class of storage pool events to occur, and print appropriate details of events as they happen.
The events can optionally be filtered by pool. Using --list as the only argument will provide a list of
possible event values known by this client, although the connection might not allow registering for all
these events.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key.
When --timestamp is used, a human-readable timestamp will be printed before the event.
VOLUME COMMANDS
vol-create
Syntax:
vol-create pool-or-uuid FILE [--prealloc-metadata]
Create a volume from an XML <file>.
pool-or-uuid is the name or UUID of the storage pool to create the volume in.
FILE is the XML <file> with the volume definition. An easy way to create the XML <file> is to use the
vol-dumpxml command to obtain the definition of a pre-existing volume.
[--prealloc-metadata] preallocate metadata (for qcow2 images which don't support full allocation). This
option creates a sparse image file with metadata, resulting in higher performance compared to images with
no preallocation and only slightly higher initial disk space usage.
Example:
virsh vol-dumpxml --pool storagepool1 appvolume1 > newvolume.xml
vi newvolume.xml (or make changes with your other text editor)
virsh vol-create differentstoragepool newvolume.xml
vol-create-from
Syntax:
vol-create-from pool-or-uuid FILE vol-name-or-key-or-path
[--inputpool pool-or-uuid] [--prealloc-metadata] [--reflink]
Create a volume, using another volume as input.
pool-or-uuid is the name or UUID of the storage pool to create the volume in.
FILE is the XML <file> with the volume definition.
vol-name-or-key-or-path is the name or key or path of the source volume.
--inputpool pool-or-uuid is the name or uuid of the storage pool the source volume is in.
[--prealloc-metadata] preallocate metadata (for qcow2 images which don't support full allocation). This
option creates a sparse image file with metadata, resulting in higher performance compared to images with
no preallocation and only slightly higher initial disk space usage.
When --reflink is specified, perform a COW lightweight copy, where the data blocks are copied only when
modified. If this is not possible, the copy fails.
vol-create-as
Syntax:
vol-create-as pool-or-uuid name capacity [--allocation size] [--format string]
[--backing-vol vol-name-or-key-or-path]
[--backing-vol-format string] [--prealloc-metadata] [--print-xml]
Create a volume from a set of arguments unless --print-xml is specified, in which case just the XML of
the volume object is printed out without any actual object creation.
pool-or-uuid is the name or UUID of the storage pool to create the volume in.
name is the name of the new volume. For a disk pool, this must match the partition name as determined
from the pool's source device path and the next available partition. For example, a source device path of
/dev/sdb and there are no partitions on the disk, then the name must be sdb1 with the next name being
sdb2 and so on.
capacity is the size of the volume to be created, as a scaled integer (see NOTES above), defaulting to
bytes if there is no suffix.
--allocation size is the initial size to be allocated in the volume, also as a scaled integer defaulting
to bytes.
--format string is used in file based storage pools to specify the volume file format to use; raw, bochs,
qcow, qcow2, vmdk, qed. Use extended for disk storage pools in order to create an extended partition
(other values are validity checked but not preserved when libvirtd is restarted or the pool is
refreshed).
--backing-vol vol-name-or-key-or-path is the source backing volume to be used if taking a snapshot of an
existing volume.
--backing-vol-format string is the format of the snapshot backing volume; raw, bochs, qcow, qcow2, qed,
vmdk, host_device. These are, however, meant for file based storage pools.
[--prealloc-metadata] preallocate metadata (for qcow2 images which don't support full allocation). This
option creates a sparse image file with metadata, resulting in higher performance compared to images with
no preallocation and only slightly higher initial disk space usage.
vol-clone
Syntax:
vol-clone vol-name-or-key-or-path name
[--pool pool-or-uuid] [--prealloc-metadata] [--reflink]
Clone an existing volume within the parent pool. Less powerful, but easier to type, version of
vol-create-from.
vol-name-or-key-or-path is the name or key or path of the source volume.
name is the name of the new volume.
--pool pool-or-uuid is the name or UUID of the storage pool that contains the source volume and will
contain the new volume. If the source volume name is provided instead of the key or path, then providing
the pool is necessary to find the volume to be cloned; otherwise, the first volume found by the key or
path will be used.
[--prealloc-metadata] preallocate metadata (for qcow2 images which don't support full allocation). This
option creates a sparse image file with metadata, resulting in higher performance compared to images with
no preallocation and only slightly higher initial disk space usage.
When --reflink is specified, perform a COW lightweight copy, where the data blocks are copied only when
modified. If this is not possible, the copy fails.
vol-delete
Syntax:
vol-delete vol-name-or-key-or-path [--pool pool-or-uuid] [--delete-snapshots]
Delete a given volume.
vol-name-or-key-or-path is the volume name or key or path of the volume to delete.
[--pool pool-or-uuid] is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
deleted; otherwise, the first volume found by the key or path will be used.
The --delete-snapshots flag specifies that any snapshots associated with the storage volume should be
deleted as well. Not all storage drivers support this option, presently only rbd.
vol-upload
Syntax:
vol-upload vol-name-or-key-or-path local-file
[--pool pool-or-uuid] [--offset bytes]
[--length bytes] [--sparse]
Upload the contents of local-file to a storage volume.
vol-name-or-key-or-path is the name or key or path of the volume where the local-file will be uploaded.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
uploaded into; otherwise, the first volume found by the key or path will be used.
--offset is the position in the storage volume at which to start writing the data. The value must be 0 or
larger.
--length is an upper bound of the amount of data to be uploaded. A negative value is interpreted as an
unsigned long long value to essentially include everything from the offset to the end of the volume.
If --sparse is specified, this command will preserve volume sparseness.
An error will occur if the local-file is greater than the specified length.
See the description for the libvirt virStorageVolUpload API for details regarding possible target volume
and pool changes as a result of the pool refresh when the upload is attempted.
vol-download
Syntax:
vol-download vol-name-or-key-or-path local-file
[--pool pool-or-uuid] [--offset bytes] [--length bytes]
[--sparse]
Download the contents of a storage volume to local-file.
vol-name-or-key-or-path is the name or key or path of the volume to download into local-file.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
uploaded into; otherwise, the first volume found by the key or path will be used.
--offset is the position in the storage volume at which to start reading the data. The value must be 0 or
larger.
--length is an upper bound of the amount of data to be downloaded. A negative value is interpreted as an
unsigned long long value to essentially include everything from the offset to the end of the volume.
If --sparse is specified, this command will preserve volume sparseness.
vol-wipe
Syntax:
vol-wipe vol-name-or-key-or-path [--pool pool-or-uuid] [--algorithm algorithm]
Wipe a volume, ensure data previously on the volume is not accessible to future reads.
vol-name-or-key-or-path is the name or key or path of the volume to wipe. It is possible to choose
different wiping algorithms instead of re-writing volume with zeroes.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be wiped;
otherwise, the first volume found by the key or path will be used.
Use the --algorithm switch choosing from the list of the following algorithms in order to define which
algorithm to use for the wipe.
Supported algorithms
• zero - 1-pass all zeroes
• nnsa - 4-pass NNSA Policy Letter NAP-14.1-C (XVI-8) for sanitizing removable and non-removable
hard disks: random x2, 0x00, verify.
• dod - 4-pass DoD 5220.22-M section 8-306 procedure for sanitizing removable and non-removable
rigid disks: random, 0x00, 0xff, verify.
• bsi - 9-pass method recommended by the German Center of Security in Information Technologies (‐
https://www.bsi.bund.de): 0xff, 0xfe, 0xfd, 0xfb, 0xf7, 0xef, 0xdf, 0xbf, 0x7f.
• gutmann - The canonical 35-pass sequence described in Gutmann's paper.
• schneier - 7-pass method described by Bruce Schneier in "Applied Cryptography" (1996): 0x00, 0xff,
random x5.
• pfitzner7 - Roy Pfitzner's 7-random-pass method: random x7.
• pfitzner33 - Roy Pfitzner's 33-random-pass method: random x33.
• random - 1-pass pattern: random.
• trim - 1-pass trimming the volume using TRIM or DISCARD
Note: The scrub binary will be used to handle the 'nnsa', 'dod', 'bsi', 'gutmann', 'schneier',
'pfitzner7' and 'pfitzner33' algorithms. The availability of the algorithms may be limited by the
version of the scrub binary installed on the host. The 'zero' algorithm will write zeroes to the entire
volume. For some volumes, such as sparse or rbd volumes, this may result in completely filling the volume
with zeroes making it appear to be completely full. As an alternative, the 'trim' algorithm does not
overwrite all the data in a volume, rather it expects the storage driver to be able to discard all bytes
in a volume. It is up to the storage driver to handle how the discarding occurs. Not all storage drivers
or volume types can support 'trim'.
vol-dumpxml
Syntax:
vol-dumpxml vol-name-or-key-or-path [--pool pool-or-uuid]
Output the volume information as an XML dump to stdout.
vol-name-or-key-or-path is the name or key or path of the volume to output the XML.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
uploaded into; otherwise, the first volume found by the key or path will be used.
vol-info
Syntax:
vol-info vol-name-or-key-or-path [--pool pool-or-uuid] [--bytes] [--physical]
Returns basic information about the given storage volume.
vol-name-or-key-or-path is the name or key or path of the volume to return information for.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
uploaded into; otherwise, the first volume found by the key or path will be used.
If --bytes is specified the sizes are not converted to human friendly units.
If --physical is specified, then the host physical size is returned and displayed instead of the
allocation value. The physical value for some file types, such as qcow2 may have a different (larger)
physical value than is shown for allocation. Additionally sparse files will have different physical and
allocation values.
vol-list
Syntax:
vol-list [--pool pool-or-uuid] [--details]
Return the list of volumes in the given storage pool.
--pool pool-or-uuid is the name or UUID of the storage pool.
The --details option instructs virsh to additionally display volume type and capacity related information
where available.
vol-pool
Syntax:
vol-pool vol-key-or-path [--uuid]
Return the pool name or UUID for a given volume. By default, the pool name is returned.
vol-key-or-path is the key or path of the volume to return the pool information.
If the --uuid option is given, the pool UUID is returned instead.
vol-path
Syntax:
vol-path vol-name-or-key [--pool pool-or-uuid]
Return the path for a given volume.
vol-name-or-key is the name or key of the volume to return the path.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key, then providing the pool is necessary to find the volume to be uploaded into;
otherwise, the first volume found by the key will be used.
vol-name
Syntax:
vol-name vol-key-or-path
Return the name for a given volume.
vol-key-or-path is the key or path of the volume to return the name.
vol-key
Syntax:
vol-key vol-name-or-path [--pool pool-or-uuid]
Return the volume key for a given volume.
vol-name-or-path is the name or path of the volume to return the volume key.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the path, then providing the pool is necessary to find the volume to be uploaded
into; otherwise, the first volume found by the path will be used.
vol-resize
Syntax:
vol-resize vol-name-or-path capacity [--pool pool-or-uuid] [--allocate] [--delta] [--shrink]
Resize the capacity of the given volume, in bytes.
vol-name-or-key-or-path is the name or key or path of the volume to resize.
capacity is a scaled integer (see NOTES above) for the volume, which defaults to bytes if there is no
suffix.
--pool pool-or-uuid is the name or UUID of the storage pool the volume is in. If the volume name is
provided instead of the key or path, then providing the pool is necessary to find the volume to be
uploaded into; otherwise, the first volume found by the key or path will be used.
The new capacity might be sparse unless --allocate is specified.
Normally, capacity is the new size, but if --delta is present, then it is added to the existing size.
Attempts to shrink the volume will fail unless --shrink is present. The capacity cannot be negative
unless --shrink is provided, but a negative sign is not necessary.
This command is only safe for storage volumes not in use by an active guest; see also blockresize for
live resizing.
SECRET COMMANDS
The following commands manipulate "secrets" (e.g. passwords, passphrases and encryption keys). Libvirt
can store secrets independently from their use, and other objects (e.g. volumes or domains) can refer to
the secrets for encryption or possibly other uses. Secrets are identified using a UUID. See
https://libvirt.org/formatsecret.html for documentation of the XML format used to represent properties of
secrets.
secret-define
Syntax:
secret-define file [--validate]
Create a secret with the properties specified in file, with no associated secret value. If file does not
specify a UUID, choose one automatically. If file specifies a UUID of an existing secret, replace its
properties by properties defined in file, without affecting the secret value.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
secret-dumpxml
Syntax:
secret-dumpxml secret
Output properties of secret (specified by its UUID) as an XML dump to stdout.
secret-event
Syntax:
secret-event {[secret] event [--loop] [--timeout seconds] [--timestamp] | --list}
Wait for a class of secret events to occur, and print appropriate details of events as they happen. The
events can optionally be filtered by secret. Using --list as the only argument will provide a list of
possible event values known by this client, although the connection might not allow registering for all
these events.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key.
When --timestamp is used, a human-readable timestamp will be printed before the event.
secret-set-value
Syntax:
secret-set-value secret (--file filename [--plain] | --interactive | base64)
Set the value associated with secret (specified by its UUID) to the value Base64-encoded value base64 or
Base-64-encoded contents of file named filename. Using the --plain flag is together with --file allows
one to use the file contents directly as the secret value.
If --interactive flag is used the secret value is read as a password from the terminal.
Note that --file, --interactive and base64 options are mutually exclusive.
Passing secrets via the base64 option on command line is INSECURE and deprecated. Use the --file option
instead.
secret-get-value
Syntax:
secret-get-value [--plain] secret
Output the value associated with secret (specified by its UUID) to stdout, encoded using Base64.
If the --plain flag is used the value is not base64 encoded, but rather printed raw. Note that unless
virsh is started in quiet mode (virsh -q) it prints a newline at the end of the command. This newline is
not part of the secret.
secret-undefine
Syntax:
secret-undefine secret
Delete a secret (specified by its UUID), including the associated value, if any.
secret-list
Syntax:
secret-list [--ephemeral] [--no-ephemeral]
[--private] [--no-private]
Returns the list of secrets. You may also want to filter the returned secrets by --ephemeral to list the
ephemeral ones, --no-ephemeral to list the non-ephemeral ones, --private to list the private ones, and
--no-private to list the non-private ones.
SNAPSHOT COMMANDS
The following commands manipulate domain snapshots. Snapshots take the disk, memory, and device state of
a domain at a point-of-time, and save it for future use. They have many uses, from saving a "clean" copy
of an OS image to saving a domain's state before a potentially destructive operation. Snapshots are
identified with a unique name. See https://libvirt.org/formatsnapshot.html for documentation of the XML
format used to represent properties of snapshots.
snapshot-create
Syntax:
snapshot-create domain [xmlfile] {[--redefine [--current]] |
[--no-metadata] [--halt] [--disk-only] [--reuse-external]
[--quiesce] [--atomic] [--live]} [--validate]
Create a snapshot for domain domain with the properties specified in xmlfile. Optionally, the
--validate option can be passed to validate the format of the input XML file against an internal RNG
schema (identical to using the virt-xml-validate(1) tool). Normally, the only properties settable for a
domain snapshot are the <name> and <description> elements, as well as <disks> if --disk-only is given;
the rest of the fields are ignored, and automatically filled in by libvirt. If xmlfile is completely
omitted, then libvirt will choose a value for all fields. The new snapshot will become current, as
listed by snapshot-current.
If --halt is specified, the domain will be left in an inactive state after the snapshot is created.
If --disk-only is specified, the snapshot will only include disk content rather than the usual full
system snapshot with vm state. Disk snapshots are captured faster than full system snapshots, but
reverting to a disk snapshot may require fsck or journal replays, since it is like the disk state at the
point when the power cord is abruptly pulled; and mixing --halt and --disk-only loses any data that was
not flushed to disk at the time.
If --redefine is specified, then all XML elements produced by snapshot-dumpxml are valid; this can be
used to migrate snapshot hierarchy from one machine to another, to recreate hierarchy for the case of a
transient domain that goes away and is later recreated with the same name and UUID, or to make slight
alterations in the snapshot metadata (such as host-specific aspects of the domain XML embedded in the
snapshot). When this flag is supplied, the xmlfile argument is mandatory, and the domain's current
snapshot will not be altered unless the --current flag is also given.
If --no-metadata is specified, then the snapshot data is created, but any metadata is immediately
discarded (that is, libvirt does not treat the snapshot as current, and cannot revert to the snapshot
unless --redefine is later used to teach libvirt about the metadata again).
If --reuse-external is specified, and the snapshot XML requests an external snapshot with a destination
of an existing file, then the destination must exist and be pre-created with correct format and metadata.
The file is then reused; otherwise, a snapshot is refused to avoid losing contents of the existing files.
If --quiesce is specified, libvirt will try to use guest agent to freeze and unfreeze domain's mounted
file systems. However, if domain has no guest agent, snapshot creation will fail. Currently, this
requires --disk-only to be passed as well.
If --atomic is specified, libvirt will guarantee that the snapshot either succeeds, or fails with no
changes; not all hypervisors support this. If this flag is not specified, then some hypervisors may fail
after partially performing the action, and dumpxml must be used to see whether any partial changes
occurred.
If --live is specified, libvirt takes the snapshot while the guest is running. Both disk snapshot and
domain memory snapshot are taken. This increases the size of the memory image of the external snapshot.
This is currently supported only for full system external snapshots.
Existence of snapshot metadata will prevent attempts to undefine a persistent guest. However, for
transient domains, snapshot metadata is silently lost when the domain quits running (whether by command
such as destroy or by internal guest action).
For now, it is not possible to create snapshots in a domain that has checkpoints, although this
restriction will be lifted in a future release.
snapshot-create-as
Syntax:
snapshot-create-as domain {[--print-xml] [--no-metadata]
[--halt] [--reuse-external]} [name]
[description] [--disk-only [--quiesce]] [--atomic] [--validate]
[[--live] [--memspec memspec]] [--diskspec] diskspec]...
Create a snapshot for domain domain with the given <name> and <description>; if either value is omitted,
libvirt will choose a value. If --print-xml is specified, then XML appropriate for snapshot-create is
output, rather than actually creating a snapshot. Otherwise, if --halt is specified, the domain will be
left in an inactive state after the snapshot is created, and if --disk-only is specified, the snapshot
will not include vm state.
The --memspec option can be used to control whether a full system snapshot is internal or external. The
--memspec flag is mandatory, followed by a memspec of the form [file=]name[,snapshot=type], where type
can be no, internal, or external. To include a literal comma in file=name, escape it with a second
comma. --memspec cannot be used together with --disk-only.
The --diskspec option can be used to control how --disk-only and external full system snapshots create
external files. This option can occur multiple times, according to the number of <disk> elements in the
domain xml. Each <diskspec> is in the form disk[,snapshot=type][,driver=type][,stype=type][,file=name].
A diskspec must be provided for disks backed by block devices as libvirt doesn't auto-generate file names
for those. The optional stype parameter allows one to control the type of the source file. Supported
values are 'file' (default) and 'block'. To exclude a disk from an external snapshot use --diskspec
disk,snapshot=no.
To include a literal comma in disk or in file=name, escape it with a second comma. A literal --diskspec
must precede each diskspec unless all three of domain, name, and description are also present. For
example, a diskspec of "vda,snapshot=external,file=/path/to,,new" results in the following XML:
<disk name='vda' snapshot='external'>
<source file='/path/to,new'/>
</disk>
If --reuse-external is specified, and the domain XML or diskspec option requests an external snapshot
with a destination of an existing file, then the destination must exist and be pre-created with correct
format and metadata. The file is then reused; otherwise, a snapshot is refused to avoid losing contents
of the existing files.
If --quiesce is specified, libvirt will try to use guest agent to freeze and unfreeze domain's mounted
file systems. However, if domain has no guest agent, snapshot creation will fail. Currently, this
requires --disk-only to be passed as well.
If --no-metadata is specified, then the snapshot data is created, but any metadata is immediately
discarded (that is, libvirt does not treat the snapshot as current, and cannot revert to the snapshot
unless snapshot-create is later used to teach libvirt about the metadata again).
If --atomic is specified, libvirt will guarantee that the snapshot either succeeds, or fails with no
changes; not all hypervisors support this. If this flag is not specified, then some hypervisors may fail
after partially performing the action, and dumpxml must be used to see whether any partial changes
occurred.
If --live is specified, libvirt takes the snapshot while the guest is running. This increases the size of
the memory image of the external snapshot. This is currently supported only for external full system
snapshots.
For now, it is not possible to create snapshots in a domain that has checkpoints, although this
restriction will be lifted in a future release.
Optionally, the --validate option can be passed to validate XML document which is internally generated by
this command against the internal RNG schema.
snapshot-current
Syntax:
snapshot-current domain {[--name] | [--security-info] | [snapshotname]}
Without snapshotname, this will output the snapshot XML for the domain's current snapshot (if any). If
--name is specified, just the current snapshot name instead of the full xml. Otherwise, using
--security-info will also include security sensitive information in the XML.
With snapshotname, this is a request to make the existing named snapshot become the current snapshot,
without reverting the domain.
snapshot-edit
Syntax:
snapshot-edit domain [snapshotname] [--current] {[--rename] | [--clone]}
Edit the XML configuration file for snapshotname of a domain. If both snapshotname and --current are
specified, also force the edited snapshot to become the current snapshot. If snapshotname is omitted,
then --current must be supplied, to edit the current snapshot.
This is equivalent to:
virsh snapshot-dumpxml dom name > snapshot.xml
vi snapshot.xml (or make changes with your other text editor)
virsh snapshot-create dom snapshot.xml --redefine [--current]
except that it does some error checking.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
If --rename is specified, then the edits can change the snapshot name. If --clone is specified, then
changing the snapshot name will create a clone of the snapshot metadata. If neither is specified, then
the edits must not change the snapshot name. Note that changing a snapshot name must be done with care,
since the contents of some snapshots, such as internal snapshots within a single qcow2 file, are
accessible only from the original name.
snapshot-info
Syntax:
snapshot-info domain {snapshot | --current}
Output basic information about a named <snapshot>, or the current snapshot with --current.
snapshot-list
Syntax:
snapshot-list domain [--metadata] [--no-metadata]
[{--parent | --roots | [{--tree | --name}]}] [--topological]
[{[--from] snapshot | --current} [--descendants]]
[--leaves] [--no-leaves] [--inactive] [--active]
[--disk-only] [--internal] [--external]
List all of the available snapshots for the given domain, defaulting to show columns for the snapshot
name, creation time, and domain state.
Normally, table form output is sorted by snapshot name; using --topological instead sorts so that no
child is listed before its ancestors (although there may be more than one possible ordering with this
property).
If --parent is specified, add a column to the output table giving the name of the parent of each
snapshot. If --roots is specified, the list will be filtered to just snapshots that have no parents. If
--tree is specified, the output will be in a tree format, listing just snapshot names. These three
options are mutually exclusive. If --name is specified only the snapshot name is printed. This option is
mutually exclusive with --tree.
If --from is provided, filter the list to snapshots which are children of the given snapshot; or if
--current is provided, start at the current snapshot. When used in isolation or with --parent, the list
is limited to direct children unless --descendants is also present. When used with --tree, the use of
--descendants is implied. This option is not compatible with --roots. Note that the starting point of
--from or --current is not included in the list unless the --tree option is also present.
If --leaves is specified, the list will be filtered to just snapshots that have no children. Likewise,
if --no-leaves is specified, the list will be filtered to just snapshots with children. (Note that
omitting both options does no filtering, while providing both options will either produce the same list
or error out depending on whether the server recognizes the flags). Filtering options are not compatible
with --tree.
If --metadata is specified, the list will be filtered to just snapshots that involve libvirt metadata,
and thus would prevent undefine of a persistent guest, or be lost on destroy of a transient domain.
Likewise, if --no-metadata is specified, the list will be filtered to just snapshots that exist without
the need for libvirt metadata.
If --inactive is specified, the list will be filtered to snapshots that were taken when the domain was
shut off. If --active is specified, the list will be filtered to snapshots that were taken when the
domain was running, and where the snapshot includes the memory state to revert to that running state. If
--disk-only is specified, the list will be filtered to snapshots that were taken when the domain was
running, but where the snapshot includes only disk state.
If --internal is specified, the list will be filtered to snapshots that use internal storage of existing
disk images. If --external is specified, the list will be filtered to snapshots that use external files
for disk images or memory state.
snapshot-dumpxml
Syntax:
snapshot-dumpxml domain snapshot [--security-info]
Output the snapshot XML for the domain's snapshot named snapshot. Using --security-info will also
include security sensitive information. Use snapshot-current to easily access the XML of the current
snapshot.
snapshot-parent
Syntax:
snapshot-parent domain {snapshot | --current}
Output the name of the parent snapshot, if any, for the given snapshot, or for the current snapshot with
--current.
snapshot-revert
Syntax:
snapshot-revert domain {snapshot | --current} [{--running | --paused}] [--force]
Revert the given domain to the snapshot specified by snapshot, or to the current snapshot with --current.
Be aware that this is a destructive action; any changes in the domain since the last snapshot was taken
will be lost. Also note that the state of the domain after snapshot-revert is complete will be the state
of the domain at the time the original snapshot was taken.
Normally, reverting to a snapshot leaves the domain in the state it was at the time the snapshot was
created, except that a disk snapshot with no vm state leaves the domain in an inactive state. Passing
either the --running or --paused flag will perform additional state changes (such as booting an inactive
domain, or pausing a running domain). Since transient domains cannot be inactive, it is required to use
one of these flags when reverting to a disk snapshot of a transient domain.
Since libvirt 7.10.0 the VM process is always restarted so the following paragraph is no longer valid. If
the snapshot metadata lacks the full VM XML it's no longer possible to revert to such snapshot.
There are a number of cases where a snapshot revert involves extra risk, which requires the use of
--force to proceed:
• One is the case of a snapshot that lacks full domain information for reverting configuration (such
as snapshots created prior to libvirt 0.9.5); since libvirt cannot prove that the current
configuration matches what was in use at the time of the snapshot, supplying --force assures libvirt
that the snapshot is compatible with the current configuration (and if it is not, the domain will
likely fail to run).
• Another is the case of reverting from a running domain to an active state where a new hypervisor has
to be created rather than reusing the existing hypervisor, because it implies drawbacks such as
breaking any existing VNC or Spice connections; this condition happens with an active snapshot that
uses a provably incompatible configuration, as well as with an inactive snapshot that is combined
with the --start or --pause flag.
• Also, libvirt will refuse to restore snapshots of inactive QEMU domains while there is managed saved
state. This is because those snapshots do not contain memory state and will therefore not replace
the existing memory state. This ends up switching a disk underneath a running system and will likely
cause extensive filesystem corruption or crashes due to swap content mismatches when run.
snapshot-delete
Syntax:
snapshot-delete domain {snapshot | --current}
[--metadata] [{--children | --children-only}]
Delete the snapshot for the domain named snapshot, or the current snapshot with --current. If this
snapshot has child snapshots, changes from this snapshot will be merged into the children. If --children
is passed, then delete this snapshot and any children of this snapshot. If --children-only is passed,
then delete any children of this snapshot, but leave this snapshot intact. These two flags are mutually
exclusive.
If --metadata is specified, then only delete the snapshot metadata maintained by libvirt, while leaving
the snapshot contents intact for access by external tools; otherwise deleting a snapshot also removes the
data contents from that point in time.
CHECKPOINT COMMANDS
The following commands manipulate domain checkpoints. Checkpoints serve as a point in time to identify
which portions of a guest's disks have changed after that time, making it possible to perform incremental
and differential backups. Checkpoints are identified with a unique name. See
https://libvirt.org/formatcheckpoint.html for documentation of the XML format used to represent
properties of checkpoints.
checkpoint-create
Syntax:
checkpoint-create domain [xmlfile] { --redefine [--redefine-validate] | [--quiesce]}
Create a checkpoint for domain domain with the properties specified in xmlfile describing a
<domaincheckpoint> top-level element. The format of the input XML file will be validated against an
internal RNG schema (identical to using the virt-xml-validate(1) tool). If xmlfile is completely omitted,
then libvirt will create a checkpoint with a name based on the current time.
If --redefine is specified, then all XML elements produced by checkpoint-dumpxml are valid; this can be
used to migrate checkpoint hierarchy from one machine to another, to recreate hierarchy for the case of a
transient domain that goes away and is later recreated with the same name and UUID, or to make slight
alterations in the checkpoint metadata (such as host-specific aspects of the domain XML embedded in the
checkpoint). When this flag is supplied, the xmlfile argument is mandatory.
If --redefine-validate is specified along with --redefine the hypervisor performs validation of metadata
associated with the checkpoint stored in places besides the checkpoint XML. Note that some hypervisors
may require that the domain is running to perform validation.
If --quiesce is specified, libvirt will try to use guest agent to freeze and unfreeze domain's mounted
file systems. However, if domain has no guest agent, checkpoint creation will fail.
Existence of checkpoint metadata will prevent attempts to undefine a persistent guest. However, for
transient domains, checkpoint metadata is silently lost when the domain quits running (whether by command
such as destroy or by internal guest action).
For now, it is not possible to create checkpoints in a domain that has snapshots, although this
restriction will be lifted in a future release.
checkpoint-create-as
Syntax:
checkpoint-create-as domain [--print-xml] [name]
[description] [--quiesce] [--diskspec] diskspec]...
Create a checkpoint for domain domain with the given <name> and <description>; if either value is
omitted, libvirt will choose a value. If --print-xml is specified, then XML appropriate for
checkpoint-create is output, rather than actually creating a checkpoint.
The --diskspec option can be used to control which guest disks participate in the checkpoint. This option
can occur multiple times, according to the number of <disk> elements in the domain xml. Each <diskspec>
is in the form disk[,checkpoint=type][,bitmap=name]. A literal --diskspec must precede each diskspec
unless all three of domain, name, and description are also present. For example, a diskspec of
"vda,checkpoint=bitmap,bitmap=map1" results in the following XML:
<disk name='vda' checkpoint='bitmap' bitmap='map1'/>
If --quiesce is specified, libvirt will try to use guest agent to freeze and unfreeze domain's mounted
file systems. However, if domain has no guest agent, checkpoint creation will fail.
For now, it is not possible to create checkpoints in a domain that has snapshots, although this
restriction will be lifted in a future release.
checkpoint-edit
Syntax:
checkpoint-edit domain checkpointname
Edit the XML configuration file for checkpointname of a domain.
This is equivalent to:
virsh checkpoint-dumpxml dom name > checkpoint.xml
vi checkpoint.xml (or make changes with your other text editor)
virsh checkpoint-create dom checkpoint.xml --redefine
except that it does some error checking, including that the edits should not attempt to change the
checkpoint name.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
checkpoint-info
Syntax:
checkpoint-info domain checkpoint
Output basic information about a named <checkpoint>.
checkpoint-list
Syntax:
checkpoint-list domain [{--parent | --roots |
[{--tree | --name}]}] [--topological]
[[--from] checkpoint | [--descendants]]
[--leaves] [--no-leaves]
List all of the available checkpoints for the given domain, defaulting to show columns for the checkpoint
name and creation time.
Normally, table form output is sorted by checkpoint name; using --topological instead sorts so that no
child is listed before its ancestors (although there may be more than one possible ordering with this
property).
If --parent is specified, add a column to the output table giving the name of the parent of each
checkpoint. If --roots is specified, the list will be filtered to just checkpoints that have no parents.
If --tree is specified, the output will be in a tree format, listing just checkpoint names. These three
options are mutually exclusive. If --name is specified only the checkpoint name is printed. This option
is mutually exclusive with --tree.
If --from is provided, filter the list to checkpoints which are children of the given checkpoint. When
used in isolation or with --parent, the list is limited to direct children unless --descendants is also
present. When used with --tree, the use of --descendants is implied. This option is not compatible with
--roots. Note that the starting point of --from is not included in the list unless the --tree option is
also present.
If --leaves is specified, the list will be filtered to just checkpoints that have no children. Likewise,
if --no-leaves is specified, the list will be filtered to just checkpoints with children. (Note that
omitting both options does no filtering, while providing both options will either produce the same list
or error out depending on whether the server recognizes the flags). Filtering options are not compatible
with --tree.
checkpoint-dumpxml
Syntax:
checkpoint-dumpxml domain checkpoint [--security-info] [--no-domain] [--size]
Output the checkpoint XML for the domain's checkpoint named checkpoint. Using --security-info will also
include security sensitive information.
Using --size will add XML indicating the current size in bytes of guest data that has changed since the
checkpoint was created (although remember that guest activity between a size check and actually creating
a backup can result in the backup needing slightly more space). Note that some hypervisors may require
that domain is running when --size is used.
Using --no-domain will omit the <domain> element from the output for a more compact view.
checkpoint-parent
Syntax:
checkpoint-parent domain checkpoint
Output the name of the parent checkpoint, if any, for the given checkpoint.
checkpoint-delete
Syntax:
checkpoint-delete domain checkpoint
[--metadata] [{--children | --children-only}]
Delete the checkpoint for the domain named checkpoint. The record of which portions of the disk changed
since the checkpoint are merged into the parent checkpoint (if any). If --children is passed, then delete
this checkpoint and any children of this checkpoint. If --children-only is passed, then delete any
children of this checkpoint, but leave this checkpoint intact. These two flags are mutually exclusive.
If --metadata is specified, then only delete the checkpoint metadata maintained by libvirt, while leaving
the checkpoint contents intact for access by external tools; otherwise deleting a checkpoint also removes
the ability to perform an incremental backup from that point in time.
NWFILTER COMMANDS
The following commands manipulate network filters. Network filters allow filtering of the network traffic
coming from and going to virtual machines. Individual network traffic filters are written in XML and may
contain references to other network filters, describe traffic filtering rules, or contain both. Network
filters are referenced by virtual machines from within their interface description. A network filter may
be referenced by multiple virtual machines' interfaces.
nwfilter-define
Syntax:
nwfilter-define xmlfile [--validate]
Make a new network filter known to libvirt. If a network filter with the same name already exists, it
will be replaced with the new XML. Any running virtual machine referencing this network filter will have
its network traffic rules adapted. If for any reason the network traffic filtering rules cannot be
instantiated by any of the running virtual machines, then the new XML will be rejected.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
nwfilter-undefine
Syntax:
nwfilter-undefine nwfilter-name
Delete a network filter. The deletion will fail if any running virtual machine is currently using this
network filter.
nwfilter-list
Syntax:
nwfilter-list
List all of the available network filters.
nwfilter-dumpxml
Syntax:
nwfilter-dumpxml nwfilter-name
Output the network filter XML.
nwfilter-edit
Syntax:
nwfilter-edit nwfilter-name
Edit the XML of a network filter.
This is equivalent to:
virsh nwfilter-dumpxml myfilter > myfilter.xml
vi myfilter.xml (or make changes with your other text editor)
virsh nwfilter-define myfilter.xml
except that it does some error checking. The new network filter may be rejected due to the same reason
as mentioned in nwfilter-define.
The editor used can be supplied by the $VISUAL or $EDITOR environment variables, and defaults to vi.
NWFILTER BINDING COMMANDS
The following commands manipulate network filter bindings. Network filter bindings track the association
between a network port and a network filter. Generally the bindings are managed automatically by the
hypervisor drivers when adding/removing NICs on a guest.
If an admin is creating/deleting TAP devices for non-guest usage, however, the network filter binding
commands provide a way to make use of the network filters directly.
nwfilter-binding-create
Syntax:
nwfilter-binding-create xmlfile [--validate]
Associate a network port with a network filter. The network filter backend will immediately attempt to
instantiate the filter rules on the port. This command may be used to associate a filter with a currently
running guest that does not have a filter defined for a specific network port. Since the bindings are
generally automatically managed by the hypervisor, using this command to define a filter for a network
port and then starting the guest afterwards may prevent the guest from starting if it attempts to use the
network port and finds a filter already defined.
Optionally, the format of the input XML file can be validated against an internal RNG schema with
--validate.
nwfilter-binding-delete
Syntax:
nwfilter-binding-delete port-name
Disassociate a network port from a network filter. The network filter backend will immediately tear down
the filter rules that exist on the port. This command may be used to remove the network port binding for
a filter currently in use for the guest while the guest is running without needing to restart the guest.
Restoring the network port binding filter for the running guest would be accomplished by using
nwfilter-binding-create.
nwfilter-binding-list
Syntax:
nwfilter-binding-list
List all of the network ports which have filters associated with them.
nwfilter-binding-dumpxml
Syntax:
nwfilter-binding-dumpxml port-name
Output the network filter binding XML for the network device called port-name.
HYPERVISOR-SPECIFIC COMMANDS
NOTE: Use of the following commands is strongly discouraged. They can cause libvirt to become confused
and do the wrong thing on subsequent operations. Once you have used these commands, please do not report
problems to the libvirt developers; the reports will be ignored. If you find that these commands are the
only way to accomplish something, then it is better to request that the feature be added as a first-class
citizen in the regular libvirt library.
qemu-attach
Syntax:
qemu-attach pid
Attach an externally launched QEMU process to the libvirt QEMU driver. The QEMU process must have been
created with a monitor connection using the UNIX driver. Ideally the process will also have had the
'-name' argument specified.
$ qemu-kvm -cdrom ~/demo.iso \
-monitor unix:/tmp/demo,server,nowait \
-name foo \
-uuid cece4f9f-dff0-575d-0e8e-01fe380f12ea &
$ QEMUPID=$!
$ virsh qemu-attach $QEMUPID
Not all functions of libvirt are expected to work reliably after attaching to an externally launched QEMU
process. There may be issues with the guest ABI changing upon migration and device hotplug or hotunplug
may not work. The attached environment should be considered primarily read-only.
qemu-monitor-command
Syntax:
qemu-monitor-command domain { [--hmp] | [--pretty] [--return-value] } command...
Send an arbitrary monitor command command to domain domain through the QEMU monitor. The results of the
command will be printed on stdout.
If more than one argument is provided for command, they are concatenated with a space in between before
passing the single command to the monitor.
Note that libvirt uses the QMP to talk to qemu so command must be valid JSON in QMP format to work
properly. If command is not a JSON object libvirt tries to wrap it as a JSON object to provide convenient
interface such as the groups of commands with identical handling:
# simple command
$ virsh qemu-monitor-command VM commandname
$ virsh qemu-monitor-command VM '{"execute":"commandname"}'
# with arguments
$ virsh qemu-monitor-command VM commandname '"arg1":123' '"arg2":"test"'
$ virsh qemu-monitor-command VM commandname '{"arg1":123,"arg2":"test"}'
$ virsh qemu-monitor-command VM '{"execute":"commandname", "arguments":{"arg1":123,"arg2":"test"}}'
If --pretty is given the QMP reply is pretty-printed.
If --return-value is given the 'return' key of the QMP response object is extracted rather than passing
through the full reply from QEMU.
If --hmp is passed, the command is considered to be a human monitor command and libvirt will
automatically convert it into QMP and convert the result back.
qemu-agent-command
Syntax:
qemu-agent-command domain [--timeout seconds | --async | --block] command...
Send an arbitrary guest agent command command to domain domain through QEMU agent. --timeout, --async
and --block options are exclusive. --timeout requires timeout seconds seconds and it must be positive.
When --aysnc is given, the command waits for timeout whether success or failed. And when --block is
given, the command waits forever with blocking timeout.
qemu-monitor-event
Syntax:
qemu-monitor-event [domain] [--event event-name]
[--loop] [--timeout seconds] [--pretty] [--regex] [--no-case]
[--timestamp]
Wait for arbitrary QEMU monitor events to occur, and print out the details of events as they happen. The
events can optionally be filtered by domain or event-name. The 'query-events' QMP command can be used
via qemu-monitor-command to learn what events are supported. If --regex is used, event-name is a basic
regular expression instead of a literal string. If --no-case is used, event-name will match
case-insensitively.
By default, this command is one-shot, and returns success once an event occurs; you can send SIGINT
(usually via Ctrl-C) to quit immediately. If --timeout is specified, the command gives up waiting for
events after seconds have elapsed. With --loop, the command prints all events until a timeout or
interrupt key. If --pretty is specified, any JSON event details are pretty-printed for better
legibility.
When --timestamp is used, a human-readable timestamp will be printed before the event, and the timing
information provided by QEMU will be omitted.
lxc-enter-namespace
Syntax:
lxc-enter-namespace domain [--noseclabel] --
/path/to/binary [arg1, [arg2, ...]]
Enter the namespace of domain and execute the command /path/to/binary passing the requested args. The
binary path is relative to the container root filesystem, not the host root filesystem. The binary will
inherit the environment variables / console visible to virsh. The command will be run with the same sVirt
context and cgroups placement as processes within the container. This command only works when connected
to the LXC hypervisor driver. This command succeeds only if /path/to/binary has 0 exit status.
By default the new process will run with the security label of the new parent container. Use the
--noseclabel option to instead have the process keep the same security label as virsh.
ENVIRONMENT
The following environment variables can be set to alter the behaviour of virsh
• VIRSH_DEBUG=<0 to 4>
Turn on verbose debugging of virsh commands. Valid levels are
• VIRSH_DEBUG=0
DEBUG - Messages at ALL levels get logged
• VIRSH_DEBUG=1
INFO - Logs messages at levels INFO, NOTICE, WARNING and ERROR
• VIRSH_DEBUG=2
NOTICE - Logs messages at levels NOTICE, WARNING and ERROR
• VIRSH_DEBUG=3
WARNING - Logs messages at levels WARNING and ERROR
• VIRSH_DEBUG=4
ERROR - Messages at only ERROR level gets logged.
• VIRSH_LOG_FILE=``LOGFILE``
The file to log virsh debug messages.
• VIRSH_DEFAULT_CONNECT_URI
The hypervisor to connect to by default. Set this to a URI, in the same format as accepted by the
connect option. This environment variable is deprecated in favour of the global LIBVIRT_DEFAULT_URI
variable which serves the same purpose.
• LIBVIRT_DEFAULT_URI
The hypervisor to connect to by default. Set this to a URI, in the same format as accepted by the
connect option. This overrides the default URI set in any client config file and prevents libvirt from
probing for drivers.
• VISUAL
The editor to use by the edit and related options.
• EDITOR
The editor to use by the edit and related options, if VISUAL is not set.
• VIRSH_HISTSIZE
The number of commands to remember in the command history. The default value is 500.
• LIBVIRT_DEBUG=LEVEL
Turn on verbose debugging of all libvirt API calls. Valid levels are
• LIBVIRT_DEBUG=1
Messages at level DEBUG or above
• LIBVIRT_DEBUG=2
Messages at level INFO or above
• LIBVIRT_DEBUG=3
Messages at level WARNING or above
• LIBVIRT_DEBUG=4
Messages at level ERROR
For further information about debugging options consult https://libvirt.org/logging.html
BUGS
Please report all bugs you discover. This should be done via either:
1. the mailing list
https://libvirt.org/contact.html
2. the bug tracker
https://libvirt.org/bugs.html
Alternatively, you may report bugs to your software distributor / vendor.
AUTHORS
Please refer to the AUTHORS file distributed with libvirt.
COPYRIGHT
Copyright (C) 2005, 2007-2015 Red Hat, Inc., and the authors listed in the libvirt AUTHORS file.
LICENSE
virsh is distributed under the terms of the GNU LGPL v2+. This is free software; see the source for
copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE
SEE ALSO
virt-install(1), virt-xml-validate(1), virt-top(1), virt-df(1), https://libvirt.org/
VIRSH(1)