services: Normalize and improve libvirt-configuration documentation.

* gnu/services/virtualization.scm (libvirt-configuration): Fix typos and punctuation, and decorate with more Texinfo adornments. Remove extraneous text. Convert enumerations to sentences re-generating the Texinfo documentation with configuration->documentation doesn't require fixing these by hand after (the text is re-flowed, breaking enumerations). Mention the use of 'log-filters' is preferable to 'log-level', as commented in the defaut libvirt.conf template. * doc/guix.texi (Virtualization Services): Re-generate. Change-Id: Icc2abe21a787b4bb6ac3b35a95f6aaaf3bbda9aa
2025-10-02 02:15:12 +00:00 · 2025-05-01 14:24:56 +09:00 · 2025-05-01 14:24:56 +09:00 · 74325f91c9
commit 74325f91c9
parent 266a713ae3
2 changed files with 214 additions and 312 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@ -38927,6 +38927,7 @@ Its value must be a @code{libvirt-configuration}.
@c Auto-generated with (configuration->documentation 'libvirt-configuration)
@c %start of fragment
@deftp {Data Type} libvirt-configuration
 Available @code{libvirt-configuration} fields are:
@ -38935,7 +38936,7 @@ Available @code{libvirt-configuration} fields are:
 Libvirt package.
@item @code{qemu} (default: @code{qemu}) (type: file-like)
-Qemu package.
+The QEMU package to use.
@item @code{firmwares} (default: @code{(ovmf-x86-64)}) (type: list-of-file-likes)
 List of UEFI/BIOS firmware packages to make available.  Each firmware
@ -38952,31 +38953,29 @@ Listen for unencrypted TCP connections on the public TCP/IP port.  must
 set @code{listen} for this to have any effect.  Using the TCP socket
 requires SASL authentication by default.  Only SASL mechanisms which
 support data encryption are allowed.  This is DIGEST_MD5 and GSSAPI
-(Kerberos5)
+(Kerberos5).
@item @code{tls-port} (default: @code{"16514"}) (type: string)
 Port for accepting secure TLS connections This can be a port number, or
-service name
+service name.
@item @code{tcp-port} (default: @code{"16509"}) (type: string)
 Port for accepting insecure TCP connections This can be a port number,
-or service name
+or service name.
@item @code{listen-addr} (default: @code{"0.0.0.0"}) (type: string)
 IP address or hostname used for client connections.
@item @code{mdns-adv?} (default: @code{#f}) (type: boolean)
-Flag toggling mDNS advertisement of the libvirt service.  Alternatively
+Flag toggling mDNS advertisement of the libvirt service.
 can disable for all services on a host by stopping the Avahi daemon.
@item @code{mdns-name} (default: @code{"Virtualization Host terra"}) (type: string)
 Default mDNS advertisement name.  This must be unique on the immediate
 broadcast network.
@item @code{unix-sock-group} (default: @code{"libvirt"}) (type: string)
-UNIX domain socket group ownership.  This can be used to allow a
+UNIX domain socket group ownership.  This can be used to allow a trusted
-'trusted' set of users access to management capabilities without
+set of users access to management capabilities without becoming root.
 becoming root.
@item @code{unix-sock-ro-perms} (default: @code{"0777"}) (type: string)
 UNIX socket permissions for the R/O socket.  This is used for monitoring
@ -38985,7 +38984,7 @@ VM status only.
@item @code{unix-sock-rw-perms} (default: @code{"0770"}) (type: string)
 UNIX socket permissions for the R/W socket.  Default allows only root.
 If PolicyKit is enabled on the socket, the default will change to allow
-everyone (eg, 0777)
+everyone (e.g., @code{"0777"}).
@item @code{unix-sock-admin-perms} (default: @code{"0777"}) (type: string)
 UNIX socket permissions for the admin socket.  Default allows only owner
@ -38997,7 +38996,7 @@ The directory in which sockets will be found/created.
@item @code{auth-unix-ro} (default: @code{"polkit"}) (type: string)
 Authentication scheme for UNIX read-only sockets.  By default socket
-permissions allow anyone to connect
+permissions allow anyone to connect.
@item @code{auth-unix-rw} (default: @code{"polkit"}) (type: string)
 Authentication scheme for UNIX read-write sockets.  By default socket
@ -39006,14 +39005,14 @@ libvirt, the default will be to use 'polkit' auth.
@item @code{auth-tcp} (default: @code{"sasl"}) (type: string)
 Authentication scheme for TCP sockets.  If you don't enable SASL, then
-all TCP traffic is cleartext.  Don't do this outside of a dev/test
+all TCP traffic is cleartext.  Don't do this outside of a
-scenario.
+development/test scenario.
@item @code{auth-tls} (default: @code{"none"}) (type: string)
 Authentication scheme for TLS sockets.  TLS sockets already have
 encryption provided by the TLS layer, and limited authentication is done
 by certificates.  It is possible to make use of any SASL authentication
-mechanism as well, by using 'sasl' for this option
+mechanism as well, by using @code{"sasl"} for this option
@item @code{access-drivers} (default: @code{()}) (type: optional-list)
 API access control scheme.  By default an authenticated user is allowed
@ -39036,8 +39035,9 @@ Certificate revocation list path.  If set to an empty string, then no
 CRL is loaded.
@item @code{tls-no-sanity-cert} (default: @code{#f}) (type: boolean)
-Disable verification of our own server certificates.  When libvirtd
+Disable verification of our own server certificates.  When
-starts it performs some sanity checks against its own certificates.
+@command{libvirtd} starts it performs some sanity checks against its own
 certificates.
@item @code{tls-no-verify-cert} (default: @code{#f}) (type: boolean)
 Disable verification of client certificates.  Client certificate
@ -39053,7 +39053,7 @@ the SASL authentication mechanism.
@item @code{tls-priority} (default: @code{"NORMAL"}) (type: string)
 Override the compile time default TLS priority string.  The default is
-usually "NORMAL" unless overridden at build time.  Only set this is it
+usually "NORMAL" unless overridden at build time.  Only set this if it
 is desired for libvirt to deviate from the global default settings.
@item @code{max-clients} (default: @code{5000}) (type: integer)
@ -39062,12 +39062,12 @@ sockets combined.
@item @code{max-queued-clients} (default: @code{1000}) (type: integer)
 Maximum length of queue of connections waiting to be accepted by the
-daemon.  Note, that some protocols supporting retransmission may obey
+daemon.  Note, that some protocols supporting re-transmission may obey
 this so that a later reattempt at connection succeeds.
@item @code{max-anonymous-clients} (default: @code{20}) (type: integer)
 Maximum length of queue of accepted but not yet authenticated clients.
-Set this to zero to turn this feature off
+Set this to zero to turn this feature off.
@item @code{min-workers} (default: @code{5}) (type: integer)
 Number of workers to start up initially.
@ -39075,8 +39075,8 @@ Number of workers to start up initially.
@item @code{max-workers} (default: @code{20}) (type: integer)
 Maximum number of worker threads.  If the number of active clients
 exceeds @code{min-workers}, then more threads are spawned, up to
-max_workers limit.  Typically you'd want max_workers to equal maximum
+@code{max_workers} limit.  Typically you'd want @code{max_workers} to
-number of clients allowed.
+equal maximum number of clients allowed.
@item @code{prio-workers} (default: @code{5}) (type: integer)
 Number of priority workers.  If all workers from above pool are stuck,
@ -39107,74 +39107,47 @@ Same as @code{max-queued-clients} but for the admin interface.
 Same as @code{max-client-requests} but for the admin interface.
@item @code{log-level} (default: @code{3}) (type: integer)
-Logging level.  4 errors, 3 warnings, 2 information, 1 debug.
+Semi-deprecated option for the logging level: using the
@code{log-filters} option instead is recommend, as it provides finer
 control.  The log level can be set to @code{4} for errors, @code{3} for
 warnings, @code{2} for information or @code{1} for debug.  Note that
 since @code{log-filters} and @code{log-outputs} take precedence over
 this option, you will need to also adjust their logging levels to avoid
 filtering out messages.
@item @code{log-filters} (default: @code{"3:remote 4:event"}) (type: string)
 Logging filters.  A filter allows selecting a different logging level
-for a given category of logs The format for a filter is one of:
+for a given category of logs.  The format for a filter is either
-
+@samp{@var{x}:@var{name}} or @samp{@var{x}:+@var{name}}, where name is a
-@itemize @bullet
+string which is matched against the category given in the
-@item x:name
+@code{VIR_LOG_INIT()} at the top of each libvirt source file, e.g.,
-@item x:+name
+@samp{"remote"}, @samp{"qemu"}, or @samp{"util.json"}.  @var{name} can
@end itemize
 where @code{name} is a string which is matched against the category
 given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
 file, e.g., "remote", "qemu", or "util.json" (the name in the filter can
 be a substring of the full category name, in order to match multiple
-similar categories), the optional "+" prefix tells libvirt to log stack
+similar categories.  The optional @samp{+} prefix tells libvirt to log
-trace for each message matching name, and @code{x} is the minimal level
+stack traces for each message matching @var{name}.  @var{x} is the log
-where matching messages should be logged:
+level value used to filter the associated message category.  @var{x} can
-
+be set to @samp{4} for errors, @samp{3} for warnings, @samp{2} for
-@itemize @bullet
+information, or @samp{1} for debug.  Multiple filters can be defined in
-@item 1: DEBUG
+a single filters statement, as space-separated values.  Since
-@item 2: INFO
+@code{log-outputs} also include a level filter, you may need to also
-@item 3: WARNING
+adjust its value to see all the filtered messages.
@item 4: ERROR
@end itemize
 Multiple filters can be defined in a single filters statement, they just
 need to be separated by spaces.
@item @code{log-outputs} (default: @code{"3:syslog:libvirtd"}) (type: string)
 Logging outputs.  An output is one of the places to save logging
-information The format for an output can be:
+information.  The format for an output has the form
-
+@code{"@var{x}:var@{output@}"}, where @var{output} can be @samp{stderr},
-@table @code
+@samp{syslog:@var{name}}, where @var{name} is the syslog @code{ident}
-@item x:stderr
+value to use, or @samp{file:@var{file_name}}, where @var{file_name} is
-output goes to stderr
+the file name of the file to output to.  @var{x} is the minimal level,
-
+which acts as a filter.  @var{x} can be set to @var{x} can be set to
-@item x:syslog:name
+@samp{4} for errors, @samp{3} for warnings, @samp{2} for information, or
-use syslog for the output and use the given name as the ident
+@samp{1} for debug.  Multiple filters can be defined in a single filters
-
+statement, as space-separated values.
@item x:file:file_path
 output to a file, with the given filepath
@item x:journald
 output to journald logging system
@end table
 In all case the x prefix is the minimal level, acting as a
 filter
@itemize @bullet
@item 1: DEBUG
@item 2: INFO
@item 3: WARNING
@item 4: ERROR
@end itemize
 Multiple outputs can be defined, they just need to be separated by
 spaces.
@item @code{audit-level} (default: @code{1}) (type: integer)
-Allows usage of the auditing subsystem to be altered
+Modify the behavior of the auditing subsystem.  @samp{0} disables all
-
+auditing, samp@{1@} enables auditing only if enabled on thehost and
-@itemize @bullet
+@samp{2} enables auditing but exits if it is disabled on the host.
@item 0: disable all auditing
@item 1: enable auditing, only if enabled on host
@item 2: enable auditing, and exit if disabled on host.
@end itemize
@item @code{audit-logging} (default: @code{#f}) (type: boolean)
 Send audit messages via libvirt logging infrastructure.
@ -39183,31 +39156,26 @@ Send audit messages via libvirt logging infrastructure.
 Host UUID.  UUID must not have all digits be the same.
@item @code{host-uuid-source} (default: @code{"smbios"}) (type: string)
-Source to read host UUID.
+Source to read host UUID.  Use @code{"smbios"} to fetch the UUID via
-
+@code{dmidecode -s system-uuid}, or @code{"machine-id"} to fetch the
-@itemize @bullet
+UUID from @code{/etc/machine-id}.  If @code{dmidecode} does not provide
-@item @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid}
+a valid UUID a temporary UUID will be generated.
@item @code{machine-id}: fetch the UUID from @code{/etc/machine-id}
@end itemize
 If @code{dmidecode} does not provide a valid UUID a temporary UUID will
 be generated.
@item @code{keepalive-interval} (default: @code{5}) (type: integer)
 A keepalive message is sent to a client after @code{keepalive_interval}
 seconds of inactivity to check if the client is still responding.  If
-set to -1, libvirtd will never send keepalive requests; however clients
+set to @code{-1}, libvirtd won't send keepalive requests; however
-can still send them and the daemon will send responses.
+clients can still send them and the daemon will send responses.
@item @code{keepalive-count} (default: @code{5}) (type: integer)
 Maximum number of keepalive messages that are allowed to be sent to the
 client without getting any response before the connection is considered
 broken.  In other words, the connection is automatically closed
-approximately after @code{keepalive_interval * (keepalive_count + 1)}
+approximately after @samp{keepalive_interval * (keepalive_count + 1)}
 seconds since the last message received from the client.  When
-@code{keepalive-count} is set to 0, connections will be automatically
+@code{keepalive-count} is set to @code{0}, connections will be
-closed after @code{keepalive-interval} seconds of inactivity without
+automatically closed after @code{keepalive-interval} seconds of
-sending any keepalive messages.
+inactivity without sending any keepalive messages.
@item @code{admin-keepalive-interval} (default: @code{5}) (type: integer)
 Same as above but for admin interface.
@ -39221,7 +39189,10 @@ for the configuration and its timeout option is set by default to 5
 seconds to avoid potential infinite waits blocking libvirt.
@end table
@end deftp
@c %end of fragment
@subsubheading Virtlog daemon
--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@ -217,7 +217,7 @@
   "Libvirt package.")
  (qemu
   (file-like qemu)
-   "Qemu package.")
+   "The QEMU package to use.")
  (firmwares
   (list-of-file-likes (list ovmf-x86-64))
   "List of UEFI/BIOS firmware packages to make available.  Each firmware
@ -227,313 +227,244 @@ firmware metadata file."
  (listen-tls?
   (boolean #t)
   "Flag listening for secure TLS connections on the public TCP/IP port.
-must set @code{listen} for this to have any effect.
+must set @code{listen} for this to have any effect.  It is necessary to setup
-
+a CA and issue server certificates before using this capability.")
 It is necessary to setup a CA and issue server certificates before
 using this capability.")
  (listen-tcp?
   (boolean #f)
   "Listen for unencrypted TCP connections on the public TCP/IP port.
-must set @code{listen} for this to have any effect.
+must set @code{listen} for this to have any effect.  Using the TCP socket
-
+requires SASL authentication by default.  Only SASL mechanisms which support
-Using the TCP socket requires SASL authentication by default. Only
+data encryption are allowed.  This is DIGEST_MD5 and GSSAPI (Kerberos5).")
 SASL mechanisms which support data encryption are allowed. This is
 DIGEST_MD5 and GSSAPI (Kerberos5)")
  (tls-port
   (string "16514")
   "Port for accepting secure TLS connections This can be a port number,
-or service name")
+or service name.")
  (tcp-port
   (string "16509")
   "Port for accepting insecure TCP connections This can be a port number,
-or service name")
+or service name.")
  (listen-addr
   (string "0.0.0.0")
   "IP address or hostname used for client connections.")
  (mdns-adv?
   (boolean #f)
-   "Flag toggling mDNS advertisement of the libvirt service.
+   "Flag toggling mDNS advertisement of the libvirt service.")
 Alternatively can disable for all services on a host by
 stopping the Avahi daemon.")
  (mdns-name
   (string (string-append "Virtualization Host " (gethostname)))
-   "Default mDNS advertisement name. This must be unique on the
+   "Default mDNS advertisement name.  This must be unique on the
 immediate broadcast network.")
  (unix-sock-group
   (string "libvirt")
-   "UNIX domain socket group ownership. This can be used to
+   "UNIX domain socket group ownership.  This can be used to allow a trusted
-allow a 'trusted' set of users access to management capabilities
+set of users access to management capabilities without becoming root.")
 without becoming root.")
  (unix-sock-ro-perms
   (string "0777")
-   "UNIX socket permissions for the R/O socket. This is used
+   "UNIX socket permissions for the R/O socket.  This is used for monitoring
-for monitoring VM status only.")
+VM status only.")
  (unix-sock-rw-perms
   (string "0770")
-   "UNIX socket permissions for the R/W socket. Default allows
+   "UNIX socket permissions for the R/W socket.  Default allows only root.  If
-only root. If PolicyKit is enabled on the socket, the default
+PolicyKit is enabled on the socket, the default will change to allow
-will change to allow everyone (eg, 0777)")
+everyone (e.g., @code{\"0777\"}).")
  (unix-sock-admin-perms
   (string "0777")
-   "UNIX socket permissions for the admin socket. Default allows
+   "UNIX socket permissions for the admin socket.  Default allows only
-only owner (root), do not change it unless you are sure to whom
+owner (root), do not change it unless you are sure to whom you are exposing
-you are exposing the access to.")
+the access to.")
  (unix-sock-dir
   (string "/var/run/libvirt")
   "The directory in which sockets will be found/created.")
  (auth-unix-ro
   (string "polkit")
-   "Authentication scheme for UNIX read-only sockets. By default
+   "Authentication scheme for UNIX read-only sockets.  By default socket
-socket permissions allow anyone to connect")
+permissions allow anyone to connect.")
  (auth-unix-rw
   (string "polkit")
-   "Authentication scheme for UNIX read-write sockets. By default
+   "Authentication scheme for UNIX read-write sockets.  By default socket
-socket permissions only allow root. If PolicyKit support was compiled
+permissions only allow root.  If PolicyKit support was compiled into libvirt,
-into libvirt, the default will be to use 'polkit' auth.")
+the default will be to use 'polkit' auth.")
  (auth-tcp
   (string "sasl")
-   "Authentication scheme for TCP sockets. If you don't enable SASL,
+   "Authentication scheme for TCP sockets.  If you don't enable SASL,
-then all TCP traffic is cleartext. Don't do this outside of a dev/test
+then all TCP traffic is cleartext.  Don't do this outside of a
-scenario.")
+development/test scenario.")
  (auth-tls
   (string "none")
-   "Authentication scheme for TLS sockets. TLS sockets already have
+   "Authentication scheme for TLS sockets.  TLS sockets already have
-encryption provided by the TLS layer, and limited authentication is
+encryption provided by the TLS layer, and limited authentication is done by
-done by certificates.
+certificates.  It is possible to make use of any SASL authentication mechanism
-
+as well, by using @code{\"sasl\"} for this option")
 It is possible to make use of any SASL authentication mechanism as
 well, by using 'sasl' for this option")
  (access-drivers
   (optional-list '())
-   "API access control scheme.
+   "API access control scheme.  By default an authenticated user is allowed
-
+access to all APIs.  Access drivers can place restrictions on this.")
 By default an authenticated user is allowed access to all APIs. Access
 drivers can place restrictions on this.")
  (key-file
   (string "")
-   "Server key file path. If set to an empty string, then no private key
+   "Server key file path.  If set to an empty string, then no private key is
-is loaded.")
+loaded.")
  (cert-file
   (string "")
-   "Server key file path. If set to an empty string, then no certificate
+   "Server key file path.  If set to an empty string, then no certificate is
-is loaded.")
+loaded.")
  (ca-file
   (string "")
-   "Server key file path. If set to an empty string, then no CA certificate
+   "Server key file path.  If set to an empty string, then no CA certificate
 is loaded.")
  (crl-file
   (string "")
-   "Certificate revocation list path. If set to an empty string, then no
+   "Certificate revocation list path.  If set to an empty string, then no CRL
-CRL is loaded.")
+is loaded.")
  (tls-no-sanity-cert
   (boolean #f)
-   "Disable verification of our own server certificates.
+   "Disable verification of our own server certificates.  When
-
+@command{libvirtd} starts it performs some sanity checks against its own
 When libvirtd starts it performs some sanity checks against its own
 certificates.")
  (tls-no-verify-cert
   (boolean #f)
-   "Disable verification of client certificates.
+   "Disable verification of client certificates.  Client certificate
-
+verification is the primary authentication mechanism.  Any client which does
-Client certificate verification is the primary authentication mechanism.
+not present a certificate signed by the CA will be rejected.")
 Any client which does not present a certificate signed by the CA
 will be rejected.")
  (tls-allowed-dn-list
   (optional-list '())
   "Whitelist of allowed x509 Distinguished Name.")
  (sasl-allowed-usernames
   (optional-list '())
-   "Whitelist of allowed SASL usernames. The format for username
+   "Whitelist of allowed SASL usernames.  The format for username depends on
-depends on the SASL authentication mechanism.")
+the SASL authentication mechanism.")
  (tls-priority
   (string "NORMAL")
-   "Override the compile time default TLS priority string. The
+   "Override the compile time default TLS priority string.  The default is
-default is usually \"NORMAL\" unless overridden at build time.
+usually \"NORMAL\" unless overridden at build time.  Only set this if it is
-Only set this is it is desired for libvirt to deviate from
+desired for libvirt to deviate from the global default settings.")
 the global default settings.")
  (max-clients
   (integer 5000)
-   "Maximum number of concurrent client connections to allow
+   "Maximum number of concurrent client connections to allow over all sockets
-over all sockets combined.")
+combined.")
  (max-queued-clients
   (integer 1000)
-   "Maximum length of queue of connections waiting to be
+   "Maximum length of queue of connections waiting to be accepted by the
-accepted by the daemon. Note, that some protocols supporting
+daemon.  Note, that some protocols supporting re-transmission may obey this so
-retransmission may obey this so that a later reattempt at
+that a later reattempt at connection succeeds.")
 connection succeeds.")
  (max-anonymous-clients
   (integer 20)
-   "Maximum length of queue of accepted but not yet authenticated
+   "Maximum length of queue of accepted but not yet authenticated clients.
-clients. Set this to zero to turn this feature off")
+Set this to zero to turn this feature off.")
  (min-workers
   (integer 5)
   "Number of workers to start up initially.")
  (max-workers
   (integer 20)
-   "Maximum number of worker threads.
+   "Maximum number of worker threads.  If the number of active clients exceeds
-
+@code{min-workers}, then more threads are spawned, up to @code{max_workers}
-If the number of active clients exceeds @code{min-workers},
+limit.  Typically you'd want @code{max_workers} to equal maximum number of
-then more threads are spawned, up to max_workers limit.
+clients allowed.")
 Typically you'd want max_workers to equal maximum number
 of clients allowed.")
  (prio-workers
   (integer 5)
-   "Number of priority workers. If all workers from above
+   "Number of priority workers.  If all workers from above pool are stuck,
-pool are stuck, some calls marked as high priority
+some calls marked as high priority (notably domainDestroy) can be executed in
-(notably domainDestroy) can be executed in this pool.")
+this pool.")
  (max-requests
-    (integer 20)
+   (integer 20)
-    "Total global limit on concurrent RPC calls.")
+   "Total global limit on concurrent RPC calls.")
  (max-client-requests
-    (integer 5)
+   (integer 5)
-    "Limit on concurrent requests from a single client
+   "Limit on concurrent requests from a single client connection.  To avoid
-connection. To avoid one client monopolizing the server
+one client monopolizing the server this should be a small fraction of the
-this should be a small fraction of the global max_requests
+global max_requests and max_workers parameter.")
 and max_workers parameter.")
  (admin-min-workers
-    (integer 1)
+   (integer 1)
-    "Same as @code{min-workers} but for the admin interface.")
+   "Same as @code{min-workers} but for the admin interface.")
  (admin-max-workers
-     (integer 5)
+   (integer 5)
-    "Same as @code{max-workers} but for the admin interface.")
+   "Same as @code{max-workers} but for the admin interface.")
  (admin-max-clients
-    (integer 5)
+   (integer 5)
-    "Same as @code{max-clients} but for the admin interface.")
+   "Same as @code{max-clients} but for the admin interface.")
  (admin-max-queued-clients
-    (integer 5)
+   (integer 5)
-    "Same as @code{max-queued-clients} but for the admin interface.")
+   "Same as @code{max-queued-clients} but for the admin interface.")
  (admin-max-client-requests
-    (integer 5)
+   (integer 5)
-    "Same as @code{max-client-requests} but for the admin interface.")
+   "Same as @code{max-client-requests} but for the admin interface.")
  (log-level
-    (integer 3)
+   (integer 3)
-    "Logging level. 4 errors, 3 warnings, 2 information, 1 debug.")
+   "Semi-deprecated option for the logging level: using the @code{log-filters}
 option instead is recommend, as it provides finer control.  The log level can
 be set to @code{4} for errors, @code{3} for warnings, @code{2} for information
 or @code{1} for debug.  Note that since @code{log-filters} and
@code{log-outputs} take precedence over this option, you will need to also
 adjust their logging levels to avoid filtering out messages.")
  (log-filters
-    (string "3:remote 4:event")
+   (string "3:remote 4:event")
-    "Logging filters.
+   "Logging filters.  A filter allows selecting a different logging level for
-
+a given category of logs.  The format for a filter is either
-A filter allows selecting a different logging level for a given category
+@samp{@var{x}:@var{name}} or @samp{@var{x}:+@var{name}}, where name is a
-of logs
+string which is matched against the category given in the
-The format for a filter is one of:
+@code{VIR_LOG_INIT()} at the top of each libvirt source file, e.g.,
-@itemize
+@samp{\"remote\"}, @samp{\"qemu\"}, or @samp{\"util.json\"}.  @var{name} can
-@item x:name
+be a substring of the full category name, in order to match multiple similar
-
+categories.  The optional @samp{+} prefix tells libvirt to log stack traces
-@item x:+name
+for each message matching @var{name}.  @var{x} is the log level value used to
-@end itemize
+filter the associated message category.  @var{x} can be set to @samp{4} for
-
+errors, @samp{3} for warnings, @samp{2} for information, or @samp{1} for
-where @code{name} is a string which is matched against the category
+debug.  Multiple filters can be defined in a single filters statement, as
-given in the @code{VIR_LOG_INIT()} at the top of each libvirt source
+space-separated values.  Since @code{log-outputs} also include a level filter,
-file, e.g., \"remote\", \"qemu\", or \"util.json\" (the name in the
+you may need to also adjust its value to see all the filtered messages.")
 filter can be a substring of the full category name, in order
 to match multiple similar categories), the optional \"+\" prefix
 tells libvirt to log stack trace for each message matching
 name, and @code{x} is the minimal level where matching messages should
 be logged:
@itemize
@item 1: DEBUG
@item 2: INFO
@item 3: WARNING
@item 4: ERROR
@end itemize
 Multiple filters can be defined in a single filters statement, they just
 need to be separated by spaces.")
  (log-outputs
-    (string "3:syslog:libvirtd")
+   (string "3:syslog:libvirtd")
-    "Logging outputs.
+   "Logging outputs.  An output is one of the places to save logging
-
+information.  The format for an output has the form
-An output is one of the places to save logging information
+@code{\"@var{x}:var{output}\"}, where @var{output} can be @samp{stderr},
-The format for an output can be:
+@samp{syslog:@var{name}}, where @var{name} is the syslog @code{ident} value to
-
+use, or @samp{file:@var{file_name}}, where @var{file_name} is the file name of
-@table @code
+the file to output to.  @var{x} is the minimal level, which acts as a filter.
-@item x:stderr
+@var{x} can be set to @var{x} can be set to @samp{4} for errors, @samp{3} for
-output goes to stderr
+warnings, @samp{2} for information, or @samp{1} for debug.  Multiple filters
-
+can be defined in a single filters statement, as space-separated values.")
@item x:syslog:name
 use syslog for the output and use the given name as the ident
@item x:file:file_path
 output to a file, with the given filepath
@item x:journald
 output to journald logging system
@end table
 In all case the x prefix is the minimal level, acting as a filter
@itemize
@item 1: DEBUG
@item 2: INFO
@item 3: WARNING
@item 4: ERROR
@end itemize
 Multiple outputs can be defined, they just need to be separated by spaces.")
  (audit-level
-    (integer 1)
+   (integer 1)
-    "Allows usage of the auditing subsystem to be altered
+   "Modify the behavior of the auditing subsystem.  @samp{0} disables all
-
+auditing, samp{1} enables auditing only if enabled on thehost and @samp{2}
-@itemize
+enables auditing but exits if it is disabled on the host.")
@item 0: disable all auditing
@item 1: enable auditing, only if enabled on host
@item 2: enable auditing, and exit if disabled on host.
@end itemize
 ")
  (audit-logging
-    (boolean #f)
+   (boolean #f)
-    "Send audit messages via libvirt logging infrastructure.")
+   "Send audit messages via libvirt logging infrastructure.")
  (host-uuid
-    (optional-string "")
+   (optional-string "")
-    "Host UUID. UUID must not have all digits be the same.")
+   "Host UUID. UUID must not have all digits be the same.")
  (host-uuid-source
-    (string "smbios")
+   (string "smbios")
-    "Source to read host UUID.
+   "Source to read host UUID.  Use @code{\"smbios\"} to fetch the UUID via
-
+@code{dmidecode -s system-uuid}, or @code{\"machine-id\"} to fetch the UUID
-@itemize
+from @code{/etc/machine-id}.  If @code{dmidecode} does not provide a valid
-
+UUID a temporary UUID will be generated.")
@item @code{smbios}: fetch the UUID from @code{dmidecode -s system-uuid}
@item @code{machine-id}: fetch the UUID from @code{/etc/machine-id}
@end itemize
 If @code{dmidecode} does not provide a valid UUID a temporary UUID
 will be generated.")
  (keepalive-interval
-    (integer 5)
+   (integer 5)
-    "A keepalive message is sent to a client after
+   "A keepalive message is sent to a client after @code{keepalive_interval}
-@code{keepalive_interval} seconds of inactivity to check if
+seconds of inactivity to check if the client is still responding.  If set to
-the client is still responding. If set to -1, libvirtd will
+@code{-1}, libvirtd won't send keepalive requests; however clients can still
-never send keepalive requests; however clients can still send
+send them and the daemon will send responses.")
 them and the daemon will send responses.")
  (keepalive-count
-    (integer 5)
+   (integer 5)
-    "Maximum number of keepalive messages that are allowed to be sent
+   "Maximum number of keepalive messages that are allowed to be sent to the
-to the client without getting any response before the connection is
+client without getting any response before the connection is considered
-considered broken.
+broken.  In other words, the connection is automatically closed approximately
-
+after @samp{keepalive_interval * (keepalive_count + 1)} seconds since the last
-In other words, the connection is automatically
+message received from the client.  When @code{keepalive-count} is set to
-closed approximately after
+@code{0}, connections will be automatically closed after
-@code{keepalive_interval * (keepalive_count + 1)} seconds since the last
+@code{keepalive-interval} seconds of inactivity without sending any keepalive
-message received from the client. When @code{keepalive-count} is
+messages.")
 set to 0, connections will be automatically closed after
@code{keepalive-interval} seconds of inactivity without sending any
 keepalive messages.")
  (admin-keepalive-interval
-    (integer 5)
+   (integer 5)
-    "Same as above but for admin interface.")
+   "Same as above but for admin interface.")
  (admin-keepalive-count
-    (integer 5)
+   (integer 5)
-    "Same as above but for admin interface.")
+   "Same as above but for admin interface.")
  (ovs-timeout
-    (integer 5)
+   (integer 5)
-    "Timeout for Open vSwitch calls.
+   "Timeout for Open vSwitch calls.  The @code{ovs-vsctl} utility is used for
-
+the configuration and its timeout option is set by default to 5 seconds to
-The @code{ovs-vsctl} utility is used for the configuration and
+avoid potential infinite waits blocking libvirt."))
 its timeout option is set by default to 5 seconds to avoid
 potential infinite waits blocking libvirt."))
 (define* (libvirt-conf-file config)
  "Return a libvirtd config file."