VM Configuration Schema
QV-REF-SCHEMA
Rev 1.0 — January 2026
Reference
Complete JSON schema reference for QuantaVirt VM configuration files. Every field, type, constraint, default value, and validation rule for defining virtual machines.
Schema Overview
VM configurations are JSON files passed to quantavirt vm create --config <file.json>. The schema version is 1.0. All sizes accept human-readable suffixes: K, M, G, T (powers of 1024).
{
  "name": /* required — string */
  "description": /* optional — string */
  "uuid": /* optional — auto-generated UUID v4 */
  "cpu": /* required — object */
  "memory": /* required — object */
  "storage": /* required — array of disk objects */
  "network": /* optional — array of NIC objects */
  "console": /* optional — object */
  "graphics": /* optional — object */
  "usb": /* optional — array of USB device objects */
  "boot": /* optional — object */
  "pqc": /* optional — object */
  "migration": /* optional — object */
  "security": /* optional — object */
}
Top-Level Fields

| Field | Type | Required | Default | Constraints | Description |
|---|---|---|---|---|---|
| name | string | ✅ | — | 1–64 chars, [a-zA-Z0-9._-] | Unique VM name used in CLI/API |
| description | string | ❌ | "" | 0–512 chars | Human-readable description |
| uuid | string | ❌ | auto UUID v4 | RFC 4122 format | Globally unique identifier — auto-generated if omitted |
| cpu | object | ✅ | — | See cpu schema | vCPU configuration |
| memory | object | ✅ | — | See memory schema | RAM configuration |
| storage | array | ✅ | — | ≥1 disk | Disk device attachments |
| network | array | ❌ | [] | 0–16 NICs | Network device attachments |
| console | object | ❌ | virtio-console | See console schema | Serial / virtio console |
| graphics | object | ❌ | none | See graphics schema | Display adapter and VNC |
| usb | array | ❌ | [] | 0–8 devices | USB host device passthrough |
| boot | object | ❌ | SeaBIOS, disk first | See boot schema | Boot order, firmware, direct kernel boot |
| pqc | object | ❌ | disabled | See pqc schema | Post-quantum cryptography settings |
| migration | object | ❌ | defaults | See migration schema | Live migration policies |
| security | object | ❌ | defaults | See security schema | SEV-SNP / TDX / secure boot |
cpu Object

| Field | Type | Required | Default | Constraints | Description |
|---|---|---|---|---|---|
| count | integer | ✅ | — | 1–256 | Number of virtual CPUs |
| model | string | ❌ | "host" | "host" or named model | "host" = full CPUID passthrough; named = mask to model baseline |
| features | string[] | ❌ | [] | "+flag" or "-flag" | CPUID feature overrides (e.g. ["+aes", "-avx512f"]) |
| topology | object | ❌ | 1 socket, N cores, 1 thread | sockets × cores × threads = count | vCPU topology exposed via CPUID 0x1F |
| topology.sockets | integer | ❌ | 1 | 1–8 | Number of CPU sockets |
| topology.cores | integer | ❌ | =count | 1–128 | Cores per socket |
| topology.threads | integer | ❌ | 1 | 1–2 | Threads per core (SMT) |
| pin | object | ❌ | none (float) | {"0":4,"1":5} | vCPU → pCPU pinning map |
| weight | integer | ❌ | 256 | 1–65535 | Scheduler weight (Credit/Credit2) |
| cap | integer | ❌ | 0 (unlimited) | 0–100 | Max % of one pCPU per vCPU (0 = no cap) |
| numa_node | integer | ❌ | auto | 0–N | Preferred NUMA node for scheduling and memory allocation |
Named CPU Models

| Model Name | Baseline | Notable Features |
|---|---|---|
| Skylake-Server | Xeon Scalable 1st Gen | AVX-512, AES-NI, ADX |
| Cascadelake-Server | Xeon Scalable 2nd Gen | + VNNI |
| Icelake-Server | Xeon Scalable 3rd Gen | + SHA-NI, VPCLMULQDQ |
| SapphireRapids | Xeon Scalable 4th Gen | + AMX, AVX-512 BF16 |
| EPYC | AMD EPYC 7001 | AVX2, AES-NI, SHA |
| EPYC-Rome | AMD EPYC 7002 | + RDPID, WBNOINVD |
| EPYC-Milan | AMD EPYC 7003 | + VAES, VPCLMULQDQ |
| EPYC-Genoa | AMD EPYC 9004 | + AVX-512 |
memory Object

| Field | Type | Required | Default | Constraints | Description |
|---|---|---|---|---|---|
| size | string | ✅ | — | "128M"–"4T" | VM RAM size (e.g. "512M", "8G") |
| hugepages | string\|bool | ❌ | false | false, "2M", "1G" | Use hugepages for EPT/NPT backing |
| balloon | boolean | ❌ | false | — | Enable VirtIO memory balloon for dynamic sizing |
| max_size | string | ❌ | =size | ≥size | Maximum memory for hot-add (e.g. "32G") |
| prealloc | boolean | ❌ | false | — | Pre-allocate all memory at VM creation (avoids page faults) |
| encrypted | boolean | ❌ | false | Requires SEV or TDX | Hardware memory encryption (SEV AES-128 / TDX AES-128) |
storage[] Array

Each element defines a virtual block device attached to the VM.

| Field | Type | Required | Default | Constraints | Description |
|---|---|---|---|---|---|
| type | string | ❌ | "virtio-blk" | virtio-blk, nvme, ahci, ide | Storage controller type |
| path | string | ✅ | — | Absolute path | Path to disk image or block device |
| format | string | ❌ | auto-detect | raw, qcow2, encrypted | Disk image format |
| readonly | boolean | ❌ | false | — | Mount disk read-only |
| media | string | ❌ | "disk" | disk, cdrom | Media type |
| boot_index | integer | ❌ | none | 0–99 | Boot priority (lower = higher priority) |
| cache | string | ❌ | "writeback" | none, writeback, writethrough, directsync | Host cache mode |
| io | string | ❌ | "threads" | native, threads | I/O backend (native requires cache:none or directsync) |
| queues | integer | ❌ | 1 | 1–64 | Multi-queue count (VirtIO-blk only, match vCPU count) |
| discard | boolean | ❌ | false | — | Pass TRIM/UNMAP to host (VirtIO-blk only) |
| io_limit | string | ❌ | unlimited | e.g. "500M" | I/O bandwidth limit (bytes/sec) |
| iops_limit | integer | ❌ | unlimited | 1–1000000 | I/O operations per second limit |
| encrypted | object | ❌ | none | — | PQC disk encryption (see below) |
storage[].encrypted Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| kem | string | "ML-KEM-768" | ML-KEM-512, ML-KEM-768, ML-KEM-1024 | Key encapsulation mechanism for key wrapping |
| aead | string | "AES-256-GCM" | AES-256-GCM, ChaCha20-Poly1305 | Authenticated encryption for disk sectors |
network[] Array

| Field | Type | Required | Default | Constraints | Description |
|---|---|---|---|---|---|
| type | string | ❌ | "virtio-net" | virtio-net, e1000, e1000e | NIC device model |
| network | string | ✅ | — | Existing network name | Virtual network to attach to |
| mac | string | ❌ | auto 52:54:00:xx:xx:xx | Valid MAC address | MAC address (auto-generated if omitted) |
| queues | integer | ❌ | 1 | 1–16 | Multi-queue (VirtIO-net only, match vCPU count) |
| vhost | boolean | ❌ | true | — | Enable vhost-net kernel acceleration |
| vhost_user | object | ❌ | none | — | vhost-user socket configuration for DPDK |
| vhost_user.socket | string | cond. | — | Unix socket path | vhost-user socket path |
| vhost_user.server | boolean | ❌ | false | — | true = QuantaVirt creates socket; false = connects |
| mtu | integer | ❌ | 1500 | 576–9000 | Maximum transmission unit |
| vlan | integer | ❌ | none | 1–4094 | 802.1Q VLAN tag |
| offload | object | ❌ | all enabled | — | Offload feature toggles |
| offload.tso | boolean | ❌ | true | — | TCP segmentation offload |
| offload.gso | boolean | ❌ | true | — | Generic segmentation offload |
| offload.gro | boolean | ❌ | true | — | Generic receive offload |
| offload.csum | boolean | ❌ | true | — | TCP/UDP checksum offload |
| pqc_tunnel | boolean | ❌ | false | — | Encrypt this NIC's traffic with PQC |
| pqc_kem | string | ❌ | "ML-KEM-768" | ML-KEM variants | KEM for tunnel key exchange |
| pqc_aead | string | ❌ | "AES-256-GCM" | AEAD ciphers | Bulk cipher for tunnel encryption |
console Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| type | string | "virtio-console" | virtio-console, serial | Console device type |
| log | string | none | File path | Log console output to file |
graphics Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| type | string | "none" | virtio-gpu, none | GPU device type |
| virgl | boolean | false | — | Enable Virgl 3D acceleration |
| vnc | object | none | — | VNC remote display settings |
| vnc.listen | string | "127.0.0.1" | IP address | VNC bind address |
| vnc.port | integer | 5900 | 1024–65535 | VNC listen port |
| vnc.password | string | none | ≤8 chars | VNC authentication password |
| vnc.websocket | boolean | false | — | Enable WebSocket transport (for GUI) |
usb[] Array

| Field | Type | Required | Description |
|---|---|---|---|
| vendor_id | string | ✅ | USB vendor ID (hex, e.g. "0x046d") |
| product_id | string | ✅ | USB product ID (hex, e.g. "0xc52b") |
| bus | integer | ❌ | Host USB bus number (for disambiguation) |
| port | integer | ❌ | Host USB port number |
boot Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| order | string[] | ["disk","cdrom"] | disk, cdrom, network | Boot device priority |
| uefi | boolean | false | — | true = OVMF/UEFI; false = SeaBIOS/legacy |
| secure_boot | boolean | false | Requires uefi:true | Enable UEFI Secure Boot |
| kernel | string | none | File path | Direct kernel boot — path to vmlinuz |
| initrd | string | none | File path | Direct kernel boot — path to initramfs |
| cmdline | string | none | Kernel args | Direct kernel boot — kernel command line |
pqc Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| enabled | boolean | false | — | Enable PQC subsystem for this VM |
| backend | string | "auto" | auto, quac100, software | auto = QUAC 100 if available, else software |
| attestation | object | disabled | — | VM attestation settings |
| attestation.enabled | boolean | false | — | Enable boot-time attestation |
| attestation.algorithm | string | "ML-DSA-65" | ML-DSA-44, ML-DSA-65, ML-DSA-87 | Digital signature algorithm for attestation |
| storage_encryption | object | disabled | — | PQC storage encryption defaults for this VM |
| storage_encryption.enabled | boolean | false | — | Encrypt all disks by default |
| storage_encryption.kem | string | "ML-KEM-768" | ML-KEM variants | Key encapsulation for disk key wrapping |
| storage_encryption.aead | string | "AES-256-GCM" | AEAD ciphers | Bulk cipher for sector encryption |
migration Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| allowed | boolean | true | — | Allow this VM to be migrated |
| max_downtime_ms | integer | 300 | 1–10000 | Maximum acceptable downtime in milliseconds |
| bandwidth | string | "1G" | Size string | Maximum migration bandwidth |
| compress | boolean | false | — | Enable page compression during transfer |
| auto_converge | boolean | false | — | Throttle guest CPU if dirty rate exceeds transfer rate |
security Object

| Field | Type | Default | Values | Description |
|---|---|---|---|---|
| sev | object | disabled | — | AMD SEV configuration |
| sev.enabled | boolean | false | — | Enable AMD SEV memory encryption |
| sev.policy | integer | 0 | Bitmask | SEV guest policy (see AMD SEV API spec) |
| sev.es | boolean | false | Requires EPYC 7002+ | Enable SEV-ES (encrypted register state) |
| sev.snp | boolean | false | Requires EPYC 7003+ | Enable SEV-SNP (integrity + attestation) — beta |
| tdx | object | disabled | — | Intel TDX configuration |
| tdx.enabled | boolean | false | Requires Xeon 4th Gen+ | Enable Intel TDX trust domain — beta |
Validation Rules

| Rule | Constraint | Error if Violated |
|---|---|---|
| CPU topology consistency | sockets × cores × threads = count | QV_ERR_INVAL: CPU topology does not match count |
| Memory minimum | size ≥ 128M | QV_ERR_INVAL: memory size below minimum (128 MB) |
| At least one storage device | len(storage) ≥ 1 | QV_ERR_INVAL: no storage devices configured |
| Disk path exists | File or block device at path | QV_ERR_NOENT: disk image not found |
| Network exists | Named network must exist | QV_ERR_NOENT: network 'X' not found |
| UEFI required for Secure Boot | secure_boot requires uefi: true | QV_ERR_INVAL: secure_boot requires UEFI firmware |
| SEV requires AMD EPYC | Host must have AMD SEV capability | QV_ERR_NODEV: AMD SEV not available on this host |
| TDX requires Intel Xeon 4th+ | Host must have TDX capability | QV_ERR_NODEV: Intel TDX not available on this host |
| Native AIO requires direct cache | io: "native" requires cache: "none" or "directsync" | QV_ERR_INVAL: native AIO incompatible with writeback cache |
| Name uniqueness | No other VM with same name | QV_ERR_EXIST: VM name already in use |
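
The rules above that depend only on the file itself can be checked before a config reaches quantavirt vm create, for example in code review or CI. The linter below is an added example, not part of QuantaVirt: parse_size, lint and the "LINT:" messages are hypothetical names, and reading "Requires SEV or TDX" on memory.encrypted as "security.sev.enabled or security.tdx.enabled must be set in the same file" is an assumption. Host-dependent rules (disk path, network, SEV/TDX capability, name uniqueness) are not covered.

```python
import json

UNITS = {"K": 1024, "M": 1024**2, "G": 1024**3, "T": 1024**4}

def parse_size(text):
    """Convert a size string such as "512M" to bytes (suffixes are powers of 1024)."""
    if text and text[-1].upper() in UNITS:
        return int(text[:-1]) * UNITS[text[-1].upper()]
    return int(text)

def lint(cfg):
    """Errors decidable from the file alone; omitted fields take the documented defaults."""
    errors = []
    cpu, mem = cfg.get("cpu", {}), cfg.get("memory", {})
    count, topo = cpu.get("count", 0), cpu.get("topology", {})
    product = topo.get("sockets", 1) * topo.get("cores", count) * topo.get("threads", 1)
    if product != count:
        errors.append("QV_ERR_INVAL: CPU topology does not match count")
    size = parse_size(mem.get("size", "0"))
    if size < parse_size("128M"):
        errors.append("QV_ERR_INVAL: memory size below minimum (128 MB)")
    if not cfg.get("storage"):
        errors.append("QV_ERR_INVAL: no storage devices configured")
    for disk in cfg.get("storage", []):
        direct = disk.get("cache", "writeback") in ("none", "directsync")
        if disk.get("io", "threads") == "native" and not direct:
            errors.append("QV_ERR_INVAL: native AIO incompatible with writeback cache")
    boot = cfg.get("boot", {})
    if boot.get("secure_boot", False) and not boot.get("uefi", False):
        errors.append("QV_ERR_INVAL: secure_boot requires UEFI firmware")
    # Field-table constraints without a documented error; "LINT:" texts are made up here.
    if "max_size" in mem and parse_size(mem["max_size"]) < size:
        errors.append("LINT: memory.max_size is smaller than memory.size")
    sec = cfg.get("security", {})
    confidential = any(sec.get(k, {}).get("enabled", False) for k in ("sev", "tdx"))
    if mem.get("encrypted", False) and not confidential:
        errors.append("LINT: memory.encrypted without security.sev or security.tdx enabled")
    return errors

# Constructed sample: breaks the topology, native-AIO, Secure Boot and encryption checks.
BAD = json.loads("""{
  "name": "lint-demo",
  "cpu": {"count": 8, "topology": {"sockets": 2, "cores": 2, "threads": 1}},
  "memory": {"size": "4G", "encrypted": true},
  "storage": [{"path": "/var/lib/quantavirt/disks/demo.qcow2", "io": "native"}],
  "boot": {"secure_boot": true}
}""")
if __name__ == "__main__":
    print("\n".join(lint(BAD)))
```

A config that sets secure_boot without uefi, or memory.encrypted without a confidential-computing backend, is the kind of silent downgrade worth failing a pipeline on rather than discovering at VM creation.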
Complete Examples
Minimal Linux VM
{
  "name": "minimal-linux",
  "cpu": { "count": 1 },
  "memory": { "size": "512M" },
  "storage": [
    { "path": "/var/lib/quantavirt/disks/minimal.qcow2" }
  ]
}
High-Performance Database Server
{
  "name": "postgres-prod",
  "description": "Production PostgreSQL server",
  "cpu": {
    "count": 16,
    "model": "host",
    "topology": { "sockets": 1, "cores": 16, "threads": 1 },
    "pin": { "0":0,"1":1,"2":2,"3":3,"4":4,"5":5,"6":6,"7":7,
             "8":8,"9":9,"10":10,"11":11,"12":12,"13":13,"14":14,"15":15 },
    "numa_node": 0
  },
  "memory": { "size": "64G", "hugepages": "1G", "prealloc": true },
  "storage": [
    {
      "type": "virtio-blk", "path": "/dev/nvme0n1p4", "format": "raw",
      "cache": "none", "io": "native", "queues": 16
    }
  ],
  "network": [
    { "type": "virtio-net", "network": "datacenter", "queues": 16, "vhost": true }
  ],
  "boot": { "uefi": true }
}
PQC-Secured Confidential VM
{
  "name": "classified-workload",
  "cpu": { "count": 8, "model": "EPYC-Milan" },
  "memory": { "size": "32G", "hugepages": "2M", "encrypted": true },
  "storage": [
    {
      "type": "virtio-blk",
      "path": "/var/lib/quantavirt/disks/classified.qcow2",
      "format": "encrypted",
      "encrypted": { "kem": "ML-KEM-1024", "aead": "AES-256-GCM" },
      "queues": 8
    }
  ],
  "network": [
    {
      "type": "virtio-net", "network": "secure-enclave",
      "pqc_tunnel": true, "pqc_kem": "ML-KEM-1024", "pqc_aead": "AES-256-GCM"
    }
  ],
  "boot": { "uefi": true, "secure_boot": true },
  "pqc": {
    "enabled": true, "backend": "quac100",
    "attestation": { "enabled": true, "algorithm": "ML-DSA-87" },
    "storage_encryption": { "enabled": true, "kem": "ML-KEM-1024", "aead": "AES-256-GCM" }
  },
  "security": {
    "sev": { "enabled": true, "snp": true }
  }
}