[libvirt PATCH] docs: add a kbase explaining security protections for QEMU passthrough
by Daniel P. Berrangé
When using command line passthrough, users will often trip up over the
security protections like SELinux, DAC, namespaces, etc., which will
deny access to the files they are passing. This document explains the
various protections and how to deal with their policy, and/or how
to disable them.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
docs/kbase.html.in | 4 +
docs/kbase/qemu-passthrough-security.rst | 157 +++++++++++++++++++++++
2 files changed, 161 insertions(+)
create mode 100644 docs/kbase/qemu-passthrough-security.rst
diff --git a/docs/kbase.html.in b/docs/kbase.html.in
index c156414c41..db84b95b60 100644
--- a/docs/kbase.html.in
+++ b/docs/kbase.html.in
@@ -29,6 +29,10 @@
<dt><a href="kbase/backing_chains.html">Backing chain management</a></dt>
<dd>Explanation of how disk backing chain specification impacts libvirt's
behaviour and basic troubleshooting steps of disk problems.</dd>
+
+ <dt><a href="kbase/qemu-passthrough-security.html">Security with QEMU passthrough</a></dt>
+ <dd>Examination of the security protections used for QEMU and how they need
+ configuring to allow use of QEMU passthrough with host files/devices.</dd>
</dl>
</div>
diff --git a/docs/kbase/qemu-passthrough-security.rst b/docs/kbase/qemu-passthrough-security.rst
new file mode 100644
index 0000000000..7fb1f6fbdd
--- /dev/null
+++ b/docs/kbase/qemu-passthrough-security.rst
@@ -0,0 +1,157 @@
+=============================
+QEMU command line passthrough
+=============================
+
+.. contents::
+
+Libvirt aims to provide explicit modelling of virtualization features in
+the domain XML document schema. QEMU has a very broad range of features
+and not all of these can be mapped to elements in the domain XML. Libvirt
+would like to reduce the gap to QEMU, however, with finite resources there
+will always be cases which aren't covered by the domain XML schema.
+
+
+XML document additions
+======================
+
+To deal with the problem, libvirt introduced support for command line
+passthrough of QEMU arguments. This is achieved by supporting a custom
+XML namespace, under which some QEMU driver specific elements are defined.
+
+The canonical place to declare the namespace is on the top level ``<domain>``
+element. At the very end of the document, arbitrary command line arguments
+can now be added, using the namespace prefix ``qemu:``
+
+::
+
+ <domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ ...
+ <qemu:commandline>
+ <qemu:arg value='-newarg'/>
+ <qemu:arg value='parameter'/>
+ <qemu:env name='ID' value='wibble'/>
+ <qemu:env name='BAR'/>
+ </qemu:commandline>
+ </domain>
+
+Note that when an argument takes a value eg ``-newarg parameter``, the argument
+and the value must be passed as separate ``<qemu:arg>`` entries.
+
+Instead of declaring the XML namespace on the top level ``<domain>`` it is also
+possible to declare it at time of use, which is more convenient for humans
+writing the XML documents manually. So the following example is functionally
+identical:
+
+::
+
+ <domain type='kvm'>
+ <name>QEMUGuest1</name>
+ <uuid>c7a5fdbd-edaf-9455-926a-d65c16db1809</uuid>
+ ...
+ <commandline xmlns="http://libvirt.org/schemas/domain/qemu/1.0">
+ <arg value='-newarg'/>
+ <arg value='parameter'/>
+ <env name='ID' value='wibble'/>
+ <env name='BAR'/>
+ </commandline>
+ </domain>
+
+Note that when querying the XML from libvirt, it will have been translated into
+the canonical syntax once more with the namespace on the top level element.
+
+Security confinement / sandboxing
+=================================
+
+When libvirt launches a QEMU process it makes use of a number of security
+technologies to confine QEMU and thus protect the host from malicious VM
+breakouts.
+
+When configuring security protection, however, libvirt generally needs to know
+exactly which host resources the VM is permitted to access. It gets this
+information from the domain XML document. This only works for elements in the
+regular schema, the arguments used with command line passthrough are completely
+opaque to libvirt.
+
+As a result, if command line passthrough is used to expose a file on the host
+to QEMU, the security protections will activate and either kill QEMU or deny it
+access.
+
+There are two strategies for dealing with this problem, either figure out what
+steps are needed to grant QEMU access to the device, or disable the security
+protections. The former is harder, but more secure, while the latter is simple.
+
+Granting access per VM
+----------------------
+
+* SELinux - the file on the host needs an SELinux label that will grant access
+ to QEMU's ``svirt_t`` policy.
+
+ - Read only access - use the ``virt_content_t`` label
+ - Shared, write access - use the ``svirt_image_t:s0`` label (ie no MCS
+ category appended)
+ - Exclusive, write access - use the ``svirt_image_t:s0:MCS`` label for the VM.
+ The MCS is auto-generatd at boot time, so this may require re-configuring
+ the VM to have a fixed MCS label
+
+* DAC - the file on the host needs to be readable/writable to the ``qemu``
+ user or ``qemu`` group. This can be done by changing the file ownership to
+ ``qemu``, or relaxing the permissions to allow world read, or adding file
+ ACLs to allow access to ``qemu``.
+
+* Namespaces - a private ``mount`` namespace is used for QEMU by default
+ which populates a new ``/dev`` with only the device nodes needed by QEMU.
+ There is no way to augment the set of device nodes ahead of time.
+
+* Seccomp - libvirt launches QEMU with its built-in seccomp policy enabled with
+ ``obsolete=deny``, ``elevateprivileges=deny``, ``spawn=deny`` and
+ ``resourcecontrol=deny`` settings active. There is no way to change this
+ policy on a per VM basis
+
+* Cgroups - a custom cgroup is created per VM and this will either use the
+ ``devices`` controller or an ``BPF`` rule to whitelist a set of device nodes.
+ There is no way to change this policy on a per VM basis.
+
+Disabling security protection per VM
+------------------------------------
+
+Some of the security protections can be disabled per-VM:
+
+* SELinux - in the domain XML the ``<seclabel>`` model can be changed to
+ ``none`` instead of ``selinux``, which will make the VM run unconfined.
+
+* DAC - in the domain XML an ``<seclabel>`` element with the ``dac`` model can
+ be added, configured with a user / group account of ``root`` to make QEMU run
+ with full privileges
+
+* Namespaces - there is no way to disable this per VM
+
+* Seccomp - there is no way to disable this per VM
+
+* Cgroups - there is no way to disable this per VM
+
+Disabling security protection host-wide
+---------------------------------------
+
+As a last resort it is possible to disable security protection host wide which
+will affect all virtual machines. These settings are all made in
+``/etc/libvirt/qemu.conf``
+
+* SELinux - set ``security_default_confied = 0`` to make QEMU run unconfined by
+ default, while still allowing explicit opt-in to SELinux for VMs.
+
+* DAC - set ``user = root`` and ``group = root`` to make QEMU run as the root
+ account
+
+* SELinux, DAC - set ``security_driver = []`` to entirely disable both the
+ SELinux and DAC security drivers.
+
+* Namespaces - set ``namespaces = []`` to disable use of the ``mount``
+ namespaces, causing QEMU to see the normal fully popualated ``dev``
+
+* Seccomp - set ``seccomp_sandbox = 0`` to disable use of the Seccomp sandboxing
+ in QEMU
+
+* Cgroups - set ``cgroup_device_acl`` to include the desired device node, or
+ ``cgroup_controllers = [...]`` to exclude the ``devices`` controller.
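Review bot: the host-wide SELinux bullet names the qemu.conf key as ``security_default_confied``; the real key is ``security_default_confined``, and since readers will paste this into ``/etc/libvirt/qemu.conf`` the typo makes the instruction non-functional. Other spelling and wording nits in the same file: "auto-generatd" in the SELinux MCS bullet, "popualated ``dev``" in the namespaces bullet (should be "populated ``/dev``"), and "an ``BPF`` rule" in the cgroups bullet; several bullets (Seccomp, DAC, Namespaces, Seccomp again in the host-wide list) also lack a closing full stop. On substance, the DAC bullet under "Granting access per VM" lists "relaxing the permissions to allow world read" next to changing ownership or adding an ACL; it would help to say that ownership or an ACL scoped to ``qemu`` is the preferable option and that world-readable is the least desirable, since the section is about staying confined. Likewise the per-VM DAC bullet ("a user / group account of ``root``") effectively removes DAC confinement for that guest, so a sentence noting that it puts the VM in the same position as the host-wide ``user = root`` setting would keep the reader from underestimating it.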
--
2.24.1
[jenkins-ci PATCH 0/8] lcitool: Support MinGW cross-build Dockerfiles
by Andrea Bolognani
More details in the commit message for patch 7/8.
Pavel pointed out today that the current method of triggering MinGW
builds using our CI scaffolding, eg.
$ make ci-build@fedora-30 CI_CONFIGURE=mingw64-configure
is easy to get wrong and not very discoverable, so I took that as
motivation to implement a change that I had been thinking about for
a long time anyway. The new usage will be
$ make ci-build@fedora-30-cross-mingw64
which aligns with how we're already doing cross-builds for other
architectures and is discoverable via 'make ci-list-images'.
The implementation is not the prettiest, but the Dockerfile
generator in general could use some love so I don't think this
improvement should be blocked because of that; I'll try to spend
some time refactoring and cleaning up once this has been merged.
Andrea Bolognani (8):
lcitool: Introduce cross_arch local variable
lcitool: Change check for pip_pkgs formatting
lcitool: Separate computation and formatting
lcitool: Introduce _dockerfile_format()
lcitool: Introduce _dockerfile_build_varmap()
lcitool: Add RPM-specific _dockerfile_build_varmap() variant
lcitool: Support MinGW cross-build Dockerfiles on Fedora
lcitool: Add more checks to _action_dockerfile()
guests/lcitool | 219 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 172 insertions(+), 47 deletions(-)
--
2.24.1
[PATCH] storage: Add support to set{uid,gid} and sticky bit
by Julio Faracco
This commit adds more features to storages that support setuid, setgid
and sticky bit. This extends some permission levels of volumes when you
run a hypervisor using a specific user that can run but cannot delete
volumes, for instance. Additionally, when you create a directory without
the `pool-build` command, you cannot import those extra permissions.
Example:
# mkdir /var/lib/libvirt/images/
# chmod 0755 /var/lib/libvirt/images/
# chmod u+s /var/lib/libvirt/images/
# pool-start default
# pool-dumpxml default
No setuid from `<mode>0755</mode>`.
Output should expect `<mode>4755</mode>`.
Signed-off-by: Julio Faracco <jcfaracco(a)gmail.com>
---
src/conf/storage_conf.c | 11 ++++++++---
src/storage/storage_util.c | 12 ++++++++----
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/src/conf/storage_conf.c b/src/conf/storage_conf.c
index 252d28cbfb..54e4a60ded 100644
--- a/src/conf/storage_conf.c
+++ b/src/conf/storage_conf.c
@@ -746,7 +746,7 @@ virStorageDefParsePerms(xmlXPathContextPtr ctxt,
if ((mode = virXPathString("string(./mode)", ctxt))) {
int tmp;
- if (virStrToLong_i(mode, NULL, 8, &tmp) < 0 || (tmp & ~0777)) {
+ if (virStrToLong_i(mode, NULL, 8, &tmp) < 0 || (tmp & ~07777)) {
virReportError(VIR_ERR_XML_ERROR, "%s",
_("malformed octal mode"));
goto error;
@@ -1187,9 +1187,14 @@ virStoragePoolDefFormatBuf(virBufferPtr buf,
def->target.perms.label) {
virBufferAddLit(buf, "<permissions>\n");
virBufferAdjustIndent(buf, 2);
- if (def->target.perms.mode != (mode_t) -1)
- virBufferAsprintf(buf, "<mode>0%o</mode>\n",
+ if (def->target.perms.mode != (mode_t) -1) {
+ if (def->target.perms.mode & (S_ISUID | S_ISGID | S_ISVTX))
+ virBufferAsprintf(buf, "<mode>%4o</mode>\n",
def->target.perms.mode);
+ else
+ virBufferAsprintf(buf, "<mode>0%o</mode>\n",
+ def->target.perms.mode);
+ }
if (def->target.perms.uid != (uid_t) -1)
virBufferAsprintf(buf, "<owner>%d</owner>\n",
(int) def->target.perms.uid);
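Review bot: the new if/else in virStoragePoolDefFormatBuf is unnecessary and introduces an inconsistency. The existing ``"<mode>0%o</mode>"`` format already prints a mode with S_ISUID/S_ISGID/S_ISVTX set correctly, because the extra bits simply become a fourth octal digit (``04755`` for a setuid 0755 directory); the ``%4o`` branch only differs by dropping the leading ``0`` (yielding ``4755``), which breaks the leading-zero convention used by the rest of this output and by the ``%04o`` error message in storage_util.c. Keeping the single original ``virBufferAsprintf(buf, "<mode>0%o</mode>\n", def->target.perms.mode);`` line is both simpler and consistent; the commit message's expected output would then read ``<mode>04755</mode>`` rather than ``<mode>4755</mode>``, which the parser in virStorageDefParsePerms accepts either way since it parses base 8.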
diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c
index c2754dbb93..5352ab9120 100644
--- a/src/storage/storage_util.c
+++ b/src/storage/storage_util.c
@@ -82,6 +82,10 @@ VIR_LOG_INIT("storage.storage_util");
# define S_IRWXUGO (S_IRWXU | S_IRWXG | S_IRWXO)
#endif
+#ifndef S_IALLUGO
+# define S_IALLUGO (S_ISUID | S_ISGID | S_ISVTX | S_IRWXUGO)
+#endif
+
/* virStorageBackendNamespaceInit:
* @poolType: virStoragePoolType
* @xmlns: Storage Pool specific namespace callback methods
@@ -512,7 +516,7 @@ virStorageBackendCreateExecCommand(virStoragePoolObjPtr pool,
virCommandSetUID(cmd, vol->target.perms->uid);
virCommandSetGID(cmd, vol->target.perms->gid);
- virCommandSetUmask(cmd, S_IRWXUGO ^ mode);
+ virCommandSetUmask(cmd, S_IALLUGO ^ mode);
if (virCommandRun(cmd, NULL) == 0) {
/* command was successfully run, check if the file was created */
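Review bot: passing ``S_IALLUGO ^ mode`` to virCommandSetUmask cannot cause the spawned command to create the volume with setuid, setgid or sticky bits, because umask(2) only honours the file permission bits; so for any ``mode`` that includes those bits the file will come back without them and the ``mode != (st.st_mode & S_IALLUGO)`` check below will always take the chmod fallback path. That is functionally fine but deserves a comment here so the next reader does not assume the umask alone is enough. It is also worth stating in the commit message whether setuid/setgid on volume files (as opposed to the pool directory, which the storage_conf.c hunk handles) is actually intended, since this path is what creates volume files via an external command and a setuid regular file carries no benefit for a disk image.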
@@ -523,7 +527,7 @@ virStorageBackendCreateExecCommand(virStoragePoolObjPtr pool,
* If that doesn't match what we expect, then let's try to
* re-open the file and attempt to force the mode change.
*/
- if (mode != (st.st_mode & S_IRWXUGO)) {
+ if (mode != (st.st_mode & S_IALLUGO)) {
VIR_AUTOCLOSE fd = -1;
int flags = VIR_FILE_OPEN_FORK | VIR_FILE_OPEN_FORCE_MODE;
@@ -569,7 +573,7 @@ virStorageBackendCreateExecCommand(virStoragePoolObjPtr pool,
goto cleanup;
}
- if (mode != (st.st_mode & S_IRWXUGO) &&
+ if (mode != (st.st_mode & S_IALLUGO) &&
chmod(vol->target.path, mode) < 0) {
virReportSystemError(errno,
_("cannot set mode of '%s' to %04o"),
@@ -1825,7 +1829,7 @@ virStorageBackendUpdateVolTargetInfoFD(virStorageSourcePtr target,
if (!target->perms && VIR_ALLOC(target->perms) < 0)
return -1;
- target->perms->mode = sb->st_mode & S_IRWXUGO;
+ target->perms->mode = sb->st_mode & S_IALLUGO;
target->perms->uid = sb->st_uid;
target->perms->gid = sb->st_gid;
--
2.20.1
[PATCH 0/7] util: More storage file detection cleanups
by Peter Krempa
Found while investigating options of how to improve image detection.
Peter Krempa (7):
tests: virstorage: Fix backing file format of created image
virStorageSourceUpdateCapacity: Drop 'probe' argument
util: storage: Store backing store format in virStorageSource
virStorageSourceNewFromBacking: Also transfer the format
virStorageBackendGlusterRefreshVol: Refactor handling of backing store
virStorageFileGetMetadataFromBuf: Remove 'backingFormat' argument
virStorageFileGetMetadataFromFD: Remove unused 'backingFormat'
argument
src/qemu/qemu_driver.c | 2 +-
src/storage/storage_backend_gluster.c | 12 ++---
src/storage/storage_util.c | 8 +--
src/util/virstoragefile.c | 75 +++++++++------------------
src/util/virstoragefile.h | 10 ++--
tests/virstoragetest.c | 2 +-
6 files changed, 36 insertions(+), 73 deletions(-)
--
2.24.1
[libvirt PATCH] bhyve: command: remove unused includes
by Ján Tomko
These were needed for virBhyveTapGetRealDeviceName
but were not deleted after the function was moved
to src/util.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
Fixes: a1bd8d2546c3e469f6a5ce119fad7da1cd473db5
---
Pushed as trivial.
src/bhyve/bhyve_command.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/src/bhyve/bhyve_command.c b/src/bhyve/bhyve_command.c
index 2df7b60115..03bb99d496 100644
--- a/src/bhyve/bhyve_command.c
+++ b/src/bhyve/bhyve_command.c
@@ -21,10 +21,6 @@
#include <config.h>
-#include <sys/types.h>
-#include <net/if.h>
-#include <net/if_tap.h>
-
#include "bhyve_capabilities.h"
#include "bhyve_command.h"
#include "bhyve_domain.h"
--
2.24.1
[libvirt PATCH] syms: fix comment for domain_driver.h
by Ján Tomko
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
Fixes: 8595948bc855bc5fb65c8362a5e5832a30f97f7e
---
Pushed as trivial.
src/libvirt_private.syms | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 28a3553bcf..907cef2390 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -1397,7 +1397,7 @@ virDomainCgroupSetupDomainBlkioParameters;
virDomainCgroupSetupMemtune;
-# hypervisor/domain_cgroup.h
+# hypervisor/domain_driver.h
virDomainDriverMergeBlkioDevice;
virDomainDriverParseBlkioDeviceStr;
virDomainDriverSetupPersistentDefBlkioParams;
--
2.24.1
[PATCH v2 00/14] vircgroup code duplication purge
by Daniel Henrique Barboza
Based on the feedback from version 1 [1], we can't put cross
directory dependencies in the utils files, but ATM we have no
good spot to put common driver code as well.
The solution then was to add a new directory structure, as proposed in
[2], to put the common cgroup and driver code between LXC and QEMU
into.
changes from v1:
- introduced src/hypervisor/domain_cgroup.c/h. Cgroup duplicated
code that depends on /conf includes now goes to this file
- introduced src/hypervisor/domain_driver.c/h. Common driver
code now goes to this file instead of putting more stuff in
domain_conf.c
[1] https://www.redhat.com/archives/libvir-list/2020-February/msg00425.html
[2] https://www.redhat.com/archives/libvir-list/2019-December/msg00817.html
Daniel Henrique Barboza (14):
vircgroup.c: adding virCgroupSetupBlkioDevice* helpers
lxc,qemu: use virCgroupSetupBlkioDevice* helpers
vircgroup.c: turn virCgroup{Get/Set}BlkioDevice* into static
src: introducing hypervisor/domain_cgroup.c
domain_cgroup.c: add virDomainCgroupSetupMemtune()
vircgroup.c: add virCgroupSetupCpusetCpus()
vircgroup.c: add virCgroupSetupCpuShares()
vircgroup.c: add virCgroupSetupCpuPeriodQuota()
src/hypervisor: introduce domain_driver.c
domain_driver.c: add virDomainDriverParseBlkioDeviceStr()
domain_cgroup.c: add virDomainCgroupSetupDomainBlkioParameters()
domain_driver.c: add virDomainDriverSetupPersistentDefBlkioParams()
domain_cgroup.c: add virDomainCgroupSetMemoryLimitParameters()
vircgroup: add virCgroupGetCpuPeriodQuota()
po/POTFILES.in | 2 +
src/Makefile.am | 1 +
src/hypervisor/Makefile.inc.am | 16 ++
src/hypervisor/domain_cgroup.c | 268 ++++++++++++++++++++
src/hypervisor/domain_cgroup.h | 38 +++
src/hypervisor/domain_driver.c | 252 +++++++++++++++++++
src/hypervisor/domain_driver.h | 36 +++
src/libvirt_private.syms | 32 ++-
src/lxc/Makefile.inc.am | 2 +
src/lxc/lxc_cgroup.c | 91 +------
src/lxc/lxc_driver.c | 430 ++-------------------------------
src/qemu/Makefile.inc.am | 1 +
src/qemu/qemu_cgroup.c | 112 +--------
src/qemu/qemu_driver.c | 401 +-----------------------------
src/util/vircgroup.c | 212 ++++++++++++++--
src/util/vircgroup.h | 53 ++--
16 files changed, 894 insertions(+), 1053 deletions(-)
create mode 100644 src/hypervisor/Makefile.inc.am
create mode 100644 src/hypervisor/domain_cgroup.c
create mode 100644 src/hypervisor/domain_cgroup.h
create mode 100644 src/hypervisor/domain_driver.c
create mode 100644 src/hypervisor/domain_driver.h
--
2.24.1
[libvirt PATCH] fix paths to openrc.init.in files
by Ján Tomko
The inc.am Makefiles are included by src/Makefile.am.
Adjust the paths added to OPENRC_INIT_FILES_IN
accordingly.
Signed-off-by: Ján Tomko <jtomko(a)redhat.com>
Fixes: f4b1c020a2c8493473bf868231cee6a952d57e6f
---
Pushed as a build fix.
src/locking/Makefile.inc.am | 2 +-
src/logging/Makefile.inc.am | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/locking/Makefile.inc.am b/src/locking/Makefile.inc.am
index d0e36705b2..d1bf49cd3f 100644
--- a/src/locking/Makefile.inc.am
+++ b/src/locking/Makefile.inc.am
@@ -83,7 +83,7 @@ OPENRC_INIT_FILES += \
virtlockd.init \
$(NULL)
OPENRC_INIT_FILES_IN += \
- virtlockd.init.in \
+ locking/virtlockd.init.in \
$(NULL)
noinst_LTLIBRARIES += libvirt_driver_lock.la
diff --git a/src/logging/Makefile.inc.am b/src/logging/Makefile.inc.am
index 083d8773cb..dc09cfe3fa 100644
--- a/src/logging/Makefile.inc.am
+++ b/src/logging/Makefile.inc.am
@@ -59,7 +59,7 @@ OPENRC_INIT_FILES += \
virtlogd.init \
$(NULL)
OPENRC_INIT_FILES_IN += \
- virtlogd.init.in \
+ logging/virtlogd.init.in \
$(NULL)
noinst_LTLIBRARIES += libvirt_driver_log.la
--
2.24.1
Re: [PATCH] Add missing files for OpenRC
by Michal Prívozník
On 2/22/20 4:04 PM, Ryan Moeller wrote:
> On Sat, Feb 22, 2020 at 9:24 AM Michal Prívozník <mprivozn(a)redhat.com> wrote:
>>
>> However, I have done fixes locally. How do you feel about me squashing
>> this in and then pushing?
>>
>
> That sounds terrific! Thank you :)
>
Alright then. Squashed in, and pushed.
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Congratulations on your first libvirt contribution!
Michal
[PATCH] Add missing files for OpenRC
by Ryan Moeller
Signed-off-by: Ryan Moeller <ryan(a)iXsystems.com>
---
src/locking/Makefile.inc.am | 7 +++++++
src/locking/virtlockd.init.in | 14 ++++++++++++++
src/logging/Makefile.inc.am | 10 ++++++++++
src/logging/virtlogd.init.in | 14 ++++++++++++++
4 files changed, 45 insertions(+)
create mode 100644 src/locking/virtlockd.init.in
create mode 100644 src/logging/virtlogd.init.in
diff --git a/src/locking/Makefile.inc.am b/src/locking/Makefile.inc.am
index e663d7146b..243e3ae767 100644
--- a/src/locking/Makefile.inc.am
+++ b/src/locking/Makefile.inc.am
@@ -79,6 +79,13 @@ VIRTLOCKD_UNIT_FILES_IN = \
SYSTEMD_UNIT_FILES += $(notdir $(VIRTLOCKD_UNIT_FILES_IN:%.in=%))
SYSTEMD_UNIT_FILES_IN += $(VIRTLOCKD_UNIT_FILES_IN)
+OPENRC_INIT_FILES += \
+ virtlockd.init \
+ $(NULL)
+OPENRC_INIT_FILES_IN += \
+ virtlockd.init.in \
+ $(NULL)
+
noinst_LTLIBRARIES += libvirt_driver_lock.la
libvirt_la_BUILT_LIBADD += libvirt_driver_lock.la
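Review bot: the path added to OPENRC_INIT_FILES_IN is relative to the wrong directory. This file is included from src/Makefile.am, so the entry needs the subdirectory prefix, ``locking/virtlockd.init.in``, exactly as the rule this same patch adds in src/logging/Makefile.inc.am spells out ``logging/virtlogd.init.in``. Separately, this hunk adds ``virtlockd.init`` to OPENRC_INIT_FILES but no ``virtlockd.init:`` rule to generate it from the ``.in`` template, whereas the logging side gets an explicit ``virtlogd.init: logging/virtlogd.init.in $(top_builddir)/config.status`` rule; unless a generic rule covers OPENRC_INIT_FILES elsewhere, virtlockd.init will never be built.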
diff --git a/src/locking/virtlockd.init.in b/src/locking/virtlockd.init.in
new file mode 100644
index 0000000000..45eaed7971
--- /dev/null
+++ b/src/locking/virtlockd.init.in
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+
+name=virtlogd
+
+command=@sbindir@/virtlockd
+pidfile="@runstatedir(a)/virtlockd.pid"
+command_args="--daemon --pid-file=${pidfile}"
+PATH="${PATH}:@sbindir@:@bindir@"
+supervisor=supervise-daemon
+
+depend() {
+ provide virtlockd
+ keyword -shutdown
+}
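Review bot: ``name=virtlogd`` in virtlockd.init.in is a copy-paste error and should be ``name=virtlockd``, otherwise the OpenRC service for the lock daemon reports itself under the log daemon's name. Also double-check the pidfile line in the committed file: in this archive copy it reads ``@runstatedir(a)/virtlockd.pid``, the same ``(a)`` mangling the archive applies to the ``@`` in the Signed-off-by address, so the source must carry the literal ``@runstatedir@`` for the sed substitution in the Makefile rule to work.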
diff --git a/src/logging/Makefile.inc.am b/src/logging/Makefile.inc.am
index c4fa49106e..083d8773cb 100644
--- a/src/logging/Makefile.inc.am
+++ b/src/logging/Makefile.inc.am
@@ -55,6 +55,13 @@ VIRTLOGD_UNIT_FILES_IN = \
SYSTEMD_UNIT_FILES += $(notdir $(VIRTLOGD_UNIT_FILES_IN:%.in=%))
SYSTEMD_UNIT_FILES_IN += $(VIRTLOGD_UNIT_FILES_IN)
+OPENRC_INIT_FILES += \
+ virtlogd.init \
+ $(NULL)
+OPENRC_INIT_FILES_IN += \
+ virtlogd.init.in \
+ $(NULL)
+
noinst_LTLIBRARIES += libvirt_driver_log.la
libvirt_la_BUILT_LIBADD += libvirt_driver_log.la
@@ -126,6 +133,9 @@ logging/log_daemon_dispatch_stubs.h: $(LOG_PROTOCOL) \
virLogManagerProtocol VIR_LOG_MANAGER_PROTOCOL \
$(LOG_PROTOCOL) > logging/log_daemon_dispatch_stubs.h
+virtlogd.init: logging/virtlogd.init.in $(top_builddir)/config.status
+ $(AM_V_GEN)$(SED) $(COMMON_UNIT_VARS) $< > $@-t && mv $@-t $@
+
virtlogd.service: logging/virtlogd.service.in $(top_builddir)/config.status
$(AM_V_GEN)sed $(COMMON_UNIT_VARS) $< > $@-t && mv $@-t $@
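Review bot: the new ``virtlogd.init`` rule invokes ``$(SED)`` while the adjacent ``virtlogd.service`` rule, which it otherwise duplicates, uses plain ``sed``; pick one for both so the two templates are processed identically. The rule also lists ``logging/virtlogd.init.in`` with the subdirectory prefix, which is correct for a file included from src/Makefile.am, but the OPENRC_INIT_FILES_IN entry added earlier in this same file uses the bare ``virtlogd.init.in``; the two should agree.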
diff --git a/src/logging/virtlogd.init.in b/src/logging/virtlogd.init.in
new file mode 100644
index 0000000000..61e41f7689
--- /dev/null
+++ b/src/logging/virtlogd.init.in
@@ -0,0 +1,14 @@
+#!/sbin/openrc-run
+
+name=virtlogd
+
+command=@sbindir@/virtlogd
+pidfile="@runstatedir(a)/virtlogd.pid"
+command_args="--daemon --pid-file=${pidfile}"
+PATH="${PATH}:@sbindir@:@bindir@"
+supervisor=supervise-daemon
+
+depend() {
+ provide virtlogd
+ keyword -shutdown
+}
--
2.24.1