On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
This is the strongest relationship that can be declared between
two units, and causes the service to be terminated immediately
if any of its sockets disappear. This is the behavior we want.

IIUC, this prevents running the service with /only/ the main
socket, and ro/admin sockets disabled. Running without the
ro socket in particular was something we wanted to allow to
reduce exposure to unprivileged services (there have been
a number of CVEs where the read-only socket was the way in).

Signed-off-by: Andrea Bolognani <abologna(a)redhat.com>
---
src/locking/virtlockd.service.in | 6 ++++--
src/logging/virtlogd.service.in | 6 ++++--
src/virtd.service.in | 9 ++++++---
3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
index 9e91fa3261..a21a2c2c19 100644
--- a/src/locking/virtlockd.service.in
+++ b/src/locking/virtlockd.service.in
@@ -1,7 +1,9 @@
[Unit]
Description=Virtual machine lock manager
-Requires=virtlockd.socket
-Requires=virtlockd-admin.socket
+BindsTo=virtlockd.socket
+BindsTo=virtlockd-admin.socket
+After=virtlockd.socket
+After=virtlockd-admin.socket
Before=libvirtd.service
Documentation=man:virtlockd(8)
Documentation=https://libvirt.org
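Review bot: BindsTo=virtlockd-admin.socket ties the lifetime of the lock manager to its admin socket, so stopping that one socket unit now stops virtlockd as well, and the commit message does not say why the admin socket needs the same binding as the main one. If the aim is only to stop the daemon from outliving its main listener, consider keeping BindsTo= plus After= for virtlockd.socket and a weaker dependency such as Wants= for virtlockd-admin.socket, or state in the commit message that the admin socket is intentionally mandatory.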
diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
index 97c942ffb0..f3bd576301 100644
--- a/src/logging/virtlogd.service.in
+++ b/src/logging/virtlogd.service.in
@@ -1,7 +1,9 @@
[Unit]
Description=Virtual machine log manager
-Requires=virtlogd.socket
-Requires=virtlogd-admin.socket
+BindsTo=virtlogd.socket
+BindsTo=virtlogd-admin.socket
+After=virtlogd.socket
+After=virtlogd-admin.socket
Before=libvirtd.service
Documentation=man:virtlogd(8)
Documentation=https://libvirt.org
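Review bot: the two added After= lines (After=virtlogd.socket, After=virtlogd-admin.socket) change ordering as well as dependency strength, but the commit message only describes the BindsTo= relationship. systemd.unit(5) documents that BindsTo= combined with After= on the same unit is stricter still: the bound unit has to be in active state for this unit to be active. Please say in the commit message that this combination is intended, since it is what produces the "terminated immediately" behaviour described there.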
diff --git a/src/virtd.service.in b/src/virtd.service.in
index 21391a65b0..b9e6345e8c 100644
--- a/src/virtd.service.in
+++ b/src/virtd.service.in
@@ -1,8 +1,11 @@
[Unit]
Description=@name@ daemon
-Requires=@service@.socket
-Requires=@service(a)-ro.socket
-Requires=@service(a)-admin.socket
+BindsTo=@service@.socket
+BindsTo=@service(a)-ro.socket
+BindsTo=@service(a)-admin.socket
+After=@service@.socket
+After=@service(a)-ro.socket
+After=@service(a)-admin.socket
Conflicts=libvirtd.service
After=libvirtd.service
After=network.target
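Review bot: the BindsTo= and After= lines for the -ro socket make the read-only socket mandatory for the daemon, which removes the option of running with only the main socket that the reply above asks to keep for exposure reasons. Suggest limiting BindsTo= and After= to @service@.socket and declaring the -ro and -admin sockets with a weaker dependency such as Wants=, so they can be disabled without stopping the daemon; if all three must stay bound, the commit message should document that and how an administrator is expected to restrict the read-only socket instead. As a minor style point, the new After= socket lines sit above Conflicts= while the existing After= lines sit below it; grouping them together would read more clearly.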
--
2.41.0
With regards,
Daniel