
On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
This is the strongest relationship that can be declared between two units, and causes the service to be terminated immediately if any of its sockets disappear. This is the behavior we want.
IIUC, this prevents running the service with /only/ the main socket, and ro/admin sockets disabled. Running without the ro socket in particular was something we wanted to allow to reduce exposure to unprivileged services (there have been a number of CVEs where the read-only socket was the way in).
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/locking/virtlockd.service.in | 6 ++++--
 src/logging/virtlogd.service.in  | 6 ++++--
 src/virtd.service.in             | 9 ++++++---
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in index 9e91fa3261..a21a2c2c19 100644 --- a/src/locking/virtlockd.service.in +++ b/src/locking/virtlockd.service.in @@ -1,7 +1,9 @@ [Unit] Description=Virtual machine lock manager -Requires=virtlockd.socket -Requires=virtlockd-admin.socket +BindsTo=virtlockd.socket +BindsTo=virtlockd-admin.socket +After=virtlockd.socket +After=virtlockd-admin.socket Before=libvirtd.service Documentation=man:virtlockd(8) Documentation=https://libvirt.org diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in index 97c942ffb0..f3bd576301 100644 --- a/src/logging/virtlogd.service.in +++ b/src/logging/virtlogd.service.in @@ -1,7 +1,9 @@ [Unit] Description=Virtual machine log manager -Requires=virtlogd.socket -Requires=virtlogd-admin.socket +BindsTo=virtlogd.socket +BindsTo=virtlogd-admin.socket +After=virtlogd.socket +After=virtlogd-admin.socket Before=libvirtd.service Documentation=man:virtlogd(8) Documentation=https://libvirt.org diff --git a/src/virtd.service.in b/src/virtd.service.in index 21391a65b0..b9e6345e8c 100644 --- a/src/virtd.service.in +++ b/src/virtd.service.in @@ -1,8 +1,11 @@ [Unit] Description=@name@ daemon -Requires=@service@.socket -Requires=@service@-ro.socket -Requires=@service@-admin.socket +BindsTo=@service@.socket +BindsTo=@service@-ro.socket +BindsTo=@service@-admin.socket +After=@service@.socket +After=@service@-ro.socket +After=@service@-admin.socket Conflicts=libvirtd.service After=libvirtd.service After=network.target -- 2.41.0
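Review bot: In the virtlockd.service.in hunk, virtlockd-admin.socket gets the same `BindsTo=` as virtlockd.socket, so stopping (or never enabling) the admin socket now terminates the lock manager even though only the main socket is needed for it to do its job. Suggest keeping `BindsTo=virtlockd.socket` and `After=virtlockd.socket` for the main socket only, and declaring the admin socket with a weaker pull-in such as `Wants=virtlockd-admin.socket` so it can stay disabled without taking the service down.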
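Review bot: The virtlogd.service.in hunk has the same issue: `BindsTo=virtlogd-admin.socket` makes the admin socket as mandatory as virtlogd.socket, so an administrator who masks the admin socket to narrow the attack surface loses the log manager as well. The `After=` lines are correct (BindsTo= only has its full effect together with After=), but the hard binding should be limited to virtlogd.socket, with the admin socket listed under `Wants=`.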
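Review bot: In the virtd.service.in hunk, `BindsTo=@service@-ro.socket` makes the read-only socket mandatory for every daemon generated from this template, which is exactly the configuration the reply above says should remain possible to disable (the ro socket being the entry point in several past CVEs). Suggest `BindsTo=` plus `After=` for `@service@.socket` only, and `Wants=` (with the matching `After=`) for `@service@-ro.socket` and `@service@-admin.socket`, so a daemon runs with just its main socket when the optional sockets are disabled.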
With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org  -o-    https://www.instagram.com/dberrange :|
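As an added illustration of the alternative discussed in the reply above (this is not part of the patch nor one of libvirt's own unit files): a unit fragment that binds the daemon only to its main socket and treats the read-only and admin sockets as optional, so the ro socket can be disabled to reduce exposure without the daemon being terminated. `@service@` is the same template variable the patch uses; the choice of `Wants=` for the optional sockets is this example's assumption.

```ini
[Unit]
Description=@service@ daemon
# Hard dependency: the daemon cannot serve anything without its main
# socket, so let systemd stop it when that socket goes away.
BindsTo=@service@.socket
After=@service@.socket
# Optional sockets: pull them in when they are enabled, but do not tear
# the daemon down when one of them is stopped, masked or left disabled.
Wants=@service@-ro.socket
Wants=@service@-admin.socket
After=@service@-ro.socket
After=@service@-admin.socket
```

With this layout, stopping or disabling `@service@-ro.socket` leaves the daemon running, while stopping `@service@.socket` still terminates it; `systemctl list-dependencies @service@.service` shows which sockets the service pulls in, and `systemctl show -p BindsTo -p Wants @service@.service` confirms which of them carry the hard binding.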