Certain libvirtd.conf settings are not honoured when using systemd
socket activation.
Certain systemd unit file settings must match those defined in
libvirtd.conf for systemd socket activation to work with systemd
version < 227, otherwise libvirtd cannot determine which inherited
FD to use for which service.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/remote/libvirtd-admin.socket.in | 2 ++
src/remote/libvirtd-ro.socket.in | 2 ++
src/remote/libvirtd-tcp.socket.in | 2 ++
src/remote/libvirtd-tls.socket.in | 2 ++
src/remote/libvirtd.conf | 31 +++++++++++++++++++++++++++++
src/remote/libvirtd.socket.in | 2 ++
src/remote/libvirtd.sysconf | 3 ++-
7 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/remote/libvirtd-admin.socket.in b/src/remote/libvirtd-admin.socket.in
index b791a2eb1b..307c9ba24b 100644
--- a/src/remote/libvirtd-admin.socket.in
+++ b/src/remote/libvirtd-admin.socket.in
@@ -5,6 +5,8 @@ BindsTo=libvirtd.socket
After=libvirtd.socket
[Socket]
+# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting
+# when using systemd version < 227
ListenStream=@localstatedir@/run/libvirt/libvirt-admin-sock
Service=libvirtd.service
SocketMode=0600
diff --git a/src/remote/libvirtd-ro.socket.in b/src/remote/libvirtd-ro.socket.in
index 55c44944b4..876daf0c9c 100644
--- a/src/remote/libvirtd-ro.socket.in
+++ b/src/remote/libvirtd-ro.socket.in
@@ -5,6 +5,8 @@ BindsTo=libvirtd.socket
After=libvirtd.socket
[Socket]
+# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting
+# when using systemd version < 227
ListenStream=@localstatedir@/run/libvirt/libvirt-sock-ro
Service=libvirtd.service
SocketMode=0666
diff --git a/src/remote/libvirtd-tcp.socket.in b/src/remote/libvirtd-tcp.socket.in
index 09d5d3d67a..16a4764283 100644
--- a/src/remote/libvirtd-tcp.socket.in
+++ b/src/remote/libvirtd-tcp.socket.in
@@ -5,6 +5,8 @@ BindsTo=libvirtd.socket
After=libvirtd.socket
[Socket]
+# This must match the /etc/libvirt/libvirtd.conf tcp_port setting
+# when using systemd version < 227
ListenStream=16509
Service=libvirtd.service
diff --git a/src/remote/libvirtd-tls.socket.in b/src/remote/libvirtd-tls.socket.in
index c60f0c9c77..e904583cf9 100644
--- a/src/remote/libvirtd-tls.socket.in
+++ b/src/remote/libvirtd-tls.socket.in
@@ -5,6 +5,8 @@ BindsTo=libvirtd.socket
After=libvirtd.socket
[Socket]
+# This must match the /etc/libvirt/libvirtd.conf tls_port setting
+# when using systemd version < 227
ListenStream=16514
Service=libvirtd.service
diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf
index bbeb053495..b63b8d61b7 100644
--- a/src/remote/libvirtd.conf
+++ b/src/remote/libvirtd.conf
@@ -10,6 +10,9 @@
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# It is necessary to setup a CA and issue server certificates before
# using this capability.
#
@@ -20,6 +23,9 @@
# NB, must pass the --listen flag to the libvirtd process for this to
# have any effect.
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# Using the TCP socket requires SASL authentication by default. Only
# SASL mechanisms which support data encryption are allowed. This is
# DIGEST_MD5 and GSSAPI (Kerberos5)
@@ -32,17 +38,26 @@
# Override the port for accepting secure TLS connections
# This can be a port number, or service name
#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
#tls_port = "16514"
# Override the port for accepting insecure TCP connections
# This can be a port number, or service name
#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
#tcp_port = "16509"
# Override the default configuration which binds to all network
# interfaces. This can be a numeric IPv4/6 address, or hostname
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# If the libvirtd service is started in parallel with network
# startup (e.g. with systemd), binding to addresses other than
# the wildcards (0.0.0.0/::) might not be available yet.
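Review bot: The listen_addr comment added in this hunk says the setting is not honoured under socket activation, but it does not say where the bind address comes from instead. In the libvirtd-tcp.socket.in and libvirtd-tls.socket.in hunks of this patch, `ListenStream=` is a bare port (16509, 16514), which systemd binds on all interfaces. A host that limited listen_addr to a management address would therefore listen more widely once those socket units are enabled, with no hint in this file. Suggest adding a line such as `# Set ListenStream=ADDRESS:PORT in libvirtd-tcp.socket / libvirtd-tls.socket instead.` The patch does not show whether libvirtd warns at startup about an ignored listen_addr, so that is worth confirming.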
@@ -59,12 +74,18 @@
# allow a 'trusted' set of users access to management capabilities
# without becoming root.
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# This is restricted to 'root' by default.
#unix_sock_group = "libvirt"
# Set the UNIX socket permissions for the R/O socket. This is used
# for monitoring VM status only
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# Default allows any user. If setting group ownership, you may want to
# restrict this too.
#unix_sock_ro_perms = "0777"
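Review bot: The comments added for unix_sock_group and unix_sock_ro_perms say the values are ignored under socket activation but do not name where the effective ownership and mode are now set. An admin who tightened them here gets no hint that the restriction no longer applies. The unit hunks in this patch show `SocketMode=0666` for libvirtd.socket and libvirtd-ro.socket and `SocketMode=0600` for the admin socket; no `SocketGroup=` line appears in the visible context, although the unit files are only partly shown. Suggest extending each comment with `# Use SocketGroup= and SocketMode= in the matching libvirtd*.socket unit instead.` The same applies to the unix_sock_rw_perms and unix_sock_admin_perms hunks that follow.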
@@ -72,6 +93,9 @@
# Set the UNIX socket permissions for the R/W socket. This is used
# for full management of VMs
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# Default allows only root. If PolicyKit is enabled on the socket,
# the default will change to allow everyone (eg, 0777)
#
@@ -81,11 +105,18 @@
# Set the UNIX socket permissions for the admin interface socket.
#
+# This setting is not required or honoured if using systemd socket
+# activation.
+#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
# Set the name of the directory in which sockets will be found/created.
+#
+# This setting is not required or honoured if using systemd socket
+# activation with systemd version >= 227
+#
#unix_sock_dir = "/var/run/libvirt"
diff --git a/src/remote/libvirtd.socket.in b/src/remote/libvirtd.socket.in
index e194c6e76e..2ee4d7d7a2 100644
--- a/src/remote/libvirtd.socket.in
+++ b/src/remote/libvirtd.socket.in
@@ -3,6 +3,8 @@ Description=Libvirt local socket
Before=libvirtd.service
[Socket]
+# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting
+# when using systemd version < 227
ListenStream=@localstatedir@/run/libvirt/libvirt-sock
Service=libvirtd.service
SocketMode=0666
diff --git a/src/remote/libvirtd.sysconf b/src/remote/libvirtd.sysconf
index f15e5956eb..7af41c207f 100644
--- a/src/remote/libvirtd.sysconf
+++ b/src/remote/libvirtd.sysconf
@@ -4,7 +4,8 @@
# in LIBVIRTD_ARGS instead.
#LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf
-# Listen for TCP/IP connections
+# Listen for TCP/IP connections. This is not required if using systemd
+# socket activation.
# NB. must setup TLS/SSL keys prior to using this
#LIBVIRTD_ARGS="--listen"
--
2.21.0