[PATCH v2 0/2] remote: Remove dependency of virt-secret-init-encryption from libvirtd
The monolithic libvirtd.service currently has a dependency on virt-secret-init-encryption.service. This causes libvirtd to fail to start on systems where the secret driver is not installed or enabled, as systemd cannot satisfy the Requires= unit or the LoadCredentialEncrypted= path. See below,

Requires=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key

This series accomplishes the following:

The first commit decouples the secrets encryption logic from the main libvirtd service file. It is moved into a new systemd drop-in (10-secret.conf) which is only installed when libvirt is built with secret driver support. The override snippet is added to the daemon-driver-secret package.

The second commit is a simple refactoring of the configuration_data of virt-secret-init-encryption. No functional change is intended.

Arun Menon (2):
  remote: Move secrets encryption dependency to a systemd drop-in
  secret: Update virt_secret_init_encryption_conf initialization

 libvirt.spec.in                |  2 ++
 src/remote/libvirtd.service.in |  4 ----
 src/remote/meson.build         | 15 +++++++++++++++
 src/remote/secret.conf.in      |  7 +++++++
 src/secret/meson.build         |  6 +++---
 5 files changed, 27 insertions(+), 7 deletions(-)
 create mode 100644 src/remote/secret.conf.in

-- 
2.53.0
From: Arun Menon <armenon@redhat.com> The monolithic libvirtd.service currently has a dependency on virt-secret-init-encryption.service. This causes libvirtd to fail to start on systems where the secret driver is not installed or enabled, as systemd cannot satisfy the Requires= unit or the LoadCredentialEncrypted= path. See below, Requires=virt-secret-init-encryption.service LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key This patch decouples the secrets encryption logic from the main libvirtd service file. It is moved into a new systemd drop-in (10-secret.conf) which is only installed when libvirt is built with secret driver support. The override snippet is added to the daemon-driver-secret package. Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89 Signed-off-by: Arun Menon <armenon@redhat.com> Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com> --- libvirt.spec.in | 2 ++ src/remote/libvirtd.service.in | 4 ---- src/remote/meson.build | 15 +++++++++++++++ src/remote/secret.conf.in | 7 +++++++ 4 files changed, 24 insertions(+), 4 deletions(-) create mode 100644 src/remote/secret.conf.in diff --git a/libvirt.spec.in b/libvirt.spec.in index 00316a03f2..2fddfcd606 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -2259,6 +2259,8 @@ exit 0 %{_unitdir}/virtsecretd.socket %{_unitdir}/virtsecretd-ro.socket %{_unitdir}/virtsecretd-admin.socket +%dir %attr(0755, root, root) %{_unitdir}/libvirtd.service.d/ +%{_unitdir}/libvirtd.service.d/10-secret.conf %attr(0755, root, root) %{_sbindir}/virtsecretd %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/ %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/secrets/ diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in index 7965010a0a..b0a062e885 100644 --- a/src/remote/libvirtd.service.in +++ b/src/remote/libvirtd.service.in 
@@ -12,8 +12,6 @@ After=libvirtd.socket After=libvirtd-ro.socket After=libvirtd-admin.socket Requires=virtlogd.socket -Requires=virt-secret-init-encryption.service -After=virt-secret-init-encryption.service Wants=virtlockd.socket After=virtlogd.socket After=virtlockd.socket @@ -31,8 +29,6 @@ Conflicts=xendomains.service Type=notify-reload Environment=LIBVIRTD_ARGS="--timeout 120" EnvironmentFile=-@initconfdir@/libvirtd -Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key -LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS ExecReload=/bin/kill -HUP $MAINPID KillMode=process diff --git a/src/remote/meson.build b/src/remote/meson.build index e503263266..7c53e4a54f 100644 --- a/src/remote/meson.build +++ b/src/remote/meson.build @@ -343,4 +343,19 @@ if conf.has('WITH_SASL') ) endif +# The monolithic libvirt daemon only attempts to load the +# secrets encryption credentials if the secret driver is enabled +if conf.has('WITH_SECRETS') + secret_dropin_conf = configuration_data({ + 'localstatedir': localstatedir, + }) + + configure_file( + input: 'secret.conf.in', + output: '10-secret.conf', + configuration: secret_dropin_conf, + install_dir: unitdir / 'libvirtd.service.d' + ) +endif + remote_inc_dir = include_directories('.') diff --git a/src/remote/secret.conf.in b/src/remote/secret.conf.in new file mode 100644 index 0000000000..a718b44be9 --- /dev/null +++ b/src/remote/secret.conf.in @@ -0,0 +1,7 @@ +[Unit] +Requires=virt-secret-init-encryption.service +After=virt-secret-init-encryption.service + +[Service] +Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key +LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key -- 2.53.0
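Review bot: in the libvirt.spec.in hunk, the daemon-driver-secret file list takes sole ownership of %{_unitdir}/libvirtd.service.d/ via the new %dir line. If any other driver subpackage later ships a libvirtd.service drop-in, it must list the same %dir entry so the directory is co-owned rather than removed when one package is uninstalled; a short comment beside the %dir line would make that expectation explicit. This subpackage also does not depend on whatever ships libvirtd.service itself, so on modular-only hosts the drop-in directory will exist with no unit to apply to, which systemd tolerates but packagers should be aware of.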
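Review bot: the src/remote/libvirtd.service.in hunk removes Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key and LoadCredentialEncrypted= unconditionally, so a libvirtd built with the secret driver but started without the drop-in in place (package missing, or a local override masking it) now comes up with SECRETS_ENCRYPTION_KEY unset instead of failing at unit load, which is the behaviour the commit message describes for the old layout. The commit message should state what the secret driver does when the variable is unset, so that the move from "fail to start" to "run without the key" is recorded as a deliberate choice.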
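Review bot: the new block in src/remote/meson.build is guarded only by conf.has('WITH_SECRETS'), while the matching configure_file() for the secret driver in src/secret/meson.build (visible in patch 2 of this series) sits under an additional `if init_script == 'systemd'` check. As written, configure_file(... install_dir: unitdir / 'libvirtd.service.d') would also run on builds with a non-systemd init script; wrap it in the same init_script condition, and, if building the monolithic daemon is itself optional at configure time, gate on that as well.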
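Review bot: the new src/remote/secret.conf.in reinstates Requires=virt-secret-init-encryption.service, so on any host with the secret driver package installed a failure of that unit still blocks libvirtd from starting. That matches the previous behaviour and is presumably intended, but a one-line comment at the top of the drop-in saying why a hard Requires= (rather than Wants=) is used, and that administrators can adjust it with a later-sorted drop-in in the same directory, would spare the next reader a trip through git log.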
On Mon, Apr 06, 2026 at 04:23:25PM +0530, Arun Menon via Devel wrote:
From: Arun Menon <armenon@redhat.com>
The monolithic libvirtd.service currently has a dependency on virt-secret-init-encryption.service. This causes libvirtd to fail to start on systems where the secret driver is not installed or enabled, as systemd cannot satisfy the Requires= unit or the LoadCredentialEncrypted= path. See below,
Requires=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
This patch decouples the secrets encryption logic from the main libvirtd service file. It is moved into a new systemd drop-in (10-secret.conf) which is only installed when libvirt is built with secret driver support. The override snippet is added to the daemon-driver-secret package.
Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon <armenon@redhat.com>
Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com>
---
 libvirt.spec.in                |  2 ++
 src/remote/libvirtd.service.in |  4 ----
 src/remote/meson.build         | 15 +++++++++++++++
 src/remote/secret.conf.in      |  7 +++++++

Since this is only for libvirtd, can we call it libvirtd-secret.conf.in

With regards,
Daniel

-- 
|: https://berrange.com ~~ https://hachyderm.io/@berrange :|
|: https://libvirt.org ~~ https://entangle-photo.org :|
|: https://pixelfed.art/berrange ~~ https://fstop138.berrange.com :|
On Tue, Apr 07, 2026 at 12:03:36PM +0100, Daniel P. Berrangé via Devel wrote:
On Mon, Apr 06, 2026 at 04:23:25PM +0530, Arun Menon via Devel wrote:
From: Arun Menon <armenon@redhat.com>
The monolithic libvirtd.service currently has a dependency on virt-secret-init-encryption.service. This causes libvirtd to fail to start on systems where the secret driver is not installed or enabled, as systemd cannot satisfy the Requires= unit or the LoadCredentialEncrypted= path. See below,
Requires=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
This patch decouples the secrets encryption logic from the main libvirtd service file. It is moved into a new systemd drop-in (10-secret.conf) which is only installed when libvirt is built with secret driver support. The override snippet is added to the daemon-driver-secret package.
Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon <armenon@redhat.com>
Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com>
---
 libvirt.spec.in                |  2 ++
 src/remote/libvirtd.service.in |  4 ----
 src/remote/meson.build         | 15 +++++++++++++++
 src/remote/secret.conf.in      |  7 +++++++
Since this is only for libvirtd, can we call it libvirtd-secret.conf.in
I squashed in the change Daniel suggested, added my

Reviewed-by: Andrea Bolognani <abologna@redhat.com>

and pushed the series. Thanks!

-- 
Andrea Bolognani / Red Hat / Virtualization
On Tue, Apr 07, 2026 at 09:55:35AM -0400, Andrea Bolognani wrote:
On Tue, Apr 07, 2026 at 12:03:36PM +0100, Daniel P. Berrangé via Devel wrote:
On Mon, Apr 06, 2026 at 04:23:25PM +0530, Arun Menon via Devel wrote:
From: Arun Menon <armenon@redhat.com>
The monolithic libvirtd.service currently has a dependency on virt-secret-init-encryption.service. This causes libvirtd to fail to start on systems where the secret driver is not installed or enabled, as systemd cannot satisfy the Requires= unit or the LoadCredentialEncrypted= path. See below,
Requires=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
This patch decouples the secrets encryption logic from the main libvirtd service file. It is moved into a new systemd drop-in (10-secret.conf) which is only installed when libvirt is built with secret driver support. The override snippet is added to the daemon-driver-secret package.
Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon <armenon@redhat.com>
Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com>
---
 libvirt.spec.in                |  2 ++
 src/remote/libvirtd.service.in |  4 ----
 src/remote/meson.build         | 15 +++++++++++++++
 src/remote/secret.conf.in      |  7 +++++++
Since this is only for libvirtd, can we call it libvirtd-secret.conf.in
I squashed in the change Daniel suggested, added my
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
and pushed the series. Thanks!
-- Andrea Bolognani / Red Hat / Virtualization
Thank you Andrea and Daniel. Much appreciated!

Regards,
Arun Menon
From: Arun Menon <armenon@redhat.com> Refactor the configuration data setup to pass the localstatedir variable directly during initialization. No functional change intended. Signed-off-by: Arun Menon <armenon@redhat.com> --- src/secret/meson.build | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/secret/meson.build b/src/secret/meson.build index 32105dad9f..e7b1ad9045 100644 --- a/src/secret/meson.build +++ b/src/secret/meson.build @@ -50,9 +50,9 @@ if conf.has('WITH_SECRETS') 'name': 'virtsecretd', } - virt_secret_init_encryption_conf = configuration_data() - - virt_secret_init_encryption_conf.set('localstatedir', localstatedir) + virt_secret_init_encryption_conf = configuration_data({ + 'localstatedir': localstatedir, + }) if init_script == 'systemd' configure_file( -- 2.53.0
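Review bot: the src/secret/meson.build hunk is a pure refactor, and the resulting configuration_data({'localstatedir': localstatedir}) is identical to the object the first patch constructs in src/remote/meson.build; nothing to flag beyond keeping the two sites in step if further substitutions are added to virt-secret-init-encryption later.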
participants (3)
- Andrea Bolognani
- Arun Menon
- Daniel P. Berrangé