[PATCH 0/3] docs improvements

Peter Krempa (3):
  kbase: debuglogs: Emphasize disabling daemon timeout in 'TL;DR' section
  docs: manpages: Clarify that only TLS/TCP remote access needs 'virtproxyd'
  docs: manpages: State that TCP connection is insecure in 'virtproxyd' man page

 docs/kbase/debuglogs.rst         | 6 ++++--
 docs/manpages/virtbhyved.rst     | 4 ++--
 docs/manpages/virtinterfaced.rst | 4 ++--
 docs/manpages/virtlxcd.rst       | 4 ++--
 docs/manpages/virtnetworkd.rst   | 4 ++--
 docs/manpages/virtnodedevd.rst   | 4 ++--
 docs/manpages/virtnwfilterd.rst  | 4 ++--
 docs/manpages/virtproxyd.rst     | 3 +++
 docs/manpages/virtqemud.rst      | 4 ++--
 docs/manpages/virtsecretd.rst    | 4 ++--
 docs/manpages/virtstoraged.rst   | 4 ++--
 docs/manpages/virtvboxd.rst      | 4 ++--
 docs/manpages/virtvzd.rst        | 4 ++--
 docs/manpages/virtxend.rst       | 4 ++--
 14 files changed, 31 insertions(+), 26 deletions(-)

-- 
2.39.2

Disabling the daemon timeout is important so that the settings don't get discarded. Remove the comment saying it's optional and add a paragraph outlining what to do if it is not available. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/kbase/debuglogs.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/kbase/debuglogs.rst b/docs/kbase/debuglogs.rst index 811ccf0102..f08132d099 100644 --- a/docs/kbase/debuglogs.rst +++ b/docs/kbase/debuglogs.rst @@ -25,10 +25,12 @@ the system clears this setting:: # virt-admin -c virtqemud:///system daemon-log-outputs "3:journald 1:file:/var/log/libvirt/libvirtd.log" # virt-admin -c virtqemud:///system daemon-log-filters "3:remote 4:event 3:util.json 3:util.object 3:util.dbus 3:util.netlink 3:node_device 3:rpc 3:access 1:*" - - # # optionally disable timeout of the daemon # virt-admin -c virtqemud:///system daemon-timeout 0 +The last command disabling timeout of the daemon is available since +``libvirt-8.6.0``. With older versions make sure to reproduce the issue within +120 seconds or have a VM running which prevents the daemon from timing out. + For any other configuration please read the rest of the document. If you want to persist the log level and log outputs settings edit ``/etc/libvirt/virtqemud.conf`` and look for ``log-filters`` and ``log-outputs`` -- 2.39.2
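
Review bot: The paragraph added after the ``daemon-timeout 0`` command gives the workaround for versions older than ``libvirt-8.6.0`` but never says why the timeout matters; the reason (the settings get discarded when the daemon times out) appears only in the commit message. Suggest stating it in the paragraph itself, for example "otherwise the daemon may exit and the log settings above are lost", and, now that the "optionally disable timeout" comment is removed, keeping a one-line comment above the command that says what it is for. Because the filters end in ``1:*`` with a file output and the timeout is switched off, the section should also tell the reader how to return to the default once the logs have been collected.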

Spell out that TCP and TLS needs virtproxyd as 'off-host' might mean that also ssh transport requires it. Also fix the name of the 'virtproxyd' daemon. Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/manpages/virtbhyved.rst | 4 ++-- docs/manpages/virtinterfaced.rst | 4 ++-- docs/manpages/virtlxcd.rst | 4 ++-- docs/manpages/virtnetworkd.rst | 4 ++-- docs/manpages/virtnodedevd.rst | 4 ++-- docs/manpages/virtnwfilterd.rst | 4 ++-- docs/manpages/virtqemud.rst | 4 ++-- docs/manpages/virtsecretd.rst | 4 ++-- docs/manpages/virtstoraged.rst | 4 ++-- docs/manpages/virtvboxd.rst | 4 ++-- docs/manpages/virtvzd.rst | 4 ++-- docs/manpages/virtxend.rst | 4 ++-- 12 files changed, 24 insertions(+), 24 deletions(-) diff --git a/docs/manpages/virtbhyved.rst b/docs/manpages/virtbhyved.rst index 895fb97ffe..b9e0402f85 100644 --- a/docs/manpages/virtbhyved.rst +++ b/docs/manpages/virtbhyved.rst @@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for bhyve virtual machines. The ``virtbhyved`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtbhyved`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtinterfaced.rst b/docs/manpages/virtinterfaced.rst index bdd4be7d87..247a8c4009 100644 --- a/docs/manpages/virtinterfaced.rst +++ b/docs/manpages/virtinterfaced.rst 
@@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for host network interfaces. The ``virtinterfaced`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtinterfaced`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtlxcd.rst b/docs/manpages/virtlxcd.rst index 709c893ca6..a0c1dbbbaa 100644 --- a/docs/manpages/virtlxcd.rst +++ b/docs/manpages/virtlxcd.rst @@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for LXC containers. The ``virtlxcd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtlxcd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtnetworkd.rst b/docs/manpages/virtnetworkd.rst index 2932e7c213..22b3fc0f2d 100644 --- a/docs/manpages/virtnetworkd.rst +++ b/docs/manpages/virtnetworkd.rst 
@@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for virtual networks. The ``virtnetworkd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtnetworkd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtnodedevd.rst b/docs/manpages/virtnodedevd.rst index 9044946ad6..0948318907 100644 --- a/docs/manpages/virtnodedevd.rst +++ b/docs/manpages/virtnodedevd.rst @@ -29,8 +29,8 @@ previously provided by the monolithic ``libvirtd`` daemon. This daemon runs on virtualization hosts to provide management for host devices. The ``virtnodedevd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtnodedevd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtnwfilterd.rst b/docs/manpages/virtnwfilterd.rst index c90f71cfd2..b1fc45e7a2 100644 --- a/docs/manpages/virtnwfilterd.rst +++ b/docs/manpages/virtnwfilterd.rst 
@@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for network filters. The ``virtnwfilterd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtnwfilterd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtqemud.rst b/docs/manpages/virtqemud.rst index 25cd5361dc..42810d7146 100644 --- a/docs/manpages/virtqemud.rst +++ b/docs/manpages/virtqemud.rst @@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for QEMU virtual machines. The ``virtqemud`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtqemud`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtsecretd.rst b/docs/manpages/virtsecretd.rst index 3c88f9b4d0..21138b630a 100644 --- a/docs/manpages/virtsecretd.rst +++ b/docs/manpages/virtsecretd.rst 
@@ -29,8 +29,8 @@ previously provided by the monolithic ``libvirtd`` daemon. This daemon runs on virtualization hosts to provide management for secret data. The ``virtsecretd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtsecretd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtstoraged.rst b/docs/manpages/virtstoraged.rst index 5164547e88..70863282d1 100644 --- a/docs/manpages/virtstoraged.rst +++ b/docs/manpages/virtstoraged.rst @@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for storage pools. The ``virtstoraged`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtstoraged`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtvboxd.rst b/docs/manpages/virtvboxd.rst index 0c551b8c09..f449e0e29d 100644 --- a/docs/manpages/virtvboxd.rst +++ b/docs/manpages/virtvboxd.rst 
@@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for VirtualBox virtual machines. The ``virtvboxd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtvboxd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtvzd.rst b/docs/manpages/virtvzd.rst index a5f351c27e..aa44885d46 100644 --- a/docs/manpages/virtvzd.rst +++ b/docs/manpages/virtvzd.rst @@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for Virtuozzo virtual machines. The ``virtvzd`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtvzd`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically diff --git a/docs/manpages/virtxend.rst b/docs/manpages/virtxend.rst index eda210f5dd..39ddcc4efc 100644 --- a/docs/manpages/virtxend.rst +++ b/docs/manpages/virtxend.rst 
@@ -30,8 +30,8 @@ This daemon runs on virtualization hosts to provide management for Xen virtual machines. The ``virtxend`` daemon only listens for requests on a local Unix domain -socket. Remote off-host access and backwards compatibility with legacy -clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon. +socket. Remote access via TLS/TCP and backwards compatibility with legacy +clients expecting ``libvirtd`` is provided by the ``virtproxyd`` daemon. Restarting ``virtxend`` does not interrupt running guests. Guests continue to operate and changes in their state will generally be picked up automatically -- 2.39.2
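
Review bot: In the replaced sentence of each of the twelve man pages, "Remote access via TLS/TCP" can be read as "TLS over TCP" rather than as two separate transports, and it still leaves the ssh case from the commit message implicit. Suggest "Remote access via the TLS or TCP transports" and a short clause saying that ssh access does not need ``virtproxyd``, since that is the confusion the commit message sets out to remove. With two subjects joined by "and", the verb should also be "are provided" rather than "is provided". As the same two lines are changed identically in every file, one fix to the wording should be applied to all of them together.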

Copy the wording we have in docs/uri.rst Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- docs/manpages/virtproxyd.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/manpages/virtproxyd.rst b/docs/manpages/virtproxyd.rst index 814575e504..cb29ccbaad 100644 --- a/docs/manpages/virtproxyd.rst +++ b/docs/manpages/virtproxyd.rst @@ -73,6 +73,9 @@ Or $ systemctl start virtproxyd-tcp.socket +**Note**: The TCP socket uses plain unencrypted TCP connection and thus is +insecure and should not be used. + Traditional service mode ------------------------ -- 2.39.2
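
Review bot: The added note comes after the ``systemctl start virtproxyd-tcp.socket`` line, so a reader copying the command meets the warning only afterwards, and it ends just before the "Traditional service mode" heading, which leaves that section without the same caveat. Suggest moving the note above the command (or above the whole list of alternatives that the "Or" belongs to), saying what to use instead, such as the TLS transport, and making sure the traditional-mode section carries or references the same warning. Wording nit: "uses plain unencrypted TCP connection" is missing an article; "uses a plain, unencrypted TCP connection" reads better.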

On 4/20/23 11:09, Peter Krempa wrote:
> Peter Krempa (3):
>   kbase: debuglogs: Emphasize disabling daemon timeout in 'TL;DR' section
>   docs: manpages: Clarify that only TLS/TCP remote access needs 'virtproxyd'
>   docs: manpages: State that TCP connection is insecure in 'virtproxyd' man page
>
>  docs/kbase/debuglogs.rst         | 6 ++++--
>  docs/manpages/virtbhyved.rst     | 4 ++--
>  docs/manpages/virtinterfaced.rst | 4 ++--
>  docs/manpages/virtlxcd.rst       | 4 ++--
>  docs/manpages/virtnetworkd.rst   | 4 ++--
>  docs/manpages/virtnodedevd.rst   | 4 ++--
>  docs/manpages/virtnwfilterd.rst  | 4 ++--
>  docs/manpages/virtproxyd.rst     | 3 +++
>  docs/manpages/virtqemud.rst      | 4 ++--
>  docs/manpages/virtsecretd.rst    | 4 ++--
>  docs/manpages/virtstoraged.rst   | 4 ++--
>  docs/manpages/virtvboxd.rst      | 4 ++--
>  docs/manpages/virtvzd.rst        | 4 ++--
>  docs/manpages/virtxend.rst       | 4 ++--
>  14 files changed, 31 insertions(+), 26 deletions(-)

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

Michal