[PATCH v4 9/9] daemon: use socket activation with systemd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
---
 .gitignore                 |  1 +
 daemon/Makefile.am         | 14 ++++++++++++--
 daemon/libvirtd.conf       |  5 +++++
 daemon/libvirtd.service.in |  5 -----
 daemon/libvirtd.socket.in  | 11 +++++++++++
 libvirt.spec.in            | 25 ++++++++++++++++++++-----
 6 files changed, 49 insertions(+), 12 deletions(-)
 create mode 100644 daemon/libvirtd.socket.in

diff --git a/.gitignore b/.gitignore
index 90fee91..9776ea1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,6 +60,7 @@
 /daemon/libvirtd.pod
 /daemon/libvirtd.policy
 /daemon/libvirtd.service
+/daemon/libvirtd.socket
 /daemon/test_libvirtd.aug
 /docs/aclperms.htmlinc
 /docs/apibuild.py.stamp
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index 00221ab..70b7655 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -55,6 +55,7 @@ EXTRA_DIST =						\
 	libvirtd.policy.in				\
 	libvirtd.sasl					\
 	libvirtd.service.in				\
+	libvirtd.socket.in				\
 	libvirtd.sysconf				\
 	libvirtd.sysctl					\
 	libvirtd.aug                                    \
@@ -388,15 +389,18 @@ endif ! LIBVIRT_INIT_SCRIPT_UPSTART
 if LIBVIRT_INIT_SCRIPT_SYSTEMD

 SYSTEMD_UNIT_DIR = $(prefix)/lib/systemd/system
-BUILT_SOURCES += libvirtd.service
+BUILT_SOURCES += libvirtd.service libvirtd.socket

-install-init-systemd: install-sysconfig libvirtd.service
+install-init-systemd: install-sysconfig libvirtd.service libvirtd.socket
 	$(MKDIR_P) $(DESTDIR)$(SYSTEMD_UNIT_DIR)
 	$(INSTALL_DATA) libvirtd.service \
 	  $(DESTDIR)$(SYSTEMD_UNIT_DIR)/libvirtd.service
+	$(INSTALL_DATA) libvirtd.socket \
+	  $(DESTDIR)$(SYSTEMD_UNIT_DIR)/libvirtd.socket

 uninstall-init-systemd: uninstall-sysconfig
 	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/libvirtd.service
+	rm -f $(DESTDIR)$(SYSTEMD_UNIT_DIR)/libvirtd.socket
 	rmdir $(DESTDIR)$(SYSTEMD_UNIT_DIR) || :
 else ! LIBVIRT_INIT_SCRIPT_SYSTEMD
 install-init-systemd:
@@ -420,6 +424,12 @@ libvirtd.service: libvirtd.service.in $(top_builddir)/config.status
 	    < $< > $@-t &&					\
 	    mv $@-t $@

+libvirtd.socket: libvirtd.socket.in $(top_builddir)/config.status
+	$(AM_V_GEN)sed						\
+	    -e 's|[@]runstatedir[@]|$(runstatedir)|g'		\
+	    < $< > $@-t &&					\
+	    mv $@-t $@
+

 check-local: check-augeas

diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 2d80274..d4f6a1c 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -77,6 +77,11 @@
 # UNIX socket access controls
 #

+# Beware that if you are changing *any* of these options, and you use
+# socket activation with systemd, you need to adjust the settings in
+# the libvirtd.socket file as well since it could impose a security
+# risk if you rely on file permission checking only.
+
 # Set the UNIX domain socket group ownership. This can be used to
 # allow a 'trusted' set of users access to management capabilities
 # without becoming root.
diff --git a/daemon/libvirtd.service.in b/daemon/libvirtd.service.in
index 086da36..1759ac8 100644
--- a/daemon/libvirtd.service.in
+++ b/daemon/libvirtd.service.in
@@ -1,8 +1,3 @@
-# NB we don't use socket activation. When libvirtd starts it will
-# spawn any virtual machines registered for autostart. We want this
-# to occur on every boot, regardless of whether any client connects
-# to a socket. Thus socket activation doesn't have any benefit
-
 [Unit]
 Description=Virtualization daemon
 Before=libvirt-guests.service
diff --git a/daemon/libvirtd.socket.in b/daemon/libvirtd.socket.in
new file mode 100644
index 0000000..0915bb3
--- /dev/null
+++ b/daemon/libvirtd.socket.in
@@ -0,0 +1,11 @@
+[Socket]
+ListenStream=@runstatedir@/libvirt/libvirt-sock
+ListenStream=@runstatedir@/libvirt/libvirt-sock-ro
+
+; The following settings must match libvirtd.conf file in order to
+; work as expected because libvirtd can't change them later.
+; SocketMode=0777 is safe only if authentication on the socket is set
+; up.  For further information, please see the libvirtd.conf file.
+SocketMode=0777
+SocketUser=root
+SocketGroup=root
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 29da071..7fc6a8d 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1670,11 +1670,13 @@ done

     %if %{with_systemd}
         %if %{with_systemd_macros}
-            %systemd_post virtlockd.socket libvirtd.service
+            %systemd_post virtlockd.socket libvirtd.service libvirtd.socket
         %else
 if [ $1 -eq 1 ] ; then
     # Initial installation
-    /bin/systemctl enable virtlockd.socket libvirtd.service >/dev/null 2>&1 || :
+    /bin/systemctl enable \
+        virtlockd.socket \
+        libvirtd.service >/dev/null 2>&1 || :
 fi
         %endif
     %else
@@ -1695,12 +1697,24 @@ fi
 %preun daemon
     %if %{with_systemd}
         %if %{with_systemd_macros}
-            %systemd_preun libvirtd.service virtlockd.socket virtlockd.service
+            %systemd_preun \
+                libvirtd.socket \
+                libvirtd.service \
+                virtlockd.socket \
+                virtlockd.service
         %else
 if [ $1 -eq 0 ] ; then
     # Package removal, not upgrade
-    /bin/systemctl --no-reload disable libvirtd.service virtlockd.socket virtlockd.service > /dev/null 2>&1 || :
-    /bin/systemctl stop libvirtd.service virtlockd.socket virtlockd.service > /dev/null 2>&1 || :
+    /bin/systemctl --no-reload disable \
+        libvirtd.socket \
+        libvirtd.service \
+        virtlockd.socket \
+        virtlockd.service > /dev/null 2>&1 || :
+    /bin/systemctl stop \
+        libvirtd.socket \
+        libvirtd.service \
+        virtlockd.socket \
+        virtlockd.service > /dev/null 2>&1 || :
 fi
         %endif
     %else
@@ -1857,6 +1871,7 @@ exit 0

     %if %{with_systemd}
 %{_unitdir}/libvirtd.service
+%{_unitdir}/libvirtd.socket
 %{_unitdir}/virtlockd.service
 %{_unitdir}/virtlockd.socket
     %else
-- 
2.0.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]