Certain libvirtd.conf settings are not honoured when using systemd socket activation. Certain systemd unit file settings must match those defined in libvirtd.conf for systemd socket activation to work with systemd version < 227, otherwise libvirtd cannot determine which inherited FD to use for which service. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/remote/libvirtd-admin.socket.in | 2 ++ src/remote/libvirtd-ro.socket.in | 2 ++ src/remote/libvirtd-tcp.socket.in | 2 ++ src/remote/libvirtd-tls.socket.in | 2 ++ src/remote/libvirtd.conf | 31 +++++++++++++++++++++++++++++ src/remote/libvirtd.socket.in | 2 ++ src/remote/libvirtd.sysconf | 3 ++- 7 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/remote/libvirtd-admin.socket.in b/src/remote/libvirtd-admin.socket.in index b791a2eb1b..307c9ba24b 100644 --- a/src/remote/libvirtd-admin.socket.in +++ b/src/remote/libvirtd-admin.socket.in @@ -5,6 +5,8 @@ BindsTo=libvirtd.socket After=libvirtd.socket [Socket] +# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting +# when using systemd version < 227 ListenStream=@localstatedir@/run/libvirt/libvirt-admin-sock Service=libvirtd.service SocketMode=0600 diff --git a/src/remote/libvirtd-ro.socket.in b/src/remote/libvirtd-ro.socket.in index 55c44944b4..876daf0c9c 100644 --- a/src/remote/libvirtd-ro.socket.in +++ b/src/remote/libvirtd-ro.socket.in @@ -5,6 +5,8 @@ BindsTo=libvirtd.socket After=libvirtd.socket [Socket] +# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting +# when using systemd version < 227 ListenStream=@localstatedir@/run/libvirt/libvirt-sock-ro Service=libvirtd.service SocketMode=0666 diff --git a/src/remote/libvirtd-tcp.socket.in b/src/remote/libvirtd-tcp.socket.in index 09d5d3d67a..16a4764283 100644 --- a/src/remote/libvirtd-tcp.socket.in +++ b/src/remote/libvirtd-tcp.socket.in 
@@ -5,6 +5,8 @@ BindsTo=libvirtd.socket After=libvirtd.socket [Socket] +# This must match the /etc/libvirt/libvirtd.conf tcp_port setting +# when using systemd version < 227 ListenStream=16509 Service=libvirtd.service diff --git a/src/remote/libvirtd-tls.socket.in b/src/remote/libvirtd-tls.socket.in index c60f0c9c77..e904583cf9 100644 --- a/src/remote/libvirtd-tls.socket.in +++ b/src/remote/libvirtd-tls.socket.in @@ -5,6 +5,8 @@ BindsTo=libvirtd.socket After=libvirtd.socket [Socket] +# This must match the /etc/libvirt/libvirtd.conf tls_port setting +# when using systemd version < 227 ListenStream=16514 Service=libvirtd.service diff --git a/src/remote/libvirtd.conf b/src/remote/libvirtd.conf index bbeb053495..b63b8d61b7 100644 --- a/src/remote/libvirtd.conf +++ b/src/remote/libvirtd.conf @@ -10,6 +10,9 @@ # NB, must pass the --listen flag to the libvirtd process for this to # have any effect. # +# This setting is not required or honoured if using systemd socket +# activation. +# # It is necessary to setup a CA and issue server certificates before # using this capability. # @@ -20,6 +23,9 @@ # NB, must pass the --listen flag to the libvirtd process for this to # have any effect. # +# This setting is not required or honoured if using systemd socket +# activation. +# # Using the TCP socket requires SASL authentication by default. Only # SASL mechanisms which support data encryption are allowed. This is # DIGEST_MD5 and GSSAPI (Kerberos5) 
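Review bot: The comment added to the TLS listener block in @@ -10,6 +10,9 @@ (and repeated for the TCP listener block in @@ -20,6 +23,9 @@) says the setting is not honoured under socket activation, but it does not say what decides the listener instead. Presumably the TLS and unencrypted TCP listeners then exist whenever libvirtd-tls.socket or libvirtd-tcp.socket is enabled, regardless of the value in this file, so an administrator who keeps the listener switched off here gets no hint that the switch no longer applies. If that reading is right, state it in both places, e.g. `# With socket activation the listener is controlled by enabling or disabling libvirtd-tls.socket`, with the libvirtd-tcp.socket equivalent in the TCP block. Both comment blocks continue outside their hunks.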
@@ -32,17 +38,26 @@ # Override the port for accepting secure TLS connections # This can be a port number, or service name # +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# #tls_port = "16514" # Override the port for accepting insecure TCP connections # This can be a port number, or service name # +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# #tcp_port = "16509" # Override the default configuration which binds to all network # interfaces. This can be a numeric IPv4/6 address, or hostname # +# This setting is not required or honoured if using systemd socket +# activation. +# # If the libvirtd service is started in parallel with network # startup (e.g. with systemd), binding to addresses other than # the wildcards (0.0.0.0/::) might not be available yet. @@ -59,12 +74,18 @@ # allow a 'trusted' set of users access to management capabilities # without becoming root. # +# This setting is not required or honoured if using systemd socket +# activation. +# # This is restricted to 'root' by default. #unix_sock_group = "libvirt" # Set the UNIX socket permissions for the R/O socket. This is used # for monitoring VM status only # +# This setting is not required or honoured if using systemd socket +# activation. +# # Default allows any user. If setting group ownership, you may want to # restrict this too. #unix_sock_ro_perms = "0777" @@ -72,6 +93,9 @@ # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs # +# This setting is not required or honoured if using systemd socket +# activation. +# # Default allows only root. If PolicyKit is enabled on the socket, # the default will change to allow everyone (eg, 0777) # 
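Review bot: In the bind-address block of @@ -32,17 +38,26 @@, the added "not required or honoured" comment does not say where the address restriction belongs under socket activation. The libvirtd-tcp.socket.in and libvirtd-tls.socket.in units in this patch use `ListenStream=16509` and `ListenStream=16514`, a port with no address. A host that relied on this setting to keep the remote transports on a management interface would therefore listen on every interface once those socket units are enabled. Suggest adding `# With socket activation, set the address in ListenStream= of libvirtd-tcp.socket / libvirtd-tls.socket`.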
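Review bot: The comments added to the unix_sock_group and unix_sock_ro_perms blocks in @@ -59,12 +74,18 @@ do not say that socket ownership and mode then come from the .socket units; the same gap is in the R/W permissions block in @@ -72,6 +93,9 @@ and the unix_sock_admin_perms block in @@ -81,11 +105,18 @@. The units in this patch ship `SocketMode=0666` for libvirt-sock and libvirt-sock-ro and `SocketMode=0600` for the admin socket. A deployment that limited the read-write socket to a trusted group through libvirtd.conf would silently lose that restriction and depend on whatever authentication is configured for the socket. Suggest `# With socket activation, set SocketMode= and SocketGroup= in the matching libvirtd*.socket unit instead`.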
@@ -81,11 +105,18 @@ # Set the UNIX socket permissions for the admin interface socket. # +# This setting is not required or honoured if using systemd socket +# activation. +# # Default allows only owner (root), do not change it unless you are # sure to whom you are exposing the access to. #unix_sock_admin_perms = "0700" # Set the name of the directory in which sockets will be found/created. +# +# This setting is not required or honoured if using systemd socket +# activation with systemd version >= 227 +# #unix_sock_dir = "/var/run/libvirt" diff --git a/src/remote/libvirtd.socket.in b/src/remote/libvirtd.socket.in index e194c6e76e..2ee4d7d7a2 100644 --- a/src/remote/libvirtd.socket.in +++ b/src/remote/libvirtd.socket.in @@ -3,6 +3,8 @@ Description=Libvirt local socket Before=libvirtd.service [Socket] +# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir setting +# when using systemd version < 227 ListenStream=@localstatedir@/run/libvirt/libvirt-sock Service=libvirtd.service SocketMode=0666 diff --git a/src/remote/libvirtd.sysconf b/src/remote/libvirtd.sysconf index f15e5956eb..7af41c207f 100644 --- a/src/remote/libvirtd.sysconf +++ b/src/remote/libvirtd.sysconf @@ -4,7 +4,8 @@ # in LIBVIRTD_ARGS instead. #LIBVIRTD_CONFIG=/etc/libvirt/libvirtd.conf -# Listen for TCP/IP connections +# Listen for TCP/IP connections. This is not required if using systemd +# socket activation. # NB. must setup TLS/SSL keys prior to using this #LIBVIRTD_ARGS="--listen" -- 2.21.0 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list