On Thu, 2020-03-05 at 14:57 +0000, Daniel P. Berrangé wrote:
> On Thu, Mar 05, 2020 at 03:49:46PM +0100, Andrea Bolognani wrote:
> > I've spotted a few minor issues and I've fixed them, along with the
> > ones that Erik had already pointed out, in the attached patch. Please
> > squash it in before pushing.
>
> There's no patch attached.

Oops :) I've actually attached it now.

> > I've enabled split-daemon mode on my laptop and it seems to work
> > quite seamlessly; however, I had to put SELinux into Permissive mode
> > because I was getting
> >
> >   audit[470365]: AVC avc: denied { search } for
> >   pid=470365 comm="virtlogd" name="470092" dev="proc" ino=1314622
> >   scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023
> >   tcontext=system_u:system_r:unconfined_service_t:s0
> >   tclass=dir permissive=0
>
> There is an RFE open with SELinux maintainers to apply labelling to
> the new daemons.
>
> They all currently run unconfined_service_t.
>
> We requested to make them use virtd_t to have parity with libvirtd
> policy.

That's great news!

--
Andrea Bolognani / Red Hat / Virtualization
From 8156b596395b39b30a6556000e6f8d2c95457390 Mon Sep 17 00:00:00 2001 From: Andrea Bolognani <abologna@xxxxxxxxxx> Date: Thu, 5 Mar 2020 14:31:47 +0100 Subject: [libvirt PATCH] fixup Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx> --- docs/daemons.rst | 72 +++++++++++++++++++++++++++--------------------- 1 file changed, 41 insertions(+), 31 deletions(-) diff --git a/docs/daemons.rst b/docs/daemons.rst index a74b228025..13c244de7b 100644 --- a/docs/daemons.rst +++ b/docs/daemons.rst @@ -69,7 +69,7 @@ Monolithic sockets ------------------ When running in system mode, ``libvirtd`` exposes three UNIX domain sockets, and -optionally, one or two TCP sockets +optionally, one or two TCP sockets: * ``/var/run/libvirt/libvirt-sock`` - the primary socket for accessing libvirt APIs, with full read-write privileges. A connection to this socket gives the @@ -78,7 +78,7 @@ optionally, one or two TCP sockets * ``/var/run/libvirt/libvirt-sock-ro`` - the secondary socket for accessing libvirt APIs, with limited read-only privileges. A connection to this socket - gives the ability to query the existance of objects and monitor some aspects + gives the ability to query the existence of objects and monitor some aspects of their operation. This is the socket that most management applications connect to when requesting read only mode. Typically this is what a monitoring app would use. @@ -105,7 +105,7 @@ optionally, one or two TCP sockets NB, some distros will use ``/run`` instead of ``/var/run``. -When running in session mode, ``libvirtd`` exposes two UNIX domain sockets +When running in session mode, ``libvirtd`` exposes two UNIX domain sockets: * ``$XDG_RUNTIME_DIR/libvirt/libvirt-sock`` - the primary socket for accessing libvirt APIs, with full read-write privileges. A connection to this socket 
@@ -131,11 +131,11 @@ Monolithic Systemd Integration When the ``libvirtd`` daemon is managed by ``systemd`` a number of desirable features are available, most notably socket activation. -Libvirt ships a number of unit files for controlling libvirtd +Libvirt ships a number of unit files for controlling ``libvirtd``: -* ``libvirtd.service`` - the main unit file for launching the libvirtd daemon - in system mode. The command line arguments passed can be configured by - editting ``/etc/sysconfig/libvirtd``. This is typically only needed to control +* ``libvirtd.service`` - the main unit file for launching the ``libvirtd`` + daemon in system mode. The command line arguments passed can be configured by + editing ``/etc/sysconfig/libvirtd``. This is typically only needed to control the use of the auto shutdown timeout value. It is recommended that this service unit be configured to start on boot. This is because various libvirt drivers support autostart of their objects. If it is known that @@ -163,11 +163,13 @@ Libvirt ships a number of unit files for controlling libvirtd until the administrator has deployed x509 certificates and optionally configured a suitable authentication mechanism. +NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``. + The socket unit files are newly introduced in 5.6.0. On newly installed hosts the UNIX socket units should be enabled by default. When upgrading an existing host from a previous version of libvirt, the socket unit files will be masked -if libvirtd is currently configured to use the ``--listen`` argument, since the -``--listen`` argument is mutually exclusive with use of socket activation. +if ``libvirtd`` is currently configured to use the ``--listen`` argument, since +the ``--listen`` argument is mutually exclusive with use of socket activation. When systemd socket activation is used a number of configuration settings in ``libvirtd.conf`` are no longer honoured. Instead these settings must be 
@@ -261,7 +263,7 @@ sockets: * ``/var/run/libvirt/virt${DRIVER}d-sock-ro`` - the secondary socket for accessing libvirt APIs, with limited read-only privileges. A connection to - this socket gives the ability to query the existance of objects and monitor + this socket gives the ability to query the existence of objects and monitor some aspects of their operation. This is the socket that most management applications connect to when requesting read only mode. Typically this is what a monitoring app would use. @@ -273,7 +275,7 @@ sockets: NB, some distros will use ``/run`` instead of ``/var/run``. -When running in session mode, ``virt${DRIVER}d`` exposes two UNIX domain sockets +When running in session mode, ``virt${DRIVER}d`` exposes two UNIX domain sockets: * ``$XDG_RUNTIME_DIR/libvirt/virt${DRIVER}d-sock`` - the primary socket for accessing libvirt APIs, with full read-write privileges. A connection to this @@ -298,11 +300,11 @@ Modular Systemd Integration When the ``virt${DRIVER}d`` daemon is managed by ``systemd`` a number of desirable features are available, most notably socket activation. -Libvirt ships a number of unit files for controlling virt${DRIVER}d +Libvirt ships a number of unit files for controlling ``virt${DRIVER}d``: * ``virt${DRIVER}d.service`` - the main unit file for launching the - ``virt${DRIVER}d daemon`` in system mode. The command line arguments passed - can be configured by editting ``/etc/sysconfig/virt${DRIVER}d``. This is + ``virt${DRIVER}d`` daemon in system mode. The command line arguments passed + can be configured by editing ``/etc/sysconfig/virt${DRIVER}d``. This is typically only needed to control the use of the auto shutdown timeout value. It is recommended that this service unit be configured to start on boot. This is because various libvirt drivers support autostart of their objects. 
@@ -321,16 +323,18 @@ Libvirt ships a number of unit files for controlling virt${DRIVER}d administrative UNIX socket ``/var/run/libvirt/virt${DRIVER}d-admin-sock``. This socket is recommended to be started on boot by default. +NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``. + The socket unit files are newly introduced in 5.6.0. On newly installed hosts the UNIX socket units should be enabled by default. When upgrading an existing host from a previous version of libvirt, the socket unit files will be masked -if virt${DRIVER}d is currently configured to use the ``--listen`` argument, +if ``virt${DRIVER}d`` is currently configured to use the ``--listen`` argument, since the ``--listen`` argument is mutually exclusive with use of socket activation. When systemd socket activation is used a number of configuration settings in ``virt${DRIVER}d.conf`` are no longer honoured. Instead these settings must be -controlled via the system unit files +controlled via the system unit files: * ``unix_sock_group`` - UNIX socket group owner, controlled via the ``SocketGroup`` parameter in the ``virt${DRIVER}d.socket`` and @@ -365,7 +369,7 @@ to be migrated to the monolithic daemons a number of services need to be changed. The steps below outline the process on hosts using the systemd init service. -While it is technically possible todo this while virtual machines are running, +While it is technically possible to do this while virtual machines are running, it is recommended that virtual machines be stopped or live migrated to a new host first. 
@@ -456,11 +460,11 @@ Proxy Systemd Integration When the ``virtproxyd`` daemon is managed by ``systemd`` a number of desirable features are available, most notably socket activation. -Libvirt ships a number of unit files for controlling virtproxyd +Libvirt ships a number of unit files for controlling ``virtproxyd``: -* ``virtproxyd.service`` - the main unit file for launching the virtproxyd +* ``virtproxyd.service`` - the main unit file for launching the ``virtproxyd`` daemon in system mode. The command line arguments passed can be configured by - editting ``/etc/sysconfig/virtproxyd``. This is typically only needed to + editing ``/etc/sysconfig/virtproxyd``. This is typically only needed to control the use of the auto shutdown timeout value. * ``virtproxyd.socket`` - the unit file corresponding to the main read-write @@ -485,10 +489,12 @@ Libvirt ships a number of unit files for controlling virtproxyd until the administrator has deployed x509 certificates and optionally configured a suitable authentication mechanism. +NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``. + The socket unit files are newly introduced in 5.6.0. On newly installed hosts the UNIX socket units should be enabled by default. When upgrading an existing host from a previous version of libvirt, the socket unit files will be masked -if virtproxyd is currently configured to use the ``--listen`` argument, since +if ``virtproxyd`` is currently configured to use the ``--listen`` argument, since the ``--listen`` argument is mutually exclusive with use of socket activation. When systemd socket activation is used a number of configuration settings in 
@@ -527,7 +533,7 @@ When running in system mode, ``virtlogd`` exposes two UNIX domain sockets: NB, some distros will use ``/run`` instead of ``/var/run``. -When running in session mode, ``virtlogd`` exposes two UNIX domain sockets +When running in session mode, ``virtlogd`` exposes two UNIX domain sockets: * ``$XDG_RUNTIME_DIR/libvirt/virtlogd-sock`` - the primary socket for accessing libvirt APIs, with full read-write privileges. Access to the @@ -547,11 +553,11 @@ Logging Systemd Integration When the ``virtlogd`` daemon is managed by ``systemd`` a number of desirable features are available, most notably socket activation. -Libvirt ships a number of unit files for controlling virtlogd +Libvirt ships a number of unit files for controlling ``virtlogd``: * ``virtlogd.service`` - the main unit file for launching the - ``virtlogd daemon`` in system mode. The command line arguments passed - can be configured by editting ``/etc/sysconfig/virtlogd``. This is + ``virtlogd`` daemon in system mode. The command line arguments passed + can be configured by editing ``/etc/sysconfig/virtlogd``. This is typically only needed to control the use of the auto shutdown timeout value. * ``virtlogd.socket`` - the unit file corresponding to the main read-write @@ -562,9 +568,11 @@ Libvirt ships a number of unit files for controlling virtlogd UNIX socket ``/var/run/libvirt/virtlogd-admin-sock``. This socket is recommended to be started on boot by default. +NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``. + When systemd socket activation is used a number of configuration settings in ``virtlogd.conf`` are no longer honoured. Instead these settings must be -controlled via the system unit files +controlled via the system unit files: * ``unix_sock_group`` - UNIX socket group owner, controlled via the ``SocketGroup`` parameter in the ``virtlogd.socket`` and 
@@ -619,7 +627,7 @@ When running in system mode, ``virtlockd`` exposes two UNIX domain sockets: NB, some distros will use ``/run`` instead of ``/var/run``. -When running in session mode, ``virtlockd`` exposes two UNIX domain sockets +When running in session mode, ``virtlockd`` exposes two UNIX domain sockets: * ``$XDG_RUNTIME_DIR/libvirt/virtlockd-sock`` - the primary socket for accessing libvirt APIs, with full read-write privileges. Access to the @@ -639,11 +647,11 @@ Locking Systemd Integration When the ``virtlockd`` daemon is managed by ``systemd`` a number of desirable features are available, most notably socket activation. -Libvirt ships a number of unit files for controlling virtlockd +Libvirt ships a number of unit files for controlling ``virtlockd``: * ``virtlockd.service`` - the main unit file for launching the - ``virtlockd daemon`` in system mode. The command line arguments passed - can be configured by editting ``/etc/sysconfig/virtlockd``. This is + ``virtlockd`` daemon in system mode. The command line arguments passed + can be configured by editing ``/etc/sysconfig/virtlockd``. This is typically only needed to control the use of the auto shutdown timeout value. * ``virtlockd.socket`` - the unit file corresponding to the main read-write @@ -654,9 +662,11 @@ Libvirt ships a number of unit files for controlling virtlockd UNIX socket ``/var/run/libvirt/virtlockd-admin-sock``. This socket is recommended to be started on boot by default. +NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``. + When systemd socket activation is used a number of configuration settings in ``virtlockd.conf`` are no longer honoured. Instead these settings must be -controlled via the system unit files +controlled via the system unit files: * ``unix_sock_group`` - UNIX socket group owner, controlled via the ``SocketGroup`` parameter in the ``virtlockd.socket`` and -- 2.24.1
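Review bot: In the hunk at @@ -69,7 +69,7 @@ (Monolithic sockets) the sentence still reads "exposes three UNIX domain sockets, and optionally, one or two TCP sockets:" with an unbalanced comma around "optionally"; since the line is being touched anyway to add the colon, consider "three UNIX domain sockets and, optionally, one or two TCP sockets:".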
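Review bot: The colon fix for the introductory line "controlled via the system unit files" is applied in the modular (@@ -321), logging (@@ -562) and locking (@@ -654) hunks, but the monolithic hunk at @@ -163 ends at "Instead these settings must be" and the proxy hunk at @@ -485 ends at "a number of configuration settings in", so the corresponding "controlled via the system unit files" line in those two sections lies outside the diff and presumably keeps its missing colon. Please confirm those two sections were given the same treatment, otherwise the five daemon sections end up inconsistent.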
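Review bot: In the hunk at @@ -321,16 +323,18 @@ (and the parallel logging and locking hunks) the text says settings such as ``unix_sock_group`` in ``virt${DRIVER}d.conf`` "are no longer honoured" under socket activation and must instead be set via ``SocketGroup`` in the ``.socket`` unit. Since an administrator who edits the conf file to tighten socket ownership gets no error and no effect, it would help to say explicitly that these values are set through a systemd drop-in (for example ``systemctl edit virt${DRIVER}d.socket``) rather than by editing the shipped unit files, so hardening changes survive package upgrades.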
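Review bot: The "NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``" note added in the hunks at @@ -163, @@ -321, @@ -485, @@ -562 and @@ -654 is placed after the full list of unit files in each section, matching the existing "/run instead of /var/run" note after each socket list; that placement reads well, but in the @@ -163 and @@ -485 hunks it now sits directly between the TLS socket bullet and "The socket unit files are newly introduced in 5.6.0", so a blank line on each side (as the hunk already shows) is needed for reStructuredText to keep it out of the list. Looks fine as is; just flagging it as a thing to verify in the rendered output.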