Re: [libvirt PATCH 35/42] systemd: Replace Requires with BindTo+After for sockets

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> This is the strongest relationship that can be declared between
> two units, and causes the service to be terminated immediately
> if any of its sockets disappear. This is the behavior we want.

IIUC, this prevents running the service with /only/ the main
socket, and ro/admin sockets disabled. Running without the
ro socket in particular was something we wanted to allow to
reduce exposure to unprivileged services (there have been
a number of CVEs where the read-only socket was the way in)

> 
> Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
> ---
>  src/locking/virtlockd.service.in | 6 ++++--
>  src/logging/virtlogd.service.in  | 6 ++++--
>  src/virtd.service.in             | 9 ++++++---
>  3 files changed, 14 insertions(+), 7 deletions(-)
> 
> diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
> index 9e91fa3261..a21a2c2c19 100644
> --- a/src/locking/virtlockd.service.in
> +++ b/src/locking/virtlockd.service.in
> @@ -1,7 +1,9 @@
>  [Unit]
>  Description=Virtual machine lock manager
> -Requires=virtlockd.socket
> -Requires=virtlockd-admin.socket
> +BindsTo=virtlockd.socket
> +BindsTo=virtlockd-admin.socket
> +After=virtlockd.socket
> +After=virtlockd-admin.socket
>  Before=libvirtd.service
>  Documentation=man:virtlockd(8)
>  Documentation=https://libvirt.org
> diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
> index 97c942ffb0..f3bd576301 100644
> --- a/src/logging/virtlogd.service.in
> +++ b/src/logging/virtlogd.service.in
> @@ -1,7 +1,9 @@
>  [Unit]
>  Description=Virtual machine log manager
> -Requires=virtlogd.socket
> -Requires=virtlogd-admin.socket
> +BindsTo=virtlogd.socket
> +BindsTo=virtlogd-admin.socket
> +After=virtlogd.socket
> +After=virtlogd-admin.socket
>  Before=libvirtd.service
>  Documentation=man:virtlogd(8)
>  Documentation=https://libvirt.org
> diff --git a/src/virtd.service.in b/src/virtd.service.in
> index 21391a65b0..b9e6345e8c 100644
> --- a/src/virtd.service.in
> +++ b/src/virtd.service.in
> @@ -1,8 +1,11 @@
>  [Unit]
>  Description=@name@ daemon
> -Requires=@service@.socket
> -Requires=@service@-ro.socket
> -Requires=@service@-admin.socket
> +BindsTo=@service@.socket
> +BindsTo=@service@-ro.socket
> +BindsTo=@service@-admin.socket
> +After=@service@.socket
> +After=@service@-ro.socket
> +After=@service@-admin.socket
>  Conflicts=libvirtd.service
>  After=libvirtd.service
>  After=network.target
> -- 
> 2.41.0
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux