[libvirt PATCH 35/42] systemd: Replace Requires with BindTo+After for sockets
Daniel P. Berrangé
berrange at redhat.com
Tue Sep 26 08:44:52 UTC 2023
On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> This is the strongest relationship that can be declared between
> two units, and causes the service to be terminated immediately
> if any of its sockets disappear. This is the behavior we want.
IIUC, this prevents running the service with /only/ the main
socket, and ro/admin sockets disabled. Running without the
ro socket in particular was something we wanted to allow to
reduce exposure to unprivileged services (there have been
a number of CVEs where the read-only socket was the way in)
>
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
> src/locking/virtlockd.service.in | 6 ++++--
> src/logging/virtlogd.service.in | 6 ++++--
> src/virtd.service.in | 9 ++++++---
> 3 files changed, 14 insertions(+), 7 deletions(-)
>
> diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
> index 9e91fa3261..a21a2c2c19 100644
> --- a/src/locking/virtlockd.service.in
> +++ b/src/locking/virtlockd.service.in
> @@ -1,7 +1,9 @@
> [Unit]
> Description=Virtual machine lock manager
> -Requires=virtlockd.socket
> -Requires=virtlockd-admin.socket
> +BindsTo=virtlockd.socket
> +BindsTo=virtlockd-admin.socket
> +After=virtlockd.socket
> +After=virtlockd-admin.socket
> Before=libvirtd.service
> Documentation=man:virtlockd(8)
> Documentation=https://libvirt.org
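Review bot: `+BindsTo=virtlockd-admin.socket` ties the lock manager's lifetime to the admin socket as tightly as to the main socket, so an administrator who stops or masks virtlockd-admin.socket to reduce the exposed surface will also take down virtlockd.service. If the goal is only that the service never outlives its primary socket, consider keeping BindsTo= for virtlockd.socket and leaving the admin socket on Requires= (or Wants=) plus After=, and spell out the intended lifetime semantics in the commit message.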
> diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
> index 97c942ffb0..f3bd576301 100644
> --- a/src/logging/virtlogd.service.in
> +++ b/src/logging/virtlogd.service.in
> @@ -1,7 +1,9 @@
> [Unit]
> Description=Virtual machine log manager
> -Requires=virtlogd.socket
> -Requires=virtlogd-admin.socket
> +BindsTo=virtlogd.socket
> +BindsTo=virtlogd-admin.socket
> +After=virtlogd.socket
> +After=virtlogd-admin.socket
> Before=libvirtd.service
> Documentation=man:virtlogd(8)
> Documentation=https://libvirt.org
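Review bot: The added After= lines are the necessary companion to BindsTo= here: without an ordering dependency systemd only stops the bound service when the socket is explicitly stopped, whereas BindsTo= combined with After= on the same unit also refuses to keep virtlogd.service active when virtlogd.socket or virtlogd-admin.socket is inactive or skipped. Keep the After= pairs even if the BindsTo= set is later narrowed to just the primary socket, which would avoid the same admin-socket lifetime coupling flagged for virtlockd.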
> diff --git a/src/virtd.service.in b/src/virtd.service.in
> index 21391a65b0..b9e6345e8c 100644
> --- a/src/virtd.service.in
> +++ b/src/virtd.service.in
> @@ -1,8 +1,11 @@
> [Unit]
> Description=@name@ daemon
> -Requires=@service at .socket
> -Requires=@service at -ro.socket
> -Requires=@service at -admin.socket
> +BindsTo=@service at .socket
> +BindsTo=@service at -ro.socket
> +BindsTo=@service at -admin.socket
> +After=@service at .socket
> +After=@service at -ro.socket
> +After=@service at -admin.socket
> Conflicts=libvirtd.service
> After=libvirtd.service
> After=network.target
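Review bot: The `-ro.socket` BindsTo= line is the one that matters most for hardening: the read-only socket is the one a deployment may deliberately leave disabled to keep unprivileged clients away from the daemon, and with BindsTo= on it the daemon cannot run unless that socket is active. Since this template is what every @name@ daemon unit is generated from, consider BindsTo= only for the primary socket and Requires= or Wants= for the -ro and -admin sockets, so that disabling either optional socket remains a supported configuration rather than one that stops the service.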
> --
> 2.41.0
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|