[libvirt PATCH 35/42] systemd: Replace Requires with BindsTo+After for sockets

Daniel P. Berrangé berrange at redhat.com
Tue Sep 26 08:44:52 UTC 2023


On Mon, Sep 25, 2023 at 08:58:33PM +0200, Andrea Bolognani wrote:
> This is the strongest relationship that can be declared between
> two units, and causes the service to be terminated immediately
> if any of its sockets disappear. This is the behavior we want.

IIUC, this prevents running the service with /only/ the main
socket, and ro/admin sockets disabled. Running without the
ro socket in particular was something we wanted to allow to
reduce exposure to unprivileged services (there have been
a number of CVEs where the read-only socket was the way in)

> 
> Signed-off-by: Andrea Bolognani <abologna at redhat.com>
> ---
>  src/locking/virtlockd.service.in | 6 ++++--
>  src/logging/virtlogd.service.in  | 6 ++++--
>  src/virtd.service.in             | 9 ++++++---
>  3 files changed, 14 insertions(+), 7 deletions(-)
> 
> diff --git a/src/locking/virtlockd.service.in b/src/locking/virtlockd.service.in
> index 9e91fa3261..a21a2c2c19 100644
> --- a/src/locking/virtlockd.service.in
> +++ b/src/locking/virtlockd.service.in
> @@ -1,7 +1,9 @@
>  [Unit]
>  Description=Virtual machine lock manager
> -Requires=virtlockd.socket
> -Requires=virtlockd-admin.socket
> +BindsTo=virtlockd.socket
> +BindsTo=virtlockd-admin.socket
> +After=virtlockd.socket
> +After=virtlockd-admin.socket
>  Before=libvirtd.service
>  Documentation=man:virtlockd(8)
>  Documentation=https://libvirt.org
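Review bot: `BindsTo=virtlockd-admin.socket` ties the lifetime of virtlockd to the admin socket unit, so stopping or masking virtlockd-admin.socket now stops the service rather than just the admin channel, and because `BindsTo=` implies `Requires=`, starting the service pulls the admin socket back in (and fails outright if it is masked). If the admin socket is meant to be optional, hard-bind only the main one: keep `BindsTo=virtlockd.socket` and change the second line to `Wants=virtlockd-admin.socket`, leaving both `After=` lines as they are.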
> diff --git a/src/logging/virtlogd.service.in b/src/logging/virtlogd.service.in
> index 97c942ffb0..f3bd576301 100644
> --- a/src/logging/virtlogd.service.in
> +++ b/src/logging/virtlogd.service.in
> @@ -1,7 +1,9 @@
>  [Unit]
>  Description=Virtual machine log manager
> -Requires=virtlogd.socket
> -Requires=virtlogd-admin.socket
> +BindsTo=virtlogd.socket
> +BindsTo=virtlogd-admin.socket
> +After=virtlogd.socket
> +After=virtlogd-admin.socket
>  Before=libvirtd.service
>  Documentation=man:virtlogd(8)
>  Documentation=https://libvirt.org
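Review bot: the commit message only describes the stop side ("terminated immediately if any of its sockets disappear"), but `BindsTo=` combined with `After=` on the same unit also affects start-up: `systemctl start virtlogd.service` now pulls virtlogd-admin.socket in and fails if that socket is masked, instead of starting the daemon without its admin channel. That should be spelled out in the commit message; if it is not wanted for the admin socket, `Wants=virtlogd-admin.socket` gives the weaker relationship while `BindsTo=virtlogd.socket` still terminates the service when the main socket goes away.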
> diff --git a/src/virtd.service.in b/src/virtd.service.in
> index 21391a65b0..b9e6345e8c 100644
> --- a/src/virtd.service.in
> +++ b/src/virtd.service.in
> @@ -1,8 +1,11 @@
>  [Unit]
>  Description=@name@ daemon
> -Requires=@service at .socket
> -Requires=@service at -ro.socket
> -Requires=@service at -admin.socket
> +BindsTo=@service at .socket
> +BindsTo=@service at -ro.socket
> +BindsTo=@service at -admin.socket
> +After=@service at .socket
> +After=@service at -ro.socket
> +After=@service at -admin.socket
>  Conflicts=libvirtd.service
>  After=libvirtd.service
>  After=network.target
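Review bot: this template applies the hard binding to `@service@-ro.socket` too, which is exactly the socket the reply above says operators should be able to leave disabled to limit unprivileged exposure; with `BindsTo=` a stopped or masked -ro socket takes the whole daemon down, and a start of the daemon drags it back in. Suggest keeping `BindsTo=`/`After=` for `@service@.socket` only and declaring `@service@-ro.socket` and `@service@-admin.socket` with `Wants=` (their `After=` lines unchanged), so losing the main socket still terminates the service while the optional sockets remain independently controllable. Since this file is the template for every modular daemon, the choice made here propagates to all of them.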
> -- 
> 2.41.0
> 

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
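As an added check for the question raised in this thread (example code written for this note, not part of libvirt or of the patch), the following script parses the [Unit] section of a systemd service file and reports which dependency directive binds each referenced socket, flagging sockets that look optional but are hard-bound so that stopping or masking them would stop the service. The directive ranking follows systemd.unit(5). The sample unit text is constructed from the virtd.service.in hunk above with the @service@ template expanded to virtqemud; the rule that names ending in -ro.socket or -admin.socket are "optional", and the ExecStart path, are assumptions made for the demo.

```python
"""Lint the socket dependencies declared by a systemd service unit.

Added example, not libvirt code. Reports, for each *.socket named in the
[Unit] section, the strongest dependency directive that pulls it in and
whether the service is ordered After= it, then flags optional sockets
that are hard-bound (BindsTo=/Requires=/Requisite=).
"""
import re
from collections import OrderedDict

# Pull-in directives from systemd.unit(5), strongest first.
DEP_DIRECTIVES = ("BindsTo", "Requires", "Requisite", "Wants")
HARD_DIRECTIVES = ("BindsTo", "Requires", "Requisite")
# Assumption for this demo: libvirt's -ro/-admin sockets are the optional ones.
OPTIONAL_SUFFIXES = ("-ro.socket", "-admin.socket")


def parse_unit_section(text):
    """Return {directive: [values]} for the [Unit] section only.

    systemd lets a directive repeat and lets one line hold a
    space-separated list; both forms are merged into one list.
    """
    deps = OrderedDict()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Unit" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        deps.setdefault(key.strip(), []).extend(value.split())
    return deps


def socket_bindings(text):
    """Map each referenced *.socket to (directive, ordered_after)."""
    deps = parse_unit_section(text)
    after = set(deps.get("After", []))
    bindings = OrderedDict()
    for directive in DEP_DIRECTIVES:          # strongest directive wins
        for unit in deps.get(directive, []):
            if unit.endswith(".socket") and unit not in bindings:
                bindings[unit] = (directive, unit in after)
    return bindings


def lint(text):
    """Return (socket, message) findings for the given unit file text."""
    findings = []
    for unit, (directive, ordered) in socket_bindings(text).items():
        if directive in HARD_DIRECTIVES and unit.endswith(OPTIONAL_SUFFIXES):
            findings.append((unit, f"{directive}= on an optional socket: "
                                   "stopping or masking it stops the service; "
                                   "use Wants= if it must stay optional"))
        if not ordered:
            findings.append((unit, "no After= ordering; the socket may not be "
                                   "active when the service starts"))
    return findings


# Constructed sample modelled on the patched src/virtd.service.in with
# @service@ expanded to virtqemud (ExecStart path is illustrative only).
PATCHED_UNIT = """\
[Unit]
Description=virtqemud daemon
BindsTo=virtqemud.socket
BindsTo=virtqemud-ro.socket
BindsTo=virtqemud-admin.socket
After=virtqemud.socket
After=virtqemud-ro.socket
After=virtqemud-admin.socket
Conflicts=libvirtd.service
After=libvirtd.service
After=network.target

[Service]
Type=notify
ExecStart=/usr/sbin/virtqemud
"""

# Same unit with only the main socket hard-bound, so the -ro and -admin
# sockets can be disabled without taking the daemon down.
RELAXED_UNIT = PATCHED_UNIT.replace(
    "BindsTo=virtqemud-ro.socket", "Wants=virtqemud-ro.socket").replace(
    "BindsTo=virtqemud-admin.socket", "Wants=virtqemud-admin.socket")


if __name__ == "__main__":
    for label, unit_text in (("patched", PATCHED_UNIT), ("relaxed", RELAXED_UNIT)):
        print(f"== {label} ==")
        for sock, msg in lint(unit_text) or [("-", "no findings")]:
            print(f"  {sock}: {msg}")
```

Run it on a real unit with `lint(open("/etc/systemd/system/virtqemud.service").read())`; the parser deliberately ignores drop-ins, so check the effective unit with `systemctl cat` first if overrides are in play.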