From: Arun Menon <armenon@redhat.com>
The monolithic libvirtd.service currently has a dependency on
virt-secret-init-encryption.service. This causes libvirtd to fail
to start on systems where the secret driver is not installed or
enabled, as systemd cannot satisfy the Requires= / After= units or the
LoadCredentialEncrypted= path. See below,
Requires=virt-secret-init-encryption.service
After=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
This patch decouples the secrets encryption logic from the main
libvirtd service file. It is moved into a new systemd drop-in
(50-libvirtd-secret.conf) which is only installed when libvirt is built
with secret driver support. The override snippet is added to the
daemon-driver-secret package.
Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon <armenon@redhat.com>
Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com>
---
libvirt.spec.in | 2 ++
src/remote/libvirtd-secret.conf.in | 7 +++++++
src/remote/libvirtd.service.in | 4 ----
src/remote/meson.build | 15 +++++++++++++++
4 files changed, 24 insertions(+), 4 deletions(-)
create mode 100644 src/remote/libvirtd-secret.conf.in
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 00316a03f2..d840c829d1 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -2259,6 +2259,8 @@ exit 0
%{_unitdir}/virtsecretd.socket
%{_unitdir}/virtsecretd-ro.socket
%{_unitdir}/virtsecretd-admin.socket
+%dir %attr(0700, root, root) %{_unitdir}/libvirtd.service.d/
+%{_unitdir}/libvirtd.service.d/50-libvirtd-secret.conf
%attr(0755, root, root) %{_sbindir}/virtsecretd
%dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/
%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/secrets/
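Review bot: The new `%{_unitdir}/libvirtd.service.d/` directory is packaged with mode 0700, which diverges from the rest of %{_unitdir} (unit directories are conventionally 0755) and makes the drop-in unreadable to unprivileged users inspecting the unit with `systemctl cat libvirtd` or `systemctl show`. The mode looks copied from the two secrets directories just below it, but the drop-in contains only a unit name and a key path, not key material, so the restriction buys nothing and can confuse debugging. Unless hiding the key path is intended, `%dir %{_unitdir}/libvirtd.service.d/` with default permissions would be consistent with the other unit files in this package.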
diff --git a/src/remote/libvirtd-secret.conf.in b/src/remote/libvirtd-secret.conf.in
new file mode 100644
index 0000000000..d64a6cf63e
--- /dev/null
+++ b/src/remote/libvirtd-secret.conf.in
@@ -0,0 +1,7 @@
+[Unit]
+Requires=@service@
+After=@service@
+
+[Service]
+Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
+LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
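Review bot: The new drop-in has no comment explaining why the secret-related directives live in a separate file rather than in libvirtd.service.in, so a reader finding it under libvirtd.service.d/ has no pointer back to the build condition that installs it. Systemd unit files accept `#` comments; a two-line header such as `# Installed only when libvirt is built with the secret driver (WITH_SECRETS).` and `# Keeps libvirtd.service startable when @service@ is not present on the system.` would document the intent in place. The hard Requires= on the init-encryption unit is unchanged from the original service file and is not re-raised here.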
diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in
index 7965010a0a..b0a062e885 100644
--- a/src/remote/libvirtd.service.in
+++ b/src/remote/libvirtd.service.in
@@ -12,8 +12,6 @@ After=libvirtd.socket
After=libvirtd-ro.socket
After=libvirtd-admin.socket
Requires=virtlogd.socket
-Requires=virt-secret-init-encryption.service
-After=virt-secret-init-encryption.service
Wants=virtlockd.socket
After=virtlogd.socket
After=virtlockd.socket
@@ -31,8 +29,6 @@ Conflicts=xendomains.service
Type=notify-reload
Environment=LIBVIRTD_ARGS="--timeout 120"
EnvironmentFile=-@initconfdir@/libvirtd
-Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
-LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
diff --git a/src/remote/meson.build b/src/remote/meson.build
index e503263266..f1c521444f 100644
--- a/src/remote/meson.build
+++ b/src/remote/meson.build
@@ -343,4 +343,19 @@ if conf.has('WITH_SASL')
)
endif
+# The monolithic libvirt daemon only attempts to load the
+# secrets encryption credentials if the secret driver is enabled
+if conf.has('WITH_SECRETS')
+ secret_dropin_conf = configuration_data()
+ secret_dropin_conf.set('service', 'virt-secret-init-encryption.service')
+ secret_dropin_conf.set('localstatedir', localstatedir)
+
+ configure_file(
+ input: 'libvirtd-secret.conf.in',
+ output: '50-libvirtd-secret.conf',
+ configuration: secret_dropin_conf,
+ install_dir: unitdir / 'libvirtd.service.d'
+ )
+endif
+
remote_inc_dir = include_directories('.')
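Review bot: The drop-in is installed whenever `conf.has('WITH_SECRETS')`, but it only has an effect if libvirtd.service itself is installed; if this file gates the libvirtd unit files on a separate build condition (the surrounding sections are outside the hunk, so this is inferred), the new block should use the same gate, otherwise a modular-only build ships an orphan drop-in for a unit that does not exist. The header comment also describes the daemon's behaviour rather than what the block does; wording it as `# Install a libvirtd.service drop-in that wires in the secrets encryption` / `# credentials; only meaningful when the secret driver is built in.` would match what the code below actually does. The unit name `virt-secret-init-encryption.service` is hard-coded here as a string, so if the same name is generated elsewhere in the build it would be worth referencing that variable instead.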
--
2.53.0