From: Arun Menon via Devel
Reply-To: Arun Menon
To: devel@lists.libvirt.org
CC: Arun Menon
Subject: [PATCH] remote: Move secrets encryption dependency to a systemd drop-in
Date: Mon, 30 Mar 2026 21:44:51 +0530
Message-ID: <20260330161451.87796-1-armenon@redhat.com>

From: Arun Menon

The monolithic libvirtd.service currently has a dependency on
virt-secret-init-encryption.service. This causes libvirtd to fail to
start on systems where the secret driver is not installed or enabled,
as systemd cannot satisfy the Requires= / After= units or the
LoadCredentialEncrypted= path. See below,

Requires=virt-secret-init-encryption.service
After=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key

This patch decouples the secrets encryption logic from the main
libvirtd service file. It is moved into a new systemd drop-in
(50-libvirtd-secret.conf) which is only installed when libvirt is
built with secret driver support. The override snippet is added to
the daemon-driver-secret package.

Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon
Fix-Suggested-by: Andrea Bolognani
---
 libvirt.spec.in                    |  2 ++
 src/remote/libvirtd-secret.conf.in |  7 +++++++
 src/remote/libvirtd.service.in     |  4 ----
 src/remote/meson.build             | 15 +++++++++++++++
 4 files changed, 24 insertions(+), 4 deletions(-)
 create mode 100644 src/remote/libvirtd-secret.conf.in

diff --git a/libvirt.spec.in b/libvirt.spec.in index 00316a03f2..d840c829d1 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -2259,6 +2259,8 @@ exit 0 %{_unitdir}/virtsecretd.socket %{_unitdir}/virtsecretd-ro.socket %{_unitdir}/virtsecretd-admin.socket +%dir %attr(0700, root, root) %{_unitdir}/libvirtd.service.d/ +%{_unitdir}/libvirtd.service.d/50-libvirtd-secret.conf %attr(0755, root, root) %{_sbindir}/virtsecretd %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/ %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/secrets/ diff --git a/src/remote/libvirtd-secret.conf.in b/src/remote/libvirtd-secre= t.conf.in new file mode 100644 index 0000000000..d64a6cf63e --- /dev/null +++ b/src/remote/libvirtd-secret.conf.in 
@@ -0,0 +1,7 @@ +[Unit] +Requires=3D@service@ +After=3D@service@ + +[Service] +Environment=3DSECRETS_ENCRYPTION_KEY=3D%d/secrets-encryption-key +LoadCredentialEncrypted=3Dsecrets-encryption-key:@localstatedir@/lib/libvi= rt/secrets/secrets-encryption-key diff --git a/src/remote/libvirtd.service.in b/src/remote/libvirtd.service.in index 7965010a0a..b0a062e885 100644 --- a/src/remote/libvirtd.service.in +++ b/src/remote/libvirtd.service.in @@ -12,8 +12,6 @@ After=3Dlibvirtd.socket After=3Dlibvirtd-ro.socket After=3Dlibvirtd-admin.socket Requires=3Dvirtlogd.socket -Requires=3Dvirt-secret-init-encryption.service -After=3Dvirt-secret-init-encryption.service Wants=3Dvirtlockd.socket After=3Dvirtlogd.socket After=3Dvirtlockd.socket @@ -31,8 +29,6 @@ Conflicts=3Dxendomains.service Type=3Dnotify-reload Environment=3DLIBVIRTD_ARGS=3D"--timeout 120" EnvironmentFile=3D-@initconfdir@/libvirtd -Environment=3DSECRETS_ENCRYPTION_KEY=3D%d/secrets-encryption-key -LoadCredentialEncrypted=3Dsecrets-encryption-key:@localstatedir@/lib/libvi= rt/secrets/secrets-encryption-key ExecStart=3D@sbindir@/libvirtd $LIBVIRTD_ARGS ExecReload=3D/bin/kill -HUP $MAINPID KillMode=3Dprocess diff --git a/src/remote/meson.build b/src/remote/meson.build index e503263266..f1c521444f 100644 --- a/src/remote/meson.build +++ b/src/remote/meson.build @@ -343,4 +343,19 @@ if conf.has('WITH_SASL') ) endif =20 +# The monolithic libvirt daemon only attempts to load the +# secrets encryption credentials if the secret driver is enabled +if conf.has('WITH_SECRETS') + secret_dropin_conf =3D configuration_data() + secret_dropin_conf.set('service', 'virt-secret-init-encryption.service') + secret_dropin_conf.set('localstatedir', localstatedir) + + configure_file( + input: 'libvirtd-secret.conf.in', + output: '50-libvirtd-secret.conf', + configuration: secret_dropin_conf, + install_dir: unitdir / 'libvirtd.service.d' + ) +endif + remote_inc_dir =3D include_directories('.') --=20 2.53.0
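
Review bot: In the libvirt.spec.in hunk, the added "%dir %attr(0700, root, root) %{_unitdir}/libvirtd.service.d/" gives a systemd drop-in directory the same mode as the two secrets directories listed just below it. The drop-in installed there holds only the unit dependency and the path of the encrypted credential, not key material, so 0700 protects nothing and leaves non-root users unable to read the drop-in file. Suggest dropping the %attr so the directory is packaged like the other %{_unitdir} entries in this list, or explaining in the commit message why it has to be private.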
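
Review bot: The new src/remote/libvirtd-secret.conf.in has no header comment, and its Requires=/After= lines use the @service@ placeholder, so the template does not show which unit libvirtd depends on. Since meson.build sets 'service' to one fixed value, consider writing virt-secret-init-encryption.service directly in the template, and add a short comment saying that this drop-in ships with the secret driver package and that Requires= makes libvirtd startup depend on that unit starting successfully.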
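
Review bot: In the src/remote/meson.build hunk, the unit name passed to secret_dropin_conf.set('service', ...) is a string literal that duplicates a name defined elsewhere. If that unit is ever renamed, the generated 50-libvirtd-secret.conf will carry a Requires= on a unit that does not exist, and libvirtd will fail to start, which is the failure mode the commit message sets out to fix. Consider taking the name from wherever virt-secret-init-encryption.service is installed, or at least add a comment here pointing to that place so the two stay in sync.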