remote: Move secrets encryption dependency to a systemd drop-in
authorArun Menon <armenon@redhat.com>
Mon, 6 Apr 2026 10:53:25 +0000 (16:23 +0530)
committerAndrea Bolognani <abologna@redhat.com>
Tue, 7 Apr 2026 13:52:53 +0000 (15:52 +0200)
The monolithic libvirtd.service currently has a dependency on
virt-secret-init-encryption.service. This causes libvirtd to fail
to start on systems where the secret driver is not installed or
enabled, as systemd cannot satisfy the Requires= unit or the
LoadCredentialEncrypted= path. The directives in question are:

Requires=virt-secret-init-encryption.service
LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key

This patch decouples the secrets encryption logic from the main
libvirtd service file. It is moved into a new systemd drop-in
(10-secret.conf) which is only installed when libvirt is built
with secret driver support. The override snippet is added to the
daemon-driver-secret package.

Fixes: 97758bc9a0b1fccf8c0009308658f1204b113b89
Signed-off-by: Arun Menon <armenon@redhat.com>
Fix-Suggested-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
libvirt.spec.in
src/remote/libvirtd-secret.conf.in [new file with mode: 0644]
src/remote/libvirtd.service.in
src/remote/meson.build

index 00316a03f2d37f42cec13d927a550b038c5b47eb..2fddfcd606d1e9f63016a76d6ac437c2c727da6d 100644 (file)
@@ -2259,6 +2259,8 @@ exit 0
 %{_unitdir}/virtsecretd.socket
 %{_unitdir}/virtsecretd-ro.socket
 %{_unitdir}/virtsecretd-admin.socket
+%dir %attr(0755, root, root) %{_unitdir}/libvirtd.service.d/
+%{_unitdir}/libvirtd.service.d/10-secret.conf
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %dir %attr(0700, root, root) %{_sysconfdir}/libvirt/secrets/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/secrets/
diff --git a/src/remote/libvirtd-secret.conf.in b/src/remote/libvirtd-secret.conf.in
new file mode 100644 (file)
index 0000000..a718b44
--- /dev/null
@@ -0,0 +1,7 @@
+[Unit]
+Requires=virt-secret-init-encryption.service
+After=virt-secret-init-encryption.service
+
+[Service]
+Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
+LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
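Review bot: The new drop-in has no comment saying which unit it extends or why, so an administrator reading the merged unit sees a bare `Requires=` and a credential line with no context. A header such as `# Shipped with the secret driver: orders libvirtd after the encryption-key setup and loads the key as a credential` would cover it. Next to the `Environment=` line it is worth adding `# %d is the unit's credentials directory; this variable holds a path, not key material`, since that is the property a security reviewer will want to confirm. Because `Requires=` is paired with `After=`, a failure of virt-secret-init-encryption.service keeps libvirtd from starting whenever this drop-in is installed; the header should say that this is intended.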
index 7965010a0a79ca5e1664e7cceab2f7a152aed9f5..b0a062e8858bd99d38e91e426a9fa093d11632d4 100644 (file)
@@ -12,8 +12,6 @@ After=libvirtd.socket
 After=libvirtd-ro.socket
 After=libvirtd-admin.socket
 Requires=virtlogd.socket
-Requires=virt-secret-init-encryption.service
-After=virt-secret-init-encryption.service
 Wants=virtlockd.socket
 After=virtlogd.socket
 After=virtlockd.socket
@@ -31,8 +29,6 @@ Conflicts=xendomains.service
 Type=notify-reload
 Environment=LIBVIRTD_ARGS="--timeout 120"
 EnvironmentFile=-@initconfdir@/libvirtd
-Environment=SECRETS_ENCRYPTION_KEY=%d/secrets-encryption-key
-LoadCredentialEncrypted=secrets-encryption-key:@localstatedir@/lib/libvirt/secrets/secrets-encryption-key
 ExecStart=@sbindir@/libvirtd $LIBVIRTD_ARGS
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=process
index e503263266b6a84fb6cdd29bde79c19a0b614229..dfd61df62fbf6d1a87fc7777bccf3fda4421429f 100644 (file)
@@ -343,4 +343,19 @@ if conf.has('WITH_SASL')
   )
 endif
 
+# The monolithic libvirt daemon only attempts to load the
+# secrets encryption credentials if the secret driver is enabled
+if conf.has('WITH_SECRETS')
+  secret_dropin_conf = configuration_data({
+    'localstatedir': localstatedir,
+  })
+
+  configure_file(
+    input: 'libvirtd-secret.conf.in',
+    output: '10-secret.conf',
+    configuration: secret_dropin_conf,
+    install_dir: unitdir / 'libvirtd.service.d',
+  )
+endif
+
 remote_inc_dir = include_directories('.')
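Review bot: The block is gated only on `conf.has('WITH_SECRETS')`, yet the file it installs is a drop-in for libvirtd.service. A build with the secret driver but without the monolithic daemon would presumably still install `libvirtd.service.d/10-secret.conf` for a unit that is not shipped. The condition that guards the libvirtd unit itself is outside this hunk; if there is one, repeating it here keeps the drop-in and the unit in step. The comment also describes daemon behaviour rather than what the block does; `# Install the libvirtd.service drop-in that loads the secrets encryption key, only when the secret driver is built` matches the code more closely.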