1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
|
===============
Libvirt Daemons
===============
.. contents::
A libvirt deployment for accessing one of the stateful drivers will require
one or more daemons to be deployed on the virtualization host. There are a
number of ways the daemons can be configured which will be outlined in this
page.
Architectural options
=====================
Monolithic vs modular daemons
-----------------------------
Traditionally libvirt provided a single monolithic daemon called ``libvirtd``
which exposed support for all the stateful drivers, both primary hypervisor
drivers and secondary supporting drivers. It also enables secure remote access
from clients running off host.
Work is underway for the monolithic daemon to be replaced by a new set of
modular daemons ``virt${DRIVER}d``, each one servicing a single stateful
driver. A further ``virtproxyd`` daemon will provide secure remote access, as
well as backcompatibility for clients using the UNIX socket path of the
monolithic daemon.
The change to modular daemons should not affect API functionality used by
management applications. It will, however, have an impact on host provisioning
tools since there are new systemd services and configuration files to be
managed.
Currently both monolithic and modular daemons are built by default, but the RPC
client still prefers connecting to the monolithic daemon. It is intended to
switch the RPC client to prefer the modular daemons in the near future. At
least 1 year after this switch (but not more than 2 years), the monolithic
daemon will be deleted entirely.
Operating modes
---------------
The libvirt daemons, whether monolithic or modular, can often operate in two
modes
* *System mode* - the daemon is running as the root user account, enabling
access to its full range of functionality. A read-write connection to
daemons in system mode **typically implies privileges equivalent to having
a root shell**. Suitable `authentication mechanisms <auth.html>`__ **must
be enabled** to secure it against untrustworthy clients/users.
* *Session mode* - the daemon is running as any non-root user account,
providing access to a more restricted range of functionality. Only client
apps/users running under **the same UID are permitted to connect**, thus a
connection does not imply any elevation of privileges.
Not all drivers support session mode and as such the corresponding
modular daemon may not support running in this mode
Monolithic driver daemon
========================
The monolithic daemon is known as ``libvirtd`` and has historically been the
default in libvirt. It is configured via the file ``/etc/libvirt/libvirtd.conf``
Monolithic sockets
------------------
When running in system mode, ``libvirtd`` exposes three UNIX domain sockets, and
optionally, one or two TCP sockets:
* ``/var/run/libvirt/libvirt-sock`` - the primary socket for accessing libvirt
APIs, with full read-write privileges. A connection to this socket gives the
client privileges that are equivalent to having a root shell. This is the
socket that most management applications connect to by default.
* ``/var/run/libvirt/libvirt-sock-ro`` - the secondary socket for accessing
libvirt APIs, with limited read-only privileges. A connection to this socket
gives the ability to query the existence of objects and monitor some aspects
of their operation. This is the socket that most management applications
connect to when requesting read only mode. Typically this is what a
monitoring app would use.
* ``/var/run/libvirt/libvirt-admin-sock`` - the administrative socket for
controlling operation of the daemon itself (as opposed to drivers it is
running). This can be used to dynamically reconfigure some aspects of the
daemon and monitor/control connected clients.
* ``TCP 16509`` - the non-TLS socket for remotely accessing the libvirt APIs,
with full read-write privileges. A connection to this socket gives the
client privileges that are equivalent to having a root shell. Since it does
not use TLS, an `authentication mechanism <auth.html>`__ that provides
encryption must be used. Only the GSSAPI/Kerberos mechanism is capable of
satisfying this requirement. In general applications should not use this
socket except for debugging in a development/test environment.
* ``TCP 16514`` - the TLS socket for remotely accessing the libvirt APIs,
with full read-write privileges. A connection to this socket gives the
client privileges that are equivalent to having a root shell. Access control
can be enforced either through validation of `x509 certificates
<kbase/tlscerts.html>`__, and/or by enabling an `authentication mechanism
<auth.html>`__.
NB, some distros will use ``/run`` instead of ``/var/run``.
When running in session mode, ``libvirtd`` exposes two UNIX domain sockets:
* ``$XDG_RUNTIME_DIR/libvirt/libvirt-sock`` - the primary socket for accessing
libvirt APIs, with full read-write privileges. A connection to this socket
does not alter the privileges that the client already has. This is the
socket that most management applications connect to by default.
* ``$XDG_RUNTIME_DIR/libvirt/libvirt-admin-sock`` - the administrative socket
for controlling operation of the daemon itself (as opposed to drivers it is
running). This can be used to dynamically reconfigure some aspects of the
daemon and monitor/control connected clients.
Notice that the session mode does not have a separate read-only socket. Since
the clients must be running as the same user as the daemon itself, there is
not any security benefit from attempting to enforce a read-only mode.
``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
such as ``/run/user/$UID``.
Monolithic Systemd Integration
------------------------------
When the ``libvirtd`` daemon is managed by ``systemd`` a number of desirable
features are available, most notably socket activation.
Libvirt ships a number of unit files for controlling ``libvirtd``:
* ``libvirtd.service`` - the main unit file for launching the ``libvirtd``
daemon in system mode. The command line arguments passed can be configured by
editing ``/etc/sysconfig/libvirtd``. This is typically only needed to control
the use of the auto shutdown timeout value. It is recommended that this
service unit be configured to start on boot. This is because various
libvirt drivers support autostart of their objects. If it is known that
autostart is not required, this unit can be left to start on demand.
* ``libvirtd.socket`` - the unit file corresponding to the main read-write
UNIX socket ``/var/run/libvirt/libvirt-sock``. This socket is recommended to
be started on boot by default.
* ``libvirtd-ro.socket`` - the unit file corresponding to the main read-only
UNIX socket ``/var/run/libvirt/libvirt-sock-ro``. This socket is recommended
to be started on boot by default.
* ``libvirtd-admin.socket`` - the unit file corresponding to the administrative
UNIX socket ``/var/run/libvirt/libvirt-admin-sock``. This socket is
recommended to be started on boot by default.
* ``libvirtd-tcp.socket`` - the unit file corresponding to the TCP 16509 port
for non-TLS remote access. This socket should not be configured to start on
boot until the administrator has configured a suitable authentication
mechanism.
* ``libvirtd-tls.socket`` - the unit file corresponding to the TCP 16509 port
for TLS remote access. This socket should not be configured to start on boot
until the administrator has deployed x509 certificates and optionally
configured a suitable authentication mechanism.
NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
The socket unit files are newly introduced in 5.6.0. On newly installed hosts
the UNIX socket units should be enabled by default. When upgrading an existing
host from a previous version of libvirt, the socket unit files will be masked
if ``libvirtd`` is currently configured to use the ``--listen`` argument, since
the ``--listen`` argument is mutually exclusive with use of socket activation.
When systemd socket activation is used a number of configuration settings in
``libvirtd.conf`` are no longer honoured. Instead these settings must be
controlled via the system unit files
* ``listen_tcp`` - TCP socket usage is enabled by starting the
``libvirtd-tcp.socket`` unit file.
* ``listen_tls`` - TLS socket usage is enabled by starting the
``libvirtd-tls.socket`` unit file.
* ``tcp_port`` - Port for the non-TLS TCP socket, controlled via the
``ListenStream`` parameter in the ``libvirtd-tcp.socket`` unit file.
* ``tls_port`` - Port for the TLS TCP socket, controlled via the
``ListenStream`` parameter in the ``libvirtd-tls.socket`` unit file.
* ``listen_addr`` - IP address to listen on, independently controlled via the
``ListenStream`` parameter in the ``libvirtd-tcp.socket`` or
``libvirtd-tls.socket`` unit files.
* ``unix_sock_group`` - UNIX socket group owner, controlled via the
``SocketGroup`` parameter in the ``libvirtd.socket`` and
``libvirtd-ro.socket`` unit files
* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``libvirtd-ro.socket`` unit file
* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
the ``SocketMode`` parameter in the ``libvirtd.socket`` unit file
* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``libvirtd-admin.socket`` unit file
* ``unix_sock_dir`` - directory in which all UNIX sockets are created
independently controlled via the ``ListenStream`` parameter in any of the
``libvirtd.socket``, ``libvirtd-ro.socket`` and ``libvirtd-admin.socket`` unit
files.
Modular driver daemons
======================
The modular daemons are named after the driver which they are running, with
the pattern ``virt${DRIVER}d`` and will become the default in future libvirt.
They are configured via the files ``/etc/libvirt/virt${DRIVER}d.conf``
The following modular daemons currently exist for hypervisor drivers
* ``virtqemud`` - the QEMU management daemon, for running virtual machines
on UNIX platforms, optionally with KVM acceleration, in either system or
session mode
* ``virtxend`` - the Xen management daemon, for running virtual machines
on the Xen hypervisor, in system mode only
* ``virtlxcd`` - the Linux Container management daemon, for running LXC guests
in system mode only
* ``virtbhyved`` - the BHyve management daemon, for running virtual machines
on FreeBSD with the BHyve hypervisor, in system mode.
* ``virtvboxd`` - the VirtualBox management daemon, for running virtual machines
on UNIX platforms.
The additional modular daemons service secondary drivers
* ``virtinterfaced`` - the host NIC management daemon, in system mode only
* ``virtnetworkd`` - the virtual network management daemon, in system mode only
* ``virtnodedevd`` - the host physical device management daemon, in system mode
only
* ``virtnwfilterd`` - the host firewall management daemon, in system mode only
* ``virtsecretd`` - the host secret management daemon, in system or session mode
* ``virtstoraged`` - the host storage management daemon, in system or session
mode
Modular Sockets
---------------
When running in system mode, ``virt${DRIVER}d`` exposes three UNIX domain
sockets:
* ``/var/run/libvirt/virt${DRIVER}d-sock`` - the primary socket for accessing
libvirt APIs, with full read-write privileges. For many of the daemons, a
connection to this socket gives the client privileges that are equivalent to
having a root shell. This is the socket that most management applications
connect to by default.
* ``/var/run/libvirt/virt${DRIVER}d-sock-ro`` - the secondary socket for
accessing libvirt APIs, with limited read-only privileges. A connection to
this socket gives the ability to query the existence of objects and monitor
some aspects of their operation. This is the socket that most management
applications connect to when requesting read only mode. Typically this is
what a monitoring app would use.
* ``/var/run/libvirt/virt${DRIVER}d-admin-sock`` - the administrative socket for
controlling operation of the daemon itself (as opposed to drivers it is
running). This can be used to dynamically reconfigure some aspects of the
daemon and monitor/control connected clients.
NB, some distros will use ``/run`` instead of ``/var/run``.
When running in session mode, ``virt${DRIVER}d`` exposes two UNIX domain sockets:
* ``$XDG_RUNTIME_DIR/libvirt/virt${DRIVER}d-sock`` - the primary socket for
accessing libvirt APIs, with full read-write privileges. A connection to this
socket does not alter the privileges that the client already has. This is the
socket that most management applications connect to by default.
* ``$XDG_RUNTIME_DIR/libvirt/virt${DRIVER}d-admin-sock`` - the administrative
socket for controlling operation of the daemon itself (as opposed to drivers
it is running). This can be used to dynamically reconfigure some aspects of
the daemon and monitor/control connected clients.
Notice that the session mode does not have a separate read-only socket. Since
the clients must be running as the same user as the daemon itself, there is
not any security benefit from attempting to enforce a read-only mode.
``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
such as ``/run/user/$UID``.
Modular Systemd Integration
---------------------------
When the ``virt${DRIVER}d`` daemon is managed by ``systemd`` a number of
desirable features are available, most notably socket activation.
Libvirt ships a number of unit files for controlling ``virt${DRIVER}d``:
* ``virt${DRIVER}d.service`` - the main unit file for launching the
``virt${DRIVER}d`` daemon in system mode. The command line arguments passed
can be configured by editing ``/etc/sysconfig/virt${DRIVER}d``. This is
typically only needed to control the use of the auto shutdown timeout value.
It is recommended that this service unit be configured to start on boot.
This is because various libvirt drivers support autostart of their objects.
If it is known that autostart is not required, this unit can be left to start
on demand.
* ``virt${DRIVER}d.socket`` - the unit file corresponding to the main read-write
UNIX socket ``/var/run/libvirt/virt${DRIVER}d-sock``. This socket is
recommended to be started on boot by default.
* ``virt${DRIVER}d-ro.socket`` - the unit file corresponding to the main
read-only UNIX socket ``/var/run/libvirt/virt${DRIVER}d-sock-ro``. This
socket is recommended to be started on boot by default.
* ``virt${DRIVER}d-admin.socket`` - the unit file corresponding to the
administrative UNIX socket ``/var/run/libvirt/virt${DRIVER}d-admin-sock``.
This socket is recommended to be started on boot by default.
NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
The socket unit files are newly introduced in 5.6.0. On newly installed hosts
the UNIX socket units should be enabled by default. When upgrading an existing
host from a previous version of libvirt, the socket unit files will be masked
if ``virt${DRIVER}d`` is currently configured to use the ``--listen`` argument,
since the ``--listen`` argument is mutually exclusive with use of socket
activation.
When systemd socket activation is used a number of configuration settings in
``virt${DRIVER}d.conf`` are no longer honoured. Instead these settings must be
controlled via the system unit files:
* ``unix_sock_group`` - UNIX socket group owner, controlled via the
``SocketGroup`` parameter in the ``virt${DRIVER}d.socket`` and
``virt${DRIVER}d-ro.socket`` unit files
* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virt${DRIVER}d-ro.socket`` unit file
* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
the ``SocketMode`` parameter in the ``virt${DRIVER}d.socket`` unit file
* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virt${DRIVER}d-admin.socket`` unit file
* ``unix_sock_dir`` - directory in which all UNIX sockets are created
independently controlled via the ``ListenStream`` parameter in any of the
``virt${DRIVER}d.socket``, ``virt${DRIVER}d-ro.socket`` and
``virt${DRIVER}d-admin.socket`` unit files.
Switching to modular daemons
----------------------------
If a host is currently set to use the monolithic ``libvirtd`` daemon and needs
to be migrated to the modular daemons a number of services need to be
changed. The steps below outline the process on hosts using the systemd init
service.
While it is technically possible to do this while virtual machines are running,
it is recommended that virtual machines be stopped or live migrated to a new
host first.
#. Stop the current monolithic daemon and its socket units
::
$ systemctl stop libvirtd.service
$ systemctl stop libvirtd{,-ro,-admin,-tcp,-tls}.socket
#. Disable future start of the monolithic daemon
::
$ systemctl disable libvirtd.service
$ systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
For stronger protection it is valid to use ``mask`` instead of ``disable``
too.
#. Enable the new daemons for the particular virtualizationd driver desired,
and any of the secondary drivers to accompany it. The following example
enables the QEMU driver and all the secondary drivers:
::
$ for drv in qemu interface network nodedev nwfilter secret storage
do
systemctl unmask virt${drv}d.service
systemctl unmask virt${drv}d{,-ro,-admin}.socket
systemctl enable virt${drv}d.service
systemctl enable virt${drv}d{,-ro,-admin}.socket
done
#. Start the sockets for the same set of daemons. There is no need to start the
services as they will get started when the first socket connection is
established
::
$ for drv in qemu network nodedev nwfilter secret storage
do
systemctl start virt${drv}d{,-ro,-admin}.socket
done
#. If connections from remote hosts need to be supported the proxy daemon
must be enabled and started
::
$ systemctl unmask virtproxyd.service
$ systemctl unmask virtproxyd{,-ro,-admin}.socket
$ systemctl enable virtproxyd.service
$ systemctl enable virtproxyd{,-ro,-admin}.socket
$ systemctl start virtproxyd{,-ro,-admin}.socket
The UNIX sockets allow for remote access using SSH tunneling. If ``libvirtd``
had TCP or TLS sockets configured, those should be started too
::
$ systemctl unmask virtproxyd-tls.socket
$ systemctl enable virtproxyd-tls.socket
$ systemctl start virtproxyd-tls.socket
Checking whether modular/monolithic mode is in use
==================================================
New distributions are likely to use the modular mode although the upgrade
process preserves whichever mode was in use before the upgrade.
To determine whether modular or monolithic mode is in use on a host running
``systemd`` as the init system you can take the following steps:
#. Check whether the modular daemon infrastructure is in use
First check whether the modular daemon you are interested (see
`Modular driver daemons`_ for a summary of which daemons are provided by
libvirt) in is running:
#. Check ``.socket`` for socket activated services
::
# systemctl is-active virtqemud.socket
active
#. Check ``.service`` for always-running daemons
::
# systemctl is-active virtqemud.service
active
If either of the above is ``active`` your system is using the modular daemons.
#. Check whether the monolithic daemon is in use
#. Check ``libvirtd.socket``
::
# systemctl is-active libvirtd.socket
active
#. Check ``libvirtd.service`` for always-running daemon
::
# systemctl is-active libvirtd.service
active
If either of the above is ``active`` your system is using the monolithic
daemon.
#. To determine which of the above will be in use on the next boot of the system,
substitute ``is-enabled`` for ``is-active`` in the above examples.
Proxy daemon
============
Proxy sockets
-------------
When running in system mode, ``virtproxyd`` exposes three UNIX domain sockets,
and optionally, one or two TCP sockets. These sockets are identical to those
provided by the traditional ``libvirtd`` so refer to earlier documentation in
this page.
When running in session mode, ``virtproxyd`` exposes two UNIX domain sockets,
which are again identical to those provided by ``libvirtd``.
Proxy Systemd Integration
-------------------------
When the ``virtproxyd`` daemon is managed by ``systemd`` a number of desirable
features are available, most notably socket activation.
Libvirt ships a number of unit files for controlling ``virtproxyd``:
* ``virtproxyd.service`` - the main unit file for launching the ``virtproxyd``
daemon in system mode. The command line arguments passed can be configured by
editing ``/etc/sysconfig/virtproxyd``. This is typically only needed to
control the use of the auto shutdown timeout value.
* ``virtproxyd.socket`` - the unit file corresponding to the main read-write
UNIX socket ``/var/run/libvirt/libvirt-sock``. This socket is recommended to
be started on boot by default.
* ``virtproxyd-ro.socket`` - the unit file corresponding to the main read-only
UNIX socket ``/var/run/libvirt/libvirt-sock-ro``. This socket is recommended
to be started on boot by default.
* ``virtproxyd-admin.socket`` - the unit file corresponding to the
administrative UNIX socket ``/var/run/libvirt/libvirt-admin-sock``. This
socket is recommended to be started on boot by default.
* ``virtproxyd-tcp.socket`` - the unit file corresponding to the TCP 16509 port
for non-TLS remote access. This socket should not be configured to start on
boot until the administrator has configured a suitable authentication
mechanism.
* ``virtproxyd-tls.socket`` - the unit file corresponding to the TCP 16509 port
for TLS remote access. This socket should not be configured to start on boot
until the administrator has deployed x509 certificates and optionally
configured a suitable authentication mechanism.
NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
The socket unit files are newly introduced in 5.6.0. On newly installed hosts
the UNIX socket units should be enabled by default. When upgrading an existing
host from a previous version of libvirt, the socket unit files will be masked
if ``virtproxyd`` is currently configured to use the ``--listen`` argument, since
the ``--listen`` argument is mutually exclusive with use of socket activation.
When systemd socket activation is used a number of configuration settings in
``virtproxyd.conf`` are no longer honoured. Instead these settings must be
controlled via the system unit files. Refer to the earlier documentation on
the ``libvirtd`` service socket configuration for further information.
Logging daemon
==============
The ``virtlogd`` daemon provides a service for managing log files associated
with QEMU virtual machines. The QEMU process is given one or more pipes, the
other end of which are owned by the ``virtlogd`` daemon. It will then write
data on those pipes to log files, while enforcing a maximum file size and
performing log rollover at the size limit.
Since the daemon holds open anonymous pipe file descriptors, it must never be
stopped while any QEMU virtual machines are running. To enable software updates
to be applied, the daemon is capable of re-executing itself while keeping all
file descriptors open. This can be triggered by sending the daemon ``SIGUSR1``
Logging Sockets
---------------
When running in system mode, ``virtlogd`` exposes two UNIX domain sockets:
* ``/var/run/libvirt/virtlogd-sock`` - the primary socket for accessing
libvirt APIs, with full read-write privileges. Access to the socket is
restricted to the root user.
* ``/var/run/libvirt/virtlogd-admin-sock`` - the administrative socket for
controlling operation of the daemon itself (as opposed to drivers it is
running). This can be used to dynamically reconfigure some aspects of the
daemon and monitor/control connected clients.
NB, some distros will use ``/run`` instead of ``/var/run``.
When running in session mode, ``virtlogd`` exposes two UNIX domain sockets:
* ``$XDG_RUNTIME_DIR/libvirt/virtlogd-sock`` - the primary socket for
accessing libvirt APIs, with full read-write privileges. Access to the
socket is restricted to the unprivileged user running the daemon.
* ``$XDG_RUNTIME_DIR/libvirt/virtlogd-admin-sock`` - the administrative
socket for controlling operation of the daemon itself (as opposed to drivers
it is running). This can be used to dynamically reconfigure some aspects of
the daemon and monitor/control connected clients.
``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
such as ``/run/user/$UID``.
Logging Systemd Integration
---------------------------
When the ``virtlogd`` daemon is managed by ``systemd`` a number of desirable
features are available, most notably socket activation.
Libvirt ships a number of unit files for controlling ``virtlogd``:
* ``virtlogd.service`` - the main unit file for launching the
``virtlogd`` daemon in system mode. The command line arguments passed
can be configured by editing ``/etc/sysconfig/virtlogd``. This is
typically only needed to control the use of the auto shutdown timeout value.
* ``virtlogd.socket`` - the unit file corresponding to the main read-write
UNIX socket ``/var/run/libvirt/virtlogd-sock``. This socket is recommended
to be started on boot by default.
* ``virtlogd-admin.socket`` - the unit file corresponding to the administrative
UNIX socket ``/var/run/libvirt/virtlogd-admin-sock``. This socket is
recommended to be started on boot by default.
NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
When systemd socket activation is used a number of configuration settings in
``virtlogd.conf`` are no longer honoured. Instead these settings must be
controlled via the system unit files:
* ``unix_sock_group`` - UNIX socket group owner, controlled via the
``SocketGroup`` parameter in the ``virtlogd.socket`` and
``virtlogd-ro.socket`` unit files
* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virtlogd-ro.socket`` unit file
* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
the ``SocketMode`` parameter in the ``virtlogd.socket`` unit file
* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virtlogd-admin.socket`` unit file
* ``unix_sock_dir`` - directory in which all UNIX sockets are created
independently controlled via the ``ListenStream`` parameter in any of the
``virtlogd.socket`` and ``virtlogd-admin.socket`` unit files.
Locking daemon
==============
The ``virtlockd`` daemon provides a service for holding locks against file
images and devices serving as backing storage for virtual disks. The locks
will be held for as long as there is a QEMU process running with the disk
open.
To ensure continuity of locking, the daemon holds open anonymous file
descriptors, it must never be stopped while any QEMU virtual machines are
running. To enable software updates to be applied, the daemon is capable of
re-executing itself while keeping all file descriptors open. This can be
triggered by sending the daemon ``SIGUSR1``
Locking Sockets
---------------
When running in system mode, ``virtlockd`` exposes two UNIX domain sockets:
* ``/var/run/libvirt/virtlockd-sock`` - the primary socket for accessing
libvirt APIs, with full read-write privileges. Access to the socket is
restricted to the root user.
* ``/var/run/libvirt/virtlockd-admin-sock`` - the administrative socket for
controlling operation of the daemon itself (as opposed to drivers it is
running). This can be used to dynamically reconfigure some aspects of the
daemon and monitor/control connected clients.
NB, some distros will use ``/run`` instead of ``/var/run``.
When running in session mode, ``virtlockd`` exposes two UNIX domain sockets:
* ``$XDG_RUNTIME_DIR/libvirt/virtlockd-sock`` - the primary socket for
accessing libvirt APIs, with full read-write privileges. Access to the
socket is restricted to the unprivileged user running the daemon.
* ``$XDG_RUNTIME_DIR/libvirt/virtlockd-admin-sock`` - the administrative
socket for controlling operation of the daemon itself (as opposed to drivers
it is running). This can be used to dynamically reconfigure some aspects of
the daemon and monitor/control connected clients.
``$XDG_RUNTIME_DIR`` commonly points to a per-user private location on tmpfs,
such as ``/run/user/$UID``.
Locking Systemd Integration
---------------------------
When the ``virtlockd`` daemon is managed by ``systemd`` a number of desirable
features are available, most notably socket activation.
Libvirt ships a number of unit files for controlling ``virtlockd``:
* ``virtlockd.service`` - the main unit file for launching the
``virtlockd`` daemon in system mode. The command line arguments passed
can be configured by editing ``/etc/sysconfig/virtlockd``. This is
typically only needed to control the use of the auto shutdown timeout value.
* ``virtlockd.socket`` - the unit file corresponding to the main read-write
UNIX socket ``/var/run/libvirt/virtlockd-sock``. This socket is recommended
to be started on boot by default.
* ``virtlockd-admin.socket`` - the unit file corresponding to the administrative
UNIX socket ``/var/run/libvirt/virtlockd-admin-sock``. This socket is
recommended to be started on boot by default.
NB, some distros will use ``/etc/default`` instead of ``/etc/sysconfig``.
When systemd socket activation is used a number of configuration settings in
``virtlockd.conf`` are no longer honoured. Instead these settings must be
controlled via the system unit files:
* ``unix_sock_group`` - UNIX socket group owner, controlled via the
``SocketGroup`` parameter in the ``virtlockd.socket`` and
``virtlockd-ro.socket`` unit files
* ``unix_sock_ro_perms`` - read-only UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virtlockd-ro.socket`` unit file
* ``unix_sock_rw_perms`` - read-write UNIX socket permissions, controlled via
the ``SocketMode`` parameter in the ``virtlockd.socket`` unit file
* ``unix_sock_admin_perms`` - admin UNIX socket permissions, controlled via the
``SocketMode`` parameter in the ``virtlockd-admin.socket`` unit file
* ``unix_sock_dir`` - directory in which all UNIX sockets are created
independently controlled via the ``ListenStream`` parameter in any of the
``virtlockd.socket`` and ``virtlockd-admin.socket`` unit files.
Changing command line options for daemons
=========================================
Two ways exist to override the defaults in the provided service files:
either a systemd "drop-in" configuration file, or a ``/etc/sysconfig/$daemon``
file must be created. For example, to change the command line option
for a debug session of ``libvirtd``, create a file
``/etc/systemd/system/libvirtd.service.d/debug.conf`` with the following content:
::
[Unit]
Description=Virtualization daemon, with override from debug.conf
[Service]
Environment=G_DEBUG=fatal-warnings
Environment=LIBVIRTD_ARGS="--listen --verbose"
After changes to systemd "drop-in" configuration files it is required to run
``systemctl daemon-reload``.
|
