Hello,
On my personal laptop, I would like to deactivate monolithic mode (Fedora 39) & reinforced systemd use, in order to secure my setup and permit easy non-root access.
I would like to share my approach (systemd v255) & have validation from someone more experienced than me on the approach & help me resolve one last small problem.
Nota Bene - activate session mode:
- session mode only has two unix sockets (no ro socket, unlike system mode)
disable monolithic mode:
#check rights
systemctl cat 'libvirt*' |egrep --line-buffered "Socket|# /"
systemctl stop libvirtd.service
systemctl stop libvirtd{,-ro,-admin,-tcp,-tls}.socket
systemctl disable libvirtd.service
systemctl disable libvirtd{,-ro,-admin,-tcp,-tls}.socket
systemctl mask libvirtd.service
systemctl mask libvirtd{,-ro,-admin,-tcp,-tls}.socket
add relevant rights:
usermod -d /var/lib/libvirt/qemu qemu
install --group=libvirt --owner=qemu --mode=775 -d /var/lib/libvirt/qemu/{.cache,.local/share,.config} /run/libvirt/
Creation of service confs:
for drv in qemu interface network nodedev nwfilter secret storage log proxy lock
do
SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d.service <<-gnark
[Service]
User=qemu
Group=libvirt
Environment=VIRTNETWORKD_ARGS="--timeout 120"
ExecStart=/usr/sbin/virt${drv}d \$VIRTNETWORKD_ARGS
RuntimeDirectory=libvirt:user/$(id -u qemu)/
RuntimeDirectoryMode=775
RuntimeDirectoryPreserve=yes
gnark
done
Creation of socket confs:
for drv in qemu interface network nodedev nwfilter secret storage log proxy lock
do
SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d{,-admin}.socket <<-EOF
[Socket]
SocketUser=qemu
SocketGroup=libvirt
DirectoryMode=0777
SocketMode=0660
ListenStream=/run/libvirt/%N-sock
RemoveOnStop=yes
Service=virt${drv}d.service
EOF
done
should not exist and be necessary. But I don't know how to easily ignore the system conf: Requires=virtqemud-ro.socket:
for drv in qemu interface network nodedev nwfilter secret storage proxy
do
SYSTEMD_EDITOR=tee systemctl edit --full --force --system virt${drv}d-ro.socket <<-EOF
[Socket]
#Before=virt${drv}d.service
SocketUser=qemu
SocketGroup=libvirt
DirectoryMode=0777
SocketMode=0660
ListenStream=/run/libvirt/${drv}-sock-ro
RemoveOnStop=yes
Service=virt${drv}d.service
EOF
done
Activate services and sockets:
for drv in qemu interface network nodedev nwfilter secret storage log proxy
do
systemctl unmask virt${drv}d.service
systemctl unmask virt${drv}d{,-admin}.socket
systemctl enable virt${drv}d.service
systemctl enable --now virt${drv}d{,-admin}.socket
done
RUN:
for drv in qemu interface network nodedev nwfilter secret storage
do
systemctl start virt${drv}d{-ro,-admin}.socket
done
but
journalctl
virtsecretd[1410]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtsecretd[1410]: hostname: mymachine.local.example.fr
virtsecretd[1410]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
virtinterfaced[1397]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtinterfaced[1397]: hostname: mymachine.local.example.fr
virtinterfaced[1397]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
virtnodedevd[1401]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnodedevd[1401]: hostname: mymachine.local.example.fr
virtnodedevd[1401]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
virtproxyd[1403]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtproxyd[1403]: hostname: mymachine.local.example.fr
virtproxyd[1403]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
virtnetworkd[1399]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnetworkd[1399]: hostname: mymachine.local.example.fr
virtnetworkd[1399]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
systemd[1]: virtsecretd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtsecretd.service: Failed with result 'exit-code'.
virtqemud[1406]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtqemud[1406]: hostname: mymachine.local.example.fr
virtqemud[1406]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
systemd[1]: virtinterfaced.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtinterfaced.service: Failed with result 'exit-code'.
virtnwfilterd[1402]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtnwfilterd[1402]: hostname: mymachine.local.example.fr
virtnwfilterd[1402]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
systemd[1]: virtnetworkd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnetworkd.service: Failed with result 'exit-code'.
systemd[1]: virtnodedevd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnodedevd.service: Failed with result 'exit-code'.
systemd[1]: virtnwfilterd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtnwfilterd.service: Failed with result 'exit-code'.
systemd[1]: virtproxyd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtproxyd.service: Failed with result 'exit-code'.
systemd[1]: virtqemud.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtqemud.service: Failed with result 'exit-code'.
virtstoraged[1411]: libvirt version: 9.7.0, package: 3.fc39 (Fedora Project, 2024-03-12-17:39:29, )
virtstoraged[1411]: hostname: mymachine.local.example.fr
virtstoraged[1411]: erreur interne : Certains descripteurs de fichiers d'activation n'ont pas été réclamés
systemd[1]: virtstoraged.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtstoraged.service: Failed with result 'exit-code'.
ping mymachine.local.example.fr is ok
Thanks in advance for your help!
Best regards
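Added diagnostic example (editor's code, not part of the original post): it correlates the 6/NOTCONFIGURED exits in the journal with the set of active socket units per daemon, using the post's own note that a session-mode daemon has only two sockets (main and -admin, no -ro). It assumes that a `User=` other than root puts the daemon in session mode, and the journal and socket listings are constructed from the excerpt above, not read from a live system.

```shell
#!/bin/sh
# Constructed sample journal, modelled on the excerpt in the post.
JOURNAL="systemd[1]: virtsecretd.service: Main process exited, code=exited, status=6/NOTCONFIGURED
systemd[1]: virtsecretd.service: Failed with result 'exit-code'.
systemd[1]: virtqemud.service: Main process exited, code=exited, status=6/NOTCONFIGURED"

# Constructed unit column of: systemctl list-units --type=socket --state=active --plain --no-legend
ACTIVE_SOCKETS="virtsecretd.socket virtsecretd-ro.socket virtsecretd-admin.socket
virtqemud.socket virtqemud-admin.socket
virtlogd.socket virtlogd-admin.socket"

# Daemons whose main process exited with status 6/NOTCONFIGURED.
failed_daemons() {
  printf '%s\n' "$1" |
    sed -n 's/^systemd\[1\]: \(virt[a-z]*d\)\.service: Main process exited, code=exited, status=6\/NOTCONFIGURED$/\1/p'
}

# Socket units belonging to daemon $1 that appear in the active list $2.
active_sockets_for() {
  printf '%s\n' "$2" | tr ' ' '\n' | grep -E "^$1(-ro|-admin)?\.socket$"
}

# Failed daemons that run unprivileged (User= not root, assumed to mean session
# mode) while a -ro socket is still active: that is the activation fd a
# session-mode daemon never claims, matching the "not claimed" error in the post.
ro_socket_mismatches() {  # $1 journal text, $2 active socket list, $3 User= value
  for d in $(failed_daemons "$1"); do
    if [ "$3" != root ] && active_sockets_for "$d" "$2" | grep -q -e '-ro\.socket$'; then
      printf '%s\n' "$d"
    fi
  done
}

ro_socket_mismatches "$JOURNAL" "$ACTIVE_SOCKETS" qemu   # prints: virtsecretd
```

virtqemud fails in the sample too but has no active -ro socket, so it is not flagged: the check isolates the socket-set mismatch and leaves other causes to further inspection.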