mirror of https://github.com/systemd/systemd synced 2024-07-09 04:26:06 +00:00

Document new vsock literals

Fixes #31849
Daan De Meyer 2024-03-19 12:29:49 +01:00 committed by Luca Boccassi
parent e19186359a
commit db7374e156
4 changed files with 16 additions and 9 deletions


@ -380,7 +380,8 @@ Various services shipped with `systemd` consume credentials for tweaking behavio
to receive a notification via VSOCK when a virtual machine has finished booting.
Note that in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`,
`SOCK_SEQPACKET` will be tried instead. The credential payload should be in the
form: `vsock:<CID>:<PORT>`. Also note that this requires support for VHOST to be
form: `vsock:<CID>:<PORT>`. `vsock` may be replaced with `vsock-stream`, `vsock-dgram` or `vsock-seqpacket`
to force usage of the corresponding socket type. Also note that this requires support for VHOST to be
built-in both the guest and the host kernels, and the kernel modules to be loaded.
* [`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html)
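Review bot: the added sentence "`vsock` may be replaced with `vsock-stream`, `vsock-dgram` or `vsock-seqpacket` to force usage of the corresponding socket type" leaves open how a forced type interacts with the fallback described two lines above ("in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`, `SOCK_SEQPACKET` will be tried instead"). A reader given `vsock-dgram` cannot tell whether the fallback still happens or the notification simply fails; add one sentence stating the behaviour when the forced type is unavailable, and show the resulting payload form once (e.g. `vsock-seqpacket:<CID>:<PORT>`) so it is clear the literal replaces the whole `vsock` prefix. Style: the new line runs far past the wrap width of the surrounding Markdown; re-wrap it to match the neighbouring lines.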


@ -485,12 +485,14 @@
<constant>AF_VSOCK</constant> address, which is useful for hypervisors/VMMs or other processes on the
host to receive a notification when a virtual machine has finished booting. Note that in case the
hypervisor does not support <constant>SOCK_DGRAM</constant> over <constant>AF_VSOCK</constant>,
<constant>SOCK_SEQPACKET</constant> will be used instead. The address should be in the form:
<literal>vsock:CID:PORT</literal>. Note that unlike other uses of vsock, the CID is mandatory and cannot
be <literal>VMADDR_CID_ANY</literal>. Note that PID1 will send the VSOCK packets from a privileged port
(i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in the guest might
try to send malicious notifications to the host, driving it to make destructive decisions based on
them.</para>
<constant>SOCK_SEQPACKET</constant> will be used instead. <literal>vsock-stream</literal>,
<literal>vsock-dgram</literal> and <literal>vsock-seqpacket</literal> can be used instead of
<literal>vsock</literal> to force usage of the corresponding socket type. The address should be in the
form: <literal>vsock:CID:PORT</literal>. Note that unlike other uses of vsock, the CID is mandatory and
cannot be <literal>VMADDR_CID_ANY</literal>. Note that PID1 will send the VSOCK packets from a
privileged port (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in
the guest might try to send malicious notifications to the host, driving it to make destructive decisions
based on them.</para>
</refsect1>
<refsect1>
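Review bot: the inserted sentence on <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> and <literal>vsock-seqpacket</literal> is placed before the sentence that first introduces the <literal>vsock:CID:PORT</literal> form, so the variants are named before the reader has seen what <literal>vsock</literal> prefixes. Move it after "The address should be in the form: <literal>vsock:CID:PORT</literal>." and phrase it as a substitution of that prefix. While there, reconcile it with the preceding "<constant>SOCK_SEQPACKET</constant> will be used instead": with a forced <literal>vsock-dgram</literal> the two sentences now read as contradictory, so say whether the fallback is skipped when a type is forced.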


@ -221,7 +221,9 @@
<replaceable>x</replaceable> on a port <replaceable>y</replaceable> address in the
<constant>AF_VSOCK</constant> family. The CID is a unique 32-bit integer identifier in
<constant>AF_VSOCK</constant> analogous to an IP address. Specifying the CID is optional, and may be
set to the empty string.</para>
set to the empty string. <literal>vsock</literal> may be replaced with
<literal>vsock-stream</literal>, <literal>vsock-dgram</literal> or <literal>vsock-seqpacket</literal>
to force usage of the corresponding socket type.</para>
<para>Note that <constant>SOCK_SEQPACKET</constant> (i.e.
<varname>ListenSequentialPacket=</varname>) is only available
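Review bot: in this man page the socket type is already fixed by the directive (<varname>ListenStream=</varname>, <varname>ListenDatagram=</varname>, <varname>ListenSequentialPacket=</varname>, as the following paragraph itself relies on), so the added "force usage of the corresponding socket type" needs to say what happens when the literal disagrees with the directive, e.g. <varname>ListenStream=</varname>vsock-dgram:x:y: whether the directive wins, the literal wins, or the unit fails to load. Without that, the sentence is ambiguous here in a way it is not for the credential payloads, and the safest documentation is to state that the literal must match the directive if that is what is enforced.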


@ -1167,7 +1167,9 @@
<constant>SOCK_DGRAM</constant> over <constant>AF_VSOCK</constant>,
<constant>SOCK_SEQPACKET</constant> will be tried instead. The credential payload for
<constant>AF_VSOCK</constant> should be a string in the form
<literal>vsock:CID:PORT</literal>.</para>
<literal>vsock:CID:PORT</literal>. <literal>vsock-stream</literal>, <literal>vsock-dgram</literal>
and <literal>vsock-seqpacket</literal> can be used instead of <literal>vsock</literal> to force
usage of the corresponding socket type.</para>
<para>This feature is useful for machine managers or other processes on the host to receive a
notification via VSOCK when a virtual machine has finished booting.</para>
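Review bot: the new sentence again says the literals "force" a socket type immediately after the text promising that <constant>SOCK_SEQPACKET</constant> "will be tried instead" when <constant>SOCK_DGRAM</constant> is unsupported; a reader given <literal>vsock-dgram:CID:PORT</literal> cannot tell whether the fallback still applies or the notification is dropped. One sentence on the behaviour when the forced type is unavailable would close that gap, and the payload example should show a prefixed form (e.g. <literal>vsock-seqpacket:CID:PORT</literal>), since that is the actual string a VMM has to pass.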