diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index ed30eacf2b..9c245dbf2b 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -380,7 +380,8 @@ Various services shipped with `systemd` consume credentials for tweaking behavio to receive a notification via VSOCK when a virtual machine has finished booting. Note that in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`, `SOCK_SEQPACKET` will be tried instead. The credential payload should be in the - form: `vsock::`. Also note that this requires support for VHOST to be + form: `vsock::`. `vsock` may be replaced with `vsock-stream`, `vsock-dgram` or `vsock-seqpacket` + to force usage of the corresponding socket type. Also note that this requires support for VHOST to be built-in both the guest and the host kernels, and the kernel modules to be loaded. * [`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html) diff --git a/man/sd_notify.xml b/man/sd_notify.xml index d8fe6468a2..1e611fe6d8 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml 
@@ -485,12 +485,14 @@ AF_VSOCK address, which is useful for hypervisors/VMMs or other processes on the host to receive a notification when a virtual machine has finished booting. Note that in case the hypervisor does not support SOCK_DGRAM over AF_VSOCK, - SOCK_SEQPACKET will be used instead. The address should be in the form: - vsock:CID:PORT. Note that unlike other uses of vsock, the CID is mandatory and cannot - be VMADDR_CID_ANY. Note that PID1 will send the VSOCK packets from a privileged port - (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in the guest might - try to send malicious notifications to the host, driving it to make destructive decisions based on - them. + SOCK_SEQPACKET will be used instead. vsock-stream, + vsock-dgram and vsock-seqpacket can be used instead of + vsock to force usage of the corresponding socket type. The address should be in the + form: vsock:CID:PORT. Note that unlike other uses of vsock, the CID is mandatory and + cannot be VMADDR_CID_ANY. Note that PID1 will send the VSOCK packets from a + privileged port (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in + the guest might try to send malicious notifications to the host, driving it to make destructive decisions + based on them. diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 1ac97ae137..c7166e4f64 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -221,7 +221,9 @@ x on a port y address in the AF_VSOCK family. The CID is a unique 32-bit integer identifier in AF_VSOCK analogous to an IP address. Specifying the CID is optional, and may be - set to the empty string. + set to the empty string. vsock may be replaced with + vsock-stream, vsock-dgram or vsock-seqpacket + to force usage of the corresponding socket type. Note that SOCK_SEQPACKET (i.e. ListenSequentialPacket=) is only available 
diff --git a/man/systemd.xml b/man/systemd.xml index b66707faba..cb798af34c 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -1167,7 +1167,9 @@ SOCK_DGRAM over AF_VSOCK, SOCK_SEQPACKET will be tried instead. The credential payload for AF_VSOCK should be a string in the form - vsock:CID:PORT. + vsock:CID:PORT. vsock-stream, vsock-dgram + and vsock-seqpacket can be used instead of vsock to force + usage of the corresponding socket type. This feature is useful for machine managers or other processes on the host to receive a notification via VSOCK when a virtual machine has finished booting.
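Review bot: in the docs/CREDENTIALS.md hunk the address form still reads `vsock::` with no field names, while the man/systemd.xml hunk in the same patch spells it `vsock:CID:PORT`; since this line is being rewritten anyway, name the CID and PORT fields here too so the credential documentation and the man pages agree on the syntax.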
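Review bot: in the man/sd_notify.xml hunk the new sentence "vsock-stream, vsock-dgram and vsock-seqpacket can be used instead of vsock to force usage of the corresponding socket type" is placed before "The address should be in the form: vsock:CID:PORT.", so the reader meets the variants before the base syntax is introduced; moving it directly after the address-form sentence reads more naturally and matches the order used in the man/systemd.xml hunk. The same paragraph keeps the statement that PID1 sends the VSOCK packets from a privileged port (lower than 1024) as a mitigation against unprivileged guest processes sending malicious notifications; please confirm that this source-port binding also holds for the vsock-stream variant and, if so, say so, since otherwise the new option could weaken the documented mitigation.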
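Review bot: in the man/systemd.socket.xml hunk the socket type is already selected by the directive (ListenStream=, ListenDatagram=, ListenSequentialPacket=, the last of which the surrounding context names), so "to force usage of the corresponding socket type" leaves open what happens when the prefix contradicts the directive, for example ListenStream= with a vsock-dgram: address; document whether such a mismatch is rejected at unit load or which of the two wins.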
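Review bot: in the man/systemd.xml hunk the preceding context still says that when the hypervisor does not support SOCK_DGRAM over AF_VSOCK, SOCK_SEQPACKET will be tried instead, but the added text does not say whether that fallback still applies once vsock-dgram or vsock-seqpacket is given explicitly, or whether the notification then simply fails; state which, because a silent fallback would defeat the purpose of forcing a type. The docs/CREDENTIALS.md and man/sd_notify.xml hunks carry the same fallback sentence and need the same clarification.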