[systemd-devel] Antw: [EXT] Re: Still confused with socket activation

Ulrich Windl Ulrich.Windl at rz.uni-regensburg.de
Wed Feb 3 09:34:53 UTC 2021 

>>> Lennart Poettering <lennart at poettering.net> schrieb am 02.02.2021 um 15:59
in
Nachricht <20210202145954.GB36677 at gardel-login>:
> On Di, 02.02.21 10:43, Ulrich Windl (Ulrich.Windl at rz.uni‑regensburg.de)
wrote:
> 
>> Hi!
>>
>> Having:
>> ‑‑‑
>> # /usr/lib/systemd/system/virtlockd.service
>> [Unit]
>> Description=Virtual machine lock manager
>> Requires=virtlockd.socket
>> Requires=virtlockd‑admin.socket
>> Before=libvirtd.service
>> ...
>> ‑‑‑
>>
>> How would I start both sockets successfully unter program control?
>> If I start one socket, I cannot start the other without an error (as 
> libvirtd.service is running already, see my earlier message from last
week).
>> If I mask the socket units, I cannot start the libvirtd.service.
>> So would I disable the socket units and start libvirtd.service?
>> Unfortunately if someone (update when vendor‑preset is enabled) re‑enables
the 
> socket units, it would break things, so I tried to mask them, but that 
> failed, too.
>> error: Could not issue start for prm_virtlockd: Unit virtlockd.socket is 
> masked.
> 
> I don't grok what you are trying to say, the excerpt of the unit file
> is too short. Please provide the relevant parts of the other unit
> files too.

So you get it:


# systemctl cat virtlockd.service
# /usr/lib/systemd/system/virtlockd.service
[Unit]
Description=Virtual machine lock manager
Requires=virtlockd.socket
Requires=virtlockd-admin.socket
Before=libvirtd.service
Documentation=man:virtlockd(8)
Documentation=https://libvirt.org 

[Service]
EnvironmentFile=-/etc/sysconfig/virtlockd
ExecStart=/usr/sbin/virtlockd $VIRTLOCKD_ARGS
ExecReload=/bin/kill -USR1 $MAINPID
# Loosing the locks is a really bad thing that will
# cause the machine to be fenced (rebooted), so make
# sure we discourage OOM killer
OOMScoreAdjust=-900
# Needs to allow for max guests * average disks per guest
# libvirtd.service written to expect 4096 guests, so if we
# allow for 10 disks per guest, we get:
LimitNOFILE=40960

[Install]
Also=virtlockd.socket

# /run/systemd/system/virtlockd.service.d/50-pacemaker.conf
[Unit]
Description=Cluster Controlled virtlockd
Before=pacemaker.service pacemaker_remote.service

[Service]
Restart=no

# systemctl cat virtlockd.socket
# /usr/lib/systemd/system/virtlockd.socket
[Unit]
Description=Virtual machine lock manager socket
Before=libvirtd.service

[Socket]
ListenStream=/run/libvirt/virtlockd-sock
SocketMode=0600

[Install]
WantedBy=sockets.target

# /usr/lib/systemd/system/virtlockd-admin.socket
[Unit]
Description=Virtual machine lock manager admin socket
Before=libvirtd.service
BindsTo=virtlockd.socket
After=virtlockd.socket

[Socket]
ListenStream=/run/libvirt/virtlockd-admin-sock
Service=virtlockd.service
SocketMode=0600

[Install]
WantedBy=sockets.target

To make things worse: libvirtd also requires virtlockd:

# systemctl cat libvirtd.service
# /usr/lib/systemd/system/libvirtd.service
[Unit]
Description=Virtualization daemon
Requires=virtlogd.socket
Requires=virtlockd.socket
# Use Wants instead of Requires so that users
# can disable these three .socket units to revert
# to a traditional non-activation deployment setup
Wants=libvirtd.socket
Wants=libvirtd-ro.socket
Wants=libvirtd-admin.socket
Wants=systemd-machined.service
Before=libvirt-guests.service
After=network.target
After=dbus.service
After=iscsid.service
After=apparmor.service
After=local-fs.target
After=remote-fs.target
After=systemd-logind.service
After=systemd-machined.service
After=xencommons.service
Conflicts=xendomains.service
Documentation=man:libvirtd(8)
Documentation=https://libvirt.org 

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/libvirtd
ExecStart=/usr/sbin/libvirtd $LIBVIRTD_ARGS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
# At least 1 FD per guest, often 2 (eg qemu monitor + qemu agent).
# eg if we want to support 4096 guests, we'll typically need 8192 FDs
# If changing this, also consider virtlogd.service & virtlockd.service
# limits which are also related to number of guests
LimitNOFILE=8192
# The cgroups pids controller can limit the number of tasks started by
# the daemon, which can limit the number of domains for some hypervisors.
# A conservative default of 8 tasks per guest results in a TasksMax of
# 32k to support 4096 guests.
TasksMax=32768

[Install]
WantedBy=multi-user.target
Also=virtlockd.socket
Also=virtlogd.socket
Also=libvirtd.socket
Also=libvirtd-ro.socket

# systemctl cat libvirtd.socket
# /usr/lib/systemd/system/libvirtd.socket
[Unit]
Description=Libvirt local socket
Before=libvirtd.service


[Socket]
# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir
setting
# when using systemd version < 227
ListenStream=/run/libvirt/libvirt-sock
Service=libvirtd.service
SocketMode=0666

[Install]
WantedBy=sockets.target

# systemctl cat libvirtd-admin.socket
# /usr/lib/systemd/system/libvirtd-admin.socket
[Unit]
Description=Libvirt admin socket
Before=libvirtd.service
BindsTo=libvirtd.socket
After=libvirtd.socket


[Socket]
# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir
setting
# when using systemd version < 227
ListenStream=/run/libvirt/libvirt-admin-sock
Service=libvirtd.service
SocketMode=0600

[Install]
WantedBy=sockets.target

# systemctl cat libvirtd-ro.socket
# /usr/lib/systemd/system/libvirtd-ro.socket
[Unit]
Description=Libvirt local read-only socket
Before=libvirtd.service
BindsTo=libvirtd.socket
After=libvirtd.socket


[Socket]
# The directory must match the /etc/libvirt/libvirtd.conf unix_sock_dir
setting
# when using systemd version < 227
ListenStream=/run/libvirt/libvirt-sock-ro
Service=libvirtd.service
SocketMode=0666

[Install]
WantedBy=sockets.target

# systemctl cat libvirtd-tcp.socket
# /usr/lib/systemd/system/libvirtd-tcp.socket
[Unit]
Description=Libvirt non-TLS IP socket
Before=libvirtd.service
BindsTo=libvirtd.socket
After=libvirtd.socket


[Socket]
# This must match the /etc/libvirt/libvirtd.conf tcp_port setting
# when using systemd version < 227
ListenStream=16509
Service=libvirtd.service

[Install]
WantedBy=sockets.target

# systemctl cat libvirtd-tls.socket
# /usr/lib/systemd/system/libvirtd-tls.socket
[Unit]
Description=Libvirt TLS IP socket
Before=libvirtd.service
BindsTo=libvirtd.socket
After=libvirtd.socket


[Socket]
# This must match the /etc/libvirt/libvirtd.conf tls_port setting
# when using systemd version < 227
ListenStream=16514
Service=libvirtd.service

[Install]
WantedBy=sockets.target

(You asked for it; you got it ;-)

> 
> Masking is a big hammer, the last resort. It should not be part of the
> usual workflow.
> 
> Note that Requires= in almost all cases should be combined with an
> order dep of After= onto the same unit. If the unit above doesn't do
> that it's almost certainly broken.

The mess is that systemd starts the services when it should not:

Feb 02 12:09:09 h18 systemd[1]: Starting Virtualization daemon...
Feb 02 12:09:09 h18 systemd[1]: Started Virtualization daemon.
Feb 02 12:09:09 h18 systemd[1]: Started Virtual machine lock manager.

The actual start should happen later:
Feb 02 12:09:11 h18 pacemaker-execd[18833]:  notice: executing -
rsc:prm_virtlockd action:start call_id:88
Feb 02 12:09:14 h18 pacemaker-execd[18833]:  notice: executing -
rsc:prm_libvirtd action:start call_id:90

The reason is the virtlockd uses a filesystem that has to be mounted first.
And it should be terminating before the filesystem is unmounted.

The status is:
# systemctl status libvirtd\* | grep Loaded
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; disabled; vendor
preset: enabled)
   Loaded: loaded (/usr/lib/systemd/system/libvirtd-admin.socket; disabled;
vendor preset: disabled)
   Loaded: loaded (/usr/lib/systemd/system/libvirtd.socket; disabled; vendor
preset: disabled)
   Loaded: loaded (/usr/lib/systemd/system/libvirtd-ro.socket; disabled;
vendor preset: disabled)
# systemctl status virtlock\* | grep Loaded
   Loaded: loaded (/usr/lib/systemd/system/virtlockd.service; indirect; vendor
preset: disabled)
   Loaded: loaded (/usr/lib/systemd/system/virtlockd.socket; disabled; vendor
preset: disabled)
   Loaded: loaded (/usr/lib/systemd/system/virtlockd-admin.socket; disabled;
vendor preset: disabled)

So everything is disabled, but somehow it still starts automatically...

Regards,
Ulrich

> 
> Lennart
> 
> ‑‑
> Lennart Poettering, Berlin

More information about the systemd-devel mailing list