diff --git a/docs/manpages/index.rst b/docs/manpages/index.rst
index 67357419eb..fb62dc86a2 100644
--- a/docs/manpages/index.rst
+++ b/docs/manpages/index.rst
@@ -24,6 +24,7 @@ These daemons provide functionality to a single libvirt driver
 * `virtnodedevd(8) `__ - libvirt host device management daemon
 * `virtnwfilterd(8) `__ - libvirt network filter management daemon
 * `virtqemud(8) `__ - libvirt QEMU management daemon
+* `virtsecretd(8) `__ - libvirt secret data management daemon
 Tools
 =====
diff --git a/docs/manpages/meson.build b/docs/manpages/meson.build
index e08365b780..1476722bde 100644
--- a/docs/manpages/meson.build
+++ b/docs/manpages/meson.build
@@ -32,6 +32,7 @@ docs_man_files = [
 { 'name': 'virtnwfilterd', 'section': '8', 'install': conf.has('WITH_NWFILTER') },
 { 'name': 'virtproxyd', 'section': '8', 'install': conf.has('WITH_LIBVIRTD') },
 { 'name': 'virtqemud', 'section': '8', 'install': conf.has('WITH_QEMU') },
+ { 'name': 'virtsecretd', 'section': '8', 'install': conf.has('WITH_SECRETS') },
 ]
 foreach name : keycode_list
diff --git a/docs/manpages/virtsecretd.rst b/docs/manpages/virtsecretd.rst
new file mode 100644
index 0000000000..fffb3a24f6
--- /dev/null
+++ b/docs/manpages/virtsecretd.rst
@@ -0,0 +1,214 @@
+===========
+virtsecretd
+===========
+
+-------------------------------------
+libvirt secret data management daemon
+-------------------------------------
+
+:Manual section: 8
+:Manual group: Virtualization Support
+
+.. contents::
+
+SYNOPSIS
+========
+
+``virtsecretd`` [*OPTION*]...
+
+
+DESCRIPTION
+===========
+
+The ``virtsecretd`` program is a server side daemon component of the libvirt
+virtualization management system.
+
+It is one of a collection of modular daemons that replace functionality
+previously provided by the monolithic ``libvirtd`` daemon.
+
+This daemon runs on virtualization hosts to provide management for secret data.
+
+The ``virtsecretd`` daemon only listens for requests on a local Unix domain
+socket. Remote off-host access and backwards compatibility with legacy
+clients expecting ``libvirtd`` is provided by the ``virtproxy`` daemon.
+
+Restarting ``virtsecretd`` does not interrupt running guests. Guests continue to
+operate and changes in their state will generally be picked up automatically
+during startup. None the less it is recommended to avoid restarting with
+running guests whenever practical.
+
+
+SYSTEM SOCKET ACTIVATION
+========================
+
+The ``virtsecretd`` daemon is capable of starting in two modes.
+
+In the traditional mode, it will create and listen on UNIX sockets itself.
+
+In socket activation mode, it will rely on systemd to create and listen
+on the UNIX sockets and pass them as pre-opened file descriptors. In this
+mode most of the socket related config options in
+``/etc/libvirt/virtsecretd.conf`` will no longer have any effect.
+
+Socket activation mode is generally the default when running on a host
+OS that uses systemd. To revert to the traditional mode, all the socket
+unit files must be masked:
+
+::
+
+ $ systemctl mask virtsecretd.socket virtsecretd-ro.socket \
+ virtsecretd-admin.socket
+
+
+OPTIONS
+=======
+
+``-h``, ``--help``
+
+Display command line help usage then exit.
+
+``-d``, ``--daemon``
+
+Run as a daemon & write PID file.
+
+``-f``, ``--config *FILE*``
+
+Use this configuration file, overriding the default value.
+
+``-p``, ``--pid-file *FILE*``
+
+Use this name for the PID file, overriding the default value.
+
+``-t``, ``--timeout *SECONDS*``
+
+Exit after timeout period (in seconds), provided there are neither any client
+connections nor any running domains.
+
+``-v``, ``--verbose``
+
+Enable output of verbose messages.
+
+``--version``
+
+Display version information then exit.
+
+
+SIGNALS
+=======
+
+On receipt of ``SIGHUP`` ``virtsecretd`` will reload its configuration.
+
+
+FILES
+=====
+
+When run as *root*
+------------------
+
+* ``@SYSCONFDIR@/libvirt/virtsecretd.conf``
+
+The default configuration file used by ``virtsecretd``, unless overridden on the
+command line using the ``-f`` | ``--config`` option.
+
+* ``@RUNSTATEDIR@/libvirt/virtsecretd-sock``
+* ``@RUNSTATEDIR@/libvirt/virtsecretd-sock-ro``
+* ``@RUNSTATEDIR@/libvirt/virtsecretd-admin-sock``
+
+The sockets ``virtsecretd`` will use.
+
+The TLS **Server** private key ``virtsecretd`` will use.
+
+* ``@RUNSTATEDIR@/virtsecretd.pid``
+
+The PID file to use, unless overridden by the ``-p`` | ``--pid-file`` option.
+
+
+When run as *non-root*
+----------------------
+
+* ``$XDG_CONFIG_HOME/libvirt/virtsecretd.conf``
+
+The default configuration file used by ``virtsecretd``, unless overridden on the
+command line using the ``-f``|``--config`` option.
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd-sock``
+* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd-admin-sock``
+
+The sockets ``virtsecretd`` will use.
+
+* ``$XDG_RUNTIME_DIR/libvirt/virtsecretd.pid``
+
+The PID file to use, unless overridden by the ``-p``|``--pid-file`` option.
+
+
+If ``$XDG_CONFIG_HOME`` is not set in your environment, ``virtsecretd`` will use
+``$HOME/.config``
+
+If ``$XDG_RUNTIME_DIR`` is not set in your environment, ``virtsecretd`` will use
+``$HOME/.cache``
+
+
+EXAMPLES
+========
+
+To retrieve the version of ``virtsecretd``:
+
+::
+
+ # virtsecretd --version
+ virtsecretd (libvirt) @VERSION@
+
+
+To start ``virtsecretd``, instructing it to daemonize and create a PID file:
+
+::
+
+ # virtsecretd -d
+ # ls -la @RUNSTATEDIR@/virtsecretd.pid
+ -rw-r--r-- 1 root root 6 Jul 9 02:40 @RUNSTATEDIR@/virtsecretd.pid
+
+
+BUGS
+====
+
+Please report all bugs you discover. This should be done via either:
+
+#. the mailing list
+
+ `https://libvirt.org/contact.html `_
+
+#. the bug tracker
+
+ `https://libvirt.org/bugs.html `_
+
+Alternatively, you may report bugs to your software distributor / vendor.
+
+
+AUTHORS
+=======
+
+Please refer to the AUTHORS file distributed with libvirt.
+
+
+COPYRIGHT
+=========
+
+Copyright (C) 2006-2020 Red Hat, Inc., and the authors listed in the
+libvirt AUTHORS file.
+
+
+LICENSE
+=======
+
+``virtsecretd`` is distributed under the terms of the GNU LGPL v2.1+.
+This is free software; see the source for copying conditions. There
+is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE
+
+
+SEE ALSO
+========
+
+virsh(1), libvirtd(8),
+`https://www.libvirt.org/daemons.html `_,
+`https://www.libvirt.org/drvsecret.html `_
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 80c5591e5d..68232535a0 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1670,6 +1670,7 @@ exit 0
 %{_unitdir}/virtsecretd-admin.socket
 %attr(0755, root, root) %{_sbindir}/virtsecretd
 %{_libdir}/%{name}/connection-driver/libvirt_driver_secret.so
+%{_mandir}/man8/virtsecretd.8*
 %files daemon-driver-storage