* [V2][mete-virtualization][PATCH 1/2] libvirt: Drop the deprecated workaround
From: Zhixiong Chi @ 2026-04-14 4:57 UTC
To: meta-virtualization
The workaround is not needed anymore as systemd supports it.
The libvirtd.service Type has been changed from notify to notify-reload,
so the final Type will be 'forking-reload', which is invalid for systemd.
Here we delete it to avoid the following output information:
>/lib/systemd/system/libvirtd.service:29: Failed to parse Type=forking-reload, ignoring: Invalid argument
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
recipes-extended/libvirt/libvirt_git.bb | 7 -------
1 file changed, 7 deletions(-)
diff --git a/recipes-extended/libvirt/libvirt_git.bb b/recipes-extended/libvirt/libvirt_git.bb
index 62931d17..b5b0a5f2 100644
--- a/recipes-extended/libvirt/libvirt_git.bb
+++ b/recipes-extended/libvirt/libvirt_git.bb
@@ -232,13 +232,6 @@ do_install:append() {
mv ${D}${prefix}/lib/systemd/system/* ${D}${systemd_system_unitdir}
rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
fi
-
- # We can't use 'notify' when we don't support 'sd_notify' dbus capabilities.
- # Change default LIBVIRTD_ARGS to start libvirtd in the right mode.
- sed -i -e 's/Type=notify/Type=forking/' \
- -e '/Type=forking/a PIDFile=/run/libvirtd.pid' \
- -e 's/\(Environment=LIBVIRTD_ARGS="--timeout 120"\)/#\1\nEnvironment=LIBVIRTD_ARGS="--listen --daemon"/' \
- ${D}/${systemd_system_unitdir}/libvirtd.service
fi
# The /run/libvirt directories created by the Makefile are
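Review bot: the removed sed block did more than rewrite Type=, and the commit message only accounts for the Type= part. Its second expression added PIDFile=/run/libvirtd.pid and its third replaced LIBVIRTD_ARGS="--timeout 120" with "--listen --daemon". Please state in the commit message that libvirtd.service now keeps the shipped "--timeout 120" arguments and is no longer started with --listen, so that anyone relying on the old arguments knows the behaviour changes with this patch.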
--
2.53.0
* [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG
From: Zhixiong Chi @ 2026-04-14 4:57 UTC
To: meta-virtualization
After being upgraded to v12.1.0, the new virt-secret-init-encryption.service
has been introduced, and it requires systemd to add openssl to PACKAGECONFIG,
because the systemd-creds encrypt command will be executed in the service file.

Meanwhile this service was added into the dependency chain of the main service
libvirtd.service, and will be enabled by default by the libvirtd service without
any build dependency detection according to the original upstream commit
https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89

In the systemd recipe, the openssl PACKAGECONFIG is disabled by default. Finally,
the service file virt-secret-init-encryption.service and libvirtd will
fail with the following error:
># systemctl status libvirtd -l
* libvirtd.service - libvirt legacy monolithic daemon
Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
Active: inactive (dead)
TriggeredBy: * libvirtd.socket
* libvirtd-ro.socket
* libvirtd-admin.socket
Docs: man:libvirtd(8)
https://libvirt.org/
systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'
># journalctl -xe
A start job for unit virt-secret-init-encryption.service has begun execution.
systemd-creds[1251]: Support for encrypted credentials not available.
systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE
The above error info "Support for encrypted credentials not available." comes
from the systemd-creds command provided by systemd without the HAVE_OPENSSL option,
in the source code src/shared/creds-utils.c

Here we add a secrets PACKAGECONFIG for libvirt and conditionally remove the new
virt-secret-init-encryption from the libvirt.service.
Perhaps an alternative approach is to enable the openssl configuration for
the systemd package—for instance, by creating a systemd.bbappend file.
However, the method here grants users the flexibility to independently select
the specific configurations they wish to activate, thereby avoiding potential
PACKAGECONFIG conflicts between packages.
The users can add the following configs in the conf/local.conf file, if they
want to enable the full libvirt secrets functions:
PACKAGECONFIG:append:pn-systemd = " openssl"
PACKAGECONFIG:append:pn-libvirt = " secrets"
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
---
recipes-extended/libvirt/libvirt_git.bb | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/recipes-extended/libvirt/libvirt_git.bb b/recipes-extended/libvirt/libvirt_git.bb
index b5b0a5f2..a9e6180a 100644
--- a/recipes-extended/libvirt/libvirt_git.bb
+++ b/recipes-extended/libvirt/libvirt_git.bb
@@ -177,6 +177,8 @@ PACKAGECONFIG[firewalld] = "-Dfirewalld=enabled, -Dfirewalld=disabled,"
PACKAGECONFIG[libpcap] = "-Dlibpcap=enabled, -Dlibpcap=disabled,libpcap,libpcap"
PACKAGECONFIG[numad] = "-Dnumad=enabled, -Dnumad=disabled,"
PACKAGECONFIG[nftables] = ""
+# Require systemd to add openssl to PACKAGECONFIG, so disable it at default.
+PACKAGECONFIG[secrets] = "-Ddriver_secrets=enabled, -Ddriver_secrets=disabled,"
CVE_STATUS[CVE-2014-8135] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
CVE_STATUS[CVE-2014-8136] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
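Review bot: the new comment above PACKAGECONFIG[secrets] is ambiguous about what "it" refers to, and it records a cross-recipe requirement that nothing in the entry enforces, since the dependency fields after the two -D flags are empty. Reword it to say that enabling secrets also needs openssl in systemd's PACKAGECONFIG, and consider a warning when secrets is set without it. The commit message should also mention that leaving secrets out now passes -Ddriver_secrets=disabled, which turns off the secret driver as a whole and not only the encryption-key service.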
@@ -232,6 +234,16 @@ do_install:append() {
mv ${D}${prefix}/lib/systemd/system/* ${D}${systemd_system_unitdir}
rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
fi
+
+ # secret service is completely removed in libvritd.service dependency when secrets disabled.
+ if ! ${@bb.utils.contains('PACKAGECONFIG', 'secrets', 'true', 'false', d)}; then
+ sed -i \
+ -e '/^Requires=virt-secret-init-encryption.service/d' \
+ -e '/^After=virt-secret-init-encryption.service/d' \
+ -e '/^Environment=SECRETS_ENCRYPTION_KEY=/d' \
+ -e '/^LoadCredentialEncrypted=/d' \
+ ${D}${systemd_system_unitdir}/libvirtd.service
+ fi
fi
# The /run/libvirt directories created by the Makefile are
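Review bot: the four sed deletions in the new "if !" block are anchored to the exact current form of the unit lines, so they silently do nothing if virt-secret-init-encryption.service is listed after other units on a Requires= or After= line, and they drop the other units too when it is listed first. Follow the sed with a check that fails the task when the service name is still present in libvirtd.service, so a change in the shipped unit does not bring back the "Dependency failed" start-up error from the commit message. The comment also misspells the unit as libvritd.service, and only libvirtd.service is edited here while the virt-secret-init-encryption.service file itself is left untouched.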
--
2.53.0
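The start-up failure described in the commit message returns if the install-time sed leaves any reference to the encryption service behind. As an added example (not part of the patch or of meta-virtualization), the script below applies the patch's four sed expressions to a constructed unit file and reports surviving references; the function names, the sample unit text and its placeholder values are assumptions.

```shell
#!/bin/sh
# Added example (not from the patch). Apply the four sed deletions quoted
# in the patch to a unit file, then report whether any reference to the
# secrets encryption setup survived.

strip_secrets() {   # $1 = unit file, edited in place
    sed -i \
        -e '/^Requires=virt-secret-init-encryption.service/d' \
        -e '/^After=virt-secret-init-encryption.service/d' \
        -e '/^Environment=SECRETS_ENCRYPTION_KEY=/d' \
        -e '/^LoadCredentialEncrypted=/d' \
        "$1"
}

# Prints every line that still mentions the service or its credential;
# returns 0 when the unit is clean, 1 when something was left behind.
leftover_secrets_refs() {
    if grep -En 'virt-secret-init-encryption\.service|SECRETS_ENCRYPTION_KEY|LoadCredentialEncrypted' "$1"; then
        return 1
    fi
    return 0
}

# Constructed unit text; values after '=' are placeholders, not upstream's.
write_sample_unit() {   # $1 = output path, $2 = "simple" or "combined"
    {
        echo '[Unit]'
        if [ "$2" = combined ]; then
            # Edge case: the service shares a Requires= line with another unit.
            echo 'Requires=example.socket virt-secret-init-encryption.service'
        else
            echo 'Requires=virt-secret-init-encryption.service'
        fi
        echo 'After=virt-secret-init-encryption.service'
        echo '[Service]'
        echo 'Environment=SECRETS_ENCRYPTION_KEY=PLACEHOLDER'
        echo 'LoadCredentialEncrypted=PLACEHOLDER'
        echo 'ExecStart=/usr/sbin/libvirtd'
    } > "$1"
}
```

Running `write_sample_unit /tmp/u.service combined; strip_secrets /tmp/u.service; leftover_secrets_refs /tmp/u.service` prints the Requires= line that the anchored pattern missed.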
* Re: [meta-virtualization] [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG
From: Bruce Ashfield @ 2026-04-21 1:28 UTC
To: zhixiong.chi; +Cc: meta-virtualization
Sorry for the slow reply, I've been out of the office for the
past few days.
In message: [meta-virtualization] [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG
on 14/04/2026 Zhixiong Chi via lists.yoctoproject.org wrote:
> After being upgraded to v12.1.0, the new virt-secret-init-encryption.service
> has been introduced, and it requires systemd to add openssl to PACKAGECONFIG.
> Because systemd-creds encrypt command will be executed in the service file.
>
> Meanwhile this service was added into the dependency chain of the main service
> libvirtd.service, and will be enabled by default by libvirtd service without
> any build dependency detection according to the original upstream commit
> https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89
>
> In systemd recipe, the openssl PACKAGECONFIG is disabled at default. Finally
> the service file virt-secret-init-encryption.service and libvirtd will be
> failed as the following error:
> ># systemctl status libvirtd -l
> * libvirtd.service - libvirt legacy monolithic daemon
> Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
> Active: inactive (dead)
> TriggeredBy: * libvirtd.socket
> * libvirtd-ro.socket
> * libvirtd-admin.socket
> Docs: man:libvirtd(8)
> https://libvirt.org/
>
> systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
> systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'
>
> ># journalctl -xe
>
> A start job for unit virt-secret-init-encryption.service has begun execution.
>
> systemd-creds[1251]: Support for encrypted credentials not available.
> systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE
>
> The above error info "Support for encrypted credentials not available." comes
> from systemd-creds command provided by systemd without HAVE_OPENSSL option at
> the source code src/shared/creds-utils.c
>
> Here we add secrets PACKAGECONFIG for libvirt and conditional removal the new
> virt-secret-init-encryption in the libvirt.service.
>
> Perhaps an alternative approach is to enable the openssl configuration for
> the systemd package—for instance, by creating a systemd.bbappend file.
>
> However, the method here grants users the flexibility to independently select
> the specific configurations they wish to activate, thereby avoiding potential
> PACKAGECONFIG conflicts between packages.
>
> The users can add the following configs in the conf/local.conf file, if they
> want to enable the full libvirt secrets functions:
> PACKAGECONFIG:append:pn-systemd = " openssl"
> PACKAGECONFIG:append:pn-libvirt = " secrets"
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
> recipes-extended/libvirt/libvirt_git.bb | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/recipes-extended/libvirt/libvirt_git.bb b/recipes-extended/libvirt/libvirt_git.bb
> index b5b0a5f2..a9e6180a 100644
> --- a/recipes-extended/libvirt/libvirt_git.bb
> +++ b/recipes-extended/libvirt/libvirt_git.bb
> @@ -177,6 +177,8 @@ PACKAGECONFIG[firewalld] = "-Dfirewalld=enabled, -Dfirewalld=disabled,"
> PACKAGECONFIG[libpcap] = "-Dlibpcap=enabled, -Dlibpcap=disabled,libpcap,libpcap"
> PACKAGECONFIG[numad] = "-Dnumad=enabled, -Dnumad=disabled,"
> PACKAGECONFIG[nftables] = ""
> +# Require systemd to add openssl to PACKAGECONFIG, so disable it at default.
> +PACKAGECONFIG[secrets] = "-Ddriver_secrets=enabled, -Ddriver_secrets=disabled,"
The problem with this is that we are creating two independent configuration
items, and if they aren't both set .. it won't work.
While a distro feature is probably overkill, it is distro and image features
which are supposed to do this sort of coordination.
Maybe an image feature? Or more simply, just enable the requirement in
systemd when "virtualization" is in the image features. That can be a
bbappend to systemd gated on the distro feature (like the rest of the
similar items in meta-virtualization.)
With that, the comment above the secrets packageconfig could be dropped.
Bruce
>
> CVE_STATUS[CVE-2014-8135] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
> CVE_STATUS[CVE-2014-8136] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
> @@ -232,6 +234,16 @@ do_install:append() {
> mv ${D}${prefix}/lib/systemd/system/* ${D}${systemd_system_unitdir}
> rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
> fi
> +
> + # secret service is completely removed in libvritd.service dependency when secrets disabled.
> + if ! ${@bb.utils.contains('PACKAGECONFIG', 'secrets', 'true', 'false', d)}; then
> + sed -i \
> + -e '/^Requires=virt-secret-init-encryption.service/d' \
> + -e '/^After=virt-secret-init-encryption.service/d' \
> + -e '/^Environment=SECRETS_ENCRYPTION_KEY=/d' \
> + -e '/^LoadCredentialEncrypted=/d' \
> + ${D}${systemd_system_unitdir}/libvirtd.service
> + fi
> fi
>
> # The /run/libvirt directories created by the Makefile are
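Review bot: the "if !" guard in this hunk keys only on libvirt's own PACKAGECONFIG, so even if systemd gains openssl through a bbappend gated on the distro feature, the Requires=/After= lines are still stripped unless secrets is set separately. If the coordination moves to a feature gate, enable secrets under the same gate so that the unit edit and the systemd capability cannot drift apart.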
> --
> 2.53.0