From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: zhixiong.chi@windriver.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization] [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG
Date: Tue, 21 Apr 2026 01:28:39 +0000 [thread overview]
Message-ID: <aebSx9hfCj6m-9mm@gmail.com> (raw)
In-Reply-To: <20260414045741.809844-2-zhixiong.chi@windriver.com>
Sorry for the slow reply, I've been out of the office for the
past few days.
In message: [meta-virtualization] [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG
on 14/04/2026 Zhixiong Chi via lists.yoctoproject.org wrote:
> After being upgraded to v12.1.0, the new virt-secret-init-encryption.service
> has been introduced, and it requires systemd to add openssl to PACKAGECONFIG,
> because the systemd-creds encrypt command will be executed in the service file.
>
> Meanwhile this service was added into the dependency chain of the main service
> libvirtd.service, and will be enabled by default by libvirtd service without
> any build dependency detection according to the original upstream commit
> https://github.com/libvirt/libvirt/commit/97758bc9a0b1fccf8c0009308658f1204b113b89
>
> In the systemd recipe, the openssl PACKAGECONFIG is disabled by default. As a
> result, the service file virt-secret-init-encryption.service and libvirtd
> fail with the following error:
> ># systemctl status libvirtd -l
> * libvirtd.service - libvirt legacy monolithic daemon
> Loaded: loaded (/usr/lib/systemd/system/libvirtd.service; enabled; preset: enabled)
> Active: inactive (dead)
> TriggeredBy: * libvirtd.socket
> * libvirtd-ro.socket
> * libvirtd-admin.socket
> Docs: man:libvirtd(8)
> https://libvirt.org/
>
> systemd[1]: Dependency failed for libvirt legacy monolithic daemon.
> systemd[1]: libvirtd.service: Job libvirtd.service/start failed with result 'dependency'
>
> ># journalctl -xe
>
> A start job for unit virt-secret-init-encryption.service has begun execution.
>
> systemd-creds[1251]: Support for encrypted credentials not available.
> systemd[1]: virt-secret-init-encryption.service: Main process exited, code=exited, status=1/FAILURE
>
> The above error info "Support for encrypted credentials not available." comes
> from systemd-creds command provided by systemd without HAVE_OPENSSL option at
> the source code src/shared/creds-utils.c
>
> Here we add a secrets PACKAGECONFIG for libvirt and conditionally remove the new
> virt-secret-init-encryption from libvirtd.service.
>
> Perhaps an alternative approach is to enable the openssl configuration for
> the systemd package—for instance, by creating a systemd.bbappend file.
>
> However, the method here grants users the flexibility to independently select
> the specific configurations they wish to activate, thereby avoiding potential
> PACKAGECONFIG conflicts between packages.
>
> The users can add the following configs in the conf/local.conf file, if they
> want to enable the full libvirt secrets functions:
> PACKAGECONFIG:append:pn-systemd = " openssl"
> PACKAGECONFIG:append:pn-libvirt = " secrets"
>
> Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
> ---
> recipes-extended/libvirt/libvirt_git.bb | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/recipes-extended/libvirt/libvirt_git.bb b/recipes-extended/libvirt/libvirt_git.bb
> index b5b0a5f2..a9e6180a 100644
> --- a/recipes-extended/libvirt/libvirt_git.bb
> +++ b/recipes-extended/libvirt/libvirt_git.bb
> @@ -177,6 +177,8 @@ PACKAGECONFIG[firewalld] = "-Dfirewalld=enabled, -Dfirewalld=disabled,"
> PACKAGECONFIG[libpcap] = "-Dlibpcap=enabled, -Dlibpcap=disabled,libpcap,libpcap"
> PACKAGECONFIG[numad] = "-Dnumad=enabled, -Dnumad=disabled,"
> PACKAGECONFIG[nftables] = ""
> +# Require systemd to add openssl to PACKAGECONFIG, so disable it at default.
> +PACKAGECONFIG[secrets] = "-Ddriver_secrets=enabled, -Ddriver_secrets=disabled,"
The problem with this is that we are creating two independent configuration
items, and if they aren't both set, it won't work.
While a distro feature is probably overkill, it is distro and image features
which are supposed to do this sort of coordination.
Maybe an image feature? Or more simply, just enable the requirement in
systemd when "virtualization" is in the image features. That can be a
bbappend to systemd gated on the distro feature (like the rest of the
similar items in meta-virtualization).
With that, the comment above the secrets packageconfig could be dropped.
Bruce
>
> CVE_STATUS[CVE-2014-8135] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
> CVE_STATUS[CVE-2014-8136] = "fixed-version: Fixed in 1.2.11, NVD tracks this as version-less vulnerability"
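Review bot: the comment on the new `PACKAGECONFIG[secrets]` line reads as an instruction rather than a description ("Require systemd to add openssl to PACKAGECONFIG, so disable it at default"), and the precondition it describes is not expressed anywhere the build can check it: a libvirt built with `secrets` against a systemd built without `openssl` still builds cleanly and only fails at boot with the "Support for encrypted credentials not available." error quoted in the commit message. If the coordination is left to the user, at least reword the comment to state the precondition, e.g. `# Needs systemd built with its 'openssl' PACKAGECONFIG; disabled by default.`, and put the two `PACKAGECONFIG:append` lines from the commit message where users will find them (recipe comment or layer README) rather than only in the git log.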
> @@ -232,6 +234,16 @@ do_install:append() {
> mv ${D}${prefix}/lib/systemd/system/* ${D}${systemd_system_unitdir}
> rmdir ${D}${prefix}/lib/systemd/system ${D}${prefix}/lib/systemd
> fi
> +
> + # secret service is completely removed in libvritd.service dependency when secrets disabled.
> + if ! ${@bb.utils.contains('PACKAGECONFIG', 'secrets', 'true', 'false', d)}; then
> + sed -i \
> + -e '/^Requires=virt-secret-init-encryption.service/d' \
> + -e '/^After=virt-secret-init-encryption.service/d' \
> + -e '/^Environment=SECRETS_ENCRYPTION_KEY=/d' \
> + -e '/^LoadCredentialEncrypted=/d' \
> + ${D}${systemd_system_unitdir}/libvirtd.service
> + fi
> fi
>
> # The /run/libvirt directories created by the Makefile are
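Review bot: typo in the new comment in `do_install:append()`: `libvritd.service` should be `libvirtd.service`, and the sentence reads better as `# When secrets is disabled, drop the secret service from the libvirtd.service dependency chain.` Also, the `sed` only edits `libvirtd.service`; if the `virt-secret-init-encryption.service` unit is installed alongside it in `${systemd_system_unitdir}` (the hunk does not show where it lands), it is still shipped when `secrets` is off and can still be started by hand or by anything else that pulls it in, failing exactly as in the commit message. Consider removing that unit in the same branch, e.g. `rm -f ${D}${systemd_system_unitdir}/virt-secret-init-encryption.service`, so the disabled feature leaves nothing behind.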
> --
> 2.53.0
Thread overview: 3+ messages
2026-04-14 4:57 [V2][mete-virtualization][PATCH 1/2] libvirt: Drop the deprecated workaround Zhixiong Chi
2026-04-14 4:57 ` [V2][mete-virtualization][PATCH 2/2] libvirt: add secrets PACKAGECONFIG Zhixiong Chi
2026-04-21 1:28 ` Bruce Ashfield [this message]