# systemd service unit for the libvirt logging daemon (virtlogd).
# Read by systemd's unit-file parser: `#` full-line comments only, one
# directive per line. The `~`-prefixed CapabilityBoundingSet=,
# RestrictNamespaces= and SystemCallFilter= lines below are deny-lists;
# repeated `~` lines accumulate (merged by AND), so every listed item is
# removed and anything NOT listed stays available.
[Unit]
Description=libvirt logging daemon
Documentation=man:virtlogd(8)
Documentation=https://libvirt.org/
# Socket-activated: the service is tied to the lifetime of virtlogd.socket
# (BindsTo=) and only starts once both listening sockets are in place.
BindsTo=virtlogd.socket
Wants=virtlogd-admin.socket
After=virtlogd.socket
After=virtlogd-admin.socket

[Service]
# Type=notify: systemd waits for the daemon's sd_notify() readiness
# message before treating the unit as started.
Type=notify
# Extra command line arguments. The empty default set here is overridden
# by /etc/default/virtlogd when that file exists; the leading '-' tells
# systemd a missing file is not an error.
Environment=VIRTLOGD_ARGS=
EnvironmentFile=-/etc/default/virtlogd
ExecStart=/usr/sbin/virtlogd $VIRTLOGD_ARGS
# Reload is delivered as SIGUSR1 to the main process; see virtlogd(8)
# for what the daemon does on that signal.
ExecReload=/bin/kill -USR1 $MAINPID
# Capability bounding set, written as a deny-list: each line removes one
# capability. Because this is a deny-list, capabilities introduced by
# newer kernels that are not named here (e.g. CAP_BPF, CAP_PERFMON,
# CAP_CHECKPOINT_RESTORE) remain in the set — review this list when the
# kernel baseline moves. The bounding set is inherited across execve, so
# it also bounds anything the daemon spawns.
CapabilityBoundingSet=~CAP_AUDIT_CONTROL
CapabilityBoundingSet=~CAP_AUDIT_READ
CapabilityBoundingSet=~CAP_AUDIT_WRITE
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_CHOWN
# Mgmt app/user might have pre-created log files that we're
# told to open and write to, or be storing them in otherwise
# inaccessible locations like $HOME. So we need to ignore
# DAC permission checks.
#CapabilityBoundingSet=~CAP_DAC_OVERRIDE
#CapabilityBoundingSet=~CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_FOWNER
CapabilityBoundingSet=~CAP_FSETID
CapabilityBoundingSet=~CAP_IPC_LOCK
CapabilityBoundingSet=~CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_MAC_ADMIN
CapabilityBoundingSet=~CAP_MAC_OVERRIDE
CapabilityBoundingSet=~CAP_MKNOD
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE
CapabilityBoundingSet=~CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_NET_RAW
CapabilityBoundingSet=~CAP_SETFCAP
CapabilityBoundingSet=~CAP_SETPCAP
CapabilityBoundingSet=~CAP_SETGID
CapabilityBoundingSet=~CAP_SETUID
CapabilityBoundingSet=~CAP_SYSLOG
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_MODULE
CapabilityBoundingSet=~CAP_SYS_NICE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_SYS_TIME
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_WAKE_ALARM

# Process-level sandboxing. Lines commented out with a "Not until oldest
# build target has systemd >= vNNN" note are desired but gated on the
# minimum supported systemd version; re-enable them when that moves.
LockPersonality=true
# W^X: refuse memory mappings that are writable and executable at once.
MemoryDenyWriteExecute=true
# Cannot enable this as it prevents transitioning to
# the confined SELinux virtlogd_t domain on execve
# unless we modify the policy to allow this.
#NoNewPrivileges=true
# With NoNewPrivileges= left off, the bounding set above and the seccomp
# filter below (both inherited across execve) are the kernel-side limits
# on any process the daemon executes.
PrivateDevices=true
PrivateMounts=true
# The daemon only talks over local UNIX sockets, so it runs in its own
# loopback-only network namespace; see RestrictAddressFamilies= below.
PrivateNetwork=true
# XXX someone could configure QEMU to log a serial port to an
# arbitrary directory, including /tmp, even if this is ill-advised
#PrivateTmp=true
# Not until oldest build target has systemd >= v245
#ProtectClock=true
ProtectControlGroups=true
# Not until oldest build target has systemd >= v241
#ProtectHostname=true
# Not until oldest build target has systemd >= v244
#ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Not until oldest build target has systemd >= v247
#ProtectProc=invisible
# full: /usr, the boot loader directories and /etc are mounted read-only
# for the daemon.
ProtectSystem=full
# socket() with any family other than AF_UNIX fails.
RestrictAddressFamilies=AF_UNIX
# Deny-list of namespace types the daemon may create or enter; every
# type systemd lets us name is listed, so no new namespaces at all.
RestrictNamespaces=~cgroup
RestrictNamespaces=~ipc
RestrictNamespaces=~mnt
RestrictNamespaces=~net
RestrictNamespaces=~pid
RestrictNamespaces=~user
RestrictNamespaces=~uts
RestrictRealtime=true
RestrictSUIDSGID=true
# Reject system calls made through non-native ABIs (e.g. 32-bit compat
# on a 64-bit kernel), shrinking the syscall surface seccomp must cover.
SystemCallArchitectures=native
# seccomp deny-list: each `~@group` removes one of systemd's predefined
# syscall groups; the merged filter applies to the daemon and its children.
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
# Unfortunately we link to libnuma via libvirt.so which
# has a constructor that runs unconditionally that invokes
# set_mempolicy()
#SystemCallFilter=~@resources
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
# Files and directories the daemon creates default to 0600 / 0700 unless
# the code widens the mode explicitly.
UMask=077
# Losing this daemon is a really bad thing that will
# cause the machine to be fenced (rebooted), so make
# sure we discourage OOM killer
OOMScoreAdjust=-900
# Raise hard limits to match behaviour of systemd >= 240.
# During startup, daemon will set soft limit to match hard limit
# per systemd recommendations
LimitNOFILE=1024:524288

[Install]
WantedBy=multi-user.target
# Enabling or disabling this service also enables/disables its sockets.
Also=virtlogd.socket
Also=virtlogd-admin.socket