| | | |
|---|---|---|
| author | Daan De Meyer <daan.j.demeyer@gmail.com> | 2024-03-19 12:29:49 +0100 |
| committer | Luca Boccassi <luca.boccassi@gmail.com> | 2024-03-19 13:31:36 +0100 |
| commit | db7374e1560fca564eb0cec84f3389bcda94c8af (patch) | |
| tree | e1fff84c8dd54982991b828014e19efbeb557776 | |
| parent | Add a set of assertion macros to tests.h (diff) | |
| download | systemd-db7374e1560fca564eb0cec84f3389bcda94c8af.tar.xz, systemd-db7374e1560fca564eb0cec84f3389bcda94c8af.zip | |
Document new vsock literals
Fixes #31849
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | docs/CREDENTIALS.md | 3 |
| -rw-r--r-- | man/sd_notify.xml | 14 |
| -rw-r--r-- | man/systemd.socket.xml | 4 |
| -rw-r--r-- | man/systemd.xml | 4 |
4 files changed, 16 insertions, 9 deletions
diff --git a/docs/CREDENTIALS.md b/docs/CREDENTIALS.md index ed30eacf2b..9c245dbf2b 100644 --- a/docs/CREDENTIALS.md +++ b/docs/CREDENTIALS.md @@ -380,7 +380,8 @@ Various services shipped with `systemd` consume credentials for tweaking behavio to receive a notification via VSOCK when a virtual machine has finished booting. Note that in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`, `SOCK_SEQPACKET` will be tried instead. The credential payload should be in the - form: `vsock:<CID>:<PORT>`. Also note that this requires support for VHOST to be + form: `vsock:<CID>:<PORT>`. `vsock` may be replaced with `vsock-stream`, `vsock-dgram` or `vsock-seqpacket` + to force usage of the corresponding socket type. Also note that this requires support for VHOST to be built-in both the guest and the host kernels, and the kernel modules to be loaded. * [`systemd-sysusers(8)`](https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html) diff --git a/man/sd_notify.xml b/man/sd_notify.xml index d8fe6468a2..1e611fe6d8 100644 --- a/man/sd_notify.xml +++ b/man/sd_notify.xml 
@@ -485,12 +485,14 @@ <constant>AF_VSOCK</constant> address, which is useful for hypervisors/VMMs or other processes on the host to receive a notification when a virtual machine has finished booting. Note that in case the hypervisor does not support <constant>SOCK_DGRAM</constant> over <constant>AF_VSOCK</constant>, - <constant>SOCK_SEQPACKET</constant> will be used instead. The address should be in the form: - <literal>vsock:CID:PORT</literal>. Note that unlike other uses of vsock, the CID is mandatory and cannot - be <literal>VMADDR_CID_ANY</literal>. Note that PID1 will send the VSOCK packets from a privileged port - (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in the guest might - try to send malicious notifications to the host, driving it to make destructive decisions based on - them.</para> + <constant>SOCK_SEQPACKET</constant> will be used instead. <literal>vsock-stream</literal>, + <literal>vsock-dgram</literal> and <literal>vsock-seqpacket</literal> can be used instead of + <literal>vsock</literal> to force usage of the corresponding socket type. The address should be in the + form: <literal>vsock:CID:PORT</literal>. Note that unlike other uses of vsock, the CID is mandatory and + cannot be <literal>VMADDR_CID_ANY</literal>. Note that PID1 will send the VSOCK packets from a + privileged port (i.e.: lower than 1024), as an attempt to address concerns that unprivileged processes in + the guest might try to send malicious notifications to the host, driving it to make destructive decisions + based on them.</para> </refsect1> <refsect1> diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index 1ac97ae137..c7166e4f64 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml 
@@ -221,7 +221,9 @@ <replaceable>x</replaceable> on a port <replaceable>y</replaceable> address in the <constant>AF_VSOCK</constant> family. The CID is a unique 32-bit integer identifier in <constant>AF_VSOCK</constant> analogous to an IP address. Specifying the CID is optional, and may be - set to the empty string.</para> + set to the empty string. <literal>vsock</literal> may be replaced with + <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> or <literal>vsock-seqpacket</literal> + to force usage of the corresponding socket type.</para> <para>Note that <constant>SOCK_SEQPACKET</constant> (i.e. <varname>ListenSequentialPacket=</varname>) is only available diff --git a/man/systemd.xml b/man/systemd.xml index b66707faba..cb798af34c 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -1167,7 +1167,9 @@ <constant>SOCK_DGRAM</constant> over <constant>AF_VSOCK</constant>, <constant>SOCK_SEQPACKET</constant> will be tried instead. The credential payload for <constant>AF_VSOCK</constant> should be a string in the form - <literal>vsock:CID:PORT</literal>.</para> + <literal>vsock:CID:PORT</literal>. <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> + and <literal>vsock-seqpacket</literal> can be used instead of <literal>vsock</literal> to force + usage of the corresponding socket type.</para> <para>This feature is useful for machine managers or other processes on the host to receive a notification via VSOCK when a virtual machine has finished booting.</para> |
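Review bot: in the docs/CREDENTIALS.md hunk, the added line `form: \`vsock:<CID>:<PORT>\`. \`vsock\` may be replaced with \`vsock-stream\`, \`vsock-dgram\` or \`vsock-seqpacket\`` runs well past the wrap width of the surrounding paragraph; re-wrap it to match. The new sentence also sits directly after "in case the hypervisor does not support `SOCK_DGRAM` over `AF_VSOCK`, `SOCK_SEQPACKET` will be tried instead", so it should state whether a forced `vsock-dgram:<CID>:<PORT>` still falls back to `SOCK_SEQPACKET` or is an error when the hypervisor lacks datagram support.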
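Review bot: in the man/sd_notify.xml hunk, the fallback is described as "<constant>SOCK_SEQPACKET</constant> will be used instead" while the CREDENTIALS.md and systemd.xml hunks in this same patch say it "will be tried instead"; align the wording. The new sentence about <literal>vsock-stream</literal>, <literal>vsock-dgram</literal> and <literal>vsock-seqpacket</literal> is placed between that fallback statement and "The address should be in the form: <literal>vsock:CID:PORT</literal>", so a reader cannot tell whether forcing a type disables the fallback; say so explicitly. Since this paragraph is also where the privileged source port (lower than 1024) is documented as the guard against unprivileged guest processes forging notifications, it should state that the guard applies regardless of which of the three socket types is forced, so host-side consumers that check the source port do not assume it holds only for the default.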
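Review bot: in the man/systemd.socket.xml hunk, the socket type of a socket unit is already chosen by the directive (<varname>ListenStream=</varname>, <varname>ListenDatagram=</varname>, <varname>ListenSequentialPacket=</varname>, the last of which the following context line mentions), so the added text "to force usage of the corresponding socket type" should specify what happens when literal and directive disagree, e.g. <literal>ListenStream=vsock-dgram:x:y</literal>: which one wins, or whether the unit fails to load. Without that, the sentence is ambiguous here in a way it is not in the notification-socket documentation.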
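Review bot: in the man/systemd.xml hunk, this is the third near-identical sentence added by the patch (after CREDENTIALS.md and sd_notify.xml), and the three variants differ in phrasing ("may be replaced with" versus "can be used instead of"). Consider one shared wording, or have this paragraph and CREDENTIALS.md refer to the sd_notify(3) description, so that the list of accepted literals is maintained in a single place.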