Ubuntu
libvirt package

Bug #1960937
Comment #2

Comment 2 for bug 1960937

Revision history for this message

Christian Ehrhardt  (paelzer) wrote on 2022-02-16: Re: Libvirtd on 20.04 does not listen on port 16509

Hi,
thank you for your report!

The config in /etc/default/libvirtd is pretty much there for compatibility reasons with older setups and (on Debian) people using still sys-V init.
And even with systemd some other options than "-l" can still be sued that way e.g. "-v" for extra verbosity.

If one sets that option the error message gladly is pretty clear:
libvirtd[2725397]: --listen parameter not permitted with systemd activation sockets, see 'man libvirtd' for further guidance

In that man page it explains (as that isn't a Ubuntu only problem):

```
...
       In socket activation mode, it will rely on systemd to create and listen on the UNIX, and optionally TCP/IP, sockets and pass them as pre-opened file descriptors. In this mode, it
       is not permitted to pass the --listen parameter, and most of the socket related config options in /etc/libvirt/libvirtd.conf will no longer have any effect. To enable TCP or TLS
       sockets use either

          $ systemctl start libvirtd-tls.socket
       Or
          $ systemctl start libvirtd-tcp.socket
...
```

There is no need to change the .service file as you did, and in fact any subsequent update would eliminate that change.

As a TL;DR and I hope IIRC it would be like:
$ sudo systemctl stop libvirtd
$ sudo systemctl start libvirtd-tcp.socket
# in any real setup you'd now setup SASL, but for this to
# be short I set auth_tcp = "none" in /etc/libvirt/libvirtd.conf

With that in place
$ virsh -c qemu+tcp://127.0.0.1/system list

Will start libvirtd and it accepts tcp connections.

In addition there also is TLS which is more complex there is:

#setup CA and issue/config certificates for libvirtd
# see TLS x509 certificate configuration and any entry related to
# *tls* and *certificates* in /etc/libvirt/libvirtd.conf
$ sudo systemctl stop libvirtd
$ sudo systemctl start libvirtd-tls.socket

What to do from here:
- I agree that a hint in /etc/default/libvirtd would be great to have as its current
  form is misleading.
- This bug demonstrates that it is unclear how to be used.
  Therefore a documentation entry in the Ubuntu server guide would be very helpful.
  It should show how this can be done (for TCP) and also include an example of a
  cert setup and end by accessing via TLS

Triaging the bug with that in mind, but please speak up for a discussion on this if you want.