2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
# Preflight: the test needs both halves of the transfer pair. If either binary
# was not built, there is nothing to exercise, so leave with the "skip" message.
for tool in systemd-journal-remote systemd-journal-upload; do
    if [[ ! -x "/usr/lib/systemd/$tool" ]]; then
        echo "Built without systemd-journal-remote/upload support, skipping the test"
        exit 0
    fi
done

# All key/certificate material below is produced with the openssl CLI, so bail
# out early (as a skip, not a failure) when it is not installed.
if ! command -v openssl >/dev/null; then
    echo "openssl command not available, skipping the tests"
    exit 0
fi
# Tear down the transfer pair: the uploader (client side) first, then the
# receiver's socket and service in one go.
systemctl stop systemd-journal-upload
systemctl stop systemd-journal-remote.socket systemd-journal-remote.service
# Remove any remote journals on exit, so we don't try to export them together
# with the local journals, causing a mess
rm -rf -- /var/log/journal/remote
# A payload and a syslog identifier unique to this run, so the checks further
# down can pick exactly this entry out of the received journal.
TEST_MESSAGE="-= This is a test message $RANDOM =-"
TEST_TAG="$(systemd-id128 new)"

# Log it locally; journal-upload is expected to ship it to journal-remote.
printf '%s\n' "$TEST_MESSAGE" | systemd-cat -t "$TEST_TAG"
# Smoke-test the binaries themselves: --version and --help must run and exit 0.
for tool in systemd-journal-remote systemd-journal-upload; do
    "/usr/lib/systemd/$tool" --version
    "/usr/lib/systemd/$tool" --help
done
# Generate a self-signed certificate for systemd-journal-remote
#
# Note: older OpenSSL requires a config file with some extra options, unfortunately
# Note2: /run here is used on purpose, since the systemd-journal-remote service uses PrivateTmp=yes
#        (the private key lands in this directory, so it must be somewhere the
#        service actually sees)
mkdir -p -- /run/systemd/journal-remote-tls
45 cat >/tmp
/openssl.conf
<<EOF
48 distinguished_name = req_distinguished_name
50 [ req_distinguished_name ]
# One-shot self-signed server certificate: -x509 emits a certificate instead of
# a CSR, -nodes leaves the key unencrypted so the service can load it without a
# passphrase, and 7 days is more than enough for a test run. The config file in
# /tmp only carries the DN fields, no secrets; the key itself goes to /run.
openssl_args=(
    req -x509 -nodes -newkey rsa:2048 -sha256 -days 7
    -config /tmp/openssl.conf
    -keyout /run/systemd/journal-remote-tls/key.pem
    -out /run/systemd/journal-remote-tls/cert.pem
)
openssl "${openssl_args[@]}"
# Hand the key and certificate to the receiver's service user (recursively, so
# the directory itself is covered too).
chown -R systemd-journal-remote /run/systemd/journal-remote-tls
# Configure journal-upload to upload journals to journal-remote without client certificates
# (drop-in directories for both sides; the drop-ins themselves are written below)
for side in remote upload; do
    mkdir -p -- "/run/systemd/journal-$side.conf.d"
done
65 cat >/run
/systemd
/journal-remote.conf.d
/99-test.conf
<<EOF
68 ServerKeyFile=/run/systemd/journal-remote-tls/key.pem
69 ServerCertificateFile=/run/systemd/journal-remote-tls/cert.pem
70 TrustedCertificateFile=-
72 cat >/run
/systemd
/journal-upload.conf.d
/99-test.conf
<<EOF
74 URL=https://localhost:19532
76 ServerCertificateFile=-
77 TrustedCertificateFile=-
# Dump the effective configuration (drop-ins included) into the test log.
systemd-analyze cat-config systemd/journal-remote.conf
systemd-analyze cat-config systemd/journal-upload.conf

# Only the socket is restarted on the receiver side; the service is expected
# to come up on its own, which the bounded wait below checks for.
systemctl restart systemd-journal-remote.socket
systemctl restart systemd-journal-upload
wait_active='until systemctl -q is-active systemd-journal-remote.service; do sleep 1; done'
timeout 15 bash -xec "$wait_active"
systemctl status systemd-journal-remote systemd-journal-upload

# It may take a bit until the whole journal is transferred
# TEST_TAG/TEST_MESSAGE are expanded here, before the inner shell sees the
# string; both are generated by this script, so that is safe.
wait_msg="until journalctl --directory=/var/log/journal/remote --identifier='$TEST_TAG' --grep='$TEST_MESSAGE'; do sleep 1; done"
timeout 30 bash -xec "$wait_msg"
# Stop both sides again and drop what was received (keeping the directory),
# so the next phase starts from a clean remote journal.
systemctl stop systemd-journal-upload
systemctl stop systemd-journal-remote.socket systemd-journal-remote.service
rm -rf /var/log/journal/remote/*
# Now let's do the same, but with a full PKI setup

# journal-upload keeps the cursor of the last uploaded message, so let's send a fresh one
printf '%s\n' "$TEST_MESSAGE" | systemd-cat -t "$TEST_TAG"

# No -p here: a leftover directory from an earlier run fails loudly instead of
# silently reusing stale key material.
mkdir -- /run/systemd/remote-pki
101 cat >/run
/systemd
/remote-pki
/ca.conf
<<EOF
104 distinguished_name = req_distinguished_name
106 [ req_distinguished_name ]
113 cat >/run
/systemd
/remote-pki
/client.conf
<<EOF
116 distinguished_name = req_distinguished_name
118 [ req_distinguished_name ]
125 cat >/run
/systemd
/remote-pki
/server.conf
<<EOF
128 distinguished_name = req_distinguished_name
130 [ req_distinguished_name ]
# Generate a dummy CA
ca_args=(
    req -x509 -nodes -newkey rsa:2048 -sha256 -days 7
    -config /run/systemd/remote-pki/ca.conf
    -keyout /run/systemd/remote-pki/ca.key
    -out /run/systemd/remote-pki/ca.crt
)
openssl "${ca_args[@]}"
# "openssl x509 -req -CA ca.crt" reads its serial counter from ca.srl next to
# the CA certificate when no -CAserial/-CAcreateserial is given; seed it so the
# signing steps below have one.
printf '01\n' >/run/systemd/remote-pki/ca.srl
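#######################################
# Create a key + CSR for one peer and have the dummy CA sign it.
# Arguments: $1 - peer name; reads /run/systemd/remote-pki/$1.conf and writes
#                 $1.key, $1.csr and $1.crt next to it
# Globals:   none
# Returns:   non-zero if any openssl step fails
#######################################
issue_pki_cert() {
    local peer=$1
    local -r pki=/run/systemd/remote-pki

    # Key and signing request (no -x509: this one is meant to be signed by the CA)
    openssl req -nodes -newkey rsa:2048 -sha256 \
        -config "$pki/$peer.conf" \
        -keyout "$pki/$peer.key" \
        -out "$pki/$peer.csr"
    # Sign the request with the CA key; the serial comes from ca.srl seeded earlier
    openssl x509 -req -days 7 \
        -in "$pki/$peer.csr" \
        -CA "$pki/ca.crt" \
        -CAkey "$pki/ca.key" \
        -out "$pki/$peer.crt"
}

# Generate a client key and signing request, and sign it with the CA key
issue_pki_cert client
# And do the same for the server
issue_pki_cert server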
# Both service users must be able to read their own key/cert and the CA cert.
# In a throwaway test the simplest way is rwX on the whole directory; note this
# also exposes ca.key to both services, which is acceptable only because the CA
# is a dummy that lives and dies with this test.
for svc_user in systemd-journal-remote systemd-journal-upload; do
    setfacl -R -m "u:$svc_user:rwX" /run/systemd/remote-pki
done
167 # Reconfigure journal-upload/journal remote with the new keys
168 cat >/run
/systemd
/journal-remote.conf.d
/99-test.conf
<<EOF
171 ServerKeyFile=/run/systemd/remote-pki/server.key
172 ServerCertificateFile=/run/systemd/remote-pki/server.crt
173 TrustedCertificateFile=/run/systemd/remote-pki/ca.crt
175 cat >/run
/systemd
/journal-upload.conf.d
/99-test.conf
<<EOF
177 URL=https://localhost:19532
178 ServerKeyFile=/run/systemd/remote-pki/client.key
179 ServerCertificateFile=/run/systemd/remote-pki/client.crt
180 TrustedCertificateFile=/run/systemd/remote-pki/ca.crt
# Dump the effective (PKI) configuration into the test log.
systemd-analyze cat-config systemd/journal-remote.conf
systemd-analyze cat-config systemd/journal-upload.conf

# Same bring-up as in the no-client-cert phase: restart the receiver's socket
# and the uploader, wait for the receiver service to become active.
systemctl restart systemd-journal-remote.socket
systemctl restart systemd-journal-upload
wait_active='until systemctl -q is-active systemd-journal-remote.service; do sleep 1; done'
timeout 15 bash -xec "$wait_active"
systemctl status systemd-journal-remote systemd-journal-upload

# It may take a bit until the whole journal is transferred
# (TEST_TAG/TEST_MESSAGE are script-generated, so expanding them into the
# inner command line is safe)
wait_msg="until journalctl --directory=/var/log/journal/remote --identifier='$TEST_TAG' --grep='$TEST_MESSAGE'; do sleep 1; done"
timeout 30 bash -xec "$wait_msg"

systemctl stop systemd-journal-upload
systemctl stop systemd-journal-remote.socket systemd-journal-remote.service
196 # Let's test if journal-remote refuses connection from journal-upload with invalid client certs
198 # We should end up with something like this:
199 # systemd-journal-remote[726]: Client is not authorized
200 # systemd-journal-upload[738]: Upload to https://localhost:19532/upload failed with code 401:
201 # systemd[1]: systemd-journal-upload.service: Main process exited, code=exited, status=1/FAILURE
202 # systemd[1]: systemd-journal-upload.service: Failed with result 'exit-code'.
204 cat >/run
/systemd
/journal-upload.conf.d
/99-test.conf
<<EOF
206 URL=https://localhost:19532
207 ServerKeyFile=/run/systemd/journal-remote-tls/key.pem
208 ServerCertificateFile=/run/systemd/journal-remote-tls/cert.pem
209 TrustedCertificateFile=/run/systemd/remote-pki/ca.crt
systemd-analyze cat-config systemd/journal-upload.conf
# Let the uploader read the self-signed (non-CA-issued) pair, so this negative
# test fails on the receiver's authorization check and not on a local
# permission error.
setfacl -R -m "u:systemd-journal-upload:rwX" /run/systemd/journal-remote-tls

systemctl restart systemd-journal-upload
# The upload service is expected to fail (the receiver rejects the untrusted
# client certificate) rather than hang, so wait for ActiveState=failed with a
# bounded timeout.
wait_failed='while [[ "$(systemctl show -P ActiveState systemd-journal-upload)" != failed ]]; do sleep 1; done'
timeout 10 bash -xec "$wait_failed"
# And assert the unit really is unhealthy: a successful status here is the
# failure case (the negated subshell turns that into a non-zero exit).
(! systemctl status systemd-journal-upload)