core: consult credentials for machine ID to use for host
authorLennart Poettering <lennart@poettering.net>
Wed, 28 Jun 2023 16:11:15 +0000 (18:11 +0200)
committerLennart Poettering <lennart@poettering.net>
Tue, 4 Jul 2023 21:01:42 +0000 (23:01 +0200)
Let's hook up one more thing with credentials: the machine ID to use
when none is initialized yet.

This requires some reordering of initialization steps in PID 1: we need
to import credentials first, and only then initialize the machine ID.

man/systemd.system-credentials.xml
man/systemd.xml
src/core/main.c
src/shared/machine-id-setup.c

index 97507cf25257fd73efd6fc633fb41993ce7129ca..ceb84d29b9fab22c8edda5f99215d1d3c922da5a 100644 (file)
           <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>system.machine_id</varname></term>
+        <listitem>
+          <para>Takes a 128bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
+          the service manager (PID 1). For details see
+          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
index d63e70f0c879cebfd822deb4a4f815f6efba5cd5..2cffe01aff10515d12e630eba196d0ace961a8c5 100644 (file)
           notification via VSOCK when a virtual machine has finished booting.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><varname>system.machine_id</varname></term>
+        <listitem>
+          <para>Takes a 128bit hexadecimal ID to initialize <filename>/etc/machine-id</filename> from, if the
+          file is not set up yet. See
+          <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+          details.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 
index 3f78f035d0e71126e7cb022d1343487b919f3cd6..6290ec131c02ddd4d2fb797ddf78934a2f413f82 100644 (file)
@@ -2224,10 +2224,15 @@ static int initialize_runtime(
                                 return r;
                         }
 
+                        /* Pull credentials from various sources into a common credential directory (we do
+                         * this here, before setting up the machine ID, so that we can use credential info
+                         * for setting up the machine ID) */
+                        (void) import_credentials();
+
                         (void) os_release_status();
                         (void) hostname_setup(true);
                         /* Force transient machine-id on first boot. */
-                        machine_id_setup(NULL, /* force_transient= */ first_boot, arg_machine_id, NULL);
+                        machine_id_setup(/* root= */ NULL, /* force_transient= */ first_boot, arg_machine_id, /* ret_machine_id */ NULL);
                         (void) loopback_setup();
                         bump_unix_max_dgram_qlen();
                         bump_file_max_and_nr_open();
@@ -2306,10 +2311,6 @@ static int initialize_runtime(
         (void) bump_rlimit_nofile(saved_rlimit_nofile);
         (void) bump_rlimit_memlock(saved_rlimit_memlock);
 
-        /* Pull credentials from various sources into a common credential directory */
-        if (arg_runtime_scope == RUNTIME_SCOPE_SYSTEM && !skip_setup)
-                (void) import_credentials();
-
         return 0;
 }
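Review bot: The relocated `(void) import_credentials();` near the top of the first hunk now takes its guard from the enclosing block rather than from the explicit `arg_runtime_scope == RUNTIME_SCOPE_SYSTEM && !skip_setup` check that the second hunk deletes, and that block's opening condition is outside the hunk, so it is worth confirming the predicate is the same — otherwise credentials could be imported on a re-exec path that previously skipped setup. The move also places `os_release_status()` and `hostname_setup(true)` after the import; if either of them consults credentials, that is a second behaviour change the description does not mention and the new comment could record it, e.g. extend it with `* Note this also runs ahead of hostname_setup(), so credentials are visible there as well.`. initialize_runtime() begins before the first hunk.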
 
index f27c3d768bfcd5b7cd0b4102d3f0a6299d55cc91..e059c71105157ccf594161ead0563c659b5dc629 100644 (file)
@@ -9,6 +9,7 @@
 
 #include "alloc-util.h"
 #include "chase.h"
+#include "creds-util.h"
 #include "fd-util.h"
 #include "id128-util.h"
 #include "io-util.h"
 #include "umask-util.h"
 #include "virt.h"
 
+static int acquire_machine_id_from_credential(sd_id128_t *ret) {
+        _cleanup_free_ char *buf = NULL;
+        int r;
+
+        r = read_credential_with_decryption("system.machine_id", (void**) &buf, /* ret_size= */ NULL);
+        if (r < 0)
+                return log_warning_errno(r, "Failed to read system.machine_id credential, ignoring: %m");
+        if (r == 0) /* not found */
+                return -ENXIO;
+
+        r = sd_id128_from_string(buf, ret);
+        if (r < 0)
+                return log_warning_errno(r, "Failed to parse system.machine_id credential, ignoring: %m");
+
+        log_info("Initializing machine ID from credential.");
+        return 0;
+}
+
 static int generate_machine_id(const char *root, sd_id128_t *ret) {
         _cleanup_close_ int fd = -EBADF;
         int r;
@@ -41,6 +60,11 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
         }
 
         if (isempty(root) && running_in_chroot() <= 0) {
+                /* Let's use a system credential for the machine ID if we can */
+                r = acquire_machine_id_from_credential(ret);
+                if (r >= 0)
+                        return r;
+
                 /* If that didn't work, see if we are running in a container,
                  * and a machine ID was passed in via $container_uuid the way
                  * libvirt/LXC does it */
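Review bot: acquire_machine_id_from_credential() returns whatever sd_id128_from_string() accepts, and that includes the all-zero ID; unless a later check in machine_id_setup() (outside this hunk) refuses SD_ID128_NULL, a `system.machine_id` credential of 32 zeros would be installed as the machine ID. A check after the parse, `if (sd_id128_is_null(*ret)) return log_warning_errno(SYNTHETIC_ERRNO(EINVAL), "system.machine_id credential is the null ID, ignoring.");`, closes that gap. Two smaller points: the function takes `ret` without the usual `assert(ret);`, and sd_id128_from_string() rejects a payload that ends in a newline, which is how the credential looks when it is supplied from a file — if read_credential_with_decryption() does not strip it, a `strstrip(buf)` before parsing would avoid a spurious "Failed to parse" fallback (please confirm). generate_machine_id() continues beyond the end of the hunk.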