units: symlink well-known Varlink services into /run/varlink/registry/

So far we didn't provide any concept to enumerate local Varlink
services. Let's change that.

Let's define very light-weight scheme for this: provide a well-known dir
/run/varlink/registry/ where services that implement public interfaces
can link their sockets into. When enumerating services it's thus
sufficient to enumerate inodes in that directory.

The usecase for this is twofold:

1. It's simply very useful to be able to see which public services are
   bound on the local system, for debugging/admin/development purposes.

2. At Amutable we'd like to optionally provide a HTTP-to-Varlink bridge
   on individual nodes, that allows remote peers (after authentication)
   to access local Varlink services. For that it's essential we know the
   list of services and their entrypoints to expose, it would be
   security-wise highly problematic for clients to provide AF_UNIX
   entrypoint paths when connecting. hence: let's instead just have a
   dir with the public stuff, and let's ensure the HTTP-to-Varlink
   bridge simply exposes that stuff, and nothing else.

Non-public interfaces (such as the oomd interfaces between PID 1 and
oomd), and interfaces with multiple implementors (such as the resolved
hook interface, or the metrics collection stuff) should not be linked
in.

This is inspired by the Varlink.org "registry" concept, briefly
explained here:

https://varlink.org/FAQ#how-do-i-find-the-service-which-implements-a-local-interface

Note however that the described Varlink interface is not actually
implemented here, the directory is introduced however in a fashion that
conceptually matches the registry defined there, and would allow us to
implement the registry interface on top of it. (One of the reason the
registry Varlink API is not implemented right now is that the URI format
it relies on is entirely unspecified in the Varlink docs right now. Some
research needs to be done to extract what's implemented in the reference
implementation and to determine how it maps to the Varlink entrypoint
address format systemd's own tooling currently uses)

This primarily installs the symlinks via Symlinks= in unit files and via
a new tmpfiles.d/ drop-in. But since we touch all .socket units relating
to Varlink this also sets the FileDescriptorName= to varlink for each,
just to minimize diffrences and make things work more alike (the
services in questin don't care about the name, so this doesn't change).
In one case we replace a pair of separate sockets for two closely
related varlink services by a socket and a symlink, so that we can
safely use Symlinks= to also install the registry symlinks.

diff --git a/tmpfiles.d/20-systemd-varlink.conf b/tmpfiles.d/20-systemd-varlink.conf
new file mode 100644 (file)
index 0000000..96905ff
--- /dev/null
+++ b/tmpfiles.d/20-systemd-varlink.conf
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# See tmpfiles.d(5) for details.
+
+# Varlink AF_UNIX entrypoint socket inodes of relevant system services may be
+# linked into this directory, to make them "well-known". Typically, tools such
+# as the Varlink HTTP bridge expose services linked in here as public
+# interfaces. The symlink should be named after the Varlink interface to
+# expose. Interfaces that may be implemented by multiple services (such as
+# the generic "io.systemd.service") should not be symlinked here.
+d /run/varlink/registry/ 0755 root root
+
+# Socket activated services should use Symlinks= in the .socket unit file to
+# create these symlinks. If that's not applicable, consider creating the
+# symlinks via a tmpfiles.d/ snippet, like we do here, so that registration can
+# be influenced by the administrator.
+L /run/varlink/registry/io.systemd.Unit - - - - ../../systemd/io.systemd.Manager
+L /run/varlink/registry/io.systemd.Manager - - - - ../../systemd/io.systemd.Manager
+L /run/varlink/registry/io.systemd.Journal - - - - ../../systemd/journal/io.systemd.journal

diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
index 7f3fce48c9f11eb4a55c79a17db8fb310fe04830..c8f9015b2ecc8b54247c53dda96b1ae80e4a15bd 100644 (file)
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@@ -13,6 +13,7 @@ files = [['README'                                  ],
          ['systemd-nspawn.conf',  'ENABLE_MACHINED' ],
          ['systemd-pstore.conf',  'ENABLE_PSTORE'   ],
          ['systemd-resolve.conf', 'ENABLE_RESOLVE'  ],
+         ['20-systemd-varlink.conf'                 ],
          ['systemd-tmp.conf'                        ],
          ['tmp.conf'                                ],
          ['x11.conf'                                ],
@@ -59,3 +60,5 @@ endforeach
 if install_sysconfdir
         install_emptydir(sysconfdir / 'tmpfiles.d')
 endif
+
+subdir('user')

diff --git a/tmpfiles.d/user/20-systemd-varlink.conf b/tmpfiles.d/user/20-systemd-varlink.conf
new file mode 100644 (file)
index 0000000..6df6408
--- /dev/null
+++ b/tmpfiles.d/user/20-systemd-varlink.conf
@@ -0,0 +1,7 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# See tmpfiles.d(5) for details.
+
+d %t/varlink/registry/ 0755
+
+L %t/varlink/registry/io.systemd.Unit - - - - ../../systemd/io.systemd.Manager
+L %t/varlink/registry/io.systemd.Manager - - - - ../../systemd/io.systemd.Manager

diff --git a/tmpfiles.d/user/meson.build b/tmpfiles.d/user/meson.build
new file mode 100644 (file)
index 0000000..551e4fe
--- /dev/null
+++ b/tmpfiles.d/user/meson.build
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+files = [ '20-systemd-varlink.conf' ]
+
+foreach f : files
+        install_data(f, install_dir : usertmpfilesdir)
+endforeach
+
+if install_sysconfdir
+        install_emptydir(sysconfdir / 'user-tmpfiles.d')
+endif

diff --git a/units/systemd-ask-password.socket b/units/systemd-ask-password.socket
index c8d203b077bf994d42c89267174668e90b4d8f0c..df5eaffc22bd1698f70b65c39190360917ac71a6 100644 (file)
--- a/units/systemd-ask-password.socket
+++ b/units/systemd-ask-password.socket
@@ -15,6 +15,7 @@ Before=sockets.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.AskPassword
+Symlinks=/run/varlink/registry/io.systemd.AskPassword
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes

diff --git a/units/systemd-bootctl.socket b/units/systemd-bootctl.socket
index f9553b840be4861a73a0a06a09130aed29df3085..e720f24f54382ae66e36e909f002d30ffd945f99 100644 (file)
--- a/units/systemd-bootctl.socket
+++ b/units/systemd-bootctl.socket
@@ -16,6 +16,7 @@ Before=sockets.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.BootControl
+Symlinks=/run/varlink/registry/io.systemd.BootControl
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
index bf13c11e0fa905f997e3cf1883f043f4137ae38b..3ea3ca5b05398f721ae22d4e36aeeba2ea9c0b55 100644 (file)
--- a/units/systemd-creds.socket
+++ b/units/systemd-creds.socket
@@ -15,6 +15,7 @@ Before=sockets.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.Credentials
+Symlinks=/run/varlink/registry/io.systemd.Credentials
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes

diff --git a/units/systemd-factory-reset.socket b/units/systemd-factory-reset.socket
index d833ffdb9956caf67c5db074697c11940fea41eb..467517ec24b79028f1c1cd37d23f240774d5190c 100644 (file)
--- a/units/systemd-factory-reset.socket
+++ b/units/systemd-factory-reset.socket
@@ -15,6 +15,7 @@ Before=sockets.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.FactoryReset
+Symlinks=/run/varlink/registry/io.systemd.FactoryReset
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes

diff --git a/units/systemd-hostnamed.socket b/units/systemd-hostnamed.socket
index 2a2cfce6531667c23d7c33d87901fe3011060f79..288e736b47134d2946d79bd54ac2a87b9cb3e5fe 100644 (file)
--- a/units/systemd-hostnamed.socket
+++ b/units/systemd-hostnamed.socket
@@ -15,5 +15,6 @@ Documentation=man:machine-info(5)
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.Hostname
+Symlinks=/run/varlink/registry/io.systemd.Hostname
 FileDescriptorName=varlink
 SocketMode=0666

diff --git a/units/systemd-importd.socket b/units/systemd-importd.socket
index d1c9c22a4cde667077302ee19a4cc109f7d3fdd2..a538ef0d0e0029fb271be00e8336aa236378f527 100644 (file)
--- a/units/systemd-importd.socket
+++ b/units/systemd-importd.socket
@@ -20,5 +20,6 @@ Before=shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.Import
+Symlinks=/run/varlink/registry/io.systemd.Import
 FileDescriptorName=varlink
 SocketMode=0666

diff --git a/units/systemd-logind-varlink.socket b/units/systemd-logind-varlink.socket
index 3978e8ab903d53c7ca0263e48a9d098f575f5c14..1d3652e0497421ec5b7bebad53df658112f23fe6 100644 (file)
--- a/units/systemd-logind-varlink.socket
+++ b/units/systemd-logind-varlink.socket
@@ -13,6 +13,7 @@ Documentation=man:systemd-logind.service(8)
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.Login
+Symlinks=/run/varlink/registry/io.systemd.Login
 FileDescriptorName=varlink
 SocketMode=0666
 Service=systemd-logind.service

diff --git a/units/systemd-machined.socket b/units/systemd-machined.socket
index 3df5c7d8c30c275eabe31b06c27ed3a0648b9223..75a91bb0cccab4f549d89aa479395ab3dbb51d7b 100644 (file)
--- a/units/systemd-machined.socket
+++ b/units/systemd-machined.socket
@@ -13,6 +13,6 @@ Documentation=man:systemd-machined.service(8)
 
 [Socket]
 ListenStream=/run/systemd/machine/io.systemd.Machine
-ListenStream=/run/systemd/machine/io.systemd.MachineImage
+Symlinks=/run/systemd/machine/io.systemd.MachineImage /run/varlink/registry/io.systemd.Machine /run/varlink/registry/io.systemd.MachineImage
 FileDescriptorName=varlink
 SocketMode=0666

diff --git a/units/systemd-mountfsd.socket b/units/systemd-mountfsd.socket
index cd88003af90708c2544b3289b7cf1c7b04855179..431369a1a181e785300e7076025d6f9bc14a869f 100644 (file)
--- a/units/systemd-mountfsd.socket
+++ b/units/systemd-mountfsd.socket
@@ -16,6 +16,8 @@ Before=sockets.target shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.MountFileSystem
+Symlinks=/run/varlink/registry/io.systemd.MountFileSystem
+FileDescriptorName=varlink
 SocketMode=0666
 
 [Install]

diff --git a/units/systemd-mute-console.socket b/units/systemd-mute-console.socket
index 16032e94b4cb5767308a127f36566bc40f29b1cc..5eae6d5acd0ad6b703f91179823fd59d864f96a0 100644 (file)
--- a/units/systemd-mute-console.socket
+++ b/units/systemd-mute-console.socket
@@ -17,6 +17,7 @@ Before=shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.MuteConsole
+Symlinks=/run/varlink/registry/io.systemd.MuteConsole
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/systemd-networkd-varlink.socket b/units/systemd-networkd-varlink.socket
index 7d194fff345671f646e92067ccd538a9226ea19a..1f4db858bc6adf0c60aa492be5e038cea2031072 100644 (file)
--- a/units/systemd-networkd-varlink.socket
+++ b/units/systemd-networkd-varlink.socket
@@ -17,6 +17,7 @@ Conflicts=shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/netif/io.systemd.Network
+Symlinks=/run/varlink/registry/io.systemd.Network
 FileDescriptorName=varlink
 SocketMode=0666
 Service=systemd-networkd.service

diff --git a/units/systemd-nsresourced.socket b/units/systemd-nsresourced.socket
index 2e3c8e9baa2fe5f7e03cb8e88687d0acb9fc2c14..c159a5676ae2fc82002e4f0a561f1edfb6166fb2 100644 (file)
--- a/units/systemd-nsresourced.socket
+++ b/units/systemd-nsresourced.socket
@@ -16,7 +16,8 @@ Before=sockets.target shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.NamespaceResource
-Symlinks=/run/systemd/userdb/io.systemd.NamespaceResource
+Symlinks=/run/systemd/userdb/io.systemd.NamespaceResource /run/varlink/registry/io.systemd.NamespaceResource
+FileDescriptorName=varlink
 SocketMode=0666
 
 [Install]

diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket
index 4f7474812544024308fb8696e628e670cc8b0288..d429150eda0d784b03623b6bdea73a63c1910343 100644 (file)
--- a/units/systemd-pcrextend.socket
+++ b/units/systemd-pcrextend.socket
@@ -17,6 +17,7 @@ ConditionSecurity=measured-uki
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.PCRExtend
+Symlinks=/run/varlink/registry/io.systemd.PCRExtend
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/systemd-pcrlock.socket b/units/systemd-pcrlock.socket
index ca1cd53aeacf02d7af5a9ca090cf2462e5486a36..e166caf3d842bea362b434888a4d9504414cb4e3 100644 (file)
--- a/units/systemd-pcrlock.socket
+++ b/units/systemd-pcrlock.socket
@@ -17,6 +17,7 @@ ConditionSecurity=measured-uki
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.PCRLock
+Symlinks=/run/varlink/registry/io.systemd.PCRLock
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/systemd-repart.socket b/units/systemd-repart.socket
index c9fc308b1b2d68c5a9b2407c00f4fdfd053cb64b..ecd275414d54016ce40b2170835883846febd1d0 100644 (file)
--- a/units/systemd-repart.socket
+++ b/units/systemd-repart.socket
@@ -17,6 +17,7 @@ Before=shutdown.target
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.Repart
+Symlinks=/run/varlink/registry/io.systemd.Repart
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/systemd-resolved-monitor.socket b/units/systemd-resolved-monitor.socket
index a778e60dd29007545dce4a34b2f598f58cab62dc..3674a1f876eda3256672559872c47b8fe7e8b749 100644 (file)
--- a/units/systemd-resolved-monitor.socket
+++ b/units/systemd-resolved-monitor.socket
@@ -17,6 +17,7 @@ Conflicts=shutdown.target
 [Socket]
 Service=systemd-resolved.service
 ListenStream=/run/systemd/resolve/io.systemd.Resolve.Monitor
+Symlinks=/run/varlink/registry/io.systemd.Resolve.Monitor
 FileDescriptorName=varlink-monitor
 SocketMode=0666
 

diff --git a/units/systemd-resolved-varlink.socket b/units/systemd-resolved-varlink.socket
index 7ac83e5ec9a1b0203985c2106a6f8b2f99334122..a5701683732b5da5c1f1726f846c91f900a45d16 100644 (file)
--- a/units/systemd-resolved-varlink.socket
+++ b/units/systemd-resolved-varlink.socket
@@ -17,6 +17,7 @@ Conflicts=shutdown.target
 [Socket]
 Service=systemd-resolved.service
 ListenStream=/run/systemd/resolve/io.systemd.Resolve
+Symlinks=/run/varlink/registry/io.systemd.Resolve
 FileDescriptorName=varlink
 SocketMode=0666
 

diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket
index 97d1695780e65953e7a5059422b86a45c51ed852..61d7268f377d97176f273769ec2bfd03825ecf12 100644 (file)
--- a/units/systemd-sysext.socket
+++ b/units/systemd-sysext.socket
@@ -17,6 +17,7 @@ ConditionCapability=CAP_SYS_ADMIN
 
 [Socket]
 ListenStream=/run/systemd/io.systemd.sysext
+Symlinks=/run/varlink/registry/io.systemd.sysext
 FileDescriptorName=varlink
 SocketMode=0666
 Accept=yes

diff --git a/units/systemd-udevd-varlink.socket b/units/systemd-udevd-varlink.socket
index 74353e7f1aec66c0db50961597f9a76914948264..c2b7652e5eaeb098724c8a51501a9419497ff19a 100644 (file)
--- a/units/systemd-udevd-varlink.socket
+++ b/units/systemd-udevd-varlink.socket
@@ -17,6 +17,7 @@ ConditionPathIsReadWrite=/sys
 [Socket]
 Service=systemd-udevd.service
 ListenStream=/run/udev/io.systemd.Udev
+Symlinks=/run/varlink/registry/io.systemd.Udev
 FileDescriptorName=varlink
 SocketMode=0600
 RemoveOnStop=yes

diff --git a/units/systemd-userdbd.socket b/units/systemd-userdbd.socket
index 6ef1adeca74b22a132d2a95bd6922559520d6d2a..6793d1b41df1b88af54bde312bcce0e8311cf7d7 100644 (file)
--- a/units/systemd-userdbd.socket
+++ b/units/systemd-userdbd.socket
@@ -15,7 +15,8 @@ Before=sockets.target
 
 [Socket]
 ListenStream=/run/systemd/userdb/io.systemd.Multiplexer
-Symlinks=/run/systemd/userdb/io.systemd.NameServiceSwitch /run/systemd/userdb/io.systemd.DropIn
+Symlinks=/run/systemd/userdb/io.systemd.NameServiceSwitch /run/systemd/userdb/io.systemd.DropIn /run/varlink/registry/io.systemd.UserDatabase
+FileDescriptorName=varlink
 SocketMode=0666
 RemoveOnStop=yes
 

diff --git a/units/user/systemd-ask-password.socket b/units/user/systemd-ask-password.socket
index ce9ccd9e55aec8beab0a5d6e29aa21141e56d3fd..56492fae54df5a3611938cac36ff4748bc58f9ca 100644 (file)
--- a/units/user/systemd-ask-password.socket
+++ b/units/user/systemd-ask-password.socket
@@ -15,6 +15,7 @@ Before=sockets.target
 
 [Socket]
 ListenStream=%t/systemd/io.systemd.AskPassword
+Symlinks=%t/varlink/registry/io.systemd.AskPassword
 FileDescriptorName=varlink
 SocketMode=0600
 Accept=yes

diff --git a/units/user/systemd-importd.socket b/units/user/systemd-importd.socket
index d266d927f8593fce902a534251cd4ceadfb2a900..67ea62bdb0aee4b0a1f7f3ee54ef6c701941a9f7 100644 (file)
--- a/units/user/systemd-importd.socket
+++ b/units/user/systemd-importd.socket
@@ -14,5 +14,6 @@ Documentation=man:org.freedesktop.import1(5)
 
 [Socket]
 ListenStream=%t/systemd/io.systemd.Import
+Symlinks=%t/varlink/registry/io.systemd.Import
 FileDescriptorName=varlink
 SocketMode=0600

diff --git a/units/user/systemd-machined.socket b/units/user/systemd-machined.socket
index d368215e98e9d9e053da04a0e3a8e2b46926dbfb..17e552a7dcb56a43c4b69d8935e953a85b8df468 100644 (file)
--- a/units/user/systemd-machined.socket
+++ b/units/user/systemd-machined.socket
@@ -13,6 +13,6 @@ Documentation=man:systemd-machined.service(8)
 
 [Socket]
 ListenStream=%t/systemd/machine/io.systemd.Machine
-ListenStream=%t/systemd/machine/io.systemd.MachineImage
+Symlinks=%t/systemd/machine/io.systemd.MachineImage %t/varlink/registry/io.systemd.Machine %t/varlink/registry/io.systemd.MachineImage
 FileDescriptorName=varlink
 SocketMode=0600