From: Daan De Meyer Date: Thu, 25 Apr 2024 14:58:44 +0000 (+0200) Subject: TEST-50-DISSECT: Make sure logging sockets are mounted into images X-Git-Tag: v256-rc1~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=69dc36f69bb31acbd1a692ffaff80b6618b4f15e;p=thirdparty%2Fsystemd.git TEST-50-DISSECT: Make sure logging sockets are mounted into images Otherwise we lose valuable logging from systemd-executor when things go wrong since it can only log to the journal and not to the console in these cases. --- diff --git a/test/units/testsuite-50.dissect.sh b/test/units/testsuite-50.dissect.sh index 34e60aa76f0..25bf4d8f939 100755 --- a/test/units/testsuite-50.dissect.sh +++ b/test/units/testsuite-50.dissect.sh @@ -9,6 +9,12 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh +BIND_LOG_SOCKETS=( + --property BindReadOnlyPaths=/dev/log + --property BindReadOnlyPaths=/run/systemd/journal/socket + --property BindReadOnlyPaths=/run/systemd/journal/stdout +) + systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \ grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"' systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1" 
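Review bot: The new `BIND_LOG_SOCKETS` array in the first hunk has no comment saying why these three sockets are bound into every image; the reason is only in the commit message. I would add above it `# Bind the journal sockets into RootImage= units so systemd-executor can still log when unit setup fails.` The three source paths are also mandatory as written, so a host where one of them is absent would fail every unit that uses the array. If that can happen in a test environment, the `-` prefix (`BindReadOnlyPaths=-/dev/log`) makes systemd skip a missing source instead.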
@@ -73,19 +79,21 @@ fi systemd-dissect --umount "$IMAGE_DIR/mount" systemd-dissect --umount "$IMAGE_DIR/mount2" -systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /usr/lib/os-release | grep -q -F "MARKER=1" +systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1" mv "$MINIMAL_IMAGE.verity" "$MINIMAL_IMAGE.fooverity" mv "$MINIMAL_IMAGE.roothash" "$MINIMAL_IMAGE.foohash" systemd-run -P \ -p RootImage="$MINIMAL_IMAGE.raw" \ -p RootHash="$MINIMAL_IMAGE.foohash" \ -p RootVerity="$MINIMAL_IMAGE.fooverity" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" # Let's use the long option name just here as a test systemd-run -P \ --property RootImage="$MINIMAL_IMAGE.raw" \ --property RootHash="$MINIMAL_IMAGE_ROOTHASH" \ --property RootVerity="$MINIMAL_IMAGE.fooverity" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" mv "$MINIMAL_IMAGE.fooverity" "$MINIMAL_IMAGE.verity" mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash" 
@@ -133,48 +141,56 @@ systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='*' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" (! systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='~' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1") (! systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='-' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1") (! systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='root=absent' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1") systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='root=verity' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='root=signed' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" (! systemd-run --wait -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p RootImagePolicy='root=encrypted' \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1") systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" --mount "$MINIMAL_IMAGE.gpt" "$IMAGE_DIR/mount" 
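Review bot: The four negated runs in this hunk (`RootImagePolicy='~'`, `'-'`, `'root=absent'` and `'root=encrypted'`) succeed on any non-zero exit, so with `"${BIND_LOG_SOCKETS[@]}"` added they would also pass if the unit failed because a bind source was missing, not because the image policy rejected the image. That weakness predates the commit, but each extra property widens it for tests that are meant to prove policy enforcement. A cheap guard is to check the sockets once before these runs, e.g. `[[ -S /run/systemd/journal/socket ]]`, so a missing socket fails the script loudly instead of satisfying a `(! …)`. The first `systemd-run` command of the hunk starts above the visible lines.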
@@ -194,14 +210,17 @@ systemd-run -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p MountAPIVFS=yes \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" systemd-run -P \ -p RootImage="$MINIMAL_IMAGE.raw" \ -p RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" \ + "${BIND_LOG_SOCKETS[@]}" \ mount | grep -F "squashfs" | grep -q -F "nosuid" systemd-run -P \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootImageOptions="root:ro,noatime root:ro,dev" \ + "${BIND_LOG_SOCKETS[@]}" \ mount | grep -F "squashfs" | grep -q -F "noatime" mkdir -p "$IMAGE_DIR/result" @@ -214,6 +233,7 @@ TemporaryFileSystem=/run RootImage=$MINIMAL_IMAGE.raw RootImageOptions=root:ro,noatime home:ro,dev relatime,dev RootImageOptions=nosuid,dev +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout EOF systemctl start testservice-50a.service grep -F "squashfs" "$IMAGE_DIR/result/a" | grep -q -F "noatime" @@ -230,6 +250,7 @@ RootImageOptions=root:ro,noatime,nosuid home:ro,dev nosuid,dev RootImageOptions=home:ro,dev nosuid,dev,%%foo # this is the default, but let's specify once to test the parser MountAPIVFS=yes +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout EOF systemctl start testservice-50b.service grep -F "squashfs" "$IMAGE_DIR/result/b" | grep -q -F "noatime" 
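Review bot: The two unit-file hunks here (the ones ending in `systemctl start testservice-50a.service` and `testservice-50b.service`) repeat the three socket paths in a literal `BindReadOnlyPaths=` line, so the list now lives in three places and can drift from `BIND_LOG_SOCKETS`. The here-documents open outside the hunks, but `RootImage=$MINIMAL_IMAGE.raw` in the context suggests they are expanded, in which case the paths could be defined once next to the array, e.g. `LOG_SOCKET_PATHS="/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout"`, and written as `BindReadOnlyPaths=$LOG_SOCKET_PATHS`. If the duplication is kept, a short comment in the script pointing at the array would help the next editor keep them in step.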
@@ -262,23 +283,27 @@ systemd-run -P \ -p TemporaryFileSystem=/run \ -p RootImage="$MINIMAL_IMAGE.raw" \ -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/os-release | grep -q -F "MARKER=1" systemd-run -P \ -p TemporaryFileSystem=/run \ -p RootImage="$MINIMAL_IMAGE.raw" \ -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1" systemd-run -P \ -p TemporaryFileSystem=/run \ -p RootImage="$MINIMAL_IMAGE.gpt" \ -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \ -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1" cat >/run/systemd/system/testservice-50c.service </run/result/c" 
@@ -326,34 +351,42 @@ systemctl is-active testservice-50d.service systemd-run -P \ --property ExtensionImages=/usr/share/app0.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /opt/script0.sh | grep -q -F "extension-release.app0" systemd-run -P \ --property ExtensionImages=/usr/share/app0.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /opt/script0.sh | grep -q -F "extension-release.app0" systemd-run -P \ --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /opt/script1.sh | grep -q -F "extension-release.app2" systemd-run -P \ --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages=/usr/share/app-nodistro.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" systemd-run -P \ --property ExtensionImages=/etc/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" # Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw mkdir -p /usr/share/symlink-test/ 
@@ -362,6 +395,7 @@ ln -fs /usr/share/symlink-test/app-nodistro-v1.raw /usr/share/symlink-test/app-n systemd-run -P \ --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" # Symlink check again but for confext @@ -371,17 +405,20 @@ ln -fs /etc/symlink-test/service-scoped-test-v1.raw /etc/symlink-test/service-sc systemd-run -P \ --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" # And again mixing sysext and confext systemd-run -P \ --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \ --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123" systemd-run -P \ --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \ --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \ --property RootImage="$MINIMAL_IMAGE.raw" \ + "${BIND_LOG_SOCKETS[@]}" \ cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1" cat >/run/systemd/system/testservice-50e.service </run/systemd/system/testservice-50f.service <