From: Michael Vogt Date: Mon, 26 Jan 2026 18:25:50 +0000 (+0100) Subject: vmspawn: keep stderr fd connected when running ssh-keygen X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c5c04ed279ff15d398120e70f327f705725e521;p=thirdparty%2Fsystemd.git vmspawn: keep stderr fd connected when running ssh-keygen When vmspawn executes ssh-keygen it currently hides all std{out,err}. This is not ideal when errors happen, so this commit tweaks the code to include stderr in the output. My use case is that I recently ran into the issue that inside a `mkosi box` my systemd-homed user was not available so ssh-keygen errored with `No user exists for uid 1000` [0] but that error was not visible, only the generic: `'/usr/bin/ssh-keygen' failed with exit status 255.` was displayed. This also adds FORK_REOPEN_LOG to the pidref_safe_fork flags, thanks to Mike Yuan for the suggestion. [0] Arguably this is also an issue in ssh-keygen because it does not need to do the user lookup when `-f /path/` is passed. --- diff --git a/src/vmspawn/vmspawn.c b/src/vmspawn/vmspawn.c index b12e260fa4d..2b6055349f0 100644 --- a/src/vmspawn/vmspawn.c +++ b/src/vmspawn/vmspawn.c @@ -1739,9 +1739,11 @@ static int generate_ssh_keypair(const char *key_path, const char *key_type) { log_debug("Executing: %s", joined); } - r = pidref_safe_fork( + r = pidref_safe_fork_full( ssh_keygen, - FORK_WAIT|FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO, + (int[]) { -EBADF, -EBADF, STDERR_FILENO }, + /* except_fds= */ NULL, /* n_except_fds= */ 0, + FORK_WAIT|FORK_RESET_SIGNALS|FORK_CLOSE_ALL_FDS|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_RLIMIT_NOFILE_SAFE|FORK_REARRANGE_STDIO|FORK_REOPEN_LOG, /* ret= */ NULL); if (r < 0) return r;
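Review bot: In the pidref_safe_fork_full() call in generate_ssh_keypair(), the new array argument `(int[]) { -EBADF, -EBADF, STDERR_FILENO }` is the only one without a naming comment, while `except_fds`, `n_except_fds` and `ret` are all annotated. A reader has to know the slot order to see that stdin and stdout stay detached and only stderr is inherited. A short comment on or above that line would help, and it should say whether keeping stdout hidden is deliberate, since the commit message only speaks of including stderr. The same goes for FORK_REOPEN_LOG appended to the flags line: the message credits the suggestion but neither it nor the code says what it fixes in combination with FORK_REARRANGE_STDIO, so a one-line rationale would help later readers. It is also worth confirming that callers which capture vmspawn's stderr are fine with raw ssh-keygen text now appearing there in addition to the existing "failed with exit status" line.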