From: Mike Yuan Date: Tue, 7 May 2024 11:45:06 +0000 (+0800) Subject: core/exec-credential: complain louder if inherited credential is missing X-Git-Tag: v256-rc2~59^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F32689%2Fhead;p=thirdparty%2Fsystemd.git core/exec-credential: complain louder if inherited credential is missing Also document that a missing inherited credential is not considered fatal. Closes #32667 --- diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index d9ec44983fc..56eb6af8728 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -3385,6 +3385,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX a terse way to declare credentials to inherit from the service manager into a service. This option may be used multiple times, each time defining an additional credential to pass to the unit. + Note that if the path is not specified or a valid credential identifier is given, i.e. + in the above two cases, a missing credential is not considered fatal. + If an absolute path referring to a directory is specified, every file in that directory (recursively) will be loaded as a separate credential. The ID for each credential will be the provided ID suffixed with _$FILENAME (e.g., Key_file1). When diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c index 1dbf70930e8..9c48bd8d0f1 100644 --- a/src/core/exec-credential.c +++ b/src/core/exec-credential.c @@ -443,7 +443,7 @@ static int load_credential( /* Pass some minimal info about the unit and the credential name we are looking to acquire * via the source socket address in case we read off an AF_UNIX socket. */ - if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, id) < 0) + if (asprintf(&bindname, "@%" PRIx64 "/unit/%s/%s", random_u64(), unit, id) < 0) return -ENOMEM; missing_ok = false; 
@@ -467,7 +467,7 @@ static int load_credential( maxsz = encrypted ? CREDENTIAL_ENCRYPTED_SIZE_MAX : CREDENTIAL_SIZE_MAX; - if (search_path) { + if (search_path) STRV_FOREACH(d, search_path) { _cleanup_free_ char *j = NULL; @@ -485,7 +485,7 @@ static int load_credential( if (r != -ENOENT) break; } - } else if (source) + else if (source) r = read_full_file_full( read_dfd, source, UINT64_MAX, @@ -504,7 +504,8 @@ static int load_credential( * * Also, if the source file doesn't exist, but a fallback is set via SetCredentials= * we are fine, too. */ - log_debug_errno(r, "Couldn't read inherited credential '%s', skipping: %m", path); + log_full_errno(hashmap_contains(context->set_credentials, id) ? LOG_DEBUG : LOG_WARNING, + r, "Couldn't read inherited credential '%s', skipping: %m", path); return 0; } if (r < 0)
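Review bot: With the braces dropped, the `else if (source)` in the -485 hunk pairs with `if (search_path)` only because `STRV_FOREACH` expands to a single loop statement. If the macro ever ended in an `if`, the `else` would bind to that inner `if` and the compiler would not complain. The loop body spans several lines, so keeping `if (search_path) {` … `} else if (source)` is the more defensive form here. The macro definition is not visible on this page, so this is a style point rather than a confirmed defect. The if/else chain starts in the -467 hunk and continues past the end of the -485 hunk.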
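Review bot: The new warning in the -504 hunk identifies the missing credential only by `path`, yet it is now the main signal that a unit is being started without a credential it asked for. Naming the credential ID and unit in the message would make the record attributable without relying on journal metadata, e.g. `r, "Couldn't read inherited credential '%s' (ID '%s', unit '%s'), skipping: %m", path, id, unit);`. Both `id` and `unit` are used earlier in load_credential, but whether `unit` is still in scope at this point is not visible here. The enclosing `if` condition lies outside the hunk, so a short comment such as `/* No SetCredential= fallback configured: warn, the unit starts without this credential */` would help explain why the level differs.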