network: gracefully disable resolve hook when socket is disabled
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Mon, 17 Nov 2025 16:57:24 +0000 (17:57 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 18 Nov 2025 11:26:07 +0000 (12:26 +0100)
systemd-networkd cannot create the directory /run/systemd/resolve.hook/. Even
if the directory exists, it is not owned by the systemd-network user/group, so
systemd-networkd cannot create the socket file in the directory. Hence, if the
systemd-networkd-resolve-hook.socket unit is disabled, networkd fails to open
the varlink socket, and fails to start:

  systemd-networkd[1304645]: Failed to bind to systemd-resolved hook Varlink socket: Permission denied
  systemd-networkd[1304645]: Could not set up manager: Permission denied
  systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
  systemd[1]: Failed to start systemd-networkd.service - Network Management.

If the socket unit is disabled, that should mean the system administrator wants
to disable the feature. Let's not try to setup the varlink socket in that case.

Now the resolve hook feature can be toggled by enabling/disabling the socket
unit, let's drop the $SYSTEMD_NETWORK_RESOLVE_HOOK environment variable.

Follow-up for a7fa29b1b52210e33f4e43efc1a2f06b7c7233c0.
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
src/network/networkd-resolve-hook.c
test/networkd-test.py

index 6c437be9db6132d5b7812cf7aa1f0e4f1d6b6e09..3abe8262e2a3c3a9ed5b72bd390f6986ed859130 100644 (file)
@@ -5,12 +5,14 @@
 #include "sd-varlink.h"
 
 #include "alloc-util.h"
+#include "argv-util.h"
 #include "dns-answer.h"
 #include "dns-domain.h"
 #include "dns-packet.h"
 #include "dns-question.h"
 #include "dns-rr.h"
 #include "env-util.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "networkd-link.h"
 #include "networkd-manager.h"
@@ -214,17 +216,14 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) {
         if (m->varlink_resolve_hook_server)
                 return 0;
 
-        r = getenv_bool("SYSTEMD_NETWORK_RESOLVE_HOOK");
-        if (r < 0 && r != -ENXIO)
-                log_warning_errno(r, "Failed to parse $SYSTEMD_NETWORK_RESOLVE_HOOK, ignoring: %m");
-        if (r == 0) {
-                log_notice("Resolve hook disabled via $SYSTEMD_NETWORK_RESOLVE_HOOK.");
+        if (fd < 0 && invoked_by_systemd()) {
+                log_debug("systemd-networkd-resolve-hook.socket seems to be disabled, not installing varlink server.");
                 return 0;
         }
 
         r = varlink_server_new(&s, SD_VARLINK_SERVER_ACCOUNT_UID|SD_VARLINK_SERVER_INHERIT_USERDATA, m);
         if (r < 0)
-                return log_error_errno(r, "Failed to allocate varlink server object: %m");
+                return log_error_errno(r, "Failed to allocate varlink server: %m");
 
         (void) sd_varlink_server_set_description(s, "varlink-resolve-hook");
 
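Review bot: The new early return treats every `fd < 0` under systemd as "socket unit disabled" and reports it only with log_debug(), so if the fd is missing for some other reason (how it is obtained is outside this hunk) the resolve hook would be off with nothing visible at the default log level. The removed code announced the disabled state with log_notice(); keeping that level, `log_notice("systemd-networkd-resolve-hook.socket seems to be disabled, not installing varlink server.");`, would leave the state visible to an administrator reading the journal. The body of manager_varlink_init_resolve_hook() starts before and continues after this hunk.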
@@ -243,12 +242,17 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) {
         if (r < 0)
                 return log_error_errno(r, "Failed to bind on resolve hook disconnection events: %m");
 
-        if (fd < 0)
-                r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
-        else
+        if (fd < 0) {
+                r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network",
+                                                     0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+                if (ERRNO_IS_NEG_PRIVILEGE(r)) {
+                        log_info_errno(r, "Failed to bind to systemd-resolved hook varlink socket, ignoring: %m");
+                        return 0;
+                }
+        } else
                 r = sd_varlink_server_listen_fd(s, fd);
         if (r < 0)
-                return log_error_errno(r, "Failed to bind to systemd-resolved hook Varlink socket: %m");
+                return log_error_errno(r, "Failed to bind to systemd-resolved hook varlink socket: %m");
 
         TAKE_FD(fd_close);
 
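Review bot: The `ERRNO_IS_NEG_PRIVILEGE(r)` branch returns 0 with no comment saying when it can be reached; given the earlier `fd < 0 && invoked_by_systemd()` return, it appears to cover only a networkd started outside systemd. A comment above the check such as `/* Not started by systemd and no fd passed: lacking access to /run/systemd/resolve.hook/ is expected here, continue without the hook. */` would make that explicit. Every permission-class bind failure is now downgraded to log_info, presumably including a denial by a security policy, so the comment should state that this is intended. The early return also relies on `s` being released by a cleanup attribute declared outside the hunk, which is worth confirming; the function continues past the hunk.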
index 691f58b2d3aed3351aeb27c11b9db6e672788bd4..a082f5456fc8be49a057d11e20980da66485a742 100755 (executable)
@@ -97,9 +97,6 @@ def setUpModule():
     if os.path.isdir('/run/systemd/resolve'):
         os.chmod('/run/systemd/resolve', 0o755)
         shutil.chown('/run/systemd/resolve', 'systemd-resolve', 'systemd-resolve')
-    if os.path.isdir('/run/systemd/resolve.hook'):
-        os.chmod('/run/systemd/resolve.hook', 0o755)
-        shutil.chown('/run/systemd/resolve.hook', 'systemd-network', 'systemd-network')
     if os.path.isdir('/run/systemd/netif'):
         os.chmod('/run/systemd/netif', 0o755)
         shutil.chown('/run/systemd/netif', 'systemd-network', 'systemd-network')
@@ -976,9 +973,6 @@ EOF
 # Hence, 'networkctl persistent-storage yes' cannot be used.
 export SYSTEMD_NETWORK_PERSISTENT_STORAGE_READY=1
 
-# Don't try to register resolved hook for our testcase
-export SYSTEMD_NETWORK_RESOLVE_HOOK=0
-
 # Generate debugging logs.
 export SYSTEMD_LOG_LEVEL=debug