From 6b34871f5d3b0729ef125d79dfe2d493f3b52b40 Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Tue, 7 May 2024 19:45:06 +0800
Subject: [PATCH] core/exec-credential: complain louder if inherited credential is missing
Also document that a missing inherited credential is not considered fatal.
Closes #32667
---
 man/systemd.exec.xml | 3 +++
 src/core/exec-credential.c | 9 +++++----
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d9ec44983fc..56eb6af8728 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3385,6 +3385,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
 a terse way to declare credentials to inherit from the service manager into a service. This option may be used multiple times, each time defining an additional credential to pass to the unit.
+ Note that if the path is not specified or a valid credential identifier is given, i.e.
+ in the above two cases, a missing credential is not considered fatal.
+
 If an absolute path referring to a directory is specified, every file in that directory (recursively) will be loaded as a separate credential. The ID for each credential will be the provided ID suffixed with _$FILENAME (e.g., Key_file1). When
diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
index 1dbf70930e8..9c48bd8d0f1 100644
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -443,7 +443,7 @@ static int load_credential(
 /* Pass some minimal info about the unit and the credential name we are looking to acquire
 * via the source socket address in case we read off an AF_UNIX socket. */
- if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, id) < 0)
+ if (asprintf(&bindname, "@%" PRIx64 "/unit/%s/%s", random_u64(), unit, id) < 0)
 return -ENOMEM;
 missing_ok = false;
@@ -467,7 +467,7 @@ static int load_credential(
 maxsz = encrypted ? CREDENTIAL_ENCRYPTED_SIZE_MAX : CREDENTIAL_SIZE_MAX;
- if (search_path) {
+ if (search_path)
 STRV_FOREACH(d, search_path) {
 _cleanup_free_ char *j = NULL;
@@ -485,7 +485,7 @@ static int load_credential(
 if (r != -ENOENT)
 break;
 }
- } else if (source)
+ else if (source)
 r = read_full_file_full(
 read_dfd, source,
 UINT64_MAX,
@@ -504,7 +504,8 @@ static int load_credential(
 *
 * Also, if the source file doesn't exist, but a fallback is set via SetCredentials=
 * we are fine, too. */
- log_debug_errno(r, "Couldn't read inherited credential '%s', skipping: %m", path);
+ log_full_errno(hashmap_contains(context->set_credentials, id) ? LOG_DEBUG : LOG_WARNING,
+ r, "Couldn't read inherited credential '%s', skipping: %m", path);
 return 0;
 }
 if (r < 0)
--
2.47.3
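Review bot: The log-level selection on the new `log_full_errno` line in the -504 hunk encodes a rule whose justification sits several lines up in the existing comment, so a short comment directly above it would keep the two from drifting apart, e.g. `/* Only a debug message if SetCredential= supplies a fallback for this ID; otherwise warn, since the service will start without the credential it asked for. */`. The enclosing `if` whose condition decides which read errors land in this branch begins before the hunk, so I cannot confirm from the diff that only the missing-credential case reaches this point; if other failures can, the "skipping" wording and the debug downgrade would apply to them as well, which is presumably not intended. Given that the failure mode the warning guards against is a service running without expected secret material, it may also be worth checking that the unit name is attached to this message by the surrounding logging context, as the text itself carries only the path.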