system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-07-22 18:55:10 +00:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

TEST-50-DISSECT: Make sure logging sockets are mounted into images

Browse source 
Otherwise we lose valuable logging from systemd-executor when things
go wrong since it can only log to the journal and not to the console
in these cases.
This commit is contained in:
Daan De Meyer 2024-04-25 16:58:44 +02:00
parent e85be4983d
commit 69dc36f69b
1 changed files with 53 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
test/units/testsuite-50.dissect.sh
View file

@ -9,6 +9,12 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
BIND_LOG_SOCKETS=(
--property BindReadOnlyPaths=/dev/log
--property BindReadOnlyPaths=/run/systemd/journal/socket
--property BindReadOnlyPaths=/run/systemd/journal/stdout
)
systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
@ -73,19 +79,21 @@ fi
systemd-dissect --umount "$IMAGE_DIR/mount"
systemd-dissect --umount "$IMAGE_DIR/mount2"
systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
mv "$MINIMAL_IMAGE.verity" "$MINIMAL_IMAGE.fooverity"
mv "$MINIMAL_IMAGE.roothash" "$MINIMAL_IMAGE.foohash"
systemd-run -P \
-p RootImage="$MINIMAL_IMAGE.raw" \
-p RootHash="$MINIMAL_IMAGE.foohash" \
-p RootVerity="$MINIMAL_IMAGE.fooverity" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
# Let's use the long option name just here as a test
systemd-run -P \
--property RootImage="$MINIMAL_IMAGE.raw" \
--property RootHash="$MINIMAL_IMAGE_ROOTHASH" \
--property RootVerity="$MINIMAL_IMAGE.fooverity" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
mv "$MINIMAL_IMAGE.fooverity" "$MINIMAL_IMAGE.verity"
mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash"
@ -133,48 +141,56 @@ systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='*' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
(! systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='~' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1")
(! systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='-' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1")
(! systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='root=absent' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1")
systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='root=verity' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='root=signed' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
(! systemd-run --wait -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p RootImagePolicy='root=encrypted' \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1")
systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" --mount "$MINIMAL_IMAGE.gpt" "$IMAGE_DIR/mount"
@ -194,14 +210,17 @@ systemd-run -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p MountAPIVFS=yes \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run -P \
-p RootImage="$MINIMAL_IMAGE.raw" \
-p RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" \
"${BIND_LOG_SOCKETS[@]}" \
mount | grep -F "squashfs" | grep -q -F "nosuid"
systemd-run -P \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootImageOptions="root:ro,noatime root:ro,dev" \
"${BIND_LOG_SOCKETS[@]}" \
mount | grep -F "squashfs" | grep -q -F "noatime"
mkdir -p "$IMAGE_DIR/result"
@ -214,6 +233,7 @@ TemporaryFileSystem=/run
RootImage=$MINIMAL_IMAGE.raw
RootImageOptions=root:ro,noatime home:ro,dev relatime,dev
RootImageOptions=nosuid,dev
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
EOF
systemctl start testservice-50a.service
grep -F "squashfs" "$IMAGE_DIR/result/a" | grep -q -F "noatime"
@ -230,6 +250,7 @@ RootImageOptions=root:ro,noatime,nosuid home:ro,dev nosuid,dev
RootImageOptions=home:ro,dev nosuid,dev,%%foo
# this is the default, but let's specify once to test the parser
MountAPIVFS=yes
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
EOF
systemctl start testservice-50b.service
grep -F "squashfs" "$IMAGE_DIR/result/b" | grep -q -F "noatime"
@ -262,23 +283,27 @@ systemd-run -P \
-p TemporaryFileSystem=/run \
-p RootImage="$MINIMAL_IMAGE.raw" \
-p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run -P \
-p TemporaryFileSystem=/run \
-p RootImage="$MINIMAL_IMAGE.raw" \
-p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
"${BIND_LOG_SOCKETS[@]}" \
cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run -P \
-p TemporaryFileSystem=/run \
-p RootImage="$MINIMAL_IMAGE.gpt" \
-p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
-p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
"${BIND_LOG_SOCKETS[@]}" \
cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
cat >/run/systemd/system/testservice-50c.service <<EOF
[Service]
MountAPIVFS=yes
TemporaryFileSystem=/run
RootImage=$MINIMAL_IMAGE.raw
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
MountImages=$MINIMAL_IMAGE.gpt:/run/img1:root:noatime:home:relatime
MountImages=$MINIMAL_IMAGE.raw:/run/img2\:3:nosuid
ExecStart=bash -c "cat /run/img1/usr/lib/os-release >/run/result/c"
@ -326,34 +351,42 @@ systemctl is-active testservice-50d.service
systemd-run -P \
--property ExtensionImages=/usr/share/app0.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
--property ExtensionImages=/usr/share/app0.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
--property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script1.sh | grep -q -F "extension-release.app2"
systemd-run -P \
--property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionImages=/usr/share/app-nodistro.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionImages=/etc/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
# Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw
mkdir -p /usr/share/symlink-test/
@ -362,6 +395,7 @@ ln -fs /usr/share/symlink-test/app-nodistro-v1.raw /usr/share/symlink-test/app-n
systemd-run -P \
--property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
# Symlink check again but for confext
@ -371,17 +405,20 @@ ln -fs /etc/symlink-test/service-scoped-test-v1.raw /etc/symlink-test/service-sc
systemd-run -P \
--property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
# And again mixing sysext and confext
systemd-run -P \
--property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
--property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
systemd-run -P \
--property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
--property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
cat >/run/systemd/system/testservice-50e.service <<EOF
@ -391,6 +428,7 @@ TemporaryFileSystem=/run /var/lib
StateDirectory=app0
RootImage=$MINIMAL_IMAGE.raw
ExtensionImages=/usr/share/app0.raw /usr/share/app1.raw:nosuid
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
# Relevant only for sanitizer runs
UnsetEnvironment=LD_PRELOAD
ExecStart=bash -c '/opt/script0.sh | grep ID'
@ -418,10 +456,12 @@ mkdir -p "$IMAGE_DIR/app0" "$IMAGE_DIR/app1" "$IMAGE_DIR/app-nodistro" "$IMAGE_D
(! systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/nonexistent" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh)
(! systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh)
systemd-dissect --mount /usr/share/app0.raw "$IMAGE_DIR/app0"
systemd-dissect --mount /usr/share/app1.raw "$IMAGE_DIR/app1"
@ -430,34 +470,42 @@ systemd-dissect --mount /etc/service-scoped-test.raw "$IMAGE_DIR/service-scoped-
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script0.sh | grep -q -F "extension-release.app0"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /opt/script1.sh | grep -q -F "extension-release.app2"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/app-nodistro" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
systemd-run -P \
--property ExtensionDirectories="$IMAGE_DIR/service-scoped-test" \
--property RootImage="$MINIMAL_IMAGE.raw" \
"${BIND_LOG_SOCKETS[@]}" \
cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
cat >/run/systemd/system/testservice-50f.service <<EOF
[Service]
@ -465,6 +513,7 @@ MountAPIVFS=yes
TemporaryFileSystem=/run /var/lib
StateDirectory=app0
RootImage=$MINIMAL_IMAGE.raw
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
ExtensionDirectories=$IMAGE_DIR/app0 $IMAGE_DIR/app1
# Relevant only for sanitizer runs
UnsetEnvironment=LD_PRELOAD
@ -534,7 +583,7 @@ ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_33.raw"
ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_34.raw"
ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_35.raw"
systemd-run -P -p RootImage="$VDIR" cat /usr/lib/os-release | grep -q -F "MARKER=1"
systemd-run -P -p RootImage="$VDIR" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
rm "$VDIR/${VBASE}_33.raw" "$VDIR/${VBASE}_34.raw" "$VDIR/${VBASE}_35.raw"
rmdir "$VDIR"
@ -612,6 +661,7 @@ systemd-run --unit=test-root-ephemeral \
-p RootDirectory=/tmp/img \
-p RootEphemeral=yes \
-p Type=exec \
"${BIND_LOG_SOCKETS[@]}" \
bash -c "touch /abc && sleep infinity"
test -n "$(ls -A /var/lib/systemd/ephemeral-trees)"
systemctl stop test-root-ephemeral
@ -661,7 +711,7 @@ grep -q -F "MARKER_CONFEXT_123" /etc/testfile
systemd-confext unmerge
rm -rf /run/confexts/ testjob/
systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /run/host/os-release | cmp "$OS_RELEASE"
systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /run/host/os-release | cmp "$OS_RELEASE"
# Test that systemd-sysext reloads the daemon.
mkdir -p /var/lib/extensions/