Merge pull request #32033 from DaanDeMeyer/unit-creds

debug-generator: Add unit and drop-in credentials
2024-07-21 18:24:38 +00:00 · 2024-04-04 18:27:20 +02:00 · 2024-04-04 18:27:20 +02:00 · 7b62a246a6
parent 99a1ef8c9c 8595f578fe
commit 7b62a246a6
5 changed files with 144 additions and 9 deletions
--- a/man/systemd-debug-generator.xml
+++ b/man/systemd-debug-generator.xml
@ -6,7 +6,7 @@
 %entities;
 ]>
 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
-<refentry id="systemd-debug-generator">
+<refentry id="systemd-debug-generator" xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>systemd-debug-generator</title>
@ -70,6 +70,36 @@
    <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
  </refsect1>

+  <refsect1>
+    <title>System Credentials</title>
+
+    <variablelist class='system-credentials'>
+      <varlistentry>
+        <term><varname>systemd.extra-unit.*</varname></term>
+
+        <listitem><para>Credentials prefixed with <literal>systemd.extra-unit.</literal> specify additional
+        units to add to the final system. Note that these additional units are added to both the initrd and
+        the final system. <varname>ConditionPathExists=!/etc/initrd-release</varname> can be used to make
+        sure the unit is conditioned out in the initrd.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>systemd.unit-dropin.*</varname></term>
+
+        <listitem><para>Credentials prefixed with <literal>systemd.unit-dropin.</literal> add drop-ins for
+        the corresponding units in the final system. Each credential must be suffixed with the full unit name
+        including the unit extension. Its contents must be a valid unit drop-in file. Only one drop-in per
+        unit can be specified. The name of the generated drop-in will be
+        <literal>50-credential.conf</literal>. Note that these additional drop-ins are added to both the
+        initrd and the final system.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
  <refsect1>
    <title>See Also</title>
    <para><simplelist type="inline">
--- a/man/systemd.system-credentials.xml
+++ b/man/systemd.system-credentials.xml
@ -367,6 +367,16 @@
          <xi:include href="version-info.xml" xpointer="v256"/>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><varname>systemd.extra-unit.*</varname></term>
+        <term><varname>systemd.unit-dropin.*</varname></term>
+
+        <listitem><para>These credentials specify extra units and drop-ins to add to the system. For details
+        see <citerefentry><refentrytitle>systemd-debug-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+
+        <xi:include href="version-info.xml" xpointer="v256"/></listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/src/debug-generator/debug-generator.c
+++ b/src/debug-generator/debug-generator.c
@ -3,13 +3,17 @@
 #include <unistd.h>

 #include "alloc-util.h"
+#include "creds-util.h"
 #include "dropin.h"
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fileio-label.h"
 #include "generator.h"
 #include "initrd-util.h"
-#include "mkdir-label.h"
 #include "parse-util.h"
 #include "path-util.h"
 #include "proc-cmdline.h"
+#include "recurse-dir.h"
 #include "special.h"
 #include "string-util.h"
 #include "strv.h"
@ -141,14 +145,14 @@ static int generate_wants_symlinks(void) {
        return r;
 }

-static void install_debug_shell_dropin(const char *dir) {
+static void install_debug_shell_dropin(void) {
        const char *tty = arg_debug_tty ?: arg_default_debug_tty;
        int r;

        if (!tty || path_equal(tty, skip_dev_prefix(DEBUGTTY)))
                return;

-        r = write_drop_in_format(dir, "debug-shell.service", 50, "tty",
+        r = write_drop_in_format(arg_dest, "debug-shell.service", 50, "tty",
                        "[Unit]\n"
                        "Description=Early root shell on /dev/%s FOR DEBUGGING ONLY\n"
                        "ConditionPathExists=\n"
@ -159,8 +163,74 @@ static void install_debug_shell_dropin(const char *dir) {
                log_warning_errno(r, "Failed to write drop-in for debug-shell.service, ignoring: %m");
 }

+static int process_unit_credentials(const char *credentials_dir) {
+        int r;
+
+        assert(credentials_dir);
+
+        _cleanup_free_ DirectoryEntries *des = NULL;
+        r = readdir_all_at(AT_FDCWD, credentials_dir, RECURSE_DIR_SORT|RECURSE_DIR_IGNORE_DOT|RECURSE_DIR_ENSURE_TYPE, &des);
+        if (r < 0)
+                return log_error_errno(r, "Failed to enumerate credentials from credentials directory '%s': %m", credentials_dir);
+
+        FOREACH_ARRAY(i, des->entries, des->n_entries) {
+                _cleanup_free_ void *d = NULL;
+                struct dirent *de = *i;
+                const char *unit, *dropin;
+
+                if (de->d_type != DT_REG)
+                        continue;
+
+                unit = startswith(de->d_name, "systemd.extra-unit.");
+                dropin = startswith(de->d_name, "systemd.unit-dropin.");
+
+                if (!unit && !dropin)
+                        continue;
+
+                if (!unit_name_is_valid(unit ?: dropin, UNIT_NAME_ANY)) {
+                        log_warning("Invalid unit name '%s' in credential '%s', ignoring.",
+                                    unit ?: dropin, de->d_name);
+                        continue;
+                }
+
+                r = read_credential_with_decryption(de->d_name, &d, NULL);
+                if (r < 0)
+                        continue;
+
+                if (unit) {
+                        _cleanup_free_ char *p = NULL;
+
+                        p = path_join(arg_dest, unit);
+                        if (!p)
+                                return log_oom();
+
+                        r = write_string_file_atomic_label(p, d);
+                        if (r < 0) {
+                                log_warning_errno(r, "Failed to write unit file '%s' from credential '%s', ignoring: %m",
+                                                  unit, de->d_name);
+                                continue;
+                        }
+
+                        log_debug("Wrote unit file '%s' from credential '%s'", unit, de->d_name);
+
+                } else {
+                        r = write_drop_in(arg_dest, dropin, 50, "credential", d);
+                        if (r < 0) {
+                                log_warning_errno(r, "Failed to write drop-in for unit '%s' from credential '%s', ignoring: %m",
+                                                  dropin, de->d_name);
+                                continue;
+                        }
+
+                        log_debug("Wrote drop-in for unit '%s' from credential '%s'", dropin, de->d_name);
+                }
+        }
+
+        return 0;
+}
+
 static int run(const char *dest, const char *dest_early, const char *dest_late) {
-        int r, q;
+        const char *credentials_dir;
+        int r = 0;

        assert_se(arg_dest = dest_early);

@ -173,13 +243,19 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
                if (r < 0)
                        return log_oom();

-                install_debug_shell_dropin(arg_dest);
+                install_debug_shell_dropin();
        }

-        r = generate_mask_symlinks();
-        q = generate_wants_symlinks();
+        if (get_credentials_dir(&credentials_dir) >= 0)
+                RET_GATHER(r, process_unit_credentials(credentials_dir));

-        return r < 0 ? r : q;
+        if (get_encrypted_credentials_dir(&credentials_dir) >= 0)
+                RET_GATHER(r, process_unit_credentials(credentials_dir));
+
+        RET_GATHER(r, generate_mask_symlinks());
+        RET_GATHER(r, generate_wants_symlinks());
+
+        return r;
 }

 DEFINE_MAIN_GENERATOR_FUNCTION(run);
--- a/test/TEST-54-CREDS/test.sh
+++ b/test/TEST-54-CREDS/test.sh
@ -9,6 +9,19 @@ NSPAWN_CREDS=(
 )
 NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} ${NSPAWN_CREDS[*]}"

+UNIT_CRED=$(base64 -w 0 <<EOF
+[Service]
+Type=oneshot
+ExecStart=touch /tmp/unit-cred
+EOF
+)
+DROPIN_CRED=$(base64 -w 0 <<EOF
+[Service]
+ExecStart=
+ExecStart=touch /tmp/unit-dropin
+EOF
+)
+
 QEMU_CREDS=(
    "-fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue"
    "-smbios type=11,value=io.systemd.credential:smbioscredential=magicdata"
@ -17,6 +30,8 @@ QEMU_CREDS=(
    "-smbios type=11,value=io.systemd.credential.binary:tmpfiles.extra=ZiAvdG1wL3NvdXJjZWRmcm9tY3JlZGVudGlhbCAtIC0gLSAtIHRtcGZpbGVzc2VjcmV0Cg=="
    "-smbios type=11,value=io.systemd.credential.binary:fstab.extra=aW5qZWN0ZWQgL2luamVjdGVkIHRtcGZzIFgtbW91bnQubWtkaXIgMCAwCg=="
    "-smbios type=11,value=io.systemd.credential:getty.ttys.container=idontexist"
+    "-smbios type=11,value=io.systemd.credential.binary:systemd.extra-unit.my-service.service=$UNIT_CRED"
+    "-smbios type=11,value=io.systemd.credential.binary:systemd.unit-dropin.my-service.service=$DROPIN_CRED"
 )
 QEMU_OPTIONS="${QEMU_OPTIONS:-} ${QEMU_CREDS[*]}"

--- a/test/units/testsuite-54.sh
+++ b/test/units/testsuite-54.sh
@ -207,6 +207,10 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
    [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]
    [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]
    [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]
+
+    # Verify that adding a unit and drop-in via credentials worked
+    systemctl start my-service
+    test -f /tmp/unit-dropin
 else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""