core: consult credentials for machine ID to use for host

Let's hook up one more thing with credentials: the machine ID to use when none is initialized yet. This requires some reordering of initialization steps in PID 1: we need to import credentials first, and only then initialize the machine ID.
2024-10-06 16:21:34 +00:00 · 2023-06-28 18:11:15 +02:00 · 2023-06-28 18:11:15 +02:00 · deb0d489ea
parent d021aa8ee3
commit deb0d489ea
4 changed files with 49 additions and 5 deletions
--- a/man/systemd.system-credentials.xml
+++ b/man/systemd.system-credentials.xml
@ -208,6 +208,15 @@
          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><varname>system.machine_id</varname></term>
+        <listitem>
+          <para>Takes a 128bit ID to initialize the machine ID from (if it is not set yet). Interpreted by
+          the service manager (PID 1). For details see
+          <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/man/systemd.xml
+++ b/man/systemd.xml
@ -1069,6 +1069,16 @@
          notification via VSOCK when a virtual machine has finished booting.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><varname>system.machine_id</varname></term>
+        <listitem>
+          <para>Takes a 128bit hexadecimal ID to initialize <filename>/etc/machine-id</filename> from, if the
+          file is not set up yet. See
+          <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+          details.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/src/core/main.c
+++ b/src/core/main.c
@ -2224,10 +2224,15 @@ static int initialize_runtime(
                                return r;
                        }

+                        /* Pull credentials from various sources into a common credential directory (we do
+                         * this here, before setting up the machine ID, so that we can use credential info
+                         * for setting up the machine ID) */
+                        (void) import_credentials();
+
                        (void) os_release_status();
                        (void) hostname_setup(true);
                        /* Force transient machine-id on first boot. */
-                        machine_id_setup(NULL, /* force_transient= */ first_boot, arg_machine_id, NULL);
+                        machine_id_setup(/* root= */ NULL, /* force_transient= */ first_boot, arg_machine_id, /* ret_machine_id */ NULL);
                        (void) loopback_setup();
                        bump_unix_max_dgram_qlen();
                        bump_file_max_and_nr_open();
@ -2306,10 +2311,6 @@ static int initialize_runtime(
        (void) bump_rlimit_nofile(saved_rlimit_nofile);
        (void) bump_rlimit_memlock(saved_rlimit_memlock);

-        /* Pull credentials from various sources into a common credential directory */
-        if (arg_runtime_scope == RUNTIME_SCOPE_SYSTEM && !skip_setup)
-                (void) import_credentials();
-
        return 0;
 }

--- a/src/shared/machine-id-setup.c
+++ b/src/shared/machine-id-setup.c
@ -9,6 +9,7 @@

 #include "alloc-util.h"
 #include "chase.h"
+#include "creds-util.h"
 #include "fd-util.h"
 #include "id128-util.h"
 #include "io-util.h"
@ -27,6 +28,24 @@
 #include "umask-util.h"
 #include "virt.h"

+static int acquire_machine_id_from_credential(sd_id128_t *ret) {
+        _cleanup_free_ char *buf = NULL;
+        int r;
+
+        r = read_credential_with_decryption("system.machine_id", (void**) &buf, /* ret_size= */ NULL);
+        if (r < 0)
+                return log_warning_errno(r, "Failed to read system.machine_id credential, ignoring: %m");
+        if (r == 0) /* not found */
+                return -ENXIO;
+
+        r = sd_id128_from_string(buf, ret);
+        if (r < 0)
+                return log_warning_errno(r, "Failed to parse system.machine_id credential, ignoring: %m");
+
+        log_info("Initializing machine ID from credential.");
+        return 0;
+}
+
 static int generate_machine_id(const char *root, sd_id128_t *ret) {
        _cleanup_close_ int fd = -EBADF;
        int r;
@ -41,6 +60,11 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
        }

        if (isempty(root) && running_in_chroot() <= 0) {
+                /* Let's use a system credential for the machine ID if we can */
+                r = acquire_machine_id_from_credential(ret);
+                if (r >= 0)
+                        return r;
+
                /* If that didn't work, see if we are running in a container,
                 * and a machine ID was passed in via $container_uuid the way
                 * libvirt/LXC does it */