From c5d0b3e51cea0f09e7067ecd68f37d9047d170e3 Mon Sep 17 00:00:00 2001
From: Ivan Shapovalov
Date: Sat, 20 Jan 2024 12:52:28 +0100
Subject: [PATCH] nspawn: permit --ephemeral with --link-journal=try-* (treat as =no)
Common sense says that to "try" something means "to not fail if something turns out not to be possible", thus do not make this combination a hard error. The actual implementation ignores any --link-journal= setting when --ephemeral is in effect, so the semantics are upheld.
(cherry picked from commit 00fcd79e65305a0d2657312b001467a055b04801)
(cherry picked from commit 9a678a258d94a2fa7c02c8085d500cb07ae5b49e)
(cherry picked from commit ebd92b562d6fdf0bd78adbee5b24f8bea0617e3a)
---
 man/systemd-nspawn.xml | 3 ++-
 src/nspawn/nspawn.c | 6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index 937704b881..1b19f63a25 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -1317,7 +1317,8 @@ After=sys-subsystem-net-devices-ens1.device
 and the subdirectory is symlinked into the host at the same location. try-host and try-guest do the same but do not fail if
- the host does not have persistent journaling enabled. If
+ the host does not have persistent journaling enabled, or if
+ the container is in the mode. If
 auto (the default), and the right subdirectory of /var/log/journal exists, it will be bind mounted into the container. If the
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 8895d8e6c6..1e80cfc963 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1806,8 +1806,10 @@ static int verify_arguments(void) {
 if (arg_ephemeral && arg_template)
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --template= may not be combined.");
- if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --link-journal= may not be combined.");
+ /* Permit --ephemeral with --link-journal=try-* to satisfy principle of the least astonishment
+ * (by common sense, "try" means "do not fail if not possible") */
+ if (arg_ephemeral && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO) && !arg_link_journal_try)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "--ephemeral and --link-journal={host,guest} may not be combined.");
 if (arg_userns_mode != USER_NAMESPACE_NO && !userns_supported())
 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "--private-users= is not supported, kernel compiled without user namespace support.");
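Review bot: The `try-*` case now passes this check with no message at all, so a caller who asked for `--link-journal=try-host` on an `--ephemeral` container gets no hint that the journal will not be linked. The commit description says the implementation ignores the setting in ephemeral mode, which presumably means the container's journal is not kept on the host once the ephemeral tree is gone; anyone relying on host-side journals for audit or incident response would want that stated at run time. I would add, right after the new check, `if (arg_ephemeral && arg_link_journal_try && !IN_SET(arg_link_journal, LINK_NO, LINK_AUTO)) log_notice("--link-journal=try-* has no effect with --ephemeral, not linking the journal.");` (or `log_debug` if a notice is too loud). The rest of verify_arguments() lies outside the hunk, so whether a similar message already exists elsewhere cannot be seen from here.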