sysctl: also process sysctl requests via the "sysctl.extra" credential
parent
bbe29ca29b
commit
39f0d1d2e7
@ -73,6 +73,30 @@
|
|||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Credentials</title>
|
||||||
|
|
||||||
|
<para><command>systemd-sysctl</command> supports the service credentials logic as implemented by
|
||||||
|
<varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see
|
||||||
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
|
||||||
|
details). The following credentials are used when passed in:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><literal>sysctl.extra</literal></term>
|
||||||
|
|
||||||
|
<listitem><para>The contents of this credential may contain additional lines to operate on. The
|
||||||
|
credential contents should follow the same format as any other <filename>sysctl.d/</filename>
|
||||||
|
drop-in. If this credential is passed it is processed after all of the drop-in files read from the
|
||||||
|
file system. The settings configured in the credential hence take precedence over those in the file
|
||||||
|
system.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
|
||||||
|
<para>Note that by default the <filename>systemd-sysctl.service</filename> unit file is set up to inherit
|
||||||
|
the <literal>sysctl.extra</literal> credential from the service manager.</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Examples</title>
|
<title>Examples</title>
|
||||||
|
|
||||||
|
@ -10,6 +10,7 @@
|
|||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
#include "conf-files.h"
|
#include "conf-files.h"
|
||||||
|
#include "creds-util.h"
|
||||||
#include "def.h"
|
#include "def.h"
|
||||||
#include "errno-util.h"
|
#include "errno-util.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
@ -277,6 +278,25 @@ static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ig
|
|||||||
return r;
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int read_credential_lines(OrderedHashmap **sysctl_options) {
|
||||||
|
_cleanup_free_ char *j = NULL;
|
||||||
|
const char *d;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
r = get_credentials_dir(&d);
|
||||||
|
if (r == -ENXIO)
|
||||||
|
return 0;
|
||||||
|
if (r < 0)
|
||||||
|
return log_error_errno(r, "Failed to get credentials directory: %m");
|
||||||
|
|
||||||
|
j = path_join(d, "sysctl.extra");
|
||||||
|
if (!j)
|
||||||
|
return log_oom();
|
||||||
|
|
||||||
|
(void) parse_file(sysctl_options, j, /* ignore_enoent= */ true);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
static int help(void) {
|
static int help(void) {
|
||||||
_cleanup_free_ char *link = NULL;
|
_cleanup_free_ char *link = NULL;
|
||||||
int r;
|
int r;
|
||||||
@ -416,6 +436,10 @@ static int run(int argc, char *argv[]) {
|
|||||||
if (k < 0 && r == 0)
|
if (k < 0 && r == 0)
|
||||||
r = k;
|
r = k;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
k = read_credential_lines(&sysctl_options);
|
||||||
|
if (k < 0 && r == 0)
|
||||||
|
r = k;
|
||||||
}
|
}
|
||||||
|
|
||||||
k = apply_all(sysctl_options);
|
k = apply_all(sysctl_options);
|
||||||
|
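Review bot: `(void) parse_file(sysctl_options, j, /* ignore_enoent= */ true);` in read_credential_lines discards the parse result and the function then returns 0, so the propagation added in run() (`k = read_credential_lines(&sysctl_options); if (k < 0 && r == 0) r = k;`) can only ever observe the get_credentials_dir and OOM failures, never a malformed `sysctl.extra` credential. The drop-in loop directly above it folds `k` into `r` the same way (its own parse_file call is outside the hunk), so the credential would be the one input whose parse errors do not reach the exit status; unless best-effort is intended here, `return parse_file(sysctl_options, j, /* ignore_enoent= */ true);` keeps both paths consistent, with absence still tolerated by the flag. A one-line comment above the function, e.g. `/* Apply the "sysctl.extra" credential, if passed, after all sysctl.d/ drop-ins so its settings take precedence. */`, would tie the code to the man page wording. The run() block the new call sits in begins and ends outside the hunk.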
@ -5,7 +5,7 @@ set -e
|
|||||||
TEST_DESCRIPTION="test credentials"
|
TEST_DESCRIPTION="test credentials"
|
||||||
NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue"
|
NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue"
|
||||||
QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue"
|
QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue"
|
||||||
KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff rd.systemd.import_credentials=no"
|
KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff systemd.set_credential=sysctl.extra:kernel.domainname=sysctltest rd.systemd.import_credentials=no"
|
||||||
|
|
||||||
# shellcheck source=test/test-functions
|
# shellcheck source=test/test-functions
|
||||||
. "${TEST_BASE_DIR:?}/test-functions"
|
. "${TEST_BASE_DIR:?}/test-functions"
|
||||||
|
@ -33,6 +33,9 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
|
|||||||
systemd-detect-virt -q -v
|
systemd-detect-virt -q -v
|
||||||
expected_credential=myqemucredential
|
expected_credential=myqemucredential
|
||||||
expected_value=othervalue
|
expected_value=othervalue
|
||||||
|
|
||||||
|
# Verify that writing a sysctl via the kernel cmdline worked
|
||||||
|
[ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]
|
||||||
else
|
else
|
||||||
echo "qemu_fw_cfg support missing in kernel. Sniff!"
|
echo "qemu_fw_cfg support missing in kernel. Sniff!"
|
||||||
expected_credential=""
|
expected_credential=""
|
||||||
|
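Review bot: The comment `# Verify that writing a sysctl via the kernel cmdline worked` describes the mechanism loosely: the value is applied by systemd-sysctl consuming the `sysctl.extra` credential that `systemd.set_credential=` on the cmdline supplies, so the line may be read as a plain kernel-cmdline sysctl assignment. Suggest `# Verify that systemd-sysctl applied the sysctl.extra credential passed via systemd.set_credential= on the kernel cmdline`. The check lives only in the qemu branch, which looks consistent with the credential being added to KERNEL_APPEND (qemu-only) in the first hunk; the enclosing if/elif/else starts outside the hunk.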
@ -21,3 +21,4 @@ Type=oneshot
|
|||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart={{ROOTLIBEXECDIR}}/systemd-sysctl
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-sysctl
|
||||||
TimeoutSec=90s
|
TimeoutSec=90s
|
||||||
|
LoadCredential=sysctl.extra
|
||||||
|
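Review bot: `LoadCredential=sysctl.extra` is the only line in the hunk and carries no explanation of where the credential comes from or what it does; a short comment in the unit would help, e.g. `# Inherit the "sysctl.extra" credential from the service manager's credential store; its contents are applied like a sysctl.d/ drop-in (see systemd-sysctl(8))`. Because no source path is given, the credential is whatever the service manager imported at boot, so any source the manager accepts credentials from can now supply sysctl settings; that matches the documented intent, but is worth stating next to the directive. Whether a missing inherited credential is tolerated by `LoadCredential=` or makes the unit fail is not visible here and should be confirmed, since the C side treats absence as a no-op.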