1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

15 Commits

Author SHA1 Message Date
Daan De Meyer
18bb30c3b2
core: Bind mount notify socket to /run/host/notify in sandboxed units (#35573)
To be able to run systemd in a Type=notify transient unit, the notify
socket can't be bind mounted to /run/systemd/notify as systemd in the
transient unit wants to use that as its own notify socket which
conflicts with systemd on the host.

Instead, for sandboxed units, let's bind mount the notify socket to
/run/host/notify as documented in the container interface. Since we
don't guarantee a stable location for the notify socket and insist users
use $NOTIFY_SOCKET to get its path, this is safe to do.
2024-12-13 13:48:07 +00:00
Daan De Meyer
284dd31e9d core: Bind mount notify socket to /run/host/notify in sandboxed units
To be able to run systemd in a Type=notify transient unit, the notify
socket can't be bind mounted to /run/systemd/notify as systemd in the
transient unit wants to use that as its own notify socket which conflicts
with systemd on the host.

Instead, for sandboxed units, let's bind mount the notify socket to
/run/host/notify as documented in the container interface. Since we don't
guarantee a stable location for the notify socket and insist users use
$NOTIFY_SOCKET to get its path, this is safe to do.
2024-12-13 13:37:02 +01:00
Luca Boccassi
c7fcb08324 test: add more coverage for extensions and verity 2024-12-12 00:58:20 +00:00
Luca Boccassi
59a83e1188 core: fix loading verity settings for MountImages=
The MountEntry logic was refactored to store the verity
settings, and updated for ExtensionImages=, but not for
MountImages=.

Follow-up for a1a40297db
2024-12-12 00:58:20 +00:00
Luca Boccassi
e1efa9d804 core: do not fail if ignorable img.v/ vpick dir is missing
Do not fail if the directory is missing entirely, other than just empty

Follow-up for 00f546e25e
Follow-up for 5e79dd96a8
Follow-up for 622efc544d
2024-10-15 18:17:25 +02:00
Lennart Poettering
96c9e4a2de test: add --more flag when enumerating via List varlink method
The call returns multiple entries, hence should be called with `--more`.
2024-10-02 09:22:52 +02:00
Luca Boccassi
00f546e25e core: do not fail if ignorable img.v/ vpick dir is empty
If the vpick directory is configured to be ignored if missing, do not
fail and just skip ahead.

Follow-up for 5e79dd96a8
Follow-up for 622efc544d
2024-09-13 17:32:00 +02:00
Mike Yuan
7a9f0125bb
core: rename BindJournalSockets= to BindLogSockets=
Addresses https://github.com/systemd/systemd/pull/32487#issuecomment-2328465309
2024-09-04 21:44:25 +02:00
Mike Yuan
1a64b42c46
TEST-50-DISSECT: add explicit coverage for BindJournalSockets= 2024-09-03 21:04:52 +02:00
Mike Yuan
e2e6c23fdb
test: drop unneeded journal socket bind mounts
(where BindJournalSockets=yes is implied)
2024-09-03 21:04:52 +02:00
Luca Boccassi
a1a40297db core: deduplicate identical dm-verity ExtensionImages=
It turns out OverlayFS doesn't handle gracefully when the same source is
specified multiple times in lowerdir= and it fails with ELOOP:

Failed to mount overlay (type overlay) on /run/systemd/mount-rootfs/opt (MS_RDONLY "lowerdir=/run/systemd/unit-extensions/1/opt:/run/systemd/unit-extensions/0/opt:/run/systemd/mount-rootfs/opt"): Too many levels of symbolic links

This happens even if we mount each image in a different internal mount
path, as OverlayFS will resolve it and look for the backing device, which
will be the same device mapper entity, and return a hard error.
This error does not appear if dm-verity is not used, so it is very
confusing for users, and unnecessary.

When mounting ExtensionImages, check if an image is dm-veritied,
and drop duplicates if the root hashes match, to avoid this user-unfriendly
hard error.
2024-06-28 14:37:58 +01:00
Yu Watanabe
fbe1e72eff test: use SYSLOG_IDENTIFIER= filter instead of "journalctl -u"
"journalctl -u foo.service" may not work as expected, especially entries
for _TRANSPORT=stdout, for short-living services or when the service manager
generates debugging logs. Instead, SYSLOG_IDENTIFIER= should be reliable for
stdout. Let's use it.

An example case:
```
__CURSOR=s=06278e3bf011458e973c81d370a8f7a5;i=1e4dc;b=1b0258a5c78341609bf462c72d4541c3;m=308de65;t=6194c3895a13f;x=50c7e9af5b8cfc37
__REALTIME_TIMESTAMP=1716665017803071
__MONOTONIC_TIMESTAMP=50912869
_BOOT_ID=1b0258a5c78341609bf462c72d4541c3
SYSLOG_FACILITY=3
_UID=0
_GID=0
_MACHINE_ID=d3490e076ab24968bfa19a6aab26beb3
_HOSTNAME=H
_RUNTIME_SCOPE=system
_TRANSPORT=stdout
PRIORITY=6
_PID=2668
_STREAM_ID=3f9b8855636041988d003a9c63379b8a
SYSLOG_IDENTIFIER=echo
MESSAGE=foo
```
As you can see, there is no unit identifier.
2024-05-26 11:00:22 +02:00
Yu Watanabe
505b20ecdd test: replace journal checkers with journalctl --follow + grep -m
Recently, for slow test environments, journalctl --sync was added to the
loop in the timeout. However, journalctl --sync may be slow in such systems,
and timeout easily triggered during syncing.
Hopefully, reading journal with --follow and grep the output with an expected
line should be efficient.

Hopefully fixes #32712.
2024-05-22 12:03:35 +02:00
Yu Watanabe
702fdd3135 test: sync journal before read
Similar to recent commits, e.g. f961f0e47c2caf9af735a22e7f23210e746d0c8b.

Fixes #32926.
2024-05-21 02:00:08 +09:00
Daan De Meyer
7a321b5a21 test: Rename testsuite-XX units to match test name
Having these named differently than the test itself mostly creates
unecessary confusion and makes writing logic against the tests harder
so let's rename the testsuite-xx units and scripts to just use the
test name itself.
2024-05-14 12:43:28 +02:00