mirror of
https://github.com/systemd/systemd.git
synced 2025-01-12 13:18:14 +03:00
4481a30855
In a few cases, also avoid a sleep in the last (failed) iteration of the loop. It doesn't matter too much, but it's still ugly.
314 lines
10 KiB
Bash
Executable File
314 lines
10 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
set -eux
|
|
set -o pipefail
|
|
|
|
# Check if homectl is installed, and if it isn't bail out early instead of failing
|
|
if ! test -x /usr/bin/homectl ; then
|
|
echo "no homed" >/skipped
|
|
exit 0
|
|
fi
|
|
|
|
inspect() {
|
|
# As updating disk-size-related attributes can take some time on some
|
|
# filesystems, let's drop these fields before comparing the outputs to
|
|
# avoid unexpected fails. To see the full outputs of both homectl &
|
|
# userdbctl (for debugging purposes) drop the fields just before the
|
|
# comparison.
|
|
local USERNAME="${1:?}"
|
|
homectl inspect "$USERNAME" | tee /tmp/a
|
|
userdbctl user "$USERNAME" | tee /tmp/b
|
|
|
|
# diff uses the grep BREs for pattern matching
|
|
diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\):' /tmp/{a,b}
|
|
rm /tmp/{a,b}
|
|
|
|
homectl inspect --json=pretty "$USERNAME"
|
|
}
|
|
|
|
wait_for_state() {
|
|
for i in {1..10}; do
|
|
(( i > 1 )) && sleep 0.5
|
|
homectl inspect "$1" | grep -qF "State: $2" && break
|
|
done
|
|
}
|
|
|
|
systemd-analyze log-level debug
|
|
systemctl service-log-level systemd-homed debug
|
|
|
|
# Create a tmpfs to use as backing store for the home dir. That way we can enforce a size limit nicely.
|
|
mkdir -p /home
|
|
mount -t tmpfs tmpfs /home -o size=290M
|
|
|
|
# we enable --luks-discard= since we run our tests in a tight VM, hence don't
|
|
# needlessly pressure for storage. We also set the cheapest KDF, since we don't
|
|
# want to waste CI CPU cycles on it.
|
|
NEWPASSWORD=xEhErW0ndafV4s homectl create test-user \
|
|
--disk-size=min \
|
|
--luks-discard=yes \
|
|
--image-path=/home/test-user.home \
|
|
--luks-pbkdf-type=pbkdf2 \
|
|
--luks-pbkdf-time-cost=1ms
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl authenticate test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl activate test-user
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl update test-user --real-name="Inline test"
|
|
inspect test-user
|
|
|
|
homectl deactivate test-user
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s NEWPASSWORD=yPN4N0fYNKUkOq homectl passwd test-user
|
|
inspect test-user
|
|
|
|
PASSWORD=yPN4N0fYNKUkOq homectl activate test-user
|
|
inspect test-user
|
|
|
|
SYSTEMD_LOG_LEVEL=debug PASSWORD=yPN4N0fYNKUkOq NEWPASSWORD=xEhErW0ndafV4s homectl passwd test-user
|
|
inspect test-user
|
|
|
|
homectl deactivate test-user
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl activate test-user
|
|
inspect test-user
|
|
|
|
homectl deactivate test-user
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl update test-user --real-name="Offline test"
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl activate test-user
|
|
inspect test-user
|
|
|
|
homectl deactivate test-user
|
|
inspect test-user
|
|
|
|
# Do some resize tests, but only if we run on real kernels, as quota inside of containers will fail
|
|
if ! systemd-detect-virt -cq ; then
|
|
# grow while inactive
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user 300M
|
|
inspect test-user
|
|
|
|
# minimize while inactive
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user min
|
|
inspect test-user
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl activate test-user
|
|
inspect test-user
|
|
|
|
# grow while active
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user max
|
|
inspect test-user
|
|
|
|
# minimize while active
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user 0
|
|
inspect test-user
|
|
|
|
# grow while active
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user 300M
|
|
inspect test-user
|
|
|
|
# shrink to original size while active
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user 256M
|
|
inspect test-user
|
|
|
|
# minimize again
|
|
PASSWORD=xEhErW0ndafV4s homectl resize test-user min
|
|
inspect test-user
|
|
|
|
# Increase space, so that we can reasonably rebalance free space between to home dirs
|
|
mount /home -o remount,size=800M
|
|
|
|
# create second user
|
|
NEWPASSWORD=uuXoo8ei homectl create test-user2 \
|
|
--disk-size=min \
|
|
--luks-discard=yes \
|
|
--image-path=/home/test-user2.home \
|
|
--luks-pbkdf-type=pbkdf2 \
|
|
--luks-pbkdf-time-cost=1ms
|
|
inspect test-user2
|
|
|
|
# activate second user
|
|
PASSWORD=uuXoo8ei homectl activate test-user2
|
|
inspect test-user2
|
|
|
|
# set second user's rebalance weight to 100
|
|
PASSWORD=uuXoo8ei homectl update test-user2 --rebalance-weight=100
|
|
inspect test-user2
|
|
|
|
# set first user's rebalance weight to quarter of that of the second
|
|
PASSWORD=xEhErW0ndafV4s homectl update test-user --rebalance-weight=25
|
|
inspect test-user
|
|
|
|
# synchronously rebalance
|
|
homectl rebalance
|
|
inspect test-user
|
|
inspect test-user2
|
|
fi
|
|
|
|
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
|
|
(! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
|
|
PASSWORD=xEhErW0ndafV4s homectl with test-user -- touch /home/test-user/xyz
|
|
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz
|
|
PASSWORD=xEhErW0ndafV4s homectl with test-user -- rm /home/test-user/xyz
|
|
PASSWORD=xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
|
|
(! PASSWORD=xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
|
|
|
|
wait_for_state test-user inactive
|
|
homectl remove test-user
|
|
|
|
if ! systemd-detect-virt -cq ; then
|
|
wait_for_state test-user2 active
|
|
homectl deactivate test-user2
|
|
wait_for_state test-user2 inactive
|
|
homectl remove test-user2
|
|
fi
|
|
|
|
# userdbctl tests
|
|
export PAGER=
|
|
|
|
# Create a couple of user/group records to test io.systemd.DropIn
|
|
# See docs/USER_RECORD.md and docs/GROUP_RECORD.md
|
|
mkdir -p /run/userdb/
|
|
cat >"/run/userdb/dropingroup.group" <<\EOF
|
|
{
|
|
"groupName" : "dropingroup",
|
|
"gid" : 1000000
|
|
}
|
|
EOF
|
|
cat >"/run/userdb/dropinuser.user" <<\EOF
|
|
{
|
|
"userName" : "dropinuser",
|
|
"uid" : 2000000,
|
|
"realName" : "🐱",
|
|
"memberOf" : [
|
|
"dropingroup"
|
|
]
|
|
}
|
|
EOF
|
|
cat >"/run/userdb/dropinuser.user-privileged" <<\EOF
|
|
{
|
|
"privileged" : {
|
|
"hashedPassword" : [
|
|
"$6$WHBKvAFFT9jKPA4k$OPY4D4TczKN/jOnJzy54DDuOOagCcvxxybrwMbe1SVdm.Bbr.zOmBdATp.QrwZmvqyr8/SafbbQu.QZ2rRvDs/"
|
|
],
|
|
"sshAuthorizedKeys" : [
|
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA//dxI2xLg4MgxIKKZv1nqwTEIlE/fdakii2Fb75pG+ foo@bar.tld",
|
|
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMlaqG2rTMje5CQnfjXJKmoSpEVJ2gWtx4jBvsQbmee2XbU/Qdq5+SRisssR9zVuxgg5NA5fv08MgjwJQMm+csc= hello@world.tld"
|
|
]
|
|
}
|
|
}
|
|
EOF
|
|
# Set permissions and create necessary symlinks as described in nss-systemd(8)
|
|
chmod 0600 "/run/userdb/dropinuser.user-privileged"
|
|
ln -svrf "/run/userdb/dropingroup.group" "/run/userdb/1000000.group"
|
|
ln -svrf "/run/userdb/dropinuser.user" "/run/userdb/2000000.user"
|
|
ln -svrf "/run/userdb/dropinuser.user-privileged" "/run/userdb/2000000.user-privileged"
|
|
|
|
userdbctl
|
|
userdbctl --version
|
|
userdbctl --help --no-pager
|
|
userdbctl --no-legend
|
|
userdbctl --output=classic
|
|
userdbctl --output=friendly
|
|
userdbctl --output=table
|
|
userdbctl --output=json | jq
|
|
userdbctl -j --json=pretty | jq
|
|
userdbctl -j --json=short | jq
|
|
userdbctl --with-varlink=no
|
|
|
|
userdbctl user
|
|
userdbctl user testuser
|
|
userdbctl user root
|
|
userdbctl user testuser root
|
|
userdbctl user -j testuser root | jq
|
|
# Check only UID for the nobody user, since the name is build-configurable
|
|
userdbctl user --with-nss=no --synthesize=yes
|
|
userdbctl user --with-nss=no --synthesize=yes 0 root 65534
|
|
userdbctl user dropinuser
|
|
userdbctl user 2000000
|
|
userdbctl user --with-nss=no --with-varlink=no --synthesize=no --multiplexer=no dropinuser
|
|
userdbctl user --with-nss=no 2000000
|
|
(! userdbctl user '')
|
|
(! userdbctl user 🐱)
|
|
(! userdbctl user 🐱 '' bar)
|
|
(! userdbctl user i-do-not-exist)
|
|
(! userdbctl user root i-do-not-exist testuser)
|
|
(! userdbctl user --with-nss=no --synthesize=no 0 root 65534)
|
|
(! userdbctl user -N root nobody)
|
|
(! userdbctl user --with-dropin=no dropinuser)
|
|
(! userdbctl user --with-dropin=no 2000000)
|
|
|
|
userdbctl group
|
|
userdbctl group testuser
|
|
userdbctl group root
|
|
userdbctl group testuser root
|
|
userdbctl group -j testuser root | jq
|
|
# Check only GID for the nobody group, since the name is build-configurable
|
|
userdbctl group --with-nss=no --synthesize=yes
|
|
userdbctl group --with-nss=no --synthesize=yes 0 root 65534
|
|
userdbctl group dropingroup
|
|
userdbctl group 1000000
|
|
userdbctl group --with-nss=no --with-varlink=no --synthesize=no --multiplexer=no dropingroup
|
|
userdbctl group --with-nss=no 1000000
|
|
(! userdbctl group '')
|
|
(! userdbctl group 🐱)
|
|
(! userdbctl group 🐱 '' bar)
|
|
(! userdbctl group i-do-not-exist)
|
|
(! userdbctl group root i-do-not-exist testuser)
|
|
(! userdbctl group --with-nss=no --synthesize=no 0 root 65534)
|
|
(! userdbctl group --with-dropin=no dropingroup)
|
|
(! userdbctl group --with-dropin=no 1000000)
|
|
|
|
userdbctl users-in-group
|
|
userdbctl users-in-group testuser
|
|
userdbctl users-in-group testuser root
|
|
userdbctl users-in-group -j testuser root | jq
|
|
userdbctl users-in-group 🐱
|
|
(! userdbctl users-in-group '')
|
|
(! userdbctl users-in-group foo '' bar)
|
|
|
|
userdbctl groups-of-user
|
|
userdbctl groups-of-user testuser
|
|
userdbctl groups-of-user testuser root
|
|
userdbctl groups-of-user -j testuser root | jq
|
|
userdbctl groups-of-user 🐱
|
|
(! userdbctl groups-of-user '')
|
|
(! userdbctl groups-of-user foo '' bar)
|
|
|
|
userdbctl services
|
|
userdbctl services -j | jq
|
|
|
|
userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys
|
|
grep "ssh-ed25519" /tmp/authorized-keys
|
|
grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
|
|
echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key
|
|
userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
|
|
grep "ssh-ed25519" /tmp/authorized-keys
|
|
grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
|
|
grep "my-top-secret-key 🐱" /tmp/authorized-keys
|
|
(! userdbctl ssh-authorized-keys 🐱)
|
|
(! userdbctl ssh-authorized-keys dropin-user --chain)
|
|
(! userdbctl ssh-authorized-keys dropin-user --chain '')
|
|
(! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false)
|
|
|
|
(! userdbctl '')
|
|
for opt in json multiplexer output synthesize with-dropin with-nss with-varlink; do
|
|
(! userdbctl "--$opt=''")
|
|
(! userdbctl "--$opt='🐱'")
|
|
(! userdbctl "--$opt=foo")
|
|
(! userdbctl "--$opt=foo" "--$opt=''" "--$opt=🐱")
|
|
done
|
|
|
|
systemd-analyze log-level info
|
|
|
|
echo OK >/testok
|
|
|
|
exit 0
|