Merge pull request #12877 from poettering/dynamic-user-re-migrate2

DynamicUser=1 → = 0 migration follow-up
2019-06-25 12:20:26 +02:00 · 2019-06-25 12:20:26 +02:00 · 12a9fbe649
parent b5bd7a29f9 33a5137cf0
commit 12a9fbe649
5 changed files with 117 additions and 10 deletions
--- a/man/systemd.xml
+++ b/man/systemd.xml
@ -71,12 +71,13 @@
        <term><option>--test</option></term>

        <listitem><para>Determine the initial start-up transaction (i.e. the list of jobs enqueued at
-        start-up), dump it and exit. This option is useful for debugging only. Note that during regular
-        service manager start-up further units might be started than this operation shows, because hardware,
-        socket, bus or other kinds of activation might add additional jobs. Use <option>--system</option> to
-        request the initial transaction of the system service manager (this is also the implied default),
-        combine with <option>--user</option> to request the initial transaction of the per-user service
-        manager instead.</para></listitem>
+        start-up), dump it and exit — without actually executing any of the determined jobs. This option is
+        useful for debugging only. Note that during regular service manager start-up additional units not
+        shown by this operation may be started, because hardware, socket, bus or other kinds of activation
+        might add additional jobs as the transaction is executed. Use <option>--system</option> to request
+        the initial transaction of the system service manager (this is also the implied default), combine
+        with <option>--user</option> to request the initial transaction of the per-user service manager
+        instead.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--dump-configuration-items</option></term>
@ -88,9 +89,8 @@
      <varlistentry>
        <term><option>--dump-bus-properties</option></term>

-        <listitem><para>Dump exposed bus properties. This outputs
-        a terse but complete list of properties exposed to dbus.
-        </para></listitem>
+        <listitem><para>Dump exposed bus properties. This outputs a terse but complete list of properties
+        exposed on D-Bus.</para></listitem>
      </varlistentry>
      <varlistentry>
        <term><option>--unit=</option></term>
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -2153,6 +2153,10 @@ static int setup_exec_directory(
                                 * it over. Most likely the service has been upgraded from one that didn't use
                                 * DynamicUser=1, to one that does. */

+                                log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
+                                         "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
+                                         exec_directory_type_to_string(type), p, pp);
+
                                if (rename(p, pp) < 0) {
                                        r = -errno;
                                        goto fail;
@ -2178,7 +2182,11 @@ static int setup_exec_directory(
                                _cleanup_free_ char *q = NULL;

                                /* This already exists and is a symlink? Interesting. Maybe it's one created
-                                 * by DynamicUser=1 (see above)? */
+                                 * by DynamicUser=1 (see above)?
+                                 *
+                                 * We do this for all directory types except for ConfigurationDirectory=,
+                                 * since they all support the private/ symlink logic at least in some
+                                 * configurations, see above. */

                                q = path_join(params->prefix[type], "private", *rt);
                                if (!q) {
@ -2191,6 +2199,10 @@ static int setup_exec_directory(
                                        /* Hmm, apparently DynamicUser= was once turned on for this service,
                                         * but is no longer. Let's move the directory back up. */

+                                        log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
+                                                 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
+                                                 exec_directory_type_to_string(type), q, p);
+
                                        if (unlink(p) < 0) {
                                                r = -errno;
                                                goto fail;
--- a/test/TEST-34-DYNAMICUSERMIGRATE/Makefile
+++ b/test/TEST-34-DYNAMICUSERMIGRATE/Makefile
@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile
--- a/test/TEST-34-DYNAMICUSERMIGRATE/test.sh
+++ b/test/TEST-34-DYNAMICUSERMIGRATE/test.sh
@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+TEST_DESCRIPTION="test migrating state directory from DynamicUser=1 to DynamicUser=0 and back"
+
+. $TEST_BASE_DIR/test-functions
+
+test_setup() {
+    create_empty_image
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+
+        # mask some services that we do not want to run in these tests
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-resolved.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-machined.service
+
+        # setup the testsuite service
+        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+
+[Service]
+ExecStart=/bin/bash -x /testsuite.sh
+Type=oneshot
+StandardOutput=tty
+StandardError=tty
+NotifyAccess=all
+EOF
+        cp testsuite.sh $initdir/
+
+        setup_testsuite
+    ) || return 1
+    setup_nspawn_root
+
+    ddebug "umount $TESTDIR/root"
+    umount $TESTDIR/root
+}
+
+do_test "$@"
--- a/test/TEST-34-DYNAMICUSERMIGRATE/testsuite.sh
+++ b/test/TEST-34-DYNAMICUSERMIGRATE/testsuite.sh
@ -0,0 +1,46 @@
+#!/bin/bash
+set -ex
+set -o pipefail
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+# Set everything up without DynamicUser=1
+
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz touch /var/lib/zzz/test
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -d /var/lib/zzz
+! test -L /var/lib/zzz
+! test -e /var/lib/private/zzz
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+# Convert to DynamicUser=1
+
+systemd-run --wait -p DynamicUser=1 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=1 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -L /var/lib/zzz
+test -d /var/lib/private/zzz
+
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+# Convert back
+
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -d /var/lib/zzz
+! test -L /var/lib/zzz
+! test -e /var/lib/private/zzz
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+systemd-analyze log-level info
+
+echo OK > /testok
+
+exit 0