Merge pull request #12877 from poettering/dynamic-user-re-migrate2

DynamicUser=1 → = 0 migration follow-up

man/systemd.xml

@@ -71,12 +71,13 @@
         <term><option>--test</option></term>
 
         <listitem><para>Determine the initial start-up transaction (i.e. the list of jobs enqueued at
-        start-up), dump it and exit. This option is useful for debugging only. Note that during regular
+        start-up), dump it and exit — without actually executing any of the determined jobs. This option is
-        service manager start-up further units might be started than this operation shows, because hardware,
+        useful for debugging only. Note that during regular service manager start-up additional units not
-        socket, bus or other kinds of activation might add additional jobs. Use <option>--system</option> to
+        shown by this operation may be started, because hardware, socket, bus or other kinds of activation
-        request the initial transaction of the system service manager (this is also the implied default),
+        might add additional jobs as the transaction is executed. Use <option>--system</option> to request
-        combine with <option>--user</option> to request the initial transaction of the per-user service
+        the initial transaction of the system service manager (this is also the implied default), combine
-        manager instead.</para></listitem>
+        with <option>--user</option> to request the initial transaction of the per-user service manager
+        instead.</para></listitem>
       </varlistentry>
       <varlistentry>
         <term><option>--dump-configuration-items</option></term>
@@ -88,9 +89,8 @@
       <varlistentry>
         <term><option>--dump-bus-properties</option></term>
 
-        <listitem><para>Dump exposed bus properties. This outputs
+        <listitem><para>Dump exposed bus properties. This outputs a terse but complete list of properties
-        a terse but complete list of properties exposed to dbus.
+        exposed on D-Bus.</para></listitem>
-        </para></listitem>
       </varlistentry>
       <varlistentry>
         <term><option>--unit=</option></term>

src/core/execute.c

@@ -2153,6 +2153,10 @@ static int setup_exec_directory(
                                  * it over. Most likely the service has been upgraded from one that didn't use
                                  * DynamicUser=1, to one that does. */
 
+                                log_info("Found pre-existing public %s= directory %s, migrating to %s.\n"
+                                         "Apparently, service previously had DynamicUser= turned off, and has now turned it on.",
+                                         exec_directory_type_to_string(type), p, pp);
+
                                 if (rename(p, pp) < 0) {
                                         r = -errno;
                                         goto fail;
@@ -2178,7 +2182,11 @@ static int setup_exec_directory(
                                 _cleanup_free_ char *q = NULL;
 
                                 /* This already exists and is a symlink? Interesting. Maybe it's one created
-                                 * by DynamicUser=1 (see above)? */
+                                 * by DynamicUser=1 (see above)?
+                                 *
+                                 * We do this for all directory types except for ConfigurationDirectory=,
+                                 * since they all support the private/ symlink logic at least in some
+                                 * configurations, see above. */
 
                                 q = path_join(params->prefix[type], "private", *rt);
                                 if (!q) {
@@ -2191,6 +2199,10 @@ static int setup_exec_directory(
                                         /* Hmm, apparently DynamicUser= was once turned on for this service,
                                          * but is no longer. Let's move the directory back up. */
 
+                                        log_info("Found pre-existing private %s= directory %s, migrating to %s.\n"
+                                                 "Apparently, service previously had DynamicUser= turned on, and has now turned it off.",
+                                                 exec_directory_type_to_string(type), q, p);
+
                                         if (unlink(p) < 0) {
                                                 r = -errno;
                                                 goto fail;

test/TEST-34-DYNAMICUSERMIGRATE/Makefile

@@ -0,0 +1 @@
+../TEST-01-BASIC/Makefile

test/TEST-34-DYNAMICUSERMIGRATE/test.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+set -e
+TEST_DESCRIPTION="test migrating state directory from DynamicUser=1 to DynamicUser=0 and back"
+
+. $TEST_BASE_DIR/test-functions
+
+test_setup() {
+    create_empty_image
+    mkdir -p $TESTDIR/root
+    mount ${LOOPDEV}p1 $TESTDIR/root
+
+    (
+        LOG_LEVEL=5
+        eval $(udevadm info --export --query=env --name=${LOOPDEV}p2)
+
+        setup_basic_environment
+
+        # mask some services that we do not want to run in these tests
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-hwdb-update.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-journal-catalog-update.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-networkd.socket
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-resolved.service
+        ln -fs /dev/null $initdir/etc/systemd/system/systemd-machined.service
+
+        # setup the testsuite service
+        cat >$initdir/etc/systemd/system/testsuite.service <<EOF
+[Unit]
+Description=Testsuite service
+
+[Service]
+ExecStart=/bin/bash -x /testsuite.sh
+Type=oneshot
+StandardOutput=tty
+StandardError=tty
+NotifyAccess=all
+EOF
+        cp testsuite.sh $initdir/
+
+        setup_testsuite
+    ) || return 1
+    setup_nspawn_root
+
+    ddebug "umount $TESTDIR/root"
+    umount $TESTDIR/root
+}
+
+do_test "$@"

test/TEST-34-DYNAMICUSERMIGRATE/testsuite.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -ex
+set -o pipefail
+
+systemd-analyze log-level debug
+systemd-analyze log-target console
+
+# Set everything up without DynamicUser=1
+
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz touch /var/lib/zzz/test
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -d /var/lib/zzz
+! test -L /var/lib/zzz
+! test -e /var/lib/private/zzz
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+# Convert to DynamicUser=1
+
+systemd-run --wait -p DynamicUser=1 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=1 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -L /var/lib/zzz
+test -d /var/lib/private/zzz
+
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+# Convert back
+
+systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test
+! systemd-run --wait -p DynamicUser=0 -p StateDirectory=zzz test -f /var/lib/zzz/test-missing
+
+test -d /var/lib/zzz
+! test -L /var/lib/zzz
+! test -e /var/lib/private/zzz
+test -f /var/lib/zzz/test
+! test -f /var/lib/zzz/test-missing
+
+systemd-analyze log-level info
+
+echo OK > /testok
+
+exit 0