parent 26de8c6e9e
commit a59a3bd39b

0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch
Normal file (102 lines)
@@ -0,0 +1,102 @@
From 5aa097c851aebc056871485c35e65d8badc8f69f Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 11 Mar 2021 10:02:46 +0100
Subject: [PATCH] core: allow omitting second part of LoadCredentials= argument

This allows "LoadCredentials=foo" to be used as shortcut for
"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
credential under its original name from the service manager into a
service.

(cherry picked from commit 8a29862e32fc7981fe16fc8dd79ad6863a8dc486)

Resolves: #1949568
---
man/systemd.exec.xml | 30 ++++++++++++++++--------------
src/core/load-fragment.c | 25 +++++++++++++++++--------
2 files changed, 33 insertions(+), 22 deletions(-)

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 5bb9af3e7d..6ae630f615 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
<variablelist class='unit-directives'>

<varlistentry>
- <term><varname>LoadCredential=</varname><replaceable>ID</replaceable>:<replaceable>PATH</replaceable></term>
+ <term><varname>LoadCredential=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>

<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
that may be passed to unit processes. They are primarily used for passing cryptographic keys (both
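Review bot: the synopsis correctly documents the optional second field under the directive's real name, `LoadCredential=` (singular), but the patch subject, the patch file name `0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch` and the %changelog entry further down all spell it `LoadCredentials=`. Cosmetic, but it makes the backport harder to find when grepping for the directive; rename the patch file and the changelog line to match the manual before building.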
@@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy
environment variable to the unit's processes.</para>

<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
- credential plus a file system path. The ID must be a short ASCII string suitable as filename in the
- filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as
- regular file and the credential data is read from it. If the absolute path refers to an
- <constant>AF_UNIX</constant> stream socket in the file system a connection is made to it (only once
- at unit start-up) and the credential data read from the connection, providing an easy IPC integration
- point for dynamically providing credentials from other services. If the specified path is not
- absolute and itself qualifies as valid credential identifier it is understood to refer to a
- credential that the service manager itself received via the <varname>$CREDENTIALS_DIRECTORY</varname>
- environment variable, which may be used to propagate credentials from an invoking environment (e.g. a
- container manager that invoked the service manager) into a service. The contents of the file/socket
- may be arbitrary binary or textual data, including newline characters and <constant>NUL</constant>
- bytes. This option may be used multiple times, each time defining an additional credential to pass to
- the unit.</para>
+ credential plus a file system path, separated by a colon. The ID must be a short ASCII string
+ suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
+ is absolute it is opened as regular file and the credential data is read from it. If the absolute
+ path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
+ to it (only once at unit start-up) and the credential data read from the connection, providing an
+ easy IPC integration point for dynamically providing credentials from other services. If the
+ specified path is not absolute and itself qualifies as valid credential identifier it is understood
+ to refer to a credential that the service manager itself received via the
+ <varname>$CREDENTIALS_DIRECTORY</varname> environment variable, which may be used to propagate
+ credentials from an invoking environment (e.g. a container manager that invoked the service manager)
+ into a service. The contents of the file/socket may be arbitrary binary or textual data, including
+ newline characters and <constant>NUL</constant> bytes. If the file system path is omitted it is
+ chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit
+ from the service manager into a service. This option may be used multiple times, each time defining
+ an additional credential to pass to the unit.</para>

<para>The credential files/IPC sockets must be accessible to the service manager, but don't have to
be directly accessible to the unit's processes: the credential data is read and copied into separate,
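Review bot: typo in the added sentence, "a terse way do declare credentials to inherit" should read "to declare". It would also help to state explicitly what the omitted-path form can resolve to: since the ID must itself be a valid credential identifier (a short ASCII string usable as a filename component, so never an absolute path), `LoadCredential=foo` always takes the non-absolute branch described just above, i.e. it names the credential `foo` that the service manager itself received via `$CREDENTIALS_DIRECTORY`, and can never refer to a regular file or an `AF_UNIX` socket. Spelling out that `LoadCredential=foo` is equivalent to `LoadCredential=foo:foo` in the paragraph would make that clearer than the current prose.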
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index c6fc4fe083..6a998bb801 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -4606,14 +4606,23 @@ int config_parse_load_credential(
log_syntax(unit, LOG_WARNING, filename, line, 0, "Credential name \"%s\" not valid, ignoring.", k);
return 0;
}
- r = unit_full_printf(u, p, &q);
- if (r < 0) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
- return 0;
- }
- if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
- log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
- return 0;
+
+ if (isempty(p)) {
+ /* If only one field field is specified take it as shortcut for inheriting a credential named
+ * the same way from our parent */
+ q = strdup(k);
+ if (!q)
+ return log_oom();
+ } else {
+ r = unit_full_printf(u, p, &q);
+ if (r < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p);
+ return 0;
+ }
+ if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) {
+ log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q);
+ return 0;
+ }
}

r = strv_consume_pair(&context->load_credentials, TAKE_PTR(k), TAKE_PTR(q));
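Review bot: `isempty(p)` also matches a present but empty second field, so `LoadCredential=foo:` (trailing colon) is now silently accepted as `foo:foo` instead of being rejected as an invalid credential source; if that is not intended, distinguish "no colon" from "empty path" where `p` is split off and warn on the latter. Two smaller points in the same hunk: the new comment has a doubled word ("If only one field field is specified"), and in the else branch the second `log_syntax()` still passes `r` as the error argument even though `r` is non-negative there (the `r < 0` case returned just above), which can attach a spurious errno text to the warning; pass 0, as the "Credential name ... not valid" message at the top of the hunk does. The shortcut branch itself is sound: `k` has already passed `credential_name_valid()` before this point, so `q = strdup(k)` cannot produce a value the else-branch validation would have refused.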
@@ -21,7 +21,7 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 248
-Release: 6%{?dist}
+Release: 7%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@@ -83,6 +83,7 @@ Patch0003: 0003-logind-set-RemoveIPC-to-false-by-default.patch
Patch0004: 0004-Revert-rfkill-fix-the-format-string-to-prevent-compi.patch
Patch0005: 0005-Revert-rfkill-don-t-compare-values-of-different-sign.patch
Patch0006: 0006-rfkill-add-some-casts-to-silence-Werror-sign-compare.patch
+Patch0007: 0007-core-allow-omitting-second-part-of-LoadCredentials-a.patch

# Downstream-only patches (9000–9999)
# https://github.com/systemd/systemd/pull/17050
@@ -851,6 +852,9 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s
%files standalone-sysusers -f .file-list-standalone-sysusers

%changelog
+* Thu Jun 17 2021 systemd maintenance team <systemd-maint@redhat.com> - 248-7
+- core: allow omitting second part of LoadCredentials= argument (#1949568)
+
* Tue Jun 15 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for RHEL 9 BETA for openssl 3.0
