From 5aa097c851aebc056871485c35e65d8badc8f69f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 11 Mar 2021 10:02:46 +0100 Subject: [PATCH] core: allow omitting second part of LoadCredentials= argument This allows "LoadCredentials=foo" to be used as shortcut for "LoadCredentials=foo:foo", i.e. it's a very short way to inherit a credential under its original name from the service manager into a service. (cherry picked from commit 8a29862e32fc7981fe16fc8dd79ad6863a8dc486) Resolves: #1949568 --- man/systemd.exec.xml | 30 ++++++++++++++++-------------- src/core/load-fragment.c | 25 +++++++++++++++++-------- 2 files changed, 33 insertions(+), 22 deletions(-) diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 5bb9af3e7d..6ae630f615 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -2821,7 +2821,7 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy - LoadCredential=ID:PATH + LoadCredential=ID:PATH Pass a credential to the unit. Credentials are limited-size binary or textual objects that may be passed to unit processes. They are primarily used for passing cryptographic keys (both @@ -2834,19 +2834,21 @@ StandardInputData=SWNrIHNpdHplIGRhIHVuJyBlc3NlIEtsb3BzLAp1ZmYgZWVtYWwga2xvcHAncy environment variable to the unit's processes. The LoadCredential= setting takes a textual ID to use as name for a - credential plus a file system path. The ID must be a short ASCII string suitable as filename in the - filesystem, and may be chosen freely by the user. If the specified path is absolute it is opened as - regular file and the credential data is read from it. If the absolute path refers to an - AF_UNIX stream socket in the file system a connection is made to it (only once - at unit start-up) and the credential data read from the connection, providing an easy IPC integration - point for dynamically providing credentials from other services. If the specified path is not - absolute and itself qualifies as valid credential identifier it is understood to refer to a - credential that the service manager itself received via the $CREDENTIALS_DIRECTORY - environment variable, which may be used to propagate credentials from an invoking environment (e.g. a - container manager that invoked the service manager) into a service. The contents of the file/socket - may be arbitrary binary or textual data, including newline characters and NUL - bytes. This option may be used multiple times, each time defining an additional credential to pass to - the unit. + credential plus a file system path, separated by a colon. The ID must be a short ASCII string + suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path + is absolute it is opened as regular file and the credential data is read from it. If the absolute + path refers to an AF_UNIX stream socket in the file system a connection is made + to it (only once at unit start-up) and the credential data read from the connection, providing an + easy IPC integration point for dynamically providing credentials from other services. If the + specified path is not absolute and itself qualifies as valid credential identifier it is understood + to refer to a credential that the service manager itself received via the + $CREDENTIALS_DIRECTORY environment variable, which may be used to propagate + credentials from an invoking environment (e.g. a container manager that invoked the service manager) + into a service. The contents of the file/socket may be arbitrary binary or textual data, including + newline characters and NUL bytes. If the file system path is omitted it is + chosen identical to the credential name, i.e. this is a terse way do declare credentials to inherit + from the service manager into a service. This option may be used multiple times, each time defining + an additional credential to pass to the unit. The credential files/IPC sockets must be accessible to the service manager, but don't have to be directly accessible to the unit's processes: the credential data is read and copied into separate, diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index c6fc4fe083..6a998bb801 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -4606,14 +4606,23 @@ int config_parse_load_credential( log_syntax(unit, LOG_WARNING, filename, line, 0, "Credential name \"%s\" not valid, ignoring.", k); return 0; } - r = unit_full_printf(u, p, &q); - if (r < 0) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p); - return 0; - } - if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) { - log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q); - return 0; + + if (isempty(p)) { + /* If only one field field is specified take it as shortcut for inheriting a credential named + * the same way from our parent */ + q = strdup(k); + if (!q) + return log_oom(); + } else { + r = unit_full_printf(u, p, &q); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Failed to resolve unit specifiers in \"%s\", ignoring: %m", p); + return 0; + } + if (path_is_absolute(q) ? !path_is_normalized(q) : !credential_name_valid(q)) { + log_syntax(unit, LOG_WARNING, filename, line, r, "Credential source \"%s\" not valid, ignoring.", q); + return 0; + } } r = strv_consume_pair(&context->load_credentials, TAKE_PTR(k), TAKE_PTR(q));