systemd-tests-255.18-alt1.x86_64	unsafe-tmp-usage-in-scripts	fail	The test discovered scripts with errors which may be used by a user for damaging important system files. For example if a script uses in its work a temp file which is created in /tmp directory, then every user can create symlinks with the same name (pattern) in this directory in order to destroy or rewrite some system or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is only accessible by that user, and then sets TMPDIR and other variables to that. Hence, it doesn't matter nearly as much if you create a non-random filename, because nobody but you can access it. Found error in /usr/lib/systemd/tests/testdata/units/testsuite-82.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-82.sh test "$(systemctl show -P ActiveState testsuite-82-survive-argv.service)" = "active" test "$(systemctl show -P ActiveState testsuite-82-nosurvive-sigterm.service)" != "active" test "$(systemctl show -P ActiveState testsuite-82-nosurvive.service)" != "active" # This time we test the /run/nextroot/ root switching logic. (We synthesize a new rootfs from the old via overlayfs) mkdir -p /run/nextroot /tmp/nextroot-lower /original-root mount -t tmpfs tmpfs /tmp/nextroot-lower echo miep >/tmp/nextroot-lower/lower # Copy os-release away, so that we can manipulate it and check that it is updated in the propagate # directory across soft reboots. Try to cover corner cases by truncating it. mkdir -p /tmp/nextroot-lower/etc grep ID /etc/os-release >/tmp/nextroot-lower/etc/os-release echo MARKER=1 >>/tmp/nextroot-lower/etc/os-release cmp /etc/os-release /run/systemd/propagate/.os-release-stage/os-release (! grep -q MARKER=1 /etc/os-release) mount -t overlay nextroot /run/nextroot -o lowerdir=/tmp/nextroot-lower:/,ro # Bind our current root into the target so that we later can return to it mount --bind / /run/nextroot/original-root # Restart the unit that is not supposed to survive Found error in /usr/lib/systemd/tests/testdata/units/testsuite-81.system-update-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-81.system-update-generator.sh # shellcheck source=test/units/generator-utils.sh . "$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-system-update-generator" OUT_DIR="$(mktemp -d /tmp/system-update-generator-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" /system-update } -- link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" : "system-update-generator: kernel cmdline warnings" # We should warn if the default target is overridden on the kernel cmdline # by a runlevel or systemd.unit=, but still generate the symlink SYSTEMD_PROC_CMDLINE="systemd.unit=foo.bar 3" run_and_list "$GENERATOR_BIN" "$OUT_DIR" |& tee /tmp/system-update-generator.log link_endswith "$OUT_DIR/early/default.target" "/lib/systemd/system/system-update.target" grep -qE "Offline system update overridden .* systemd.unit=" /tmp/system-update-generator.log grep -qE "Offline system update overridden .* runlevel" /tmp/system-update-generator.log Found error in /usr/lib/systemd/tests/testdata/units/testsuite-81.getty-generator.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-81.getty-generator.sh # shellcheck source=test/units/generator-utils.sh . "$(dirname "$0")/generator-utils.sh" GENERATOR_BIN="/usr/lib/systemd/system-generators/systemd-getty-generator" OUT_DIR="$(mktemp -d /tmp/getty-generator.XXX)" at_exit() { rm -frv "${OUT_DIR:?}" } -- done # Sneak in one "not-a-tty" console touch /dev/notatty99 # Temporarily replace /sys/class/tty/console/active with our list of dummy # consoles so getty-generator can process them echo -ne "${DUMMY_ACTIVE_CONSOLES[@]}" /dev/notatty99 >/tmp/dummy-active-consoles mount -v --bind /tmp/dummy-active-consoles /sys/class/tty/console/active : "getty-generator: no arguments" # Sneak in an invalid value for $SYSTEMD_GETTY_AUTO to test things out PID1_ENVIRON="SYSTEMD_GETTY_AUTO=foo" run_and_list "$GENERATOR_BIN" "$OUT_DIR" for console in "${DUMMY_ACTIVE_CONSOLES[@]}"; do Found error in /usr/lib/systemd/tests/testdata/units/testsuite-80.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-80.sh set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh mkfifo /tmp/syncfifo1 /tmp/syncfifo2 sync_in() { read -r x < /tmp/syncfifo1 test "$x" = "$1" } sync_out() { echo "$1" > /tmp/syncfifo2 } export SYSTEMD_LOG_LEVEL=debug systemctl --no-block start notify.service -- assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "none" systemctl stop notify.service assert_eq "$(systemctl show notify.service -p NotifyAccess --value)" "all" rm /tmp/syncfifo1 /tmp/syncfifo2 # Now test basic fdstore behaviour MYSCRIPT="/tmp/myscript$RANDOM.sh" cat >> "$MYSCRIPT" <<'EOF' #!/usr/bin/env bash set -eux set -o pipefail test "$FDSTORE" -eq 7 N="/tmp/$RANDOM" echo $RANDOM > "$N" systemd-notify --fd=4 --fdname=quux --pid=parent 4< "$N" rm "$N" systemd-notify --ready exec sleep infinity -- MYUNIT="myunit$RANDOM.service" systemd-run -u "$MYUNIT" -p Type=notify -p FileDescriptorStoreMax=7 "$MYSCRIPT" test "$(systemd-analyze fdstore "$MYUNIT" | wc -l)" -eq 2 systemd-analyze fdstore "$MYUNIT" --json=short systemd-analyze fdstore "$MYUNIT" --json=short | grep -P -q '\[{"fdname":"quux","type":.*,"devno":\[.*\],"inode":.*,"rdevno":null,"path":"/tmp/.*","flags":"ro"}\]' systemctl stop "$MYUNIT" rm "$MYSCRIPT" systemd-analyze log-level debug Found error in /usr/lib/systemd/tests/testdata/units/testsuite-76.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-76.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh export SYSTEMD_LOG_LEVEL=debug echo "foo.bar=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 1 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf echo "-foo.foo=42" >/tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl /tmp/foo.conf assert_rc 0 /usr/lib/systemd/systemd-sysctl --strict /tmp/foo.conf if ! systemd-detect-virt --quiet --container; then ip link add hoge type dummy udevadm wait /sys/class/net/hoge cat >/tmp/foo.conf <<EOF net.ipv4.conf.*.drop_gratuitous_arp=1 net.ipv4.*.*.bootp_relay=1 net.ipv4.aaa.*.disable_policy=1 EOF echo 0 >/proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp echo 0 >/proc/sys/net/ipv4/conf/hoge/bootp_relay echo 0 >/proc/sys/net/ipv4/conf/hoge/disable_policy assert_rc 0 /usr/lib/systemd/systemd-sysctl --prefix=/net/ipv4/conf/hoge /tmp/foo.conf assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/drop_gratuitous_arp)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/bootp_relay)" "1" assert_eq "$(cat /proc/sys/net/ipv4/conf/hoge/disable_policy)" "0" fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-74.modules-load.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-74.modules-load.sh "$MODULES_LOAD_BIN" --version # Explicit config file modprobe -v --all --remove loop dummy printf "loop\ndummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" "$CONFIG_FILE" |& tee /tmp/out.log grep -E "Inserted module .*loop" /tmp/out.log grep -E "Inserted module .*dummy" /tmp/out.log # Implicit config file modprobe -v --all --remove loop dummy printf "loop\ndummy" >"$CONFIG_FILE" "$MODULES_LOAD_BIN" |& tee /tmp/out.log grep -E "Inserted module .*loop" /tmp/out.log grep -E "Inserted module .*dummy" /tmp/out.log # Valid & invalid data mixed together modprobe -v --all --remove loop dummy cat >"$CONFIG_FILE" <<EOF -- foo-bar-baz 1 " ' EOF "$MODULES_LOAD_BIN" |& tee /tmp/out.log grep -E "^Inserted module .*loop" /tmp/out.log grep -E "^Inserted module .*dummy" /tmp/out.log grep -E "^Failed to find module .*foo-bar-baz" /tmp/out.log (! grep -E "This is a comment" /tmp/out.log) # Each module should be loaded only once, even if specified multiple times [[ "$(grep -Ec "^Inserted module" /tmp/out.log)" -eq 2 ]] [[ "$(grep -Ec "^Failed to find module" /tmp/out.log)" -eq 7 ]] # Command line arguments modprobe -v --all --remove loop dummy # Make sure we have no config files left over that might interfere with # following tests rm -fv "$CONFIG_FILE" [[ -z "$(systemd-analyze cat-config modules-load.d)" ]] CMDLINE="ro root= modules_load= modules_load=, / = modules_load=foo-bar-baz,dummy modules_load=loop,loop,loop" SYSTEMD_PROC_CMDLINE="$CMDLINE" "$MODULES_LOAD_BIN" |& tee /tmp/out.log grep -E "^Inserted module .*loop" /tmp/out.log grep -E "^Inserted module .*dummy" /tmp/out.log grep -E "^Failed to find module .*foo-bar-baz" /tmp/out.log # Each module should be loaded only once, even if specified multiple times [[ "$(grep -Ec "^Inserted module" /tmp/out.log)" -eq 2 ]] (! "$MODULES_LOAD_BIN" --nope) (! "$MODULES_LOAD_BIN" /foo/bar/baz) Found error in /usr/lib/systemd/tests/testdata/units/testsuite-74.coredump.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-74.coredump.sh # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh # Make sure the binary name fits into 15 characters CORE_TEST_BIN="/tmp/test-dump" CORE_TEST_UNPRIV_BIN="/tmp/test-usr-dump" MAKE_DUMP_SCRIPT="/tmp/make-dump" # Unset $PAGER so we don't have to use --no-pager everywhere export PAGER= at_exit() { rm -fv -- "$CORE_TEST_BIN" "$CORE_TEST_UNPRIV_BIN" "$MAKE_DUMP_SCRIPT" -- coredumpctl --directory=/var/log/journal coredumpctl --file="/var/log/journal/$(</etc/machine-id)"/*.journal coredumpctl --since=@0 coredumpctl --since=yesterday --until=tomorrow # We should have a couple of externally stored coredumps coredumpctl --field=COREDUMP_FILENAME | tee /tmp/coredumpctl.out grep "/var/lib/systemd/coredump/core" /tmp/coredumpctl.out rm -f /tmp/coredumpctl.out coredumpctl info coredumpctl info "$CORE_TEST_BIN" coredumpctl info /foo /bar/ /baz "$CORE_TEST_BIN" coredumpctl info "${CORE_TEST_BIN##*/}" -- coredumpctl debug --debugger=/bin/true "$CORE_TEST_BIN" SYSTEMD_DEBUGGER=/bin/true coredumpctl debug "$CORE_TEST_BIN" coredumpctl debug --debugger=/bin/true --debugger-arguments="-this --does --not 'do anything' -a -t --all" "${CORE_TEST_BIN##*/}" coredumpctl dump "$CORE_TEST_BIN" >/tmp/core.redirected test -s /tmp/core.redirected coredumpctl dump -o /tmp/core.output "${CORE_TEST_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} # Unprivileged stuff # Related issue: https://github.com/systemd/systemd/issues/26912 UNPRIV_CMD=(systemd-run --user --wait --pipe -M "testuser@.host" --) # Trigger a couple of coredumps as an unprivileged user -- "${UNPRIV_CMD[@]}" coredumpctl info "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl info "${CORE_TEST_UNPRIV_BIN##*/}" (! "${UNPRIV_CMD[@]}" coredumpctl info --all "$CORE_TEST_BIN") (! "${UNPRIV_CMD[@]}" coredumpctl info --all "${CORE_TEST_BIN##*/}") # We should have a couple of externally stored coredumps "${UNPRIV_CMD[@]}" coredumpctl --field=COREDUMP_FILENAME | tee /tmp/coredumpctl.out grep "/var/lib/systemd/coredump/core" /tmp/coredumpctl.out rm -f /tmp/coredumpctl.out "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true "$CORE_TEST_UNPRIV_BIN" "${UNPRIV_CMD[@]}" coredumpctl debug --debugger=/bin/true --debugger-arguments="-this --does --not 'do anything' -a -t --all" "${CORE_TEST_UNPRIV_BIN##*/}" "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_UNPRIV_BIN" >/tmp/core.redirected test -s /tmp/core.redirected "${UNPRIV_CMD[@]}" coredumpctl dump -o /tmp/core.output "${CORE_TEST_UNPRIV_BIN##*/}" test -s /tmp/core.output rm -f /tmp/core.{output,redirected} (! "${UNPRIV_CMD[@]}" coredumpctl dump "$CORE_TEST_BIN" >/dev/null) # --backtrace mode # Pass one of the existing journal coredump records to systemd-coredump and # use our PID as the source to make matching the coredump later easier Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.pcrlock.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.pcrlock.sh # means we'll fail consistency check, but at least we'll fail them consistently # (as the PCR values simply won't match the log). rm -f /run/log/systemd/tpm2-measure.log # Ensure a truncated log doesn't crash pcrlock echo -n -e \\x1e >/tmp/borked set +e SYSTEMD_MEASURE_LOG_USERSPACE=/tmp/borked "$SD_PCRLOCK" cel --no-pager --json=pretty ret=$? set -e # If it crashes the exit code will be 149 test $ret -eq 1 -- PIN=huhu "$SD_PCRLOCK" make-policy --pcr="$PCRS" --recovery-pin=yes # Repeat immediately (this call will have to reuse the nvindex, rather than create it) "$SD_PCRLOCK" make-policy --pcr="$PCRS" "$SD_PCRLOCK" make-policy --pcr="$PCRS" --force img="/tmp/pcrlock.img" truncate -s 20M "$img" echo -n hoho >/tmp/pcrlockpwd chmod 0600 /tmp/pcrlockpwd cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$img" /tmp/pcrlockpwd systemd-cryptenroll --unlock-key-file=/tmp/pcrlockpwd --tpm2-device=auto --tpm2-pcrlock=/var/lib/systemd/pcrlock.json --tpm2-public-key= --wipe-slot=tpm2 "$img" systemd-cryptsetup attach pcrlock "$img" - tpm2-device=auto,tpm2-pcrlock=/var/lib/systemd/pcrlock.json,headless systemd-cryptsetup detach pcrlock # Ensure systemd-pcrlock not crashing on empty variant directory mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d -- (! "$SD_PCRLOCK" lock-pe /bin/true) (! "$SD_PCRLOCK" lock-uki /dev/full) (! "$SD_PCRLOCK" lock-uki /bin/true) (! "$SD_PCRLOCK" lock-file-system "") rm "$img" /tmp/pcrlockpwd Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.measure.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.measure.sh if [[ ! -x "${SD_MEASURE:?}" ]]; then echo "$SD_MEASURE not found, skipping the test" exit 0 fi IMAGE="$(mktemp /tmp/systemd-measure-XXX.image)" echo HALLO >/tmp/tpmdata1 echo foobar >/tmp/tpmdata2 cat >/tmp/result <<EOF 11:sha1=5177e4ad69db92192c10e5f80402bf81bfec8a81 11:sha256=37b48bd0b222394dbe3cceff2fca4660c4b0a90ae9369ec90b42f14489989c13 11:sha384=5573f9b2caf55b1d0a6a701f890662d682af961899f0419cf1e2d5ea4a6a68c1f25bd4f5b8a0865eeee82af90f5cb087 11:sha512=961305d7e9981d6606d1ce97b3a9a1f92610cac033e9c39064895f0e306abc1680463d55767bd98e751eae115bdef3675a9ee1d29ed37da7885b1db45bb2555b EOF "$SD_MEASURE" calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=: | cmp - /tmp/result cat >/tmp/result.json <<EOF {"sha1":[{"pcr":11,"hash":"5177e4ad69db92192c10e5f80402bf81bfec8a81"}],"sha256":[{"pcr":11,"hash":"37b48bd0b222394dbe3cceff2fca4660c4b0a90ae9369ec90b42f14489989c13"}],"sha384":[{"pcr":11,"hash":"5573f9b2caf55b1d0a6a701f890662d682af961899f0419cf1e2d5ea4a6a68c1f25bd4f5b8a0865eeee82af90f5cb087"}],"sha512":[{"pcr":11,"hash":"961305d7e9981d6606d1ce97b3a9a1f92610cac033e9c39064895f0e306abc1680463d55767bd98e751eae115bdef3675a9ee1d29ed37da7885b1db45bb2555b"}]} EOF "$SD_MEASURE" calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=: -j | diff -u - /tmp/result.json cat >/tmp/result <<EOF 11:sha1=6765ee305db063040c454d32697d922b3d4f232b 11:sha256=21c49c1242042649e09c156546fd7d425ccc3c67359f840507b30be4e0f6f699 11:sha384=08d0b003a134878eee552070d51d58abe942f457ca85704131dd36f73728e7327ca837594bc9d5ac7de818d02a3d5dd2 11:sha512=65120f6ebc04b156421c6f3d543b2fad545363d9ca61c514205459e9c0e0b22e09c23605eae5853e38458ef3ca54e087168af8d8a882a98d220d9391e48be6d0 EOF "$SD_MEASURE" calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=foo | cmp - /tmp/result cat >/tmp/result.json <<EOF {"sha1":[{"phase":"foo","pcr":11,"hash":"6765ee305db063040c454d32697d922b3d4f232b"}],"sha256":[{"phase":"foo","pcr":11,"hash":"21c49c1242042649e09c156546fd7d425ccc3c67359f840507b30be4e0f6f699"}],"sha384":[{"phase":"foo","pcr":11,"hash":"08d0b003a134878eee552070d51d58abe942f457ca85704131dd36f73728e7327ca837594bc9d5ac7de818d02a3d5dd2"}],"sha512":[{"phase":"foo","pcr":11,"hash":"65120f6ebc04b156421c6f3d543b2fad545363d9ca61c514205459e9c0e0b22e09c23605eae5853e38458ef3ca54e087168af8d8a882a98d220d9391e48be6d0"}]} EOF "$SD_MEASURE" calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2 --bank=sha1 --bank=sha256 --bank=sha384 --bank=sha512 --phase=foo -j | diff -u - /tmp/result.json rm /tmp/result /tmp/result.json if ! tpm_has_pcr sha1 11 || ! tpm_has_pcr sha256 11; then echo "PCR sysfs files not found, skipping signed PCR policy tests" exit 0 fi # Generate key pair openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem" openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem" MEASURE_BANKS=("--bank=sha256") # Check if SHA1 signatures are supported # # Some distros have started phasing out SHA1, so make sure the SHA1 # signatures are supported before trying to use them. if echo hello | openssl dgst -sign /tmp/pcrsign-private.pem -sha1 >/dev/null; then MEASURE_BANKS+=("--bank=sha1") fi # Sign current PCR state with it "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: | tee "/tmp/pcrsign.sig" dd if=/dev/urandom of=/tmp/pcrtestdata bs=1024 count=64 systemd-creds encrypt /tmp/pcrtestdata /tmp/pcrtestdata.encrypted --with-key=host+tpm2-with-public-key --tpm2-public-key="/tmp/pcrsign-public.pem" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" | cmp - /tmp/pcrtestdata # Invalidate PCR, decrypting should fail now tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig" >/dev/null) # Sign new PCR state, decrypting should work now. "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig2" systemd-creds decrypt /tmp/pcrtestdata.encrypted - --tpm2-signature="/tmp/pcrsign.sig2" | cmp - /tmp/pcrtestdata # Now, do the same, but with a cryptsetup binding truncate -s 20M "$IMAGE" cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Ensure that an unrelated signature, when not requested, is not used touch /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" "$IMAGE" # Reset and use the signature now rm -f /run/systemd/tpm2-pcr-signature.json systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto --tpm2-public-key="/tmp/pcrsign-public.pem" --tpm2-signature="/tmp/pcrsign.sig2" "$IMAGE" # Check if we can activate that (without the token module stuff) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup detach test-volume2 # Check if we can activate that (and a second time with the token module stuff enabled) SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup detach test-volume2 # After extending the PCR things should fail tpm2_pcrextend 11:sha256=0000000000000000000000000000000000000000000000000000000000000000 (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) (! SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig2",headless=1) # But once we sign the current PCRs, we should be able to unlock again "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: >"/tmp/pcrsign.sig3" SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=1 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig3",headless=1 systemd-cryptsetup detach test-volume2 # Test --append mode and de-duplication. With the same parameters signing should not add a new entry "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig3" >"/tmp/pcrsign.sig4" cmp "/tmp/pcrsign.sig3" "/tmp/pcrsign.sig4" # Sign one more phase, this should "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig4" >"/tmp/pcrsign.sig5" (! cmp "/tmp/pcrsign.sig4" "/tmp/pcrsign.sig5") # Should still be good to unlock, given the old entry still exists SYSTEMD_CRYPTSETUP_USE_TOKEN_MODULE=0 systemd-cryptsetup attach test-volume2 "$IMAGE" - tpm2-device=auto,tpm2-signature="/tmp/pcrsign.sig5",headless=1 systemd-cryptsetup detach test-volume2 # Adding both signatures once more should not change anything, due to the deduplication "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=: --append="/tmp/pcrsign.sig5" >"/tmp/pcrsign.sig6" "$SD_MEASURE" sign --current "${MEASURE_BANKS[@]}" --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem" --phase=quux:waldo --append="/tmp/pcrsign.sig6" >"/tmp/pcrsign.sig7" cmp "/tmp/pcrsign.sig5" "/tmp/pcrsign.sig7" rm -f "$IMAGE" Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptsetup.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptsetup.sh } trap at_exit EXIT # Prepare a fresh disk image IMAGE="$(mktemp /tmp/systemd-cryptsetup-XXX.IMAGE)" truncate -s 20M "$IMAGE" echo -n passphrase >/tmp/passphrase # Change file mode to avoid "/tmp/passphrase has 0644 mode that is too permissive" messages chmod 0600 /tmp/passphrase cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/passphrase # Unlocking via keyfile systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto "$IMAGE" # Enroll unlock with default PCR policy PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume -- systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # Now the interesting part, enrolling using a hash value that doesn't match the current PCR value systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) EXPECTED_PCR_VALUE=$(cat /tmp/pcr.dat /tmp/pcr.dat | openssl dgst -sha256 -r | cut -d ' ' -f 1) PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs="12:sha256=$EXPECTED_PCR_VALUE" "$IMAGE" (! systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1) tpm2_pcrextend "12:sha256=$CURRENT_PCR_VALUE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume # enroll TPM using device key instead of direct access, then verify unlock using TPM tpm2_pcrread -Q -o /tmp/pcr.dat sha256:12 CURRENT_PCR_VALUE=$(cat /sys/class/tpm/tpm0/pcr-sha256/12) tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub systemd-analyze srk > /tmp/srk2.pub cmp /tmp/srk.pub /tmp/srk2.pub if [ -f /run/systemd/tpm2-srk-public-key.tpm2b_public ] ; then cmp /tmp/srk.pub /run/systemd/tpm2-srk-public-key.tpm2b_public fi # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then PASSWORD=passphrase systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs="12:sha256=$CURRENT_PCR_VALUE" "$IMAGE" systemd-cryptsetup attach test-volume "$IMAGE" - tpm2-device=auto,headless=1 systemd-cryptsetup detach test-volume fi rm -f /tmp/pcr.dat /tmp/srk.pub fi # Use default (0) seal key handle systemd-cryptenroll --wipe-slot=tpm2 "$IMAGE" PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0 "$IMAGE" -- (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x02000001 "$IMAGE") # HMAC/loaded session (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x03000001 "$IMAGE") # Policy/saved session (! PASSWORD=passphrase systemd-cryptenroll --tpm2-device=auto --tpm2-seal-key-handle=0x40000001 "$IMAGE") # Permanent # Use non-SRK persistent seal key handle (by creating/persisting new key) PRIMARY=/tmp/primary.ctx tpm2_createprimary -c "$PRIMARY" PERSISTENT_LINE=$(tpm2_evictcontrol -c "$PRIMARY" | grep persistent-handle) PERSISTENT_HANDLE="0x${PERSISTENT_LINE##*0x}" tpm2_flushcontext -t -- systemd-cryptsetup detach test-volume # --tpm2-device-key= requires OpenSSL >= 3 with KDF-SS if openssl_supports_kdf SSKDF; then # Make sure that --tpm2-device-key= also works with systemd-repart tpm2_readpublic -c 0x81000001 -o /tmp/srk.pub mkdir /tmp/dditest cat > /tmp/dditest/50-root.conf <<EOF [Partition] Type=root Format=ext4 CopyFiles=/tmp/dditest:/ Encrypt=tpm2 EOF PASSWORD=passphrase systemd-repart --tpm2-device-key=/tmp/srk.pub --definitions=/tmp/dditest --empty=create --size=80M /tmp/dditest.raw --tpm2-pcrs= DEVICE="$(systemd-dissect --attach /tmp/dditest.raw)" udevadm wait --settle --timeout=10 "$DEVICE"p1 systemd-cryptsetup attach dditest "$DEVICE"p1 - tpm2-device=auto,headless=yes mkdir /tmp/dditest.mnt mount -t ext4 /dev/mapper/dditest /tmp/dditest.mnt cmp /tmp/dditest.mnt/50-root.conf /tmp/dditest/50-root.conf umount /tmp/dditest.mnt rmdir /tmp/dditest.mnt rm /tmp/dditest.raw rm /tmp/dditest/50-root.conf rmdir /tmp/dditest fi rm -f "$IMAGE" "$PRIMARY" Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptenroll.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.cryptenroll.sh set -o pipefail cryptenroll_wipe_and_check() {( set +o pipefail : >/tmp/cryptenroll.out systemd-cryptenroll "$@" |& tee /tmp/cryptenroll.out grep -qE "Wiped slot [[:digit:]]+" /tmp/cryptenroll.out )} # There is an external issue with libcryptsetup on ppc64 that hits 95% of Ubuntu ppc64 test runs, so skip it if [[ "$(uname -m)" == "ppc64le" ]]; then echo "Skipping systemd-cryptenroll tests on ppc64le, see https://github.com/systemd/systemd/issues/27716" exit 0 fi export SYSTEMD_LOG_LEVEL=debug IMAGE="$(mktemp /tmp/systemd-cryptenroll-XXX.image)" truncate -s 20M "$IMAGE" echo -n password >/tmp/password # Change file mode to avoid "/tmp/password has 0644 mode that is too permissive" messages chmod 0600 /tmp/password cryptsetup luksFormat -q --pbkdf pbkdf2 --pbkdf-force-iterations 1000 --use-urandom "$IMAGE" /tmp/password # Enroll additional tokens, keys, and passwords to exercise the list and wipe stuff systemd-cryptenroll --unlock-key-file=/tmp/password --tpm2-device=auto "$IMAGE" NEWPASSWORD="" systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" NEWPASSWORD=foo systemd-cryptenroll --unlock-key-file=/tmp/password --password "$IMAGE" for _ in {0..9}; do systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE" done PASSWORD="" NEWPIN=123456 systemd-cryptenroll --tpm2-device=auto --tpm2-with-pin=true "$IMAGE" # Do some basic checks before we start wiping stuff systemd-cryptenroll "$IMAGE" systemd-cryptenroll "$IMAGE" | grep password -- (! systemd-cryptenroll "$IMAGE" | grep recovery) # We shouldn't be able to wipe all keyslots without enrolling a new key first (! systemd-cryptenroll "$IMAGE" --wipe=all) PASSWORD=foo NEWPASSWORD=foo cryptenroll_wipe_and_check "$IMAGE" --password --wipe=all # Check if the newly (and only) enrolled password works (! systemd-cryptenroll --unlock-key-file=/tmp/password --recovery-key "$IMAGE") (! PASSWORD="" systemd-cryptenroll --recovery-key "$IMAGE") PASSWORD=foo systemd-cryptenroll --recovery-key "$IMAGE" systemd-cryptenroll --fido2-with-client-pin=false "$IMAGE" systemd-cryptenroll --fido2-with-user-presence=false "$IMAGE" systemd-cryptenroll --fido2-with-user-verification=false "$IMAGE" systemd-cryptenroll --tpm2-pcrs=8 "$IMAGE" systemd-cryptenroll --tpm2-pcrs=boot-loader-code+boot-loader-config "$IMAGE" (! systemd-cryptenroll --fido2-with-client-pin=false) (! systemd-cryptenroll --fido2-with-user-presence=f "$IMAGE" /tmp/foo) (! systemd-cryptenroll --fido2-with-client-pin=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-presence=1234 "$IMAGE") (! systemd-cryptenroll --fido2-with-user-verification=1234 "$IMAGE") (! systemd-cryptenroll --tpm2-with-pin=1234 "$IMAGE") (! systemd-cryptenroll --recovery-key --password "$IMAGE") (! systemd-cryptenroll --password --recovery-key "$IMAGE") (! systemd-cryptenroll --password --fido2-device=auto "$IMAGE") (! systemd-cryptenroll --password --pkcs11-token-uri=auto "$IMAGE") (! systemd-cryptenroll --password --tpm2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-fido2-device=auto "$IMAGE") (! systemd-cryptenroll --unlock-fido2-device=auto --unlock-key-file=/tmp/unlock "$IMAGE") (! systemd-cryptenroll --fido2-credential-algorithm=es512 "$IMAGE") (! systemd-cryptenroll --tpm2-public-key-pcrs=key "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=key "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=44+8 "$IMAGE") (! systemd-cryptenroll --tpm2-pcrs=hello "$IMAGE") Found error in /usr/lib/systemd/tests/testdata/units/testsuite-70.creds.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-70.creds.sh set -o pipefail export SYSTEMD_LOG_LEVEL=debug # Ensure that sandboxing doesn't stop creds from being accessible echo "test" > /tmp/testdata systemd-creds encrypt /tmp/testdata /tmp/testdata.encrypted --with-key=tpm2 # LoadCredentialEncrypted systemd-run -p PrivateDevices=yes -p LoadCredentialEncrypted=testdata.encrypted:/tmp/testdata.encrypted --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata # SetCredentialEncrypted systemd-run -p PrivateDevices=yes -p SetCredentialEncrypted=testdata.encrypted:"$(cat /tmp/testdata.encrypted)" --pipe --wait systemd-creds cat testdata.encrypted | cmp - /tmp/testdata rm -f /tmp/testdata Found error in /usr/lib/systemd/tests/testdata/units/testsuite-68.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-68.sh ExecStart=sh -c "exit 0" EOF # Script to check that when an OnSuccess= dependency fires, the correct # MONITOR* env variables are passed. cat >/tmp/check_on_success.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "success" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_success.sh cat >/run/systemd/system/testservice-success-exit-handler-68.service <<EOF [Service] ExecStartPre=/tmp/check_on_success.sh ExecStart=/tmp/check_on_success.sh EOF cp /run/systemd/system/testservice-success-exit-handler-68.service \ /run/systemd/system/testservice-transient-success-exit-handler-68.service # Template version. cat >/run/systemd/system/testservice-success-exit-handler-68-template@.service <<EOF [Service] ExecStartPre=echo "triggered by %i" ExecStartPre=/tmp/check_on_success.sh ExecStart=/tmp/check_on_success.sh EOF # Script to check that when an OnFailure= dependency fires, the correct # MONITOR* env variables are passed. cat >/tmp/check_on_failure.sh <<"EOF" #!/bin/sh set -ex env | sort if [ "$MONITOR_SERVICE_RESULT" != "exit-code" ]; then -- exit 1 fi exit 0 EOF chmod +x /tmp/check_on_failure.sh cat >/run/systemd/system/testservice-failure-exit-handler-68.service <<EOF [Service] # repeat the check to make sure that values are set correctly on repeated invocations Type=oneshot ExecStartPre=/tmp/check_on_failure.sh ExecStartPre=/tmp/check_on_failure.sh ExecStart=/tmp/check_on_failure.sh ExecStart=/tmp/check_on_failure.sh ExecStartPost=test -z '$MONITOR_SERVICE_RESULT' EOF cp /run/systemd/system/testservice-failure-exit-handler-68.service \ /run/systemd/system/testservice-transient-failure-exit-handler-68.service -- # Template version. cat >/run/systemd/system/testservice-failure-exit-handler-68-template@.service <<EOF [Service] Type=oneshot ExecStartPre=echo "triggered by %i" ExecStartPre=/tmp/check_on_failure.sh ExecStartPre=/tmp/check_on_failure.sh ExecStart=/tmp/check_on_failure.sh ExecStart=/tmp/check_on_failure.sh ExecStartPost=test -z '$MONITOR_SERVICE_RESULT' EOF systemctl daemon-reload Found error in /usr/lib/systemd/tests/testdata/units/testsuite-65.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-65.sh systemd-analyze security --json=pretty | jq systemd-analyze security --json=short | jq if [[ ! -v ASAN_OPTIONS ]]; then # check that systemd-analyze cat-config paths work in a chroot mkdir -p /tmp/root mount --bind / /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out1 chroot /tmp/root systemd-analyze cat-config systemd/system-preset >/tmp/out2 diff /tmp/out{1,2} fi # verify mkdir -p /tmp/img/usr/lib/systemd/system/ mkdir -p /tmp/img/opt/ touch /tmp/img/opt/script0.sh chmod +x /tmp/img/opt/script0.sh cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = /opt/script0.sh EOF set +e # Default behaviour is to recurse through all dependencies when unit is loaded (! systemd-analyze verify --root=/tmp/img/ testfile.service) # As above, recurses through all dependencies when unit is loaded (! systemd-analyze verify --recursive-errors=yes --root=/tmp/img/ testfile.service) # Recurses through unit file and its direct dependencies when unit is loaded (! systemd-analyze verify --recursive-errors=one --root=/tmp/img/ testfile.service) set -e # zero exit status since dependencies are ignored when unit is loaded systemd-analyze verify --recursive-errors=no --root=/tmp/img/ testfile.service rm /tmp/img/usr/lib/systemd/system/testfile.service cat <<EOF >/tmp/testfile.service [Unit] foo = bar [Service] ExecStart = echo hello EOF cat <<EOF >/tmp/testfile2.service [Unit] Requires = testfile.service [Service] ExecStart = echo hello EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/testfile2.service set +e # Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded (! systemd-analyze verify --recursive-errors=yes /tmp/testfile2.service) set -e rm /tmp/testfile.service rm /tmp/testfile2.service cat <<EOF >/tmp/sample.service [Unit] Description = A Sample Service [Service] ExecStart = echo hello Slice=support.slice EOF # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded systemd-analyze verify --recursive-errors=no /tmp/sample.service cat <<EOF >/tmp/testfile.service [Service] ExecStart = echo hello DeviceAllow=/dev/sda EOF # Prevent regression from #13380 and #20859 where we can't verify hidden files cp /tmp/testfile.service /tmp/.testfile.service systemd-analyze verify /tmp/.testfile.service rm /tmp/.testfile.service # Alias a unit file's name on disk (see #20061) cp /tmp/testfile.service /tmp/testsrvc (! systemd-analyze verify /tmp/testsrvc) systemd-analyze verify /tmp/testsrvc:alias.service # Zero exit status since the value used for comparison determine exposure to security threats is by default 100 systemd-analyze security --offline=true /tmp/testfile.service #The overall exposure level assigned to the unit is greater than the set threshold (! systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service) # Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185 systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda" rm /tmp/testfile.service cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service [Service] ExecStart = echo hello PrivateNetwork = yes PrivateDevices = yes PrivateUsers = yes EOF # The new overall exposure level assigned to the unit is less than the set thresholds # Verifies that the --offline= option works with --root= systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile.service cat <<EOF >/tmp/foo@.service [Service] ExecStart=ls EOF cat <<EOF >/tmp/hoge@test.service [Service] ExecStart=ls EOF # issue #30357 -- systemd-analyze verify tmp/hoge@test.service (! systemd-analyze verify tmp/hoge@nonexist.service) (! systemd-analyze verify tmp/hoge@.service) popd pushd /usr systemd-analyze verify ../tmp/foo@bar.service systemd-analyze verify ../tmp/foo@.service systemd-analyze verify ../tmp/hoge@test.service (! systemd-analyze verify ../tmp/hoge@nonexist.service) (! systemd-analyze verify ../tmp/hoge@.service) popd systemd-analyze verify /tmp/foo@bar.service systemd-analyze verify /tmp/foo@.service systemd-analyze verify /tmp/hoge@test.service (! systemd-analyze verify /tmp/hoge@nonexist.service) (! systemd-analyze verify /tmp/hoge@.service) # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight # assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure # level for the unit file should decrease to account for that increased weight. cat <<EOF >/tmp/testfile.json {"UserOrDynamicUser": {"description_bad": "Service runs as root user", "weight": 0, "range": 10 }, -- } EOF # Reads in custom security requirements from the parsed .json file and uses these for comparison systemd-analyze security --threshold=90 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service # The strict profile adds a lot of sanboxing options systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=strict \ --root=/tmp/img/ testfile.service # The trusted profile doesn't add any sanboxing options (! systemd-analyze security --threshold=25 --offline=true \ --security-policy=/tmp/testfile.json \ --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \ --root=/tmp/img/ testfile.service) (! systemd-analyze security --threshold=50 --offline=true \ --security-policy=/tmp/testfile.json \ --root=/tmp/img/ testfile.service) rm /tmp/img/usr/lib/systemd/system/testfile.service if systemd-analyze --version | grep -q -F "+ELFUTILS"; then systemd-analyze inspect-elf --json=short /lib/systemd/systemd | grep -q -F '"elfType":"executable"' fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-63.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-63.sh systemctl log-level debug # Test that a path unit continuously triggering a service that fails condition checks eventually fails with # the trigger-limit-hit error. rm -f /tmp/nonexistent systemctl start test63.path touch /tmp/test63 # Make sure systemd has sufficient time to hit the trigger limit for test63.path. # shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63.path -P ActiveState)" = failed; do sleep .2; done' test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P Result)" = trigger-limit-hit # Test that starting the service manually doesn't affect the path unit. rm -f /tmp/test63 systemctl reset-failed systemctl start test63.path systemctl start test63.service test "$(systemctl show test63.service -P ActiveState)" = inactive test "$(systemctl show test63.service -P Result)" = success test "$(systemctl show test63.path -P ActiveState)" = active test "$(systemctl show test63.path -P Result)" = success # Test that glob matching works too, with $TRIGGER_PATH systemctl start test63-glob.path touch /tmp/test63-glob-foo timeout 60 bash -c 'until systemctl -q is-active test63-glob.service; do sleep .2; done' test "$(systemctl show test63-glob.service -P ActiveState)" = active test "$(systemctl show test63-glob.service -P Result)" = success test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[["trigger_unit","test63-glob.path"],["trigger_path","/tmp/test63-glob-foo"]]}' systemctl stop test63-glob.path test63-glob.service test "$(busctl --json=short get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/test63_2dglob_2eservice org.freedesktop.systemd1.Unit ActivationDetails)" = '{"type":"a(ss)","data":[]}' # tests for issue https://github.com/systemd/systemd/issues/24577#issuecomment-1522628906 rm -f /tmp/hoge systemctl start test63-issue-24577.path systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_not_in "test63-issue-24577.service" "$output" assert_not_in "test63-issue-24577-dep.service" "$output" touch /tmp/hoge systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" -- systemctl list-jobs output=$(systemctl list-jobs --no-legend) assert_in "test63-issue-24577.service" "$output" assert_in "test63-issue-24577-dep.service" "$output" rm -f /tmp/hoge systemctl stop test63-issue-24577.service systemctl status -n 0 test63-issue-24577.path systemctl status -n 0 test63-issue-24577.service || : systemctl list-jobs output=$(systemctl list-jobs --no-legend) -- assert_in "test63-issue-24577-dep.service" "$output" # Test for race condition fixed by https://github.com/systemd/systemd/pull/30768 # Here's the schedule of events that we to happen during this test: # (This test) (The service) # .path unit monitors /tmp/copyme for changes # Take lock on /tmp/noexeit ↓ # Write to /tmp/copyme ↓ # Wait for deactivating Started # ↓ Copies /tmp/copyme to /tmp/copied # ↓ Tells manager it's shutting down # Ensure service did the copy Tries to lock /tmp/noexit and blocks # Write to /tmp/copyme ↓ # # Now at this point the test can diverge. If we regress, this second write is # missed and we'll see: # ... (second write) ... (blocked) # Drop lock on /tmp/noexit ↓ # Wait for service to do copy Unblocks and exits # ↓ (dead) # ↓ # (timeout) # Test fails # # Otherwise, we'll see: # ... (second write) ... (blocked) # Drop lock on /tmp/noexit ↓ and .path unit queues a new start job # Wait for service to do copy Unblocks and exits # ↓ Starts again b/c of queued job # ↓ Copies again # Test Passes systemctl start test63-pr-30768.path exec {lock}<>/tmp/noexit flock -e $lock echo test1 > /tmp/copyme # shellcheck disable=SC2016 timeout 30 bash -c 'until test "$(systemctl show test63-pr-30768.service -P ActiveState)" = deactivating; do sleep .2; done' diff /tmp/copyme /tmp/copied echo test2 > /tmp/copyme exec {lock}<&- timeout 30 bash -c 'until diff /tmp/copyme /tmp/copied >/dev/null; do sleep .2; done' systemctl log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/testsuite-54.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-54.sh # Sanity checks # # Create a dummy "full" disk (similar to /dev/full) to check out-of-space # scenarios mkdir /tmp/full mount -t tmpfs -o size=1,nr_inodes=1 tmpfs /tmp/full # verb: setup # Run this first, otherwise any encrypted credentials wouldn't be decryptable # as we regenerate the host key rm -fv /var/lib/systemd/credential.secret -- echo foo >"$CRED_DIR/insecure" echo foo | systemd-creds --name="encrypted" encrypt - "$ENC_CRED_DIR/encrypted" echo foo | systemd-creds encrypt - "$ENC_CRED_DIR/encrypted-unnamed" chmod -R 0400 "$CRED_DIR" "$ENC_CRED_DIR" chmod -R 0444 "$CRED_DIR/insecure" mkdir /tmp/empty/ systemd-creds --system systemd-creds --no-pager --help systemd-creds --version systemd-creds has-tpm2 || : -- systemd-creds list --system ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --no-legend ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=pretty | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=short | jq ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds list --json=off ENCRYPTED_CREDENTIALS_DIRECTORY="/tmp/empty/" CREDENTIALS_DIRECTORY="/tmp/empty/" systemd-creds list # verb: cat for cred in secure-or-weak insecure encrypted encrypted-unnamed; do ENCRYPTED_CREDENTIALS_DIRECTORY="$ENC_CRED_DIR" CREDENTIALS_DIRECTORY="$CRED_DIR" systemd-creds cat "$cred" done -- run_with_cred_compare "mycred:68656c6c6f0a776f726c64" "hello\nworld" --transcode=unhex cat mycred run_with_cred_compare 'mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' '{"foo":"bar","baz":[3,4]}\n' --json=short cat mycred systemd-run -p SetCredential='mycred:{ "foo" : "bar", "baz" : [ 3, 4 ] }' --wait --pipe -- systemd-creds --json=pretty cat mycred | jq # verb: encrypt/decrypt echo "According to all known laws of aviation..." >/tmp/cred.orig systemd-creds --with-key=host encrypt /tmp/cred.orig /tmp/cred.enc systemd-creds decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.{enc,dec} # --pretty cred_name="fo'''o''bar" cred_option="$(systemd-creds --pretty --name="$cred_name" encrypt /tmp/cred.orig -)" mkdir -p /run/systemd/system cat >/run/systemd/system/test-54-pretty-cred.service <<EOF [Service] Type=oneshot ${cred_option:?} ExecStart=bash -c "diff <(systemd-creds cat \"$cred_name\") /tmp/cred.orig" EOF systemctl daemon-reload systemctl start test-54-pretty-cred rm /run/systemd/system/test-54-pretty-cred.service # Credential validation: name systemd-creds --name="foo" -H encrypt /tmp/cred.orig /tmp/cred.enc (! systemd-creds decrypt /tmp/cred.enc /tmp/cred.dec) (! systemd-creds --name="bar" decrypt /tmp/cred.enc /tmp/cred.dec) systemd-creds --name="" decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.dec systemd-creds --name="foo" decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.{enc,dec} # Credential validation: time systemd-creds --not-after="+1d" encrypt /tmp/cred.orig /tmp/cred.enc (! systemd-creds --timestamp="+2d" decrypt /tmp/cred.enc /tmp/cred.dec) systemd-creds decrypt /tmp/cred.enc /tmp/cred.dec diff /tmp/cred.orig /tmp/cred.dec rm -f /tmp/cred.{enc,dec} (! unshare -m bash -exc "mount -t tmpfs tmpfs /run/credentials && systemd-creds list") (! unshare -m bash -exc "mount -t tmpfs tmpfs /run/credentials && systemd-creds --system list") (! CREDENTIALS_DIRECTORY="" systemd-creds list) (! systemd-creds --system --foo) -- (! systemd-creds decrypt /foo/bar/baz -) (! systemd-creds decrypt / -) (! systemd-creds encrypt / -) (! echo foo | systemd-creds --with-key=foo encrypt - -) (! echo {0..20} | systemd-creds decrypt - -) (! systemd-creds --not-after= encrypt /tmp/cred.orig /tmp/cred.enc) (! systemd-creds --not-after="" encrypt /tmp/cred.orig /tmp/cred.enc) (! systemd-creds --not-after="-1d" encrypt /tmp/cred.orig /tmp/cred.enc) (! systemd-creds --timestamp= encrypt /tmp/cred.orig /tmp/cred.enc) (! systemd-creds --timestamp="" encrypt /tmp/cred.orig /tmp/cred.enc) (! dd if=/dev/zero count=2M | systemd-creds --with-key=tpm2-absent encrypt - /dev/null) (! dd if=/dev/zero count=2M | systemd-creds --with-key=tpm2-absent decrypt - /dev/null) (! echo foo | systemd-creds encrypt - /tmp/full/foo) (! echo foo | systemd-creds encrypt - - | systemd-creds decrypt - /tmp/full/foo) # Verify that the creds are properly loaded and we can read them from the service's unpriv user systemd-run -p LoadCredential=passwd:/etc/passwd \ -p LoadCredential=shadow:/etc/shadow \ -p SetCredential=dog:wuff \ -p DynamicUser=1 \ --unit=test-54-unpriv.service \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' \ >/tmp/ts54-concat (cat /etc/passwd /etc/shadow && echo -n wuff) | cmp /tmp/ts54-concat rm /tmp/ts54-concat # Test that SetCredential= acts as fallback for LoadCredential= echo piff >/tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ] rm /tmp/ts54-fallback [ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ] if systemd-detect-virt -q -c ; then expected_credential=mynspawncredential expected_value=strangevalue elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then -- # Verify that creating a user via sysusers via the kernel cmdline worked grep -q ^credtestuser: /etc/passwd # Verify that writing a file via tmpfiles worked [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ] [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ] [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ] else echo "qemu_fw_cfg support missing in kernel. Sniff!" expected_credential="" -- --unit=test-54-immutable-rm.service \ --wait \ rm '${CREDENTIALS_DIRECTORY}/passwd') # Check directory-based loading mkdir -p /tmp/ts54-creds/sub echo -n a >/tmp/ts54-creds/foo echo -n b >/tmp/ts54-creds/bar echo -n c >/tmp/ts54-creds/baz echo -n d >/tmp/ts54-creds/sub/qux systemd-run -p LoadCredential=cred:/tmp/ts54-creds \ -p DynamicUser=1 \ --unit=test-54-dir.service \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/cred_foo' \ '${CREDENTIALS_DIRECTORY}/cred_bar' \ '${CREDENTIALS_DIRECTORY}/cred_baz' \ '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abcd) rm /tmp/ts54-concat rm -rf /tmp/ts54-creds # Check that globs work as expected mkdir -p /run/credstore echo -n a >/run/credstore/test.creds.first echo -n b >/run/credstore/test.creds.second -- -p DynamicUser=1 \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test.creds.first' \ '${CREDENTIALS_DIRECTORY}/test.creds.second' \ '${CREDENTIALS_DIRECTORY}/test.creds.third' >/tmp/ts54-concat cmp /tmp/ts54-concat <(echo -n abc) # Now test encrypted credentials (only supported when built with OpenSSL though) if systemctl --version | grep -q -- +OPENSSL ; then echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext echo -n $RANDOM >/tmp/test-54-plaintext systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \ --wait \ --pipe \ cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext rm /tmp/test-54-plaintext /tmp/test-54-ciphertext fi # https://github.com/systemd/systemd/issues/27275 systemd-run -p DynamicUser=yes -p 'LoadCredential=os:/etc/os-release' \ -p 'ExecStartPre=true' \ Found error in /usr/lib/systemd/tests/testdata/units/testsuite-50.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-50.sh RemainAfterExit=yes MountAPIVFS=yes PrivateTmp=yes ExecStart=/bin/sh -c ' \\ systemd-notify --ready; \\ while [ ! -f /tmp/img/usr/lib/os-release ] || ! grep -q -F MARKER /tmp/img/usr/lib/os-release; do \\ sleep 0.1; \\ done; \\ mount; \\ mount | grep -F "on /tmp/img type squashfs" | grep -q -F "nosuid"; \\ ' EOF systemctl start testservice-50d.service # Mount twice to exercise mount-beneath (on kernel 6.5+, on older kernels it will just overmount) mkdir -p /tmp/wrong/foo mksquashfs /tmp/wrong/foo /tmp/wrong.raw systemctl mount-image --mkdir testservice-50d.service /tmp/wrong.raw /tmp/img test "$(systemctl show -P SubState testservice-50d.service)" = "running" systemctl mount-image --mkdir testservice-50d.service "${image}.raw" /tmp/img root:nosuid while systemctl show -P SubState testservice-50d.service | grep -q running do sleep 0.1 done -- rm /var/lib/extensions/app-nodistro.raw mkdir -p /run/machines /run/portables /run/extensions touch /run/machines/a.raw /run/portables/b.raw /run/extensions/c.raw systemd-dissect --discover --json=short >/tmp/discover.json grep -q -F '{"name":"a","type":"raw","class":"machine","ro":false,"path":"/run/machines/a.raw"' /tmp/discover.json grep -q -F '{"name":"b","type":"raw","class":"portable","ro":false,"path":"/run/portables/b.raw"' /tmp/discover.json grep -q -F '{"name":"c","type":"raw","class":"sysext","ro":false,"path":"/run/extensions/c.raw"' /tmp/discover.json rm /tmp/discover.json /run/machines/a.raw /run/portables/b.raw /run/extensions/c.raw # Check that the /sbin/mount.ddi helper works T="/tmp/mounthelper.$RANDOM" mount -t ddi "${image}.gpt" "$T" -o ro,X-mount.mkdir,discard umount -R "$T" rmdir "$T" LOOP="$(systemd-dissect --attach --loop-ref=waldo "${image}.raw")" -- (! /etc/testscript) systemd-confext status systemd-confext unmerge rm -rf /run/confexts/ unsquashfs -no-xattrs -d /tmp/img "${image}.raw" systemd-run --unit=test-root-ephemeral \ -p RootDirectory=/tmp/img \ -p RootEphemeral=yes \ -p Type=exec \ bash -c "touch /abc && sleep infinity" test -n "$(ls -A /var/lib/systemd/ephemeral-trees)" systemctl stop test-root-ephemeral # shellcheck disable=SC2016 timeout 10 bash -c 'until test -z "$(ls -A /var/lib/systemd/ephemeral-trees)"; do sleep .5; done' test ! -f /tmp/img/abc systemd-dissect --mtree /tmp/img systemd-dissect --list /tmp/img read -r SHA256SUM1 _ < <(systemd-dissect --copy-from /tmp/img etc/os-release | sha256sum) test "$SHA256SUM1" != "" echo abc > abc systemd-dissect --copy-to /tmp/img abc /abc test -f /tmp/img/abc # Test for dissect tool support with systemd-sysext mkdir -p /run/extensions/ testkit/usr/lib/extension-release.d/ echo "ID=_any" >testkit/usr/lib/extension-release.d/extension-release.testkit echo "ARCHITECTURE=_any" >>testkit/usr/lib/extension-release.d/extension-release.testkit -- rm /var/lib/extensions/app-reload.raw # Test systemd-repart --make-ddi=: if command -v mksquashfs >/dev/null 2>&1; then openssl req -config "$OPENSSL_CONFIG" -subj="/CN=waldo" -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout /tmp/test-50-privkey.key -out /tmp/test-50-cert.crt mkdir -p /tmp/test-50-confext/etc/extension-release.d/ echo "foobar50" > /tmp/test-50-confext/etc/waldo ( grep -e '^\(ID\|VERSION_ID\)=' /etc/os-release ; echo IMAGE_ID=waldo ; echo IMAGE_VERSION=7 ) > /tmp/test-50-confext/etc/extension-release.d/extension-release.waldo mkdir -p /run/confexts SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -C -s /tmp/test-50-confext --certificate=/tmp/test-50-cert.crt --private-key=/tmp/test-50-privkey.key /run/confexts/waldo.confext.raw rm -rf /tmp/test-50-confext mkdir -p /run/verity.d cp /tmp/test-50-cert.crt /run/verity.d/ systemd-dissect --mtree /run/confexts/waldo.confext.raw systemd-confext refresh read -r X < /etc/waldo -- systemd-confext refresh (! test -f /etc/waldo ) mkdir -p /tmp/test-50-sysext/usr/lib/extension-release.d/ # Make sure the sysext is big enough to not fit in the minimum partition size of repart so we know the # Minimize= logic is working. truncate --size=50M /tmp/test-50-sysext/usr/waldo ( grep -e '^\(ID\|VERSION_ID\)=' /etc/os-release ; echo IMAGE_ID=waldo ; echo IMAGE_VERSION=7 ) > /tmp/test-50-sysext/usr/lib/extension-release.d/extension-release.waldo mkdir -p /run/extensions SYSTEMD_REPART_OVERRIDE_FSTYPE=squashfs systemd-repart -S -s /tmp/test-50-sysext --certificate=/tmp/test-50-cert.crt --private-key=/tmp/test-50-privkey.key /run/extensions/waldo.sysext.raw systemd-dissect --mtree /run/extensions/waldo.sysext.raw systemd-sysext refresh test -f /usr/waldo rm /run/verity.d/test-50-cert.crt /run/extensions/waldo.sysext.raw /tmp/test-50-cert.crt /tmp/test-50-privkey.key systemd-sysext refresh (! test -f /usr/waldo) fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-46.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-46.sh # filesystems, let's drop these fields before comparing the outputs to # avoid unexpected fails. To see the full outputs of both homectl & # userdbctl (for debugging purposes) drop the fields just before the # comparison. local USERNAME="${1:?}" homectl inspect "$USERNAME" | tee /tmp/a userdbctl user "$USERNAME" | tee /tmp/b # diff uses the grep BREs for pattern matching diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\|Usage\):' /tmp/{a,b} rm /tmp/{a,b} homectl inspect --json=pretty "$USERNAME" } wait_for_state() { -- varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"uid":2000000,"service":"io.systemd.Multiplexer"}' (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"🐱","service":"io.systemd.Multiplexer"}') (! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"i-do-not-exist","service":"io.systemd.Multiplexer"}') userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys grep "ssh-ed25519" /tmp/authorized-keys grep "ecdsa-sha2-nistp256" /tmp/authorized-keys grep "my-top-secret-key 🐱" /tmp/authorized-keys (! userdbctl ssh-authorized-keys 🐱) (! userdbctl ssh-authorized-keys dropin-user --chain) (! userdbctl ssh-authorized-keys dropin-user --chain '') (! SYSTEMD_LOG_LEVEL=debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false) Found error in /usr/lib/systemd/tests/testdata/units/testsuite-44.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-44.sh systemd-analyze log-level debug systemd-run --wait -p LogNamespace=foobar echo "hello world" journalctl --namespace=foobar --sync journalctl -o cat --namespace=foobar >/tmp/hello-world journalctl -o cat >/tmp/no-hello-world grep "^hello world$" /tmp/hello-world (! grep "^hello world$" /tmp/no-hello-world) systemd-analyze log-level info touch /testok Found error in /usr/lib/systemd/tests/testdata/units/testsuite-29.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-29.sh portablectl list | grep -q -F "No images." busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1 # portablectl also works with directory paths rather than images unsquashfs -dest /tmp/minimal_0 /usr/share/minimal_0.raw unsquashfs -dest /tmp/minimal_1 /usr/share/minimal_1.raw portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/minimal_0 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-foo.service systemctl is-active minimal-app0-bar.service && exit 1 portablectl "${ARGS[@]}" reattach --now --enable --runtime /tmp/minimal_1 minimal-app0 systemctl is-active minimal-app0.service systemctl is-active minimal-app0-bar.service systemctl is-active minimal-app0-foo.service && exit 1 portablectl list | grep -q -F "minimal_1" busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' portablectl detach --now --enable --runtime /tmp/minimal_1 minimal-app0 portablectl list | grep -q -F "No images." busctl tree org.freedesktop.portable1 --no-pager | grep -q -F '/org/freedesktop/portable1/image/minimal_5f1' && exit 1 portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_0.raw app0 -- portablectl detach --now --runtime --extension /usr/share/app0.raw /usr/share/minimal_1.raw app0 # Ensure versioned images are accepted without needing to use --force to override the extension-release # matching cp /usr/share/app0.raw /tmp/app0_1.0.raw portablectl "${ARGS[@]}" attach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service status="$(portablectl is-attached --extension app0_1 minimal_0)" [[ "${status}" == "running-runtime" ]] portablectl detach --now --runtime --extension /tmp/app0_1.0.raw /usr/share/minimal_1.raw app0 rm -f /tmp/app0_1.0.raw portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app1.raw /usr/share/minimal_0.raw app1 systemctl is-active app1.service status="$(portablectl is-attached --extension app1 minimal_0)" [[ "${status}" == "running-runtime" ]] # Ensure that adding or removing a version to the image doesn't break reattaching cp /usr/share/app1.raw /tmp/app1_2.raw portablectl "${ARGS[@]}" reattach --now --runtime --extension /tmp/app1_2.raw /usr/share/minimal_1.raw app1 systemctl is-active app1.service status="$(portablectl is-attached --extension app1_2 minimal_1)" [[ "${status}" == "running-runtime" ]] -- # after the service is attached before the file appears. grep -q -F bar "${STATE_DIRECTORY}/app0/foo" grep -q -F baz "${STATE_DIRECTORY}/app1/foo" # Ensure that we can override the check on extension-release.NAME cp /usr/share/app0.raw /tmp/app10.raw portablectl "${ARGS[@]}" attach --force --now --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service status="$(portablectl is-attached --extension /tmp/app10.raw /usr/share/minimal_0.raw)" [[ "${status}" == "running-runtime" ]] portablectl inspect --force --cat --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 | grep -q -F "Extension Release: /tmp/app10.raw" # Ensure that we can detach even when an image has been deleted already (stop the unit manually as # portablectl won't find it) rm -f /tmp/app10.raw systemctl stop app0.service portablectl detach --force --runtime --extension /tmp/app10.raw /usr/share/minimal_0.raw app0 # portablectl also accepts confexts portablectl "${ARGS[@]}" attach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 systemctl is-active app0.service -- portablectl detach --now --runtime --extension /usr/share/app0.raw --extension /usr/share/conf0.raw /usr/share/minimal_0.raw app0 # portablectl also works with directory paths rather than images mkdir /tmp/rootdir /tmp/app0 /tmp/app1 /tmp/overlay /tmp/os-release-fix /tmp/os-release-fix/etc mount /usr/share/app0.raw /tmp/app0 mount /usr/share/app1.raw /tmp/app1 mount /usr/share/minimal_0.raw /tmp/rootdir # Fix up os-release to drop the valid PORTABLE_SERVICES field (because we are # bypassing the sysext logic in portabled here it will otherwise not see the # extensions additional valid prefix) grep -v "^PORTABLE_PREFIXES=" /tmp/rootdir/etc/os-release >/tmp/os-release-fix/etc/os-release mount -t overlay overlay -o lowerdir=/tmp/os-release-fix:/tmp/app1:/tmp/rootdir /tmp/overlay grep . /tmp/overlay/usr/lib/extension-release.d/* grep . /tmp/overlay/etc/os-release portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 -- [Unit] Description=App 1 EOF systemctl daemon-reload portablectl "${ARGS[@]}" attach --force --copy=symlink --now --runtime /tmp/overlay app1 systemctl is-active app1.service portablectl detach --now --runtime overlay app1 umount /tmp/overlay portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 systemctl is-active app0.service systemctl is-active app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/rootdir/usr/lib/os-release portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/extension-release.d/extension-release.app0 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/extension-release.d/extension-release.app2 portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app1/usr/lib/systemd/system/app1.service portablectl inspect --cat --extension app0 --extension app1 rootdir app0 app1 | grep -q -f /tmp/app0/usr/lib/systemd/system/app0.service grep -q -F "LogExtraFields=PORTABLE=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_ROOT=rootdir" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app0.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app0.service.d/20-portable.conf -- grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app0" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION=app1" /run/systemd/system.attached/app1.service.d/20-portable.conf grep -q -F "LogExtraFields=PORTABLE_EXTENSION_NAME_AND_VERSION=app_1" /run/systemd/system.attached/app1.service.d/20-portable.conf portablectl detach --now --runtime --extension /tmp/app0 --extension /tmp/app1 /tmp/rootdir app0 app1 # Attempt to disable the app unit during detaching. Requires --copy=symlink to reproduce. # Provides coverage for https://github.com/systemd/systemd/issues/23481 portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # attach and detach again to check if all drop-in configs are removed even if the main unit files are removed portablectl "${ARGS[@]}" attach --copy=symlink --now --runtime /tmp/rootdir minimal-app0 portablectl detach --now --runtime --enable /tmp/rootdir minimal-app0 # The wrong file should be ignored, given the right one has the xattr set trap 'rm -rf /var/cache/wrongext' EXIT mkdir -p /var/cache/wrongext/usr/lib/extension-release.d /var/cache/wrongext/usr/lib/systemd/system/ echo "[Service]" > /var/cache/wrongext/usr/lib/systemd/system/app0.service touch /var/cache/wrongext/usr/lib/extension-release.d/extension-release.wrongext_somethingwrong.txt cp /tmp/rootdir/usr/lib/os-release /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 setfattr -n user.extension-release.strict -v "false" /var/cache/wrongext/usr/lib/extension-release.d/extension-release.app0 portablectl "${ARGS[@]}" attach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 status="$(portablectl is-attached --extension wrongext rootdir)" [[ "${status}" == "attached-runtime" ]] portablectl detach --runtime --extension /var/cache/wrongext /tmp/rootdir app0 umount /tmp/rootdir umount /tmp/app0 umount /tmp/app1 # Lack of ID field in os-release should be rejected, but it caused a crash in the past instead mkdir -p /tmp/emptyroot/usr/lib mkdir -p /tmp/emptyext/usr/lib/extension-release.d touch /tmp/emptyroot/usr/lib/os-release touch /tmp/emptyext/usr/lib/extension-release.d/extension-release.emptyext # Remote peer disconnected -> portabled crashed res="$(! portablectl attach --extension /tmp/emptyext /tmp/emptyroot 2> >(grep "Remote peer disconnected"))" test -z "${res}" touch /testok Found error in /usr/lib/systemd/tests/testdata/units/testsuite-24.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-24.sh at_exit() { set +e mountpoint -q /proc/cmdline && umount /proc/cmdline rm -f /etc/crypttab [[ -e /tmp/crypttab.bak ]] && cp -fv /tmp/crypttab.bak /etc/crypttab [[ -n "${STORE_LOOP:-}" ]] && losetup -d "$STORE_LOOP" [[ -n "${WORKDIR:-}" ]] && rm -rf "$WORKDIR" systemctl daemon-reload } -- cp "$IMAGE_DETACHED_KEYFILE2" /mnt/keyfile umount /mnt udevadm settle --timeout=30 # Prepare our test crypttab [[ -e /etc/crypttab ]] && cp -fv /etc/crypttab /tmp/crypttab.bak cat >/etc/crypttab <<EOF # headless should translate to headless=1 empty_key $IMAGE_EMPTY $IMAGE_EMPTY_KEYFILE headless,x-systemd.device-timeout=1m empty_key_erase $IMAGE_EMPTY $IMAGE_EMPTY_KEYFILE_ERASE headless=1,keyfile-erase=1 empty_key_erase_fail $IMAGE_EMPTY $IMAGE_EMPTY_KEYFILE_ERASE_FAIL headless=1,keyfile-erase=1,keyfile-offset=4 -- EOF # Temporarily drop luks.name=/luks.uuid= from the kernel command line, as it makes # systemd-cryptsetup-generator ignore mounts from /etc/crypttab that are not also # specified on the kernel command line sed -r 's/luks.(name|uuid)=[^[:space:]+]//' /proc/cmdline >/tmp/cmdline.tmp mount --bind /tmp/cmdline.tmp /proc/cmdline # Run the systemd-cryptsetup-generator once explicitly, to collect coverage, # as during daemon-reload we run generators in a sandbox mkdir -p /tmp/systemd-cryptsetup-generator.out /usr/lib/systemd/system-generators/systemd-cryptsetup-generator /tmp/systemd-cryptsetup-generator.out/ systemctl daemon-reload systemctl list-unit-files "systemd-cryptsetup@*" cryptsetup_start_and_check empty_key test -e "$IMAGE_EMPTY_KEYFILE_ERASE" Found error in /usr/lib/systemd/tests/testdata/units/testsuite-23.ExecStopPost.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-23.ExecStopPost.sh (! systemd-run --unit=exec2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=exec \ -p ExecStopPost='/bin/touch /run/exec2' sh -c 'sleep 1; false') test -f /run/exec2 cat >/tmp/forking1.sh <<EOF #!/usr/bin/env bash set -eux sleep 4 & MAINPID=\$! disown systemd-notify MAINPID=\$MAINPID EOF chmod +x /tmp/forking1.sh systemd-run --unit=forking1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \ -p ExecStopPost='/bin/touch /run/forking1' /tmp/forking1.sh test -f /run/forking1 cat >/tmp/forking2.sh <<EOF #!/usr/bin/env bash set -eux (sleep 4; exit 1) & MAINPID=\$! disown systemd-notify MAINPID=\$MAINPID EOF chmod +x /tmp/forking2.sh (! systemd-run --unit=forking2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=forking -p NotifyAccess=exec \ -p ExecStopPost='/bin/touch /run/forking2' /tmp/forking2.sh) test -f /run/forking2 systemd-run --unit=oneshot1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=oneshot \ -p ExecStopPost='/bin/touch /run/oneshot1' true test -f /run/oneshot1 -- # https://github.com/systemd/systemd/issues/19920 (! systemd-run --unit=dbus3.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=dbus \ -p ExecStopPost='/bin/touch /run/dbus3' true) cat >/tmp/notify1.sh <<EOF #!/usr/bin/env bash set -eux systemd-notify --ready EOF chmod +x /tmp/notify1.sh systemd-run --unit=notify1.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \ -p ExecStopPost='/bin/touch /run/notify1' /tmp/notify1.sh test -f /run/notify1 (! systemd-run --unit=notify2.service --wait -p StandardOutput=tty -p StandardError=tty -p Type=notify \ -p ExecStopPost='/bin/touch /run/notify2' true) test -f /run/notify2 Found error in /usr/lib/systemd/tests/testdata/units/testsuite-23-short-lived.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-23-short-lived.sh #!/usr/bin/env bash # SPDX-License-Identifier: LGPL-2.1-or-later set -ex if [ -f /tmp/testsuite-23.counter ] ; then read -r counter < /tmp/testsuite-23.counter counter=$((counter + 1)) else counter=0 fi echo "$counter" >/tmp/testsuite-23.counter if [ "$counter" -eq 5 ] ; then systemctl kill --kill-whom=main -sUSR1 testsuite-23.service fi Found error in /usr/lib/systemd/tests/testdata/units/testsuite-22.03.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-22.03.sh # # Basic tests for types creating/writing files set -eux set -o pipefail rm -fr /tmp/{f,F,w} mkdir /tmp/{f,F,w} touch /tmp/file-owned-by-root # # 'f' # systemd-tmpfiles --create - <<EOF f /tmp/f/1 0644 - - - - f /tmp/f/2 0644 - - - This string should be written EOF ### '1' should exist and be empty test -f /tmp/f/1; test ! -s /tmp/f/1 test "$(stat -c %U:%G:%a /tmp/f/1)" = "root:root:644" test "$(stat -c %U:%G:%a /tmp/f/2)" = "root:root:644" test "$(< /tmp/f/2)" = "This string should be written" ### The perms are supposed to be updated even if the file already exists. systemd-tmpfiles --create - <<EOF f /tmp/f/1 0666 daemon daemon - This string should not be written EOF # file should be empty test ! -s /tmp/f/1 test "$(stat -c %U:%G:%a /tmp/f/1)" = "daemon:daemon:666" ### But we shouldn't try to set perms on an existing file which is not a ### regular one. mkfifo /tmp/f/fifo chmod 644 /tmp/f/fifo (! systemd-tmpfiles --create -) <<EOF f /tmp/f/fifo 0666 daemon daemon - This string should not be written EOF test -p /tmp/f/fifo test "$(stat -c %U:%G:%a /tmp/f/fifo)" = "root:root:644" ### 'f' should not follow symlinks. ln -s missing /tmp/f/dangling ln -s /tmp/file-owned-by-root /tmp/f/symlink (! systemd-tmpfiles --create -) <<EOF f /tmp/f/dangling 0644 daemon daemon - - f /tmp/f/symlink 0644 daemon daemon - - EOF test ! -e /tmp/f/missing test "$(stat -c %U:%G:%a /tmp/file-owned-by-root)" = "root:root:644" ### Handle read-only filesystem gracefully: we shouldn't fail if the target ### already exists and have the correct perms. mkdir /tmp/f/rw-fs mkdir /tmp/f/ro-fs touch /tmp/f/rw-fs/foo chmod 644 /tmp/f/rw-fs/foo mount -o bind,ro /tmp/f/rw-fs /tmp/f/ro-fs systemd-tmpfiles --create - <<EOF f /tmp/f/ro-fs/foo 0644 - - - - This string should not be written EOF test -f /tmp/f/ro-fs/foo; test ! -s /tmp/f/ro-fs/foo (! systemd-tmpfiles --create -) <<EOF f /tmp/f/ro-fs/foo 0666 - - - - EOF test "$(stat -c %U:%G:%a /tmp/f/fifo)" = "root:root:644" (! systemd-tmpfiles --create -) <<EOF f /tmp/f/ro-fs/bar 0644 - - - - EOF test ! -e /tmp/f/ro-fs/bar ### 'f' shouldn't follow unsafe paths. mkdir /tmp/f/daemon ln -s /root /tmp/f/daemon/unsafe-symlink chown -R --no-dereference daemon:daemon /tmp/f/daemon (! systemd-tmpfiles --create -) <<EOF f /tmp/f/daemon/unsafe-symlink/exploit 0644 daemon daemon - - EOF test ! -e /tmp/f/daemon/unsafe-symlink/exploit # # 'F' # echo "This should be truncated" >/tmp/F/truncated echo "This should be truncated" >/tmp/F/truncated-with-content systemd-tmpfiles --create - <<EOF F /tmp/F/created 0644 - - - - F /tmp/F/created-with-content 0644 - - - new content F /tmp/F/truncated 0666 daemon daemon - - F /tmp/F/truncated-with-content 0666 daemon daemon - new content EOF test -f /tmp/F/created; test ! -s /tmp/F/created test -f /tmp/F/created-with-content test "$(< /tmp/F/created-with-content)" = "new content" test -f /tmp/F/truncated; test ! -s /tmp/F/truncated test "$(stat -c %U:%G:%a /tmp/F/truncated)" = "daemon:daemon:666" test -s /tmp/F/truncated-with-content test "$(stat -c %U:%G:%a /tmp/F/truncated-with-content)" = "daemon:daemon:666" ### We shouldn't try to truncate anything but regular files since the behavior is ### unspecified in the other cases. mkfifo /tmp/F/fifo (! systemd-tmpfiles --create -) <<EOF F /tmp/F/fifo 0644 - - - - EOF test -p /tmp/F/fifo ### 'F' should not follow symlinks. ln -s missing /tmp/F/dangling ln -s /tmp/file-owned-by-root /tmp/F/symlink (! systemd-tmpfiles --create -) <<EOF f /tmp/F/dangling 0644 daemon daemon - - f /tmp/F/symlink 0644 daemon daemon - - EOF test ! -e /tmp/F/missing test "$(stat -c %U:%G:%a /tmp/file-owned-by-root)" = "root:root:644" ### Handle read-only filesystem gracefully: we shouldn't fail if the target ### already exists and is empty. mkdir /tmp/F/rw-fs mkdir /tmp/F/ro-fs touch /tmp/F/rw-fs/foo chmod 644 /tmp/F/rw-fs/foo mount -o bind,ro /tmp/F/rw-fs /tmp/F/ro-fs systemd-tmpfiles --create - <<EOF F /tmp/F/ro-fs/foo 0644 - - - - EOF test -f /tmp/F/ro-fs/foo; test ! -s /tmp/F/ro-fs/foo echo "truncating is not allowed anymore" >/tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) <<EOF F /tmp/F/ro-fs/foo 0644 - - - - EOF (! systemd-tmpfiles --create -) <<EOF F /tmp/F/ro-fs/foo 0644 - - - - This string should not be written EOF test -f /tmp/F/ro-fs/foo grep -q 'truncating is not allowed' /tmp/F/ro-fs/foo # Trying to change the perms should fail. : >/tmp/F/rw-fs/foo (! systemd-tmpfiles --create -) <<EOF F /tmp/F/ro-fs/foo 0666 - - - - EOF test "$(stat -c %U:%G:%a /tmp/F/ro-fs/foo)" = "root:root:644" ### Try to create a new file. (! systemd-tmpfiles --create -) <<EOF F /tmp/F/ro-fs/bar 0644 - - - - EOF test ! -e /tmp/F/ro-fs/bar ### 'F' shouldn't follow unsafe paths. mkdir /tmp/F/daemon ln -s /root /tmp/F/daemon/unsafe-symlink chown -R --no-dereference daemon:daemon /tmp/F/daemon (! systemd-tmpfiles --create -) <<EOF F /tmp/F/daemon/unsafe-symlink/exploit 0644 daemon daemon - - EOF test ! -e /tmp/F/daemon/unsafe-symlink/exploit # # 'w' # touch /tmp/w/overwritten touch /tmp/w/appended ### nop if the target does not exist. systemd-tmpfiles --create - <<EOF w /tmp/w/unexistent 0644 - - - new content EOF test ! -e /tmp/w/unexistent ### no argument given -> fails. (! systemd-tmpfiles --create -) <<EOF w /tmp/w/unexistent 0644 - - - - EOF ### write into an empty file. systemd-tmpfiles --create - <<EOF w /tmp/w/overwritten 0644 - - - old content EOF test -f /tmp/w/overwritten test "$(< /tmp/w/overwritten)" = "old content" ### old content is overwritten systemd-tmpfiles --create - <<EOF w /tmp/w/overwritten 0644 - - - new content EOF test -f /tmp/w/overwritten test "$(< /tmp/w/overwritten)" = "new content" ### append lines systemd-tmpfiles --create - <<EOF w+ /tmp/w/appended 0644 - - - 1 w+ /tmp/w/appended 0644 - - - 2\n w+ /tmp/w/appended 0644 - - - 3 EOF test -f /tmp/w/appended test "$(< /tmp/w/appended)" = "$(echo -ne '12\n3')" ### writing into an 'exotic' file should be allowed. systemd-tmpfiles --create - <<EOF w /dev/null - - - - new content EOF ### 'w' follows symlinks ln -s ./overwritten /tmp/w/symlink systemd-tmpfiles --create - <<EOF w /tmp/w/symlink - - - - $(readlink -e /tmp/w/symlink) EOF readlink -e /tmp/w/symlink test "$(< /tmp/w/overwritten)" = "/tmp/w/overwritten" ### 'w' shouldn't follow unsafe paths. mkdir /tmp/w/daemon ln -s /root /tmp/w/daemon/unsafe-symlink chown -R --no-dereference daemon:daemon /tmp/w/daemon (! systemd-tmpfiles --create -) <<EOF f /tmp/w/daemon/unsafe-symlink/exploit 0644 daemon daemon - - EOF test ! -e /tmp/w/daemon/unsafe-symlink/exploit Found error in /usr/lib/systemd/tests/testdata/units/testsuite-22.02.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-22.02.sh # # Basic tests for types creating directories set -eux set -o pipefail rm -fr /tmp/{C,d,D,e} mkdir /tmp/{C,d,D,e} # # 'd' # mkdir /tmp/d/2 chmod 777 /tmp/d/2 systemd-tmpfiles --create - <<EOF d /tmp/d/1 0755 daemon daemon - - d /tmp/d/2 0755 daemon daemon - - EOF test -d /tmp/d/1 test "$(stat -c %U:%G:%a /tmp/d/1)" = "daemon:daemon:755" test -d /tmp/d/2 test "$(stat -c %U:%G:%a /tmp/d/2)" = "daemon:daemon:755" # # 'D' # mkdir /tmp/D/2 chmod 777 /tmp/D/2 touch /tmp/D/2/foo systemd-tmpfiles --create - <<EOF D /tmp/D/1 0755 daemon daemon - - D /tmp/D/2 0755 daemon daemon - - EOF test -d /tmp/D/1 test "$(stat -c %U:%G:%a /tmp/D/1)" = "daemon:daemon:755" test -d /tmp/D/2 test "$(stat -c %U:%G:%a /tmp/D/2)" = "daemon:daemon:755" systemd-tmpfiles --remove - <<EOF D /tmp/D/2 0755 daemon daemon - - EOF # the content of '2' should be removed test "$(echo /tmp/D/2/*)" = "/tmp/D/2/*" # # 'e' # mkdir -p /tmp/e/2/{d1,d2} chmod 777 /tmp/e/2 chmod 777 /tmp/e/2/d* systemd-tmpfiles --create - <<EOF e /tmp/e/1 0755 daemon daemon - - e /tmp/e/2/* 0755 daemon daemon - - EOF test ! -d /tmp/e/1 test -d /tmp/e/2 test "$(stat -c %U:%G:%a /tmp/e/2)" = "root:root:777" test -d /tmp/e/2/d1 test "$(stat -c %U:%G:%a /tmp/e/2/d1)" = "daemon:daemon:755" test -d /tmp/e/2/d2 test "$(stat -c %U:%G:%a /tmp/e/2/d2)" = "daemon:daemon:755" # 'e' operates on directories only mkdir -p /tmp/e/3/{d1,d2} chmod 777 /tmp/e/3 chmod 777 /tmp/e/3/d* touch /tmp/e/3/f1 chmod 644 /tmp/e/3/f1 systemd-tmpfiles --create - <<EOF e /tmp/e/3/* 0755 daemon daemon - - EOF # the directories should have been processed although systemd-tmpfiles failed # previously due to the presence of a file. test -d /tmp/e/3/d1 test "$(stat -c %U:%G:%a /tmp/e/3/d1)" = "daemon:daemon:755" test -d /tmp/e/3/d2 test "$(stat -c %U:%G:%a /tmp/e/3/d2)" = "daemon:daemon:755" test -f /tmp/e/3/f1 test "$(stat -c %U:%G:%a /tmp/e/3/f1)" = "root:root:644" # # 'C' # mkdir /tmp/C/{0,1,2,3}-origin touch /tmp/C/{1,2,3}-origin/f1 chmod 755 /tmp/C/{1,2,3}-origin/f1 mkdir /tmp/C/{2,3} touch /tmp/C/3/f1 systemd-tmpfiles --create - <<EOF C /tmp/C/1 0755 daemon daemon - /tmp/C/1-origin C /tmp/C/2 0755 daemon daemon - /tmp/C/2-origin EOF test -d /tmp/C/1 test "$(stat -c %U:%G:%a /tmp/C/1/f1)" = "daemon:daemon:755" test -d /tmp/C/2 test "$(stat -c %U:%G:%a /tmp/C/2/f1)" = "daemon:daemon:755" systemd-tmpfiles --create - <<EOF C /tmp/C/3 0755 daemon daemon - /tmp/C/3-origin C /tmp/C/4 0755 daemon daemon - /tmp/C/definitely-missing EOF test "$(stat -c %U:%G:%a /tmp/C/3/f1)" = "root:root:644" test ! -e /tmp/C/4 touch /tmp/C/3-origin/f{2,3,4} echo -n ABC > /tmp/C/3/f1 systemd-tmpfiles --create - <<EOF C+ /tmp/C/3 0755 daemon daemon - /tmp/C/3-origin EOF # Test that the trees got merged, even though /tmp/C/3 already exists. test -e /tmp/C/3/f1 test -e /tmp/C/3/f2 test -e /tmp/C/3/f3 test -e /tmp/C/3/f4 # Test that /tmp/C/3/f1 did not get overwritten. test "$(cat /tmp/C/3/f1)" = "ABC" # Check that %U expands to 0, both in the path and in the argument. home='/tmp/C' systemd-tmpfiles --create - <<EOF C $home/%U - - - - $home/%U-origin EOF test -d "$home/0" -- test -f "$home/5/f1" # Check that %h in the path is expanded, but # the result of this expansion is not expanded once again. root='/tmp/C/6' home='/%U' mkdir -p "$root/usr/share/factory$home" HOME="$home" \ systemd-tmpfiles --create --root="$root" - <<EOF C %h - - - - Found error in /usr/lib/systemd/tests/testdata/units/testsuite-19.ExitType-cgroup.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-19.ExitType-cgroup.sh fi systemd-analyze log-level debug # Multiple level process tree, parent process stays up cat >/tmp/test19-exit-cgroup.sh <<EOF #!/usr/bin/env bash set -eux # process tree: systemd -> sleep sleep infinity & -- (sleep 1; \$1) & # process tree: systemd -> bash -> sleep sleep infinity EOF chmod +x /tmp/test19-exit-cgroup.sh # service should be stopped cleanly systemd-run --wait \ --unit=one \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl stop one' # same thing with a truthy exec condition systemd-run --wait \ --unit=two \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=true" \ /tmp/test19-exit-cgroup.sh 'systemctl stop two' # false exec condition: systemd-run should exit immediately with status code: 1 (! systemd-run --wait \ --unit=three \ --property="Type=notify" \ --property="ExitType=cgroup" \ --property="ExecCondition=false" \ /tmp/test19-exit-cgroup.sh) # service should exit uncleanly (main process exits with SIGKILL) (! systemd-run --wait \ --unit=four \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup.sh 'systemctl kill --signal 9 four') # Multiple level process tree, parent process exits quickly cat >/tmp/test19-exit-cgroup-parentless.sh <<EOF #!/usr/bin/env bash set -eux # process tree: systemd -> sleep sleep infinity & -- systemd-notify --ready # Run the stop/kill command after this bash process exits (sleep 1; \$1) & EOF chmod +x /tmp/test19-exit-cgroup-parentless.sh # service should be stopped cleanly systemd-run --wait \ --unit=five \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl stop five' # service should still exit cleanly despite SIGKILL (the main process already exited cleanly) systemd-run --wait \ --unit=six \ --property="Type=notify" \ --property="ExitType=cgroup" \ /tmp/test19-exit-cgroup-parentless.sh 'systemctl kill --signal 9 six' systemd-analyze log-level info Found error in /usr/lib/systemd/tests/testdata/units/testsuite-15.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-15.sh testcase_symlink_dropin_directory() { # For issue #21920. echo "Testing symlink drop-in directory..." create_services test15-a rmdir /{etc,run,usr/lib}/systemd/system/test15-a.service.d mkdir -p /tmp/testsuite-15-test15-a-dropin-directory ln -s /tmp/testsuite-15-test15-a-dropin-directory /etc/systemd/system/test15-a.service.d cat >/tmp/testsuite-15-test15-a-dropin-directory/override.conf <<EOF [Unit] Description=hogehoge EOF ln -s /tmp/testsuite-15-test15-a-dropin-directory-nonexistent /run/systemd/system/test15-a.service.d touch /tmp/testsuite-15-test15-a-dropin-directory-regular ln -s /tmp/testsuite-15-test15-a-dropin-directory-regular /usr/lib/systemd/system/test15-a.service.d check_ok test15-a Description hogehoge clear_units test15-a.service } Found error in /usr/lib/systemd/tests/testdata/units/testsuite-13.nspawn.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-13.nspawn.sh trap at_exit EXIT # check cgroup-v2 IS_CGROUPSV2_SUPPORTED=no mkdir -p /tmp/cgroup2 if mount -t cgroup2 cgroup2 /tmp/cgroup2; then IS_CGROUPSV2_SUPPORTED=yes umount /tmp/cgroup2 fi rmdir /tmp/cgroup2 # check cgroup namespaces IS_CGNS_SUPPORTED=no if [[ -f /proc/1/ns/cgroup ]]; then IS_CGNS_SUPPORTED=yes -- testcase_sanity() { local template root image uuid tmpdir tmpdir="$(mktemp -d)" template="$(mktemp -d /tmp/nspawn-template.XXX)" create_dummy_container "$template" # Create a simple image from the just created container template image="$(mktemp /var/lib/machines/testsuite-13.image-XXX.img)" dd if=/dev/zero of="$image" bs=1M count=64 mkfs.ext4 "$image" -- --port=udp:53 \ --port=tcp:22:2222 \ bash -xec 'ip addr add dev host0 10.0.0.10/24; ip a; ip addr del dev host0 10.0.0.10/24' # --load-credential=, --set-credential= echo "foo bar" >/tmp/cred.path systemd-nspawn --directory="$root" \ --load-credential=cred.path:/tmp/cred.path \ --set-credential="cred.set:hello world" \ bash -xec '[[ "$(</run/host/credentials/cred.path)" == "foo bar" ]]; [[ "$(</run/host/credentials/cred.set)" == "hello world" ]]' rm -f /tmp/cred.path # Assorted tests systemd-nspawn --directory="$root" --suppress-sync=yes bash -xec 'echo hello' systemd-nspawn --capability=help systemd-nspawn --resolv-conf=help -- [[ "$(hostname)" == nspawn-settings ]] [[ -e /etc/resolv.conf ]] [[ ! -e /etc/localtime ]] mountpoint /tmp touch /tmp/foo mountpoint /opt/tmp touch /opt/tmp/foo touch /opt/inaccessible/foo && exit 1 touch /opt/also-inaccessible/foo && exit 1 mountpoint /var ip link -- # https://github.com/systemd/systemd/issues/4789 local root root="$(mktemp -d /var/lib/machines/testsuite-13.bind-tmp-path.XXX)" create_dummy_container "$root" : >/tmp/bind systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/bind \ bash -c 'test -e /tmp/bind' rm -fr "$root" /tmp/bind } testcase_norbind() { # https://github.com/systemd/systemd/issues/13170 local root root="$(mktemp -d /var/lib/machines/testsuite-13.norbind-path.XXX)" mkdir -p /tmp/binddir/subdir echo -n "outer" >/tmp/binddir/subdir/file mount -t tmpfs tmpfs /tmp/binddir/subdir echo -n "inner" >/tmp/binddir/subdir/file create_dummy_container "$root" systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/binddir:/mnt:norbind \ bash -c 'CONTENT=$(cat /mnt/subdir/file); if [[ $CONTENT != "outer" ]]; then echo "*** unexpected content: $CONTENT"; exit 1; fi' umount /tmp/binddir/subdir rm -fr "$root" /tmp/binddir/ } rootidmap_cleanup() { local dir="${1:?}" -- local root cmd permissions local owner=1000 root="$(mktemp -d /var/lib/machines/testsuite-13.rootidmap-path.XXX)" # Create ext4 image, as ext4 supports idmapped-mounts. mkdir -p /tmp/rootidmap/bind dd if=/dev/zero of=/tmp/rootidmap/ext4.img bs=4k count=2048 mkfs.ext4 /tmp/rootidmap/ext4.img mount /tmp/rootidmap/ext4.img /tmp/rootidmap/bind trap "rootidmap_cleanup /tmp/rootidmap/" RETURN touch /tmp/rootidmap/bind/file chown -R "$owner:$owner" /tmp/rootidmap/bind create_dummy_container "$root" cmd='PERMISSIONS=$(stat -c "%u:%g" /mnt/file); if [[ $PERMISSIONS != "0:0" ]]; then echo "*** wrong permissions: $PERMISSIONS"; return 1; fi; touch /mnt/other_file' if ! SYSTEMD_LOG_TARGET=console \ systemd-nspawn --register=no \ --directory="$root" \ --bind=/tmp/rootidmap/bind:/mnt:rootidmap \ bash -c "$cmd" |& tee nspawn.out; then if grep -q "Failed to map ids for bind mount.*: Function not implemented" nspawn.out; then echo "idmapped mounts are not supported, skipping the test..." return 0 fi return 1 fi permissions=$(stat -c "%u:%g" /tmp/rootidmap/bind/other_file) if [[ $permissions != "$owner:$owner" ]]; then echo "*** wrong permissions: $permissions" [[ "$IS_USERNS_SUPPORTED" == "yes" ]] && return 1 fi } -- create_dummy_container "$root" entrypoint="$root/entrypoint.sh" cat >"$entrypoint" <<\EOF #!/usr/bin/bash -ex . /tmp/os-release [[ -n "${ID:-}" && "$ID" != "$container_host_id" ]] && exit 1 [[ -n "${VERSION_ID:-}" && "$VERSION_ID" != "$container_host_version_id" ]] && exit 1 [[ -n "${BUILD_ID:-}" && "$BUILD_ID" != "$container_host_build_id" ]] && exit 1 [[ -n "${VARIANT_ID:-}" && "$VARIANT_ID" != "$container_host_variant_id" ]] && exit 1 -- echo MARKER=1 >>/etc/os-release fi systemd-nspawn --register=no \ --directory="$root" \ --bind="$os_release_source:/tmp/os-release" \ "${entrypoint##"$root"}" if grep -q MARKER /etc/os-release; then ln -svrf /usr/lib/os-release /etc/os-release fi -- rm -fr "$root" } testcase_machinectl_bind() { local service_path service_name root container_name ec local cmd='for i in $(seq 1 20); do if test -f /tmp/marker; then exit 0; fi; sleep .5; done; exit 1;' root="$(mktemp -d /var/lib/machines/testsuite-13.machinectl-bind.XXX)" create_dummy_container "$root" container_name="$(basename "$root")" -- ExecStart=systemd-nspawn --directory="$root" --notify-ready=no /usr/bin/bash -xec "$cmd" EOF systemctl daemon-reload systemctl start "$service_name" touch /tmp/marker machinectl bind --mkdir "$container_name" /tmp/marker timeout 10 bash -c "while [[ '\$(systemctl show -P SubState $service_name)' == running ]]; do sleep .2; done" ec="$(systemctl show -P ExecMainStatus "$service_name")" systemctl stop "$service_name" -- mkdir -p /run/systemd/nspawn/ rm -f "/etc/systemd/nspawn/$container_name.nspawn" cat >"/run/systemd/nspawn/$container_name.nspawn" <<EOF [Files] ${COVERAGE_BUILD_DIR:+"Bind=$COVERAGE_BUILD_DIR"} BindReadOnly=/tmp/ephemeral-config EOF touch /tmp/ephemeral-config systemd-nspawn --register=no \ --directory="$root" \ --ephemeral \ bash -x -c "test -f /tmp/ephemeral-config" systemd-nspawn --register=no \ --directory="$root" \ --ephemeral \ --machine=foobar \ bash -x -c "! test -f /tmp/ephemeral-config" rm -fr "$root" "/run/systemd/nspawn/$container_name.nspawn" } matrix_run_one() { Found error in /usr/lib/systemd/tests/testdata/units/testsuite-13.machinectl.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-13.machinectl.sh machinectl reboot long-running long-running long-running machinectl kill --signal=SIGTRAP --kill-whom=leader long-running long-running long-running # All used signals should've been caught by a handler [[ "$(machinectl show --property=State --value long-running)" == "running" ]] cp /etc/machine-id /tmp/foo machinectl copy-to long-running /tmp/foo /root/foo test -f /var/lib/machines/long-running/root/foo machinectl copy-from long-running /root/foo /tmp/bar diff /tmp/foo /tmp/bar rm -f /tmp/{foo,bar} # machinectl bind is covered by testcase_check_machinectl_bind() in nspawn tests machinectl list-images machinectl list-images --no-legend -- test -d /var/lib/machines/.hidden1 machinectl clean test ! -d /var/lib/machines/.hidden1 # Prepare a simple raw container mkdir -p /tmp/mnt dd if=/dev/zero of=/tmp/container.raw bs=1M count=64 mkfs.ext4 /tmp/container.raw mount -o loop /tmp/container.raw /tmp/mnt cp -r /var/lib/machines/container1/* /tmp/mnt umount /tmp/mnt # Try to import it, run it, export it, and re-import it machinectl import-raw /tmp/container.raw container-raw [[ "$(machinectl show-image --property=Type --value container-raw)" == "raw" ]] machinectl start container-raw machinectl export-raw container-raw /tmp/container-export.raw machinectl import-raw /tmp/container-export.raw container-raw-reimport [[ "$(machinectl show-image --property=Type --value container-raw-reimport)" == "raw" ]] rm -f /tmp/container{,-export}.raw # Prepare a simple tar.gz container tar -pczf /tmp/container.tar.gz -C /var/lib/machines/container1 . # Try to import it, run it, export it, and re-import it machinectl import-tar /tmp/container.tar.gz container-tar [[ "$(machinectl show-image --property=Type --value container-tar)" == "directory" ]] machinectl start container-tar machinectl export-tar container-tar /tmp/container-export.tar.gz machinectl import-tar /tmp/container-export.tar.gz container-tar-reimport [[ "$(machinectl show-image --property=Type --value container-tar-reimport)" == "directory" ]] rm -f /tmp/container{,-export}.tar.gz # Try to import a container directory & run it cp -r /var/lib/machines/container1 /tmp/container.dir machinectl import-fs /tmp/container.dir container-dir [[ "$(machinectl show-image --property=Type --value container-dir)" == "directory" ]] machinectl start container-dir rm -fr /tmp/container.dir timeout 10 bash -c "until machinectl clean --all; do sleep .5; done" NSPAWN_FRAGMENT="machinectl-test-$RANDOM.nspawn" cat >"/var/lib/machines/$NSPAWN_FRAGMENT" <<EOF -- machinectl cat "$NSPAWN_FRAGMENT" EDITOR=true script -qec "machinectl edit $NSPAWN_FRAGMENT" /dev/null test -f "/etc/systemd/nspawn/$NSPAWN_FRAGMENT" diff "/var/lib/machines/$NSPAWN_FRAGMENT" "/etc/systemd/nspawn/$NSPAWN_FRAGMENT" cat >/tmp/fragment.nspawn <<EOF [Exec] Boot=false EOF machinectl cat /tmp/fragment.nspawn EDITOR="cp /tmp/fragment.nspawn" script -qec "machinectl edit $NSPAWN_FRAGMENT" /dev/null diff /tmp/fragment.nspawn "/etc/systemd/nspawn/$NSPAWN_FRAGMENT" for opt in format lines machine max-addresses output setenv verify; do (! machinectl status "--$opt=" long-running) (! machinectl status "--$opt=-1" long-running) (! machinectl status "--$opt=''" long-running) Found error in /usr/lib/systemd/tests/testdata/units/testsuite-07.main-PID-change.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-07.main-PID-change.sh # Update it back to our own PID, this should also work systemd-notify --uid=1000 MAINPID="$MAINPID" test "$(systemctl show -P MainPID testsuite-07.service)" -eq "$MAINPID" cat >/tmp/test-mainpid.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- sleep infinity & disown echo $MAINPID >/run/mainpidsh/pid EOF chmod +x /tmp/test-mainpid.sh systemd-run --unit=test-mainpidsh.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh \ -p PIDFile=/run/mainpidsh/pid \ /tmp/test-mainpid.sh test "$(systemctl show -P MainPID test-mainpidsh.service)" -eq "$(cat /run/mainpidsh/pid)" cat >/tmp/test-mainpid2.sh <<\EOF #!/usr/bin/env bash set -eux set -o pipefail -- disown echo $MAINPID >/run/mainpidsh2/pid chown 1001:1001 /run/mainpidsh2/pid EOF chmod +x /tmp/test-mainpid2.sh systemd-run --unit=test-mainpidsh2.service \ -p StandardOutput=tty \ -p StandardError=tty \ -p Type=forking \ -p RuntimeDirectory=mainpidsh2 \ -p PIDFile=/run/mainpidsh2/pid \ /tmp/test-mainpid2.sh test "$(systemctl show -P MainPID test-mainpidsh2.service)" -eq "$(cat /run/mainpidsh2/pid)" cat >/dev/shm/test-mainpid3.sh <<EOF #!/usr/bin/env bash Found error in /usr/lib/systemd/tests/testdata/units/testsuite-04.journal.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-04.journal.sh # --output-fields restricts output ID="$(systemd-id128 new)" echo -ne "foo" | systemd-cat -t "$ID" --level-prefix false # Let's test varlinkctl a bit, i.e. implement the equivalent of 'journalctl --sync' via varlinkctl varlinkctl call /run/systemd/journal/io.systemd.journal io.systemd.Journal.Synchronize '{}' journalctl -b -o export --output-fields=MESSAGE,FOO --output-fields=PRIORITY,MESSAGE -t "$ID" >/tmp/output [[ $(wc -l </tmp/output) -eq 9 ]] grep -q '^__CURSOR=' /tmp/output grep -q '^MESSAGE=foo$' /tmp/output grep -q '^PRIORITY=6$' /tmp/output (! grep '^FOO=' /tmp/output) (! grep '^SYSLOG_FACILITY=' /tmp/output) # --truncate shows only first line, skip under asan due to logger ID="$(systemd-id128 new)" echo -e 'HEAD\nTAIL\nTAIL' | systemd-cat -t "$ID" journalctl --sync -- # '-b all' negates earlier use of -b (-b and -m are otherwise exclusive) journalctl -b -1 -b all -m >/dev/null # -b always behaves like -b0 journalctl -q -b-1 -b0 | head -1 >/tmp/expected journalctl -q -b-1 -b | head -1 >/tmp/output diff /tmp/expected /tmp/output # ... even when another option follows (both of these should fail due to -m) { journalctl -ball -b0 -m 2>&1 || :; } | head -1 >/tmp/expected { journalctl -ball -b -m 2>&1 || :; } | head -1 >/tmp/output diff /tmp/expected /tmp/output # https://github.com/systemd/systemd/issues/13708 ID=$(systemd-id128 new) systemd-cat -t "$ID" bash -c 'echo parent; (echo child) & wait' & PID=$! wait $PID journalctl --sync # We can drop this grep when https://github.com/systemd/systemd/issues/13937 # has a fix. journalctl -b -o export -t "$ID" --output-fields=_PID | grep '^_PID=' >/tmp/output [[ $(wc -l </tmp/output) -eq 2 ]] grep -q "^_PID=$PID" /tmp/output grep -vq "^_PID=$PID" /tmp/output # https://github.com/systemd/systemd/issues/15654 ID=$(systemd-id128 new) printf "This will\nusually fail\nand be truncated\n" >/tmp/expected systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;' journalctl --sync journalctl -b -o cat -t "$ID" >/tmp/output diff /tmp/expected /tmp/output [[ $(journalctl -b -o cat -t "$ID" --output-fields=_TRANSPORT | grep -Pc "^stdout$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_LINE_BREAK | grep -Pc "^pid-change$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=_PID | sort -u | grep -c "^.*$") -eq 3 ]] [[ $(journalctl -b -o cat -t "$ID" --output-fields=MESSAGE | grep -Pc "^(This will|usually fail|and be truncated)$") -eq 3 ]] -- systemctl start forever-print-hola sleep 3 systemctl restart systemd-journald sleep 3 systemctl stop forever-print-hola [[ ! -f "/tmp/i-lose-my-logs" ]] # https://github.com/systemd/systemd/issues/4408 rm -f /tmp/i-lose-my-logs systemctl start forever-print-hola sleep 3 systemctl kill --signal=SIGKILL systemd-journald sleep 3 [[ ! -f "/tmp/i-lose-my-logs" ]] systemctl stop forever-print-hola set +o pipefail # https://github.com/systemd/systemd/issues/15528 journalctl --follow --file=/var/log/journal/*/* | head -n1 | grep . # https://github.com/systemd/systemd/issues/24565 journalctl --follow --merge | head -n1 | grep . set -o pipefail # https://github.com/systemd/systemd/issues/26746 rm -f /tmp/issue-26746-log /tmp/issue-26746-cursor ID="$(systemd-id128 new)" journalctl -t "$ID" --follow --cursor-file=/tmp/issue-26746-cursor | tee /tmp/issue-26746-log & systemd-cat -t "$ID" /bin/sh -c 'echo hogehoge' # shellcheck disable=SC2016 timeout 10 bash -c 'until [[ -f /tmp/issue-26746-log && "$(cat /tmp/issue-26746-log)" =~ hogehoge ]]; do sleep .5; done' pkill -TERM journalctl timeout 10 bash -c 'until test -f /tmp/issue-26746-cursor; do sleep .5; done' CURSOR_FROM_FILE="$(cat /tmp/issue-26746-cursor)" CURSOR_FROM_JOURNAL="$(journalctl -t "$ID" --output=export MESSAGE=hogehoge | sed -n -e '/__CURSOR=/ { s/__CURSOR=//; p }')" test "$CURSOR_FROM_FILE" = "$CURSOR_FROM_JOURNAL" # Check that the seqnum field at least superficially works systemd-cat echo "ya" -- while read -r file; do filename="${file##*/}" unzstd "$file" -o "$JOURNAL_DIR/${filename%*.zst}" done < <(find /test-journals/no-rtc -name "*.zst") journalctl --directory="$JOURNAL_DIR" --list-boots --output=json >/tmp/lb1 diff -u /tmp/lb1 - <<'EOF' [{"index":-3,"boot_id":"5ea5fc4f82a14186b5332a788ef9435e","first_entry":1666569600994371,"last_entry":1666584266223608},{"index":-2,"boot_id":"bea6864f21ad4c9594c04a99d89948b0","first_entry":1666569601005945,"last_entry":1666584347230411},{"index":-1,"boot_id":"4c708e1fd0744336be16f3931aa861fb","first_entry":1666569601017222,"last_entry":1666584354649355},{"index":0,"boot_id":"35e8501129134edd9df5267c49f744a4","first_entry":1666569601009823,"last_entry":1666584438086856}] EOF rm -rf "$JOURNAL_DIR" /tmp/lb1 # v255-only: skip the following test case, as it suffers from systemd/systemd#30886 exit 0 # Check that using --after-cursor/--cursor-file= together with journal filters doesn't Found error in /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-remote.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-remote.sh # Generate a self-signed certificate for systemd-journal-remote # # Note: older OpenSSL requires a config file with some extra options, unfortunately # Note2: /run here is used on purpose, since the systemd-journal-remote service uses PrivateTmp=yes mkdir -p /run/systemd/journal-remote-tls cat >/tmp/openssl.conf <<EOF [ req ] prompt = no distinguished_name = req_distinguished_name [ req_distinguished_name ] -- O = Foo OU = Bar CN = localhost EOF openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \ -config /tmp/openssl.conf \ -keyout /run/systemd/journal-remote-tls/key.pem \ -out /run/systemd/journal-remote-tls/cert.pem chown -R systemd-journal-remote /run/systemd/journal-remote-tls # Configure journal-upload to upload journals to journal-remote without client certificates Found error in /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-gatewayd.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/units/testsuite-04.journal-gatewayd.sh # No idea how to properly parse this (jq won't cut it), so let's at least do some sanity checks that every # line is either empty or begins with data: curl -Lfs --header "Accept: text/event-stream" http://localhost:19531/entries | \ awk '!/^(data: \{.+\}|)$/ { exit 1; }' # Same thing as journalctl --output=export mkdir /tmp/remote-journal curl -Lfs --header "Accept: application/vnd.fdo.journal" http://localhost:19531/entries | \ /usr/lib/systemd/systemd-journal-remote --output=/tmp/remote-journal/system.journal --split-mode=none - journalctl --directory=/tmp/remote-journal -t "$TEST_TAG" --grep "$TEST_MESSAGE" rm -rf /tmp/remote-journal/* # Let's do the same thing again, but let systemd-journal-remote spawn curl itself /usr/lib/systemd/systemd-journal-remote --url=http://localhost:19531/entries \ --output=/tmp/remote-journal/system.journal \ --split-mode=none journalctl --directory=/tmp/remote-journal -t "$TEST_TAG" --grep "$TEST_MESSAGE" rm -rf /tmp/remote-journal # /machine curl -Lfs http://localhost:19531/machine | jq # /fields -- fi # Generate a self-signed certificate for systemd-journal-gatewayd # # Note: older OpenSSL requires a config file with some extra options, unfortunately cat >/tmp/openssl.conf <<EOF [ req ] prompt = no distinguished_name = req_distinguished_name [ req_distinguished_name ] -- O = Foo OU = Bar CN = localhost EOF openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 7 \ -config /tmp/openssl.conf \ -keyout /tmp/key.pem -out /tmp/cert.pem # Start HTTPS version of gatewayd via the systemd-socket-activate tool to give it some coverage as well systemd-socket-activate --listen=19531 -- \ /usr/lib/systemd/systemd-journal-gatewayd \ --cert=/tmp/cert.pem \ --key=/tmp/key.pem \ --file="/var/log/journal/*/*.journal" & GATEWAYD_PID=$! sleep 1 # Do a limited set of tests, since the underlying code should be the same past the HTTPS transport Found error in /usr/lib/systemd/tests/testdata/testsuite-80.units/test.sh: $ grep -A5 -B5 /tmp/ /usr/lib/systemd/tests/testdata/testsuite-80.units/test.sh # shellcheck disable=SC2016 set -eux set -o pipefail sync_in() { read -r x < /tmp/syncfifo2 test "$x" = "$1" } sync_out() { echo "$1" > /tmp/syncfifo1 } export SYSTEMD_LOG_LEVEL=debug echo "toplevel PID: $BASHPID"; 
udev-255.18-alt1.x86_64	sisyphus_check-check-dirlist	warn	sisyphus_check --check-dirlist failed: package contains a directory /etc/udev/rules.d that exclusively belongs to package udev-rules;