Compare commits
9 Commits
6fdd52b772
...
97f1e7566a
| Author | SHA1 | Date |
|---|---|---|
Ivan Kruglov
|
97f1e7566a | |
|
Luca Boccassi
|
c4d7a13c06 | |
|
Abderrahim Kitouni
|
0ae6f4843e | |
|
Yu Watanabe
|
1ea1a79aa1 | |
|
Luca Boccassi
|
7a9d0abe4d | |
|
Yu Watanabe
|
6046cc3660 | |
|
Ivan Kruglov
|
b1e226539e | |
|
Ivan Kruglov
|
6d077f1216 | |
|
Ivan Kruglov
|
997c1bba6b |
|
|
@ -684,6 +684,15 @@ fi</programlisting>
|
|||
<citerefentry><refentrytitle>file-hierarchy</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Notes</title>
|
||||
|
||||
<para>
|
||||
All example codes in this page are licensed under <literal>MIT No Attribution</literal>
|
||||
(SPDX-License-Identifier: MIT-0).
|
||||
</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See Also</title>
|
||||
<para><simplelist type="inline">
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
#include "fileio.h"
|
||||
#include "format-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "iovec-util.h"
|
||||
#include "macro.h"
|
||||
#include "memory-util.h"
|
||||
#include "parse-util.h"
|
||||
|
|
@ -31,8 +32,7 @@ int decrypt_pkcs11_key(
|
|||
const char *key_file, /* We either expect key_file and associated parameters to be set (for file keys) … */
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data, /* … or key_data and key_data_size (for literal keys) */
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data, /* … or literal keys via key_data */
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
@ -47,15 +47,15 @@ int decrypt_pkcs11_key(
|
|||
|
||||
assert(friendly_name);
|
||||
assert(pkcs11_uri);
|
||||
assert(key_file || key_data);
|
||||
assert(key_file || iovec_is_set(key_data));
|
||||
assert(ret_decrypted_key);
|
||||
assert(ret_decrypted_key_size);
|
||||
|
||||
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */
|
||||
|
||||
if (key_data) {
|
||||
data.encrypted_key = (void*) key_data;
|
||||
data.encrypted_key_size = key_data_size;
|
||||
if (iovec_is_set(key_data)) {
|
||||
data.encrypted_key = (void*) key_data->iov_base;
|
||||
data.encrypted_key_size = key_data->iov_len;
|
||||
|
||||
data.free_encrypted_key = false;
|
||||
} else {
|
||||
|
|
|
|||
|
|
@ -16,8 +16,7 @@ int decrypt_pkcs11_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
@ -39,8 +38,7 @@ static inline int decrypt_pkcs11_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
AskPasswordFlags askpw_flags,
|
||||
void **ret_decrypted_key,
|
||||
|
|
|
|||
|
|
@ -1471,8 +1471,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
const char *key_file,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
uint32_t flags,
|
||||
bool pass_volume_key) {
|
||||
|
|
@ -1489,7 +1488,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
assert(name);
|
||||
assert(arg_fido2_device || arg_fido2_device_auto);
|
||||
|
||||
if (arg_fido2_cid && !key_file && !key_data)
|
||||
if (arg_fido2_cid && !key_file && !iovec_is_set(key_data))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"FIDO2 mode with manual parameters selected, but no keyfile specified, refusing.");
|
||||
|
||||
|
|
@ -1513,7 +1512,7 @@ static int attach_luks_or_plain_or_bitlk_by_fido2(
|
|||
arg_fido2_rp_id,
|
||||
arg_fido2_cid, arg_fido2_cid_size,
|
||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||
key_data, key_data_size,
|
||||
key_data,
|
||||
until,
|
||||
arg_fido2_manual_flags,
|
||||
"cryptsetup.fido2-pin",
|
||||
|
|
@ -1623,8 +1622,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
struct crypt_device *cd,
|
||||
const char *name,
|
||||
const char *key_file,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
uint32_t flags,
|
||||
bool pass_volume_key) {
|
||||
|
|
@ -1635,6 +1633,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
_cleanup_(erase_and_freep) void *decrypted_key = NULL;
|
||||
_cleanup_(sd_event_unrefp) sd_event *event = NULL;
|
||||
_cleanup_free_ void *discovered_key = NULL;
|
||||
struct iovec discovered_key_data = {};
|
||||
int keyslot = arg_key_slot, r;
|
||||
const char *uri = NULL;
|
||||
bool use_libcryptsetup_plugin = use_token_plugins();
|
||||
|
|
@ -1653,13 +1652,13 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
return r;
|
||||
|
||||
uri = discovered_uri;
|
||||
key_data = discovered_key;
|
||||
key_data_size = discovered_key_size;
|
||||
discovered_key_data = IOVEC_MAKE(discovered_key, discovered_key_size);
|
||||
key_data = &discovered_key_data;
|
||||
}
|
||||
} else {
|
||||
uri = arg_pkcs11_uri;
|
||||
|
||||
if (!key_file && !key_data)
|
||||
if (!key_file && !iovec_is_set(key_data))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "PKCS#11 mode selected but no key file specified, refusing.");
|
||||
}
|
||||
|
||||
|
|
@ -1682,7 +1681,7 @@ static int attach_luks_or_plain_or_bitlk_by_pkcs11(
|
|||
friendly,
|
||||
uri,
|
||||
key_file, arg_keyfile_size, arg_keyfile_offset,
|
||||
key_data, key_data_size,
|
||||
key_data,
|
||||
until,
|
||||
arg_ask_password_flags,
|
||||
&decrypted_key, &decrypted_key_size);
|
||||
|
|
@ -2231,9 +2230,9 @@ static int attach_luks_or_plain_or_bitlk(
|
|||
if (token_type == TOKEN_TPM2)
|
||||
return attach_luks_or_plain_or_bitlk_by_tpm2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (token_type == TOKEN_FIDO2)
|
||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||
return attach_luks_or_plain_or_bitlk_by_fido2(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (token_type == TOKEN_PKCS11)
|
||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data->iov_base, key_data->iov_len, until, flags, pass_volume_key);
|
||||
return attach_luks_or_plain_or_bitlk_by_pkcs11(cd, name, key_file, key_data, until, flags, pass_volume_key);
|
||||
if (key_data)
|
||||
return attach_luks_or_plain_or_bitlk_by_key_data(cd, name, key_data, flags, pass_volume_key);
|
||||
if (key_file)
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@
|
|||
#include "sd-varlink.h"
|
||||
|
||||
#include "bus-polkit.h"
|
||||
#include "copy.h"
|
||||
#include "fd-util.h"
|
||||
#include "hostname-util.h"
|
||||
#include "json-util.h"
|
||||
|
|
@ -570,3 +571,191 @@ int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
|
|||
|
||||
return sd_varlink_reply(link, v);
|
||||
}
|
||||
|
||||
typedef struct MachineCopyParameters {
|
||||
const char *name;
|
||||
PidRef pidref;
|
||||
char *src, *dest;
|
||||
bool replace;
|
||||
} MachineCopyParameters;
|
||||
|
||||
static void machine_copy_paramaters_done(MachineCopyParameters *p) {
|
||||
assert(p);
|
||||
|
||||
pidref_done(&p->pidref);
|
||||
free(p->src);
|
||||
free(p->dest);
|
||||
}
|
||||
|
||||
static int copy_done(Operation *operation, int ret, sd_bus_error *error) {
|
||||
assert(operation);
|
||||
assert(operation->link);
|
||||
|
||||
// TODO(ikruglov): maybe just leaving a plain errno in response?
|
||||
if (ret == -EPERM || ret == -EACCES)
|
||||
return sd_varlink_error(operation->link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
|
||||
if (ERRNO_IS_NEG_NOT_SUPPORTED(ret))
|
||||
return sd_varlink_error(operation->link, "io.systemd.Machine.NotSupported", NULL);
|
||||
if (ret == -ENOENT)
|
||||
return sd_varlink_error(operation->link, "io.systemd.Machine.NoSuchFile", NULL);
|
||||
if (ret == -EEXIST)
|
||||
return sd_varlink_error(operation->link, "io.systemd.Machine.FileExists", NULL);
|
||||
if (ret < 0)
|
||||
return sd_varlink_error_errno(operation->link, ret);
|
||||
|
||||
return sd_varlink_reply(operation->link, NULL);
|
||||
}
|
||||
|
||||
int vl_method_copy_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata, bool copy_from) {
|
||||
static const sd_json_dispatch_field dispatch_table[] = {
|
||||
VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineCopyParameters),
|
||||
{ "source", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineCopyParameters, src), SD_JSON_MANDATORY },
|
||||
{ "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineCopyParameters, dest), 0 },
|
||||
{ "replace", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineCopyParameters, replace), 0 },
|
||||
VARLINK_DISPATCH_POLKIT_FIELD,
|
||||
{}
|
||||
};
|
||||
|
||||
Manager *manager = ASSERT_PTR(userdata);
|
||||
_cleanup_close_ int hostfd = -EBADF, mntns_fd = -EBADF;
|
||||
_cleanup_close_pair_ int errno_pipe_fd[2] = EBADF_PAIR;
|
||||
_cleanup_(machine_copy_paramaters_done) MachineCopyParameters p = { .pidref = PIDREF_NULL };
|
||||
_cleanup_free_ char *host_basename = NULL, *container_basename = NULL;
|
||||
CopyFlags copy_flags = COPY_REFLINK|COPY_MERGE|COPY_HARDLINKS;
|
||||
uid_t uid_shift;
|
||||
pid_t child;
|
||||
int r;
|
||||
|
||||
assert(link);
|
||||
assert(parameters);
|
||||
|
||||
if (manager->n_operations >= OPERATIONS_MAX)
|
||||
return sd_varlink_error(link, "io.systemd.MachineImage.TooManyOperations", NULL);
|
||||
|
||||
r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
|
||||
if (r != 0)
|
||||
return r;
|
||||
|
||||
/* There is no need for extra validation since path_is_absolute() does path_is_valid() and path_is_absolute().*/
|
||||
const char *dest = p.dest ?: p.src;
|
||||
const char *container_path = copy_from ? p.src : dest;
|
||||
const char *host_path = copy_from ? dest : p.src;
|
||||
copy_flags |= p.replace ? COPY_REPLACE : 0;
|
||||
|
||||
Machine *machine;
|
||||
r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
|
||||
if (r == -ESRCH)
|
||||
return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
|
||||
if (r != 0)
|
||||
return r;
|
||||
|
||||
if (machine->class != MACHINE_CONTAINER)
|
||||
return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
|
||||
|
||||
r = varlink_verify_polkit_async(
|
||||
link,
|
||||
manager->bus,
|
||||
"org.freedesktop.machine1.manage-machines",
|
||||
(const char**) STRV_MAKE("name", machine->name,
|
||||
"verb", "copy",
|
||||
"src", p.src,
|
||||
"dest", dest),
|
||||
&manager->polkit_registry);
|
||||
if (r <= 0)
|
||||
return r;
|
||||
|
||||
r = path_extract_filename(host_path, &host_basename);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to extract file name of '%s' path: %m", host_path);
|
||||
|
||||
r = path_extract_filename(container_path, &container_basename);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to extract file name of '%s' path: %m", container_path);
|
||||
|
||||
hostfd = open_parent(host_path, O_CLOEXEC, 0);
|
||||
if (hostfd < 0)
|
||||
return log_debug_errno(hostfd, "Failed to open host directory %s: %m", host_path);
|
||||
|
||||
r = machine_get_uid_shift(machine, &uid_shift);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to get machine UID shift: %m");
|
||||
|
||||
r = pidref_namespace_open(&machine->leader,
|
||||
/* ret_pidns_fd = */ NULL,
|
||||
&mntns_fd,
|
||||
/* ret_netns_fd = */ NULL,
|
||||
/* ret_userns_fd = */ NULL,
|
||||
/* ret_root_fd = */ NULL);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to open namespace: %m");
|
||||
|
||||
if (pipe2(errno_pipe_fd, O_CLOEXEC|O_NONBLOCK) < 0)
|
||||
return log_debug_errno(errno, "Failed to create pipe: %m");
|
||||
|
||||
r = namespace_fork("(sd-copyns)",
|
||||
"(sd-copy)",
|
||||
/* except_fds = */ NULL,
|
||||
/* n_except_fds = */ 0,
|
||||
FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL,
|
||||
/* pidns_fd = */ -1,
|
||||
mntns_fd,
|
||||
/* netns_fd = */ -1,
|
||||
/* userns_fd = */ -1,
|
||||
/* root_fd = */ -1,
|
||||
&child);
|
||||
if (r < 0)
|
||||
return log_debug_errno(r, "Failed to fork(): %m");
|
||||
if (r == 0) {
|
||||
errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
|
||||
|
||||
_cleanup_close_ int containerfd = -EBADF;
|
||||
containerfd = open_parent(container_path, O_CLOEXEC, 0);
|
||||
if (containerfd < 0) {
|
||||
log_error_errno(containerfd, "Failed to open destination directory: %m");
|
||||
report_errno_and_exit(errno_pipe_fd[1], containerfd);
|
||||
}
|
||||
|
||||
/* Run the actual copy operation. Note that when a UID shift is set we'll either clamp the UID/GID to */
|
||||
/* 0 or to the actual UID shift depending on the direction we copy. If no UID shift is set we'll copy */
|
||||
/* the UID/GIDs as they are. */
|
||||
r = copy_from ? copy_tree_at(
|
||||
containerfd,
|
||||
container_basename,
|
||||
hostfd,
|
||||
host_basename,
|
||||
uid_shift == 0 ? UID_INVALID : 0,
|
||||
uid_shift == 0 ? GID_INVALID : 0,
|
||||
copy_flags,
|
||||
/* denylist = */ NULL,
|
||||
/* subvolumes = */ NULL)
|
||||
: copy_tree_at(
|
||||
hostfd,
|
||||
host_basename,
|
||||
containerfd,
|
||||
container_basename,
|
||||
uid_shift == 0 ? UID_INVALID : uid_shift,
|
||||
uid_shift == 0 ? GID_INVALID : uid_shift,
|
||||
copy_flags,
|
||||
/* denylist = */ NULL,
|
||||
/* subvolumes = */ NULL);
|
||||
|
||||
if (r < 0)
|
||||
log_error_errno(r, "Failed to copy tree: %m");
|
||||
|
||||
report_errno_and_exit(errno_pipe_fd[1], r);
|
||||
}
|
||||
|
||||
errno_pipe_fd[1] = safe_close(errno_pipe_fd[1]);
|
||||
|
||||
Operation *operation;
|
||||
r = operation_new_with_varlink_reply(manager, machine, child, link, errno_pipe_fd[0], &operation);
|
||||
if (r < 0) {
|
||||
sigkill_wait(child);
|
||||
return r;
|
||||
}
|
||||
|
||||
operation->done = copy_done;
|
||||
|
||||
TAKE_FD(errno_pipe_fd[0]);
|
||||
return 1;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,3 +25,4 @@ int vl_method_unregister_internal(sd_varlink *link, sd_json_variant *parameters,
|
|||
int vl_method_terminate_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
|
||||
int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
|
||||
int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
|
||||
int vl_method_copy_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata, bool copy_from);
|
||||
|
|
|
|||
|
|
@ -590,6 +590,13 @@ static int vl_method_terminate(sd_varlink *link, sd_json_variant *parameters, sd
|
|||
return lookup_machine_and_call_method(link, parameters, flags, userdata, vl_method_terminate_internal);
|
||||
}
|
||||
|
||||
static int vl_method_copy_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
|
||||
return vl_method_copy_internal(link, parameters, flags, userdata, /* copy_from = */ true);
|
||||
}
|
||||
static int vl_method_copy_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
|
||||
return vl_method_copy_internal(link, parameters, flags, userdata, /* copy_from = */ false);
|
||||
}
|
||||
|
||||
static int list_image_one_and_maybe_read_metadata(sd_varlink *link, Image *image, bool more, AcquireMetadata am) {
|
||||
int r;
|
||||
|
||||
|
|
@ -774,6 +781,8 @@ static int manager_varlink_init_machine(Manager *m) {
|
|||
"io.systemd.Machine.Terminate", vl_method_terminate,
|
||||
"io.systemd.Machine.Kill", vl_method_kill,
|
||||
"io.systemd.Machine.Open", vl_method_open,
|
||||
"io.systemd.Machine.CopyFrom", vl_method_copy_from,
|
||||
"io.systemd.Machine.CopyTo", vl_method_copy_to,
|
||||
"io.systemd.MachineImage.List", vl_method_list_images,
|
||||
"io.systemd.MachineImage.Update", vl_method_update_image,
|
||||
"io.systemd.MachineImage.Clone", vl_method_clone_image,
|
||||
|
|
|
|||
|
|
@ -46,10 +46,13 @@ static int operation_done(sd_event_source *s, const siginfo_t *si, void *userdat
|
|||
if (r < 0)
|
||||
log_debug_errno(r, "Operation failed: %m");
|
||||
|
||||
/* If a completion routine (o->done) is set for this operation, call it. It sends a response, but can return an error in which case it expect us to reply.
|
||||
* Otherwise, the default action is to simply return an error on failure or an empty success message on success. */
|
||||
|
||||
if (o->message) {
|
||||
/* If a completion routine (o->done) is set for this operation,
|
||||
* call it. It sends a response, but can return an error in
|
||||
* which case it expect us to reply. Otherwise, the default
|
||||
* action is to simply return an error on failure or an empty
|
||||
* success message on success. */
|
||||
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
if (o->done)
|
||||
r = o->done(o, r, &error);
|
||||
|
|
@ -68,13 +71,13 @@ static int operation_done(sd_event_source *s, const siginfo_t *si, void *userdat
|
|||
log_error_errno(r, "Failed to reply to dbus message: %m");
|
||||
}
|
||||
} else if (o->link) {
|
||||
/* If a completion routine (o->done) is set for this operation,
|
||||
* then it's completely response for sending a response */
|
||||
if (o->done)
|
||||
r = o->done(o, r, /* error = */ NULL);
|
||||
|
||||
if (r < 0)
|
||||
(void) o->done(o, r, /* error = */ NULL);
|
||||
else if (r < 0)
|
||||
(void) sd_varlink_error_errno(o->link, r);
|
||||
else if (!o->done)
|
||||
/* when o->done set it's responsible for sending reply in a happy-path case */
|
||||
else
|
||||
(void) sd_varlink_reply(o->link, NULL);
|
||||
} else
|
||||
assert_not_reached();
|
||||
|
|
|
|||
|
|
@ -24,8 +24,7 @@ int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
@ -45,10 +44,10 @@ int acquire_fido2_key(
|
|||
"Local verification is required to unlock this volume, but the 'headless' parameter was set.");
|
||||
|
||||
assert(cid);
|
||||
assert(key_file || key_data);
|
||||
assert(key_file || iovec_is_set(key_data));
|
||||
|
||||
if (key_data)
|
||||
salt = IOVEC_MAKE(key_data, key_data_size);
|
||||
if (iovec_is_set(key_data))
|
||||
salt = *key_data;
|
||||
else {
|
||||
if (key_file_size > 0)
|
||||
log_debug("Ignoring 'keyfile-size=' option for a FIDO2 salt file.");
|
||||
|
|
@ -252,7 +251,7 @@ int acquire_fido2_key_auto(
|
|||
/* key_file= */ NULL, /* salt is read from LUKS header instead of key_file */
|
||||
/* key_file_size= */ 0,
|
||||
/* key_file_offset= */ 0,
|
||||
salt, salt_size,
|
||||
&IOVEC_MAKE(salt, salt_size),
|
||||
until,
|
||||
required,
|
||||
"cryptsetup.fido2-pin",
|
||||
|
|
|
|||
|
|
@ -20,8 +20,7 @@ int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
@ -52,8 +51,7 @@ static inline int acquire_fido2_key(
|
|||
const char *key_file,
|
||||
size_t key_file_size,
|
||||
uint64_t key_file_offset,
|
||||
const void *key_data,
|
||||
size_t key_data_size,
|
||||
const struct iovec *key_data,
|
||||
usec_t until,
|
||||
Fido2EnrollFlags required,
|
||||
const char *askpw_credential,
|
||||
|
|
|
|||
|
|
@ -121,9 +121,30 @@ static SD_VARLINK_DEFINE_METHOD(
|
|||
SD_VARLINK_DEFINE_OUTPUT(ptyFileDescriptor, SD_VARLINK_INT, 0),
|
||||
SD_VARLINK_FIELD_COMMENT("Path to the allocated pseudo TTY"),
|
||||
SD_VARLINK_DEFINE_OUTPUT(ptyPath, SD_VARLINK_STRING, 0));
|
||||
static SD_VARLINK_DEFINE_METHOD(
|
||||
CopyFrom,
|
||||
VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
|
||||
SD_VARLINK_FIELD_COMMENT("A source directory in the container"),
|
||||
SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
|
||||
SD_VARLINK_FIELD_COMMENT("A destination directory in the container. If null, it's equal to 'source'"),
|
||||
SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("If true the destination will be replaced"),
|
||||
SD_VARLINK_DEFINE_INPUT(replace, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
|
||||
|
||||
static SD_VARLINK_DEFINE_METHOD(
|
||||
CopyTo,
|
||||
VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
|
||||
SD_VARLINK_FIELD_COMMENT("A source directory on the host"),
|
||||
SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
|
||||
SD_VARLINK_FIELD_COMMENT("A destination directory in the container. If null, it's equal to 'source'"),
|
||||
SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("If true the destination will be replaced"),
|
||||
SD_VARLINK_DEFINE_INPUT(replace, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
|
||||
|
||||
static SD_VARLINK_DEFINE_ERROR(NoSuchMachine);
|
||||
static SD_VARLINK_DEFINE_ERROR(MachineExists);
|
||||
static SD_VARLINK_DEFINE_ERROR(NoSuchFile);
|
||||
static SD_VARLINK_DEFINE_ERROR(FileExists);
|
||||
static SD_VARLINK_DEFINE_ERROR(NoPrivateNetworking);
|
||||
static SD_VARLINK_DEFINE_ERROR(NoOSReleaseInformation);
|
||||
static SD_VARLINK_DEFINE_ERROR(NoUIDShift);
|
||||
|
|
@ -154,9 +175,17 @@ SD_VARLINK_DEFINE_INTERFACE(
|
|||
&vl_type_MachineOpenMode,
|
||||
SD_VARLINK_SYMBOL_COMMENT("Allocates a pseudo TTY in the container in various modes"),
|
||||
&vl_method_Open,
|
||||
SD_VARLINK_SYMBOL_COMMENT("Copy files or directories from a container into the host"),
|
||||
&vl_method_CopyFrom,
|
||||
SD_VARLINK_SYMBOL_COMMENT("Copy files or directories from the host into a container"),
|
||||
&vl_method_CopyTo,
|
||||
SD_VARLINK_SYMBOL_COMMENT("No matching machine currently running"),
|
||||
&vl_error_NoSuchMachine,
|
||||
&vl_error_MachineExists,
|
||||
SD_VARLINK_SYMBOL_COMMENT("No such file"),
|
||||
&vl_error_NoSuchFile,
|
||||
SD_VARLINK_SYMBOL_COMMENT("File exists"),
|
||||
&vl_error_FileExists,
|
||||
SD_VARLINK_SYMBOL_COMMENT("Machine does not use private networking"),
|
||||
&vl_error_NoPrivateNetworking,
|
||||
SD_VARLINK_SYMBOL_COMMENT("Machine does not contain OS release information"),
|
||||
|
|
|
|||
|
|
@ -1414,7 +1414,7 @@ static int verb_enable(int argc, char **argv, void *userdata) {
|
|||
"SetFeatureEnabled",
|
||||
&error,
|
||||
/* reply= */ NULL,
|
||||
"sbt",
|
||||
"sit",
|
||||
*feature,
|
||||
(int) enable,
|
||||
UINT64_C(0));
|
||||
|
|
|
|||
|
|
@ -252,7 +252,7 @@ done
|
|||
|
||||
####################
|
||||
# varlinkctl tests #
|
||||
# ##################
|
||||
####################
|
||||
|
||||
long_running_machine_start
|
||||
|
||||
|
|
@ -352,12 +352,7 @@ TS="$(date '+%H:%M:%S')"
|
|||
(! varlinkctl --more call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"acquireMetadata": "yes"}')
|
||||
journalctl --sync
|
||||
(! journalctl -u systemd-machined.service --since="$TS" --grep 'Connection busy')
|
||||
# terminate machines
|
||||
machinectl terminate container-without-os-release
|
||||
machinectl terminate long-running
|
||||
# wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
|
||||
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
|
||||
|
||||
(ip addr show lo | grep -q 192.168.1.100) || ip address add 192.168.1.100/24 dev lo
|
||||
(! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"name": ".host"}' | grep 'addresses')
|
||||
|
|
@ -386,6 +381,30 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open
|
|||
timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
|
||||
grep -q "BAR" /tmp/none-existent-file
|
||||
|
||||
# test io.systemd.Machine.CopyTo
|
||||
long_running_machine_start
|
||||
rm -f /tmp/foo /var/lib/machines/long-running/root/foo
|
||||
cp /etc/machine-id /tmp/foo
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo"}'
|
||||
diff /tmp/foo /var/lib/machines/long-running/root/foo
|
||||
(! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo"}')
|
||||
|
||||
echo "sample-test-output" > /tmp/foo
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo", "replace": true}'
|
||||
diff /tmp/foo /var/lib/machines/long-running/root/foo
|
||||
rm -f /tmp/foo /var/lib/machines/long-running/root/foo
|
||||
|
||||
# test io.systemd.Machine.CopyFrom
|
||||
cp /etc/machine-id /var/lib/machines/long-running/foo
|
||||
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyFrom '{"name": "long-running", "source": "/foo"}'
|
||||
diff /var/lib/machines/long-running/foo /foo
|
||||
rm -f /var/lib/machines/long-running/root/foo /foo
|
||||
|
||||
# Terminating machine, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
|
||||
machinectl terminate long-running
|
||||
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
|
||||
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
|
||||
|
||||
# test io.systemd.MachineImage.List
|
||||
varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep 'long-running'
|
||||
varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep '.host'
|
||||
|
|
|
|||
Loading…
Reference in New Issue