Compare commits

...

12 Commits

Author SHA1 Message Date
Ivan Kruglov 0ad920765d
Merge b1e226539e into d209e197f8 2024-11-22 16:06:05 +01:00
Lennart Poettering d209e197f8
userdbctl: two trivial fixlets (#35296)
Fixes: #35294
2024-11-22 16:06:01 +01:00
Antonio Alvarez Feijoo 9ed090230e tpm2-util: fix parameter name 2024-11-22 16:04:16 +01:00
Luca Boccassi 9bf6ffe166
man: split cryptenroll man page into sections (#35297) 2024-11-22 12:01:07 +00:00
Lennart Poettering 47c5ca237b userdbctl: respect selected disposition also when showing gid boundaries
Follow-up for: ad5de3222f
2024-11-22 11:28:30 +01:00
Lennart Poettering 7f8a4f12df userdbctl: fix counting
Fixes: #35294
2024-11-22 11:28:28 +01:00
Lennart Poettering e412fc5e04 userbdctl: show 'mapped' user range only inside of userns
Outside of userns the concept makes no sense, there cannot be users
mapped from further outside.
2024-11-22 11:28:17 +01:00
Lennart Poettering cc6baba720 cryptenroll: it's called PKCS#11, not PKCS11
In the --help text we really should use the official spelling, just like
in the man page.
2024-11-22 10:42:37 +01:00
Lennart Poettering 3ae48d071c man: add enrollment type sections to cryptenroll man page
We have the same sections in the --help text, hence we even more so
should have them in the man page.
2024-11-22 10:42:37 +01:00
Ivan Kruglov b1e226539e machine: tests for io.systemd.Machine.{CopyFrom, CopyTo} methods 2024-11-20 10:38:59 +01:00
Ivan Kruglov 6d077f1216 machine: introduce io.system.Machine.{CopyFrom, CopyTo} methods 2024-11-20 10:38:59 +01:00
Ivan Kruglov 997c1bba6b machine: adjust operation callback logic for varlink
This is to simplyfy varlink callback. There is no use of this logic atm.
So, no harm.
2024-11-20 10:38:59 +01:00
10 changed files with 355 additions and 43 deletions

View File

@ -265,32 +265,11 @@
</refsect1>
<refsect1>
<title>Options</title>
<title>Unlocking</title>
<para>The following options are understood:</para>
<para>The following options are understood that may be used to unlock the device in preparation of the enrollment operations:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--unlock-key-file=<replaceable>PATH</replaceable></option></term>
@ -328,7 +307,45 @@
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Simple Enrollment</title>
<para>The following options are understood that may be used to enroll simple user input based
unlocking:</para>
<variablelist>
<varlistentry>
<term><option>--password</option></term>
<listitem><para>Enroll a regular password/passphrase. This command is mostly equivalent to
<command>cryptsetup luksAddKey</command>, however may be combined with
<option>--wipe-slot=</option> in one call, see below.</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
<varlistentry>
<term><option>--recovery-key</option></term>
<listitem><para>Enroll a recovery key. Recovery keys are mostly identical to passphrases, but are
computer-generated instead of being chosen by a human, and thus have a guaranteed high entropy. The
key uses a character set that is easy to type in, and may be scanned off screen via a QR code.
</para>
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>PKCS#11 Enrollment</title>
<para>The following option is understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry>
<term><option>--pkcs11-token-uri=<replaceable>URI</replaceable></option></term>
@ -361,7 +378,15 @@
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FIDO2 Enrollment</title>
<para>The following options are understood that may be used to enroll PKCS#11 tokens:</para>
<variablelist>
<varlistentry>
<term><option>--fido2-credential-algorithm=<replaceable>STRING</replaceable></option></term>
<listitem><para>Specify COSE algorithm used in credential generation. The default value is
@ -461,7 +486,15 @@
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>TPM2 Enrollment</title>
<para>The following options are understood that may be used to enroll TPM2 devices:</para>
<variablelist>
<varlistentry>
<term><option>--tpm2-device=<replaceable>PATH</replaceable></option></term>
@ -636,7 +669,15 @@
<xi:include href="version-info.xml" xpointer="v255"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Other Options</title>
<para>The following additional options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--wipe-slot=<replaceable>SLOT<optional>,SLOT...</optional></replaceable></option></term>

View File

@ -193,7 +193,7 @@ static int help(void) {
"\n%3$sSimple Enrollment:%4$s\n"
" --password Enroll a user-supplied password\n"
" --recovery-key Enroll a recovery key\n"
"\n%3$sPKCS11 Enrollment:%4$s\n"
"\n%3$sPKCS#11 Enrollment:%4$s\n"
" --pkcs11-token-uri=URI\n"
" Specify PKCS#11 security token URI\n"
"\n%3$sFIDO2 Enrollment:%4$s\n"

View File

@ -7,6 +7,7 @@
#include "sd-varlink.h"
#include "bus-polkit.h"
#include "copy.h"
#include "fd-util.h"
#include "hostname-util.h"
#include "json-util.h"
@ -570,3 +571,191 @@ int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_met
return sd_varlink_reply(link, v);
}
typedef struct MachineCopyParameters {
const char *name;
PidRef pidref;
char *src, *dest;
bool replace;
} MachineCopyParameters;
static void machine_copy_paramaters_done(MachineCopyParameters *p) {
assert(p);
pidref_done(&p->pidref);
free(p->src);
free(p->dest);
}
static int copy_done(Operation *operation, int ret, sd_bus_error *error) {
assert(operation);
assert(operation->link);
// TODO(ikruglov): maybe just leaving a plain errno in response?
if (ret == -EPERM || ret == -EACCES)
return sd_varlink_error(operation->link, SD_VARLINK_ERROR_PERMISSION_DENIED, NULL);
if (ERRNO_IS_NEG_NOT_SUPPORTED(ret))
return sd_varlink_error(operation->link, "io.systemd.Machine.NotSupported", NULL);
if (ret == -ENOENT)
return sd_varlink_error(operation->link, "io.systemd.Machine.NoSuchFile", NULL);
if (ret == -EEXIST)
return sd_varlink_error(operation->link, "io.systemd.Machine.FileExists", NULL);
if (ret < 0)
return sd_varlink_error_errno(operation->link, ret);
return sd_varlink_reply(operation->link, NULL);
}
int vl_method_copy_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata, bool copy_from) {
static const sd_json_dispatch_field dispatch_table[] = {
VARLINK_DISPATCH_MACHINE_LOOKUP_FIELDS(MachineCopyParameters),
{ "source", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineCopyParameters, src), SD_JSON_MANDATORY },
{ "destination", SD_JSON_VARIANT_STRING, json_dispatch_path, offsetof(MachineCopyParameters, dest), 0 },
{ "replace", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_stdbool, offsetof(MachineCopyParameters, replace), 0 },
VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
Manager *manager = ASSERT_PTR(userdata);
_cleanup_close_ int hostfd = -EBADF, mntns_fd = -EBADF;
_cleanup_close_pair_ int errno_pipe_fd[2] = EBADF_PAIR;
_cleanup_(machine_copy_paramaters_done) MachineCopyParameters p = { .pidref = PIDREF_NULL };
_cleanup_free_ char *host_basename = NULL, *container_basename = NULL;
CopyFlags copy_flags = COPY_REFLINK|COPY_MERGE|COPY_HARDLINKS;
uid_t uid_shift;
pid_t child;
int r;
assert(link);
assert(parameters);
if (manager->n_operations >= OPERATIONS_MAX)
return sd_varlink_error(link, "io.systemd.MachineImage.TooManyOperations", NULL);
r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
if (r != 0)
return r;
/* There is no need for extra validation since path_is_absolute() does path_is_valid() and path_is_absolute().*/
const char *dest = p.dest ?: p.src;
const char *container_path = copy_from ? p.src : dest;
const char *host_path = copy_from ? dest : p.src;
copy_flags |= p.replace ? COPY_REPLACE : 0;
Machine *machine;
r = lookup_machine_by_name_or_pidref(link, manager, p.name, &p.pidref, &machine);
if (r == -ESRCH)
return sd_varlink_error(link, "io.systemd.Machine.NoSuchMachine", NULL);
if (r != 0)
return r;
if (machine->class != MACHINE_CONTAINER)
return sd_varlink_error(link, "io.systemd.Machine.NotSupported", NULL);
r = varlink_verify_polkit_async(
link,
manager->bus,
"org.freedesktop.machine1.manage-machines",
(const char**) STRV_MAKE("name", machine->name,
"verb", "copy",
"src", p.src,
"dest", dest),
&manager->polkit_registry);
if (r <= 0)
return r;
r = path_extract_filename(host_path, &host_basename);
if (r < 0)
return log_debug_errno(r, "Failed to extract file name of '%s' path: %m", host_path);
r = path_extract_filename(container_path, &container_basename);
if (r < 0)
return log_debug_errno(r, "Failed to extract file name of '%s' path: %m", container_path);
hostfd = open_parent(host_path, O_CLOEXEC, 0);
if (hostfd < 0)
return log_debug_errno(hostfd, "Failed to open host directory %s: %m", host_path);
r = machine_get_uid_shift(machine, &uid_shift);
if (r < 0)
return log_debug_errno(r, "Failed to get machine UID shift: %m");
r = pidref_namespace_open(&machine->leader,
/* ret_pidns_fd = */ NULL,
&mntns_fd,
/* ret_netns_fd = */ NULL,
/* ret_userns_fd = */ NULL,
/* ret_root_fd = */ NULL);
if (r < 0)
return log_debug_errno(r, "Failed to open namespace: %m");
if (pipe2(errno_pipe_fd, O_CLOEXEC|O_NONBLOCK) < 0)
return log_debug_errno(errno, "Failed to create pipe: %m");
r = namespace_fork("(sd-copyns)",
"(sd-copy)",
/* except_fds = */ NULL,
/* n_except_fds = */ 0,
FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGKILL,
/* pidns_fd = */ -1,
mntns_fd,
/* netns_fd = */ -1,
/* userns_fd = */ -1,
/* root_fd = */ -1,
&child);
if (r < 0)
return log_debug_errno(r, "Failed to fork(): %m");
if (r == 0) {
errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
_cleanup_close_ int containerfd = -EBADF;
containerfd = open_parent(container_path, O_CLOEXEC, 0);
if (containerfd < 0) {
log_error_errno(containerfd, "Failed to open destination directory: %m");
report_errno_and_exit(errno_pipe_fd[1], containerfd);
}
/* Run the actual copy operation. Note that when a UID shift is set we'll either clamp the UID/GID to */
/* 0 or to the actual UID shift depending on the direction we copy. If no UID shift is set we'll copy */
/* the UID/GIDs as they are. */
r = copy_from ? copy_tree_at(
containerfd,
container_basename,
hostfd,
host_basename,
uid_shift == 0 ? UID_INVALID : 0,
uid_shift == 0 ? GID_INVALID : 0,
copy_flags,
/* denylist = */ NULL,
/* subvolumes = */ NULL)
: copy_tree_at(
hostfd,
host_basename,
containerfd,
container_basename,
uid_shift == 0 ? UID_INVALID : uid_shift,
uid_shift == 0 ? GID_INVALID : uid_shift,
copy_flags,
/* denylist = */ NULL,
/* subvolumes = */ NULL);
if (r < 0)
log_error_errno(r, "Failed to copy tree: %m");
report_errno_and_exit(errno_pipe_fd[1], r);
}
errno_pipe_fd[1] = safe_close(errno_pipe_fd[1]);
Operation *operation;
r = operation_new_with_varlink_reply(manager, machine, child, link, errno_pipe_fd[0], &operation);
if (r < 0) {
sigkill_wait(child);
return r;
}
operation->done = copy_done;
TAKE_FD(errno_pipe_fd[0]);
return 1;
}

View File

@ -25,3 +25,4 @@ int vl_method_unregister_internal(sd_varlink *link, sd_json_variant *parameters,
int vl_method_terminate_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_kill(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_open(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata);
int vl_method_copy_internal(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata, bool copy_from);

View File

@ -590,6 +590,13 @@ static int vl_method_terminate(sd_varlink *link, sd_json_variant *parameters, sd
return lookup_machine_and_call_method(link, parameters, flags, userdata, vl_method_terminate_internal);
}
static int vl_method_copy_from(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
return vl_method_copy_internal(link, parameters, flags, userdata, /* copy_from = */ true);
}
static int vl_method_copy_to(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
return vl_method_copy_internal(link, parameters, flags, userdata, /* copy_from = */ false);
}
static int list_image_one_and_maybe_read_metadata(sd_varlink *link, Image *image, bool more, AcquireMetadata am) {
int r;
@ -774,6 +781,8 @@ static int manager_varlink_init_machine(Manager *m) {
"io.systemd.Machine.Terminate", vl_method_terminate,
"io.systemd.Machine.Kill", vl_method_kill,
"io.systemd.Machine.Open", vl_method_open,
"io.systemd.Machine.CopyFrom", vl_method_copy_from,
"io.systemd.Machine.CopyTo", vl_method_copy_to,
"io.systemd.MachineImage.List", vl_method_list_images,
"io.systemd.MachineImage.Update", vl_method_update_image,
"io.systemd.MachineImage.Clone", vl_method_clone_image,

View File

@ -46,10 +46,13 @@ static int operation_done(sd_event_source *s, const siginfo_t *si, void *userdat
if (r < 0)
log_debug_errno(r, "Operation failed: %m");
/* If a completion routine (o->done) is set for this operation, call it. It sends a response, but can return an error in which case it expect us to reply.
* Otherwise, the default action is to simply return an error on failure or an empty success message on success. */
if (o->message) {
/* If a completion routine (o->done) is set for this operation,
* call it. It sends a response, but can return an error in
* which case it expect us to reply. Otherwise, the default
* action is to simply return an error on failure or an empty
* success message on success. */
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
if (o->done)
r = o->done(o, r, &error);
@ -68,13 +71,13 @@ static int operation_done(sd_event_source *s, const siginfo_t *si, void *userdat
log_error_errno(r, "Failed to reply to dbus message: %m");
}
} else if (o->link) {
/* If a completion routine (o->done) is set for this operation,
* then it's completely response for sending a response */
if (o->done)
r = o->done(o, r, /* error = */ NULL);
if (r < 0)
(void) o->done(o, r, /* error = */ NULL);
else if (r < 0)
(void) sd_varlink_error_errno(o->link, r);
else if (!o->done)
/* when o->done set it's responsible for sending reply in a happy-path case */
else
(void) sd_varlink_reply(o->link, NULL);
} else
assert_not_reached();

View File

@ -392,7 +392,7 @@ int tpm2_make_pcr_json_array(uint32_t pcr_mask, sd_json_variant **ret);
int tpm2_parse_pcr_json_array(sd_json_variant *v, uint32_t *ret);
int tpm2_make_luks2_json(int keyslot, uint32_t hash_pcr_mask, uint16_t pcr_bank, const struct iovec *pubkey, uint32_t pubkey_pcr_mask, uint16_t primary_alg, const struct iovec blobs[], size_t n_blobs, const struct iovec policy_hash[], size_t n_policy_hash, const struct iovec *salt, const struct iovec *srk, const struct iovec *pcrlock_nv, TPM2Flags flags, sd_json_variant **ret);
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *pcrlock_nv, TPM2Flags *ret_flags);
int tpm2_parse_luks2_json(sd_json_variant *v, int *ret_keyslot, uint32_t *ret_hash_pcr_mask, uint16_t *ret_pcr_bank, struct iovec *ret_pubkey, uint32_t *ret_pubkey_pcr_mask, uint16_t *ret_primary_alg, struct iovec **ret_blobs, size_t *ret_n_blobs, struct iovec **ret_policy_hash, size_t *ret_n_policy_hash, struct iovec *ret_salt, struct iovec *ret_srk, struct iovec *ret_pcrlock_nv, TPM2Flags *ret_flags);
/* Default to PCR 7 only */
#define TPM2_PCR_INDEX_DEFAULT UINT32_C(7)

View File

@ -121,9 +121,30 @@ static SD_VARLINK_DEFINE_METHOD(
SD_VARLINK_DEFINE_OUTPUT(ptyFileDescriptor, SD_VARLINK_INT, 0),
SD_VARLINK_FIELD_COMMENT("Path to the allocated pseudo TTY"),
SD_VARLINK_DEFINE_OUTPUT(ptyPath, SD_VARLINK_STRING, 0));
static SD_VARLINK_DEFINE_METHOD(
CopyFrom,
VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
SD_VARLINK_FIELD_COMMENT("A source directory in the container"),
SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("A destination directory in the container. If null, it's equal to 'source'"),
SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("If true the destination will be replaced"),
SD_VARLINK_DEFINE_INPUT(replace, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
static SD_VARLINK_DEFINE_METHOD(
CopyTo,
VARLINK_DEFINE_MACHINE_LOOKUP_AND_POLKIT_INPUT_FIELDS,
SD_VARLINK_FIELD_COMMENT("A source directory on the host"),
SD_VARLINK_DEFINE_INPUT(source, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("A destination directory in the container. If null, it's equal to 'source'"),
SD_VARLINK_DEFINE_INPUT(destination, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("If true the destination will be replaced"),
SD_VARLINK_DEFINE_INPUT(replace, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE));
static SD_VARLINK_DEFINE_ERROR(NoSuchMachine);
static SD_VARLINK_DEFINE_ERROR(MachineExists);
static SD_VARLINK_DEFINE_ERROR(NoSuchFile);
static SD_VARLINK_DEFINE_ERROR(FileExists);
static SD_VARLINK_DEFINE_ERROR(NoPrivateNetworking);
static SD_VARLINK_DEFINE_ERROR(NoOSReleaseInformation);
static SD_VARLINK_DEFINE_ERROR(NoUIDShift);
@ -154,9 +175,17 @@ SD_VARLINK_DEFINE_INTERFACE(
&vl_type_MachineOpenMode,
SD_VARLINK_SYMBOL_COMMENT("Allocates a pseudo TTY in the container in various modes"),
&vl_method_Open,
SD_VARLINK_SYMBOL_COMMENT("Copy files or directories from a container into the host"),
&vl_method_CopyFrom,
SD_VARLINK_SYMBOL_COMMENT("Copy files or directories from the host into a container"),
&vl_method_CopyTo,
SD_VARLINK_SYMBOL_COMMENT("No matching machine currently running"),
&vl_error_NoSuchMachine,
&vl_error_MachineExists,
SD_VARLINK_SYMBOL_COMMENT("No such file"),
&vl_error_NoSuchFile,
SD_VARLINK_SYMBOL_COMMENT("File exists"),
&vl_error_FileExists,
SD_VARLINK_SYMBOL_COMMENT("Machine does not use private networking"),
&vl_error_NoPrivateNetworking,
SD_VARLINK_SYMBOL_COMMENT("Machine does not contain OS release information"),

View File

@ -23,6 +23,7 @@
#include "user-util.h"
#include "userdb.h"
#include "verbs.h"
#include "virt.h"
static enum {
OUTPUT_CLASSIC,
@ -139,10 +140,16 @@ static int show_user(UserRecord *ur, Table *table) {
return 0;
}
static bool test_show_mapped(void) {
/* Show mapped user range only in environments where user mapping is a thing. */
return running_in_userns() > 0;
}
static const struct {
uid_t first, last;
const char *name;
UserDisposition disposition;
bool (*test)(void);
} uid_range_table[] = {
{
.first = 1,
@ -175,11 +182,12 @@ static const struct {
.last = MAP_UID_MAX,
.name = "mapped",
.disposition = USER_REGULAR,
.test = test_show_mapped,
},
};
static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
int r;
int r, n_added = 0;
assert(table);
@ -192,6 +200,9 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " users ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -249,9 +260,11 @@ static int table_add_uid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same UID */
if (r < 0)
return table_log_add_error(r);
n_added += 2;
}
return ELEMENTSOF(uid_range_table) * 2;
return n_added;
}
static int add_unavailable_uid(Table *table, uid_t start, uid_t end) {
@ -565,16 +578,22 @@ static int show_group(GroupRecord *gr, Table *table) {
}
static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
int r;
int r, n_added = 0;
assert(table);
FOREACH_ELEMENT(i, uid_range_table) {
_cleanup_free_ char *name = NULL, *comment = NULL;
if (!FLAGS_SET(arg_disposition_mask, UINT64_C(1) << i->disposition))
continue;
if (!uid_range_covers(p, i->first, i->last - i->first + 1))
continue;
if (i->test && !i->test())
continue;
name = strjoin(special_glyph(SPECIAL_GLYPH_ARROW_DOWN),
" begin ", i->name, " groups ",
special_glyph(SPECIAL_GLYPH_ARROW_DOWN));
@ -626,9 +645,11 @@ static int table_add_gid_boundaries(Table *table, const UIDRange *p) {
TABLE_INT, 1); /* sort after any other entry with the same GID */
if (r < 0)
return table_log_add_error(r);
n_added += 2;
}
return ELEMENTSOF(uid_range_table) * 2;
return n_added;
}
static int add_unavailable_gid(Table *table, uid_t start, uid_t end) {

View File

@ -252,7 +252,7 @@ done
####################
# varlinkctl tests #
# ##################
####################
long_running_machine_start
@ -352,12 +352,7 @@ TS="$(date '+%H:%M:%S')"
(! varlinkctl --more call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"acquireMetadata": "yes"}')
journalctl --sync
(! journalctl -u systemd-machined.service --since="$TS" --grep 'Connection busy')
# terminate machines
machinectl terminate container-without-os-release
machinectl terminate long-running
# wait for the container being stopped, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
(ip addr show lo | grep -q 192.168.1.100) || ip address add 192.168.1.100/24 dev lo
(! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.List '{"name": ".host"}' | grep 'addresses')
@ -386,6 +381,30 @@ varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.Open
timeout 30 bash -c "until test -e /tmp/none-existent-file; do sleep .5; done"
grep -q "BAR" /tmp/none-existent-file
# test io.systemd.Machine.CopyTo
long_running_machine_start
rm -f /tmp/foo /var/lib/machines/long-running/root/foo
cp /etc/machine-id /tmp/foo
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo"}'
diff /tmp/foo /var/lib/machines/long-running/root/foo
(! varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo"}')
echo "sample-test-output" > /tmp/foo
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyTo '{"name": "long-running", "source": "/tmp/foo", "destination": "/root/foo", "replace": true}'
diff /tmp/foo /var/lib/machines/long-running/root/foo
rm -f /tmp/foo /var/lib/machines/long-running/root/foo
# test io.systemd.Machine.CopyFrom
cp /etc/machine-id /var/lib/machines/long-running/foo
varlinkctl call /run/systemd/machine/io.systemd.Machine io.systemd.Machine.CopyFrom '{"name": "long-running", "source": "/foo"}'
diff /var/lib/machines/long-running/foo /foo
rm -f /var/lib/machines/long-running/root/foo /foo
# Terminating machine, otherwise acquiring image metadata by io.systemd.MachineImage.List may fail in the below.
machinectl terminate long-running
timeout 10 bash -c "while machinectl status long-running &>/dev/null; do sleep .5; done"
systemctl kill --signal=KILL systemd-nspawn@long-running.service || :
# test io.systemd.MachineImage.List
varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep 'long-running'
varlinkctl --more call /run/systemd/machine/io.systemd.MachineImage io.systemd.MachineImage.List '{}' | grep '.host'