update TODO

When a job is skipped, it's useful to know exactly which condition failed so
let's add this information to the error message.

To avoid having to dynamically generate a format string, we special case the
formatting of condition failed messages.

TODO

@@ -83,6 +83,8 @@ Janitorial Clean-ups:
 
 Features:
 
+* PAM: pick auf one authentication token from credentials
+
 * tpm2: figure out if we need to do anything for TPM2 parameter encryption? And
   if so, what precisely?
 
@@ -92,8 +94,6 @@ Features:
   data in the image, make sure the image filename actually matches this, so
   that images cannot be misused.
 
-* use credentials logic/TPM2 logic to store homed signing key
-
 * New udev block device symlink names:
   /dev/disk/by-parttypelabel/<pttype>/<ptlabel>. Use case: if pt label is used
   as partition image version string, this is a safe way to reference a specific
@@ -1199,45 +1199,35 @@ Features:
   - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE,
     so that mounts propagate down but not up - eg, user A setting up a backup volume
     doesn't mean user B sees it
-
+  - use credentials logic/TPM2 logic to store homed signing key
-* homed: during login resize fs automatically towards size goal. Specifically,
+  - during login resize fs automatically towards size goal. Specifically,
     resize to diskSize if possible, but leave a certain amount (configured by a
     new value diskLeaveFreeSize) of space free on the backing fs.
-
+  - permit multiple user record signing keys to be used locally, and pick
-* homed: permit multiple user record signing keys to be used locally, and pick
     the right one for signing records automatically depending on a pre-existing
     signature
-
+  - add a way to "adopt" a home directory, i.e. strip foreign signatures
-* homed: add a way to "adopt" a home directory, i.e. strip foreign signatures
     and insert a local signature instead.
-
+  - as an extension to the directory+subvolume backend: if located on
-* homed: as an extension to the directory+subvolume backend: if located on
     especially marked fs, then sync down password into LUKS header of that fs,
     and always verify passwords against it too. Bootstrapping is a problem
     though: if no one is logged in (or no other user even exists yet), how do you
     unlock the volume in order to create the first user and add the first pw.
-
+  - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
-* homed: support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt
+  - maybe pre-create ~/.cache as subvol so that it can have separate quota
-
-* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
     easily?
-
+  - if kernel 5.12 uid mapping mounts exist, use that instead of recursive
-* homed: if kernel 5.12 uid mapping mounts exist, use that instead of recursive
     chowns.
-
+  - add a switch to homectl (maybe called --first-boot) where it will check if
-* add a switch to homectl (maybe called --first-boot) where it will check if
     any non-system users exist, and if not prompts interactively for basic user
     info, mimicking systemd-firstboot. Then, place this in a service that runs
     after systemd-homed, but before gdm and friends, as a simple, barebones
     fallback logic to get a regular user created on uninitialized systems.
-
+  - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
-* homed: store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with
     systemd-cryptsetup, so that it can unlock homed volumes
-
+  - try to unmount in regular intervals when home dir was busy when we
-* homed: try to unmount in regular intervals when home dir was busy when we
     tried because idle.
-
+  - keep an fd to the homedir open at all times, to keep the fs pinned
-* homed: keep an fd to the homedir open at all times, to keep the fs pinned
     (autofs and such) while user is logged in.
 
 * add a new switch --auto-definitions=yes/no or so to systemd-repart. If

src/core/job.c

@@ -705,8 +705,39 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult
 
         if (!console_only) {  /* Skip printing if output goes to the console, and job_print_status_message()
                                * will actually print something to the console. */
-
+                Condition *c;
                 const char *mid = job_done_mid(t, result);  /* mid may be NULL. log_unit_struct() will ignore it. */
+
+                c = t == JOB_START && result == JOB_DONE ? unit_find_failed_condition(u) : NULL;
+                if (c) {
+                        /* Special case units that were skipped because of a failed condition check so that
+                         * we can add more information to the message. */
+                        if (c->trigger)
+                                log_unit_struct(
+                                        u,
+                                        job_done_messages[result].log_level,
+                                        "MESSAGE=%s was skipped because all trigger condition checks failed.",
+                                        ident,
+                                        "JOB_ID=%" PRIu32, job_id,
+                                        "JOB_TYPE=%s", job_type_to_string(t),
+                                        "JOB_RESULT=%s", job_result_to_string(result),
+                                        LOG_UNIT_INVOCATION_ID(u),
+                                        mid);
+                        else
+                                log_unit_struct(
+                                        u,
+                                        job_done_messages[result].log_level,
+                                        "MESSAGE=%s was skipped because of a failed condition check (%s=%s%s).",
+                                        ident,
+                                        condition_type_to_string(c->type),
+                                        c->negate ? "!" : "",
+                                        c->parameter,
+                                        "JOB_ID=%" PRIu32, job_id,
+                                        "JOB_TYPE=%s", job_type_to_string(t),
+                                        "JOB_RESULT=%s", job_result_to_string(result),
+                                        LOG_UNIT_INVOCATION_ID(u),
+                                        mid);
+                } else {
                         const char *msg_fmt = strjoina("MESSAGE=", format);
 
                         DISABLE_WARNING_FORMAT_NONLITERAL;
@@ -719,6 +750,7 @@ static void job_emit_done_message(Unit *u, uint32_t job_id, JobType t, JobResult
                                         mid);
                         REENABLE_WARNING;
                 }
+        }
 
         if (do_console) {
                 if (log_get_show_color())

src/core/unit.c

@@ -5848,6 +5848,25 @@ int unit_thaw_vtable_common(Unit *u) {
         return unit_cgroup_freezer_action(u, FREEZER_THAW);
 }
 
+Condition *unit_find_failed_condition(Unit *u) {
+        Condition *c, *failed_trigger = NULL;
+        bool has_succeeded_trigger = false;
+
+        if (u->condition_result)
+                return NULL;
+
+        LIST_FOREACH(conditions, c, u->conditions)
+                if (c->trigger) {
+                        if (c->result == CONDITION_SUCCEEDED)
+                                 has_succeeded_trigger = true;
+                        else if (!failed_trigger)
+                                 failed_trigger = c;
+                } else if (c->result != CONDITION_SUCCEEDED)
+                        return c;
+
+        return failed_trigger && !has_succeeded_trigger ? failed_trigger : NULL;
+}
+
 static const char* const collect_mode_table[_COLLECT_MODE_MAX] = {
         [COLLECT_INACTIVE] = "inactive",
         [COLLECT_INACTIVE_OR_FAILED] = "inactive-or-failed",

src/core/unit.h

@@ -984,6 +984,8 @@ void unit_thawed(Unit *u);
 int unit_freeze_vtable_common(Unit *u);
 int unit_thaw_vtable_common(Unit *u);
 
+Condition *unit_find_failed_condition(Unit *u);
+
 /* Macros which append UNIT= or USER_UNIT= to the message */
 
 #define log_unit_full_errno_zerook(unit, level, error, ...)             \