diff options
-rw-r--r-- | man/systemd-sysctl.service.xml | 24 | ||||
-rw-r--r-- | src/sysctl/sysctl.c | 24 | ||||
-rwxr-xr-x | test/TEST-54-CREDS/test.sh | 2 | ||||
-rwxr-xr-x | test/units/testsuite-54.sh | 3 | ||||
-rw-r--r-- | units/systemd-sysctl.service.in | 1 |
5 files changed, 53 insertions, 1 deletions
diff --git a/man/systemd-sysctl.service.xml b/man/systemd-sysctl.service.xml index 751aa2b09e..98533b451f 100644 --- a/man/systemd-sysctl.service.xml +++ b/man/systemd-sysctl.service.xml @@ -74,6 +74,30 @@ </refsect1> <refsect1> + <title>Credentials</title> + + <para><command>systemd-sysctl</command> supports the service credentials logic as implemented by + <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for + details). The following credentials are used when passed in:</para> + + <variablelist> + <varlistentry> + <term><literal>sysctl.extra</literal></term> + + <listitem><para>The contents of this credential may contain additional lines to operate on. The + credential contents should follow the same format as any other <filename>sysctl.d/</filename> + drop-in. If this credential is passed it is processed after all of the drop-in files read from the + file system. The settings configured in the credential hence take precedence over those in the file + system.</para></listitem> + </varlistentry> + </variablelist> + + <para>Note that by default the <filename>systemd-sysctl.service</filename> unit file is set up to inherit + the <literal>sysctl.extra</literal> credential from the service manager.</para> + </refsect1> + + <refsect1> <title>Examples</title> <example> diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c index 2b854a7370..e92640d948 100644 --- a/src/sysctl/sysctl.c +++ b/src/sysctl/sysctl.c @@ -10,6 +10,7 @@ #include <sys/types.h> #include "conf-files.h" +#include "creds-util.h" #include "def.h" #include "errno-util.h" #include "fd-util.h" @@ -277,6 +278,25 @@ static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ig return r; } +static int read_credential_lines(OrderedHashmap **sysctl_options) { + _cleanup_free_ char *j = NULL; + const char *d; + int r; + + r = get_credentials_dir(&d); + if (r == -ENXIO) + return 0; + if (r < 0) + return log_error_errno(r, "Failed to get credentials directory: %m"); + + j = path_join(d, "sysctl.extra"); + if (!j) + return log_oom(); + + (void) parse_file(sysctl_options, j, /* ignore_enoent= */ true); + return 0; +} + static int help(void) { _cleanup_free_ char *link = NULL; int r; @@ -416,6 +436,10 @@ static int run(int argc, char *argv[]) { if (k < 0 && r == 0) r = k; } + + k = read_credential_lines(&sysctl_options); + if (k < 0 && r == 0) + r = k; } k = apply_all(sysctl_options); diff --git a/test/TEST-54-CREDS/test.sh b/test/TEST-54-CREDS/test.sh index 3b2c241323..8d5d796cc8 100755 --- a/test/TEST-54-CREDS/test.sh +++ b/test/TEST-54-CREDS/test.sh @@ -5,7 +5,7 @@ set -e TEST_DESCRIPTION="test credentials" NSPAWN_ARGUMENTS="${NSPAWN_ARGUMENTS:-} --set-credential=mynspawncredential:strangevalue" QEMU_OPTIONS="${QEMU_OPTIONS:-} -fw_cfg name=opt/io.systemd.credentials/myqemucredential,string=othervalue" -KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff rd.systemd.import_credentials=no" +KERNEL_APPEND="${KERNEL_APPEND:-} systemd.set_credential=kernelcmdlinecred:uff systemd.set_credential=sysctl.extra:kernel.domainname=sysctltest rd.systemd.import_credentials=no" # shellcheck source=test/test-functions . "${TEST_BASE_DIR:?}/test-functions" diff --git a/test/units/testsuite-54.sh b/test/units/testsuite-54.sh index c5347e351e..06f3beb287 100755 --- a/test/units/testsuite-54.sh +++ b/test/units/testsuite-54.sh @@ -33,6 +33,9 @@ elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then systemd-detect-virt -q -v expected_credential=myqemucredential expected_value=othervalue + + # Verify that writing a sysctl via the kernel cmdline worked + [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ] else echo "qemu_fw_cfg support missing in kernel. Sniff!" expected_credential="" diff --git a/units/systemd-sysctl.service.in b/units/systemd-sysctl.service.in index 44b8853521..77793f3894 100644 --- a/units/systemd-sysctl.service.in +++ b/units/systemd-sysctl.service.in @@ -21,3 +21,4 @@ Type=oneshot RemainAfterExit=yes ExecStart={{ROOTLIBEXECDIR}}/systemd-sysctl TimeoutSec=90s +LoadCredential=sysctl.extra |