
Commit 69dc36f

committed
TEST-50-DISSECT: Make sure logging sockets are mounted into images
Otherwise we lose valuable logging from systemd-executor when things go wrong since it can only log to the journal and not to the console in these cases.
1 parent e85be49 commit 69dc36f


1 file changed

+53
-3
lines changed

1 file changed

+53
-3
lines changed

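--- a/test/units/testsuite-50.dissect.sh
+++ b/test/units/testsuite-50.dissect.sh
@@ -9,6 +9,12 @@ set -o pipefail
 # shellcheck source=test/units/util.sh
 . "$(dirname "$0")"/util.sh
 
+BIND_LOG_SOCKETS=(
+--property BindReadOnlyPaths=/dev/log
+--property BindReadOnlyPaths=/run/systemd/journal/socket
+--property BindReadOnlyPaths=/run/systemd/journal/stdout
+)
+
 systemd-dissect --json=short "$MINIMAL_IMAGE.raw" | \
 grep -q -F '{"rw":"ro","designator":"root","partition_uuid":null,"partition_label":null,"fstype":"squashfs","architecture":null,"verity":"external"'
 systemd-dissect "$MINIMAL_IMAGE.raw" | grep -q -F "MARKER=1"
@@ -73,19 +79,21 @@ fi
 systemd-dissect --umount "$IMAGE_DIR/mount"
 systemd-dissect --umount "$IMAGE_DIR/mount2"
 
-systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
 mv "$MINIMAL_IMAGE.verity" "$MINIMAL_IMAGE.fooverity"
 mv "$MINIMAL_IMAGE.roothash" "$MINIMAL_IMAGE.foohash"
 systemd-run -P \
 -p RootImage="$MINIMAL_IMAGE.raw" \
 -p RootHash="$MINIMAL_IMAGE.foohash" \
 -p RootVerity="$MINIMAL_IMAGE.fooverity" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 # Let's use the long option name just here as a test
 systemd-run -P \
 --property RootImage="$MINIMAL_IMAGE.raw" \
 --property RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 --property RootVerity="$MINIMAL_IMAGE.fooverity" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 mv "$MINIMAL_IMAGE.fooverity" "$MINIMAL_IMAGE.verity"
 mv "$MINIMAL_IMAGE.foohash" "$MINIMAL_IMAGE.roothash"
@@ -133,48 +141,56 @@ systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='*' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 (! systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='~' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1")
 (! systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='-' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1")
 (! systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='root=absent' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1")
 systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='root=verity' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='root=signed' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 (! systemd-run --wait -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p RootImagePolicy='root=encrypted' \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1")
 
 systemd-dissect --root-hash "$MINIMAL_IMAGE_ROOTHASH" --mount "$MINIMAL_IMAGE.gpt" "$IMAGE_DIR/mount"
@@ -194,14 +210,17 @@ systemd-run -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p MountAPIVFS=yes \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
 -p RootImage="$MINIMAL_IMAGE.raw" \
 -p RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" \
+"${BIND_LOG_SOCKETS[@]}" \
 mount | grep -F "squashfs" | grep -q -F "nosuid"
 systemd-run -P \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootImageOptions="root:ro,noatime root:ro,dev" \
+"${BIND_LOG_SOCKETS[@]}" \
 mount | grep -F "squashfs" | grep -q -F "noatime"
 
 mkdir -p "$IMAGE_DIR/result"
@@ -214,6 +233,7 @@ TemporaryFileSystem=/run
 RootImage=$MINIMAL_IMAGE.raw
 RootImageOptions=root:ro,noatime home:ro,dev relatime,dev
 RootImageOptions=nosuid,dev
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 EOF
 systemctl start testservice-50a.service
 grep -F "squashfs" "$IMAGE_DIR/result/a" | grep -q -F "noatime"
@@ -230,6 +250,7 @@ RootImageOptions=root:ro,noatime,nosuid home:ro,dev nosuid,dev
 RootImageOptions=home:ro,dev nosuid,dev,%%foo
 # this is the default, but let's specify once to test the parser
 MountAPIVFS=yes
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 EOF
 systemctl start testservice-50b.service
 grep -F "squashfs" "$IMAGE_DIR/result/b" | grep -q -F "noatime"
@@ -262,23 +283,27 @@ systemd-run -P \
 -p TemporaryFileSystem=/run \
 -p RootImage="$MINIMAL_IMAGE.raw" \
 -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
 -p TemporaryFileSystem=/run \
 -p RootImage="$MINIMAL_IMAGE.raw" \
 -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
 systemd-run -P \
 -p TemporaryFileSystem=/run \
 -p RootImage="$MINIMAL_IMAGE.gpt" \
 -p RootHash="$MINIMAL_IMAGE_ROOTHASH" \
 -p MountImages="$MINIMAL_IMAGE.gpt:/run/img1 $MINIMAL_IMAGE.raw:/run/img2" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
 cat >/run/systemd/system/testservice-50c.service <<EOF
 [Service]
 MountAPIVFS=yes
 TemporaryFileSystem=/run
 RootImage=$MINIMAL_IMAGE.raw
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 MountImages=$MINIMAL_IMAGE.gpt:/run/img1:root:noatime:home:relatime
 MountImages=$MINIMAL_IMAGE.raw:/run/img2\:3:nosuid
 ExecStart=bash -c "cat /run/img1/usr/lib/os-release >/run/result/c"
@@ -326,34 +351,42 @@ systemctl is-active testservice-50d.service
 systemd-run -P \
 --property ExtensionImages=/usr/share/app0.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
 --property ExtensionImages=/usr/share/app0.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
 --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script1.sh | grep -q -F "extension-release.app2"
 systemd-run -P \
 --property ExtensionImages="/usr/share/app0.raw /usr/share/app1.raw" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionImages=/usr/share/app-nodistro.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionImages=/etc/service-scoped-test.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 # Check that using a symlink to NAME-VERSION.raw works as long as the symlink has the correct name NAME.raw
 mkdir -p /usr/share/symlink-test/
@@ -362,6 +395,7 @@ ln -fs /usr/share/symlink-test/app-nodistro-v1.raw /usr/share/symlink-test/app-n
 systemd-run -P \
 --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 
 # Symlink check again but for confext
@@ -371,17 +405,20 @@ ln -fs /etc/symlink-test/service-scoped-test-v1.raw /etc/symlink-test/service-sc
 systemd-run -P \
 --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 # And again mixing sysext and confext
 systemd-run -P \
 --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
 --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 systemd-run -P \
 --property ExtensionImages=/usr/share/symlink-test/app-nodistro.raw \
 --property ExtensionImages=/etc/symlink-test/service-scoped-test.raw \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 
 cat >/run/systemd/system/testservice-50e.service <<EOF
@@ -391,6 +428,7 @@ TemporaryFileSystem=/run /var/lib
 StateDirectory=app0
 RootImage=$MINIMAL_IMAGE.raw
 ExtensionImages=/usr/share/app0.raw /usr/share/app1.raw:nosuid
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 # Relevant only for sanitizer runs
 UnsetEnvironment=LD_PRELOAD
 ExecStart=bash -c '/opt/script0.sh | grep ID'
@@ -418,10 +456,12 @@ mkdir -p "$IMAGE_DIR/app0" "$IMAGE_DIR/app1" "$IMAGE_DIR/app-nodistro" "$IMAGE_D
 (! systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/nonexistent" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh)
 (! systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh)
 systemd-dissect --mount /usr/share/app0.raw "$IMAGE_DIR/app0"
 systemd-dissect --mount /usr/share/app1.raw "$IMAGE_DIR/app1"
@@ -430,41 +470,50 @@ systemd-dissect --mount /etc/service-scoped-test.raw "$IMAGE_DIR/service-scoped-
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script0.sh | grep -q -F "extension-release.app0"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /opt/script1.sh | grep -q -F "extension-release.app2"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app0 $IMAGE_DIR/app1" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/other_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/app-nodistro" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /usr/lib/systemd/system/some_file | grep -q -F "MARKER=1"
 systemd-run -P \
 --property ExtensionDirectories="$IMAGE_DIR/service-scoped-test" \
 --property RootImage="$MINIMAL_IMAGE.raw" \
+"${BIND_LOG_SOCKETS[@]}" \
 cat /etc/systemd/system/some_file | grep -q -F "MARKER_CONFEXT_123"
 cat >/run/systemd/system/testservice-50f.service <<EOF
 [Service]
 MountAPIVFS=yes
 TemporaryFileSystem=/run /var/lib
 StateDirectory=app0
 RootImage=$MINIMAL_IMAGE.raw
+BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
 ExtensionDirectories=$IMAGE_DIR/app0 $IMAGE_DIR/app1
 # Relevant only for sanitizer runs
 UnsetEnvironment=LD_PRELOAD
@@ -534,7 +583,7 @@ ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_33.raw"
 ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_34.raw"
 ln -s "$MINIMAL_IMAGE.raw" "$VDIR/${VBASE}_35.raw"
 
-systemd-run -P -p RootImage="$VDIR" cat /usr/lib/os-release | grep -q -F "MARKER=1"
+systemd-run -P -p RootImage="$VDIR" "${BIND_LOG_SOCKETS[@]}" cat /usr/lib/os-release | grep -q -F "MARKER=1"
 
 rm "$VDIR/${VBASE}_33.raw" "$VDIR/${VBASE}_34.raw" "$VDIR/${VBASE}_35.raw"
 rmdir "$VDIR"
@@ -612,6 +661,7 @@ systemd-run --unit=test-root-ephemeral \
 -p RootDirectory=/tmp/img \
 -p RootEphemeral=yes \
 -p Type=exec \
+"${BIND_LOG_SOCKETS[@]}" \
 bash -c "touch /abc && sleep infinity"
 test -n "$(ls -A /var/lib/systemd/ephemeral-trees)"
 systemctl stop test-root-ephemeral
@@ -661,7 +711,7 @@ grep -q -F "MARKER_CONFEXT_123" /etc/testfile
 systemd-confext unmerge
 rm -rf /run/confexts/ testjob/
 
-systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /run/host/os-release | cmp "$OS_RELEASE"
+systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" "${BIND_LOG_SOCKETS[@]}" cat /run/host/os-release | cmp "$OS_RELEASE"
 
 # Test that systemd-sysext reloads the daemon.
 mkdir -p /var/lib/extensions/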
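Review bot: `BIND_LOG_SOCKETS` (new lines 12-16) is introduced without a comment, so the reason for the three bind mounts is recorded only in the commit message; a line such as `# Make the journal sockets available inside the image: systemd-executor can only log to the journal there, not to the console` above the array would keep it with the code. The comment should also say that the read-only flag covers the mount and not the socket: the confined command can still connect and write to the host journal, which is what these tests want but is worth knowing before the pattern is copied into a hardened unit. The unit-file heredocs for testservice-50a, 50b, 50c, 50e and 50f repeat the same three paths as a literal `BindReadOnlyPaths=` line; those heredocs already expand `$MINIMAL_IMAGE`, so one shared variable defined next to the array would keep the two forms from drifting apart. In the `(! systemd-run …)` cases the extra properties add another way for the command to fail, so those negative tests would still pass if a socket bind ever failed instead of the policy check; the positive runs with the same array cover that only indirectly.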
