core/exec-credential: complain louder if inherited credential is missing

Also document that a missing inherited credential is not considered fatal. Closes systemd#32667
YHNdnzj · May 7, 2024 · 6b34871 · 6b34871
1 parent d568c4c
commit 6b34871
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
@@ -3385,6 +3385,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
         a terse way to declare credentials to inherit from the service manager into a service. This option
         may be used multiple times, each time defining an additional credential to pass to the unit.</para>
 
+        <para>Note that if the path is not specified or a valid credential identifier is given, i.e.
+        in the above two cases, a missing credential is not considered fatal.</para>
+
         <para>If an absolute path referring to a directory is specified, every file in that directory
         (recursively) will be loaded as a separate credential. The ID for each credential will be the
         provided ID suffixed with <literal>_$FILENAME</literal> (e.g., <literal>Key_file1</literal>). When

diff --git a/src/core/exec-credential.c b/src/core/exec-credential.c
@@ -443,7 +443,7 @@ static int load_credential(
 
                 /* Pass some minimal info about the unit and the credential name we are looking to acquire
                  * via the source socket address in case we read off an AF_UNIX socket. */
-                if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, id) < 0)
+                if (asprintf(&bindname, "@%" PRIx64 "/unit/%s/%s", random_u64(), unit, id) < 0)
                         return -ENOMEM;
 
                 missing_ok = false;
@@ -467,7 +467,7 @@ static int load_credential(
 
         maxsz = encrypted ? CREDENTIAL_ENCRYPTED_SIZE_MAX : CREDENTIAL_SIZE_MAX;
 
-        if (search_path) {
+        if (search_path)
                 STRV_FOREACH(d, search_path) {
                         _cleanup_free_ char *j = NULL;
 
@@ -485,7 +485,7 @@ static int load_credential(
                         if (r != -ENOENT)
                                 break;
                 }
-        } else if (source)
+        else if (source)
                 r = read_full_file_full(
                                 read_dfd, source,
                                 UINT64_MAX,
@@ -504,7 +504,8 @@ static int load_credential(
                  *
                  * Also, if the source file doesn't exist, but a fallback is set via SetCredentials=
                  * we are fine, too. */
-                log_debug_errno(r, "Couldn't read inherited credential '%s', skipping: %m", path);
+                log_full_errno(hashmap_contains(context->set_credentials, id) ? LOG_DEBUG : LOG_WARNING,
+                               r, "Couldn't read inherited credential '%s', skipping: %m", path);
                 return 0;
         }
         if (r < 0)