core/exec-credential: complain louder if inherited credential is missing

Also document that a missing inherited credential is not considered fatal. Closes #32667
2026-03-06 15:02:31 -08:00 · 2024-05-07 19:45:06 +08:00
parent d568c4c1a8
commit 6b34871f5d
2 changed files with 8 additions and 4 deletions
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -3385,6 +3385,9 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
        a terse way to declare credentials to inherit from the service manager into a service. This option
        may be used multiple times, each time defining an additional credential to pass to the unit.</para>

+        <para>Note that if the path is not specified or a valid credential identifier is given, i.e.
+        in the above two cases, a missing credential is not considered fatal.</para>
+
        <para>If an absolute path referring to a directory is specified, every file in that directory
        (recursively) will be loaded as a separate credential. The ID for each credential will be the
        provided ID suffixed with <literal>_$FILENAME</literal> (e.g., <literal>Key_file1</literal>). When
--- a/src/core/exec-credential.c
+++ b/src/core/exec-credential.c
@@ -443,7 +443,7 @@ static int load_credential(

                /* Pass some minimal info about the unit and the credential name we are looking to acquire
                 * via the source socket address in case we read off an AF_UNIX socket. */
-                if (asprintf(&bindname, "@%" PRIx64"/unit/%s/%s", random_u64(), unit, id) < 0)
+                if (asprintf(&bindname, "@%" PRIx64 "/unit/%s/%s", random_u64(), unit, id) < 0)
                        return -ENOMEM;

                missing_ok = false;
@@ -467,7 +467,7 @@ static int load_credential(

        maxsz = encrypted ? CREDENTIAL_ENCRYPTED_SIZE_MAX : CREDENTIAL_SIZE_MAX;

-        if (search_path) {
+        if (search_path)
                STRV_FOREACH(d, search_path) {
                        _cleanup_free_ char *j = NULL;

@@ -485,7 +485,7 @@ static int load_credential(
                        if (r != -ENOENT)
                                break;
                }
-        } else if (source)
+        else if (source)
                r = read_full_file_full(
                                read_dfd, source,
                                UINT64_MAX,
@@ -504,7 +504,8 @@ static int load_credential(
                 *
                 * Also, if the source file doesn't exist, but a fallback is set via SetCredentials=
                 * we are fine, too. */
-                log_debug_errno(r, "Couldn't read inherited credential '%s', skipping: %m", path);
+                log_full_errno(hashmap_contains(context->set_credentials, id) ? LOG_DEBUG : LOG_WARNING,
+                               r, "Couldn't read inherited credential '%s', skipping: %m", path);
                return 0;
        }
        if (r < 0)