[systemd-devel] CREDENTIALS_DIRECTORY vs %d

Lennart Poettering mzxreary at 0pointer.de
Thu Aug 22 12:01:02 UTC 2024


On Do, 22.08.24 14:44, Gesh (gesh at gesh.uni.cx) wrote:

> On Thu, Aug 22, 2024 at 11:57:58AM GMT, Lennart Poettering wrote:
> > On Di, 13.08.24 01:28, Gesh (gesh at gesh.uni.cx) wrote:
> >
> > > systemd.exec(5) reads:
> > > > In order to reference the path a credential may be read from within a
> > > > ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g.
> > > > "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred". In order to reference the
> > > > path a credential may be read from within an Environment= line use "%d/mycred",
> > > > e.g. "Environment=MYCREDPATH=%d/mycred".
> > >
> > > Is there a reason that the `ExecStart=` line should specifically refer to
> > > `$CREDENTIALS_DIRECTORY` and not `%d`? Surely these are equivalent?
> >
> > They are mostly equivalent. But note that people can override
> > CREDENTIALS_DIRECTORY locally via Environment=, if they really wish
> > to. %d would be unaffected by that.
> >
> > Also, if you do "systemctl show" on that unit, the %d thing will be
> > resolved at that time, but $CREDENTIALS_DIRECTORY will not be.
>
> Ah, fair enough, and this makes sense given the semantics.
> That gets us closer, but I still don't fully grasp the implications --
> is there a reason to recommend using one over the other?

Specifiers are simple: they resolve directly at config parse
time. That makes them really simple: eager eval makes them mostly
"static" during runtime, and they are always available in their final
form.

Env vars are terrible in contrast: they resolve lazily, at execution
time, have many inputs, are different on every invocation, and have to
deal with escaping and what not.

> At a guess, the `Environment=` directive would either be unaffected or
> have unclear semantics (in case of loops) if a user attempted to
> override `CREDENTIALS_DIRECTORY`, hence there's no harm in freezing
> its resolution; but the `Exec*` directives should be left
> influenceable in case the user's configuration requires moving
> `CREDENTIALS_DIRECTORY`?

I am not sure I follow.

Env vars in Exec*= are resolved at the moment we actually fork off a
process, not early. And env vars combine Environment=,
EnvironmentFile= and various other sources of env vars in a defined
order. It's a complex system of inheritance and overriding.

Lennart

--
Lennart Poettering, Berlin
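An added example, not part of this thread, showing both forms side by side in one unit so the parse-time vs fork-time difference is visible. It assumes a hypothetical service binary /usr/bin/myapp and a credential "mycred" loaded from the hypothetical file /etc/myapp/token; LoadCredential= is the real systemd directive that populates the credentials directory.

```ini
# Added example (not from the thread). Assumed: hypothetical binary
# /usr/bin/myapp and credential "mycred" sourced from /etc/myapp/token.
[Unit]
Description=Contrast %d (specifier) with ${CREDENTIALS_DIRECTORY} (env var)

[Service]
LoadCredential=mycred:/etc/myapp/token

# %d is a specifier: resolved once, when the unit file is parsed. The path is
# fixed from then on, and "systemctl show -p Environment <unit>" already
# prints the final value.
Environment=MYCREDPATH=%d/mycred

# ${CREDENTIALS_DIRECTORY} is an environment variable: expanded only when the
# process is forked, from the merged Environment=/EnvironmentFile= inputs.
# "systemctl show -p ExecStart <unit>" prints it unexpanded.
ExecStart=/usr/bin/myapp --token-file ${CREDENTIALS_DIRECTORY}/mycred

# A drop-in like the following (the weaker setting) would redirect the
# ExecStart= reference above, because the variable is looked up at fork time,
# while MYCREDPATH is untouched, since %d was resolved long before:
#   [Service]
#   Environment=CREDENTIALS_DIRECTORY=/some/other/dir
#
# Referencing the credential through the specifier in ExecStart= as well
# removes that environment input from the picture:
#   ExecStart=/usr/bin/myapp --token-file %d/mycred
```

To see the difference on a running system, compare the output of `systemctl show -p Environment -p ExecStart <unit>`: the `%d` reference appears as a concrete path, the `${CREDENTIALS_DIRECTORY}` reference as the literal variable.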
