[systemd-devel] CREDENTIALS_DIRECTORY vs %d

Gesh gesh at gesh.uni.cx
Thu Aug 22 12:29:51 UTC 2024


On Thu, Aug 22, 2024 at 02:01:02PM GMT, Lennart Poettering wrote:
> On Do, 22.08.24 14:44, Gesh (gesh at gesh.uni.cx) wrote:
> 
> > On Thu, Aug 22, 2024 at 11:57:58AM GMT, Lennart Poettering wrote:
> > > On Di, 13.08.24 01:28, Gesh (gesh at gesh.uni.cx) wrote:
> > >
> > > > systemd.exec(5) reads:
> > > > > In order to reference the path a credential may be read from within a
> > > > > ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g.
> > > > > "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred". In order to reference the
> > > > > path a credential may be read from within a Environment= line use "%d/mycred",
> > > > > e.g.  "Environment=MYCREDPATH=%d/mycred".
> 
> > At a guess, the `Environment=` directive would either be unaffected or
> > have unclear semantics (in case of loops) if a user attempted to
> > override `CREDENTIALS_DIRECTORY`, hence there's no harm in freezing
> > its resolution; but the `Exec*` directives should be left
> > influenceable in case the user's configuration requires moving
> > `CREDENTIALS_DIRECTORY`?
> 
> i am not sure i follow.
> 
> Env vars in Exec*= are resolved at the  moment we actually fork off a
> process, not early. And env vars combine Environment=,
> EnvironmentFile= and various others sources of env vars in a defined
> order. It's a complex system of inheritance and overriding.

I was trying to justify the man page in light of our discussion, which
recommends the environment variable in Exec* and the directive in
Environment=.
Given your above preference for directives, I would've expected the
recommendation to be %d throughout. That this is not the case for
Exec* directives suggests to me that we want the extra flexibility
there? I was then left grasping for why one would only want that
flexibility there, so I guessed it was to avoid the confusing
situation where (after chasing down environment configurations) we end
up with:
```
[Service]
Environment="MYCRED=${CREDENTIALS_DIRECTORY}/mycred"
Environment="CREDENTIALS_DIRECTORY=/custom/path/to/creds"
```
which would be dependent on the expansion order.

I'm not sure how useful the ability to change CREDENTIALS_DIRECTORY
via environment variables is in practice, though, on two counts:
- Are there any circumstances where you'd want multiple values for
  CREDENTIALS_DIRECTORY within the same service manager?
- Even if there are such cases, do they warrant the same amount of
  flexibility as general environment variables? Surely this is a bit
  of execution context of the same status as the other directives in
  `systemd.exec`? (cf the situation around $UID vs User=)

Regards,
Gesh


More information about the systemd-devel mailing list