Does systemd perform specifier expansion on `EnvironmentFile=`?


systemd.exec(5) says the following about `Environment=`:

"Specifier expansion is performed, see the 'Specifiers' section in systemd.unit(5)."

systemd.exec(5) says the following about `EnvironmentFile=`:

"Similar to `Environment=`"

So, does systemd perform specifier expansion on `EnvironmentFile=`?

I would expect so, but my tests under systemd 253.5 indicate that no expansion is performed for `EnvironmentFile=`.

Testing `Environment=`:

Expansion is performed: SECRET_FILE=/run/credentials/mycred1.service/mysecret

[root@mymachine:~]# systemctl cat mycred1.service 
# /etc/systemd/system/mycred1.service
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/5l0qzzkb3r3yxygdq3688fjcc18lwg3j-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/bin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/bin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/bin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/bin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/bin:/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/sbin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/sbin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/sbin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/sbin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/sbin"
Environment="TZDIR=/nix/store/4faw3w020cjxvd1dnxhg73mi10wcxvpw-tzdata-2023c/share/zoneinfo"



DynamicUser=true
Environment=SECRET_FILE=%d/mysecret
ExecStart=/nix/store/wa8vcqsc5la5yxhazrq5rxmzy1y2igaj-unit-script-mycred1-start/bin/mycred1-start 
LoadCredential=mysecret:/etc/hosts


[root@mymachine:~]# cat /nix/store/wa8vcqsc5la5yxhazrq5rxmzy1y2igaj-unit-script-mycred1-start/bin/mycred1-start
#!/nix/store/7q1b1bsmxi91zci6g8714rcljl620y7f-bash-5.2-p15/bin/bash
set -e
echo SECRET_FILE=${SECRET_FILE}



[root@mymachine:~]# systemctl start mycred1.service 

[root@mymachine:~]# systemctl status mycred1.service 
○ mycred1.service
     Loaded: loaded (/etc/systemd/system/mycred1.service; linked; preset: enabled)
     Active: inactive (dead)

Jul 18 07:24:21 mymachine systemd[1]: Started mycred1.service.
Jul 18 07:24:21 mymachine mycred1-start[4110]: SECRET_FILE=/run/credentials/mycred1.service/mysecret
Jul 18 07:24:21 mymachine systemd[1]: mycred1.service: Deactivated successfully.

Testing `EnvironmentFile=` (specifier in the file contents):

No expansion: SECRET_FILE=%d/mysecret

[root@mymachine:~]# systemctl cat mycred2.service 
# /etc/systemd/system/mycred2.service
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/5l0qzzkb3r3yxygdq3688fjcc18lwg3j-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/bin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/bin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/bin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/bin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/bin:/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/sbin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/sbin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/sbin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/sbin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/sbin"
Environment="TZDIR=/nix/store/4faw3w020cjxvd1dnxhg73mi10wcxvpw-tzdata-2023c/share/zoneinfo"



DynamicUser=true
EnvironmentFile=/nix/store/x2ybfrhf1v3g7saadggkfap1134hnkv2-mysecret
ExecStart=/nix/store/prpm62xlw5q9lnrrxjkn8wqc3l7m9njy-unit-script-mycred2-start/bin/mycred2-start 
LoadCredential=mysecret:/etc/hosts


[root@mymachine:~]# cat /nix/store/x2ybfrhf1v3g7saadggkfap1134hnkv2-mysecret
SECRET_FILE=%d/mysecret

[root@mymachine:~]# cat /nix/store/prpm62xlw5q9lnrrxjkn8wqc3l7m9njy-unit-script-mycred2-start/bin/mycred2-start
#!/nix/store/7q1b1bsmxi91zci6g8714rcljl620y7f-bash-5.2-p15/bin/bash
set -e
echo SECRET_FILE=${SECRET_FILE}



[root@mymachine:~]# systemctl start mycred2.service 

[root@mymachine:~]# systemctl status mycred2.service 
○ mycred2.service
     Loaded: loaded (/etc/systemd/system/mycred2.service; linked; preset: enabled)
     Active: inactive (dead)

Jul 18 07:25:24 mymachine systemd[1]: Started mycred2.service.
Jul 18 07:25:24 mymachine mycred2-start[4186]: SECRET_FILE=%d/mysecret
Jul 18 07:25:24 mymachine systemd[1]: mycred2.service: Deactivated successfully.

Testing `EnvironmentFile=` (specifier in the file path):

No expansion: Failed to load environment files: No such file or directory

[root@mymachine:~]# systemctl cat mycred3.service 
# /etc/systemd/system/mycred3.service
[Unit]

[Service]
Environment="LOCALE_ARCHIVE=/nix/store/5l0qzzkb3r3yxygdq3688fjcc18lwg3j-glibc-locales-2.37-8/lib/locale/locale-archive"
Environment="PATH=/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/bin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/bin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/bin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/bin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/bin:/nix/store/f11ibsj5vmqcy8ihfa8mzvpfs4af7cw5-coreutils-9.1/sbin:/nix/store/jvh4fbqfxwwn162k5hb8ndc4h5555wfa-findutils-4.9.0/sbin:/nix/store/rn5b13lbsslbvmmbqnqxdcagzqp4435w-gnugrep-3.7/sbin:/nix/store/w64nwxs3r6cyqgy6ssxib5i2r6k8yfc2-gnused-4.9/sbin:/nix/store/8lgs0dqh9ks1164fp4g14gq7w1ihjbf0-systemd-253.5/sbin"
Environment="TZDIR=/nix/store/4faw3w020cjxvd1dnxhg73mi10wcxvpw-tzdata-2023c/share/zoneinfo"



EnvironmentFile=%d/myenv
ExecStart=/nix/store/779g5cfp6yq0lcpd4snmikxk1bkvfh4n-unit-script-mycred3-start/bin/mycred3-start 
LoadCredential=myenv:/etc/myenv


[root@mymachine:~]# l /etc/myenv
-rw-r--r-- 1 root root 23 2023-07-18 08:33:21 /etc/myenv

[root@mymachine:~]# cat /etc/myenv
SECRET_FILE=/etc/hosts

[root@mymachine:~]# cat /nix/store/779g5cfp6yq0lcpd4snmikxk1bkvfh4n-unit-script-mycred3-start/bin/mycred3-start
#!/nix/store/7q1b1bsmxi91zci6g8714rcljl620y7f-bash-5.2-p15/bin/bash
set -e
echo SECRET_FILE=${SECRET_FILE}



[root@mymachine:~]# systemctl start mycred3.service 
Job for mycred3.service failed because of unavailable resources or another system error.
See "systemctl status mycred3.service" and "journalctl -xeu mycred3.service" for details.

[root@mymachine:~]# systemctl status mycred3.service 
× mycred3.service
     Loaded: loaded (/etc/systemd/system/mycred3.service; linked; preset: enabled)
     Active: failed (Result: resources)
         IP: 0B in, 0B out
        CPU: 0

Jul 18 08:34:59 mymachine systemd[1]: mycred3.service: Failed to load environment files: No such file or directory
Jul 18 08:34:59 mymachine systemd[1]: mycred3.service: Failed to run 'start' task: No such file or directory
Jul 18 08:34:59 mymachine systemd[1]: mycred3.service: Failed with result 'resources'.
Jul 18 08:34:59 mymachine systemd[1]: Failed to start mycred3.service.

Answer 1

Specifier expansion is done on `EnvironmentFile=`s, but note that specifier expansion is done on the value passed to the setting. So in the case of `EnvironmentFile=`, the value is the file path, not the file contents.

However, specifically for `%d`, the `EnvironmentFile=`s may be read before the credentials are loaded, so `%d` may not be a useful specifier. Looking at the code, at the point where the credentials are loaded, the environment variables from the files are already available: `setup_credentials()` is called from the `exec_child` function, whose `files_env` parameter contains the environment variables from the files.

There has been some discussion about providing credentials via the environment, but Lennart Poettering considers that "this is not a safe thing to do, since environment variables are by default inherited down the tree, even across privilege transitions", so this may be a deliberate design choice to make unsafe things harder to do.
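The distinction the answer draws (the path given to `EnvironmentFile=` is expanded, the file's contents are not, and a `%d` path points at a directory that does not exist yet when the file is read) can be reproduced outside systemd. The following is an added example, not code from the question, the answer or the systemd project: a small POSIX shell model that expands a handful of specifiers (`%n`, `%N`, `%d`, `%t`, `%%`, with the system-manager credential root `/run/credentials/<unit>` seen in the question's journal output), reads an environment file verbatim, and lints a unit file for `EnvironmentFile=` paths that resolve into the credentials directory. The function names are this example's own, and the env-file reader skips quoting and line-continuation handling that real systemd performs.

```shell
#!/bin/sh
# Added example (not from the question or answer above): a model of how
# systemd treats EnvironmentFile=. Only %n, %N, %d, %t and %% are modelled;
# the credential root is the system-manager one, /run/credentials/<unit>.
set -eu

# expand_specifiers UNIT VALUE: print VALUE with the modelled specifiers
# replaced. Unknown specifiers are left as written.
expand_specifiers() {
    awk -v unit="$1" -v value="$2" 'BEGIN {
        short = unit; sub(/\.[^.]*$/, "", short)   # %N: unit name without suffix
        out = ""; n = length(value)
        for (i = 1; i <= n; i++) {
            c = substr(value, i, 1)
            if (c == "%" && i < n) {
                i++; s = substr(value, i, 1)
                if      (s == "n") out = out unit
                else if (s == "N") out = out short
                else if (s == "d") out = out "/run/credentials/" unit
                else if (s == "t") out = out "/run"
                else if (s == "%") out = out "%"
                else               out = out "%" s   # not modelled: keep as-is
            } else out = out c
        }
        print out
    }'
}

# read_env_file FILE: print the KEY=VALUE lines systemd would take from an
# environment file. Contents pass through verbatim (no specifier expansion);
# blank lines and lines starting with '#' or ';' are skipped. A missing file
# fails the same way the question's third test did.
read_env_file() {
    if [ ! -r "$1" ]; then
        echo "Failed to load environment files: No such file or directory" >&2
        return 1
    fi
    awk '!/^[[:space:]]*$/ && !/^[[:space:]]*[#;]/' "$1"
}

# check_unit UNITFILE: print every EnvironmentFile= path after expansion and
# return 1 if any of them resolves under the credentials directory, which (as
# the answer explains) is populated only after environment files are read.
check_unit() {
    unit=${1##*/}
    rc=0
    while IFS= read -r line; do
        case $line in
            EnvironmentFile=*) ;;
            *) continue ;;
        esac
        path=${line#EnvironmentFile=}
        path=${path#-}                      # leading '-' means "ignore if missing"
        expanded=$(expand_specifiers "$unit" "$path")
        printf '%s -> %s\n' "$path" "$expanded"
        case $expanded in
            /run/credentials/"$unit"/*)
                echo "warning: $path resolves inside the credentials directory, which does not exist yet when EnvironmentFile= is read" >&2
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Constructed demo inputs (not the files from the question), run stand-alone.
demo() {
    tmp=$(mktemp -d)
    printf 'SECRET_FILE=%%d/mysecret\n' > "$tmp/mysecret.env"
    printf '[Service]\nEnvironmentFile=%%d/myenv\nLoadCredential=myenv:/etc/myenv\n' > "$tmp/mycred3.service"
    echo "# like test 2: file contents are not expanded"
    read_env_file "$tmp/mysecret.env"
    echo "# like test 3: the path is expanded, then flagged"
    check_unit "$tmp/mycred3.service" || echo "# check_unit returned $?"
    rm -rf "$tmp"
}

demo
```

Running the script prints `SECRET_FILE=%d/mysecret` for the first file (the `%d` in the contents survives untouched) and `%d/myenv -> /run/credentials/mycred3.service/myenv` followed by the warning for the unit, which is the same path systemd tried and failed to open in the third test. `check_unit` is the piece worth keeping: run over a unit directory it catches `EnvironmentFile=%d/...` before deployment rather than at service start.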
