On Do, 22.08.24 14:44, Gesh (gesh@xxxxxxxxxxx) wrote:
> On Thu, Aug 22, 2024 at 11:57:58AM GMT, Lennart Poettering wrote:
> > On Di, 13.08.24 01:28, Gesh (gesh@xxxxxxxxxxx) wrote:
> >
> > > systemd.exec(5) reads:
> > > > In order to reference the path a credential may be read from within a
> > > > ExecStart= command line use "${CREDENTIALS_DIRECTORY}/mycred", e.g.
> > > > "ExecStart=cat ${CREDENTIALS_DIRECTORY}/mycred". In order to reference the
> > > > path a credential may be read from within a Environment= line use "%d/mycred",
> > > > e.g. "Environment=MYCREDPATH=%d/mycred".
> > >
> > > Is there a reason that the `ExecStart=` line should specifically refer to
> > > `$CREDENTIALS_DIRECTORY` and not `%d`? Surely these are equivalent?
> >
> > They are mostly equivalent. But note that people can override
> > CREDENTIALS_DIRECTORY locally via Environment=, if they really wish
> > to. %d would be unaffected by that.
> >
> > Also, if you do "systemctl show" on that unit, the %d thing will be
> > resolved at that time, but $CREDENTIALS_DIRECTORY will not be.
>
> Ah, fair enough, and this makes sense given the semantics.
> That gets us closer, but I still don't fully grasp the implications --
> is there a reason to recommend using one over the other?
specifiers are simple: they resolve directly and config parse
time. that makes them really simple: eager eval makes them mostly
"static" during runtime, and they are always available in their final
form.
env vars are terrible in contrast, they resolve lazily, and executoin
time, have many inputs, are different on every invocation, have to
deal with escaping and what not.
> At a guess, the `Environment=` directive would either be unaffected or
> have unclear semantics (in case of loops) if a user attempted to
> override `CREDENTIALS_DIRECTORY`, hence there's no harm in freezing
> its resolution; but the `Exec*` directives should be left
> influenceable in case the user's configuration requires moving
> `CREDENTIALS_DIRECTORY`?
i am not sure i follow.
Env vars in Exec*= are resolved at the moment we actually fork off a
process, not early. And env vars combine Environment=,
EnvironmentFile= and various others sources of env vars in a defined
order. It's a complex system of inheritance and overriding.
Lennart
--
Lennart Poettering, Berlin
Re: CREDENTIALS_DIRECTORY vs %d
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: CREDENTIALS_DIRECTORY vs %d
- From: Lennart Poettering <mzxreary@xxxxxxxxxxx>
- Date: Thu, 22 Aug 2024 14:01:02 +0200
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <wxiimfhoczbfao7hjxunna6brnjh34oeon4u2tslmergaogo4g@nqszvgqpkxgf>
- References: <gtgobs2qckexdbw2gn2tbxhj76ivqmshnbopxod4amsusdo6qe@ksvtk76k5ojw> <ZscLpsmORUI6U21T@gardel-login> <wxiimfhoczbfao7hjxunna6brnjh34oeon4u2tslmergaogo4g@nqszvgqpkxgf>
- Follow-Ups:
- Re: CREDENTIALS_DIRECTORY vs %d
- From: Gesh
- Re: CREDENTIALS_DIRECTORY vs %d
- References:
- CREDENTIALS_DIRECTORY vs %d
- From: Gesh
- Re: CREDENTIALS_DIRECTORY vs %d
- From: Lennart Poettering
- Re: CREDENTIALS_DIRECTORY vs %d
- From: Gesh
- CREDENTIALS_DIRECTORY vs %d
- Prev by Date: Re: Configuring units (Was: Re: Can I use an EnvironmentFile to configure a Timer?)
- Next by Date: Re: systemd-measure in cross compile environment, and measured-uki vs tpm2 in ConditionSecurity?
- Previous by thread: Re: CREDENTIALS_DIRECTORY vs %d
- Next by thread: Re: CREDENTIALS_DIRECTORY vs %d
- Index(es):
 |