Commit f551d91f authored by benaryorg, committed by github-actions[bot]

nixos/systemd: unconditional systemd-journald-audit.socket

Containers did not have *systemd-journald-audit.socket* in *additionalUpstreamSystemUnits*, which meant that the unit was not provided.
However, the *wantedBy* was added without any additional check, therefore creating an empty unit with just the *WantedBy* on *boot.isContainer* machines.
This caused `systemd-analyze verify` to fail:

```text
systemd-journald-audit.socket: Unit has no Listen setting (ListenStream=, ListenDatagram=, ListenFIFO=, ...). Refusing.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
systemd-journald-audit.socket: Cannot add dependency job, ignoring: Unit systemd-journald-audit.socket has a bad unit file setting.
```

The upstream unit already contains the following, which should make it safe to include regardless:

```ini
[Unit]
ConditionSecurity=audit
ConditionCapability=CAP_AUDIT_READ
```

For reference, this popped up in the context of #[360426](https://redirect.github.com/NixOS/nixpkgs/issues/360426) as well as #[407696](https://redirect.github.com/NixOS/nixpkgs/pull/407696).

Co-authored-by: Bruce Toll <4109762+tollb@users.noreply.github.com>
Signed-off-by: benaryorg <binary@benary.org>
(cherry picked from commit e434130d)
parent 0c6b3ff3
+13 −16
@@ -116,8 +116,7 @@ in
  };

  config = {
    systemd.additionalUpstreamSystemUnits =
      [
    systemd.additionalUpstreamSystemUnits = [
      "systemd-journald.socket"
      "systemd-journald@.socket"
      "systemd-journald-varlink@.socket"
@@ -126,9 +125,7 @@ in
      "systemd-journal-flush.service"
      "systemd-journal-catalog-update.service"
      "systemd-journald-sync@.service"
      ]
      ++ (lib.optional (!config.boot.isContainer) "systemd-journald-audit.socket")
      ++ [
      "systemd-journald-audit.socket"
      "systemd-journald-dev-log.socket"
      "syslog.socket"
    ];
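Review bot: with the `lib.optional (!config.boot.isContainer)` guard dropped, nothing in this module records why an audit socket is now listed for containers; add a comment beside `"systemd-journald-audit.socket"` stating that the upstream unit's `ConditionSecurity=audit` and `ConditionCapability=CAP_AUDIT_READ` are what keep it inactive there, otherwise the next reader is likely to reintroduce the guard. Listing the unit unconditionally is the right fix for the problem in the commit message, since the old guard only removed the unit file while `wantedBy` still produced the empty `WantedBy`-only unit that `systemd-analyze verify` rejected.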
+16 −0
@@ -24,6 +24,12 @@ import ./make-test-python.nix (
      boot.kernel.sysctl."kernel.printk_ratelimit" = 0;
      boot.kernelParams = [ "audit_backlog_limit=8192" ];
    };
    nodes.containerCheck = {
      containers.c1 = {
        autoStart = true;
        config = { };
      };
    };

    testScript = ''
      machine.wait_for_unit("multi-user.target")
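Review bot: a one-line comment above `nodes.containerCheck` saying what the node is for (checking that `systemd-journald-audit.socket` is present but stays inactive inside the `c1` container) would help, since `config = { };` reads like an unfinished placeholder on its own.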
@@ -56,6 +62,16 @@ import ./make-test-python.nix (
        # logs ideally should NOT end up in kmesg, but they do due to
        # https://github.com/systemd/systemd/issues/15324
        journaldAudit.succeed("journalctl _TRANSPORT=kernel --grep 'unit=systemd-journald'")


      with subtest("container systemd-journald-audit not running"):
        containerCheck.wait_for_unit("multi-user.target");
        containerCheck.wait_until_succeeds("systemctl -M c1 is-active default.target");

        # systemd-journald-audit.socket should exist but not run due to the upstream unit's `Condition*` settings
        (status, output) = containerCheck.execute("systemctl -M c1 is-active systemd-journald-audit.socket")
        containerCheck.log(output)
        assert status == 3 and output == "inactive\n", f"systemd-journald-audit.socket should exist in a container but remain inactive, was {output}"
    '';
  }
)
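Review bot: the final assertion does not show that the unit exists: `systemctl is-active` also prints `inactive` and exits 3 for a unit that is not present at all, so this subtest would still pass if the socket were missing from the container, which is exactly the regression it is meant to guard against. Add an explicit presence check first, e.g. `containerCheck.succeed("systemctl -M c1 cat systemd-journald-audit.socket")`, and keep the `is-active` check for the inactive state. Minor style: the trailing semicolons on the `wait_for_unit` and `wait_until_succeeds` lines are unusual in the Python test script, and the two blank lines before the `with subtest(...)` block could be one.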