#!/usr/bin/env bash # SPDX-License-Identifier: LGPL-2.1-or-later # shellcheck disable=SC2016 set -eux set -o pipefail if [[ ! -x /usr/lib/systemd/systemd-journal-remote || ! -x /usr/lib/systemd/systemd-journal-upload ]]; then echo "Built without systemd-journal-remote/upload support, skipping the test" exit 0 fi if ! command -v openssl >/dev/null; then echo "openssl command not available, skipping the tests" exit 0 fi at_exit() { set +e systemctl stop systemd-journal-upload systemctl stop systemd-journal-remote.{socket,service} # Remove any remote journals on exit, so we don't try to export them together # with the local journals, causing a mess rm -rf /var/log/journal/remote } trap at_exit EXIT TEST_MESSAGE="-= This is a test message $RANDOM =-" TEST_TAG="$(systemd-id128 new)" echo "$TEST_MESSAGE" | systemd-cat -t "$TEST_TAG" journalctl --sync /usr/lib/systemd/systemd-journal-remote --version /usr/lib/systemd/systemd-journal-remote --help /usr/lib/systemd/systemd-journal-upload --version /usr/lib/systemd/systemd-journal-upload --help # Generate a self-signed certificate for systemd-journal-remote # # Note: older OpenSSL requires a config file with some extra options, unfortunately # Note2: /run here is used on purpose, since the systemd-journal-remote service uses PrivateTmp=yes mkdir -p /run/systemd/journal-remote-tls cat >/tmp/openssl.conf </run/systemd/journal-remote.conf.d/99-test.conf </run/systemd/journal-upload.conf.d/99-test.conf </run/systemd/remote-pki/ca.conf </run/systemd/remote-pki/client.conf </run/systemd/remote-pki/server.conf </run/systemd/remote-pki/ca.srl # Generate a client key and signing request openssl req -nodes -newkey rsa:2048 -sha256 \ -config /run/systemd/remote-pki/client.conf \ -keyout /run/systemd/remote-pki/client.key \ -out /run/systemd/remote-pki/client.csr # Sign the request with the CA key openssl x509 -req -days 7 \ -in /run/systemd/remote-pki/client.csr \ -CA /run/systemd/remote-pki/ca.crt \ -CAkey /run/systemd/remote-pki/ca.key \ -out /run/systemd/remote-pki/client.crt # And do the same for the server openssl req -nodes -newkey rsa:2048 -sha256 \ -config /run/systemd/remote-pki/server.conf \ -keyout /run/systemd/remote-pki/server.key \ -out /run/systemd/remote-pki/server.csr openssl x509 -req -days 7 \ -in /run/systemd/remote-pki/server.csr \ -CA /run/systemd/remote-pki/ca.crt \ -CAkey /run/systemd/remote-pki/ca.key \ -out /run/systemd/remote-pki/server.crt setfacl -R -m "u:systemd-journal-remote:rwX" /run/systemd/remote-pki setfacl -R -m "u:systemd-journal-upload:rwX" /run/systemd/remote-pki # Reconfigure journal-upload/journal remote with the new keys cat >/run/systemd/journal-remote.conf.d/99-test.conf </run/systemd/journal-upload.conf.d/99-test.conf </run/systemd/journal-upload.conf.d/99-test.conf <