network: gracefully disable resolve hook when socket is disabled

systemd-networkd cannot create the directory /run/systemd/resolve.hook/. Even
if the directory exists, it is not owned by systemd-network user/group, so
systemd-networkd cannot create socket file in the directory. Hence, if the
systemd-networkd-resolve-hook.socket unit is disabled, networkd fails to open
the varlink socket, and fail to start:

  systemd-networkd[1304645]: Failed to bind to systemd-resolved hook Varlink socket: Permission denied
  systemd-networkd[1304645]: Could not set up manager: Permission denied
  systemd[1]: systemd-networkd.service: Main process exited, code=exited, status=1/FAILURE
  systemd[1]: systemd-networkd.service: Failed with result 'exit-code'.
  systemd[1]: Failed to start systemd-networkd.service - Network Management.

If the socket unit is disabled, that should mean the system administrator wants
to disable the feature. Let's not try to setup the varlink socket in that case.

Now the resolve hook feature can be toggled by enabling/disabling the socket
unit, let's drop the $SYSTEMD_NETWORK_RESOLVE_HOOK environment variable.

Follow-up for a7fa29b1b5.
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>

src/network/networkd-resolve-hook.c

@@ -5,12 +5,14 @@
 #include "sd-varlink.h"
 
 #include "alloc-util.h"
+#include "argv-util.h"
 #include "dns-answer.h"
 #include "dns-domain.h"
 #include "dns-packet.h"
 #include "dns-question.h"
 #include "dns-rr.h"
 #include "env-util.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "networkd-link.h"
 #include "networkd-manager.h"
@@ -214,17 +216,14 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) {
         if (m->varlink_resolve_hook_server)
                 return 0;
 
-        r = getenv_bool("SYSTEMD_NETWORK_RESOLVE_HOOK");
-        if (r < 0 && r != -ENXIO)
-                log_warning_errno(r, "Failed to parse $SYSTEMD_NETWORK_RESOLVE_HOOK, ignoring: %m");
-        if (r == 0) {
-                log_notice("Resolve hook disabled via $SYSTEMD_NETWORK_RESOLVE_HOOK.");
+        if (fd < 0 && invoked_by_systemd()) {
+                log_debug("systemd-networkd-resolve-hook.socket seems to be disabled, not installing varlink server.");
                 return 0;
         }
 
         r = varlink_server_new(&s, SD_VARLINK_SERVER_ACCOUNT_UID|SD_VARLINK_SERVER_INHERIT_USERDATA, m);
         if (r < 0)
-                return log_error_errno(r, "Failed to allocate varlink server object: %m");
+                return log_error_errno(r, "Failed to allocate varlink server: %m");
 
         (void) sd_varlink_server_set_description(s, "varlink-resolve-hook");
 
@@ -243,12 +242,17 @@ int manager_varlink_init_resolve_hook(Manager *m, int fd) {
         if (r < 0)
                 return log_error_errno(r, "Failed to bind on resolve hook disconnection events: %m");
 
-        if (fd < 0)
-                r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network", 0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
-        else
+        if (fd < 0) {
+                r = sd_varlink_server_listen_address(s, "/run/systemd/resolve.hook/io.systemd.Network",
+                                                     0666 | SD_VARLINK_SERVER_MODE_MKDIR_0755);
+                if (ERRNO_IS_NEG_PRIVILEGE(r)) {
+                        log_info_errno(r, "Failed to bind to systemd-resolved hook varlink socket, ignoring: %m");
+                        return 0;
+                }
+        } else
                 r = sd_varlink_server_listen_fd(s, fd);
         if (r < 0)
-                return log_error_errno(r, "Failed to bind to systemd-resolved hook Varlink socket: %m");
+                return log_error_errno(r, "Failed to bind to systemd-resolved hook varlink socket: %m");
 
         TAKE_FD(fd_close);
 

test/networkd-test.py

@@ -97,9 +97,6 @@ def setUpModule():
     if os.path.isdir('/run/systemd/resolve'):
         os.chmod('/run/systemd/resolve', 0o755)
         shutil.chown('/run/systemd/resolve', 'systemd-resolve', 'systemd-resolve')
-    if os.path.isdir('/run/systemd/resolve.hook'):
-        os.chmod('/run/systemd/resolve.hook', 0o755)
-        shutil.chown('/run/systemd/resolve.hook', 'systemd-network', 'systemd-network')
     if os.path.isdir('/run/systemd/netif'):
         os.chmod('/run/systemd/netif', 0o755)
         shutil.chown('/run/systemd/netif', 'systemd-network', 'systemd-network')
@@ -976,9 +973,6 @@ EOF
 # Hence, 'networkctl persistent-storage yes' cannot be used.
 export SYSTEMD_NETWORK_PERSISTENT_STORAGE_READY=1
 
-# Don't try to register resolved hook for our testcase
-export SYSTEMD_NETWORK_RESOLVE_HOOK=0
-
 # Generate debugging logs.
 export SYSTEMD_LOG_LEVEL=debug