meta-ibm: Enable emergency/rescue when root locked

When the root account is locked, the systemd emergency and rescue
targets fail with an error message.  That is because they run the
sulogin command, which prompts for the root password.

The solution is for those services to specify the sulogin --force
option.  For more information, see sulogin(8).

systemd uses a "wrapper" executable named systemd-sulogin-shell to run
sulogin.  If the environment variable SYSTEMD_SULOGIN_FORCE is set to 1,
systemd-sulogin-shell runs sulogin with the --force option.  For more
information, see https://systemd.io/ENVIRONMENT/

Create drop-in directories for the emergency and rescue service files.
In those directories, create a .conf file that sets
SYSTEMD_SULOGIN_FORCE to 1 for those services.

Signed-off-by: Shawn McCarney <shawnmm@us.ibm.com>
Change-Id: I39359e91d99e490b9e57508f96f56567b49c663e

2 files changed, 16 insertions, 0 deletions

diff --git a/meta-ibm/recipes-core/systemd/systemd/systemd-sulogin-force.conf b/meta-ibm/recipes-core/systemd/systemd/systemd-sulogin-force.conf
new file mode 100644
index 0000000000..919fc24fe0
--- /dev/null
+++ b/meta-ibm/recipes-core/systemd/systemd/systemd-sulogin-force.conf
@@ -0,0 +1,11 @@
+# This file sets the SYSTEMD_SULOGIN_FORCE environment variable used by
+# systemd-sulogin-shell.  This skips asking for the root password if the root
+# password is not available (such as when the root account is locked).
+#
+# This override is intended to be used with the emergency and rescue service
+# files.
+#
+# See https://systemd.io/ENVIRONMENT/ and sulogin(8) for more information.
+
+[Service]
+Environment=SYSTEMD_SULOGIN_FORCE=1
diff --git a/meta-ibm/recipes-core/systemd/systemd_%.bbappend b/meta-ibm/recipes-core/systemd/systemd_%.bbappend
index 0a09253650..1a3cf71dfb 100644
--- a/meta-ibm/recipes-core/systemd/systemd_%.bbappend
+++ b/meta-ibm/recipes-core/systemd/systemd_%.bbappend
@@ -9,6 +9,7 @@ SRC_URI:append:p10bmc = " file://journald-size-policy-16MB.conf"
 SRC_URI:append:p10bmc = " file://vm.conf"
 SRC_URI:append:p10bmc = " file://network.conf"
 SRC_URI:append:p10bmc = " file://systemd-networkd-only-wait-for-one.conf"
+SRC_URI:append:p10bmc = " file://systemd-sulogin-force.conf"
 
 SRC_URI:append:genesis3 = " file://systemd-networkd-only-wait-for-one.conf"
 SRC_URI:append:sbp1 = " file://systemd-networkd-only-wait-for-one.conf"
@@ -24,6 +25,8 @@ FILES:${PN}:append:p10bmc = " ${systemd_unitdir}/journald.conf.d/journald-size-p
 FILES:${PN}:append:p10bmc = " ${sysconfdir}/sysctl.d/vm.conf"
 FILES:${PN}:append:p10bmc = " ${sysconfdir}/sysctl.d/network.conf"
 FILES:${PN}:append:p10bmc = " ${systemd_system_unitdir}/systemd-networkd-wait-online.service.d/systemd-networkd-only-wait-for-one.conf"
+FILES:${PN}:append:p10bmc = " ${systemd_system_unitdir}/emergency.service.d/systemd-sulogin-force.conf"
+FILES:${PN}:append:p10bmc = " ${systemd_system_unitdir}/rescue.service.d/systemd-sulogin-force.conf"
 
 FILES:${PN}:append:genesis3 = " ${systemd_system_unitdir}/systemd-networkd-wait-online.service.d/systemd-networkd-only-wait-for-one.conf"
 FILES:${PN}:append:sbp1 = " ${systemd_system_unitdir}/systemd-networkd-wait-online.service.d/systemd-networkd-only-wait-for-one.conf"
@@ -41,6 +44,8 @@ do_install:append:p10bmc() {
         install -m 644 -D ${WORKDIR}/vm.conf ${D}${sysconfdir}/sysctl.d/vm.conf
         install -m 644 -D ${WORKDIR}/network.conf ${D}${sysconfdir}/sysctl.d/network.conf
         install -m 644 -D ${WORKDIR}/systemd-networkd-only-wait-for-one.conf ${D}${systemd_system_unitdir}/systemd-networkd-wait-online.service.d/systemd-networkd-only-wait-for-one.conf
+        install -m 644 -D ${WORKDIR}/systemd-sulogin-force.conf ${D}${systemd_system_unitdir}/emergency.service.d/systemd-sulogin-force.conf
+        install -m 644 -D ${WORKDIR}/systemd-sulogin-force.conf ${D}${systemd_system_unitdir}/rescue.service.d/systemd-sulogin-force.conf
 }
 
 # Genesis3 and SBP1 uses both BMC's RGMII MACs, so wait for only one to be online