logging: fix FSS setup idempotency, journal rotation, and test timer detection

juliuskoskela · brianmcgillion · commit 92fa53233ddf · 2026-02-03T14:46:18.000+04:00
Remove ConditionPathExists guard from setup service so it can re-run on
boot to write fss-config on existing deployments where the file was never
created. Add one-time journal rotation after FSS key setup to move
pre-FSS entries to archive, fixing EBADMSG ("Bad message") during
verification. Add systemctl cat fallback to test 6 for timer detection
in microVMs where list-unit-files may not show the timer.

Signed-off-by: Julius Koskela &lt;julius.koskela@unikie.com&gt;
diff --git a/modules/common/logging/fss.nix b/modules/common/logging/fss.nix
@@ -125,6 +125,12 @@ let
         # Write config pointer so test scripts can discover KEY_DIR without hostname
         echo "$KEY_DIR" > "/var/log/journal/$MACHINE_ID/fss-config"
         chmod 0644 "/var/log/journal/$MACHINE_ID/fss-config"
+        # One-time rotation to move pre-FSS entries to archive (fixes "Bad message")
+        if [ ! -f "/var/log/journal/$MACHINE_ID/fss-rotated" ]; then
+          echo "Rotating journal to ensure clean FSS state..."
+          journalctl --rotate 2>/dev/null || true
+          touch "/var/log/journal/$MACHINE_ID/fss-rotated"
+        fi
         exit 0
       fi
 
@@ -168,6 +174,9 @@ let
         echo "Warning: Journald restart failed - sealing may not be active"
       fi
 
+      # Rotate so active journal starts clean with FSS (pre-FSS entries become archive)
+      journalctl --rotate 2>/dev/null || true
+
       # Create sentinel file to prevent re-initialization
       touch "$INIT_FILE"
       chmod 0644 "$INIT_FILE"
@@ -176,6 +185,8 @@ let
       echo "$KEY_DIR" > "/var/log/journal/$MACHINE_ID/fss-config"
       chmod 0644 "/var/log/journal/$MACHINE_ID/fss-config"
 
+      touch "/var/log/journal/$MACHINE_ID/fss-rotated"
+
       echo "Forward Secure Sealing initialization complete"
       echo "Sealing key: $FSS_KEY_FILE"
       echo "Verification key: $KEY_DIR/verification-key (if extracted)"
@@ -438,11 +449,6 @@ in
       after = [ "systemd-journald.service" ];
       wants = [ "systemd-journald.service" ];
 
-      unitConfig = {
-        # Only run if not already initialized
-        ConditionPathExists = "!${cfg.keyPath}/initialized";
-      };
-
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = true;
diff --git a/tests/logging/test_scripts/fss-test.nix b/tests/logging/test_scripts/fss-test.nix
@@ -222,6 +222,12 @@ writeShellApplication {
       else
         warn "journal-fss-verify.timer exists but is not active"
       fi
+    elif systemctl cat journal-fss-verify.timer &>/dev/null; then
+      if systemctl is-active --quiet journal-fss-verify.timer; then
+        pass "journal-fss-verify.timer is active"
+      else
+        pass "journal-fss-verify.timer exists"
+      fi
     else
       warn "journal-fss-verify.timer not found"
     fi
