#!/bin/sh
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Configures the root filesystem it runs in: sanitizer drop-ins for systemd,
# IMAGE_ID/IMAGE_VERSION in os-release, the authselect profile, resolv.conf,
# the python3 alternative on CentOS 8 and a fixed test account.

# Stop at the first command that fails; every step below writes system files.
set -e

# Nothing to do when the first argument is "build".
# NOTE(review): presumably the phase name passed by the image builder - confirm.
case "$1" in
build)
    exit 0
    ;;
esac

# Extra setup for sanitizer-instrumented builds; skipped when SANITIZERS is empty.
if [ -n "$SANITIZERS" ]; then
    # Third column of ldd's libasan.so line, i.e. the resolved library path.
    # Left empty when the systemd binary does not link against libasan.
    # NOTE(review): if LD_PRELOAD is already exported, this assignment also
    # applies to every command started further down in this script.
    LD_PRELOAD=$(ldd /usr/lib/systemd/systemd | awk '/libasan.so/ {print $3}')

    # Pass the sanitizer options and the preload path to the manager itself
    # (ManagerEnvironment=) and to the units it starts (DefaultEnvironment=).
    # The heredoc is unquoted on purpose: the variables are expanded now and
    # each "\\" becomes a single trailing backslash (line continuation).
    mkdir -p /etc/systemd/system.conf.d
    cat >/etc/systemd/system.conf.d/10-asan.conf <<EOF
[Manager]
ManagerEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
LD_PRELOAD=$LD_PRELOAD
DefaultEnvironment=ASAN_OPTIONS=$MKOSI_ASAN_OPTIONS\\
UBSAN_OPTIONS=$MKOSI_UBSAN_OPTIONS\\
LD_PRELOAD=$LD_PRELOAD
EOF

    # ASAN reports go to stderr, and journald's stderr is connected to
    # /dev/null, so its reports would be lost. Connecting journald's stdout to
    # the console makes sanitizer failures show up on the user's console.
    mkdir -p /etc/systemd/system/systemd-journald.service.d
    printf '%s\n' \
        '[Service]' \
        'StandardOutput=tty' \
        >/etc/systemd/system/systemd-journald.service.d/10-stdout-tty.conf

    # systemd and util-linux's login both call vhangup() on /dev/console,
    # which disconnects all users, journald included, even with
    # StandardOutput=tty. Workaround: console-getty.service no longer hangs up
    # the TTY itself, and CAP_SYS_TTY_CONFIG is dropped from its bounding set
    # so that login cannot call vhangup() either.
    mkdir -p /etc/systemd/system/console-getty.service.d
    printf '%s\n' \
        '[Service]' \
        'TTYVHangup=no' \
        'CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG' \
        >/etc/systemd/system/console-getty.service.d/10-no-vhangup.conf

    # ASAN and syscall filters are not compatible with each other.
    # This comments out every line that starts with "MemoryDeny" or
    # "SystemCall" (MemoryDenyWriteExecute=, SystemCallFilter=, ...) in every
    # regular *.service file found below /. It removes that sandboxing from all
    # services at once, so an image built this way is for sanitizer testing and
    # must not be treated as hardened.
    find / -type f -name '*.service' \
        -exec sed -i 's/^\(MemoryDeny\|SystemCall\)/# \1/' {} +

    # `systemd-hwdb update` takes more than 50s when built with sanitizers, so
    # it is not run by default.
    systemctl mask systemd-hwdb-update.service
fi

# Record IMAGE_ID in os-release when one was provided.
if [ -n "$IMAGE_ID" ]; then
    # -n plus '!p' prints every line except an existing IMAGE_ID= entry; the
    # '$a' command then appends the new assignment after the last line.
    # NOTE(review): the value is spliced into the sed program text and the
    # file is later read back with `.` by this script, so a backslash, newline
    # or shell metacharacter in IMAGE_ID is interpreted rather than stored
    # literally. Presumably the value comes from trusted build configuration;
    # validate it where it is set.
    sed -n -i -e '/^IMAGE_ID=/!p' -e "\$aIMAGE_ID=$IMAGE_ID" /usr/lib/os-release
fi

# Record IMAGE_VERSION in os-release when one was provided.
if [ -n "$IMAGE_VERSION" ]; then
    # Drop any existing IMAGE_VERSION= line ('!p' under -n keeps the others)
    # and append the new assignment after the last line ('$a').
    # NOTE(review): the value becomes part of the sed program and the file is
    # sourced as shell later in this script, so a backslash, newline or shell
    # metacharacter in IMAGE_VERSION is interpreted, not stored literally.
    # Presumably set by trusted build configuration; validate it at the source.
    sed -n -i -e '/^IMAGE_VERSION=/!p' -e "\$aIMAGE_VERSION=$IMAGE_VERSION" /usr/lib/os-release
fi

# Only on systems that ship authselect: switch to the "minimal" profile.
if command -v authselect >/dev/null; then
    authselect select minimal

    # Turn on the with-homed feature only if the minimal profile lists it.
    # The pipeline's status is grep's, so a failing list-features call simply
    # counts as "feature not available".
    if authselect list-features minimal |
        grep -q "with-homed"; then
        authselect enable-feature with-homed
    fi
fi

# tmpfiles.d/systemd-resolve.conf is meant to create the /etc/resolv.conf
# symlink. Something may be mounted over that path, so undo the mount first
# and then remove whatever file is left.
if mountpoint -q /etc/resolv.conf; then
    umount /etc/resolv.conf
fi
rm -f /etc/resolv.conf

# Load ID, VERSION, etc. into this shell.
# NOTE(review): `.` evaluates the whole file as shell code, including the
# IMAGE_ID/IMAGE_VERSION lines this script appended above without quoting.
. /usr/lib/os-release

# CentOS 8 only: register python3.9 as an alternative for python3 and select it.
case "$ID:$VERSION" in
centos:8)
    alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1
    alternatives --set python3 /usr/bin/python3.9
    ;;
esac

# Declare a test account with the fixed UID 4711 via sysusers.d ...
mkdir -p /usr/lib/sysusers.d
printf '%s\n' 'u testuser 4711 "Test User" /home/testuser' \
    >/usr/lib/sysusers.d/testuser.conf

# ... and its home directory via tmpfiles.d: mode 0700, owner and group 4711.
mkdir -p /usr/lib/tmpfiles.d
printf '%s\n' 'q /home/testuser 0700 4711 4711' \
    >/usr/lib/tmpfiles.d/testuser.conf