Adrian Vovk [Sat, 23 Dec 2023 22:03:42 +0000 (17:03 -0500)]
sleep: Always freeze user.slice
Previously, we'd only freeze user.slice in the case of s2h, because we
didn't want the user session to resume while systemd was transitioning
from suspend to hibernate.
This commit extends this freezing behavior to all sleep modes.
We also have an environment variable to disable the freezing behavior
outright. This is a necessary workaround for someone that has hooks
in /usr/lib/systemd/system-sleep/ which communicate with some
process running under user.slice, or if someone is using the proprietary
NVIDIA driver which breaks when user.slice is frozen (issue #27559)
Adrian Vovk [Sat, 23 Dec 2023 21:57:47 +0000 (16:57 -0500)]
bus-unit-util: Add utility to freeze/thaw units
This utility lets us freeze units, and then automatically thaw them
when via a _cleanup_ handler. For example, you can now write something
like:
```
_cleanup_(unit_freezer_thaw) UnitFreezer freezer = UNIT_FREEZER_NULL;
r = unit_freezer_freeze("myunit.service", &freezer);
if (r < 0)
return r;
// Freeze is thawed once this scope ends
```
Aside from the basic _freeze and _thaw methods, there's also
_cancel and _restore. Cancel destroys the UnitFreezer without
thawing the unit. Restore creates a UnitFreezer without freezing it.
The idea of these two methods is that it allows the freeze/thaw to
be separated from each other (i.e. done in response to two separate
DBus method calls). For example:
```
_cleanup_(unit_freezer_thaw) UnitFreezer freezer = UNIT_FREEZER_NULL;
r = unit_freezer_freeze("myunit.service", &freezer);
if (r < 0)
return r;
// Freeze is thawed once this scope ends
r = do_something()
if (r < 0)
return r; // Freeze is thawed
unit_freezer_cancel(&freezer); // Thaw is canceled.
```
Then in another scope:
```
// Bring back a UnitFreezer object for the already-frozen service
_cleanup_(unit_freezer_thaw) UnitFreezer freezer = UNIT_FREEZER_NULL;
r = unit_freezer_restore("myunit.service", &freezer);
if (r < 0)
return r;
// Freeze is thawed once this scope ends
```
Nick Rosbrook [Mon, 4 Mar 2024 20:43:57 +0000 (15:43 -0500)]
test: check for kernel.apparmor_restrict_unprivileged_userns
Some tests in test-execute are already skipped if we do not have
unprivileged user namespaces. Extend this check to look for an apparmor
specific sysctl indicating that unprivileged userns creation is
restricted.
Luca Boccassi [Sun, 3 Mar 2024 18:14:31 +0000 (18:14 +0000)]
test: fix test-resolved-stream unit test failure
On Noble setting this ioctl fails:
1570s 819/1330 systemd:resolve / test-resolved-stream FAIL 0.14s killed by signal 6 SIGABRT
1570s Successfully forked off '(usernstest)' as PID 27737.
1570s Skipping PR_SET_MM, as we don't have privileges.
1570s (usernstest) succeeded.
1570s Assertion 'ioctl(socket_fd, SIOCSIFFLAGS, &req) >= 0' failed at src/resolve/test-resolved-stream.c:372, function try_isolate_network(). Aborting.
Luca Boccassi [Sun, 3 Mar 2024 18:15:26 +0000 (18:15 +0000)]
test: fix test-loopback failure when lacking privileges
Setting up the loopback might fail due to lack of privileges, as it
happens when running unit tests in the Noble CI environment. Skip
the test when it happens.
1584s 862/1330 systemd:test / test-loopback FAIL 0.01s exit status 1
1584s /* test_loopback_setup */
1584s Failed to configure loopback network device, ignoring: Operation not permitted
1584s loopback: Operation not permitted
hostnamectl: gracefully handle old hostnamed replies to GetHardwareSerial()
Old versions of hostnamed used to propagate ENODEV/ENOENT as-is. Bad
idea. This was fixed in 171ddae1a122e9c97b4ef12ccb2d29e1ba7a318a, but
let's handle this gracefully in hostnamectl.
test: explicitly set TERM=linux for TEST-69-SHUTDOWN
sulogin from the latest util-linux started falling back to vt102 instead
of linux, which makes screen sad (because we install only the linux
terminfo into the test image) and expect trips over the unexpected
warning. Let's just explicitly set TERM=linux before invoking screen to
avoid this.
+ make -C TEST-69-SHUTDOWN setup run
...
INFO:test-shutdown:log in and start screen
root
root
Last login: Sun Mar 3 13:19:31 from 18.191.105.60
-bash-5.2# screen
screen
Cannot find terminfo entry for 'vt102'.
-bash-5.2# ERROR:test-shutdown:Timeout exceeded.
Mike Yuan [Sun, 3 Mar 2024 10:37:36 +0000 (18:37 +0800)]
man/sd_notify: be explicit that FDPOLL= is not a global setting
"submitted" is already used in the description of FDNAME=.
Let's use that instead of "stored" for FDPOLL= too, to make
it more clear that it's a per-submission/per-fdset setting.
Piotr Drąg [Sat, 2 Mar 2024 15:06:15 +0000 (16:06 +0100)]
po: add false positives to POTFILES.skip
Scripts used to detect files that should be in POTFILES.in, like
intltool-update -m used on https://l10n.gnome.org/module/systemd/,
falsely detect these files as containing translations. Avoid this
behavior by putting the files in POTFILES.skip.
Ronan Pigott [Fri, 1 Mar 2024 04:42:43 +0000 (21:42 -0700)]
resolve: skip IP_UNICAST_IF for local sockets
SO_BINDTODEVICE was used during connect() to fix an issue where
IP_UNICAST_IF was improperly ignored for route lookups made by connect
in linux. This has since been resolved upstream [1][2], but as a result
we must apply the local socket excpetion to IP_UNICAST_IF as well.
The SO_BINDTODEVICE is no longer necessary, but left in place for 5.x
kernels.
For the very similar case of the product UUID we have its own error
BUS_ERROR_NO_PRODUCT_UUID if we have no UUID. Let's mirror this for the
hardware serial, and expose the same, to keep things nicely symmteric.
This also replaces the Fedora download example with another one from
Ubuntu, since Fedora's images these days no longer qualify as DDIs, they
have no distinctive partition type UUIDs set for multiple of their
partitions, hence the images cannot be booted. A bit sad. Let's provide
a command that just works in its place.
It's a bit weird we allow importing/pulling/exporting images, but we
have no scheme for showing what#s already downloaded. Hence let's add
this, it's easy to add after all.
Let's downgrade log levels a bit on HTTP error codes. After all we
gracefully handle many of them, and we do generated an extra message for
the ones which are fatal anyway, hence there's no point in emphasizing
the HTTP erro message levels as we currently do.
importd: make keeping pristine copy of downloaded images optional
Previously, when downloading an image, importd would first download them
into one image which it would then consider immutable (named after the
originating URL/etag), and then immediately make a copy of it (named
after the client chosen name).
This makes some sense in VM/container cases where the images are
typically mutable, and thus the original downloaded copy is of some
value.
For sysexts/confexts/portable this doesn't make much sense though, as
they are typically immutable. Hence make the concept optional.
This adds --keep-download=yes/no as a new option that controls the
above. Moreover it disables the behaviour for all image classes but
"machine". The behaviour remains enabled for "machine", for compat.
importd: validate local image names with the right helper
A while back we introduced image_name_is_valid() for validating image
file names. It's more liberal than hostname_is_valid() in many ways (and
allows version suffixes and such). Since importd deals in offline images
(as opposed to machined otherwise which deals in running machines),
let's hence use the right helper to validate the identifiers.
importd: add support for downloading sysext/confext/portable images too
This adds "Ex" versions of all bus calls import implements, that make
two changes:
1. A "class" parameter is added that allows choosing between
machine/sysext/confext/portable images to download. Depending on the
chose class the target directory is selected differently (i.e. not
just /var/lib/machines/, but alternatively /var/lib/portables/,
/var/lib/extensions/, /var/lib/confexts/.
2. The boolean flags are replaced by a 64bit flags parameter.
The two enums are mostly the same, the former is just an extension of
the latter. Let's merge them, to simplify things. This is particularly
useful as we then can reuse this systematically as D-Bus method call
flags too, in a generic fashion that works for both imports and pulls
the same.
if we try to open file:// URLs that don't exist, we'll not get IO/timer
events about it, hence it is not sufficient to check for completion in
these events. Let's add a defer event, to deal with that.
Also, curl_multi_info_read() is a queue, make sure to handle all events
that might be queued.