glyph-util: bring glyphs into same order everywhere
The enum definition, the two string tables and the test all were using
different orders (and in case of the test even missed entries).
Let's unify this, and make sure we always use the same order. This
settles the confusion, and makes the order used for the unicode string
table the canonical one, adjusting the other lists to match it. And adds
the missing entries to the tets.
tpm2: whenever we measure, also write a tpm log record
Previously we only logged our measurements to the journal. This is not a
great solution though, since regular logs are subject to rotation, which
is something we really cannot have for measurements (as it means we can
never reproduce the PCR values from the data). Hence, let's maintain an
explicit log.
Ideally, we'd just use the TCG Canonical Event Log format 1:1
(https://trustedcomputinggroup.org/resource/canonical-event-log-format/).
However it's not a perfect fit fo us, for various reasons. But let's
follow it (in its JSON incantation) as closely at it makes sense, so
that it can easily be converted to the full format by programs consuming
it.
Code comments explain where we deviate from the TCG CEL-JSON, and what
to do about it when reading the data.
Yu Watanabe [Wed, 30 Aug 2023 08:33:01 +0000 (17:33 +0900)]
sd-dhcp-client: ensure IAID and DUID being set on start
After b2851e8d6287ab9bb3cd6e42395271c45ce0e377, if IAID and DUID are not
set on start, calling sd_dhcp_client_set_iaid_duid_en() in
client_message_init() triggers assertion, as the client is already
running at the stage. Let's set IAID and DUID earlier.
when provided `--root=` was failing for `status`:
```
$ systemd-sysext --root=/mnt status
Failed to open '/usr/.systemd-sysext/extensions': No such file or directory
```
path was not relative to the given `--root` - same goes for the `need_reload`
as it was inspired from the `verb_status` section.
Frantisek Sumsal [Mon, 28 Aug 2023 20:42:36 +0000 (22:42 +0200)]
test: fix debugging of nspawn tests
The pipe stuff introduced in 701e0c2660 causes nspawn to switch the
console from 'interactive' into 'read-only' which is a bit useless when
debugging. Let's set --console=interactive explicitly in such case.
msizanoen [Thu, 24 Aug 2023 09:42:37 +0000 (16:42 +0700)]
login: Properly handle -EIO in session_leave_vt
session_leave_vt may be called after the VT device was hung up, which
will cause vt_release to fail with -EIO. This is known to cause an issue
with GNOME 44 on Fedora where gdm-session-worker sometimes freezes when
trying to switch to VT 1 after a `loginctl terminate-user` operation.
Fix this by reopening the VT in session_leave_vt if we get an -EIO.
meson: restore specifications of dependency on version_h
This partially reverts 3c1eee5beda642707037b189481c3c30d1668da7.
I thought that it is not necessary, but
https://mesonbuild.com/Reference-manual_functions.html#vcs_tag says:
> This method returns a custom_tgt should be used to signal dependencies if
> other targets use the file outputted by this.
>
> For example, if you generate a header with this and want to use that in a
> build target, you must add the return value to the sources of that build
> target. Without that, Meson will not know the order in which to build the
> targets.
We can use version_h directly, since we already have it.
Luca Boccassi [Mon, 28 Aug 2023 10:03:45 +0000 (11:03 +0100)]
test-dhcp-client: add temporary workaround for assertion failure
Workaround for https://github.com/systemd/systemd/issues/28990
Introduced by https://github.com/systemd/systemd/pull/28932 but CI was
green there. Add a workaround to get the CI back in shape while it is
being investigated.
boot: don't pass kernel cmdline option to UKIs which have the very same line built-in
There's really no point in first extracting a command line from an UKI
to just pass it unmodified to the UKI. In particular as this is
systematically ignored in SecureBoot is enabled.
Let's drop this, so that unless the user actually edits the cmdline we
pass nothing to the invoked kernel.
Note that this low-key is a compat break, since the passed cmdline gets
measured. However, in the interest of minimized the difference between
systems with and without sd-boot to behave the same i think we should
suppress the command line anyway.
Chris Patterson [Fri, 25 Aug 2023 21:23:40 +0000 (17:23 -0400)]
99-systemd.rules.in: tag PTP devices with systemd
Chronyd and similar time services, when using PTP devices, may need
the BindsTo/After directives to ensure the devices are available
before starting. Tag PTP devices with systemd to allow for wider
adoption.
Signed-off-by: Chris Patterson <cpatterson@microsoft.com>
Yu Watanabe [Wed, 23 Aug 2023 04:25:35 +0000 (13:25 +0900)]
sd-dhcp-client: make client initially in stopped state
Previously, DHCP_STATE_STOPPED and DHCP_STATE_INIT are both handled as
not-running. Moreover, previously after sd_dhcp_client_start() is
called, the client still in INIT state (and thus handled as not-running)
even if its internal timer event sources are initialized.
Let's make only STOPPED state handled as not-running, and make the
client initially in STOPPED state.
Topi Miettinen [Wed, 9 Aug 2023 20:07:21 +0000 (23:07 +0300)]
network: firewall integration with NFT sets
New directive `NFTSet=` provides a method for integrating network configuration
into firewall rules with NFT sets. The benefit of using this setting is that
static network configuration or dynamically obtained network addresses can be
used in firewall rules with the indirection of NFT set types. For example,
access could be granted for hosts in the local subnetwork only. Firewall rules
using IP address of an interface are also instantly updated when the network
configuration changes, for example via DHCP.
This option expects a whitespace separated list of NFT set definitions. Each
definition consists of a colon-separated tuple of source type (one of
"address", "prefix", or "ifindex"), NFT address family (one of "arp", "bridge",
"inet", "ip", "ip6", or "netdev"), table name and set name. The names of tables
and sets must conform to lexical restrictions of NFT table names. The type of
the element used in the NFT filter must match the type implied by the
directive ("address", "prefix" or "ifindex") and address type (IPv4 or IPv6)
as shown type implied by the directive ("address", "prefix" or "ifindex") and
address type (IPv4 or IPv6) must also match the set definition.
When an interface is configured with IP addresses, the addresses, subnetwork
masks or interface index will be appended to the NFT sets. The information will
be removed when the interface is deconfigured. systemd-networkd only inserts
elements to (or removes from) the sets, so the related NFT rules, tables and
sets must be prepared elsewhere in advance. Failures to manage the sets will be
ignored.
Let's also use vcs_tag() when we're doing a non-git build. In those scenarios,
the build would normally be done just once in a given copy, so doing an extra
call does not matter. We can save a few lines of meson config.
The special path was added in 064b8e2c99ceb348c515353cc5c7d7bd05c49fcb, with
the justifaction that vcs_tag() is slow and -Dversion-tag=foo can be used to
fix the version tag and speed up partial rebuilds. I think the justification
for this is weak: having an accurate version tag is particularly useful when
developing the code. Shaving of a fraction of a second at the cost of having to
manually update the version seems iffy.
Secondly, with vcs_tag() we can be pretty sure that meson will build the
version file first and that it'll be available to all build steps. Because we
didn't use version tag, we had to manually specify the dependency on version.h
in various places. It seems nicer to use vcs_tag() and not have to deal with
this problem at all.
Finally, the savings in time seem much smaller than back when 064b8e2c99ceb348c515353cc5c7d7bd05c49fcb was made. It reported a change
from 94 ms to 521 ms. But now the difference seems to be about 50 ms:
Before this patch:
$ time ninja -C build
ninja: Entering directory `build'
ninja: no work to do.
ninja -C build 0.04s user 0.02s system 97% cpu 0.057 total
ninja -C build 0.03s user 0.01s system 97% cpu 0.049 total
ninja -C build 0.03s user 0.02s system 96% cpu 0.051 total
ninja -C build 0.03s user 0.01s system 96% cpu 0.049 total
ninja -C build 0.03s user 0.01s system 97% cpu 0.046 total
With the two patches in this PR:
systemd-stable [drop-versiondep] time ninja -C build
ninja: Entering directory `build'
[1/669] Generating version.h with a custom command
ninja -C build 0.08s user 0.03s system 98% cpu 0.106 total
ninja -C build 0.08s user 0.03s system 98% cpu 0.104 total
ninja -C build 0.09s user 0.02s system 98% cpu 0.116 total
ninja -C build 0.08s user 0.02s system 97% cpu 0.108 total
Overall, I think the tiny time savings are not worth the complexity.
Daan De Meyer [Fri, 25 Aug 2023 11:55:36 +0000 (13:55 +0200)]
Limit rlim_max in rlimit_nofile_safe() to nr_open
We might inherit a max rlim value that's larger than the kernel's
maximum (nr_open). This will cause setrlimit() to fail as the given
maximum is larger than the kernel's maximum. To get around this,
let's limit the max rlim we pass to rlimit() to the value of nr_open.
I always found it confusing that most of our TPM related definitions are
in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's
fix that and make this systematic, in particular as the definitions in
the file all start with TPM2_ already.
Let's a "b" helper for json_variant_set_field() that combines
json_build() with json_variant_set_field(), similar to the
json_variant_merge_objectb(), json_variant_append_arrayb().
json_append() is a useful wrapper around json_variant_merge(). However,
I think the naming sould be cleaned up a bit of both functions.
I thinker "merge" is the better word than "append", since it does
decidedly more than just append: it replaces existing fields of the same
name, hence "merge" sounds more appropriate. This is as opposed to the
similar operations for arrays, where no such override logic is applied
and we really just append, hence those functions are called "append"
already.
To make clearer that "merge" is about objects, and "append" about
arrays, also include "object" in the name.
Also, include "json_variant" in the name, like we do for almost all
other functions in the JSON API that take a JSON object as primary
input, and hence are kinda object methods.
Finally, let's follow the logic that helpers that combine json_build()
with some other operation get suffixed with "b" like we already have in
some cases.
This mirrors nicely the existing:
json_variant_append_array()
json_vairant_append_arrayb()
This also drops the variant of json_append() that takes a va_arg
parameter (i.e. json_appendv()). We have no user of that so far, and
given the nature as a helper function only I don#t see that happening,
and if it happens after all it's trivial to bring back.