If one of the cursor options is specified, we first seek to the cursor position.
So, the current position may be out of the time range specified by --until,
and we need to verify the timestamp of the current position.
Jan Macku [Wed, 20 Mar 2024 11:37:18 +0000 (12:37 +0100)]
ci(freezer): update `devel-freezer` GHA to `v1.1.0`
The new version of `devel-freezer` GitHub Action adds support for milestones, labels, and more. Now, when the `rc` tag is published, it won't post a development freeze comment on PRs included in the next milestone.
This commit also sets a delay of 20s for PR validation to give some time for updating labels and milestones on submitted PRs.
basic/missing_*.h: add asserts that the values are as expected
It's great that we provide fallback values, but if we got one of those wrong,
it could be a long time before anyone noticed. So let's add asserts that
our internal defines actually match the official ones, when the latter are
available.
I did not add '#include "macro.h"' to missing_{audit,capability}, because
those are processed by an awk script that would need additional include
directories and could be confused by the additional lines. We don't include
those headers standalone anyway, so this is not necessary.
Gerd Hoffmann [Mon, 18 Mar 2024 16:04:22 +0000 (17:04 +0100)]
kernel-install: fix uki-copy deinstall
For "kernel-install remove ..." only the kernel version is passed, not
the kernel image. So auto-detecting KERNEL_INSTALL_IMAGE_TYPE and
setting KERNEL_INSTALL_LAYOUT does not work for uninstall.
The 90-uki-copy.install plugin must consider this and *not* exit early
for the "remove" command, otherwise $BOOT_ROOT will be filled with stale
kernel images.
Naming is always a matter of preference, and the old name would certainly work,
but I think the new one has the following advantages:
- A verb is better than a noun.
- The name is more similar to "the competition", i.e. 'sudo', 'pkexec', 'runas',
'doas', which generally include an action verb.
- The connection between 'systemd-run' and 'run0' is more obvious.
There has been no release yet with the old name, so we can rename without
caring for backwards compatibility.
units: add one more equivalency of '-' in '_' on kernel cmdline
c0aeff4b999318d4da48328fff0ea93c8c457ace added this in one unit file, but the
same problem occurs here. (There are no other files where this would apply.)
I think we should solve this systematically somehow, but it's not clear how to
do that, so until we have that better solution, let's apply the manual solution
so that our units work as expected.
Unique-Usman [Fri, 15 Mar 2024 22:34:11 +0000 (04:04 +0530)]
Add a set of assertion macros to tests.h
(ASSERT_OK(), ASSERT_EQ(), ASSERT_GE(), ASSERT_LE()) that log the failed condition before crashing, and convert the test-gpt.c test file to use them
Yu Watanabe [Wed, 13 Mar 2024 17:28:06 +0000 (02:28 +0900)]
unit/network: use ProtectSystem=strict again
Now, networkd accesses the state directory through the file descriptor
passed from systemd-networkd-persistent-storage.service.
Hence, the networkd itself does not need to access the state directory
through its path, and we can use a stronger mode for ProtectSystem=.
Yu Watanabe [Fri, 15 Mar 2024 15:55:10 +0000 (00:55 +0900)]
network/varlink: pass file descriptor of state directory with SetPersistentStorage method
The state directory is owned by systemd-networkd-persistent-storage.service,
at least technically. Let's not directly access the storage through the path,
but through the fd.
Ronan Pigott [Mon, 18 Mar 2024 20:05:07 +0000 (13:05 -0700)]
resolved: request DS with DNSKEY
When validating, when we look up a DNSKEY for validation we will almost
certainly need the corresponding DS to complete the chain of trust.
Let's go ahead and request it right away so that we don't have to wait
in this common case.
Ronan Pigott [Mon, 18 Mar 2024 01:02:22 +0000 (18:02 -0700)]
resolved: don't request the SOA for every dns label
When validating insecure delegations we don't actually need to request
the SOA for every single dns label. We need the DS records for the zone,
and we can seek them by querying for DS directly (in case we are at a
zone cut) and then following the SOA referrals or the parent name until
we have found a chain of trust.
Extra transactions and roundtrips, especially transactions for RRs that
aren't actually needed to validate and therefore aren't likely to be in
the recursive resolver's own cache are a big slowdown during validation.
Consequently, this change results in an enormous speed up in validating
most names from our own cold-cache (10x or more), by eliminating a large
number of superfluous dnssec transactions.
Adrian Vovk [Thu, 14 Mar 2024 21:11:36 +0000 (17:11 -0400)]
homed: Minor function name cleanup
It's not actually a dbus method, just a function that all the various dbus
methods end up calling to update the user record. So rename it to
reflect that.
Daan De Meyer [Mon, 18 Mar 2024 15:20:00 +0000 (16:20 +0100)]
mkosi: Install python3-pefile in OpenSUSE image
ukify is part of systemd-experimental on OpenSUSE and not its own
package. Because the OpenSUSE systemd maintainers do not want to
introduce a python dependency for systemd-experimental, we have to
install python3-pefile manually to make sure ukify works properly.
Nick Rosbrook [Fri, 15 Mar 2024 19:14:05 +0000 (15:14 -0400)]
shared/install: correctly install alias for units outside search path
Currently, if a unit file is enabled from outside of the search path,
and that unit has an alias, then the symlink ends up pointing outside of
the search path too. For example:
$ systemctl enable /tmp/a.service
Created symlink /etc/systemd/system/a.service → /tmp/a.service.
Created symlink /etc/systemd/system/b.service → /tmp/a.service.
Created symlink /etc/systemd/system/multi-user.target.wants/a.service → /tmp/a.service.
This then means the alias is treated as a separate unit:
$ systemctl start a.service
$ sudo systemctl status a
● a.service
Loaded: loaded (/etc/systemd/system/a.service; enabled; preset: enabled)
Active: active (running) since Fri 2024-03-15 15:17:49 EDT; 9s ago
Main PID: 769593 (sleep)
Tasks: 1 (limit: 18898)
Memory: 220.0K
CPU: 5ms
CGroup: /system.slice/a.service
└─769593 sleep infinity
Mar 15 15:17:49 six systemd[1]: Started a.service.
$ sudo systemctl status b
○ b.service
Loaded: loaded (/etc/systemd/system/b.service; alias)
Active: inactive (dead)
To fix this, make sure the alias uses a target that is inside the search
path. Since the unit file itself is outside of the search path, a
symlink inside the search path will have been created already. Hence,
just point the alias symlink to that recently created symlink.
Ronan Pigott [Fri, 15 Mar 2024 20:52:30 +0000 (13:52 -0700)]
resolved: wait to gc transactions if they might still give an answer
In some cases when a query completes there are still pending
transactions that are no longer useful to answer the query. But if this
query is repeated in the future and we don't have the answers cached,
we're going to ask and ignore the answer again.
Instead of purging these superfluous transactions, let's wait and see if
they produce an answer, since we already asked the question, and use it
to fill our cache.
Daan De Meyer [Sun, 17 Mar 2024 14:48:25 +0000 (15:48 +0100)]
Switch opensuse packaging specs source url to src.opensuse.org
opensuse's OBS has two git mirrors, code.opensuse.org uses pagure,
src.opensuse.org uses gitea. Let's try src.opensuse.org as pagure
doesn't seem to work properly when more advanced git functionality
is used.
Daan De Meyer [Sun, 17 Mar 2024 11:34:50 +0000 (12:34 +0100)]
tpm2-setup: Add --graceful
Currently the associated units fail if full tpm support is not available
on the system. Similar to systemd-pcrextend, let's add a --graceful option
that exits gracefully if no full TPM support is detected and use it in both
units.
Jörg Behrmann [Sat, 16 Mar 2024 11:53:29 +0000 (12:53 +0100)]
NEWS: style fixes and a few reformulations
- mention the version format spec for systemd-vpick
- say that "systemd-creds --user" can be used by unprivileged users as well
- say what importctl does
- use en dash instead of em dash
- add a missing article
Yu Watanabe [Fri, 15 Mar 2024 15:38:06 +0000 (00:38 +0900)]
network: pin file descriptor of persistent storage
This also drops the support for /run/systemd/netif/persistent-storage-ready,
as the file is anyway removed when networkd is stopped.
Let's use $SYSTEMD_NETWORK_PERSISTENT_STORAGE_READY=1 instead in testing.
Luca Boccassi [Thu, 14 Mar 2024 16:52:21 +0000 (16:52 +0000)]
portable: when logging about attaching, include the used profile
Useful information to have in the logs.
Mar 14 16:45:27 H systemd-portabled[510]: Successfully attached ephemeral '/usr/share/minimal_0.raw' and its extension(s) '/usr/share/app0.raw' using profile 'default'
Yu Watanabe [Tue, 12 Mar 2024 08:35:51 +0000 (17:35 +0900)]
network/address: acquire address in address_process_request()
Previously, if an [Address] section is configured with a null address,
e.g. Address=0.0.0.0/24, then we acquired a free address in
link_request_address().
With this commit, we queue a request with the null address as is, and
acquire a free address later in address_process_request(). Similarly,
the IPv4ACD daemon is now configured in address_process_request().
With this change, we can make the address acquisition depend on other
conditions, e.g. if the persistent storage is ready or not.
Yu Watanabe [Thu, 14 Mar 2024 09:40:14 +0000 (18:40 +0900)]
kbd-util: allow overriding the default keymap directories
This introduces $SYSTEMD_KEYMAP_DIRECTORIES environment variable to
override the hardcoded keymap directories.
I think it is not necessary to provide a first-class configuration
option for controlling the keymap directories, but it is not good to
hardcode the paths. So, let's introduce an environment variable to
override that.
Yu Watanabe [Thu, 14 Mar 2024 18:12:07 +0000 (03:12 +0900)]
locale: use O_PATH directory fd and faccessat() in find_converted_keymap()
Previously, it was assumed that the paths in KBD_KEYMAP_DIRS end
with a slash. But, in the next commit, the paths will become controllable by
users, and each path may not end with a slash.
This should not change any effective behaviors.
Just refactoring and preparation.
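An added example of the technique named in the subject line, not systemd's own implementation: a directory is opened with O_PATH and the candidate keymap is probed with faccessat() relative to that fd, so whether the configured directory ends with a slash no longer matters. The function names, the search-list helper and the constructed fixture (<tmp>/xkb/us.map) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000 /* Linux value on the generic ABI */
#endif

/* Returns 1 if rel exists below dir, 0 if it does not (or dir itself is
 * missing), -errno on any other error. The directory is opened with O_PATH,
 * which needs no read permission on it and cannot be used for I/O; rel is then
 * resolved relative to the fd, so "dir" and "dir/" behave identically.
 * faccessat() with flags 0 checks using the real UID; AT_EACCESS would use the
 * effective UID, which matters for set-uid callers. */
int keymap_exists_in(const char *dir, const char *rel) {
        int dfd, r, saved;

        dfd = open(dir, O_PATH | O_DIRECTORY | O_CLOEXEC);
        if (dfd < 0)
                return (errno == ENOENT || errno == ENOTDIR) ? 0 : -errno;

        r = faccessat(dfd, rel, F_OK, 0);
        saved = errno;
        close(dfd);

        if (r == 0)
                return 1;
        if (saved == ENOENT || saved == ENOTDIR)
                return 0;
        return -saved;
}

/* Returns the index of the first directory in dirs that contains rel, -1 if
 * none does, or -errno on the first hard error. */
int find_keymap(const char *const *dirs, size_t n, const char *rel) {
        for (size_t i = 0; i < n; i++) {
                int r = keymap_exists_in(dirs[i], rel);
                if (r < 0)
                        return r;
                if (r > 0)
                        return (int) i;
        }
        return -1;
}

/* Constructed fixture: <tmp>/xkb/us.map. Writes the temp dir into out.
 * Returns 0 or -errno. */
int make_keymap_fixture(char *out, size_t outlen) {
        char tmpl[] = "/tmp/keymap-example-XXXXXX";
        char path[PATH_MAX];
        int fd;

        if (!mkdtemp(tmpl))
                return -errno;
        if ((size_t) snprintf(out, outlen, "%s", tmpl) >= outlen)
                return -ENAMETOOLONG;
        snprintf(path, sizeof path, "%s/xkb", tmpl);
        if (mkdir(path, 0755) < 0)
                return -errno;
        snprintf(path, sizeof path, "%s/xkb/us.map", tmpl);
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
        if (fd < 0)
                return -errno;
        close(fd);
        return 0;
}

int main(void) {
        char dir[64], slashed[80];

        if (make_keymap_fixture(dir, sizeof dir) < 0)
                return 1;
        snprintf(slashed, sizeof slashed, "%s/", dir);

        /* A missing directory, the fixture with a trailing slash, and without. */
        const char *dirs[] = { "/nonexistent-keymap-dir", slashed, dir };
        printf("xkb/us.map found in dirs[%d]\n", find_keymap(dirs, 3, "xkb/us.map"));
        printf("xkb/de.map found in dirs[%d]\n", find_keymap(dirs, 3, "xkb/de.map"));
        return 0;
}
```

A non-existent search directory is reported as "not found" rather than as an error, so a user-supplied list can contain paths that are absent on the running system without aborting the lookup.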