measure: add --append= switch for merging signatures
Often it's useful to add multiple signatures in the signature JSON file
to embedd in a single .pcrsig. (For example, a signature by key X for
boot phase "enter-initrd" and one by key Y for
"enter-initrd:leave-initrd" or so). Make this easy, by adding the
ability to append signatures to a previously generated JSON file.
Use LogFilterPatterns from the unit's cgroup xattr in order to keep or
discard log messages before writing them to the journal.
When a log message is discarded, it won't be written to syslog, console...
either.
When a native, syslog, or standard output log message is received,
systemd-journald will process it if it matches against at least one
allowed pattern (if any) and none of the denied patterns (if any).
Define new unit parameter (LogFilterPatterns) to filter logs processed by
journald.
This option is used to store a regular expression which is carried from
PID1 to systemd-journald through a cgroup xattrs:
`user.journald_log_filter_patterns`.
Daan De Meyer [Tue, 13 Dec 2022 18:52:18 +0000 (18:52 +0000)]
repart: Rework Minimize= option settings
Instead of having Minimize= take a boolean let's allow for two
different ways to enable it. "best" means we want the most minimal
image possible, which currently is only possible for read-only
filesystems but can be extended in the future with bisection
to find the most minimal possible size.
We also add "guess", which is the current behavior, where we
populate once and use the sparse size to make a reasonable guess
on a size that fits all the sources without needing to O(log(n))
tries to find the most minimal size.
basic: do not output emojis if not on a proper terminal
$TERM would generally be set if we're connected to a proper graphical terminal
emulator. In all other cases, in particular if $TERM is not set, we almost
certainly are not connected to something that can output emojis. In particular
the text console is unlikely to ever do it correctly.
So let's invert the check, and only write emojis if $TERM is set.
fstab-generator: use log message that matches reality
We *assume* that when /sys is read-only, we're running in a container. But
there can other reasons, for example root is mount ro and nobody has mounted
/sys yet, or somebody forgot to add /sys to the list of filesystem not to
remount ro in a sandbox. So let's actually say what we know instead of assuming.
systemd-fstab-generator was reporting that it's running in a container and I
spent a good few minutes trying to figure out why 'systemd-detect-virt -c'
disagrees, before noticing that it's just checking a different condition.
This is an octal number. We used the 0 prefix in some places inconsistently.
The kernel always interprets in base-8, so this has no effect, but I think
it's nicer to use the 0 to remind the reader that this is not a decimal number.
manager: execute generators in a mount namespace "sandbox"
When generators are executed during early boot, /tmp might not be available
yet. This causes problems with bash, because here-docs don't work. Even
non-shell code can often assume that /tmp is available. This limitation is
known to trip up people, and when the code is tested on a "normal" system,
everything works.
We can solve this nicely, and get another small benefit, by making most of the
file system read-only and "punching holes" for some dirs that should be
writable. The generator code runs with full privileges and can do anything it
wants by writing appropriate systemd units, so it doesn't make much sense to do
any significant sandboxing around generators. But making root read-only is nice
because it can catch stupid mistakes where the generator tries to write to a
wrong path or something like that. We effectively also get a "private /tmp" for
the generators, which protects them against existing files in /tmp.
The path does the following:
when executing generators, we fork, and the child unshares root and makes
it recursively read-only, with the exception of /sys and /run. Error handling
is permissive — if some of this setup fails, we're in the same state as
before the patch.
If the flag is set, we mount /tmp/ in a way that is suitable for generators and
other quick jobs.
Unfortunately I had to move some code from shared/mount-util.c to
basic/mountpoint-util.c. The functions that are moved are very thin wrappers
around mount(2), so this doesn't actually change much in the code split between
libbasic and libshared.
Implications for the host would be weird if a private mount namespace is not
used, so assert on FORK_NEW_MOUNTNS when the flag is used.
Nick Rosbrook [Wed, 14 Dec 2022 15:07:40 +0000 (10:07 -0500)]
journal: skip part of test-journal-interleaving if no machine-id exists
When executed on a systemd with an empty /etc/machine-id,
test-journal-interleaving fails in test_sequence_numbers_one() when
re-opening the existing "two.journal". This is because opening the
existing journal file with managed_journal_file_open() causes
journal_file_verify_header() to be called. This function tries to
compare the current machine-id to the machine-id in the journal file
header, but does not handle the case where the machine-id is empty or
non-existent.
Check if we have an initialized machine-id before executing this portion
of the test.
Nick Rosbrook [Mon, 12 Dec 2022 19:37:52 +0000 (14:37 -0500)]
test-fs-util: skip part of test_chase_symlinks if machine-id is not initialized
The part of test_chase_symlink in test-fs-util that calls
sd_id128_get_machine will fail if /etc/machine-id is empty, so skip this
block if the machine-id is not initialized.
Felix Riemann [Wed, 14 Dec 2022 14:02:39 +0000 (15:02 +0100)]
timesync: Keep trying to connect even if the socket cannot be opened
This makes sure that after a server could not be contacted due to a
socket error, other (possibly working) NTP servers in the list of
configured NTP servers are (re-)tried.
Use dummy allocator to make accesses defined as per standard
systemd uses malloc_usable_size() everywhere to use memory blocks
obtained through malloc, but that is abuse since the
malloc_usable_size() interface isn't meant for this kind of use, it is
for diagnostics only. This is also why systemd behaviour is flaky when
built with _FORTIFY_SOURCE.
One way to make this more standard (and hence safer) is to, at every
malloc_usable_size() call, also 'reallocate' the block so that the
compiler can see the larger size. This is done through a dummy
reallocator whose only purpose is to tell the compiler about the larger
usable size, it doesn't do any actual reallocation.
Florian Weimer pointed out that this doesn't solve the problem of an
allocator potentially growing usable size at will, which will break the
implicit assumption in systemd use that the value returned remains
constant as long as the object is valid. The safest way to fix that is
for systemd to step away from using malloc_usable_size() like this.
Yu Watanabe [Wed, 14 Dec 2022 05:31:09 +0000 (14:31 +0900)]
sd-id128: make sd_id128_get_machine() or friends return -EUCLEAN when an ID is in an invalid format
EINVAL suggests that the caller passes an invalid argument. EIO is
for "input/output error", i.e. the error you'd get if the disk or
file system is borked, and this error code could be returned by the
underlying read/write functions.
Let's make the functions return an unambiguous error code.
David Tardon [Mon, 12 Dec 2022 15:21:30 +0000 (16:21 +0100)]
swap: tell swapon to reinitialize swap if needed
If the page size of a swap space doesn't match the page size of the
currently running kernel, swapon will fail. Let's instruct it to
reinitialize the swap space instead.
During the call today we agreed to work towards -rc1 in January. Nevertheless,
I already started writing this up and I'll push it so it doesn't get lost.
I didn't include all the changes to systemd-repart, because those are still in
flux.
Luca Boccassi [Mon, 12 Dec 2022 22:10:18 +0000 (22:10 +0000)]
manager: add option to rate limit daemon-reload
Reloading is a heavy-weight operation, and currently it is not
possible to stop an orchestrator from spamming reload requests.
Add configuration options to allow rate-limiting.
Luca Boccassi [Mon, 12 Dec 2022 15:34:43 +0000 (15:34 +0000)]
manager: log unit/pid of sender when Reload() is called
Reloading is a heavy-weight operation, and currently it is not
possible to figure out who/what requested it, even at debug level
logging.
Check the sender of the D-Bus message and print it out at info level.
Mike Yuan [Sat, 10 Dec 2022 12:55:42 +0000 (20:55 +0800)]
systemctl: is-*: return correct code when no unit is found
According to systemctl(1), we should use LSB return code 4
(EXIT_PROGRAM_OR_SERVICES_STATUS_UNKNOWN) when the state
is "no such unit" for is-{active,failed,enabled} verbs.
coredump: cescape invalid json data before logging
In both cases, the json string is short, so we can print it, which is useful
for diagnosing invalid data in packages. But we need escape non-printable
characters.