As pointed out in https://github.com/systemd/systemd/issues/29814, we need to
use phrases are are meaningful on their own, because the man page formatter
creates a list at the bottom. With <ulink>see docs</ulink>, we end up with:
NOTES:
1. see docs
https://some.url/page
2. see docs
https://some.url/page2
which is not very useful :(
Also, the text inside the tag should not include punctuation.
Python helper:
from xml_helper import xml_parse
for p in glob.glob('../man/*.xml'):
t = xml_parse(p)
ulinks = t.iterfind('.//ulink')
for ulink in ulinks:
if ulink.text is None: continue
text = ' '.join(ulink.text.split())
print(f'{p}: {text}')
- link->network->ipv6_hop_limit must not be updated, as it may be used
by multiple interfaces,
- We may receive multiple RA from multiple routers with different hop
limit, and we should not make the default hop limit flicking,
- First of all, there is no reason that we need to update the default hop
limit,
- The original issue should be caused by the hash and compare functions
for Route object.
Previously, OBJECT_UNUSED was used for 'pinning' the mmap cache for an
object. But, OBJECT_UNUSED is also used for reading object when type
cannot be determined before read, e.g. when reading the tail object.
Let's introduce another category for pinning mmap cache, and use it when
we want to temporary pin an object.
- Rename generic_array_bisect_one() -> generic_array_bisect_step(), as there
is also generic_array_bisect_plus_one(), so the original name is confusing.
- Make generic_array_bisect_step() return TEST_GOTO_NEXT or TEST_GOTO_PREVIOUS
when the current array does not contain any matching entries.
- Make generic_array_bisect_step() symmetric with respect to the direction
we are going to, except for the journal corruption handling.
- Make generic_array_bisect_step() gracefully handle journal corruptions,
so the corruption handling in the caller side can be mostly dropped.
- Especially, when the last entry in an array is corrupted, previously
we tried to find a valid entry sequentially from the end of the array,
but now we anyway bisect the array. That should improve performance of
reading corrupted journal files.
- Return earlier when no entry linked to the chained array (n == 0).
- Add many comments.
In the loop of the generic_array_bisect(), the offset of the entry array
object is unchanged, the object is read at the beginning of the loop, and
we do not read any other entry array object. Hence, it is not necessary to
re-read the object every time we use the object.
hexdecoct: implicitly parse URL-safe base64 format, too
JSON-I (RFC 7493) suggests to use the URL safe base64 alphabet, rather
than the regular one when encoding binary data in JSON strings. We
generally uses the regular alphabet though.
Let's be tolerant in what we parse however: simply accept both formats
when we parse base64.
This does nothing about base64 generation though, only about parsing.
David Tardon [Fri, 3 Nov 2023 13:01:54 +0000 (14:01 +0100)]
udevadm-control: return early if --exit is used
All the following commands would just fail with -ENOANO anyway, hence
there's no point in sending them. And it allows us to shave off some
error handling code.
David Tardon [Fri, 3 Nov 2023 12:12:42 +0000 (13:12 +0100)]
udevadm-control: parse all args in advance
This is mostly just refactoring to make the code more manageable and
extendable. It doesn't introduce any semantic changes, but it
"optimizes" the communication with udevd a bit:
* If an option is used multiple times, only one command will be sent. If
the option takes a value, the value of the final appearance of the
option is used. The only exception is --property, which is additive by
nature.
* Options --start-exec-queue and --stop-exec-queue are handled together.
Only one of START_QUEUE/STOP_QUEUE commands will be sent to udevd even
if both options appear on the command line.
Luca Boccassi [Wed, 1 Nov 2023 19:39:37 +0000 (19:39 +0000)]
core: check that extensions have the hierarchies before overlaying
Before confext was added, hierarchies always existed in extensions. Now
they are optional - i.e., a sysext will not contain /etc/. So mixing a
confext and a sysext fails, as we'll try to create an overlay with /etc/
from the base, the confext and the sysext, but the latter doesn't have
the directory.
After the source images are mounted, check that each hierarchy exists in
each source image before creating the overlay, and drop them if they
don't.
Let's install a simple no-op signal handler without SA_RESTART for
SIGINT/SIGTERM, which allows us to interrupt read_one_char() and follow
it up with a proper cleanup, including restoring the vt to the original
state.
Introduce a new env variable $SYSTEMD_NSPAWN_CHECK_OS_RELEASE, that can
be used to disable the os-release check for bootable OS trees. Useful
when trying to boot a container with empty /etc/ and bind-mounted /usr/.
tpm2-util: add generic helpers for sealing/unsealing data
These helpers tpm2_seal_data()/tpm2_unseal_data() are useful for
sealing/unsealing data without any further semantics around them. This
is different from the existing tpm2_seal()/tpm2_unseal() which seal with
a specific policy and serialize in a specific way, as we use it for disk
encryption.
These new helpers are more generic, they do not serialize in a specific
way or imply policy, they are just the core of the sealing/unsealing.
(We should look into porting tpm2_seal()/tpm2_unseal() onto these new
helpers, but this isn#t trivial, since the classic serialization we use
uses a merged marshalling of private/public key, which we'd have to
change in one way or another)
tpm2-util: add helper for creating/removing/updating NV index with stored policy
This is the primary core of what pcrlock is supposed to do eventually:
maintain a TPM2 policy hash inside an NV index which we then can
reference via a PolicyAuthorizeNV expression to lock other objects
against it.
tpm2-util: add helpers for marshalling public/private keys
Note: we export these new symbols for now. A later commit in this PR
will make them static again. The only reason they are exported here is
to make sure gcc doesn't complain about unused static symbols, and I
really wanted to commit them in a separate commit.
cryptsetup: pass AskPasswordFlags down into pkcs11 module
The pkcs11 cryptsetup token module is a bit different from the tpm2 +
fido2 ones: it asks for the PIN itself, rather than bubbling up a
request to get a PIN. That's because it might need multiple, and because
we don't want to destroy a the pkcs11 session half-way and thus risk
increasing pin counters.
Hence, we sometimes ask for PINs from our code, rather than let the
libcryptsetup caller do that. So far we didn't pass the AskPasswordFlags
field down into the module though. Fix that.
Yu Watanabe [Thu, 2 Nov 2023 05:12:42 +0000 (14:12 +0900)]
network: add meson option to rename .example files on install
Also this renames 80-ethernet.network.example -> 89-ethernet.network.example,
to make it have lower precedence over other default .network files for
Ethernet interfaces.
cryptsetup: disable activation via token plugin if we shall measure the volume key
if we allow cryptsetup to activate a volume via token plugin we never
get access to the volume key, which we'd like to measure. Hence disable
token plugins in that case.
(I tempted to say we probably should disable them entirely, and only use
them if classic cryptsetup is used, but that's a discussion for another
day.)