Daan De Meyer [Mon, 7 Dec 2020 23:00:37 +0000 (23:00 +0000)]
mkosi: Enable --qemu-headless option for all distros
--qemu-headless configures the generated image and mkosi's qemu
command to connect to the VM via the serial port. This allows
spawning a qemu VM within the user's terminal instead of spawning
a graphical GTK GUI. --qemu-headless sets TERM, COLUMNS and LINES
in serial-getty@ttyS0.service in the container which makes the
terminal in the VM behave almost equivalent to the one on the host.
This change makes testing changes to systemd using mkosi + QEMU a
lot easier compared to before as commands can be executed in the VM
from the comfort of one's terminal compared to the Linux console
available when running via the GTK GUI.
systemd-nspawn: Allow setting ambient capability set
The old code was only able to pass the value 0 for the inheritable
and ambient capability set when a non-root user was specified.
However, sometimes it is useful to run a program in its own container
with a user specification and some capabilities set. This is needed
when the capabilities cannot be provided by file capabilities (because
the file system is mounted with MS_NOSUID for additional security).
This commit introduces the option --ambient-capability and the config
file option AmbientCapability=. Both are used in a similar way to the
existing Capability= setting. It changes the inheritable and ambient
set (which is 0 by default). The code also checks that the settings
for the bounding set (as defined by Capability= and DropCapability=)
and the setting for the ambient set (as defined by AmbientCapability=)
are compatible. Otherwise, the operation would fail in any way.
Due to the current use of -1 to indicate no support for ambient
capability set the special value "all" cannot be supported.
Also, the setting of ambient capability is restricted to running a
single program in the container payload.
Fedora will deprecate support for nscd in the upcoming release [1] and plans to
drop it in the next one [2]. At that point we might as well build systemd
without that support too, since there'll be nothing to talk too.
Daan De Meyer [Sun, 6 Dec 2020 18:16:59 +0000 (18:16 +0000)]
meson: Respect MESON_INSTALL_QUIET
MESON_INSTALL_QUIET is set when --quiet is passed to meson install.
Make sure we check the variable in our custom install scripts and
don't output anything if it is set.
Daan De Meyer [Sun, 6 Dec 2020 16:45:45 +0000 (16:45 +0000)]
mkosi: Add --quiet and --no-rebuild options to meson install in mkosi.build
By default, meson install prints a line for every file it installs.
This is verbose and doesn't provide much value. Let's silence the
meson install step to remove this output from the mkosi build step.
The --no-rebuild option removes some additional duplicate output
by the meson install step.
Ubuntu Focal still has meson 0.53.0 so we add a version check and
only use the new feature if the meson version supports it.
cryptsetup: give command line parameters proper names
It's highly confusing to reference the command line parameters via
argv[] indexes. Let's clean this up, and introduce properly named local
variables that make this easier to follow.
No actualy code changes, just some renaming of variables.
Vito Caputo [Tue, 1 Dec 2020 07:00:34 +0000 (23:00 -0800)]
mmap-cache: replace stats accessors with log func
In preparation for logging more mmap-cache statistics get rid of this
piecemeal stats accessor api and just have a debug log output function
for producing the stats.
Updates the one call site using these accessors, moving what that site
did into the new log function. So the output is unchanged for now,
just a trivial refactor.
Yu Watanabe [Thu, 3 Dec 2020 05:16:41 +0000 (14:16 +0900)]
test-network: sleep 1s after reloading configs
As interfaces will be reconfigured asynchronously after `networkctl reload`.
So, right after `networkctl reload` is finished, interfaces may be still
in 'configured' state with the old .network files.
shared/build: make the version string definition less terrible
The BLKID and ELFUTILS strings were present twice. Let's reaarange things so that
each times requires definition in exactly one place.
Also let's sort things a bit:
the "heavy hitters" like PAM/MAC first,
then crypto libs,
then other libs, alphabetically,
compressors,
and external compat integrations.
I think it's useful for users to group similar concepts together to some extent.
For example, when checking what compression is available, it helps a lot to have
them listed together.
FDISK is renamed to LIBFDISK to make it clear that this is about he library and
the executable.
Florian Westphal [Fri, 19 Jun 2020 11:33:19 +0000 (13:33 +0200)]
fw_add_local_dnat: remove unused function arguments
All users pass a NULL/0 for those, things haven't changed since 2015
when this was added originally, so remove the arguments.
THe paramters are re-added as local function variables, initalised
to NULL or 0. A followup patch can then manually remove all
if (NULL) rather than leaving dead-branch optimization to compiler.
Reason for not doing it here is to ease patch review.
Not requiring support for this will ease initial nftables backend
implementation.
In case a use-case comues up later this feature can be re-added.
Yu Watanabe [Wed, 2 Dec 2020 10:19:06 +0000 (19:19 +0900)]
network: do not set broadcast if prefixlen is 31 or 32
After fe841414ef157f7f01d339c5d5730126e7b5fe0a, broadcast address is
also compared with existing one to determine whether the address is
foregin or not. So, the address object should not contain unnecessary
information.
resolved: beef up logic for suppressing "localhost" entry in /etc/hosts
Either suppress the entry entirely, or not at all. But do not suppress
the "localhost" names we recognize, leaving the ones we do not in place.
On Fedora, where "localhost4.localdomain4" is among those listed in
/etc/hosts for 127.0.0.1 we'd thus otherwise drop the "localhost" but
keep the "localhost4.localdomain4" and then on reverse lookups only
return that, which is highly confusing.
resolved: never allow _gateway lookups to go to the network
Make them rather fail than go to the network.
Previously we'd filter them on LLMNR (explicitly) and MDNS (implicitly,
because it doesn't have .local suffix), but not on DNS.
In order to make _gateway truly reliable, let's not allow it to go to
DNS either, and keep it local.
This is particular relevant, as clients can now request lookups without
local RR synthesis, where we'd rather have NXDOMAIN returned for
_gateway than have it hit the network.
resolved: lower SERVFAIL cache timeout from 30s to 10s
Apparently 30s is a bit too long for some cases, see #5552. But not
caching SERVFAIL at all also breaks stuff, see explanation in 201d99584ed7af8078bb243ce2587e5455074713.
Let's try to find some middle ground, by lowering the cache timeout to
10s. This should be ample for the problem 201d99584ed7af8078bb243ce2587e5455074713 attackes, but not as long as
half a miute, as #5552 complains.
Anita Zhang [Wed, 2 Dec 2020 22:41:38 +0000 (14:41 -0800)]
test: fix TEST-56-OOMD thresholds for linux 5.9 changes
Fixes #17533
The memory pressure values of the units in TEST-56-OOMD seemed to be a
lot lower after updating to linux 5.9. This is likely due to a fix from
https://github.com/torvalds/linux/commit/e22c6ed90aa91abc08f107344428ebb8c2629e98.
To account for this, I lowered memory.high on testbloat.service to
throttle it even more. This was enough to generate the 50%+ value to trigger
oomd for the test, but as an extra precaution I also lowered the oomd
threshold to 1% so it's certain to try and kill testbloat.service.
resolved: automatically flush caches on clock change
DNSSEC validation takes the system clock into account to validate
signatures. This means if we had incorrect time and the time is then
changed to the correct one we should flush out everything and
re-validate taking the new time into account.
(This logic will also trigger after system suspend, which is not bad
either, given that quite possibly we are connected to a different
network, and thus would get different DNS data, without us noticing
otherwise via link beat).
virt: Properly detect nested UML inside another hypervisor
UML runs as a user-process so it can quite easily be ran inside of
another hypervisor, for instance inside a KVM instance. UML passes
through the CPUID from the host machine so in this case detect_vm
incorrectly identifies as running under KVM. So check we are running
a UML kernel first, before we check any other hypervisors.
Resolves: #17754
Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
resolved: bind socket to interface during connect()
Apparently, IF_UNICAST_IF does not influence the routing decisions done
during connect(). But SO_BINDTODEVICE/SO_BINDTOINDEX does, which however
brings a lot of other semantics with it, we are not so interested in
(i.e. it doesn't not allow packets from any other iface to us, even if
routing otherwise allows it).
Hence, let's bind to the ifindex immediately before the connect() and
unbind right after again, so that we get the semantics we want, but not
the ones we don't.
meson: allow fuzzers to be built even if fuzz testing is disabled
This makes commands like 'ninja -C build fuzz-journal-remote' or
'ninja -C build fuzzers' work, even if we have -Dfuzz-tests=false.
Two advantages: correctness of the meson declarations is verified even
if fuzzers are not built, and it easier to do a one-off build to check for
regressions or such.
Yu Watanabe [Tue, 24 Nov 2020 06:47:13 +0000 (15:47 +0900)]
network: stop to assign UUID when reconfiguring link
This fixes the following race in reconfiguring link:
1. an interface requests UUID.
2. the interface is reconfigured and link_configure() is called.
3. sd-lldp client is started on the interface (it is enabled by default).
4. networkd acquires UUID, and get_product_uuid_handler() calls
link_configure() for the link again.
5. link_lldp_rx_configure() fails to set ifindex for already running
sd-lldp client.
6. the link enters failed state.
projects / thirdparty / systemd.git / log
