mkosi: Changes to allow booting with sanitizers in mkosi
- Extra memory because ASAN needs it
- The environment variables to make the sanitizers more useful
- LD_PRELOAD because the ASAN DSO needs to be the first in the list
- The sanitizer library packages
- Disable syscall filters because they interfere with ASAN
- Disable systemd-hwdb-update because it's super slow when systemd-hwdb
is built with sanitizers
- Take the value for meson's b_sanitize option from the SANITIZERS
environment variable
core: drop a stray %m specifier from a warning message
since in this specific case (r == 0) `errno` is irrelevant and most likely
set to zero, leading to a confusing message:
```
[ 120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[ 120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```
coredump: Try to write journald coredump metadata to the journal
Currently, if journald coredumps, the coredump is written to
/var/lib/systemd/coredump but the coredump metadata is not written
to the journal meaning we can't find out about the coredump's
existence via the journal. This means that coredumpctl can't be
used to work with journald coredumps, as well as any other tools
that rely on journald to know about coredumps.
To solve the issue, let's have systemd-coredump try to write
systemd-journald coredump metadata to the journal. We have to be
careful though, since if journald coredumps, there's no active
reader on the receive end of the journal socket, so we have to make
sure we don't deadlock trying to write to the socket. To avoid the
deadlock, we put the socket in nonblocking mode before trying to
write to it.
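As an added illustration of the nonblocking write described above (example code, not part of the systemd commit): a helper that switches a socket to O_NONBLOCK before writing, plus a constructed socketpair whose receiving end is never serviced, so a blocking write would hang forever while the nonblocking one returns EAGAIN and the caller can give up cleanly.

```c
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Put fd into nonblocking mode. Returns 0 or -errno. */
static int fd_set_nonblock(int fd) {
        int flags = fcntl(fd, F_GETFL);
        if (flags < 0)
                return -errno;
        if (flags & O_NONBLOCK)
                return 0;
        return fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0 ? -errno : 0;
}

/* Write buf to a socket without ever blocking. Returns 0 when everything was
 * written, -EAGAIN when the peer is not draining the socket (the "no active
 * reader" case from the commit message), other -errno on failure. */
static int write_nonblocking(int fd, const void *buf, size_t len) {
        int r = fd_set_nonblock(fd);
        if (r < 0)
                return r;
        const char *p = buf;
        while (len > 0) {
                ssize_t n = write(fd, p, len);
                if (n < 0) {
                        if (errno == EINTR)
                                continue;
                        return -errno; /* -EAGAIN: would have deadlocked in blocking mode */
                }
                p += n;
                len -= (size_t) n;
        }
        return 0;
}

/* Constructed scenario: a socketpair nobody reads from. Keeps writing until the
 * kernel buffer is full and reports the error of the first incomplete write. */
static int demo_unserviced_reader(void) {
        int sv[2], r = 0;
        char chunk[4096];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
                return -errno;
        memset(chunk, 'x', sizeof chunk);
        for (int i = 0; i < 100000 && r == 0; i++)
                r = write_nonblocking(sv[0], chunk, sizeof chunk);
        close(sv[0]);
        close(sv[1]);
        return r;
}
```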
fstab-generator: do not skip /sysroot prefix if the mount point is missing
When chase_symlinks() is called on something that doesn't exist, it immediately
returns an error. But we were relying on it to prepend "/sysroot/". If it
fails, we need to do that ourselves.
For example, with /sysroot/etc/fstab containing a line for /foo, if /sysroot/foo
doesn't exist, we'd generate a mount point for /foo.
Originally (6b1dc2bd3cdb3bd932b0692be636ddd2879edb92) we had 'pre' and 'post'
to refer to remote-fs-pre.target and remote-fs.target or local-fs-pre.target
and local-fs.target. But 'pre' is long gone, and 'post' by itself doesn't
make much sense. Rename it for clarity.
fstab-generator: properly report the source of data
Mount information can come from /etc/fstab, /sysroot/etc/fstab, and
/proc/cmdline. Even when we had the path to the right source handy, we would
often write something inaccurate. In particular, in the initrd, we would
generally write "/etc/fstab" instead of "/sysroot/etc/fstab" for no good
reason.
generators: only redirect logging when invoked by systemd
We would always print output to the kmsg or journal, but that is only needed
and useful when invoked by systemd. So let's skip redirection unless we are
invoked by systemd. Otherwise, let's log normally. This makes test invocations
easier, and also helps when the generator is invoked by mistake. If redirection
is necessary, the generator can be invoked with SYSTEMD_LOG_TARGET=… even
during tests.
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.
cgroups-agent: connect stdin/stdout/stderr to /dev/null
Inspired by https://github.com/systemd/systemd/pull/24024 this is
another user mode helper, where this might be an issue. Hence, let's
rather be safe than sorry, and also connect stdin/stdout/stderr
explicitly with /dev/null.
generators: accept one or three args, do not write to /tmp
Since the general generator logic was established in the rewrite in 07719a21b6425d378b36bb8d7f47ad5ec5296d28, generators would always write to /tmp
by default. I think this is not a good default at all, because generators write a
bunch of files and would create a mess in /tmp. And for debugging, one
generally needs to remove all the files in the output directory, because
generators will complain if the output paths are already present. Thus the
approach of disabling console logging and writing many files to /tmp when
invoked with no arguments is not nice, so let's disallow operation with no
args.
But when debugging, one generally does not care about the separate output dirs
(most generators use only one). Thus the general pattern I use is something
like:
```
rm -rf /tmp/x && mkdir /tmp/x && build/some-generator /tmp/{x,x,x}
```
This commit allows only one directory to be specified and simplifies this to:
```
rm -rf /tmp/x && mkdir /tmp/x && build/some-generator /tmp/x
```
tmpfiles: optionally, decode string to write to files with base64
This is useful to use "f" or "w" to write arbitrary binary files to
disk, or files with newlines and similar (for example to provision SSH
host keys and similar).
coredump: Connect stdout/stderr to /dev/null before doing anything
When invoked as the coredump handler by the kernel, systemd-coredump's
stdout and stderr streams are closed. This is dangerous as this means
the fds can get reallocated, leading to hard to debug errors such as
log messages ending up being appended to a compressed coredump file.
To avoid such issues in the future, let's bind stdout/stderr to
/dev/null so the file descriptors can't get used for anything else.
pid1: import creds from SMBIOS too, not just qemu's fw_cfg
This imports credentials also via SMBIOS' "OEM vendor string" section,
similar to the existing import logic from fw_cfg.
Functionality-wise this is very similar to the existing fw_cfg logic,
both of which are easily settable on the qemu command line.
Pros and cons of each:
SMBIOS OEM vendor strings:
- pro: fast, because memory mapped
- pro: somewhat VMM independent, at least in theory
- pro: qemu upstream sees this as the future
- pro: no additional kernel module needed
- con: strings only, thus binary data is base64 encoded
fw_cfg:
- pro: has been supported for longer in qemu
- pro: supports binary data
- con: slow, because IO port based
- con: only qemu
- con: requires qemu_fw_cfg.ko kernel module
- con: qemu upstream sees this as legacy
This can be useful for users of slow block devices.
For example, the persistent-storage rules are needed for USB floppy
drives to be recognized by udisks2, but the extra blkid calls cause
thrashing for 25+ seconds after every disk change.
With this change, a user wishing to avoid the extra blkid invocation(s)
could create /etc/udev/rules.d/55-floppy-noprobe.rules as follows:
```
# Don't probe PC floppy drives
SUBSYSTEM=="block", KERNEL=="fd*", \
ENV{UDEV_DISABLE_PERSISTENT_STORAGE_BLKID_FLAG}="1"
```
I didn't exclude floppies by default in this change, because floppy
devices are also emulated by some BIOSes/hypervisors in some cases, and
I don't know how many systems would fail to boot if /dev/disk/by-uuid/*
became unavailable for 'floppy disks' on those systems.
base-filesystem: pick more conservative access mode for /root/
Let's not allow anyone to look into /root/ if we create it via the
base-filesystem logic. i.e. change 0755 → 0750 as default access mode
for /root/, in case we create it if it happens to be missing.
growfs: Expand FS even if underlying block expansion fails
This allows growfs to expand the filesystem even when the underlying
block device cannot be expanded. This has been useful for example on
LUKS devices that have already been expanded using systemd-repart.
This works around the following error:
```
root@mobian:/home/mobian# /usr/lib/systemd/systemd-growfs /
crypt_resize() of /dev/block/179:2 failed: Operation not permitted
```
This causes systemd-growfs to exit before resizing the partition when
`--dry-run` is passed. Resizing during a dry run of a change breaks the
user's expectations.
growfs: insist we open a directory when opening fs mount point
This is a simple safety check, since we shouldn't invoke ioctls on fds
without being reasonably sure they are of the right type. Since ioctls
are overloaded, we might otherwise be tricked into executing an operation on
an fd which means something different from what we expect.
man: lift pam_systemd_homed description to Summary
Also change the title to describe the module more comprehensively.
Follow-up for 90bc309aa2c1430941f4c50f73e681ab3e488bd3. Suggested
in https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5.