anphir [Fri, 3 May 2024 08:34:05 +0000 (10:34 +0200)]
man: improve documentation about using resource-control options
According to the documentation in systemd.resource-control(5),
resource-control options may be used in mount, scope, service,
slice, socket and swap units.
While e.g. systemd.service(5) includes that information,
documentation for some other units does not.
The most problematic example is systemd.slice(5).
Its documentation states a slice unit may only contain [Install]
and [Unit] sections, while actually it may contain also a [Slice]
section with options from systemd.resource-control(5).
units/user/app.slice is an example of a slice unit having a [Slice]
section.
nspawn, vmspawn, run0: add env var for turning off background tinting
Some people are just sad, sad lost souls who don't like even the tiniest
ray of color in their life. Let's add an env var knob for allowing them
to turn the background tinting off, to drive the last bit of color from
their life so that they can stay in their grey grey life.
Yu Watanabe [Wed, 1 May 2024 21:18:52 +0000 (06:18 +0900)]
journal: explicitly sync namespaced journals before stopping socket units
Otherwise, if a service unit that requests LogNamespace= stopped before
systemd-journald@.service is started, logs generated by the service will be
lost, as systemd-journald@.socket is stopped and
systemd-journald@.service will never started.
To prevent the issue, let's introduce another implicit dependency to
a oneshot service that explicitly synchronizes a namespaced journal file
when the log namespace is not needed anymore.
libfido2-util: fix a regression in the pre-flight mechanism
The recently merged PR #32295 introduced support for the credProtect
extension, but in doing so, it broke the discoverability of credentials
by setting the policy to FIDO_CRED_PROT_UV_REQUIRED for UV-less,
PIN-protected credentials. This policy would require us to pass the PIN
to the token in the pre-flight request to be able to discover it,
which defeats the purpose of pre-flight requests as they're supposed
to be non-interactive.
This commit restricts the usage of credProtect to UV credentials only.
Looks like since [0] the Super-Linter repo was moved to
super-linter/super-linter and github/super-linter is just a fork, so
let's update the reference accordingly.
logs-show: adjust source timestamp with header timestamp
Previously, _SOURCE_REALTIME_TIMESTAMP was only used for realtime
timestamp, and _SOURCE_MONOTONIC_TIMESTAMP was for monotonic.
This make these journal field used more aggressively. If we need
realtime timestamp, but an entry has only _SOURCE_MONOTONIC_TIMESTAMP,
then now realtime timestamp is calculated based on
_SOURCE_MONOTONIC_TIMESTAMP and the header dual timestamp.
Similary, monotonic timestamp is obtained from
_SOURCE_REALTIME_TIMESTAMP and the header dual timestamp.
This should change shown timestamps not so much in most cases, but may
be improve the situation such as #32492.
resolved: validate authentic insecure delegation to CNAME
If the parent zone uses a non-opt-out method that provides authenticated
negative DS replies, we still can't expect signatures from the child
zone. sd-resolved was using the authenticated status of the DS reply to
require signatures for CNAMEs, even though it had already proved that no
signature exists.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
Ronan Pigott [Wed, 1 May 2024 05:15:18 +0000 (22:15 -0700)]
resolved: probe for dnssec support in allow-downgrade mode
Previously, sd-resolved unnecessarily requested SOA records for each dns
label in the query, even though they are not needed for the chain of
trust. Since 47690634f157, only the necessary records are queried when
validating.
This is actually a problem in allow-downgrade mode, since we will no
longer attempt a query for a record that we know is signed a priori, and
will therefore never update our belief about the state of dnssec support
in the recursive resolver.
Rectify this by reintroducing a query for the root zone SOA in the
allow-downgrade case, specifically to test that the resolver attaches
the RRSIGs which we know must exist.
Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
Daan De Meyer [Wed, 1 May 2024 12:41:41 +0000 (14:41 +0200)]
network/tc: Avoid concurrent set modification in tclass_drop()/qdisc_drop()
With the current algorithm, we can end up removing entries from the
qdisc/tclass sets while having multiple open iterators over the sets at
various positions which leads to assertion failures in the hashmap logic
as it's only safe to remove the "current" entry.
To avoid the problem, let's split up marking and dropping of tclasses
and qdiscs. First, we recursively iterate tclasses/qdiscs and mark all
that need to be removed. Next, we iterate once over tclasses and qdiscs
and remove all marked entries.
Daan De Meyer [Wed, 1 May 2024 14:10:48 +0000 (16:10 +0200)]
test: Follow symlinks when copying with rsync
We have e.g. 25-default.link in test-network/ which becomes a broken
symlink when installed so let's not copy the symlinks but follow them
instead so they don't become broken.
TEST-26-SYSTEMCTL is racy as we call systemctl is-active immediately
after systemctl kill. Let's implement --wait for systemctl kill and
use it in TEST-26-SYSTEMCTL to avoid the race.
On OpenSUSE the systemd-hostnamed does not fail and is unloaded which
causes reset-failed to fail. So let's ignore any errors from reset-failed
to make the test more robust.
The rootfs only has 64K UIDs available when booting with virtiofs,
whereas the nspawn tests want to use user namespace which require
more than 64K UIDs.
- drop unnecessary SYNTHETIC_ERRNO() when the logger does not propagate
error code,
- drop unnecessary '%m' in error message when the error code is
specified with SYNTHETIC_ERRNO(),
- add missing full stop at the end of log message,
- use RET_GATHER(),
- add missing ", ignoring.",
- upeercase the first letter, etc., etc...
TEST-04-JOURNAL: Make LogFilterPatterns= tests more robust
Let's use oneshot services as we don't need long running services
for the tests we're doing. Let's also increase the sleeps a little
as the current values weren't sufficient when running the test locally
on my machine with mkosi.
Richard Maw [Sat, 17 Feb 2024 21:42:45 +0000 (21:42 +0000)]
TEST-35-LOGIN: Handle multiple lock messages per sleep
If 3 lock messages get sent when going to sleep
then we can falsely assume we have woken up if we only assume we have at least two
so checking we have more than we did before sleeping addresses that issue.
mkosi: Use symlinks instead of bind mounts for Arch
With bind mounts, the directories we bind mount to get recorded as
the meson source and build directories. This means meson will complain
if we later try to run meson install -C /work/build in the virtual
machine or container. If we use symlinks, the directories we symlink to
will be recorded as the meson source and build directories, which means
meson install -C /work/build will work when executed after booting the
VM or container.
I tried to do the same for debian as well but the debian package tooling
changes directory into the build directory and then does meson setup ..
which is completely broken when switching to a symlink.
Piotr Drąg [Tue, 30 Apr 2024 12:36:16 +0000 (14:36 +0200)]
po: add a false positive to POTFILES.skip
Scripts used to detect files that should be in POTFILES.in, like
intltool-update -m used on https://l10n.gnome.org/module/systemd/,
falsely detect this file as containing translations. Avoid this
behavior by putting the file in POTFILES.skip.
docs: autopkgtest: refresh the docs with up-to-date information
@iainlane doesn't work on Ubuntu infrastructure anymore, and `bionic` is still ESM, but not really supported anymore either.
`noble`, which is the latest Ubuntu, probably is better for testing `systemd` in 2024, and pinging `qa-help` on IRC is the current official way to contact the team behind Ubuntu's infrastructure.
Recent lcov started complaining loudly about unknown lines in gperf
files:
...
Found gcov version: 13.2.1
Using intermediate gcov format
Recording 'internal' directories:
...
Finished processing 1634 GCNO files
Apply filtering..
Message summary:
1 error message:
range: 1
28 warning messages:
gcov: 27
usage: 1
geninfo: ERROR: (range) unknown line '33' in /build/src/home/homed-gperf.gperf: there are only 22 lines in the file.
Use 'geninfo --filter range' to remove out-of-range lines.
(use "geninfo --ignore-errors range ..." to bypass this error)
Since we drop the coverage of built files from the final report anyway,
let's do it also when capturing both initial and real coverage to avoid
this error.
test: Don't persist journal in mkosi image if we're not debugging tests
If we're not debugging tests, there's no point in persisting the journal,
so let's use the volatile journal storage mode in that case to avoid doing
unnecessary work.
We don't disable journal storage alltogether since various tests check
that stuff is written to the journal.