git: Add post-rewrite hook that invokes git submodule update
git rebase does not support a --recurse-submodules switch to automatically
check out the submodules at their registered commits during or after a rebase.
Instead, let's use the post-rewrite git hook to do this ourselves.
secure-boot: tighten enrollment logic a bit regarding file sizes
It's OK the dbx file is not loaded, but let's explicitly check for that
(i.e. if the buffer is actually non-NULL), rather than the size of the
bufer, since empty files actually do exist.
Or in other words, let's not magically suppress enrollment of empty
files, but let uefi firmware handle these on their own.
sd-journal: make sure sd_journal_add_match() also accepts SIZE_MAX as size
In many of our internal functions that take a pointer + a size we have
introduced the rule that SIZE_MAX as size means: take strlen().
sd_journal_add_match() has something similar, but the special value is
0, not SIZE_MAX. This is a bit ugly, since a zero size data block is
theoretically fine. The only reason sd_journal_add_match() gets away
with using this special value is because valid matches must consist of
at least 2 chars, hence cannot be zero.
But let's make this more robust and less surprising when compared to the
rest of our code, and *also* accept SIZE_MAX to mean strlen().
If we try to deserialize only a pidfd that points to a process that
has been reaped, creating the pidref object will fail, which means that
we'll try to create a pidref object from the serialized pid that comes
next. If the pid has already been reused, this will succeed and we'll
now have a pidref that points to a different process.
Let's avoid this issue by serializing both the pidfd and the pid and
creating the pidref object directly from both. This means we'll reuse
the deserialized pidfd instead of opening a new one. We'll then immediately
notice the pidfd is dead and do the appropriate follow up depending on
the unit type.
network/sysctl: round IPv6 MTU with the current device MTU rather than the maximum MTU
Otherwise, writing IPv6 MTU may fail.
This also makes link_set_ipv6_mtu() take log level about rounding IPv6 MTU,
and downgrade the log level from LOG_WARNING -> LOG_INFO, as we usually
use LOG_WARNING for per-interface critical failure.
The timeout on sd-resolved's side is 5-10s (UDP or TCP), but dig's
default timeout is 5s. Let's give sd-resolved enough time to timeout
before either giving up or checking if it served stale data on dig's
side.
test: let curl show a potential error in silent mode
I collected a couple of fails in this particular test, but without any
output they're impossible to debug. Let's make this slightly less
annoying and let curl show an error (if any) even in silent mode.
This patch uncovers that curl has been (silently) complaining about not
being able to write to the output destination, because `grep -q`
short-circuits on the first match and doesn't bother reading the rest,
so replace `grep -q` with `grep ... >/dev/null` to force grep to always
read the whole thing from curl.
test: forward journal to console in TEST-24-CRYPTSETUP
If we fail to mount the encrypted /var during boot we're left with
nothing to debug, so let's do the same thing we do for TEST-08-INITRD
and forward journal to the console.
network/address-generation: regenerate IPv6 prefix stable address on conflict
If a generated address with IPv6Token=prefixstable conflicts with the
one on another node or interface, let's generate another address and try
to assign it.
tree-wide: make sure net/if.h is included before any linux/ header
The linux/ headers include linux/libc-compat.h that makes sure the
linux/ headers won't redeclare symbols already declared by net/if.h, but
glibc's net/if.h doesn't do that, so if the include order is reversed
we'll end up with a bunch of errors about redeclared stuff:
This also drops remaining workarounds from the last time this issue was
brought up (6f270e6bd8) since they shouldn't be needed anymore if the
order of the includes is the "correct" one. I also added a comment to
each affected include when this is inevitably encountered again in the
future.
Just like we already have $SYSTEMD_PACKAGES for systemd packages to
re-install in the main image, let's add $INITRD_PACKAGES for all
systemd packages to re-install in the initrd.
mkosi: Install openSUSE-release instead of distribution-release
distribution-release is a virtual package that is by default satisfied
by the openSUSE MicroOS-release package. Let's make sure we pull in the
generic openSUSE-release package instead by installing
patterns-base-minimal_base which has a Suggests dependency on
openSUSE-release which makes sure it takes priority over the MicroOS one.
We might want to run the build scripts outside of mkosi as well at
some point, e.g. to build an rpm after booting the image, so let's
make them more generic by using /usr/lib/os-release to figure out
which pkg specs we should use instead of $PKG_SUBDIR. To make ubuntu
use the debian pkg spec, we add a symlink pkg/ubuntu which points to
debian/ in the same directory.
dns_transaction_request_dnssec_rr was already adjusted in 400171036592,
to allow for the return parameter to be passed uninitialized. However
this codepath was missed, meaning this function could sometimes return
success without having actually set the parameter.
Fixes: 400171036592 ("resolved: minor dnssec fixups") Fixes: 47690634f157 ("resolved: don't request the SOA for every dns label")
network/dhcp6: return earlier if no lease acquired
Previously, even If an interface has not acquired a DHCPv6 lease,
networkd logs a misleading message:
===
Apr 09 10:44:57 systemd-networkd[3970750]: veth99: DHCPv6 lease lost
===
The function should do nothing when no lease acquired. Let's return
earlier and suppress the log message.
This allows us to build and install after booting without having to
build a new image. Together with
https://github.com/systemd/mkosi/pull/2601 and after enabling
RuntimeBuildSources=yes, after booting, "meson install -C /work/build"
can be used to do an incremental build and install. This won't build
proper packages, but will be invaluable for having a quick compile,
edit, test cycle without having to rebuild the image all the time.
networkd: report error if lease file cannot be loaded and ignore
On my system, networkd would report that interface ve-rawhide is "Failed"
without anything in the logs:
systemd-networkd[651095]: ve-rawhide: Trying to reconfigure the interface.
systemd-networkd[651095]: ve-rawhide: Gained IPv6LL
systemd-networkd[651095]: ve-rawhide: Link DOWN
systemd-networkd[651095]: ve-rawhide: Lost carrier
systemd-networkd[651095]: ve-rawhide: Configuring with /usr/lib/systemd/network/80-container-ve.network.
systemd-networkd[651095]: ve-rawhide: Link UP
systemd-networkd[651095]: ve-rawhide: Gained carrier
systemd-networkd[651095]: ve-rawhide: Failed
At debug level:
systemd-networkd[799993]: dhcp-server-lease/ve-rawhide:1:1: Missing object field 'Address'.
I'm not sure why "Address" is missing, but anyway, in this case, we should ignore the
lease file rather than refusing to configure the interface. Also, warn at the point
where we know what the filename is.
test-execute: check for s390x first and duplicate test
s390x will define both s390x and s390, so exec-personality-s390.service is ran
in both cases but fails on s390x, as the personality returned is s390x.
Split the test and check specifically for s390x.