Ronan Pigott [Fri, 1 Mar 2024 04:42:43 +0000 (21:42 -0700)]
resolve: skip IP_UNICAST_IF for local sockets
SO_BINDTODEVICE was used during connect() to fix an issue where
IP_UNICAST_IF was improperly ignored for route lookups made by connect
in linux. This has since been resolved upstream [1][2], but as a result
we must apply the local socket excpetion to IP_UNICAST_IF as well.
The SO_BINDTODEVICE is no longer necessary, but left in place for 5.x
kernels.
For the very similar case of the product UUID we have its own error
BUS_ERROR_NO_PRODUCT_UUID if we have no UUID. Let's mirror this for the
hardware serial, and expose the same, to keep things nicely symmteric.
This also replaces the Fedora download example with another one from
Ubuntu, since Fedora's images these days no longer qualify as DDIs, they
have no distinctive partition type UUIDs set for multiple of their
partitions, hence the images cannot be booted. A bit sad. Let's provide
a command that just works in its place.
It's a bit weird we allow importing/pulling/exporting images, but we
have no scheme for showing what#s already downloaded. Hence let's add
this, it's easy to add after all.
Let's downgrade log levels a bit on HTTP error codes. After all we
gracefully handle many of them, and we do generated an extra message for
the ones which are fatal anyway, hence there's no point in emphasizing
the HTTP erro message levels as we currently do.
importd: make keeping pristine copy of downloaded images optional
Previously, when downloading an image, importd would first download them
into one image which it would then consider immutable (named after the
originating URL/etag), and then immediately make a copy of it (named
after the client chosen name).
This makes some sense in VM/container cases where the images are
typically mutable, and thus the original downloaded copy is of some
value.
For sysexts/confexts/portable this doesn't make much sense though, as
they are typically immutable. Hence make the concept optional.
This adds --keep-download=yes/no as a new option that controls the
above. Moreover it disables the behaviour for all image classes but
"machine". The behaviour remains enabled for "machine", for compat.
importd: validate local image names with the right helper
A while back we introduced image_name_is_valid() for validating image
file names. It's more liberal than hostname_is_valid() in many ways (and
allows version suffixes and such). Since importd deals in offline images
(as opposed to machined otherwise which deals in running machines),
let's hence use the right helper to validate the identifiers.
importd: add support for downloading sysext/confext/portable images too
This adds "Ex" versions of all bus calls import implements, that make
two changes:
1. A "class" parameter is added that allows choosing between
machine/sysext/confext/portable images to download. Depending on the
chose class the target directory is selected differently (i.e. not
just /var/lib/machines/, but alternatively /var/lib/portables/,
/var/lib/extensions/, /var/lib/confexts/.
2. The boolean flags are replaced by a 64bit flags parameter.
The two enums are mostly the same, the former is just an extension of
the latter. Let's merge them, to simplify things. This is particularly
useful as we then can reuse this systematically as D-Bus method call
flags too, in a generic fashion that works for both imports and pulls
the same.
if we try to open file:// URLs that don't exist, we'll not get IO/timer
events about it, hence it is not sufficient to check for completion in
these events. Let's add a defer event, to deal with that.
Also, curl_multi_info_read() is a queue, make sure to handle all events
that might be queued.
Luca Boccassi [Fri, 1 Mar 2024 16:53:50 +0000 (16:53 +0000)]
CI: free up diskspace before mkosi jobs
The runner has a lot of useless things installed, taking ~10GB, and
jobs have started to fail when booting images due to lack of disk
space, so delete some directories to make room.
2024-02-27T20:20:58.0998709Z ##[warning]You are running out of disk space. The runner will stop working when the machine runs out of disk space. Free space left: 0 MB
Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
Luca Boccassi [Sat, 10 Feb 2024 23:51:57 +0000 (23:51 +0000)]
measure: add support for --certificate and --private-key-source for engine/provider signing
Allow signing with an OpenSSL engine/provider, such as PKCS11. A public key is
not enough, a full certificate is needed for PKCS11, so a new parameter is
added for that too.
Luca Boccassi [Sun, 11 Feb 2024 20:15:51 +0000 (20:15 +0000)]
repart: add --private-key-source and drop --private-key-uri
It turns out it's mostly PKCS11 that supports the URI format,
and other engines just take files. For example the tpm2-tss-openssl
engine just takes a sealed private key file path as the key input,
and the engine needs to be specified separately.
Add --private-key-source=file|engine:foo|provider:bar to
manually specify how to use the private key parameter.
Adrian Vovk [Mon, 5 Feb 2024 00:21:29 +0000 (19:21 -0500)]
user-record: Add preferredSession{Type,Launcher}
These will be used by display managers to pre-select the user's
preferred desktop environment and display server type. On homed, the
display manager will also be able to set these fields to cache the
user's last selection.
tree-wide: switch dlopen hooks over to DLSYM_PROTOTYPE()/DLSYM_FUNCTION()
We have these pretty macros, let's use them everywhere (so far we mostly
used them for newer additions only).
This PR is mostly an excercise in "perl -p -i -e", but there are some
special cases:
* idn-util.c exposes a function whose prototype in the official library
headers is marked with the "const" attribute, and this apparently does
not propagate along typeof() correctly and then
__builtin_types_compatible_p() fails later because it detects that
prototype and original function don't match in prototype.
* libbpf removed some symbols in newer versions, hence we need to define
some prototypes manually to still be able to build.
* libcryptsetup marked a symbol as deprecated we want to use (knowing it
is deprecated). By using the macros this is detected by the compiler.
We work around it via the usual warning off macros.
Note by using these macros we assume that all symbols are known during
build time. Which might not be the case. We might need to revert this
commit for some symbols if this trips up builds on older distros.
Tomáš Pecka [Thu, 7 Oct 2021 09:16:57 +0000 (11:16 +0200)]
sd-lldp-rx: serialize LLDP neighbors to JSON format
Add functions serializing LLDP neighbors to JSON (JsonVariant).
The entry contains a chassis id, system name and port id of the remote
neighbor. Also it possibly contains an integer coding the enabled system
capabilities and port description.
While it is generally worthwhile for systemd to drop split-usr support,
these options are NOT about split-usr support. The universal location of
POSIX sh is always /bin/sh. Bash is pretty reasonably standardized there
too.
This happens irrespective of /bin being a symlink to /usr/bin.
Ramifications of this change include things like:
- portably running shell scripts that might run very nearly anywhere
- /etc/shells support
For standardization and compatibility reasons, these commands with these
paths need to be consistently found on any system, and thus distros make
sure this works, although even on split-usr systems /usr/bin/bash may be
a symlink to /bin/bash.
Embedding the *access path* of bash as /usr/bin/bash in systemd, for
example in libnss_systemd.so, means that login shells must agree with
systemd on how they invoke the shell. End result: users fail to login
because of access violations.
This cannot be fixed by "fixing PAM" because PAM does not follow
symlinks by design: one example is that it needs to treat rbash as
different from bash.
Fixes: https://bugs.gentoo.org/919749 Signed-off-by: Eli Schwartz <eschwartz93@gmail.com>
ssh-generator: don't do AF_VSOCK stuff if we run in a container
Tighten our VM check: whether we run in a VM is not enough to do
AF_VSOCK. We also need to check if we are run in a container, because if
we run in a container inside a VM then we should *not* do the AF_VSOCK
stuff, but leave the port free for the VM itself.
This makes it easier for people packaging kernel-install plugins
to get the path right.
E.g. https://src.fedoraproject.org/rpms/python-virt-firmware/pull-request/3
fixes an issue where %{_libdir}/kernel/install.d was used,
which gives incorrect results on 64-bit architectures.
%_kernel_install_dir will make this even easier.
Michael Biebl [Wed, 28 Feb 2024 15:11:14 +0000 (16:11 +0100)]
Drop build-api support
It appears the build-api effort at
https://github.com/cgwalters/build-api hasn't really caught on.
systemd appears one of the very few projects actually supporting it.
It does confuse certain tools though. E.g. debhelper by finding a
configure script wrongly assumes this is an autoconf project and thus
needs to be told explicitly that this is in fact a Meson project [1].
Given that Meson is an established build system by now, it appears ok to
drop this compat layer, which will never be fully complete anyway.
Luca Boccassi [Wed, 28 Feb 2024 23:46:15 +0000 (23:46 +0000)]
semaphore: speed up build
- avoid stripping debug symbols and creating dbgsym packages
- avoid LTO, slows down build a lot
- avoid compressing packages, they are thrown out immediately after use
- avoid building udeb packages, not needed
projects / thirdparty / systemd.git / log
