This adds what #39101 and #39070 did for the regular firstboot wizard
but for the homectl firstboot part: i.e. port to the generic prompt
loop, show the "chrome" bars, and mute the console.
And then it also makes querying for aux groups and shells optional,
because quite frankly, i am not sure what to answer there.
vmspawn: try to set up swtpm state for 4K RSA keys support
The next version of swtpm will support RSA4096, but it needs to be called
with a new parameter in order to do so. Try with it first, and if
execution fails, fallback to running without it.
This is especially needed for OBS builds, as the signing key is RSA4096
and cannot be changed by users, so the generated UKIs have RSA4096 signatures
for the pcrsig sections, and swtpm refuses them without the new support.
Revert "Bump required minimum version of libfido2 to 1.5.0" and add missing def instead
It helps nobody to break compatibility for a missing definition
for printing an error.
Just add the missing definition if not present, as it is already
done for thousands of others from the kernel, glibc, etc.
time-util: fix issues in parse_timestamp() and optimize performance
Previously, an input string ends with short timezone spec e.g. WET,
was parsed by setting $TZ environment variable to the timezone.
But the timezone might be different from the original local timezone,
thus the result might not follow the timezone change in the original
local timezone.
This makes the check of the short timezone spec with tzname[] earlier,
then it is not necessary to load another timezone file for e.g. WET,
and provides expected time.
This also make it use SAVE_TIMEZONE macro and drop use of forking
process. This makes greatly improve performance when parsing string
that contains timezone different from the current local timezone.
Unfortunately, there is still one corner case that our test fails.
When tzdata is built with rearguard enabled, then at least
Africa/Windhoek timezone does not provide correct time, but time shifted
1 hour from the original.
man: add missing description for udev_enumerate_new functions
Add proper description section for udev_enumerate_new(), udev_enumerate_ref(),
and udev_enumerate_unref() functions. The description matches the source code
comments for consistency.
firstboot: don't talk about any 'new' installation
The firstboot interface might pop-up also during live mode (because it's
just very useful to have the right kbd mapping applied), and that's
hardly a "new installation". Hence use more generic terms
firstboot: optionally, don't query for keymap unless connected to a real VT
The keymap only really matters if there's local access to a system, i.e.
if there's actually a physical kbd directly connected to it, to apply it
to. If during firstboot we are not talked to via a VT (but via SSH,
container, or hypervisor console or so instead), then it's very unlikely
we ever are. Hence, don't ask for a keymap, and let#s shortcut the
questions asked at boot.
We only show this blurb on the first question, but the first question is
interactive anyway, hence no need to wait for input first explicitly, we
won't progress anyway without user input.
ethtool-util: drop use of union ethtool_link_usettings
Previously, we shift arrays on read and then shift back on write.
It is inefficient and not necessary.
Let's directly use the buffer that kernel provides as is.
The very initial implementation sets cmd with zero when the bitmap
length does not match. But, it is fixed by
https://github.com/torvalds/linux/commit/793cf87de9d1a62dc9079c3ec5fcc01cfc62fafb
Fortunately, our code does not follow the outdated comment, but checks
cmd field correctly.
ethtool-util: drop use of deprecated ETHTOOL_GSET and ETHTOOL_SSET
The methods are deprecated since kernel v4.20,
https://github.com/torvalds/linux/commit/9b3004953503462a4fab31b85e44ae446d48f0bd
and they are trivial wrapper of ETHTOOL_GLINKSETTINGS and ETHTOOL_SLINKSETTINGS,
respectively. Hence, the fallback logic is nowadays completely
meaningless. Let's drop them.
Let's check both the per user machined and the system machined instead
of only the system machined. We give preference to the per user machined
and fall back to the system machined.
mute console kernel log/pid1 status output while firstboot is running (#39101)
This is also preparation for the installer later, split out of #38764.
It makes the experience a lot nicer if our nice little tools aren't
constantly interrupted by log spew from the kernel.
mute-console: add simple varlink service that can disable log/status spew to kernel console
For "wizard" style interactive tools it's very annoying if they are
interrupted by kernel log output or PID1's status output. let's add some
infra to disable this temporarily. I decided to implement this as an IPC
service so that we can make this robust: if the client request the
muting dies we can automatically unmute again.
This is hence a tiny varlink service, but it can also be started
directly from the cmdline.
It seems
- the address sanitizer on fedora 42 reports false-positive, or
- probing partitions in libblkid 2.40.4 has a bug.
Not sure which causes the issue, but anyway the address sanitizer
kills udev-worker when sym_blkid_partition_get_name() is called
in udev-builtin-blkid.c.
```
systemd-udevd[488]: ==488==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffdd716e020 at pc 0x563e3ca66fcb bp 0x7ffdd716d970 sp 0x7ffdd716d968
systemd-udevd[488]: READ of size 8 at 0x7ffdd716e020 thread T0 ((udev-worker))
(snip)
systemd-udevd[488]: HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
systemd-udevd[488]: (longjmp and C++ exceptions *are* supported)
systemd-udevd[488]: SUMMARY: AddressSanitizer: stack-buffer-underflow (/usr/bin/udevadm+0x187fca) (BuildId: 1fb56dbdf0447aba1185d6e34560b782b76098be)
(snip)
systemd-udevd[488]: Command: (udev-worker)
systemd-udevd[488]: ==488==ABORTING
```
Anton Tiurin [Mon, 15 Sep 2025 19:32:39 +0000 (12:32 -0700)]
networkd: fia xRequiredOperationalStateForOnline serializtion
In integration tests (for example TEST-85-NETWORK-NetworkctlTests)
LINK_OPERSTATE_RANGE_INVALID and required_for_online == -1 are serialized as
```
"RequiredForOnline": "true",
"RequiredOperationalStateForOnline": [null, null]
```
Such link should be reported as required_for_online=False and not
serialize nulls.
core/bpf-firewall: replace unnecessary unit_setup_cgroup_runtime() with unit_get_cgroup_runtime()
Except for the test, bpf_firewall_compile() is only called by the following:
cgroup_context_apply() -> cgroup_apply_firewall() -> bpf_firewall_compile()
and in the early stage of cgroup_context_apply(), it checks if the cgroup
runtime exists. Hence, it is not necessary to try to allocate the
runtime in bpf_firewall_compile().
core/bpf-firewall: make failures in loading custom BPF program not critical
All other resource control features work as 'best-effort', and failures
in applying them are handled gracefully. However, unlike the other features,
we tested if the BPF programs can be loaded and refuse execution on failure.
Moreover, the previous behavior of testing loading BPF programs had
inconsistency: the test was silently skipped if the cgroup for the unit does
not exist yet, but tested when the cgroup already exists.
Let's not handle failures in loading custom BPF programs as critical, but
gracefully ignore them, like we do for the other resource control features.
core/unit: fail earlier before spawning executor when we failed to realize cgroup
Before 23ac08115af83e3a0a937fa207fc52511aba2ffa, even if we failed to
create the cgroup for a unit, a cgroup runtime object for the cgroup is
created with the cgroup path. Hence, the creation of cgroup is failed,
execution of the unit will fail in posix_spawn_wrapper() and logged
something like the following:
```
systemd[1]: testservice.service: Failed to create cgroup /testslice.slice/testservice.service: Cannot allocate memory
systemd[1]: testservice.service: Failed to spawn executor: No such file or directory
systemd[1]: testservice.service: Failed to spawn 'start' task: No such file or directory
systemd[1]: testservice.service: Failed with result 'resources'.
systemd[1]: Failed to start testservice.service.
```
However, after the commit, when we failed to create the cgroup, a cgroup
runtime object is not created, hence NULL will be assigned to
ExecParameters.cgroup_path in unit_set_exec_params().
Hence, the unit process will be invoked in the init.scope.
```
systemd[1]: testservice.service: Failed to create cgroup /testslice.slice/testservice.service: Cannot allocate memory
systemd[1]: Starting testservice.service...
cat[1094]: 0::/init.scope
systemd[1]: testservice.service: Deactivated successfully.
systemd[1]: Finished testservice.service.
```
where the test service calls 'cat /proc/self/cgroup'.
To fix the issue, let's fail earlier when we failed to create cgroup.
This is the first part of #38728, just the machined stuff, no the
importd stuff.
This definitely makes sense of its own, hence let's get this in first.
The original PR contains a tescase that tests machined + importd in
combination. This PR here hence is without a testcase, but it's there,
just in the other PR.
This looks large and is large, but do note that much of the machined
changes are very repetitive: they conditionalize PK checks to the system
version, as PK doesn't make sense in the use rversion.
integration tests: do not adjust log level in the test script
We passes log level through kernel command line. It is not necessary to
set to debug level at the beginning, and set to info at the end.
This is important when a test has several subtests. If a subtest sets
log level to info at the end, then subsequent tests may not generate any
useful logs.
When HAVE_SECCOMP is not set, a build error happens:
../src/analyze/analyze-security.c: In function ‘get_security_info’:
../src/analyze/analyze-security.c:2449:13: error: unused variable ‘r’ [-Werror=unused-variable]
2449 | int r;
| ^
cc1: some warnings being treated as errors
Mike Yuan [Thu, 25 Sep 2025 20:28:33 +0000 (22:28 +0200)]
core/cgroup: make sure deserialized accounting data is not voided
Currently, cgroup_path is (de-)serialized after all the cached
accounting data. This is bogus though, since unit_set_cgroup_path()
destroys the CGroupRuntime object and starts afresh, discarding
all deserialized values. This matters especially for IP accounting,
whose BPF maps get recreated on reload/reexec and the previous values
are exclusively retrievable from deserialization. Let's hence swap things
around and serialize cgroup_path first, accounting data only afterwards.
discover-image: support runtime scope also for .nspawn settings files and the pool dir
discover-image.[ch] largely already supports per-scope operations, let's
extend this however to also cover finding .nspawn settings files and
managing the pool dir.
machined: do not allow unprivileged users to shell into the root namespace
We intend to make self-registering machines an unprivileged operation,
but currently that would allow an unprivileged user to register a
process they own in the root namespace, and then login as any
user they like, including root, which is not ideal.
Forbid non-root from shelling into a machine that is running in
the root user namespace.
gpt: Introduce function to convert verity hash or sig to data partition
Let's rename the existing partition_verity_to_data() to
partition_verity_hash_to_data() and make a new partition_verity_to_data() that
handles both verity hash and verity signature partitions.
Currently it's next to impossible to find out why dissect_image()
has failed with EADDRNOTAVAIL, so let's add debug logging and use
EREMOTE for the different architectures error to help out with
debugging a bit.
projects / thirdparty / systemd.git / log
