ci: explicitly change oom-{score}-adj before running tests
For some reason root in GH actions is able to _decrease_ its oom score
even after dropping all capabilities (including CAP_SYS_RESOURCE), until
the oom score is changed explicitly after sudo:
$ systemd-detect-virt
microsoft
$ sudo su -
~# capsh --drop=all -- -c 'capsh --print; grep -H . /proc/self/oom*; choom -p $$ -n -101'
Current: =
Bounding set =
Ambient set =
Current IAB: !cap_chown,!cap_dac_override,!cap_dac_read_search,...,!cap_sys_resource,...,!cap_checkpoint_restore
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
/proc/self/oom_adj:8
/proc/self/oom_score:1000
/proc/self/oom_score_adj:500
pid 22180's OOM score adjust value changed from 500 to -101
~# choom -p $$ -n 500
pid 22027's OOM score adjust value changed from 500 to 500
~# capsh --drop=all -- -c 'capsh --print; grep -H . /proc/self/oom*; choom -p $$ -n -101'
Current: =
Bounding set =
Ambient set =
...
uid=0(root) euid=0(root)
gid=0(root)
groups=0(root)
Guessed mode: UNCERTAIN (0)
/proc/self/oom_adj:8
/proc/self/oom_score:1000
/proc/self/oom_score_adj:500
choom: failed to set score adjust value: Permission denied
I have no idea what's going on, but it breaks
exec-oomscoreadjust-negative.service from test-execute when running
unprivileged.
ci: make the build dir accessible when running w/o privileges
Otherwise the unprivileged part of test-execute gets silently skipped:
/* test_run_tests_unprivileged */
Successfully forked off '(test-execute-unprivileged)' as PID 20998.
...
pin_callout_binary: build dir binary: /home/runner/work/systemd/systemd/build/systemd-executor
pin_callout_binary: open(/home/runner/work/systemd/systemd/build/systemd-executor)=-13
Failed to pin executor binary: No such file or directory
(test-execute-unprivileged): manager_new, skipping tests: No such file or directory
(test-execute-unprivileged) succeeded.
meson/man: allow man pages to use multiple conditions
This way the man pages are installed only when the corresponding binary is
installed. The conditions in man pages and man/rules/meson.build are adjusted to
match the conditions for units in units/meson.build.
test: use 'ahost' instead of 'hosts' where applicable
As explained in [0] the 'hosts' database uses deprecated
gethostbyname2() which uses AF_INET6 instead of AF_UNSPEC for IPv6
lookups which is broken and makes the test fail with disabled IPv6.
test: bump the timeout for test-execute subtests if running w/ QEMU
Bump the timeout for test-execute subtests if running with plain QEMU
(as part of TEST-02-UNITTESTS), since we might start hitting the default
2m timeout with some more involved subtests, especially when the AWS
region we're running in is under heavy load. I see this regularly in the
CentOS Stream 9 nightly cron job with exec-dynamicuser-statedir.service
which has a lot of ExecStart's.
resolved: remove entry from cache when goodbye packet received
RFC6762 10.1 says that queriers receiving a Multicast DNS response with a TTL
of zero SHOULD record a TTL of 1 and then delete the record one second later.
Added a timer event to trigger a callback to clean-up the cache one second after
a goodbye packet is received. The callback also checks for any cache entries
expiring within the next one second and schedules follow-up cleanup callbacks
accordingly.
Matteo Croce [Tue, 27 Feb 2024 20:28:14 +0000 (21:28 +0100)]
dynamically load compression libraries
Dynamically load liblz4, libzstd and liblzma with dlopen().
This helps to reduce the size of the initrd image when these libraries
are not really needed.
Matteo Croce [Tue, 27 Feb 2024 06:36:46 +0000 (07:36 +0100)]
move dlfcn-util into basic
I'm going to dlopen_many_sym_or_warn() in src/basic/compress.c, this
will introduce a circular dependency because libshared already depends
from libbasic.
To avoid this, move dlfcn-util.c from libshared to libbasic.
Nick Rosbrook [Mon, 4 Mar 2024 20:43:57 +0000 (15:43 -0500)]
test: check for kernel.apparmor_restrict_unprivileged_userns
Some tests in test-execute are already skipped if we do not have
unprivileged user namespaces. Extend this check to look for an apparmor
specific sysctl indicating that unprivileged userns creation is
restricted.
Luca Boccassi [Sun, 3 Mar 2024 18:14:31 +0000 (18:14 +0000)]
test: fix test-resolved-stream unit test failure
On Noble setting this ioctl fails:
1570s 819/1330 systemd:resolve / test-resolved-stream FAIL 0.14s killed by signal 6 SIGABRT
1570s Successfully forked off '(usernstest)' as PID 27737.
1570s Skipping PR_SET_MM, as we don't have privileges.
1570s (usernstest) succeeded.
1570s Assertion 'ioctl(socket_fd, SIOCSIFFLAGS, &req) >= 0' failed at src/resolve/test-resolved-stream.c:372, function try_isolate_network(). Aborting.
Luca Boccassi [Sun, 3 Mar 2024 18:15:26 +0000 (18:15 +0000)]
test: fix test-loopback failure when lacking privileges
Setting up the loopback might fail due to lack of privileges, as it
happens when running unit tests in the Noble CI environment. Skip
the test when it happens.
1584s 862/1330 systemd:test / test-loopback FAIL 0.01s exit status 1
1584s /* test_loopback_setup */
1584s Failed to configure loopback network device, ignoring: Operation not permitted
1584s loopback: Operation not permitted
hostnamectl: gracefully handle old hostnamed replies to GetHardwareSerial()
Old versions of hostnamed used to propagate ENODEV/ENOENT as-is. Bad
idea. This was fixed in 171ddae1a122e9c97b4ef12ccb2d29e1ba7a318a, but
let's handle this gracefully in hostnamectl.
test: explicitly set TERM=linux for TEST-69-SHUTDOWN
sulogin from the latest util-linux started falling back to vt102 instead
of linux, which makes screen sad (because we install only the linux
terminfo into the test image) and expect trips over the unexpected
warning. Let's just explicitly set TERM=linux before invoking screen to
avoid this.
+ make -C TEST-69-SHUTDOWN setup run
...
INFO:test-shutdown:log in and start screen
root
root
Last login: Sun Mar 3 13:19:31 from 18.191.105.60
-bash-5.2# screen
screen
Cannot find terminfo entry for 'vt102'.
-bash-5.2# ERROR:test-shutdown:Timeout exceeded.
Mike Yuan [Sun, 3 Mar 2024 10:37:36 +0000 (18:37 +0800)]
man/sd_notify: be explicit that FDPOLL= is not a global setting
"submitted" is already used in the description of FDNAME=.
Let's use that instead of "stored" for FDPOLL= too, to make
it more clear that it's a per-submission/per-fdset setting.
Piotr Drąg [Sat, 2 Mar 2024 15:06:15 +0000 (16:06 +0100)]
po: add false positives to POTFILES.skip
Scripts used to detect files that should be in POTFILES.in, like
intltool-update -m used on https://l10n.gnome.org/module/systemd/,
falsely detect these files as containing translations. Avoid this
behavior by putting the files in POTFILES.skip.
Ronan Pigott [Fri, 1 Mar 2024 04:42:43 +0000 (21:42 -0700)]
resolve: skip IP_UNICAST_IF for local sockets
SO_BINDTODEVICE was used during connect() to fix an issue where
IP_UNICAST_IF was improperly ignored for route lookups made by connect
in linux. This has since been resolved upstream [1][2], but as a result
we must apply the local socket excpetion to IP_UNICAST_IF as well.
The SO_BINDTODEVICE is no longer necessary, but left in place for 5.x
kernels.
For the very similar case of the product UUID we have its own error
BUS_ERROR_NO_PRODUCT_UUID if we have no UUID. Let's mirror this for the
hardware serial, and expose the same, to keep things nicely symmteric.
This also replaces the Fedora download example with another one from
Ubuntu, since Fedora's images these days no longer qualify as DDIs, they
have no distinctive partition type UUIDs set for multiple of their
partitions, hence the images cannot be booted. A bit sad. Let's provide
a command that just works in its place.
It's a bit weird we allow importing/pulling/exporting images, but we
have no scheme for showing what#s already downloaded. Hence let's add
this, it's easy to add after all.
projects / thirdparty / systemd.git / log
