Yu Watanabe [Tue, 21 Jan 2025 20:24:35 +0000 (05:24 +0900)]
catalog: modernize code
- set destructors to catalog_hash_ops,
- acquire OrderedHashmap when necessary,
- gracefully handle NULL catalog directories and output stream,
- rename function output arguments,
- add many many assertions,
- use RET_GATHER().
Andrew Sayers [Thu, 23 Jan 2025 08:06:57 +0000 (08:06 +0000)]
Clarify that Conflicts= only applies when starting units
The "vice versa" in the old text could be interpreted as either
(wrong) "stopping the former will start the latter", or
(right) "starting the latter will stop the former".
Yu Watanabe [Thu, 23 Jan 2025 09:11:30 +0000 (18:11 +0900)]
run: add --job-mode= argument (#34708)
systemctl has a --job-mode= argument, and adding the same argument to
systemd-run is useful for starting transient scopes with dependencies.
For example, if a transient scope BindsTo a service that is stopping,
specifying --job-mode=replace will wait for the service to stop before
starting it again, while the default job mode of "fail" will cause the
systemd-run invocation to fail.
Gavin Li [Thu, 10 Oct 2024 20:07:16 +0000 (16:07 -0400)]
run: add --job-mode= argument
systemctl has a --job-mode= argument, and adding the same argument to
systemd-run is useful for starting transient scopes with dependencies.
For example, if a transient scope BindsTo a service that is stopping,
specifying --job-mode=replace will wait for the service to stop before
starting it again, while the default job mode of "fail" will cause the
systemd-run invocation to fail.
Yu Watanabe [Thu, 23 Jan 2025 00:04:12 +0000 (09:04 +0900)]
core/device: do not drop backslashes in SYSTEMD_WANTS=/SYSTEMD_USER_WANTS= (#35869)
Let consider the following udev rules:
```
PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service"
PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service"
```
Then, a device expectedly gains a property:
```
SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
```
After the event being processed by udevd, PID1 processes the device, the
property previously was parsed with
`extract_first_word(EXTRACT_UNQUOTE)`, then the device unit gained the
following dependencies:
```
Wants=test1@foox2dbarx2dbaz.service test2@aaax2dbbbx2dccc.service
```
So both `%i` and `%I` for the template services did not match with the
original data, and it was hard to use `systemd-escape` in `PROGRAM=`
udev rule token.
This makes the property parsed with
`extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE)`, hence the
device unit now gains the following dependencies:
```
Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
```
and `%I` for the template services match with the original data.
The commit reworked job merging logic so that reload jobs
won't get merged. However, they might get dropped from
transaction due to being deemed redundant, i.e. way before
it even hits job_install(). Let's make sure reload jobs
are always kept during transaction construction stage, too.
Daan De Meyer [Wed, 22 Jan 2025 14:58:13 +0000 (15:58 +0100)]
mkosi: Update to latest
With the latest mkosi, mkosi takes care of making sure it is
available within mkosi sandbox so we get rid of all the --preserve-env=
options when we invoke mkosi sandbox with sudo as these are not
required anymore. It also doesn't matter anymore if mkosi is installed
in /usr on the host so we get rid of the documentation around that as
well.
Daan De Meyer [Wed, 22 Jan 2025 21:24:36 +0000 (22:24 +0100)]
mkosi: Run two more mkosi commands with sudo
Running some mkosi commands as root and other not can lead to cache
invalidations with the latest version, so make sure we run everything
as root after we've built the tools tree.
Yu Watanabe [Sat, 11 Jan 2025 08:54:43 +0000 (17:54 +0900)]
udevadm-test: allow to specify extra directories to load udev rules files
This adds -D/--extra-rules-dir=DIR switch for 'udevadm test' command.
When specified, udev rules files in the specified directory will be also
loaded. This may be useful for debugging udev rules by copying some udev
rules files to a temporary directory.
Yu Watanabe [Mon, 6 Jan 2025 08:26:52 +0000 (17:26 +0900)]
core/device: do not drop backslashes in SYSTEMD_WANTS=/SYSTEMD_USER_WANTS=
Let consider the following udev rules:
===
PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service"
PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service"
===
Then, a device expectedly gains a property:
===
SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
After the event being processed by udevd, PID1 processes the device, the
property previously was parsed with extract_first_word(EXTRACT_UNQUOTE),
then the device unit gained the following dependencies:
===
Wants=test1@foox2dbarx2dbaz.service test2@aaax2dbbbx2dccc.service
===
So both '%i' and '%I' for the template services did not match with the original
data, and it was hard to use systemd-escape in PROGRAM= udev rule token.
This makes the property parsed with extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE),
hence the device unit now gains the following dependencies:
===
Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
and '%I' for the template services match with the original data.
errno handling for NSS is always a bit weird since NSS modules generally
are not particularly careful with it. Hence let's initialize errno
explicitly before we invoke getpwent() so that we know it's in a
reasonable state afterwards on failure, or zero if not.
We do this in most places we use NSS, including in userdb when it comes
to getgrent(), just for getpwent() we don't so far. Address that.
The getopt() parser was completely wrong, it expected an argument where
wasn't expected or processes.
The test cases only passed by accident because they use the "user" verb
which is also the default verb. It would be accidently read as argument
for --fuzzy and ignored.
Daan De Meyer [Wed, 22 Jan 2025 13:55:45 +0000 (14:55 +0100)]
test: Make sure we run lcov from the meson source directory
In ac75c5192797082c1965ab30be4711490f2937bc, we accidentally changed
the working directory that the tools executed in the wrapper script
are invoked in. This broke our invocations of lcov. Let's explicitly
run those in the meson source directory again to fix the coverage
workflow.
Yu Watanabe [Tue, 21 Jan 2025 18:45:11 +0000 (03:45 +0900)]
networkd-test: unconditionally stop previous invocation of networkd before starting new one
When networkd is already running, creating some .network files and
friends and starting networkd does not take any effect. Let's always
restart networkd when we want to start a new invocation.
Mike Yuan [Mon, 20 Jan 2025 20:48:27 +0000 (21:48 +0100)]
mountpoint-util: some tweaks for fd_is_mount_point()
- Drop fstat() fallback path now that we assume fdinfo
is available
- Use at_flags_normalize_nofollow()
- Accept empty path the same way as NULL
- Accept fd being AT_FDCWD and filename being "."
The documentation and code agree on the same name, since always, but
when I put together the IDL I made a mistake and insert a "Not" that
wasn't supposed to be there.
Daan De Meyer [Tue, 21 Jan 2025 12:48:13 +0000 (13:48 +0100)]
TEST-74-AUX-UTILS: Move run0 pcrlock test to TEST-70-TPM
On CentOS Stream 9/10 booting mkosi qemu with --firmware=linux doesn't
add the virtual TPM to the virtual machine which means TEST-74-AUX-UTILS.run.sh
fails because it requires a TPM.
Let's move the systemd-pcrlock logic that requires a TPM to
TEST-70-TPM.pcrlock to avoid the problem.
Daan De Meyer [Mon, 20 Jan 2025 12:57:02 +0000 (13:57 +0100)]
mkosi: Run more commands as root
zypper has some new rather questionable userspace level permission
checking that blows ups completely when operating as root on an
cache directory owned by a non-root user, so let's build the tools
tree and set up meson as root to avoid the issue.
(https://github.com/openSUSE/libzypp/issues/603)
Also drop a leftover debug message from coverage.yml while we're at
it.
pam_systemd_home: support login with alias names + user names with realms
This in particular makes sure that we normalize the user name and update
it in the PAM session, once we acquire it. This means that if you have a
user with name "a" and alias "b", and the user logs in as "b" they end
up properly with "a" as user name set, as intended by the PAM gods.
Moreover, if you have a user "c" in a ralm "d", they may log in by
specifying "c" or "c@d", with equivalent results.
user-record: add helper that checks if a provided user name matches a record
This ensures that user names can be specified either in the regular
short syntax or with a realm appended, and both are accepted. (The
latter of course only if the record actually defines a realm)
Luca Boccassi [Mon, 20 Jan 2025 00:30:48 +0000 (00:30 +0000)]
ukify: add --policy-digest option
Uses the newly added policy-digest verb of systemd-measure, for the same
purpose: build a UKI and get digests for the .pcrsig section out, so
that they can be offline signed and reattached
Luca Boccassi [Sun, 19 Jan 2025 22:50:53 +0000 (22:50 +0000)]
measure: add policy-digest verb
When doing offline signing we need to know the exact payload
to sign, and the 'calculate' verb doesn't really show that, it
shows the PCR values. But what we sign is the hash of the policy.
So add a new verb that outputs the json payload that goes in the
.pcrsig section, without the .sig object, so that we can take them
and give the .pol object to an offline and asynchronous signing
service, such as SUSE's Open Build Service, and then add the .sig
object to the json and attach it to a UKI.
random-util: include pidfdid in fallback RNG buffer
This doesn't make the RNG cryptographic strength, but if we have it
easily accessible, why not include the pidfd id. It is after all not
vulnerable to reuse.
projects / thirdparty / systemd.git / log
