systemd-journald.service conflicts with soft-reboot.target,
so make sure anything surviving soft-reboot and trying
to log to journal doesn't fail the socket units.
The commit naively returned early from socket_enter_running(), which however
is quite problematic, as the socket will be woken up over and over again
without doing a thing, until we eventually hit Poll/TriggerLimit*=.
On top of that it requires hacks to hold the start job for initrd-switch-root.service
up. Overall I doubt that is the right approach.
Let's instead hook this into our job engine, and try to activate
the service again when some other units are stopped. If all installed
jobs have been run yet we're still seeing the conflict or the manually
selected timeout is reached, fail the socket as before.
The offending commit tries to block systemd-udevd.service
from being activated during switch-root, but it is a dirty hack
and causes problems with e.g. Ctrl-Alt-Delete handling which
actually need to start a conflicting target. Let's revert
this here, and the original issue will be resolved in a cleaner
fashion in later commits.
Nick Labich [Fri, 27 Jun 2025 15:39:46 +0000 (11:39 -0400)]
nspawn: Add --bind-user-shell= to control shells for --bind-user
Prior to this change, no user shell can be specified in the user
records passed into a container via --bind-user=. This new option
allows users to:
1. When false (the default), continue to specify no user shell for
each bound user record, resulting in the use of the container's
default shell for bound users.
2. When true, include each host user's shell in the corresponding
user record passed into a container (via --bind-user=).
3. When an absolute path, set that path as the user shell for each
user record passed into a container (via --bind-user=).
This does not change the existing behavior, but allows users to
opt-in to either copy the shells specified by the host user records
or override the shell explicitly by path.
Michael Ferrari [Fri, 27 Jun 2025 16:26:10 +0000 (18:26 +0200)]
repart: add support for `Format=empty`
This is a new meta value for the `Format=` option, which is equivalent
as specifying `Label=_empty` and `NoAuto=1` for compatibility with
sd-sysupdate.
Yu Watanabe [Tue, 24 Jun 2025 19:51:20 +0000 (04:51 +0900)]
tree-wide: include unistd.h where necessary
We use symbols provided by unistd.h without including it. E.g.
open(), close(), read(), write(), access(), symlink(), unlink(), rmdir(),
fsync(), syncfs(), lseek(), ftruncate(), fchown(), dup2(), pipe2(),
getuid(), getgid(), gettid(), getppid(), pipe2(), execv(), _exit(),
environ, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO, F_OK, and their
friends and variants, so on.
Currently, unistd.h is indirectly included mainly in the following two paths:
- through missing_syscall.h, which is planned to covert to .c file.
- through signal.h -> bits/sigstksz.h, which is new since glibc-2.34.
Note, signal.h is included by sd-eevent.h. So, many source files
indirectly include unistd.h if newer glibc is used.
Currently, our baseline on glibc is 2.31. We need to support glibc older
than 2.34, but unfortunately, we do not have any CI environments with
such old glibc. CIFuzz uses glibc-2.31, but it builds only fuzzers, and
many files are even not compiled.
Yu Watanabe [Sat, 28 Jun 2025 01:25:05 +0000 (10:25 +0900)]
conf-files: fix an empty root handling in conf_files_list_strv()
Before 50c81130b69d04288f50217bede709bac6ca2b1a, the function used
chase(), hence if root is an empty string, each config directory made
prefixed with the current working directory if it is relative. See
implementation of chase().
With 50c81130b69d04288f50217bede709bac6ca2b1a, conf_files_list_strv()
internally uses chaseat(), hence each config directory is not prefixed
anymore even if it is relative.
To restore the previous behavior, this makes
- if root is an empty string, prefix each config directories with the
current working directory if relative.
- if root is relative, make it absolute to make the prefixed results also
absolute, and debugging logs show absolute paths.
- use chaseat_prefix_root() to prefix the results, for safety.
Yu Watanabe [Sat, 28 Jun 2025 11:55:11 +0000 (20:55 +0900)]
path-util: move empty_or_root_to_null() from chase.c
And rename it to empty_or_root_harder_to_null(), as it also checks if
the input path effectively points to the root by calling path_is_root().
This also adds simple test cases for the function.
The commit was merged without review, and has several issues.
Let's revert the change now, and address the issue pointed out by
the commit later in another way.
The commit was mistakenly merged without review. Also as pointed at
https://github.com/systemd/systemd/pull/37972#discussion_r2173234198
now the output is confusing. Let's revert at least now.
[1] says:
> Since 0.60.0 the name argument is optional and defaults to the basename of
> the first output
We specify >= 0.62 as the supported version, so drop the duplicate name in all cases
where it is the same as outputs[0], i.e. almost all cases.
meson: quote paths in generated systemd-runtest.env
Looking at aecb6eaed7d39d73f296c86a882c644b18b7e634, it seems that we
want build paths with spaces to be supported. Let's use 'printf %q' here
to make that work. Also, use capture:true to make the command less complicated.
Yu Watanabe [Fri, 27 Jun 2025 01:42:24 +0000 (10:42 +0900)]
tree-wide: use CONF_FILES_CHASE_BASENAME where root directory is specified
Otherwise, the result may point to outside of the root directory.
This also sets CONF_FILES_REGULAR and CONF_FILES_FILTER_MASKED, as the
callers will call fopen() or friends for the result, thus the enumerated
results must be non-empty regular files.
Previously, symlinks in the replacement was not chased, hence we may
inserted a path to outside of the root directory, or we may have wrong
judgement whether we should insert the replacement or not.
This makes the symlinks in the replacement also resolved.
Also, as the function is only used by tmpfiles and sysusers, this
enables CONF_FILES_REGULAR, CONF_FILES_CHASE_BASENAME, and
CONF_FILES_FILTER_MASKED_BY_SYMLINK flags.
Yu Watanabe [Fri, 27 Jun 2025 00:20:08 +0000 (09:20 +0900)]
conf-files: introduce CONF_FILES_CHASE_BASENAME flag
Previously, when a root directory is specified to conf_files_list() and
friends, the last component of each result was not resolved, even though
they internally chases the last component. So the caller needs to chase
the path again when the file is used.
This introduce a new flag that makes the whole path of each result is
resolved, hence caller can use it as is.
Yu Watanabe [Thu, 26 Jun 2025 00:42:16 +0000 (09:42 +0900)]
userdb: fix enumeration of .membership files
The man page nss-systemd(8) says
> The contents of these files are currently not read, and the files
> should be created empty.
But previously we filtered out such files, as the CONF_FILES_FILTER_MASKED
flag checks if a file is empty (or symlink to null), thus any empty files
were ignored.
To accept empty .membership files, let's use CONF_FILES_FILTER_MASKED_BY_SYMLINK.
Yaping Li [Fri, 27 Jun 2025 18:53:12 +0000 (11:53 -0700)]
test-xml: migrate to new assertion macros (#37990)
We recently added a new set of assertion macros such as ASSERT_GE,
ASSERT_OK, ASSERT_EQ, ... which show not only the expression that failed
but also the values of the arguments of the expression. Let's use them.
resolved: don't wait for TLS close_notify replies unnecessarily
This is based on #35764 by Guruswamy Basavaiah, but covers further code
paths.
This ensures that when we initiate a TLS shutdown we'll write out our
own close_notify message, but not wait for the close_notify reply from
the server side anymore.
resolved: when determining error to return, prefer "conclusive" over "inconclusive" errors
When asked to look something up, and all scopes we contact fail we need
to pick a suitable error code for the failure, and given that we look up
things on multiple scopes we might have multiple errors to choose from.
So far we simply picked the error from the last scope in the list, which
hence would be pretty arbitrary.
Let's tweak this a bit, and if we have multiple errors to choose from,
let's prefer "conclusive" failures over "inconclusive" ones. The
"inconclusive" ones in this sense are the ones where we didn't even issue
a request, but couldn't even do that because we had no server, no
network or things like that. The "conclusive" ones are the errors we got
from a server, that hence a "real" in a way.
This addresses the confusion described in #37969. For LLMNR lookups we
generally refuse looking up A addresses via IPv6 and AAAA via IPv4. This
generates a DNS_TRANSACTION_NO_SERVERS error, which we would then return
for one type of lookup but not for the other, because the IPv6 scope is
generally created after the IPv4 one, and hence so far won.
timer: Do not recalculate monotonic elapse time on clock change
The only clock change that affects monotonic timers is suspend causing
CLOCK_MONOTONIC to fall behind CLOCK_BOOTTIME. However, monotonic timers
that use CLOCK_BOOTTIME are not intended to have their elapse time
changed after a suspend. Hence condition the calculation of monotonic
timers’ elapse times on the cause not being a clock change.
* b2fe7ba6b1 Do not use return in finally
* b4f3088535 Ensure directories exist before running sync scripts
* e83e7036b0 mkosi-obs: also allow enrolling additional certs in KEK
* b6432fbc29 initrd: Copy /etc/pki/rpm-gpg into sandbox tree
* 44b96b93c8 Partially revert "resources: add systemd-boot-efi"
* 7a22260179 Check that keys are both in context.cli and history
* 6570b21a4b fix: Remove `erofs-utils` from initrd
* ff61c5022a mkosi-initrd: Add atkbd and i8042 modules to the default
initrd modules
* eaa37f7c6c Generate initrds outside of umask context manager
* de09209520 ci: Drop differential shellcheck
* d07c6b93c9 build(deps): bump github/codeql-action from 3.28.16 to
3.28.18
* 9a12fb1bef Check that commit exists in config_parse_minimum_version()
* 9e5b4f8932 kmod: factor out comparison and also count empty
directories as invalid
* 39ed5ef6c2 apt: support including additional configuration for
reprepro
Let's make the fs sector size configurable. This also adds
infrastructure so that we can pick different sector sizes as defaults
eventually, but doesn't actually do that.
(Background: I think we should probably default to native sector size
for the ESP, but Daan disagrees, so I'll leave this out for now).
boot: downgrade log messages about invalid timeouts
We correctly handle invalid timeouts being stored in EFI variables, but
because we deal with this gracefully we should downgrade the log level
to warning, and say "ignoring" in the log message.
* b2fe7ba6b1 Do not use return in finally
* b4f3088535 Ensure directories exist before running sync scripts
* e83e7036b0 mkosi-obs: also allow enrolling additional certs in KEK
* b6432fbc29 initrd: Copy /etc/pki/rpm-gpg into sandbox tree
* 44b96b93c8 Partially revert "resources: add systemd-boot-efi"
* 7a22260179 Check that keys are both in context.cli and history
* 6570b21a4b fix: Remove `erofs-utils` from initrd
* ff61c5022a mkosi-initrd: Add atkbd and i8042 modules to the default initrd modules
* eaa37f7c6c Generate initrds outside of umask context manager
* de09209520 ci: Drop differential shellcheck
* d07c6b93c9 build(deps): bump github/codeql-action from 3.28.16 to 3.28.18
* 9a12fb1bef Check that commit exists in config_parse_minimum_version()
* 9e5b4f8932 kmod: factor out comparison and also count empty directories as invalid
* 39ed5ef6c2 apt: support including additional configuration for reprepro
Jan Čermák [Tue, 24 Jun 2025 16:54:44 +0000 (18:54 +0200)]
journal-gatewayd: fix handling of num_skip pointing beyond the last entry
When `num_skip` is supplied to the `Range` header, journal-gatewayd
always returns the very last record even though it should have been
skipped. This is because the `sd_journal_next_skip` always returns
non-zero value on the first call, leading to one iteration of the
`request_reader_entries` returning the last record.
To avoid this unexpected behavior, check that the number of lines we
have skipped by is not lower than the requested skip value. If it is,
then it means there are lines which should not be returned now -
decrement the n_skip counter then and return from the function, closing
the stream if follow flag is not set.
terminal-util: switch from TCSADRAIN to TCSANOW for all tcsetattr() calls
TCSADRAIN means tcsetattr() will become blocking (waiting for ability to
write out queued bytes), which is problematic, if the referenced TTY is
dead for some reason.
Since all these calls just modify *input* parameters anyway (i.e. mostly
local echo, and canonical mode), forcing out queued output is kinda
pointless anyway, hence just don't do it: leave it in the queue and just
change the flags we want to change.
The tcsetattr(3) man page kinda hints that we want to use TCSANOW here,
because it documents for TCSADRAIN:
"This option should be used when changing parameters that affect
output."
Which one can read so that TCSADRAIN should not be used if it doesn't
affect output, which is the case here.
I'm not convinced by the reasoning here. The practice of
forward declarations should be confined in headers only,
and any actual invocation of functions in source files
needs to include the original header. strv_split_full()
for instance takes ExtractFlags, and callers will need
to include extract-word.h to get the value definitions.
Now, indeed some -util headers export the most relevant
system header too, notably pidfd-util. But fs-util doesn't
seem to be coupled with any specific header, hence I'm
skeptical about such inclusion.
Yu Watanabe [Tue, 24 Jun 2025 17:31:48 +0000 (02:31 +0900)]
man: fix @BUILD_ROOT@ insertion
@BUILD_ROOT@ is replaced with the _quoted_ build path. Hence, if
@BUILD_ROOT@ is quoted, the result is doubly quoted, and the script does
not work if the path contains spaces.
Yu Watanabe [Sat, 21 Jun 2025 16:40:25 +0000 (01:40 +0900)]
fs-util: use int for argument that takes F_OK and friends
access_nofollow() is a simple wrapper of faccessat(), and it is defined as
```
int faccessat(int dirfd, const char *pathname, int mode, int flags);
```
Yu Watanabe [Sat, 21 Jun 2025 16:34:36 +0000 (01:34 +0900)]
fs-util: include fcntl.h in fs-util.h
fs-util.h provides access_nofollow() but it did not include neither
fcntl.h nor unistd.h, which define F_OK and friends. Hence we cannot use
the function without including one of the headers. Let's include fcntl.h
in fs-util.h, then we can use the function by simply including fs-util.h.
Yu Watanabe [Thu, 19 Jun 2025 15:59:32 +0000 (00:59 +0900)]
tree-wide: include missing_fs.h only where necessary
The additional definitions provided by the header are
- EXT4_IOC_RESIZE_FS, used in resize-fs.c,
- FILEID_KERNFS, used in cgroup-util.c and pidfd-util.c.
udev: reset loopback block device ownership and mode on detach
Loopback block devices are agressively reused, without being removed in
between. This means various inode attributes on their device nodes will
– so far – remain in effect between uses of the devices. Since there are
applications which change access mode/ownership of such devices after
attaching files to them, let's undo this again when we detect them to be
unused again.
user-record: also support "aliases" in the "status" section of user records
Some user record providers might want to implement case-insensitive user
record matching, or other forms of non-normalized matching. So far
uderdb didn't allow that, because client's typically revalidate the
returned user records against the search keys (at least our clients do)
– they check if the search user name is actually part of the user record
and its aliases.
In order to support such lookups we thus need to allow the looup keys to
be part of the user record, but also not be persisted in it, because
the number of casings/spellings of a username might be ridiculously
high.
A nice way out is to allow "aliases" not only in the main part of the
record, but also in the "status" part, that contains information
dynamically determined at query time. We can insert a second "aliases"
field there, which the parser will then merge with the primary "aliases"
field, but the existing rules around "status" ensure tha the data is
never persisted.
projects / thirdparty / systemd.git / log
