Yu Watanabe [Fri, 27 Jun 2025 01:42:24 +0000 (10:42 +0900)]
tree-wide: use CONF_FILES_CHASE_BASENAME where root directory is specified
Otherwise, the result may point to outside of the root directory.
This also sets CONF_FILES_REGULAR and CONF_FILES_FILTER_MASKED, as the
callers will call fopen() or friends for the result, thus the enumerated
results must be non-empty regular files.
Previously, symlinks in the replacement was not chased, hence we may
inserted a path to outside of the root directory, or we may have wrong
judgement whether we should insert the replacement or not.
This makes the symlinks in the replacement also resolved.
Also, as the function is only used by tmpfiles and sysusers, this
enables CONF_FILES_REGULAR, CONF_FILES_CHASE_BASENAME, and
CONF_FILES_FILTER_MASKED_BY_SYMLINK flags.
Yu Watanabe [Fri, 27 Jun 2025 00:20:08 +0000 (09:20 +0900)]
conf-files: introduce CONF_FILES_CHASE_BASENAME flag
Previously, when a root directory is specified to conf_files_list() and
friends, the last component of each result was not resolved, even though
they internally chases the last component. So the caller needs to chase
the path again when the file is used.
This introduce a new flag that makes the whole path of each result is
resolved, hence caller can use it as is.
Yu Watanabe [Thu, 26 Jun 2025 00:42:16 +0000 (09:42 +0900)]
userdb: fix enumeration of .membership files
The man page nss-systemd(8) says
> The contents of these files are currently not read, and the files
> should be created empty.
But previously we filtered out such files, as the CONF_FILES_FILTER_MASKED
flag checks if a file is empty (or symlink to null), thus any empty files
were ignored.
To accept empty .membership files, let's use CONF_FILES_FILTER_MASKED_BY_SYMLINK.
Yaping Li [Fri, 27 Jun 2025 18:53:12 +0000 (11:53 -0700)]
test-xml: migrate to new assertion macros (#37990)
We recently added a new set of assertion macros such as ASSERT_GE,
ASSERT_OK, ASSERT_EQ, ... which show not only the expression that failed
but also the values of the arguments of the expression. Let's use them.
resolved: don't wait for TLS close_notify replies unnecessarily
This is based on #35764 by Guruswamy Basavaiah, but covers further code
paths.
This ensures that when we initiate a TLS shutdown we'll write out our
own close_notify message, but not wait for the close_notify reply from
the server side anymore.
resolved: when determining error to return, prefer "conclusive" over "inconclusive" errors
When asked to look something up, and all scopes we contact fail we need
to pick a suitable error code for the failure, and given that we look up
things on multiple scopes we might have multiple errors to choose from.
So far we simply picked the error from the last scope in the list, which
hence would be pretty arbitrary.
Let's tweak this a bit, and if we have multiple errors to choose from,
let's prefer "conclusive" failures over "inconclusive" ones. The
"inconclusive" ones in this sense are the ones where we didn't even issue
a request, but couldn't even do that because we had no server, no
network or things like that. The "conclusive" ones are the errors we got
from a server, that hence a "real" in a way.
This addresses the confusion described in #37969. For LLMNR lookups we
generally refuse looking up A addresses via IPv6 and AAAA via IPv4. This
generates a DNS_TRANSACTION_NO_SERVERS error, which we would then return
for one type of lookup but not for the other, because the IPv6 scope is
generally created after the IPv4 one, and hence so far won.
timer: Do not recalculate monotonic elapse time on clock change
The only clock change that affects monotonic timers is suspend causing
CLOCK_MONOTONIC to fall behind CLOCK_BOOTTIME. However, monotonic timers
that use CLOCK_BOOTTIME are not intended to have their elapse time
changed after a suspend. Hence condition the calculation of monotonic
timers’ elapse times on the cause not being a clock change.
* b2fe7ba6b1 Do not use return in finally
* b4f3088535 Ensure directories exist before running sync scripts
* e83e7036b0 mkosi-obs: also allow enrolling additional certs in KEK
* b6432fbc29 initrd: Copy /etc/pki/rpm-gpg into sandbox tree
* 44b96b93c8 Partially revert "resources: add systemd-boot-efi"
* 7a22260179 Check that keys are both in context.cli and history
* 6570b21a4b fix: Remove `erofs-utils` from initrd
* ff61c5022a mkosi-initrd: Add atkbd and i8042 modules to the default
initrd modules
* eaa37f7c6c Generate initrds outside of umask context manager
* de09209520 ci: Drop differential shellcheck
* d07c6b93c9 build(deps): bump github/codeql-action from 3.28.16 to
3.28.18
* 9a12fb1bef Check that commit exists in config_parse_minimum_version()
* 9e5b4f8932 kmod: factor out comparison and also count empty
directories as invalid
* 39ed5ef6c2 apt: support including additional configuration for
reprepro
Let's make the fs sector size configurable. This also adds
infrastructure so that we can pick different sector sizes as defaults
eventually, but doesn't actually do that.
(Background: I think we should probably default to native sector size
for the ESP, but Daan disagrees, so I'll leave this out for now).
boot: downgrade log messages about invalid timeouts
We correctly handle invalid timeouts being stored in EFI variables, but
because we deal with this gracefully we should downgrade the log level
to warning, and say "ignoring" in the log message.
* b2fe7ba6b1 Do not use return in finally
* b4f3088535 Ensure directories exist before running sync scripts
* e83e7036b0 mkosi-obs: also allow enrolling additional certs in KEK
* b6432fbc29 initrd: Copy /etc/pki/rpm-gpg into sandbox tree
* 44b96b93c8 Partially revert "resources: add systemd-boot-efi"
* 7a22260179 Check that keys are both in context.cli and history
* 6570b21a4b fix: Remove `erofs-utils` from initrd
* ff61c5022a mkosi-initrd: Add atkbd and i8042 modules to the default initrd modules
* eaa37f7c6c Generate initrds outside of umask context manager
* de09209520 ci: Drop differential shellcheck
* d07c6b93c9 build(deps): bump github/codeql-action from 3.28.16 to 3.28.18
* 9a12fb1bef Check that commit exists in config_parse_minimum_version()
* 9e5b4f8932 kmod: factor out comparison and also count empty directories as invalid
* 39ed5ef6c2 apt: support including additional configuration for reprepro
Jan Čermák [Tue, 24 Jun 2025 16:54:44 +0000 (18:54 +0200)]
journal-gatewayd: fix handling of num_skip pointing beyond the last entry
When `num_skip` is supplied to the `Range` header, journal-gatewayd
always returns the very last record even though it should have been
skipped. This is because the `sd_journal_next_skip` always returns
non-zero value on the first call, leading to one iteration of the
`request_reader_entries` returning the last record.
To avoid this unexpected behavior, check that the number of lines we
have skipped by is not lower than the requested skip value. If it is,
then it means there are lines which should not be returned now -
decrement the n_skip counter then and return from the function, closing
the stream if follow flag is not set.
terminal-util: switch from TCSADRAIN to TCSANOW for all tcsetattr() calls
TCSADRAIN means tcsetattr() will become blocking (waiting for ability to
write out queued bytes), which is problematic, if the referenced TTY is
dead for some reason.
Since all these calls just modify *input* parameters anyway (i.e. mostly
local echo, and canonical mode), forcing out queued output is kinda
pointless anyway, hence just don't do it: leave it in the queue and just
change the flags we want to change.
The tcsetattr(3) man page kinda hints that we want to use TCSANOW here,
because it documents for TCSADRAIN:
"This option should be used when changing parameters that affect
output."
Which one can read so that TCSADRAIN should not be used if it doesn't
affect output, which is the case here.
I'm not convinced by the reasoning here. The practice of
forward declarations should be confined in headers only,
and any actual invocation of functions in source files
needs to include the original header. strv_split_full()
for instance takes ExtractFlags, and callers will need
to include extract-word.h to get the value definitions.
Now, indeed some -util headers export the most relevant
system header too, notably pidfd-util. But fs-util doesn't
seem to be coupled with any specific header, hence I'm
skeptical about such inclusion.
Yu Watanabe [Tue, 24 Jun 2025 17:31:48 +0000 (02:31 +0900)]
man: fix @BUILD_ROOT@ insertion
@BUILD_ROOT@ is replaced with the _quoted_ build path. Hence, if
@BUILD_ROOT@ is quoted, the result is doubly quoted, and the script does
not work if the path contains spaces.
Yu Watanabe [Sat, 21 Jun 2025 16:40:25 +0000 (01:40 +0900)]
fs-util: use int for argument that takes F_OK and friends
access_nofollow() is a simple wrapper of faccessat(), and it is defined as
```
int faccessat(int dirfd, const char *pathname, int mode, int flags);
```
Yu Watanabe [Sat, 21 Jun 2025 16:34:36 +0000 (01:34 +0900)]
fs-util: include fcntl.h in fs-util.h
fs-util.h provides access_nofollow() but it did not include neither
fcntl.h nor unistd.h, which define F_OK and friends. Hence we cannot use
the function without including one of the headers. Let's include fcntl.h
in fs-util.h, then we can use the function by simply including fs-util.h.
Yu Watanabe [Thu, 19 Jun 2025 15:59:32 +0000 (00:59 +0900)]
tree-wide: include missing_fs.h only where necessary
The additional definitions provided by the header are
- EXT4_IOC_RESIZE_FS, used in resize-fs.c,
- FILEID_KERNFS, used in cgroup-util.c and pidfd-util.c.
udev: reset loopback block device ownership and mode on detach
Loopback block devices are agressively reused, without being removed in
between. This means various inode attributes on their device nodes will
– so far – remain in effect between uses of the devices. Since there are
applications which change access mode/ownership of such devices after
attaching files to them, let's undo this again when we detect them to be
unused again.
user-record: also support "aliases" in the "status" section of user records
Some user record providers might want to implement case-insensitive user
record matching, or other forms of non-normalized matching. So far
uderdb didn't allow that, because client's typically revalidate the
returned user records against the search keys (at least our clients do)
– they check if the search user name is actually part of the user record
and its aliases.
In order to support such lookups we thus need to allow the looup keys to
be part of the user record, but also not be persisted in it, because
the number of casings/spellings of a username might be ridiculously
high.
A nice way out is to allow "aliases" not only in the main part of the
record, but also in the "status" part, that contains information
dynamically determined at query time. We can insert a second "aliases"
field there, which the parser will then merge with the primary "aliases"
field, but the existing rules around "status" ensure tha the data is
never persisted.
console: when switching console modes and one doesn't work, always go for the next
So far we already had a logic in place to go for the next mode if some
mode doesn't work – but it was only applied if we'd actively cycle
through resolutions.
Let's extend the logic and always apply it: whenever we try to switch to
a mode, and it doesn't work, go to the next one until we find one that
works.
Yu Watanabe [Fri, 20 Jun 2025 21:50:26 +0000 (06:50 +0900)]
cpu-set-util: introduce config_parse_cpu_set()
Then, make parse_cpu_set() as a tiny wrapper of it.
Note, previously when an invalid CPU range, e.g. "3-0", is specified,
we ignore the range but allocate an empty set. But, with this commit,
now the conf parser simply ignore it without no side effect.
This potentially changes behavior of a system with such invalid setting,
but the change should be favorable for consistency with other parsers.
Yu Watanabe [Sat, 21 Jun 2025 01:32:40 +0000 (10:32 +0900)]
udev/net: several cleanups for config_parse_rps_cpu_mask()
- Previously, `LinkConfig.rps_cpu_mask == NULL` indicates setting RPS
will be skipped, but now make the condition is changed to
`LinkConfig.rps_cpu_mask.set == NULL`. Then, we can avoid allocating
CPUSet when something configured.
- When "disable" or "all", now allocate a temporal object, and then
replace with it.
Yu Watanabe [Fri, 20 Jun 2025 22:37:36 +0000 (07:37 +0900)]
core,test: use parse_cpu_set()
As it is defined as
```
static inline int parse_cpu_set(const char *rvalue, CPUSet *cpu_set){
return parse_cpu_set_full(rvalue, cpu_set, false, NULL, NULL, 0, NULL);
}
```
Yu Watanabe [Fri, 20 Jun 2025 21:25:35 +0000 (06:25 +0900)]
cpu-set-util: several cleanups for cpu_set_realloc(), cpu_set_add() and friends
- introduce CPU_SET_MAX_NCPU and check overflow several more places,
- use GREEDY_REALLOC0(),
- introduce cpu_set_add_range() helper function,
- explicitly (re)alloc first before setting multiple bits.
Let's downgrade the log message about our attempts to deal with an
ordering cycle to warning, because this is a "positive" thing, we try to
improve an earlier error.
OTOH increase the log level when we first log about the cycle to error,
since that highlights the actual problem.
Yu Watanabe [Sun, 22 Jun 2025 23:55:54 +0000 (08:55 +0900)]
glob-util: rework safe_glob()
Currently, callers of safe_glob() set an empty glob_t or glob_t with
opendir func, and all other components are always zero.
So, let's introduce safe_glob_full() which optionally takes opendir
function, rather than glob_t, and returns result strv, rather than
storing results in glob_t.
Also, introduce safe_glob() which is a trivial wrapper of
safe_glob_full() without opendir func.
Yu Watanabe [Sun, 22 Jun 2025 02:09:11 +0000 (11:09 +0900)]
test-glob-util: drop redundant test cases
The removed glob() with GLOB_ALTDIRFUNC is exactly the same as what
safe_glob() does, which is tested in TEST(safe_glob) below.
Let's drop the test cases.
Valentin David [Mon, 10 Mar 2025 09:53:41 +0000 (10:53 +0100)]
Use paths specified from environment variables for /etc configuration files
Some configuration files that need updates are directly under in /etc. To
update them atomically, we need write access to /etc. For Ubuntu Core this is
an issue as /etc is not writable. Only a selection of subdirectories can be
writable. The general solution is symlinks or bind mounts to writable places.
But for atomic writes in /etc, that does not work. So Ubuntu has had a patch
for that that did not age well.
Instead we would like to introduce some environment variables for alternate
paths.
While it is for now expected that there is a symlink from the standard, we
still try to read them from that alternate path. This is important for
`/etc/localtime`, which is a symlink, so we cannot have an indirect symlink or
bind mount for it.
Since machine-id is typically written only once and not updated. This commit
does not cover it. An initrd can properly create it and bind mount it.
userdb: when loading a user record from JSON, mark 'secret' section in JSON variant as sensitive as side effect
When we load a user record we retain a reference to the original JSON.
Thus the loaded objects might live at least as long as our user record
object, hence we better make sure we set the 'sensitive' flag for the
'secret' section if it's not marked like that yet.
This is paranoia only: we already should be setting this flag properly
earlier, when acquiring the json variant in the first place. But it's
better to be safe than sorry.
projects / thirdparty / systemd.git / log
