Yu Watanabe [Thu, 7 Dec 2017 05:21:13 +0000 (14:21 +0900)]
bootspec: fix debug message about default entry
When no entries matches with entry_oneshot, entry_default and
default_pattern, then log message shows a wrong entry.
Moreover, if none of entry_oneshot, entry_default and default_pattern
are set, then the index `i` is uninitialized.
This fixes such problem.
```
$ ./src/test/test-systemd-tmpfiles.py valgrind --leak-check=full --error-exitcode=1 ./build/systemd-tmpfiles
...
Running valgrind --leak-check=full --error-exitcode=1 ./build/systemd-tmpfiles on 'w /unresolved/argument - - - - "%Y"'
...
[<stdin>:1] Failed to substitute specifiers in argument: Invalid slot
...
==22602== 5 bytes in 1 blocks are definitely lost in loss record 1 of 2
==22602== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==22602== by 0x4ECA7D4: malloc_multiply (alloc-util.h:74)
==22602== by 0x4ECA909: specifier_printf (specifier.c:59)
==22602== by 0x113490: specifier_expansion_from_arg (tmpfiles.c:1923)
==22602== by 0x1144E7: parse_line (tmpfiles.c:2159)
==22602== by 0x11551C: read_config_file (tmpfiles.c:2425)
==22602== by 0x115AB0: main (tmpfiles.c:2529)
```
Olaf Hering [Wed, 6 Dec 2017 18:59:30 +0000 (19:59 +0100)]
virt: use /proc/xen as indicator for a Xen domain (#6442, #6662) (#7555)
The file /proc/xen/capabilities is only available if xenfs is mounted.
With a classic xenlinux based kernel that file is available
unconditionally. But with a modern pvops based kernel, xenfs must be
mounted before the "capabilities" may appear. xenfs is mounted very late
via .services files provided by the Xen toolstack. Other units may be
scheduled before xenfs is mounted, which will confuse the detection of
VIRTUALIZATION_XEN.
In all Xen enabled kernels, and if that kernel is actually running on
the Xen hypervisor, the "/proc/xen" directory is the reliable indicator
that this instance runs in a "Xen guest".
Adjust the code to check for /proc/xen instead of
/proc/xen/capabilities.
Fixes commit 3f61278b5 ("basic: Bugfix Detect XEN Dom0 as no virtualization")
Max Resch [Wed, 6 Dec 2017 14:29:52 +0000 (15:29 +0100)]
Set secure_boot flag in Kernel Zero-Page (#7482)
Setting the secure_boot flag, avoids getting the printout
"EFI stub: UEFI Secure Boot is enabled." when booting
a Linux kernel with linuxx64.efi.stub and EFI SecureBoot enabled.
This is mainly a cosmetic fixup, as the "quiet" kernel parameter does
not silence pr_efi printouts in the linux kernel (this only works using
the efi stub from the linux source tree)
test-execute: use the "nogroup" group if it exists for testing
We currently look for "nobody" and "nfsnobody" when testing groups, both
of which do not exist on Ubuntu, our main testing environment. Let's
extend the tests slightly to also use "nogroup" if it exists.
journal,coredump: do not do ACL magic for "nobody" user either
The "nobody" user might possibly be seen by the journal or coredumping
code if unmapped userns-using processes are somehow visible to them.
Let's make sure we don't do the ACL magic for this user either, since
this is a special system user that might be backed by different real
users in different contexts.
user-util: synthesize user records for "nobody" the same way as for "root"
We already synthesize records for both "root" and "nobody" in
nss-systemd. Let's do the same in our own NSS wrappers that are supposed
to bypass NSS if possible. Previously this was done for "root" only, but
let's clean this up, and do the same for "nobody" too, so that we
synthesize records the same way everywhere, regardless whether in NSS or
internally.
nss-systemd: tweak checks when we consult PID 1 for dynamic UID/GID lookups
Instead of contacting PID 1 for dynamic UID/GID lookups for all
UIDs/GIDs that do not qualify as "system" do the more precise check
instead: check if they actually qualify for the "dynamic" range.
This adds uid_is_system() and gid_is_system(), similar in style to
uid_is_dynamic(). That a helper like this is useful is illustrated by
the fact that test-condition.c didn't get the check right so far, which
this patch fixes.
resolved: downgrade log messages about incoming LLMNR/mDNS packets on unexpected scopes
This might very well happen due to races between joining multicast
groups and network configuration and such, let's not complain, but just
drop the messages at debug level.
test-systemd-tmpfiles: respect $HOME in test for %h expansion
%h is a special specifier because we look at $HOME (unless running suid, but
let's say that this case does not apply to tmpfiles, since the code is
completely unready to be run suid). For all other specifiers we query the user
db and use those values directly. I'm not sure if this exception is good, but
let's just "document" status quo for now. If this is changes, it should be in
a separate PR.
sd_path_home() returns ENXIO when a variable (such as $XDG_RUNTIME_DIR) is not
defined. Previously we used ENOKEY for unresolvable specifiers. To avoid having
two codes, or translating ENXIO to ENOKEY, I replaced ENOKEY use with ENXIO.
v2:
- use sd_path_home and change to ENXIO everywhere
An explicit --user switch is necessary because for the user@0.service instance
systemd-tmpfiles is running as root, and we need to distinguish that from
systemd-tmpfiles running in systemd-tmpfiles*.service.
ayekat [Fri, 24 Nov 2017 11:44:08 +0000 (12:44 +0100)]
tmpfiles: Add specifiers to allow running as user instance
This commit adds specifiers %U, %u and %h for the user UID, name and
home directory, respectively.
[zj: drop untrue copy-pasted comments and move the next text
to the new "Specifiers" section.
Now that #7444 has been merged, also drop the specifier functions.]
I want to add presets/user/ later. This mirrors the layout for units:
we have units/ and units/user. The advantage is that we avoid having yet
another directory at the top level.
As of current master, systemd-tmpfiles behaves correctly, apart from a trivial
typo. So let's tell github to close the bug.
With current git:
$ sudo SYSTEMD_LOG_LEVEL=debug build/systemd-tmpfiles --create `pwd`/test/tmpfiles.d/link-loop.conf
Successfully loaded SELinux database in 2.385ms, size on heap is 321K.
Reading config file "/home/zbyszek/src/systemd-work/test/tmpfiles.d/link-loop.conf".
Running create action for entry D /run/hello2
Found existing directory "/run/hello2".
"/run/hello2" has right mode 41777
Running create action for entry f /run/hello2/hello2.test
"/run/hello2/hello2.test" has been created.
"/run/hello2/hello2.test" has right mode 101777
chown "/run/hello2/hello2.test" to 0.84
Running create action for entry L /run/hello2/hello2.link
Found existing symlink "/run/hello2/hello2.link".
Running create action for entry z /run/hello2/hello2.test
"/run/hello2/hello2.test" has right mode 101777
chown "/run/hello2/hello2.test" to 0.0
Running create action for entry z /run/hello2/hello2.link
Skipping mode an owner fix for symlink /run/hello2/hello2.link.
and the permissions are:
$ ls -dl /run/hello2/ /run/hello2/*
drwxrwxrwt. 2 foo bar 80 Nov 22 14:40 /run/hello2/
lrwxrwxrwx. 1 root root 23 Nov 22 14:40 /run/hello2/hello2.link -> /run/hello2/hello2.test
-rwxrwxrwt. 1 root root 0 Nov 22 14:40 /run/hello2/hello2.test
The code intentionally ignored unknown specifiers, treating them as text. This
needs to change because otherwise we can never add a new specifier in a backwards
compatible way. So just treat an unknown (potential) specifier as an error.
In principle this is a break of backwards compatibility, but the previous
behaviour was pretty much useless, since the expanded value could change every
time we add new specifiers, which we do all the time.
As a compromise for backwards compatibility, only fail on alphanumerical
characters. This should cover the most cases where an unescaped percent
character is used, like size=5% and such, which behave the same as before with
this patch. OTOH, this means that we will not be able to use non-alphanumerical
specifiers without breaking backwards compatibility again. I think that's an
acceptable compromise.
The loop preparation and part of the loop contents are actually the
same, let's merge this.
Also, it's so much fun tweaking around in the name_to_handle_at() code,
let's do more of it with this patch!
(This also adds two NULL assignments, that aren't strictly necessary.
However, I figured its safer to place them in there, just in case the
for() condition is changed later. After all the freeing of the handle
and the invalidation of the cleanup-controller pointer to it are
otherwise really far away from each other...)
Yu Watanabe [Thu, 30 Nov 2017 07:29:48 +0000 (16:29 +0900)]
run: Allows the user to reset CPUAffinity= back to an empty list
Before this CPUAffinity= requires a valid cpu set, and the setting
cannot be reset. Moreover, if CPUAffinity= with empty string is passed,
then message container is closed without no values appended, thus
we get error.
This makes CPUAffinity= accepts empty string to reset the setting
and avoid error.
Otherwise people might assume that systemd was installed in the $PATH,
but it is not. Do the same as for systemd-vconsole-setup.service and
friends: let's include the full path in the man page.
ptyfwd: before deciding that a pty is fully drained, ask the kernel again
Apparently there's no guarantee that EPOLLIN is immediately propagated
from a pty slave to the master when data is written to it, hence it's
not sufficient to check EPOLLIN to decide whether the pty device is
drained.
Let's fix this by asking the kernel directly through SIOCINQ + SIOCOUTQ,
if there's anything buffered left.
Michal Koutný [Tue, 5 Dec 2017 15:51:19 +0000 (16:51 +0100)]
service: Don't stop unneeded units needed by restarted service (#7526)
An auto-restarted unit B may depend on unit A with StopWhenUnneeded=yes.
If A stops before B's restart timeout expires, it'll be started again as part
of B's dependent jobs. However, if stopping takes longer than the timeout, B's
running stop job collides start job which also cancels B's start job. Result is
that neither A or B are active.
Currently, when a service with automatic restarting fails, it transitions
through following states:
1) SERVICE_FAILED or SERVICE_DEAD to indicate the failure,
2) SERVICE_AUTO_RESTART while restart timer is running.
The StopWhenUnneeded= check takes place in service_enter_dead between the two
state mentioned above. We temporarily store the auto restart flag to query it
during the check. Because we don't return control to the main event loop, this
new service unit flag needn't be serialized.
This patch prevents the pathologic situation when the service with Restart=
won't restart automatically. As a side effect it also avoid restarting the
dependency unit with StopWhenUnneeded=yes.
Hristo Venev [Tue, 5 Dec 2017 14:30:43 +0000 (16:30 +0200)]
Do not set `net.ipv4.conf.default.*`
It is redundant because in these cases the values in
`net.ipv4.conf.all.*` take precedence. Also, setting the `default` does
nothing for devices that already exist.
Yu Watanabe [Tue, 5 Dec 2017 14:30:10 +0000 (23:30 +0900)]
udevadm: getopt() and help message cleanup
This adds missing options, mainly '--version' in getopt(), removes
an unused option from getopt().
Also, this adds a deprecate message in `udevadm hwdb`, and cleanups
help messages.
tests: don't use "netcat" for testing TEST-10-ISSUE-2467
Apparently there are a myriad of netcat implementations around, and they
all behave slightly differently. The one I have on my Fedora 27
installation will cause a failure when invoked as "nc -U" on an AF_UNIX
socket whose connections are immediately disconnected, thus causing the
test to fail.
Let's avoid all ambiguities in this regard, and drop usage of netcat
altoegther. Instead let's use a FIFO in the file system, which we can
connect to with only shell commands, and is hence much simpler and
more reliable to test with.
The actual test is supposed to validate that PID 1 doesn't hang when
activation of a socket-activated service fails, hence which transport
mechanism is used ultimately doesn't matter, as long as we activate the
service, and we do here...
nspawn: when in hybrid mode, chown() both the legacy and the unified hierarchy to the root in the container
If user namespacing is used, let's make sure that the root user in the
container gets access to both /sys/fs/cgroup/systemd and
/sys/fs/cgroup/unified.
nspawn: make sure images containing an ESP are compatible with userns -U mode
In -U mode we might need to re-chown() all files and directories to
match the UID shift we want for the image. That's problematic on fat
partitions, such as the ESP (and which is generated by mkosi's
--bootable switch), because fat of course knows no UID/GID file
ownership natively.
With this change we take benefit of the uid= and gid= mount options FAT
knows: instead of chown()ing all files and directories we can just
specify the right UID/GID to use at mount time.
This beefs up the image dissection logic in two ways:
1. First of all support for mounting relevant file systems with
uid=/gid= is added: when a UID is specified during mount it is used for
all applicable file systems.
2. Secondly, two new mount flags are added:
DISSECT_IMAGE_MOUNT_ROOT_ONLY and DISSECT_IMAGE_MOUNT_NON_ROOT_ONLY.
If one is specified the mount routine will either only mount the root
partition of an image, or all partitions except the root partition.
This is used by nspawn: first the root partition is mounted, so that
we can determine the UID shift in use so far, based on ownership of
the image's root directory. Then, we mount the remaining partitions
in a second go, this time with the right UID/GID information.
string-util: rework strextend() to optionally inset separators between each appended string
This adds a new flavour of strextend(), called
strextend_with_separator(), which takes an optional separator string. If
specified, the separator is inserted between each appended string, as
well as before the first one, but only if the original string was
non-empty.
This new call is particularly useful when appending new options to mount
option strings and suchlike, which need to be comma-separated, and
initially start out from an empty string.
cgroup: also include "cgroups.threads" in the list of files to chown
Also, add "cgroups.stat". It's read-only anyway, hence its UID/GID
ownership matters little, but it's probably a good idea to keep it
ownership in sync with the other read-only files such as
"cgroups.controllers".
nspawn: figure out cgroup mode *after* mounting image
If we operate on a disk image (i.e. --image=) then it's pointless to
look into the mount directory before it is actually mounted to see which
systemd version is running inside...
Unfortunately we only mount the disk image in the child process, but the
parent needs to know the cgroup mode, hence add some IPC for this
purpose and communicate the cgroup mode determined from the image back
to the parent.
Yu Watanabe [Tue, 5 Dec 2017 05:04:12 +0000 (14:04 +0900)]
execute: define setup_smack() only if SMACK is enabled
This suppresses the following warning
```
execute.c:2149:12: warning: ‘setup_smack’ defined but not used [-Wunused-function]
static int setup_smack(
^~~~~~~~~~~
```
util-lib,tests: rework unbase64 so that we skip over whitespace automatically (#7522)
Let's optimize things a bit, and instead of having to strip whitespace
first before decoding base64, let's do that implicitly while doing so.
Given that base64 was designed the way it was designed specifically to
be tolerant to whitespace changes, it's a good idea to do this
automatically and implicitly.