Michal Koutný [Tue, 25 Feb 2025 10:36:51 +0000 (11:36 +0100)]
TEST-13-NSPAWN.nss-mymachines: Use negative matching switch
The test expects _not_ to find the patterns but the run_and_grep would
still print 'FAIL:' message. Use the dedicated -n option that inverts
the semantics cleaner than shell's !.
Jörg Behrmann [Sun, 2 Mar 2025 14:52:08 +0000 (15:52 +0100)]
tests: remove cache=unsafe from TEST-64-UDEV-STORAGE
mkosi switch to the newer -blockdev qemu option in systemd/mkosi#3557 [1], but
cache=unsafe is an option only -drive supports.
Since the qemu-system_x86-64 man page [2] says this, cache.writeback=on is the
default and mkosi setting the other two options to the values corresponding to
unsafe, it should be fine to drop the cache=unsafe option.
┌─────────────┬─────────────────┬──────────────┬────────────────┐
│ │ cache.writeback │ cache.direct │ cache.no-flush │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writeback │ on │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│none │ on │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writethrough │ off │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│directsync │ off │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│unsafe │ on │ off │ on │
└─────────────┴─────────────────┴──────────────┴────────────────┘
sd-id128: gracefully handle systems where kernel keyring access is blocked
In various scenarios we invoke containers with access to the kernel
keyring blocked. Let's make sure we can handle this properly: when the
invocation ID is stored in in the kernel keyring and we try to read it
and get EPERM we should handle it gracefully, like EOPNOTSUPP.
Martin Wilck [Mon, 17 Feb 2025 17:40:35 +0000 (18:40 +0100)]
libfido2-util: accept cached pin in fido2_generate_hmac_hash()
fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when
calling ask_password_auto(), suggesting that a key by this name
can be read from the kernel keyring. But the keyring is never
opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set.
Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted
setup of encrypted volumes with FIDO2. If the PIN turns out to
be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying
and possible lockout.
SERVICE_RELOAD_SIGNAL state can only be reached via explicit reload jobs,
and we have a clear distinction between that and plain RELOADING=1
notifications, the latter of which is issued by clients doing reload
outside of our job engine. I.e. upon SERVICE_RELOAD_SIGNAL + RELOADING=1
we don't propagate reload jobs again, since that's done during transaction
construction stage already. The handling of combined RELOADING=1 + READY=1
so far is bogus however, as it tries to propagate duplicate reload jobs.
Amend this by following the logic for standalone RELOADING=1.
Daan De Meyer [Wed, 26 Feb 2025 13:58:53 +0000 (14:58 +0100)]
docs: Use mkosi -R instead of mkosi -t none
mkosi now supports -R to rerun build scripts without rebuilding the
image so let's document that instead of the current hack to prevent
the rebuild by changing the output format.
Andreas Stührk [Tue, 25 Feb 2025 23:05:41 +0000 (00:05 +0100)]
copy: Invoke hardlink context cleanup before restoring timestamps
When hardlink recreation is requested, it creates temporary files that
will be deleted once the context is destroyed. The deletion
(potentially) updates the directory's timestamps, so it's crucial that
the deletion happens before the directory timestamps are restored when
`COPY_RESTORE_DIRECTORY_TIMESTAMPS` is requested.
Daan De Meyer [Mon, 24 Feb 2025 09:56:26 +0000 (10:56 +0100)]
mkosi: Enable History= option
This option makes mkosi "remember" all the CLI options specified on
the command line when building an image. This means they don't need
to be specified again when booting the image afterwards or doing any
other operation on the image with "mkosi xxx".
As an example of how this is useful, currently, when running "mkosi
-d opensuse -f" to build an opensuse image and then running "mkosi
sandbox -- meson test -C build TEST-86-MULTI-UKI-PROFILE", running
the test will try to add virtiofs mounts of the fedora~rawhide build
directory on my machine instead of the opensuse one. With the History=
option enabled, it will use the opensuse tumbleweed directory as expected.
We stop setting --extra-search-path and --output-dir in the integration test
wrapper as these are settings that are "remembered" by enabling the History=
option.
Daan De Meyer [Mon, 24 Feb 2025 16:14:01 +0000 (17:14 +0100)]
TEST-64-UDEV-STORAGE: Stop using mkosi configure scripts
Now that we have mkosi sandbox, meson runs with the mkosi tools tree
mounted (if one is used at all), so we can implement all the qemu feature
checks in meson itself, removing the need for mkosi configure scripts.
Daan De Meyer [Mon, 24 Feb 2025 16:12:22 +0000 (17:12 +0100)]
TEST-53-ISSUE-16347: Implement rtc via custom argument
Let's get rid of the configure script for this use case by just
implementing the necessary logic in integration-test-wrapper.py.
We need to get rid of our usage of configure scripts to allow enabling
the History= setting.
Luca Boccassi [Thu, 21 Nov 2024 09:51:14 +0000 (09:51 +0000)]
test: split VM-only subtests from TEST-74-AUX-UTILS to new VM-only test
TEST-74-AUX-UTILS covers many subtests, as it's a catch-all job, and a few
need a VM to run. The job is thus marked VM-only. But that means in settings
where we can't run VM tests (no KVM available), the entire thing is skipped,
losing tons of coverage that doesn't need skipping.
Move the VM-only subtests to TEST-87-AUX-UTILS-VM that is configured to only
run in VMs under both runners. This way we keep the existing tests as-is, and
we can add new VM-only tests without worrying. This is how the rest of the
tests are organized.
Yu Watanabe [Mon, 17 Feb 2025 17:08:10 +0000 (02:08 +0900)]
network/route: do not remove any foreign routes when KeepConfiguration=yes
Without this change, only foreign routes with RTPROT_KERNEL, RTPROT_STATIC,
RTPROT_DHCP, RTPROT_RA, and RTPROT_REDIRECT are kept, and foreign routes with
other protocol e.g. RTPROT_BOOT are removed even if KeepConfiguration=yes.
Daan De Meyer [Fri, 21 Feb 2025 21:41:26 +0000 (22:41 +0100)]
sbsign: Don't set bit in SpcPeImageData->flags
Neither sbsign nor pesign set this flag in SpcPeImageData->flags,
which is about which resources should be included specifying "Which
portions of the Windows PE file are hashed." according to the
authenticode spec. However, this is followed by "Although flags is
always present, it is ignored when calculating the file hash for both
signing and verification purposes". So as it doesn't seem to do
anything useful and the other tools don't set any of these flags
either, let's follow suite and not set this flag ourselves either.
Philip Withnall [Thu, 20 Feb 2025 18:15:43 +0000 (18:15 +0000)]
docs: Clarify that login1 signals are not emitted for convenience objects
While this is obvious if you spend a few minutes thinking about how
D-Bus signals work (in this case, they are broadcast from a system
service, so cannot apply to a specific user/session/seat), it’s a bit
easy to overlook this while putting code together which uses the login1
D-Bus API, so it’s helpful to point this hazard out specifically in the
docs.
The signals can only be emitted on the canonical objects. The
convenience objects are useful for method calls, as the calling context
can be used to dereference ‘self’ and ‘auto’, but this can’t work for
signals.
Luca Boccassi [Fri, 8 Nov 2024 22:41:09 +0000 (22:41 +0000)]
tools/dbus_exporter: set LD_ORIGIN_PATH if procfs is not available
The script runs the binaries which try to find the internal libs via /proc/self/exe due
to glibc's RPATH resolution and fail:
/var/cache/src/systemd/tools/dbus_exporter.py interfaces
/var/cache/src/systemd/build/systemd
/var/cache/src/systemd/build/systemd-homed
/var/cache/src/systemd/build/systemd-hostnamed
/var/cache/src/systemd/build/systemd-importd
/var/cache/src/systemd/build/systemd-localed
/var/cache/src/systemd/build/systemd-logind
/var/cache/src/systemd/build/systemd-machined
/var/cache/src/systemd/build/systemd-networkd
/var/cache/src/systemd/build/systemd-oomd
/var/cache/src/systemd/build/systemd-portabled
/var/cache/src/systemd/build/systemd-resolved
/var/cache/src/systemd/build/systemd-sysupdated
/var/cache/src/systemd/build/systemd-timedated
execve("/var/cache/src/systemd/build/systemd", ["/var/cache/src/systemd/build/sys"..., "--bus-introspect", "list"], 0x7ffc7ab68600 /* 20 vars */) = 0
brk(NULL) = 0x56265bf70000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f56ced7f000
readlinkat(AT_FDCWD, "/proc/self/exe", 0x7ffedeaa7a90, 4096) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20293, ...}) = 0
mmap(NULL, 20293, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f56ced7a000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
writev(2, [{iov_base="/var/cache/src/systemd/build/sys"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="error while loading shared libra"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="libsystemd-core-258.so", iov_len=22},
{iov_base=": ", iov_len=2},
{iov_base="cannot open shared object file", iov_len=30},
{iov_base=": ", iov_len=2},
{iov_base="No such file or directory", iov_len=25},
{iov_base="\n", iov_len=1}],
10/var/cache/src/systemd/build/systemd: error while loading shared libraries: libsystemd-core-258.so: cannot open shared object file: No such file or directory
) = 158
Luca Boccassi [Thu, 13 Feb 2025 19:44:12 +0000 (19:44 +0000)]
ukify: if the specified kernel is not a valid PE file try to decompress it
On some distros on some architectures (e.g.: Ubuntu arm64) the kernel is shipped as
a gzipped file, which the UEFI firmware does not understand.
If pefile fails to parse it, try to decompress it.
Luca Boccassi [Thu, 13 Feb 2025 19:43:00 +0000 (19:43 +0000)]
ukify: fix zboot parsing with zstd
The header starts with 'zstd', not 'zstd22':
$ ukify build --linux vmlinuz-6.13+unreleased-cloud-arm64 --initrd /boot/initrd.img-6.12.12-amd64 --output uki
Kernel version not specified, starting autodetection 😖.
Real-Mode Kernel Header magic not found
+ readelf --notes vmlinuz-6.13+unreleased-cloud-arm64
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
Traceback (most recent call last):
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2510, in <module>
main()
~~~~^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2499, in main
make_uki(opts)
~~~~~~~~^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 1328, in make_uki
opts.uname = Uname.scrape(linux, opts=opts)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 384, in scrape
version = func(filename, opts=opts)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 374, in scrape_generic
text = maybe_decompress(filename)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 221, in maybe_decompress
return get_zboot_kernel(f)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 201, in get_zboot_kernel
raise NotImplementedError(f'unknown compressed type: {comp_type!r}')
NotImplementedError: unknown compressed type: b'zstd\x00\x00'
Luca Boccassi [Thu, 13 Feb 2025 19:38:45 +0000 (19:38 +0000)]
ukify: switch from zstd to zstandard
The zstd library does not support stream decompression, and it
requires the zstd header to contain extra metadata, that the kernel
build does not append:
$ file -k vmlinuz-6.13+unreleased-cloud-arm64
vmlinuz-6.13+unreleased-cloud-arm64: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 2 sections\012- data
$ ukify build --linux vmlinuz-6.13+unreleased-cloud-arm64 --initrd /boot/initrd.img-6.12.12-amd64 --output uki
Kernel version not specified, starting autodetection 😖.
Real-Mode Kernel Header magic not found
+ readelf --notes vmlinuz-6.13+unreleased-cloud-arm64
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
Traceback (most recent call last):
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2508, in <module>
main()
~~~~^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2497, in main
make_uki(opts)
~~~~~~~~^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 1326, in make_uki
opts.uname = Uname.scrape(linux, opts=opts)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 382, in scrape
version = func(filename, opts=opts)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 372, in scrape_generic
text = maybe_decompress(filename)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 219, in maybe_decompress
return get_zboot_kernel(f)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 199, in get_zboot_kernel
return cast(bytes, zstd.uncompress(f.read(size)))
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
zstd.Error: Input data invalid or missing content size in frame header.
Daan De Meyer [Thu, 13 Feb 2025 12:03:39 +0000 (13:03 +0100)]
sysupdate: Don't use compression extension for UKIs in manpage
UKIs should generally not be compressed since the kernel image and
initrd in them will already be compressed so let's remove the compression
suffix from the examples in the sysupdate manpage.
Daan De Meyer [Wed, 19 Feb 2025 12:46:47 +0000 (13:46 +0100)]
mkosi: update fedora commit reference
* 6c7c4a510d Do not use dynamic spec generation for non-upstream builds
* 6201755b36 Allow co-installation of systemd-sysusers-standalone and systemd
* eba1721678 Split out -sysusers and -shared
* ac9c438e27 Use dynamic spec generation for triggers
* 3671a5cc79 Move more auxiliary files into subpackages
* 5c40e08728 Remove patch that is already upstream
* 49ec9f3286 Move some files into subpackages
* 2c0b984bf4 Version 257.3
* d66f997915 Add explicit BR: libxcrypt-devel
* 1ffa7bf7c7 Make Georgian mapping patch downstream-only
* de4ae54a34 Backport PR #36194 to add Georgian mapping to kbd-model-map
* cc9bce7893 Drop override of $PATH in the user manager
* d0973df863 Backport patch to emit audit events from systemd-sysusers
* e54ec2f978 Trim changelog entries that are not relevant to users
* c7fecc18eb Skip test_sysusers_defined on upstream builds
* f257050ddd Add a .editorconfig file
* aa5546e9ed Add a few mkosi artifact directories to .gitignore
* 01e5bc1c93 Set SBAT in sd-boot when building on OBS
* a7eec4d33d Run upstream integration test suite with Fedora CI
Daan De Meyer [Mon, 13 Jan 2025 15:18:33 +0000 (16:18 +0100)]
mkosi: update fedora commit reference
* fd36e4c562 Rebuilt for the bin-sbin merge (2nd attempt)
* cddeca136f Rebuilt for the bin-sbin merge (2nd attempt)
* 20cc578e59 Enable signing systemd-boot on OBS builds
* b1bd57ecce Revert use of PrivateTmp=disconnected
* 30f50b1870 Drop patch numbers
* 1814bfe794 remove STI test
* 3a9c32b8a9 Version 257.2
* 4df2711a9f Add bcond for OBS-specific quirks
* e570cd53df spec: drop trailing whitespace
* c7379c9460 Replace 'udevadm hwdb' with systemd-hwdb
* 3386f5d704 Rename source .abignore file
* fd860fd12d Drop a build dependency on a linter package: pytest-flakes
* 133ae30e33 Drop patches based on %upstream macro instead of patch number
* e157552c6c Always build in release mode
* fc47a92e4a Re-enable upstream behaviour of systemd-tmpfiles --purge
* 62abb21906 Version 257.1
* 35e6814ef4 Add patch for test-time-util
* bd8339bf00 sysusers: support new ! line flag for creating fully locked accounts
* c2f5f4a68a Version 257
* 31aaef8e17 Enable slow tests during build
Daan De Meyer [Mon, 13 Jan 2025 15:11:07 +0000 (16:11 +0100)]
mkosi: update arch commit reference
* 8160e63e52 Limit logic required for building locally
* 3a62443e41 OBS build: add support for xz and zst compression formats
* 9667464ad7 Get rid of _tag variable
* 73dc492b5e upgpkg: 257.2-2: rebuild with changes for service restart
* 6b7355b5bb do not restart any templated units
* 332718f955 exclude vmspawn units from restart as well
* 5a749a6716 exclude systemd-nspawn@* services from restart
* 8a10796f8b upgpkg: 257.2-1: new upstream release
* 16294a0b44 Add support for building from git in OBS
* 38b664eed4 upgpkg: 257.1-1: new upstream release
* e26158dda9 upgpkg: 257-1: new upstream release
* c984b75c3f restart services after upgrade...
* 27fae2c192 upgpkg: 256.9-1: new upstream release
* 1afdd08a60 upgpkg: 256.8-2: apply: shutdown: close DM block device before issuing DM_DEV_REMOVE ioctl
Daan De Meyer [Sat, 15 Feb 2025 20:47:50 +0000 (21:47 +0100)]
mkosi: Install systemd in Fedora build image
rpm pulls in systemd-standalone-sysusers now by default to get
systemd-sysusers which causes a conflict later on during the prepare
script when systemd is pulled in as a dependency of device-mapper so
let's install systemd in the initial transaction so systemd provides
systemd-sysusers and systemd-standalone-sysusers is never installed
in the first place.
Daan De Meyer [Fri, 14 Feb 2025 14:22:05 +0000 (15:22 +0100)]
mkosi: Fix mkosi.clangd
- Add missing '--' delimiter
- Use the new BuildSubdirectory JSON field to figure out the build
subdirectory.
- Remove the /usr/include path mapping for now. This means we can't
jump into system headers anymore if they don't exist on the host,
we can find a way to add this back later if it turns out to be
crucial.
core/condition: fix segfault when key not found in os-release
'ConditionOSRelease=|ID_LIKE$=*rhel*' results in a segfault.
The key 'ID_LIKE' is not present in Fedora's os-release file.
I think the most reasonable behaviour is to treat missing keys as empty.
This matches the "shell-like" sprit, since in a shell empty keys would
by default be treated as empty too. Thus, "ID_LIKE=" would match, if
ID_LIKE is not present in the file, and ID_LIKE=!$foo" would also match.
The other option would be to make those matches fail, but I think that'd
make the feature harder to use, esp. with negative matches.
Documentation is updated to clarify the new behaviour.
Daan De Meyer [Wed, 12 Feb 2025 10:09:36 +0000 (11:09 +0100)]
mkosi: Update to latest
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
Daan De Meyer [Wed, 29 Jan 2025 13:44:27 +0000 (14:44 +0100)]
ukify: Calculate section size more correctly
We should only use Misc_VirtualSize if it's smaller than SizeOfRawData,
since in that case it'll be the non-aligned section size. Otherwise we
have to use SizeOfRawData to get the size on disk.
Yu Watanabe [Wed, 12 Feb 2025 00:23:33 +0000 (09:23 +0900)]
udev-watch: do not try to remove invalid watch handle
When a new device is processed, there should be no watch handle for
the device, hence udev_watch_clear() provides -1. Let's not try to call
inotify_rm_watch() in that case.
This should not change any behavior. Just for suppressing spurious
debugging log:
=====
(udev-worker)[3626140]: zram1: Removing watch handle -1.
=====
Let's move the currently used/default/oneshot entry output after the
basic info about the boot loader itself, since conceptually these are
objects kinda "one level down" from the boot loader perspective. Hence,
let's *first* show all info about the boot loader itself before we
display the objects it manages.
This is just a trivial change in output, just swaps th elines for these
fields with the ones showing where the boot loader is installed.
bootctl: suppress output of empty partition info if we also have no idea about EFI binary path
So far we'd output both the partition and the binary path always, even
if we didn't know either (but in that case show empty information).
Let's address this, and show partition info only if we know it, or if we
know the EFI binary path, but suppress both if we know neither.
Note that we'll show the partition info if we don't know it still if we
know the EFI binary path used for boot, since it is relative to the
partition of course, and hence it's really strange to know one but not
the other, hence it deserves some mentioning in the output.
bootctl: also shown whether stub loader partition data was passed
Let's make the stub and loader output sections more alike, and say in
both cases whether we recieved that data from the boot phase or not the
same way.
Yu Watanabe [Wed, 18 Dec 2024 13:27:29 +0000 (22:27 +0900)]
update-utmp: do not give up if the first attempt at connecting bus failed
Otherwise, the program exits with failure if the first attempt in run() failed:
```
Dec 18 20:27:37 systemd-update-utmp[254]: Bus n/a: changing state UNSET → OPENING
Dec 18 20:27:37 systemd-update-utmp[254]: sd-bus: starting bus by connecting to /run/systemd/private...
Dec 18 20:27:37 systemd-update-utmp[254]: Bus n/a: changing state OPENING → CLOSED
Dec 18 20:27:37 systemd-update-utmp[254]: Failed to get D-Bus connection: Connection refused
```
By default, suite of each built test is determined by the directory of
the source file. Hence, before the mentioned commit, all tests in
src/boot/efi/ are in the 'efi' suite. The commit changed the directory
tree, but forgot to update the name of the test suite.
Yu Watanabe [Mon, 16 Dec 2024 02:50:53 +0000 (11:50 +0900)]
meson: allow to customize the access mode for tty/pts devices
Then, switch the default value to "0600", due to general security
concerns about terminals being written to by other users.
Closing #35599.
Backport note: the default is changed back to 0620 to keep backward
compatbility intact for the purpose of backporting. This lets
security-conscious users fix the issue if they want to, without
affecting users that do not want changes in the stable branches.
Yu Watanabe [Wed, 5 Feb 2025 00:14:51 +0000 (09:14 +0900)]
network/routing-policy-rule: fix compare func
Previously, when comparing an existing and requested routing policy
rules, `all` flag was unset, thus the from and to addresses in the two
rules were not compared. Hence, a new request with from and/or to
addresses might be considered as it already exists even the addresses of
existing one were different from the newly requested one.
All existing rules have valid family, i.e. AF_INET or AF_INET6. And,
all requesting rules with from and/or to addresses also have a valid
family. Hence, even `all` flag is unset, the addresses can be and must
be compared in that case.
errno handling for NSS is always a bit weird since NSS modules generally
are not particularly careful with it. Hence let's initialize errno
explicitly before we invoke getpwent() so that we know it's in a
reasonable state afterwards on failure, or zero if not.
We do this in most places we use NSS, including in userdb when it comes
to getgrent(), just for getpwent() we don't so far. Address that.
The getopt() parser was completely wrong, it expected an argument where
wasn't expected or processes.
The test cases only passed by accident because they use the "user" verb
which is also the default verb. It would be accidently read as argument
for --fuzzy and ignored.
This definition is broken as rpm internally does the following
since 4.20 to calculate the buildroot:
```
char *bn = rpmExpand("%{NAME}-%{VERSION}-build", NULL);
/* Tilde and caret in paths are evil, convert to underscores */
for (char *t = bn; *t; t++) {
if (*t == '^' || *t == '~')
*t = '_';
}
```
This has broken our upstream opensuse CI builds in systemd as
we do the following to fetch the list of unpackaged files by the rpm build:
```
rpmbuild
...
--define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'"
...
```
which stopped working because the check files script tries
to look for unpackaged files in the "/var/tmp/BUILD/systemd-258~devel-build/BUILDROOT"
directory (%buildroot) whereas it should be looking in "/var/tmp/BUILD/systemd-258_devel-build/BUILDROOT".
Let's remove the %buildroot compat definition until the bug is
addressed in opensuse tumbleweed.
Michal Sekletar [Tue, 21 Jan 2025 14:31:14 +0000 (15:31 +0100)]
core/namespace: relabel bind mount source based on the target path
Some bind mounts, e.g. /tmp bind mount when PrivateTmp=disconnected,
must be explicitly relabeled because now it would have incorrect SELinux
label. /tmp is expected to have well-known SELinux label, tmp_t. Now it
has label inherited from the source directory of the bind mount.
projects / thirdparty / systemd.git / log
