kernel-install: support full set of config files and drop-ins
This brings the handling of config for kernel-install in line with most of
systemd, i.e. we search the set of paths for the main config file, and the full
set of drop-in paths for drop-ins.
various: use new config loader instead of config_parse_config_file()
This means the main config file is loaded also from /run and /usr.
We should load the main config file from all the places where we load drop-ins.
I realize I had a giant blind spot: I always assumed that we load config files
from /etc, /run, /usr/local/lib, /usr/lib. But it turns out that we only used
those paths for drop-ins. For the main config file, we only looked in /etc. The
docs actually partially described this behaviour, i.e. most SYNOPSIS sections
and some parts of the text, but not others.
This is strange, because 6495361c7d5e8bf640841d1292ef6cfe1ea244cf was completely
bogus with the behaviour before this patch. We had a huge discussion before it
was merged, and clearly nobody noticed this. Similarly, in the previous version
of the current pull request, we had a long discussion about the appropriate
order of directories, and apparently nobody noticed that there was no order,
because only looked in one directory. So the blind spot seems to have been
shared.
Also, systemd-analyze cat-config behaved incorrectly, i.e. its behaviour matches
the new behaviour.
Possibly, in the future it'll make it easier to add support for --root.
shared/conf-parser: use chase() in config_parse_many_files()
The function was partially implementing chroot lookups. It would be given
file names that were prefixed with the chroot, so it would mostly work.
But if any of those files were symlinks, fopen() would do the wrong thing.
Also we don't need locking.
So give 'root' as the argument and use chase_and_fopen_unlocked() to get
proper chroot-aware lookups.
Also, use the more correct type of 'const char* const*' for the input strv.
This requires adding the cast in a few places, but also allows to remove some
casts in others.
shared/conf-parser: collapse pkgdir and conf_file args into one
This essentially reverts 5656cdfeeabc16b5489f5ec7a0a36025a2ec1f23. I find it
much easier to understand what is going on when the
path-relative-to-the-search-path is passed in full, instead of being constructed
from two parts, with one of the parts being implicit in some places.
Also, we call 'systemd-analyze cat-config <path>' with <path> with the same
meaning, so this makes the internal and external APIs more consistent.
Adrian Vovk [Tue, 20 Feb 2024 19:54:21 +0000 (14:54 -0500)]
fd-util: Add helpers to check if FD flags are safe
Adds a SAFE_FD_FLAGS define to list out all the safe FD flags, and also
an UNSAFE_FD_FLAGS() macro to strip out the safe flags and leave only
the unsafe flags. This can be used to quickly check if any unsafe flags
are set and print them for diagnostic purposes
analyze: always recommend saving the output to a file
The command will refuse to write to a TTY, so give a strong hint
that redirecting to a file is recommended. This makes the synopsis,
man page text, and --help output consistent.
Also drop the space after the redirection operator everywhere.
cryptsetup: drop "headless" bool, make it a flag in AskPasswordFlags instead
This bool controls whether we should interactively ask for a password,
which is pretty much what the ask_password-api.c APIs are about. Hence,
just make the bool a flag in AskPasswordFlags enum, and use it
everywhere.
This still catches the flag early in upper levels of the codebase,
exactly as before, but if the flag is still present in the lower layers
it's also handled there and results in ENOEXEC if seen.
This is mostly an excercise in simplifying our ridiculously long
function call parameter lists a bit.
cryptenroll,cryptsetup: clean up unlock credential for TPM2 + FIDO2
Let's make sure that when cryptenroll asks for the TPM2 or FIDO2 token
PIN it uses cryptenroll.* credential namespace, and cryptsetup uses
cryptsetup.*.
pkcs11-util: clean up credential handling for PKCS11 PIN
similar as the previous commit, let's clean up the credential name we
use. Use home.token-pin in case of homectl, and cryptenroll.pkcs11-pin
in case of cryptenroll.
cryptenroll: use a different credential for new new PIN
The TPM2 enrollment is the only of the three token enrollments where the
user picks a PIN at enrollment time (the others have a PIN set for the
token, not for the enrollment). Let's make sure it uses a different
credential for retrieving this PIN, in order to make sure people can
programmatically change PINs via credentials (in which case they need to
supply both).
Querying a fido2 PIN via askpw for enrolling is currently used in two
places: cryptenroll and homectl. So far we sloppily used the same fixed
credential name "fido2-pin" in both cases. Let's tweak that and make the
credential name match the other credentials cryptenroll or home query,
i.e. using the cryptenroll.* and home.* namespaces.
This is particular done in light of #31370, which wants to make the
credential name public. We really should get the name in order before
making it public.
The "id" is used in the askpw protocol to recognize password prompts, in
case a service is replying to them and needs some id. Previously we set
an incorrect id, the one of cryptsetup. Fix that.
(I guess the id is not used much, it comes from a time where we had no
credentials, and thus some people wanted to supply passphrases
programmatically rather interactively. The usecase is probably gone, but
we should still set some valid id I guess.)
Frantisek Sumsal [Mon, 19 Feb 2024 19:41:49 +0000 (20:41 +0100)]
test: verify our own units (where applicable)
This is inspired by one of our internal tests that does pretty much the
same thing. However, it is slightly more convoluted than I'd like it to
be, since I really don't want to duplicate the list of our units in
another place, so we need to, somehow, pass the list from the meson file
to the test script. I originally envisioned this to be a part of the
unit test suite, but this doesn't work for unit files with absolute
paths to binaries, as we'd have to install the build first (maybe using
a chroot would work?).
It doesn't check man pages (since they might not be installed on the
test machine) and also skip recursive dependencies (as that would trip
over issues in files that are not under our direct control), but it
should still cover typos and such.
There are currently two units for which the check had to be disabled -
syslog.socket, as the corresponding syslog.service might not be
installed, and rc-local.service as that's a compat API and the necessary
/etc/rc.d/rc.local file may not (and most likely won't be) present.
timesyncd: reorder structs instead of useless bitfields
Because of alignment, those bitfields were not doing anything useful,
and were causing the generated code to be more complicated. But in this
case, at least potentially there might be a number of copies of those
structs (if we have a bunch of time servers configured), so let's actually
implement the intended space savings by reording the fields to reduce the
size of holes.
core/kmod-setup: drop another pointless bitfield annotation
We have two bools followed by a func pointer, which is aligned to e.g. 8 bytes,
so whether the two bools take one bit, one byte, or even a full word, makes no
difference in storage size. But the code generated to service a bitfield is
more complicated.
- Allow to call the method without "name" and "type".
- Allow to specify SD_RESOLVE_NO_TXT and SD_RESOLVE_NO_ADDRESS.
- Allow to provide multiple services, and fix memory leak.
- Rearrange the return value format.
- Encode TXT field with octescape() to make the field matches with the
io.systemd.Resolve.Monitor interface.
gpt-auto-generator: fix argument passed to `parse_image_policy_argument`
Otherwise:
```
Feb 19 16:35:34 localhost systemd-gpt-auto-generator[188]: Assertion 's' failed at src/shared/image-policy.c:656, function parse_image_policy_argument(). Aborting.
```
Daan De Meyer [Mon, 19 Feb 2024 15:55:42 +0000 (16:55 +0100)]
pkcs11-util: Explicitly initiaiize variable to avoid warning
Avoid the following warning on C9S by explicitly initializing
"object".
"""
[389/2801] Compiling C object src/shared/libsystemd-shared-256-devel.a.p/pkcs11-util.c.o
../src/src/shared/pkcs11-util.c: In function ‘pkcs11_token_find_private_key’:
../src/src/shared/pkcs11-util.c:983:21: warning: ‘object’ may be used uninitialized in this function [-Wmaybe-uninitialized]
983 | *ret_object = object;
| ~~~~~~~~~~~~^~~~~~~~
"""
After the mentioned commit, when the ExecCommand executable is missing,
and failure will be ignored by manager, we exit with EXIT_SUCCESS at executor
side too. The behavior however contradicts systemd.service(5), which states:
> If the executable path is prefixed with "-", an exit code of the command
> normally considered a failure (i.e. non-zero exit status or abnormal exit
> due to signal is _recorded_, but has no further effect and is considered
> equivalent to success.
and thus makes debugging unexpected failures harder. Therefore, let's still
exit with EXIT_EXEC, but just skip LOG_ERR level log.
Adrian Vovk [Wed, 10 Jan 2024 03:06:35 +0000 (22:06 -0500)]
homework: Handle Update & Create w/ blob dir
Introduces new extended variants of the various incarnations of
Create and Update, which take a map of filenames to FDs. This map is
then used to populate the bulk directory.
FDs are used to prevent the client from abusing homed's blob directory
permissions (everything is made world-readable by homed) to open files
that they normally aren't allowed to open. Passing along an FD ensures
that the client has read access to the file it wants homed to make
world-readable.
Internally, homework uses the map to overwrite the system blob dir.
Later, homework's existing blob dir reconciliation logic will propagate
the new contents from the system blob dir into the embedded blob
dir
Adrian Vovk [Tue, 9 Jan 2024 19:39:38 +0000 (14:39 -0500)]
homework: Reconcile blob directories
Whenever the host & embedded records are reconciled, the host & embedded
blob directories are now reconciled too in the same direction.
Reconciling the blob directories serves exactly the same purpose as
reconciling the user records, and thus should behave in the same way.
Adrian Vovk [Mon, 8 Jan 2024 23:37:52 +0000 (18:37 -0500)]
homed: Create & advertise blob directory
This ensures that a user-specific blob directory exists in
/var/cache/systemd/homed for as long as the user exists, and gets
deleted if the user gets deleted.
It also advertises this blob directory via the user record, so that
clients can find and use it.
Adrian Vovk [Mon, 8 Jan 2024 22:21:55 +0000 (17:21 -0500)]
Document blob directory behavior
We're documenting the behavior of blob directories here. These docs
refer to things that aren't yet implemented at the time of the commit, but will be later in the same PR.
Adrian Vovk [Tue, 13 Feb 2024 20:09:54 +0000 (15:09 -0500)]
fd-util: Expose helper to pack fds into 3,4,5,...
This is useful for situations where an array of FDs is to be passed into
a child process (i.e. by passing it through safe_fork). This function
can be called in the child (before calling exec) to pack the FDs to all
be next to each-other starting from SD_LISTEN_FDS_START (i.e. 3)
In this context, "VM" doesn't need explaining. Make the texts more precise
and try to make them fit in one line. Help output is much easier to read
when it's not wrapped.
Frantisek Sumsal [Mon, 19 Feb 2024 10:23:31 +0000 (11:23 +0100)]
Revert "test: use btrfs by default on Arch as well"
There's something very wrong going on when using btrfs for the test
images, namely:
- there's a significant performance hit, i.e. the Arch Linux run is
~20% slower, in the coverage run the situation is even worse
- intermittent boot failures
- intermittent "No space left on device" errors (even though there's
enough free space)
Since debugging this might take a while, let's temporarily revert back
to ext4 to make the CI stable again.
projects / thirdparty / systemd.git / log
