1. Make the message a bit more visible, by adding ANSI color. This
matters in particular during boot, where the message otherwise might
be overprinted by other output
2. Let's turn off terminal echo so that whatever key is entered is not
made visible on screen, and we can handle newline and other keys
reasonably uniformly.
Luca Boccassi [Sun, 16 Feb 2025 23:25:43 +0000 (23:25 +0000)]
mkosi: update debian commit reference
* 08eb5e1eff Set tty device node mode to 0600
* e3955d1ca2 initramfs-tools: copy hwdb.bin to initramfs
* aff03b8933 d/rules: fix bpftool path discovery on ubuntu
* cab4f15666 Update changelog for 257.3-1 release
* 9bfeffe2a3 autopkgtest: fix mkosi config section
* 44487bfe02 ukify: depend on python3-zstandard and recommend python3-lz4
* 0a20294f18 d/rules: adjust vmlinux.h path for Ubuntu
* 94fa0939ed Drop fallback for missing linux-bpf-dev package
* b0b75e3f4b systemd-boot: check that bootvar really points to sd-boot
* 464453cbd6 systemd-boot: fix creating bootvar on arm64
* ce4a878ef7 systemd-boot: warn if efibootmgr is not installed
* cce6971f68 Install new udev rule for hidraw
* 0c483fbd26 d/t/control: do not pull in gdm3 on loong64
* 52451a0c14 d/t/control: depend on debian-archive-keyring and ubuntu-keyring
Yu Watanabe [Sun, 9 Feb 2025 20:29:12 +0000 (05:29 +0900)]
journal-upload: several follow-ups for Accept-Encoding header handling
This makes,
- When a wildcard value '*' is specified, use the first supported
compression algorithm,
- disable compression if Accept-Encoding header is unspecified or
no supported compression algorithm specified in the header,
- ignore all errors in parsing the header.
- use OrderedHashmap to manage configured compression algorithms, then
drop CompressionArgs,
- rename CompressionOpts -> CompressionConfig,
- refuse 'none' in Compression= setting, but accept boolean false, which
disables compression,
- when Compression= option is unspecified, enable all supported compression
algorithms by default,
- do not set 'none' to the Accept-Encoding header.
Daan De Meyer [Sat, 15 Feb 2025 23:24:52 +0000 (00:24 +0100)]
repart: Delay private key and certificate check until actual use
For many reasons, we might not actually sign a verity signature
partition, even if ope is specified in the partition definition files.
It might already exist, it might be deferred, it might be excluded, ...
Since we cannot check if partition already exists when reading the
configuration, let's delay the check for whether a certificate and
key have been provided until we're actually about to sign a roothash.
Daan De Meyer [Sat, 15 Feb 2025 20:47:50 +0000 (21:47 +0100)]
mkosi: Install systemd in Fedora build image
rpm pulls in systemd-standalone-sysusers now by default to get
systemd-sysusers which causes a conflict later on during the prepare
script when systemd is pulled in as a dependency of device-mapper so
let's install systemd in the initial transaction so systemd provides
systemd-sysusers and systemd-standalone-sysusers is never installed
in the first place.
Luca Boccassi [Fri, 14 Feb 2025 20:02:45 +0000 (20:02 +0000)]
mkosi: Fix mkosi.clangd (#36387)
- Add missing '--' delimiter
- Use the new BuildSubdirectory JSON field to figure out the build
subdirectory.
- Remove the /usr/include path mapping for now. This means we can't
jump into system headers anymore if they don't exist on the host,
we can find a way to add this back later if it turns out to be
crucial.
Daan De Meyer [Fri, 14 Feb 2025 14:22:05 +0000 (15:22 +0100)]
mkosi: Fix mkosi.clangd
- Add missing '--' delimiter
- Use the new BuildSubdirectory JSON field to figure out the build
subdirectory.
- Remove the /usr/include path mapping for now. This means we can't
jump into system headers anymore if they don't exist on the host,
we can find a way to add this back later if it turns out to be
crucial.
Luca Boccassi [Thu, 13 Feb 2025 19:44:12 +0000 (19:44 +0000)]
ukify: if the specified kernel is not a valid PE file try to decompress it
On some distros on some architectures (e.g.: Ubuntu arm64) the kernel is shipped as
a gzipped file, which the UEFI firmware does not understand.
If pefile fails to parse it, try to decompress it.
Luca Boccassi [Thu, 13 Feb 2025 19:43:00 +0000 (19:43 +0000)]
ukify: fix zboot parsing with zstd
The header starts with 'zstd', not 'zstd22':
$ ukify build --linux vmlinuz-6.13+unreleased-cloud-arm64 --initrd /boot/initrd.img-6.12.12-amd64 --output uki
Kernel version not specified, starting autodetection 😖.
Real-Mode Kernel Header magic not found
+ readelf --notes vmlinuz-6.13+unreleased-cloud-arm64
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
Traceback (most recent call last):
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2510, in <module>
main()
~~~~^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2499, in main
make_uki(opts)
~~~~~~~~^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 1328, in make_uki
opts.uname = Uname.scrape(linux, opts=opts)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 384, in scrape
version = func(filename, opts=opts)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 374, in scrape_generic
text = maybe_decompress(filename)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 221, in maybe_decompress
return get_zboot_kernel(f)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 201, in get_zboot_kernel
raise NotImplementedError(f'unknown compressed type: {comp_type!r}')
NotImplementedError: unknown compressed type: b'zstd\x00\x00'
Luca Boccassi [Thu, 13 Feb 2025 19:38:45 +0000 (19:38 +0000)]
ukify: switch from zstd to zstandard
The zstd library does not support stream decompression, and it
requires the zstd header to contain extra metadata, that the kernel
build does not append:
$ file -k vmlinuz-6.13+unreleased-cloud-arm64
vmlinuz-6.13+unreleased-cloud-arm64: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 2 sections\012- data
$ ukify build --linux vmlinuz-6.13+unreleased-cloud-arm64 --initrd /boot/initrd.img-6.12.12-amd64 --output uki
Kernel version not specified, starting autodetection 😖.
Real-Mode Kernel Header magic not found
+ readelf --notes vmlinuz-6.13+unreleased-cloud-arm64
readelf: Error: Not an ELF file - it has the wrong magic bytes at the start
Traceback (most recent call last):
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2508, in <module>
main()
~~~~^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 2497, in main
make_uki(opts)
~~~~~~~~^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 1326, in make_uki
opts.uname = Uname.scrape(linux, opts=opts)
~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 382, in scrape
version = func(filename, opts=opts)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 372, in scrape_generic
text = maybe_decompress(filename)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 219, in maybe_decompress
return get_zboot_kernel(f)
File "/home/bluca/git/systemd/src/ukify/ukify.py", line 199, in get_zboot_kernel
return cast(bytes, zstd.uncompress(f.read(size)))
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^
zstd.Error: Input data invalid or missing content size in frame header.
core/condition: fix segfault when key not found in os-release
'ConditionOSRelease=|ID_LIKE$=*rhel*' results in a segfault.
The key 'ID_LIKE' is not present in Fedora's os-release file.
I think the most reasonable behaviour is to treat missing keys as empty.
This matches the "shell-like" sprit, since in a shell empty keys would
by default be treated as empty too. Thus, "ID_LIKE=" would match, if
ID_LIKE is not present in the file, and ID_LIKE=!$foo" would also match.
The other option would be to make those matches fail, but I think that'd
make the feature harder to use, esp. with negative matches.
Documentation is updated to clarify the new behaviour.
Daan De Meyer [Thu, 13 Feb 2025 12:03:39 +0000 (13:03 +0100)]
sysupdate: Don't use compression extension for UKIs in manpage
UKIs should generally not be compressed since the kernel image and
initrd in them will already be compressed so let's remove the compression
suffix from the examples in the sysupdate manpage.
Daan De Meyer [Mon, 10 Feb 2025 22:59:04 +0000 (23:59 +0100)]
ptyfwd: Forward various signals to forked process
We want systemd-pty-forward to be something that can be dropped in
somewhere without too much thought. To enable this, let's make sure
we forward various signals to the forked process. This makes sure that
any signals are delivered to the actual child process regardless of whether
it's running within systemd-pty-forward or not.
Daan De Meyer [Wed, 12 Feb 2025 10:09:36 +0000 (11:09 +0100)]
mkosi: Update to latest
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
The mount option string is ubiquitous in that all of fstab,
kernel cmdline, credentials, systemd-mount, ... speak it.
And we already have x-systemd.device-bound= that's parsed
by pid1 instead of fstab-generator. It feels hence more natural
for graceful options to be an extension of that, rather than
its own property.
There's also one nice side effect that the setting itself
is now more graceful for systemd versions not supporting
such feature.
With the aforementioned commits, unit_release_resources()
is dispatched in a dedicated queue, and Service.n_keep_fd_store
has been dropped, hence the comment is outdated. Moreover,
the unit is added to GC queue in unit_notify() already.
No other unit types do this in corresponding _enter_dead()
functions, nor does Service need it anymore.
Mike Yuan [Sun, 9 Feb 2025 19:41:20 +0000 (20:41 +0100)]
core/mount: check parameters_fragment first in mount_enter_(re)mounting()
I.e. don't perform any action if we can't spawn mount task anyway.
Later the same check would be added to mount_can_start/reload(),
so this makes things more coherent too.
Paul Fertser [Tue, 11 Feb 2025 13:33:15 +0000 (13:33 +0000)]
socket: resolve unit specifiers in BindToDevice
There are cases where templated Socket unit files are used for network services
with interface name used as an instance. This patch allows using %i for
BindToDevice setting to limit the scope automatically.
Yu Watanabe [Wed, 12 Feb 2025 00:23:33 +0000 (09:23 +0900)]
udev-watch: do not try to remove invalid watch handle
When a new device is processed, there should be no watch handle for
the device, hence udev_watch_clear() provides -1. Let's not try to call
inotify_rm_watch() in that case.
This should not change any behavior. Just for suppressing spurious
debugging log:
=====
(udev-worker)[3626140]: zram1: Removing watch handle -1.
=====
resolve: add an option to explicitly disable query AAAA, SRV, MX, etc... (#34165)
Based on this patch i had submitted to RedHat
(https://issues.redhat.com/browse/RHEL-56280), i am submitting this
patch to this upstream systemd.
There is no way to explicitly enable/disable IPv6 AAAA queries.
Problem was that i am using RHEL9 and some applications does not use a
newer glibc that supports `no-aaaa` option in `/etc/resolv.conf`. So
some applications will still resolve IPv6 AAAA even with `no-aaaa`
option and it is inconsistent across the system where some work and some
don't.
So this systemd-resolved patch catch-all queries and disable IPv6 AAAA
queries for all applications in the OS by having an option
`RefuseRecordTypes=AAAA` to disable IPv6 AAAA queries.
Although https://github.com/systemd/systemd/pull/28136 tries to fix this
automatically but it still does not work with
`net.ipv6.conf.all.disable_ipv6 = 1`. Also tried with explicitly
removing the conditional and force set `family = AF_INET` and still
resolves AAAA records.
The issue is that i want to explicitly disable IPv6 AAAA queries instead
of systemd-resolved to figure out itself which address family it is
using, which always have problems.
projects / thirdparty / systemd.git / log
