gpt-auto-generator: write fsck override unit to "middle" generator dir
We generally let gpt-auto-generator write to the "late" generator dir,
so that the explicit fstab-generator can write to the "middle" one. And
I think we should leave it that way. But we also want to override the
generic systemd-fsck-root.service service potentially, and if we'd do
that in the "late" generator dir, it would be pointless, since that's
ordered *after* the static version hence would never be taken into
consdiration.
Hence clean this up: keep writing to the late dir for everything,
except for the fsck stuff.
veritysetup: when we fail to unlock a disk with the root hash signature logic, retry without
Currently, there's no nice way to get a key into the dm-verity kernel
keyring unless recompiling the kernel, or enabling SB or buying into
shim. Neither sounds particularly attractive.
hence provide a reasonable fallback: if unlocking with signed roothash
doesn#t work, just try without. maybe the kernel policy allows this,
maybe not. It's worth a try.
dissect-image: add a concept for "filtering" partitions we dissect
DDIs may contain multiple versions of the same OS, or even multiple
OSes. Hence it makes sense to not just pick the "newest", whatever that
might be, but only partitions associated with specific images, or in a
specific version.
Let's a concept for such filtering: a per-designator glob expression
that can be applied to the partition label string, and can be used for
such filtering.
Usecase: when picking UKI belonging to OS image X in version Y, make
sure we only pick a /usr/ partition belonging to X in version Y, and a
root and home partition belonging to X in any version.
This only adds the basic infrastructure, but doesn't actually expose it
anywhere.
gpt-auto-generator: add support for mount.usr=dissect
So far, we did not support auto-discovery the /usr/ partition at boot.
Change that: on explicit request (i.e. mount.usr=dissect) automatically
discover the /usr/ partition based on our usual dissection logic.
generator: add root=off to explicitly turn search for rootfs off
This is useful when booting into storage target mode, where we do not
want to enter a root fs, we just want to stay forever in the initrd,
and hence there's value in not even generating and jobs to find the
rootfs
gpt-auto-generator: optionally, set up root fs via dissection logic
This introduces root=dissect, which is a lot like root=gpt-auto, but
uses the image dissection logic to find the root partition. It's also
based on the GPT efi var telling us about the root disk, but instead of
just picking some suitable root disk manually it uses the dissection
logic.
This is a big step forward, since it means we can actually make
use of the image policy logic for the root fs too.
Previously if we found a verity signature partition in an image, and the
image policy required "verity" (but did not allow "signature") we'd
refuse the image. This is of course unnecessarily strict: if "verity" is
allowed, we can make use of the verity data, and ignore the signature
data.
hence, relax the rules here: when we pick up a partition and want to
test it against the policy, always consider all "weaker" uses too, maybe
they are allowed if the "stronger" users isn't.
dissect-image: guess verity root hash from the resources we found
When dissecting an image, let's make use of the Verity data even if we
got told no root hash explicitly: we can simply determine it by
concatenating the data partition uuid with the verity partition uuid.
Of course, on first thought this doesn't really add much: if the root
hash is not pinned from somewhere, this does not guarantee trust in
the image.
However, this is very useful for attestation: if we have the root hash
we can measure it before mounting things, even if we don't actually
authenticate it.
Hence, at best this helps us with attestation, at worst it doesn't improve
security but certainly doesn't hurt it.
dissect-image: rework how we determine that we are ready to do verity/verity-sig
Previously, if during early enumeration of the partition table we
figured out we have a verity + verity-sig partition, we determined we are
"ready" to do verity/verity-sig, as reported by the "verity_ready" and
"verity_ready_sig" fields of DissectedImage.
Let's rework this: only determine we are ready in case the VeritySettings
structure is fully populated. Mark verity-sig/verity only as ready once
we actually *load* the verity sig metadata from the special partition.
This is conceptually more correct, as we consider things "ready" only if
we actually have all data for it loaded. It's also preparation for a
later commit that guesses the verity root hash based on what we discover.
udev-builtin-blkid: look for ESP/XBOOTLDR only in initrd; afterwards just look at /
So far the gpt-auto symlinks would point to:
1. the disk the ESP/XBOOTLDR is located on
2. or to a loopback device whose filename field is set to "rootdisk"
or "rootdisk.raw"
This makes sense in the initrd. But once we transition to the host this
is quite confusing, since the symlinks might point to a different place
than what we actually ended up transitioning too: the actual backing
device of the root file system might be different from what gpt-auto
found.
Let's clean this up: let's avoid any ambiguities here: let's extend the
rules above with one more rule:
3. if we left the initrd, we'll make gpt-auto point to the selected
root file system, if it otherwise would have been a candidate.
Or in other words, the ID_PART_GPT_AUTO_ROOT_DISK=1 udev property now
always makes sense: in the initrd it points to the future root disk, and
on the host to the actual root disk.
rules: split out gpt-root rules from 99-systemd.rules
All other rules in 99-systemd.rules are pretty much concerned about
SYSTEMD_READY=1 and tagging devices the service manager shall track. But
the gpt-root symlink is different, and it makes sense independently of
the service manager. Hence give it a separate file.
This introduces indentation for inner sections skipped via GOTO=. The
rules parser supports that. In order to make this more readable, let's
maybe make use of this.
test: Unset JOURNAL_STREAM for integration test units
We use StandardOutput=journal+console for integration test units
to make sure the output from the test ends up on both the serial
console and in the journal. Unfortunately this only works for
messages written to stdout/stderr of the test service. All journal
messages logged by systemd tools will only end up in the journal and
not on the serial console. This makes test failures harder to debug
than needed because developers have to fetch the journal to figure
out the actual error that was logged by any systemd tool that failed
when invoked from the integration test script.
To fix this, let's unset $JOURNAL_STREAM for the integration test
units. This forces all output to go through stdout, which will make
journald forward it to the console and save it in the journal.
udev: use notify socket to send message from worker processes to manager process (#36922)
This replaces home-grown notification method from worker processes to
manager process with sd-notify. Then, we can reuse many library
functions commonly used by many components.
Hopefully, this does not change any effective functionalities.
Adjustments to match our current coding style, in particular ensures we
always print log messages for unexpected errors.
This changes our code assume mac_selinux_get_create_label_from_exe()
returns a valid label on success. I checked libselinux, this is
guaranteed, and is otherwise relied on in our tree, hence don't do the
pointless check here.
test: skip TEST-06-SELINUX if not on fedora/centos
The test skips at runtime on the same condition, but that's already too late
as it often gets stuck on boot in Debian/Ubuntu. Check in the meson
condition directly so that it's not even started.
mkosi: Stop passing package environment variables to tools image
The tools image is not guaranteed to be the same distribution as the
target distribution and so might have different package environment
variables than the main image yet we currently unconditionally use the
same package environment variables for both of them.
Let's fix this by not passing the package environment variables to the
tools image and subimages anymore, and instead having the main, tools and
build images separately include a config file with the required environment
variables.
mkosi: Use mkosi.tools.conf for tools tree configuration
This allows us to use the regular settings instead of having to bother
with ToolsTreeXXX variants. It'll also allow us to share configuration
between the regular images and the tools tree image, which we'll make
use of in the next commit.
mkosi: Drop number prefixes from configuration files
We already removed these in some places, let's migrate the others as
well. There's no ordering required at all between these configuration
files so let's not bother with any numbered prefixes.
unit: return a better error state for unit_get_unit_file_preset() if we have no fragment path
We'd previously return what was already set. Let's instead return a
clear ENOEXEC in this case, to make clear what is going on: preset logic
doesn't apply to units which lag a fragment path.
unit: initialize unit_file_preset field to valid value
"-1" is not a valid enum value. Use a better one. All code using this
considers negative values error codes anyway, hence the old code was
just a weird way to write -EPERM. Let's clean this up.
unit: don't bother determining unit install state for transient or perpetual units
I noticed that we keep querying the preset database for transient units,
which makes little sense, since transient units are well, transient, and
hence not suject to enablement/disablement. Hence, let's shortcut things
and simply not check the preset database for them.
While we are at it, shortcut unit file state checks for transient units,
too. We know they are transient already, we can return that directly,
no need to go to disk.
Finally, treat perpetual units like transient units for the the preset
case: also bypass the preset database. (But keep checking for the unit
file state for them, since it *is* relevant to know whether they were
generated or not.)
projects / thirdparty / systemd.git / log
