Currently translated at 100.0% (257 of 257 strings)
Co-authored-by: Javier Francisco <fserrador@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/es/
Translation: systemd/main
mkosi: Fix arch build script version sed expression
Yours truly got rid of the _tag variable in the Arch Linux PKGBUILD
a while ago, so actually adapt the build script to that by changing
the pkgver= variable instead.
* 08ce156d74 fmf: Run mkosi genkey before mkosi summary
* 1126a7c6b8 Download commit archives via full sha instead of short one
* cc473d807f fmf: Check out mkosi to some directory in /var/tmp
build-path: make invoke_callout_binary() honour $PATH as last resort
If we cannot find the callout we need in the build dir let's look for it
in $PATH as last resort.
This makes invoke_callout_binary() usable for all binaries we install
into $PATH (as opposed to /usr/lib/systemd), but has no effect
on callout binaries specified with full path.
This is useful, since we soon want to invoke journalctl as a callout.
gpt-auto-generator: write fsck override unit to "middle" generator dir
We generally let gpt-auto-generator write to the "late" generator dir,
so that the explicit fstab-generator can write to the "middle" one. And
I think we should leave it that way. But we also want to override the
generic systemd-fsck-root.service service potentially, and if we'd do
that in the "late" generator dir, it would be pointless, since that's
ordered *after* the static version hence would never be taken into
consdiration.
Hence clean this up: keep writing to the late dir for everything,
except for the fsck stuff.
veritysetup: when we fail to unlock a disk with the root hash signature logic, retry without
Currently, there's no nice way to get a key into the dm-verity kernel
keyring unless recompiling the kernel, or enabling SB or buying into
shim. Neither sounds particularly attractive.
hence provide a reasonable fallback: if unlocking with signed roothash
doesn#t work, just try without. maybe the kernel policy allows this,
maybe not. It's worth a try.
dissect-image: add a concept for "filtering" partitions we dissect
DDIs may contain multiple versions of the same OS, or even multiple
OSes. Hence it makes sense to not just pick the "newest", whatever that
might be, but only partitions associated with specific images, or in a
specific version.
Let's a concept for such filtering: a per-designator glob expression
that can be applied to the partition label string, and can be used for
such filtering.
Usecase: when picking UKI belonging to OS image X in version Y, make
sure we only pick a /usr/ partition belonging to X in version Y, and a
root and home partition belonging to X in any version.
This only adds the basic infrastructure, but doesn't actually expose it
anywhere.
gpt-auto-generator: add support for mount.usr=dissect
So far, we did not support auto-discovery the /usr/ partition at boot.
Change that: on explicit request (i.e. mount.usr=dissect) automatically
discover the /usr/ partition based on our usual dissection logic.
generator: add root=off to explicitly turn search for rootfs off
This is useful when booting into storage target mode, where we do not
want to enter a root fs, we just want to stay forever in the initrd,
and hence there's value in not even generating and jobs to find the
rootfs
gpt-auto-generator: optionally, set up root fs via dissection logic
This introduces root=dissect, which is a lot like root=gpt-auto, but
uses the image dissection logic to find the root partition. It's also
based on the GPT efi var telling us about the root disk, but instead of
just picking some suitable root disk manually it uses the dissection
logic.
This is a big step forward, since it means we can actually make
use of the image policy logic for the root fs too.
Previously if we found a verity signature partition in an image, and the
image policy required "verity" (but did not allow "signature") we'd
refuse the image. This is of course unnecessarily strict: if "verity" is
allowed, we can make use of the verity data, and ignore the signature
data.
hence, relax the rules here: when we pick up a partition and want to
test it against the policy, always consider all "weaker" uses too, maybe
they are allowed if the "stronger" users isn't.
dissect-image: guess verity root hash from the resources we found
When dissecting an image, let's make use of the Verity data even if we
got told no root hash explicitly: we can simply determine it by
concatenating the data partition uuid with the verity partition uuid.
Of course, on first thought this doesn't really add much: if the root
hash is not pinned from somewhere, this does not guarantee trust in
the image.
However, this is very useful for attestation: if we have the root hash
we can measure it before mounting things, even if we don't actually
authenticate it.
Hence, at best this helps us with attestation, at worst it doesn't improve
security but certainly doesn't hurt it.
dissect-image: rework how we determine that we are ready to do verity/verity-sig
Previously, if during early enumeration of the partition table we
figured out we have a verity + verity-sig partition, we determined we are
"ready" to do verity/verity-sig, as reported by the "verity_ready" and
"verity_ready_sig" fields of DissectedImage.
Let's rework this: only determine we are ready in case the VeritySettings
structure is fully populated. Mark verity-sig/verity only as ready once
we actually *load* the verity sig metadata from the special partition.
This is conceptually more correct, as we consider things "ready" only if
we actually have all data for it loaded. It's also preparation for a
later commit that guesses the verity root hash based on what we discover.
udev-builtin-blkid: look for ESP/XBOOTLDR only in initrd; afterwards just look at /
So far the gpt-auto symlinks would point to:
1. the disk the ESP/XBOOTLDR is located on
2. or to a loopback device whose filename field is set to "rootdisk"
or "rootdisk.raw"
This makes sense in the initrd. But once we transition to the host this
is quite confusing, since the symlinks might point to a different place
than what we actually ended up transitioning too: the actual backing
device of the root file system might be different from what gpt-auto
found.
Let's clean this up: let's avoid any ambiguities here: let's extend the
rules above with one more rule:
3. if we left the initrd, we'll make gpt-auto point to the selected
root file system, if it otherwise would have been a candidate.
Or in other words, the ID_PART_GPT_AUTO_ROOT_DISK=1 udev property now
always makes sense: in the initrd it points to the future root disk, and
on the host to the actual root disk.
test: Be smarter about detecting the mkosi configuration directory
Instead of always looking up two directories from the
test/integration-tests/meson.build file, let's search in up to 4
parent directories from the given meson project source root. This
allows us to just pass in meson.project_source_root() to
integration-test-wrapper.py instead of having to pass in a fixed
relative offset from the current meson file.
It'll also allow us to install the integration tests and mkosi
configuration in the future without breaking the standalone
integrationt tests functionality;
udev-builtin-blkid: look for ESP/XBOOTLDR only in initrd; afterwards just look at /
So far the gpt-auto symlinks would point to:
1. the disk the ESP/XBOOTLDR is located on
2. or to a loopback device whose filename field is set to "rootdisk"
or "rootdisk.raw"
This makes sense in the initrd. But once we transition to the host this
is quite confusing, since the symlinks might point to a different place
than what we actually ended up transitioning too: the actual backing
device of the root file system might be different from what gpt-auto
found.
Let's clean this up: let's avoid any ambiguities here: let's extend the
rules above with one more rule:
3. if we left the initrd, we'll make gpt-auto point to the selected
root file system, if it otherwise would have been a candidate.
Or in other words, the ID_PART_GPT_AUTO_ROOT_DISK=1 udev property now
always makes sense: in the initrd it points to the future root disk, and
on the host to the actual root disk.
mkosi: Move all mkosi configuration into mkosi/ subdirectory
Now that mkosi can automatically pick up its main configuration from
a mkosi/ subdirectory if it exists and there is no configuration in the
top level directory, let's make use of it to reduce the amount of clutter
in the top level directory of the repository.
This will also make it easier to install the mkosi configuration files as
part of the testing packages later on.
* b17e5d64a1 Don't try to modify mkosi.repart config if mkosi conf is in subdir
* e2b2ea3776 fmf: Use mkosi/mkosi.local.conf if the mkosi/ directory exists
rules: split out gpt-root rules from 99-systemd.rules
All other rules in 99-systemd.rules are pretty much concerned about
SYSTEMD_READY=1 and tagging devices the service manager shall track. But
the gpt-root symlink is different, and it makes sense independently of
the service manager. Hence give it a separate file.
This introduces indentation for inner sections skipped via GOTO=. The
rules parser supports that. In order to make this more readable, let's
maybe make use of this.
test: Unset JOURNAL_STREAM for integration test units
We use StandardOutput=journal+console for integration test units
to make sure the output from the test ends up on both the serial
console and in the journal. Unfortunately this only works for
messages written to stdout/stderr of the test service. All journal
messages logged by systemd tools will only end up in the journal and
not on the serial console. This makes test failures harder to debug
than needed because developers have to fetch the journal to figure
out the actual error that was logged by any systemd tool that failed
when invoked from the integration test script.
To fix this, let's unset $JOURNAL_STREAM for the integration test
units. This forces all output to go through stdout, which will make
journald forward it to the console and save it in the journal.
udev: use notify socket to send message from worker processes to manager process (#36922)
This replaces home-grown notification method from worker processes to
manager process with sd-notify. Then, we can reuse many library
functions commonly used by many components.
Hopefully, this does not change any effective functionalities.
projects / thirdparty / systemd.git / log
