base-filesystem: avoid creating /lib64 symlink on existing rootfs
While all distributions agree on where the basic rootfs symlinks
(/bin /sbin /lib) should point to, not all of them agree on the
target of /lib64. Debian and derivatives expect something different
from Fedora et al. This is mostly due to the different way multiarch
vs multilib are designed.
This can lead to the situation where running systemd-nspawn on Fedora
to boot a Debian container creates an incompatible symlink in the guest
persistent, pre-created and pre-populated root filesystem, causing
issues due to these incompatibilities.
While it would be great if Debian and derivatives had the same
expectations as the rest of the world, this is baked in many places
and not likely to ever be fixable, as the multiarch vs multilib
behaviours are now very entrenched, and changing it would break
compatibilities left and right.
The core purpose of base-filesystem was to allow bringing up a system
with an empty/ephemeral/etc rootfs (and a /usr/ image on top). So as
a workaround, create /lib64 only if we detect that we have created
/bin /lib and /sbin, as that's a sure sign we are booting into an
empty rootfs that needs to be populated.
Conversely, if the filesystem _already_ has /bin /sbin and /lib,
it means it is not ephemeral and it is pre-prepared and persistent,
so it's a good idea to avoid second-guessing the image builder tool
or the package manager and overriding what they do, and just let them
carry on with the system however they configured it.
Reworked and reworded, original author: Helmut Grohne <helmut@subdivi.de>
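The rule described above, as an added shell example that is not systemd's base-filesystem code: only create /lib64 when we were the ones who just created /bin, /sbin and /lib in an empty rootfs; if any of them already existed, treat the rootfs as pre-populated and leave /lib64 alone. The /lib64 target is passed in by the caller (assumed here, since the correct target is distribution-specific), and the function reports which branch it took so the behaviour can be checked.

```shell
#!/bin/sh
# Added example, not code from systemd. Mirrors the workaround described in
# the commit message: /lib64 is only created on a rootfs that we populated
# ourselves. The lib64 target (default "usr/lib64") is an assumption; the
# real value differs between Debian-style multiarch and Fedora-style multilib.
set -e

# populate_rootfs ROOT [LIB64_TARGET]
# Prints "populated" when the basic symlinks (and /lib64) were created,
# "preexisting" when the rootfs already carried /bin, /sbin or /lib.
populate_rootfs() {
    root=$1
    lib64_target=${2:-usr/lib64}   # assumption: distribution-specific
    created=0

    for link in bin sbin lib; do
        # -e is false for a dangling symlink, so also test -L
        if [ ! -e "$root/$link" ] && [ ! -L "$root/$link" ]; then
            ln -s "usr/$link" "$root/$link"
            created=$((created + 1))
        fi
    done

    if [ "$created" -eq 3 ]; then
        # Sure sign of an empty rootfs: we created all three ourselves,
        # so creating /lib64 cannot collide with an image builder's choice.
        [ -e "$root/lib64" ] || [ -L "$root/lib64" ] || \
            ln -s "$lib64_target" "$root/lib64"
        echo populated
    else
        # Persistent, pre-populated rootfs: do not second-guess whoever
        # built it, even if /lib64 is missing or points elsewhere.
        echo preexisting
    fi
}
```

Run it against a scratch directory rather than a live root; on a rootfs prepared by debootstrap or a similar tool the function must print "preexisting" and leave the tree untouched.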
Mike Yuan [Sun, 6 Apr 2025 14:10:43 +0000 (16:10 +0200)]
core: do not use pidref_hash_ops_free for Manager.watch_pids
The PidRefs are in all cases owned by Unit.pids, and gets removed
from Manager.watch_pids(_more) when the unit is destructed, via
unit_unwatch_pidref(). This hasn't caused any issue because
manager_clear_jobs_and_units() is called before destroying
Manager.watch_pids(_more), but let's get this right.
We need to be extremely careful with using the path associated with fd,
since it contains the resolved path if a symlink was opened. In particular,
it's really not desirable to return the resolved executable path in
pin_callout_binary(), which would end up as argv[0] in udev_event_spawn(),
potentially changing the behavior of spawned process.
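To make the caveat concrete, an added shell example (not systemd code, Linux-only because it relies on /proc/self/fd): it opens a program through a symlink, then asks the kernel for the path behind the file descriptor. The answer is the resolved target, not the name that was opened, which is exactly why that path must not be fed back as argv[0]. The temporary directory, the "callout" symlink and the "real-binary" file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from systemd. Demonstrates that the path the
# kernel associates with an fd is the resolved one when a symlink was
# opened, so reusing it as argv[0] would change what the callee sees.
# Linux-only: uses /proc/self/fd. All paths below are constructed.
set -e

# fd_path_of_symlink
# Prints the kernel's view of the path behind an fd that was opened
# via a symlink; the name used to open it was ".../callout".
fd_path_of_symlink() {
    dir=$(mktemp -d)
    : > "$dir/real-binary"                # the program actually on disk
    ln -s real-binary "$dir/callout"      # the name a RUN{program} would use

    exec 3< "$dir/callout"                # open through the symlink
    # readlink inherits fd 3 across exec, so /proc/self/fd/3 is that file
    resolved=$(readlink /proc/self/fd/3)
    exec 3<&-

    rm -rf "$dir"
    printf '%s\n' "$resolved"
}

# A multi-call binary that dispatches on argv[0] (busybox-style) would
# behave differently when invoked as "real-binary" instead of "callout".
```

The returned path ends in real-binary, never in callout; when a spawned process keys its behaviour on argv[0], the caller must keep the name it was asked to run and only use the fd-derived path for the execve itself.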
* 7948d79b63 upgpkg: 257.5-1: new upstream release
* d9badad1d4 drop use of deprecated nscd meson option
* af071243cf upgpkg: 257.4-1: new upstream release
shared/cred-util: Ensure TPM code is used with HAVE_TPM2 guards
Building with no TPM2 we end up with the following error:
In function ‘memcpy’,
    inlined from ‘encrypt_credential_and_warn’ at ../git/src/shared/creds-util.c:1091:17:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: error: argument 2 null where non-null expected [-Werror=nonnull]
   29 |   return __builtin___memcpy_chk (__dest, __src, __len,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   30 |                                  __glibc_objsize0 (__dest));
      |                                  ~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:29:10: note: in a call to built-in function ‘__builtin___memcpy_chk’
cc1: some warnings being treated as errors
This is because code referencing tpm2 data structures is still used while the
initialization of the function has been compiled out, since it's conditional on HAVE_TPM2.
We add the needed guards in the places where they are missing to fix this problem.
When compiling on systems which do not have gcc installed
(like a musl+llvm system) the forced linkage "-lgcc" is
stopping it from compiling. As when the compiler is clang it does not
need to link explicitly to gcc, I've modified meson to only
link to the gcc library when the compiler is gcc.
Add support for creating HSR/PRP interfaces. HSR (High-availability Seamless
Redundancy) and PRP (Parallel Redundancy Protocol) are two protocols that
provide seamless failover against failure of any single network component. They
are both implemented by the "hsr" kernel driver.
exec-invoke: Always go via stdin fd in setup_pam() to get tty
We might have resolved the tty to something else if it was set to
/dev/console, so let's always go via stdin in setup_pam(). This also
means we won't set the pam tty if only stdout or stderr are connected
to a tty, which seems like a sensible thing to do.
Daan De Meyer [Fri, 21 Mar 2025 09:39:46 +0000 (10:39 +0100)]
core: Resolve /dev/console if it's connected to stdin
If /dev/console is connected to stdin there's a possibility that
the unit might try to start a logind session from within the unit.
Let's make sure that any such sessions are started on the tty that
/dev/console points to and not on /dev/console itself.
udev-spawn: search executed command in build directory (#36985)
This makes pin_callout_binary() optionally provide the path of the pinned
binary, and uses it in udev-spawn.c, to allow easy debugging of
program invocations requested by RUN{program} and friends.
Mike Yuan [Mon, 24 Mar 2025 18:46:46 +0000 (19:46 +0100)]
core/cgroup: drop extraneous CGRuntime check in unit_get_memory_available()
Currently, for units whose CGRuntime is not allocated just yet, e.g.
inactive ones, MemoryAvailable fails to account for their MemoryMax/High
settings. Let's remove the CGRuntime check hence. The call to
unit_get_memory_accounting() would certainly fail, but it doesn't matter,
since 'current' is initially set to 0 anyways.
Mike Yuan [Wed, 2 Apr 2025 19:08:48 +0000 (21:08 +0200)]
mkosi: update debian commit reference
* 4643263123 Add NEWS entry to warn about network connectivity loss due to mDNS, and workaround
* c995755707 Update changelog for 257.4-9 release
* 5e2ba1a045 resolved: break mDNS, remove conflict with avahi
* 6cf6fa39b4 Update changelog for 257.4-8 release
* 5067878f3a reintroduce systemd-resolved, with conflict on avahi-daemon
* 60c0d67e45 d/rules: drop nscd meson option
* 542de2ed44 Install new files for upstream CI
* 1e9b0e30da d/t/boot-and-services: skip gdm3 test in nested LXD run
* 4142fb487b systemd.preinst: fix shellcheck warnings
* 7879441e78 systemd.preinst: do not use systemctl
* 1d5ba16cf0 Update changelog for 257.4-7 release
* ddd3438e04 autopkgtest: re-enable integration tests
* 98698b582f autopkgtest: fix debugging leftover
* f62660777f Backport patches to fix integration tests skipping
* b7308013af autopkgtest: when nested tests-in-lxd skips don't fail outer run
* d5e96c6e56 Update changelog for 257.4-6 release
* 2493e2ffc7 Add Lintian override for 'unknown-field Protected'
* e27ebff834 d/control: fix systemd-boot and systemd-boot-tools descriptions
* 705fff1663 systemd: conflict with dracut on arm64
* 7e92bc39e9 Update changelog for 257.4-5 release
* 7638a4dcc1 autopkgtest: fix unit-tests for upstream CI
* 83a6bbe55a Add missing dh-exec shbang to d/systemd-tests.install
* 11b82593a5 Update changelog for 257.4-4 release
* f221a72abd Drop systemd-nspawn on arm64
* b8ecb66d05 Drop systemd-resolved package
* 560cde98d7 Move leftover resolved files to its own package
* fc2758d02d autopkgtest: drop versioning constraints on tzdata
* b2b7c59141 autopkgtest: remove workaround for 'meson compiile mkosi' and use 'mkosi -f' instead to avoid slow rebuilds
* 17e11869b5 systemd.postinst: add markers for janitor removals
* 581a5994f5 Handle new tmp mount on upgrade in preinst rather than postinst
* 58f6a4f689 d/control: only conflict against opensysusers << 0.7.3-4.1~
* 6dee609537 userdb: fix wildcard matching
* cf722bcd44 systemd-container: use more wildcards to install files
* 2339308f43 userdbd: use wildcard to install units
* a663f671bd Add myself to Uploaders
* 4a5bef9a48 Install new files
* c529659001 Drop systemd-cgroups-agent with upstream profile
* 970061c678 d/rules: add TODO reminder to drop Ubuntu-specific workaround
* 88fc574439 systemd-boot: do case-insensitive parsing of efibootmgr output
* eecb9466e0 Update tzdata-legacy version constraint for new bookworm-p-u tzdata version
* 5d9570efad Update changelog for 257.4-3 release
* 614efde487 Fix versioned breaks/replaces for sd-boot-tools
Currently translated at 100.0% (257 of 257 strings)
Co-authored-by: Javier Francisco <fserrador@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/es/
Translation: systemd/main
mkosi: Fix arch build script version sed expression
Yours truly got rid of the _tag variable in the Arch Linux PKGBUILD
a while ago, so actually adapt the build script to that by changing
the pkgver= variable instead.
* 08ce156d74 fmf: Run mkosi genkey before mkosi summary
* 1126a7c6b8 Download commit archives via full sha instead of short one
* cc473d807f fmf: Check out mkosi to some directory in /var/tmp
build-path: make invoke_callout_binary() honour $PATH as last resort
If we cannot find the callout we need in the build dir let's look for it
in $PATH as last resort.
This makes invoke_callout_binary() usable for all binaries we install
into $PATH (as opposed to /usr/lib/systemd), but has no effect
on callout binaries specified with full path.
This is useful, since we soon want to invoke journalctl as a callout.