From 6ee4abe797c417e68181c0857a2ce2a2e46036cc Mon Sep 17 00:00:00 2001 
From: Lukas Nykryn Date: Mon, 8 Jul 2024 16:16:18 +0200 Subject: [PATCH] systemd-256-3 Remove resolved scriptlets Don't install tests Resolves: RHEL-46277,RHEL-46576,RHEL-46280 --- 0001-Create-CNAME.patch | 18 +++ 0002-man-systemd-reorder-content-a-bit.patch | 103 +++++++++++++ ...allow-hostnamed-to-exit-on-idle-if-v.patch | 43 ++++++ ...p-server-clear-buffer-before-receive.patch | 30 ++++ ...number-of-device-units-generated-for.patch | 29 ++++ ...se-GREEDY_REALLOC-to-grow-the-buffer.patch | 81 ++++++++++ ...-fail-if-we-can-t-access-the-TPM-due.patch | 132 ++++++++++++++++ ...dnssec-rrtype-questions-when-we-aren.patch | 37 +++++ ...Use-crypt_reencrypt_run-if-available.patch | 123 +++++++++++++++ ...le-summary-at-the-end-of-TEST-02-UNI.patch | 136 +++++++++++++++++ 0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch | 29 ++++ ...ew-stable-releases-will-be-in-the-ma.patch | 26 ++++ ...on-only-offer-devices-for-completion.patch | 29 ++++ ...E-document-reterr_-return-parameters.patch | 98 ++++++++++++ ...nalyze-show-pcrs-also-in-sha384-bank.patch | 27 ++++ ...are-flex-array-updated-for-gcc15-and.patch | 41 +++++ ...-a-warning-to-systemd-tmpfiles-purge.patch | 31 ++++ ...emporary-from-description-of-systemd.patch | 65 ++++++++ ...rivileged-user-ns-for-integration-te.patch | 24 +++ ...rts.ubuntu.com-for-non-x86-backports.patch | 74 +++++++++ ...I-packages-only-on-EFI-architectures.patch | 58 +++++++ ...kip-condition-before-installing-addi.patch | 31 ++++ ...-drop-unneeded-firmware-uefi-setting.patch | 37 +++++ 0024-test-drop-obsolete-comment.patch | 28 ++++ 0025-test-support-TEST_NO_KVM.patch | 25 +++ ...T_NO_QEMU-in-mkosi-integration-wrapp.patch | 30 ++++ ...stead-of-uefi-for-automated-fallback.patch | 27 ++++ ...ce-fix-accept-socket-deserialization.patch | 45 ++++++ ...tion-that-the-captive-portal-option-.patch | 26 ++++ ...isable-secure-boot-in-mkosi-GHA-runs.patch | 27 ++++ 0031-mkosi-bump-to-latest.patch | 23 +++ 0032-NEWS-fix-typo.patch | 23 +++ 
...moving-symlinks-even-for-units-that-.patch | 69 +++++++++ ...ur-dry-run-when-removing-directories.patch | 35 +++++ ...on-at-least-one-configuration-file-b.patch | 68 +++++++++ ...rge-to-command-section-in-help-text-.patch | 37 +++++ ...rict-noble-backports-to-noble-builds.patch | 37 +++++ 0038-repart-fix-memory-leak.patch | 22 +++ ...-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch | 42 +++++ ...workflows-to-run-on-source-git-setup.patch | 0 ... 0041-ci-setup-source-git-automation.patch | 0 ...i-deploy-systemd-man-to-GitHub-Pages.patch | 0 ...43-ci-reconfigure-Packit-for-RHEL-10.patch | 0 ...-parameters-together-with-rhel-only-.patch | 0 ...eate-user-journals-for-users-with-hi.patch | 0 ...-tmpfiles-make-purge-hard-to-mis-use.patch | 0 ...-use-system-auth-in-pam-systemd-user.patch | 0 ...e-start-rhel10-naming-and-include-rh.patch | 0 ...les-copy-40-redhat.rules-from-RHEL-9.patch | 0 ...nd-set-RemoveIPC-to-false-by-default.patch | 0 ...reate-resolv.conf-stub-resolv.conf-s.patch | 0 ...al-order-after-network-online.target.patch | 0 ...il-increase-random-seed-size-to-1024.patch | 0 ...able-systemd-journald-audit.socket-b.patch | 0 ...f-don-t-touch-current-audit-settings.patch | 0 ...evator-kernel-command-line-parameter.patch | 0 ...tTasksMax-to-80-of-the-kernel-pid.ma.patch | 0 ...ink-change-the-default-MACAddressPol.patch | 0 ...g-level-of-messages-about-use-of-Kil.patch | 0 ...n-rename-libbasic-to-libbasic_static.patch | 0 ...ystemd-core-via-an-intermediate-stat.patch | 0 ...-to-build-systemd-executor-staticall.patch | 0 0063-taint-remove-unmerged-bin.patch | 86 +++++++++++ 0064-presets-remove-resolved.patch | 28 ++++ sources | 2 +- systemd.spec | 144 +++++++++--------- 66 files changed, 2054 insertions(+), 72 deletions(-) create mode 100644 0001-Create-CNAME.patch create mode 100644 0002-man-systemd-reorder-content-a-bit.patch create mode 100644 0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch create mode 100644 
0004-sd-dhcp-server-clear-buffer-before-receive.patch create mode 100644 0005-rules-Limit-the-number-of-device-units-generated-for.patch create mode 100644 0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch create mode 100644 0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch create mode 100644 0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch create mode 100644 0009-repart-Use-crypt_reencrypt_run-if-available.patch create mode 100644 0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch create mode 100644 0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch create mode 100644 0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch create mode 100644 0013-shell-completion-only-offer-devices-for-completion.patch create mode 100644 0014-CODING_STYLE-document-reterr_-return-parameters.patch create mode 100644 0015-analyze-show-pcrs-also-in-sha384-bank.patch create mode 100644 0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch create mode 100644 0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch create mode 100644 0018-man-units-drop-temporary-from-description-of-systemd.patch create mode 100644 0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch create mode 100644 0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch create mode 100644 0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch create mode 100644 0022-test-check-the-skip-condition-before-installing-addi.patch create mode 100644 0023-test-drop-unneeded-firmware-uefi-setting.patch create mode 100644 0024-test-drop-obsolete-comment.patch create mode 100644 0025-test-support-TEST_NO_KVM.patch create mode 100644 0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch create mode 100644 0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch create mode 100644 0028-core-service-fix-accept-socket-deserialization.patch create mode 100644 0029-test-network-mention-that-the-captive-portal-option-.patch 
create mode 100644 0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch create mode 100644 0031-mkosi-bump-to-latest.patch create mode 100644 0032-NEWS-fix-typo.patch create mode 100644 0033-install-allow-removing-symlinks-even-for-units-that-.patch create mode 100644 0034-tmpfiles-honour-dry-run-when-removing-directories.patch create mode 100644 0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch create mode 100644 0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch create mode 100644 0037-mkosi-restrict-noble-backports-to-noble-builds.patch create mode 100644 0038-repart-fix-memory-leak.patch create mode 100644 0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch rename 0001-ci-update-workflows-to-run-on-source-git-setup.patch => 0040-ci-update-workflows-to-run-on-source-git-setup.patch (100%) rename 0002-ci-setup-source-git-automation.patch => 0041-ci-setup-source-git-automation.patch (100%) rename 0003-ci-deploy-systemd-man-to-GitHub-Pages.patch => 0042-ci-deploy-systemd-man-to-GitHub-Pages.patch (100%) rename 0004-ci-reconfigure-Packit-for-RHEL-10.patch => 0043-ci-reconfigure-Packit-for-RHEL-10.patch (100%) rename 0005-ci-allow-to-pass-parameters-together-with-rhel-only-.patch => 0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch (100%) rename 0006-journal-again-create-user-journals-for-users-with-hi.patch => 0045-journal-again-create-user-journals-for-users-with-hi.patch (100%) rename 0007-tmpfiles-make-purge-hard-to-mis-use.patch => 0046-tmpfiles-make-purge-hard-to-mis-use.patch (100%) rename 0008-fedora-use-system-auth-in-pam-systemd-user.patch => 0047-fedora-use-system-auth-in-pam-systemd-user.patch (100%) rename 0009-net-naming-scheme-start-rhel10-naming-and-include-rh.patch => 0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch (100%) rename 0010-rules-copy-40-redhat.rules-from-RHEL-9.patch => 0049-rules-copy-40-redhat.rules-from-RHEL-9.patch (100%) rename 
0011-logind-set-RemoveIPC-to-false-by-default.patch => 0050-logind-set-RemoveIPC-to-false-by-default.patch (100%) rename 0012-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch => 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch (100%) rename 0013-rc-local-order-after-network-online.target.patch => 0052-rc-local-order-after-network-online.target.patch (100%) rename 0014-random-util-increase-random-seed-size-to-1024.patch => 0053-random-util-increase-random-seed-size-to-1024.patch (100%) rename 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch => 0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch (100%) rename 0016-journald.conf-don-t-touch-current-audit-settings.patch => 0055-journald.conf-don-t-touch-current-audit-settings.patch (100%) rename 0017-rules-add-elevator-kernel-command-line-parameter.patch => 0056-rules-add-elevator-kernel-command-line-parameter.patch (100%) rename 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch => 0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch (100%) rename 0019-udev-net-setup-link-change-the-default-MACAddressPol.patch => 0058-udev-net-setup-link-change-the-default-MACAddressPol.patch (100%) rename 0020-core-decrease-log-level-of-messages-about-use-of-Kil.patch => 0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch (100%) rename 0021-meson-rename-libbasic-to-libbasic_static.patch => 0060-meson-rename-libbasic-to-libbasic_static.patch (100%) rename 0022-meson-build-libsystemd-core-via-an-intermediate-stat.patch => 0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch (100%) rename 0023-meson-add-option-to-build-systemd-executor-staticall.patch => 0062-meson-add-option-to-build-systemd-executor-staticall.patch (100%) create mode 100644 0063-taint-remove-unmerged-bin.patch create mode 100644 0064-presets-remove-resolved.patch diff --git a/0001-Create-CNAME.patch b/0001-Create-CNAME.patch new file mode 100644 index 0000000..fbb444e 
--- /dev/null
+++ b/0001-Create-CNAME.patch
@@ -0,0 +1,18 @@
+From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Tue, 11 Jun 2024 23:04:12 +0100
+Subject: [PATCH] Create CNAME
+
+---
+ docs/CNAME | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 docs/CNAME
+
+diff --git a/docs/CNAME b/docs/CNAME
+new file mode 100644
+index 0000000000..cdcf4d9a52
+--- /dev/null
++++ b/docs/CNAME
+@@ -0,0 +1 @@
++systemd.io
+\ No newline at end of file
diff --git a/0002-man-systemd-reorder-content-a-bit.patch b/0002-man-systemd-reorder-content-a-bit.patch
new file mode 100644
index 0000000..1469876
--- /dev/null
+++ b/0002-man-systemd-reorder-content-a-bit.patch
@@ -0,0 +1,103 @@ +From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 5 Jun 2024 11:28:21 +0200 +Subject: [PATCH] man/systemd: reorder content a bit + +Section "Description" didn't actually say what systemd does. And we had a giant +"Concepts" section that actually described units types and other details about +them. So let's move the basic description of functionality to "Description" and +rename the following section to "Units". + +The link to the Original Design Document is moved to "See Also", it is of +historical interest mostly at this point. + +The only actual change is that when talking about API filesystems, /dev is also +mentioned. (I think /sys+/proc+/dev are the canonical set and should be always +listed on one breath.) + +(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba) +--- + man/systemd.xml | 49 ++++++++++++++++++++++++------------------------- + 1 file changed, 24 insertions(+), 25 deletions(-) + +diff --git a/man/systemd.xml b/man/systemd.xml +index 66db5bbf25..f4aa7e06ca 100644 +--- a/man/systemd.xml ++++ b/man/systemd.xml +@@ -62,10 +62,29 @@ + user.conf.d directories. See + systemd-system.conf5 + for more information. ++ ++ systemd contains native implementations of various tasks that need to be ++ executed as part of the boot process. For example, it sets the hostname or configures the loopback ++ network device. It also sets up and mounts various API file systems, such as /sys/, ++ /proc/, and /dev/. ++ ++ Note that some but not all interfaces provided by systemd are covered by the ++ Interface Portability and Stability Promise. ++ ++ The D-Bus API of systemd is described in ++ org.freedesktop.systemd15 ++ and ++ org.freedesktop.LogControl15. ++ ++ ++ Systems which invoke systemd in a container or initrd environment should implement the Container Interface or ++ initrd Interface ++ specifications, respectively. 
+ + + +- Concepts ++ Units + + systemd provides a dependency system between various + entities called "units" of 11 different types. Units encapsulate +@@ -261,34 +280,10 @@ + example, start jobs for any of those inactive units getting queued as + well. + +- systemd contains native implementations of various tasks +- that need to be executed as part of the boot process. For example, +- it sets the hostname or configures the loopback network device. It +- also sets up and mounts various API file systems, such as +- /sys/ or /proc/. +- +- For more information about the concepts and +- ideas behind systemd, please refer to the +- Original Design Document. +- +- Note that some but not all interfaces provided by systemd are covered by the +- Interface Portability and Stability Promise. +- + Units may be generated dynamically at boot and system + manager reload time, for example based on other configuration + files or parameters passed on the kernel command line. For details, see + systemd.generator7. +- +- The D-Bus API of systemd is described in +- org.freedesktop.systemd15 +- and +- org.freedesktop.LogControl15. +- +- +- Systems which invoke systemd in a container or initrd environment should implement the Container Interface or +- initrd Interface +- specifications, respectively. + + + +@@ -1558,6 +1553,10 @@ + bootup7 + systemd.directives7 + ++ ++ For more information about the concepts and ++ ideas behind systemd, please refer to the ++ Original Design Document. + + + diff --git a/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch b/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch new file mode 100644 index 0000000..99e1e6e --- /dev/null +++ b/0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch 
@@ -0,0 +1,43 @@
+From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Wed, 8 May 2024 10:38:11 +0200
+Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
+ connections are still ongoing
+
+And while we are at it, ongoing PK authorizations are also a reason to
+block exit on idle.
+
+(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
+---
+ src/hostname/hostnamed.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
+index 82d08803fa..fe1216fc1c 100644
+--- a/src/hostname/hostnamed.c
++++ b/src/hostname/hostnamed.c
+@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
+ return 0;
+ }
+
++static bool context_check_idle(void *userdata) {
++ Context *c = ASSERT_PTR(userdata);
++
++ return varlink_server_current_connections(c->varlink_server) == 0 &&
++ hashmap_isempty(c->polkit_registry);
++}
++
+ static int run(int argc, char *argv[]) {
+ _cleanup_(context_destroy) Context context = {
+ .hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
+@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
+ context.bus,
+ "org.freedesktop.hostname1",
+ DEFAULT_EXIT_USEC,
+- /* check_idle= */ NULL,
+- /* userdata= */ NULL);
++ context_check_idle,
++ &context);
+ if (r < 0)
+ return log_error_errno(r, "Failed to run event loop: %m");
+
diff --git a/0004-sd-dhcp-server-clear-buffer-before-receive.patch b/0004-sd-dhcp-server-clear-buffer-before-receive.patch
new file mode 100644
index 0000000..b51d6f3
--- /dev/null
+++ b/0004-sd-dhcp-server-clear-buffer-before-receive.patch
@@ -0,0 +1,30 @@
+From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Wed, 12 Jun 2024 00:48:56 +0900
+Subject: [PATCH] sd-dhcp-server: clear buffer before receive
+
+I do not think this is necessary, but all other places in
+libsystemd-network we clear buffer before receive. Without this,
+Coverity warns about use-of-uninitialized-values.
+Let's silence Coverity.
+
+Closes CID#1469721.
+
+(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
+---
+ src/libsystemd-network/sd-dhcp-server.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
+index c3b0f82dc4..4967f066dc 100644
+--- a/src/libsystemd-network/sd-dhcp-server.c
++++ b/src/libsystemd-network/sd-dhcp-server.c
+@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
+ /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
+ buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
+
+- message = malloc(buflen);
++ message = malloc0(buflen);
+ if (!message)
+ return -ENOMEM;
+
diff --git a/0005-rules-Limit-the-number-of-device-units-generated-for.patch b/0005-rules-Limit-the-number-of-device-units-generated-for.patch
new file mode 100644
index 0000000..8328a1d
--- /dev/null
+++ b/0005-rules-Limit-the-number-of-device-units-generated-for.patch
@@ -0,0 +1,29 @@
+From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
+From: Daan De Meyer
+Date: Mon, 10 Jun 2024 12:59:58 +0200
+Subject: [PATCH] rules: Limit the number of device units generated for serial
+ ttys
+
+As per the suggestion in https://github.com/systemd/systemd/issues/33242.
+
+This reduces the number of /dev/ttySXX device units generated in
+mkosi from 32 to 4.
+
+(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
+---
+ rules.d/99-systemd.rules.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
+index ad0c7e2fb5..8ba6f177f8 100644
+--- a/rules.d/99-systemd.rules.in
++++ b/rules.d/99-systemd.rules.in
+@@ -10,6 +10,8 @@
+ ACTION=="remove", GOTO="systemd_end"
+
+ SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
++# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
++SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
+ KERNEL=="vport*", TAG+="systemd"
+
+ SUBSYSTEM=="ptp", TAG+="systemd"
diff --git a/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch b/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
new file mode 100644
index 0000000..776f109
--- /dev/null
+++ b/0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
@@ -0,0 +1,81 @@ +From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001 +From: q66 +Date: Thu, 6 Jun 2024 13:45:48 +0200 +Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer + +This allows us to reserve a bunch of capacity ahead of time, +improving the performance of hwdb significantly thanks to not +having to reallocate so many times. + +Before: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==113297== Memcheck, a memory error detector +==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. +==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==113297== Command: ./systemd-hwdb update +==113297== +==113297== +==113297== HEAP SUMMARY: +==113297== in use at exit: 0 bytes in 0 blocks +==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated +==113297== +==113297== All heap blocks were freed -- no leaks are possible +==113297== +==113297== For lists of detected and suppressed errors, rerun with: -s +==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k +0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps +``` + +After: +``` +$ sudo time valgrind --leak-check=full ./systemd-hwdb update +==112572== Memcheck, a memory error detector +==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al. 
+==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info +==112572== Command: ./systemd-hwdb update +==112572== +==112572== +==112572== HEAP SUMMARY: +==112572== in use at exit: 0 bytes in 0 blocks +==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated +==112572== +==112572== All heap blocks were freed -- no leaks are possible +==112572== +==112572== For lists of detected and suppressed errors, rerun with: -s +==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k +0inputs+25264outputs (0major+57275minor)pagefaults 0swaps +``` + +Co-authored-by: Yu Watanabe +(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93) +--- + src/basic/strbuf.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c +index 0617acc8d2..6d43955bb1 100644 +--- a/src/basic/strbuf.c ++++ b/src/basic/strbuf.c +@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node, + /* add string, return the index/offset into the buffer */ + ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + uint8_t c; +- char *buf_new; + struct strbuf_child_entry *child; + struct strbuf_node *node; + ssize_t off; +@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { + } + + /* add new string */ +- buf_new = realloc(str->buf, str->len + len+1); +- if (!buf_new) ++ if (!GREEDY_REALLOC(str->buf, str->len + len + 1)) + return -ENOMEM; +- str->buf = buf_new; + off = str->len; + memcpy(str->buf + off, s, len); + str->len += len; diff --git a/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch b/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch new file mode 100644 index 0000000..683891a --- /dev/null +++ b/0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch 
@@ -0,0 +1,132 @@ +From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Fri, 17 May 2024 16:20:11 +0200 +Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to + authorization failure + +The TPM might be password/pin protected for various reasons even if +there is no SRK yet. Let's handle those cases gracefully instead of +failing the unit as it is enabled by default. + +(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199) +--- + catalog/systemd.catalog.in | 13 +++++++++++++ + src/shared/tpm2-util.c | 2 ++ + src/systemd/sd-messages.h | 3 +++ + src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++- + units/systemd-tpm2-setup-early.service.in | 3 +++ + units/systemd-tpm2-setup.service.in | 3 +++ + 6 files changed, 36 insertions(+), 1 deletion(-) + +diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in +index 3c9a6860da..2831152763 100644 +--- a/catalog/systemd.catalog.in ++++ b/catalog/systemd.catalog.in +@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/ + A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been + detached from the system and is no longer available for use. The list of attached + Portable Services can be queried with 'portablectl list'. ++ ++-- ad7089f928ac4f7ea00c07457d47ba8a ++Subject: Authorization failure while attempting to enroll SRK into TPM ++Defined-By: systemd ++Support: %SUPPORT_URL% ++Documentation: man:systemd-tpm2-setup.service(8) ++ ++An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform ++Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of ++the TPM. ++ ++Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password ++protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p ""'. 
+diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c +index 87ce53cf95..9603f1837e 100644 +--- a/src/shared/tpm2-util.c ++++ b/src/shared/tpm2-util.c +@@ -2119,6 +2119,8 @@ int tpm2_create_primary( + /* creationData= */ NULL, + /* creationHash= */ NULL, + /* creationTicket= */ NULL); ++ if (rc == TPM2_RC_BAD_AUTH) ++ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM."); + if (rc != TSS2_RC_SUCCESS) + return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), + "Failed to generate primary key in TPM: %s", +diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h +index e3f68068a8..16e9986be3 100644 +--- a/src/systemd/sd-messages.h ++++ b/src/systemd/sd-messages.h +@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS; + #define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + #define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) + ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) ++ + _SD_END_DECLARATIONS; + + #endif +diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c +index 35628fc02a..b95c5e7a58 100644 +--- a/src/tpm2-setup/tpm2-setup.c ++++ b/src/tpm2-setup/tpm2-setup.c +@@ -3,6 +3,8 @@ + #include + #include + ++#include "sd-messages.h" ++ + #include "build.h" + #include "fd-util.h" + #include "fileio.h" +@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) { + /* ret_name= */ NULL, + /* ret_qname= */ NULL, + NULL); ++ if (r == -EDEADLK) ++ return r; + if (r < 0) + return log_error_errno(r, "Failed to get or create SRK: %m"); + if (r > 0) +@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) { + } + + r = load_public_key_tpm2(&tpm2_key); ++ if (r == 
-EDEADLK) { ++ log_struct_errno(LOG_INFO, r, ++ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."), ++ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR); ++ return 76; /* Special return value which means "Insufficient permissions to access TPM, ++ * cannot generate SRK". This isn't really an error when called at boot. */; ++ } + if (r < 0) + return r; + +@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) { + return 0; + } + +-DEFINE_MAIN_FUNCTION(run); ++DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run); +diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in +index 9982c84aba..7fdb99b53f 100644 +--- a/units/systemd-tpm2-setup-early.service.in ++++ b/units/systemd-tpm2-setup-early.service.in +@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 +diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in +index 0af7292528..ac29a76966 100644 +--- a/units/systemd-tpm2-setup.service.in ++++ b/units/systemd-tpm2-setup.service.in +@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release + Type=oneshot + RemainAfterExit=yes + ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful ++ ++# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. ++SuccessExitStatus=76 diff --git a/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch b/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch new file mode 100644 index 0000000..47ce5cf --- /dev/null +++ b/0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch 
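Review bot: In the src/shared/tpm2-util.c hunk `tpm2_create_primary` turns TPM2_RC_BAD_AUTH into the generic `-EDEADLK`, and `load_public_key_tpm2` forwards any `-EDEADLK` unchanged, so the `run()` branch that logs "Insufficient permissions to access TPM" and returns 76 — a value both unit files now declare as `SuccessExitStatus=76` — cannot distinguish a real owner-hierarchy authorization failure from any other EDEADLK that reaches that call path. A dedicated sentinel or an out-parameter would make the "exit 76 counts as success" contract safer; at minimum the overloading should be recorded next to the new check, e.g. `/* EDEADLK is repurposed here to mean "owner hierarchy needs authorization"; callers map it to exit status 76 */`. The catalog entry in the same hunk also spells "occured" for "occurred". Both `tpm2_create_primary` and `run()` continue outside the hunk.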
@@ -0,0 +1,37 @@
+From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
+From: Ronan Pigott
+Date: Fri, 8 Mar 2024 13:40:08 -0700
+Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
+ validating
+
+This check introduced in 91adc4db33f6 is intended to spare us from
+encountering broken resolver behavior we don't want to deal with.
+However if we aren't validating we more than likely don't know the state
+of the upstream resolver's support for dnssec. Let's let clients try
+these queries if they want.
+
+This brings the behavior of sd-resolved in-line with previouly stated
+change in the meaning of DNSSEC=no, which now means "don't validate"
+rather than "don't validate, because the upstream resolver is declared to
+be dnssec-unaware".
+
+Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
+(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
+---
+ src/resolve/resolved-dns-server.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
+index 340f11f4f4..b37f541c7f 100644
+--- a/src/resolve/resolved-dns-server.c
++++ b/src/resolve/resolved-dns-server.c
+@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
+ if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
+ return true;
+
+- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
+- return false;
+-
+ if (server->packet_bad_opt)
+ return false;
+
diff --git a/0009-repart-Use-crypt_reencrypt_run-if-available.patch b/0009-repart-Use-crypt_reencrypt_run-if-available.patch
new file mode 100644
index 0000000..135eb65
--- /dev/null
+++ b/0009-repart-Use-crypt_reencrypt_run-if-available.patch
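Review bot: After this hunk `dns_server_dnssec_supported()` no longer consults `possible_feature_level`, so a server whose negotiated feature level is below DNSSEC is no longer reported as unsupported by this function; the only check left visible in the hunk is `packet_bad_opt`, and the rest of the body lies outside it. Nothing in the code records that the omission is deliberate, which invites the next reader to "fix" it by restoring the check. A short comment at the removal point would prevent that, e.g. `/* Deliberately not gated on DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(): when not validating, clients may still ask for DNSSEC RR types. */`. The function continues past the end of the hunk.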
@@ -0,0 +1,123 @@ +From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Sun, 2 Jun 2024 16:24:52 +0200 +Subject: [PATCH] repart: Use crypt_reencrypt_run() if available + +crypt_reencrypt() is deprecated, so let's look for and prefer +crypt_reencrypt_run() if it is available. + +(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a) +--- + meson.build | 1 + + src/partition/repart.c | 6 +++++- + src/shared/cryptsetup-util.c | 19 ++++++++----------- + src/shared/cryptsetup-util.h | 6 +++--- + 4 files changed, 17 insertions(+), 15 deletions(-) + +diff --git a/meson.build b/meson.build +index ea4e12aa1c..e42151998b 100644 +--- a/meson.build ++++ b/meson.build +@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size', + 'crypt_token_max', + 'crypt_reencrypt_init_by_passphrase', + 'crypt_reencrypt', ++ 'crypt_reencrypt_run', + 'crypt_set_data_offset', + 'crypt_set_keyring_to_link', + 'crypt_resume_by_volume_key'] +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 6f67d46025..2ecae4ca03 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget + } + + static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) { +-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT ++#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT) + const char *node = partition_target_path(target); + struct crypt_params_luks2 luks_params = { + .label = strempty(ASSERT_PTR(p)->new_label), +@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta + if (r < 0) + return log_error_errno(r, "Failed to load reencryption context: %m"); + ++#if 
HAVE_CRYPT_REENCRYPT_RUN ++ r = sym_crypt_reencrypt_run(cd, NULL, NULL); ++#else + r = sym_crypt_reencrypt(cd, NULL); ++#endif + if (r < 0) + return log_error_errno(r, "Failed to encrypt %s: %m", node); + } else { +diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c +index 288e6e8942..d0dd434df8 100644 +--- a/src/shared/cryptsetup-util.c ++++ b/src/shared/cryptsetup-util.c +@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get); + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase); + #endif +-#if HAVE_CRYPT_REENCRYPT +-DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++#if HAVE_CRYPT_REENCRYPT_RUN ++DLSYM_FUNCTION(crypt_reencrypt_run); ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_FUNCTION(crypt_reencrypt); +-REENABLE_WARNING; + #endif + DLSYM_FUNCTION(crypt_metadata_locking); + #if HAVE_CRYPT_SET_DATA_OFFSET +@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) { + + /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with + * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is +- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the +- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off +- * warnings about this for now. */ +- +- DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old ++ * symbol if the new one is not available. 
*/ + + ELF_NOTE_DLOPEN("cryptsetup", + "Support for disk encryption, integrity, and authentication", +@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) { + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_ARG(crypt_reencrypt_init_by_passphrase), + #endif +-#if HAVE_CRYPT_REENCRYPT ++#if HAVE_CRYPT_REENCRYPT_RUN ++ DLSYM_ARG(crypt_reencrypt_run), ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_ARG(crypt_reencrypt), + #endif + DLSYM_ARG(crypt_metadata_locking), +@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) { + if (r <= 0) + return r; + +- REENABLE_WARNING; +- + /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that + * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set + * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some +diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h +index f00ac367b6..d255e59004 100644 +--- a/src/shared/cryptsetup-util.h ++++ b/src/shared/cryptsetup-util.h +@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get); + #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE + DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase); + #endif +-#if HAVE_CRYPT_REENCRYPT +-DISABLE_WARNING_DEPRECATED_DECLARATIONS; ++#if HAVE_CRYPT_REENCRYPT_RUN ++DLSYM_PROTOTYPE(crypt_reencrypt_run); ++#elif HAVE_CRYPT_REENCRYPT + DLSYM_PROTOTYPE(crypt_reencrypt); +-REENABLE_WARNING; + #endif + DLSYM_PROTOTYPE(crypt_metadata_locking); + #if HAVE_CRYPT_SET_DATA_OFFSET diff --git a/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch b/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch new file mode 100644 index 0000000..315a5ff --- /dev/null +++ b/0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch 
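Review bot: The `#if HAVE_CRYPT_REENCRYPT_RUN` / `#elif HAVE_CRYPT_REENCRYPT` choice in cryptsetup-util.c is made at build time, but the symbol is bound at run time through `DLSYM_ARG(crypt_reencrypt_run)` in dlopen_cryptsetup(), so a binary built against headers that provide crypt_reencrypt_run() will now fail dlopen_cryptsetup() altogether on a runtime libcryptsetup that only exports crypt_reencrypt(), where the previous code kept working because the old symbol is still exported. That tightens the runtime requirement relative to what the retained comment ("we want to support 2.2.0 for a while longer") suggests; either the comment should state that the minimum now applies to the library present at build time, or the lookup should fall back to the old symbol at run time. In repart.c the fallback is written as a bare `#else` while the other three sites use `#elif HAVE_CRYPT_REENCRYPT`; it is correct because of the guard at the top of partition_encrypt() (outside the hunk), but `#elif HAVE_CRYPT_REENCRYPT` there too would keep the four sites uniform.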
@@ -0,0 +1,136 @@ +From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 12 Jun 2024 12:09:25 +0200 +Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST + +Let's dump a list of skipped tests and logs from failed tests at the end +of TEST-02-UNITTEST to make debugging fails in CI slightly less painful. + +(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3) +--- + test/TEST-02-UNITTESTS/test.sh | 8 ---- + test/test-functions | 68 --------------------------------- + test/units/TEST-02-UNITTESTS.sh | 14 +++++++ + 3 files changed, 14 insertions(+), 76 deletions(-) + +diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh +index f165c99368..2cf9c31096 100755 +--- a/test/TEST-02-UNITTESTS/test.sh ++++ b/test/TEST-02-UNITTESTS/test.sh +@@ -37,12 +37,4 @@ test_append_files() { + fi + } + +-check_result_nspawn() { +- check_result_nspawn_unittests "${1}" +-} +- +-check_result_qemu() { +- check_result_qemu_unittests +-} +- + do_test "$@" +diff --git a/test/test-functions b/test/test-functions +index be6eb1d9b2..8b497b2e27 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -1860,74 +1860,6 @@ check_result_qemu() { + return $ret + } + +-check_result_nspawn_unittests() { +- local workspace="${1:?}" +- local ret=1 +- +- [[ -e "$workspace/testok" ]] && ret=0 +- +- if [[ -s "$workspace/failed" ]]; then +- ret=$((ret + 1)) +- echo "=== Failed test log ===" +- cat "$workspace/failed" +- else +- if [[ -s "$workspace/skipped" ]]; then +- echo "=== Skipped test log ==" +- cat "$workspace/skipped" +- # We might have only skipped tests - that should not fail the job +- ret=0 +- fi +- if [[ -s "$workspace/testok" ]]; then +- echo "=== Passed tests ===" +- cat "$workspace/testok" +- fi +- fi +- +- get_bool "${TIMED_OUT:=}" && ret=1 +- check_coverage_reports "$workspace" || ret=5 +- +- save_journal "$workspace/var/log/journal" $ret +- echo "${JOURNAL_LIST:-"No 
journals were saved"}" +- +- _umount_dir "${initdir:?}" +- +- return $ret +-} +- +-check_result_qemu_unittests() { +- local ret=1 +- +- mount_initdir +- [[ -e "${initdir:?}/testok" ]] && ret=0 +- +- if [[ -s "$initdir/failed" ]]; then +- ret=$((ret + 1)) +- echo "=== Failed test log ===" +- cat "$initdir/failed" +- else +- if [[ -s "$initdir/skipped" ]]; then +- echo "=== Skipped test log ==" +- cat "$initdir/skipped" +- # We might have only skipped tests - that should not fail the job +- ret=0 +- fi +- if [[ -s "$initdir/testok" ]]; then +- echo "=== Passed tests ===" +- cat "$initdir/testok" +- fi +- fi +- +- get_bool "${TIMED_OUT:=}" && ret=1 +- check_coverage_reports "$initdir" || ret=5 +- +- save_journal "$initdir/var/log/journal" $ret +- echo "${JOURNAL_LIST:-"No journals were saved"}" +- +- _umount_dir "$initdir" +- +- return $ret +-} +- + create_rc_local() { + dinfo "Create rc.local" + mkdir -p "${initdir:?}/etc/rc.d" +diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh +index 6392425130..4448643f9a 100755 +--- a/test/units/TEST-02-UNITTESTS.sh ++++ b/test/units/TEST-02-UNITTESTS.sh +@@ -95,6 +95,20 @@ export -f run_test + find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 | + xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}" + ++# Write all pending messages, so they don't get mixed with the summaries below ++journalctl --sync ++ ++# No need for full test logs in this case ++if [[ -s /skipped-tests ]]; then ++ : "=== SKIPPED TESTS ===" ++ cat /skipped-tests ++fi ++ ++if [[ -s /failed ]]; then ++ : "=== FAILED TESTS ===" ++ cat /failed ++fi ++ + # Test logs are sometimes lost, as the system shuts down immediately after + journalctl --sync + diff --git a/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch b/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch new file mode 100644 index 0000000..8afa8c8 --- /dev/null +++ b/0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch 
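Review bot: The summary headers added to test/units/TEST-02-UNITTESTS.sh are written with the `:` no-op builtin (`: "=== SKIPPED TESTS ==="`, `: "=== FAILED TESTS ==="`), so they only appear in the journal if the script runs under `set -x`; the removed check_result_*_unittests helpers printed the same headers with `echo`. Whether xtrace is enabled for this unit script is not visible in the hunk, and if it is not, the `cat /skipped-tests` and `cat /failed` output lands in the log without any separator, which defeats the purpose of the change. Using `echo "=== SKIPPED TESTS ==="` and `echo "=== FAILED TESTS ==="`, or a comment stating that the script relies on xtrace for these markers, would make the intent explicit.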
@@ -0,0 +1,29 @@ +From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001 +From: Daan De Meyer +Date: Mon, 3 Jun 2024 12:35:29 +0200 +Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE + +Let's skip udev device scanning when activating a LUKS volume in +systemd-repart as we don't depend on any udev symlinks and don't +expect anything except repart to access the volume. + +Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941. + +(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6) +--- + src/partition/repart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 2ecae4ca03..78cf60f724 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta + dm_name, + NULL, + VOLUME_KEY_SIZE, +- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0); ++ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE); + if (r < 0) + return log_error_errno(r, "Failed to activate LUKS superblock: %m"); + diff --git a/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch b/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch new file mode 100644 index 0000000..13f9173 --- /dev/null +++ b/0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch 
@@ -0,0 +1,26 @@ +From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 11 Jun 2024 23:09:30 +0100 +Subject: [PATCH] NEWS: note that new stable releases will be in the main repo + +(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf) +--- + NEWS | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/NEWS b/NEWS +index 02ad8b2c79..bbee0852be 100644 +--- a/NEWS ++++ b/NEWS +@@ -81,6 +81,11 @@ CHANGES WITH 256: + * systemd.crash_reboot and related settings are deprecated in favor of + systemd.crash_action=. + ++ * Stable releases for version v256 and newer will now be pushed in the ++ main repository. The systemd-stable repository will be used for existing ++ stable branches (v255-stable and lower), and when they reach EOL it will ++ be archived. ++ + General Changes and New Features: + + * Various programs will now attempt to load the main configuration file diff --git a/0013-shell-completion-only-offer-devices-for-completion.patch b/0013-shell-completion-only-offer-devices-for-completion.patch new file mode 100644 index 0000000..4d871f8 --- /dev/null +++ b/0013-shell-completion-only-offer-devices-for-completion.patch 
@@ -0,0 +1,29 @@ +From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Wed, 12 Jun 2024 14:35:34 +0200 +Subject: [PATCH] shell-completion: only offer devices for completion + +This skips directories and other stuff like /dev/core, /dev/initctl or +/dev/log. + +(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb) +--- + shell-completion/bash/udevadm | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm +index 05f921cf49..3842d722e7 100644 +--- a/shell-completion/bash/udevadm ++++ b/shell-completion/bash/udevadm +@@ -32,10 +32,7 @@ __get_all_sysdevs() { + } + + __get_all_device_nodes() { +- local i +- for i in /dev/* /dev/*/* /dev/*/*/*; do +- echo $i +- done ++ find /dev -xtype b -o -xtype c + } + + __get_all_device_units() { diff --git a/0014-CODING_STYLE-document-reterr_-return-parameters.patch b/0014-CODING_STYLE-document-reterr_-return-parameters.patch new file mode 100644 index 0000000..9a94776 --- /dev/null +++ b/0014-CODING_STYLE-document-reterr_-return-parameters.patch 
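Review bot: `find /dev -xtype b -o -xtype c` has no depth bound and no stderr handling, whereas the loop it replaces only looked three levels deep and never emitted diagnostics; if find cannot descend into some /dev subdirectory, the permission error is printed into the user's completion output. Appending `2>/dev/null`, and restoring the depth limit if it was intentional, keeps completion quiet: `find /dev -maxdepth 3 \( -xtype b -o -xtype c \) 2>/dev/null`. The explicit grouping also makes it obvious that find's implicit `-print` applies to the whole `-o` expression.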
@@ -0,0 +1,98 @@ +From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Wed, 12 Jun 2024 18:31:56 +0200 +Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters + +In some recent PRs (e.g. #32628) I started to systematically name return +parameters that shall only be initialized on failure (because they carry +additional error meta information, such as the line/column number of +parse failures or so). Let's make this official in the coding style. + +(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee) +--- + docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++---------- + 1 file changed, 48 insertions(+), 14 deletions(-) + +diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md +index 8f687e6662..309436a397 100644 +--- a/docs/CODING_STYLE.md ++++ b/docs/CODING_STYLE.md +@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later + thread. Use `is_main_thread()` to detect whether the calling thread is the + main thread. + +-- Do not write functions that clobber call-by-reference variables on +- failure. Use temporary variables for these cases and change the passed in +- variables only on success. The rule is: never clobber return parameters on +- failure, always initialize return parameters on success. +- +-- Typically, function parameters fit into three categories: input parameters, +- mutable objects, and call-by-reference return parameters. Input parameters +- should always carry suitable "const" declarators if they are pointers, to +- indicate they are input-only and not changed by the function. Return +- parameters are best prefixed with "ret_", to clarify they are return +- parameters. (Conversely, please do not prefix parameters that aren't +- output-only with "ret_", in particular not mutable parameters that are both +- input as well as output). 
Example: ++- Typically, function parameters fit into four categories: input parameters, ++ mutable objects, call-by-reference return parameters that are initialized on ++ success, and call-by-reference return parameters that are initialized on ++ failure. Input parameters should always carry suitable `const` declarators if ++ they are pointers, to indicate they are input-only and not changed by the ++ function. The name of return parameters that are initialized on success ++ should be prefixed with `ret_`, to clarify they are return parameters. The ++ name of return parameters that are initialized on failure should be prefixed ++ with `reterr_`. (Examples of such parameters: those which carry additional ++ error information, such as the row/column of parse errors or so). – ++ Conversely, please do not prefix parameters that aren't output-only with ++ `ret_` or `reterr_`, in particular not mutable parameters that are both input ++ as well as output. ++ ++ Example: + + ```c + static int foobar_frobnicate( + Foobar* object, /* the associated mutable object */ + const char *input, /* immutable input parameter */ +- char **ret_frobnicated) { /* return parameter */ ++ char **ret_frobnicated, /* return parameter on success */ ++ unsigned *reterr_line, /* return parameter on failure */ ++ unsigned *reterr_column) { /* ditto */ + … + return 0; + } + ``` + ++- Do not write functions that clobber call-by-reference success return ++ parameters on failure (i.e. `ret_xyz`, see above), or that clobber ++ call-by-reference failure return parameters on success ++ (i.e. `reterr_xyz`). Use temporary variables for these cases and change the ++ passed in variables only in the right condition. The rule is: never clobber ++ success return parameters on failure, always initialize success return ++ parameters on success (and the reverse for failure return parameters, of ++ course). 
++ ++- Please put `reterr_` return parameters in the function parameter list last, ++ and `ret_` return parameters immediately before that. ++ ++ Good: ++ ++ ```c ++ static int do_something( ++ const char *input, ++ const char *ret_on_success, ++ const char *reterr_on_failure); ++ ``` ++ ++ Not good: ++ ++ ```c ++ static int do_something( ++ const char *reterr_on_failure, ++ const char *ret_on_success, ++ const char *input); ++ ``` ++ + - The order in which header files are included doesn't matter too + much. systemd-internal headers must not rely on an include order, so it is + safe to include them in any order possible. However, to not clutter global diff --git a/0015-analyze-show-pcrs-also-in-sha384-bank.patch b/0015-analyze-show-pcrs-also-in-sha384-bank.patch new file mode 100644 index 0000000..c94137a --- /dev/null +++ b/0015-analyze-show-pcrs-also-in-sha384-bank.patch @@ -0,0 +1,27 @@ +From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 4 Jun 2024 11:02:34 +0200 +Subject: [PATCH] analyze: show pcrs also in sha384 bank + +SHA384 is pretty much the bank we actually *want* to use, since it's +faster to calculate than SHA256, hence at the very least, start +considering. + +(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa) +--- + src/analyze/analyze-pcrs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c +index 43e415fc6d..1c3da3fd84 100644 +--- a/src/analyze/analyze-pcrs.c ++++ b/src/analyze/analyze-pcrs.c +@@ -11,7 +11,7 @@ + static int get_pcr_alg(const char **ret) { + assert(ret); + +- FOREACH_STRING(alg, "sha256", "sha1") { ++ FOREACH_STRING(alg, "sha256", "sha384", "sha1") { + _cleanup_free_ char *p = NULL; + + if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0) 
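Review bot: The commit message says SHA384 is the bank we actually want to use, but `FOREACH_STRING(alg, "sha256", "sha384", "sha1")` still tries sha256 first, so on a TPM exposing both banks get_pcr_alg() keeps returning sha256 and sha384 is only selected when the sha256 bank is absent. If the preference stated in the message is the intent, the order should be `FOREACH_STRING(alg, "sha384", "sha256", "sha1")`; if sha384 is only meant as an additional fallback, the message and a short comment above the loop (`/* Banks are tried in preference order; sha384 is a fallback here. */`) should say so. The remainder of get_pcr_alg() is outside the hunk.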
diff --git a/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch b/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch new file mode 100644 index 0000000..44ebc9b --- /dev/null +++ b/0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch 
@@ -0,0 +1,41 @@ +From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= +Date: Thu, 13 Jun 2024 11:59:28 -0400 +Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang + 19 + +Silly workaround that: +- allowed flexible arrays in unions +- allowed flexible arrays in otherwise empty structs + +Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a +(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9 + +(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939) +--- + src/fundamental/macro-fundamental.h | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h +index 5ccbda5186..8aca5f784a 100644 +--- a/src/fundamental/macro-fundamental.h ++++ b/src/fundamental/macro-fundamental.h +@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + } \ + } + ++/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/ ++#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19) ++#define DECLARE_FLEX_ARRAY(type, name) type name[]; ++#else + /* Declare a flexible array usable in a union. + * This is essentially a work-around for a pointless constraint in C99 + * and might go away in some future version of the standard. +@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { + dummy_t __empty__ ## name; \ + type name[]; \ + } ++#endif + + /* Declares an ELF read-only string section that does not occupy memory at runtime. */ + #define DECLARE_NOALLOC_SECTION(name, text) \ diff --git a/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch b/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch new file mode 100644 index 0000000..a7a5afc --- /dev/null 
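Review bot: The new definition `#define DECLARE_FLEX_ARRAY(type, name) type name[];` ends in a semicolon, while the union form kept in the `#else` branch ends at its closing `}` and expects the caller to supply the `;`; any invocation written as `DECLARE_FLEX_ARRAY(t, n);` (callers are outside the hunk) therefore expands to `t n[];;` on GCC 15 / clang 19, an extra `;` inside a struct that `-Wpedantic` diagnoses. Dropping the trailing semicolon, `#define DECLARE_FLEX_ARRAY(type, name) type name[]`, keeps the two branches interchangeable. The added comment also says `(see above)` although the explanation of the restriction it refers to is the comment that follows in the `#else` branch; `/* The restriction/bug described below was fixed in GCC 15 and clang 19. */` would point the reader the right way.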
+++ b/0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch @@ -0,0 +1,31 @@ +From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001 +From: Nick Rosbrook +Date: Fri, 14 Jun 2024 17:31:22 -0400 +Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge + +Mention that by default, /home is managed by tmpfiles.d/home.conf, and +recommend that users run systemd-tmpfiles --dry-run --purge first to +see exactly what will be removed. + +(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc) +--- + man/systemd-tmpfiles.xml | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 008bff62da..6f3ec66611 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -150,7 +150,11 @@ + + + If this option is passed, all files and directories created by a +- tmpfiles.d/ entry will be deleted. ++ tmpfiles.d/ entry will be deleted. Keep in mind that by default, ++ /home is created by systemd-tmpfiles ++ (see /usr/lib/tmpfiles.d/home.conf). Therefore it is recommended ++ to first run systemd-tmpfiles --dry-run --purge to be certain which files ++ and directories will be deleted. + + + diff --git a/0018-man-units-drop-temporary-from-description-of-systemd.patch b/0018-man-units-drop-temporary-from-description-of-systemd.patch new file mode 100644 index 0000000..207204d --- /dev/null +++ b/0018-man-units-drop-temporary-from-description-of-systemd.patch 
@@ -0,0 +1,65 @@ +From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Sat, 15 Jun 2024 17:27:33 +0200 +Subject: [PATCH] man,units: drop "temporary" from description of + systemd-tmpfiles + +Historically, systemd-tmpfiles was designed to manager temporary +files, but nowadays it has become a generic tool for managing +all kinds of files. To avoid user confusion, let's remove "temporary" +from the tool's description. + +As discussed in #33349 + +(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735) +--- + man/systemd-tmpfiles.xml | 8 +++++--- + units/systemd-tmpfiles-setup.service | 2 +- + units/user/systemd-tmpfiles-setup.service | 2 +- + 3 files changed, 7 insertions(+), 5 deletions(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 6f3ec66611..9767aead85 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -55,9 +55,11 @@ + + Description + +- systemd-tmpfiles creates, deletes, and cleans up volatile and temporary files +- and directories, using the configuration file format and location specified in +- tmpfiles.d5. It must ++ systemd-tmpfiles creates, deletes, and cleans up files and directories, using ++ the configuration file format and location specified in ++ tmpfiles.d5. ++ Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides ++ generic file management functionality and can be used to manage any kind of files. It must + be invoked with one or more commands , , and + , to select the respective subset of operations. + +diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service +index 6cae32850f..b92beb7314 100644 +--- a/units/systemd-tmpfiles-setup.service ++++ b/units/systemd-tmpfiles-setup.service +@@ -8,7 +8,7 @@ + # (at your option) any later version. 
+ + [Unit] +-Description=Create Volatile Files and Directories ++Description=Create System Files and Directories + Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) + + DefaultDependencies=no +diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service +index 156689edcd..54e453c4fc 100644 +--- a/units/user/systemd-tmpfiles-setup.service ++++ b/units/user/systemd-tmpfiles-setup.service +@@ -8,7 +8,7 @@ + # (at your option) any later version. + + [Unit] +-Description=Create User's Volatile Files and Directories ++Description=Create User Files and Directories + Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) + DefaultDependencies=no + Conflicts=shutdown.target diff --git a/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch b/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch new file mode 100644 index 0000000..ddc2f39 --- /dev/null +++ b/0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch 
@@ -0,0 +1,24 @@ +From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 11:16:21 +0100 +Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests + +Ubuntu disables them by default in Noble, ship a sysctl to turn them back on +so that tests can use them + +(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467) +--- + .../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf + +diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf +new file mode 100644 +index 0000000000..657ac72f8d +--- /dev/null ++++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf +@@ -0,0 +1,4 @@ ++# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed ++# for integration tests ++kernel.apparmor_restrict_unprivileged_unconfined = 0 ++kernel.apparmor_restrict_unprivileged_userns = 0 diff --git a/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch b/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch new file mode 100644 index 0000000..19dd89d --- /dev/null +++ b/0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch 
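Review bot: The drop-in relaxes two AppArmor hardening knobs for the whole test image, but the comment explains only one of them: it mentions unprivileged user namespaces, while `kernel.apparmor_restrict_unprivileged_unconfined = 0` is left unexplained. Since this lands under /usr/lib/sysctl.d in the system image rather than in a test-scoped override, the header should also state that it is test-image only, e.g. `# Test-image only: relaxes AppArmor user-namespace hardening for the integration tests; do not copy into production images.`, followed by one line saying why the second knob must be turned off as well.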
@@ -0,0 +1,74 @@ +From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 15:28:56 +0100 +Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports + +Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1 + +(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7) +--- + mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf | 3 --- + .../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 9 +++++++++ + .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 9 +++++++++ + .../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++ + 4 files changed, 24 insertions(+), 3 deletions(-) + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf + create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources + +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf +index 25957b1e92..86f9736ed9 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf +@@ -3,9 +3,6 @@ + [Match] + Distribution=ubuntu + +-[Distribution] +-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources +- + [Content] + Packages= + linux-image-generic +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +new file mode 100644 +index 0000000000..0ec4807822 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +@@ -0,0 +1,9 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# The ports Ubuntu archive is for non i386/amd64 repositories ++ ++[Match] ++Architecture=!x86-64 ++Architecture=!x86 ++ ++[Distribution] 
++PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +new file mode 100644 +index 0000000000..c08eeac337 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +@@ -0,0 +1,9 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# The main Ubuntu archive is only for i386/amd64 repositories ++ ++[Match] ++Architecture=|x86-64 ++Architecture=|x86 ++ ++[Distribution] ++PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources +new file mode 100644 +index 0000000000..5b96dc544d +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources +@@ -0,0 +1,6 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++Types: deb ++URIs: http://ports.ubuntu.com ++Suites: noble-backports ++Components: main universe ++Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg diff --git a/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch b/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch new file mode 100644 index 0000000..3229128 --- /dev/null +++ b/0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch 
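Review bot: noble-backports-ports.sources fetches over plain `http://ports.ubuntu.com`; package integrity and authenticity rest entirely on the `Signed-By` keyring, which is apt's standard model, but the transport still exposes in the clear which packages the test image pulls. If the mirror supports it, `URIs: https://ports.ubuntu.com` avoids that at no cost; if the existing noble-backports.sources (outside this hunk) uses http and consistency is preferred, a one-line comment such as `# http is intentional: apt verifies signatures via Signed-By` saves the next reviewer the question.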
@@ -0,0 +1,58 @@ +From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 20:42:12 +0100 +Subject: [PATCH] mkosi: install EFI packages only on EFI architectures + +sbsigntool, systemd-boot and systemd-boot-efi do not exist on other +architectures + +(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4) +--- + .../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 3 --- + .../10-debian-ubuntu/mkosi.conf.d/efi.conf | 16 ++++++++++++++++ + 2 files changed, 16 insertions(+), 3 deletions(-) + create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf + +diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +index ae014fa966..ecac78049d 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +@@ -20,8 +20,6 @@ VolatilePackages= + libsystemd-dev + libudev-dev + systemd +- systemd-boot +- systemd-boot-efi + systemd-container + systemd-coredump + systemd-dev +@@ -74,7 +72,6 @@ Packages= + python3-pexpect + python3-psutil + quota +- sbsigntool + softhsm2 + squashfs-tools + stress +diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf +new file mode 100644 +index 0000000000..781670a775 +--- /dev/null ++++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf +@@ -0,0 +1,16 @@ ++# SPDX-License-Identifier: LGPL-2.1-or-later ++# sbsigntool exists only on UEFI architectures ++ ++[Match] ++Architecture=|x86 ++Architecture=|x86-64 ++Architecture=|arm ++Architecture=|arm64 ++Architecture=|riscv32 ++Architecture=|riscv64 ++ ++[Content] ++Packages= ++ sbsigntool ++ systemd-boot ++ systemd-boot-efi 
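Review bot: The header comment of the new efi.conf names only sbsigntool, while the drop-in now also carries systemd-boot and systemd-boot-efi, which the commit message says are equally absent on non-EFI architectures. Widen it so the next reader does not move the boot packages back into the common list: `# sbsigntool, systemd-boot and systemd-boot-efi exist only on UEFI architectures`. The Architecture list (x86, x86-64, arm, arm64, riscv32, riscv64) presumably mirrors where Debian/Ubuntu build those packages; a one-line pointer to that source would help when a new architecture is added.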
diff --git a/0022-test-check-the-skip-condition-before-installing-addi.patch b/0022-test-check-the-skip-condition-before-installing-addi.patch new file mode 100644 index 0000000..415f47d --- /dev/null +++ b/0022-test-check-the-skip-condition-before-installing-addi.patch @@ -0,0 +1,31 @@ +From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 13:41:50 +0100 +Subject: [PATCH] test: check the skip condition before installing additional + files + +(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc) +--- + test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +index 165af47f15..f8a2a62467 100755 +--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh ++++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +@@ -6,13 +6,13 @@ set -o pipefail + # shellcheck source=test/units/util.sh + . "$(dirname "$0")"/util.sh + +-install_extension_images +- + if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then + echo "Cannot create unprivileged user namespaces" >/skipped + exit 77 + fi + ++install_extension_images ++ + systemd-analyze log-level debug + + runas testuser systemd-run --wait --user --unit=test-private-users \ diff --git a/0023-test-drop-unneeded-firmware-uefi-setting.patch b/0023-test-drop-unneeded-firmware-uefi-setting.patch new file mode 100644 index 0000000..32a797a --- /dev/null +++ b/0023-test-drop-unneeded-firmware-uefi-setting.patch 
@@ -0,0 +1,37 @@ +From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 16:08:57 +0100 +Subject: [PATCH] test: drop unneeded firmware: uefi setting + +These tests no longer need this, as they are running in nspawn, drop it + +(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482) +--- + test/TEST-09-REBOOT/meson.build | 2 -- + test/TEST-18-FAILUREACTION/meson.build | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build +index c4b41bc97b..b7556189f5 100644 +--- a/test/TEST-09-REBOOT/meson.build ++++ b/test/TEST-09-REBOOT/meson.build +@@ -4,7 +4,5 @@ integration_tests += [ + integration_test_template + { + 'name' : fs.name(meson.current_source_dir()), + 'storage' : 'persistent', +- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', + }, + ] +diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build +index 5edfbcad1f..8dec5f37e7 100644 +--- a/test/TEST-18-FAILUREACTION/meson.build ++++ b/test/TEST-18-FAILUREACTION/meson.build +@@ -3,7 +3,5 @@ + integration_tests += [ + integration_test_template + { + 'name' : fs.name(meson.current_source_dir()), +- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', + }, + ] diff --git a/0024-test-drop-obsolete-comment.patch b/0024-test-drop-obsolete-comment.patch new file mode 100644 index 0000000..4b1e1ab --- /dev/null +++ b/0024-test-drop-obsolete-comment.patch 
@@ -0,0 +1,28 @@ +From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 19:21:32 +0100 +Subject: [PATCH] test: drop obsolete comment + +We want to keep various logic here instead of mkosi, so drop the +temporary comment + +(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54) +--- + test/integration-test-wrapper.py | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 5b098a3e01..1e015e7d47 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -2,10 +2,6 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + + '''Test wrapper command for driving integration tests. +- +-Note: This is deliberately rough and only intended to drive existing tests +-with the expectation that as part of formally defining the API it will be tidy. +- + ''' + + import argparse diff --git a/0025-test-support-TEST_NO_KVM.patch b/0025-test-support-TEST_NO_KVM.patch new file mode 100644 index 0000000..e30df11 --- /dev/null +++ b/0025-test-support-TEST_NO_KVM.patch 
@@ -0,0 +1,25 @@ +From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Sun, 16 Jun 2024 19:15:24 +0100 +Subject: [PATCH] test: support TEST_NO_KVM + +The shell integration suite allows to manually deselect KVM, so +suppor the same env var for the same purpose in python. + +(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82) +--- + test/integration-test-wrapper.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 1e015e7d47..15b1ce1055 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -124,6 +124,7 @@ def main(): + *args.mkosi_args, + '--append', + '--qemu-firmware', args.firmware, ++ '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no", + '--kernel-command-line-extra', + ' '.join([ + 'systemd.hostname=H', diff --git a/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch b/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch new file mode 100644 index 0000000..95739e6 --- /dev/null +++ b/0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch 
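Review bot: `bool(int(os.getenv("TEST_NO_KVM", "0")))` raises ValueError with a traceback for any non-numeric value such as `TEST_NO_KVM=yes`, instead of either honouring or rejecting the variable cleanly; the 0026 hunk below repeats the same expression for TEST_NO_QEMU. Comparing against the documented value avoids the parse entirely, e.g. `'--qemu-kvm', "no" if os.getenv("TEST_NO_KVM", "0") == "1" else "auto",` (if the shell suite accepts other truthy spellings, a small shared helper would be the right place for that rule so both variables behave alike). The enclosing `main()` starts and ends outside this hunk.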
@@ -0,0 +1,30 @@ +From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 14:09:40 +0100 +Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper + +Same as the old integration test suite, allow skipping tests that +require qemu. +ppc64el's vsock support doesn't appear to work, so we'll skip it, +as it is already done in the legacy framework. + +(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2) +--- + test/integration-test-wrapper.py | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py +index 15b1ce1055..b6a16aa3ef 100755 +--- a/test/integration-test-wrapper.py ++++ b/test/integration-test-wrapper.py +@@ -57,6 +57,10 @@ def main(): + print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr) + exit(77) + ++ if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))): ++ print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr) ++ exit(77) ++ + name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "") + + dropin = textwrap.dedent( diff --git a/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch b/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch new file mode 100644 index 0000000..405e322 --- /dev/null +++ b/0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch 
@@ -0,0 +1,27 @@ +From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 15:37:43 +0100 +Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback + +mkosi will prefer UEFI if the architecture supports it, but fallback +to 'linux' if it doesn't. + +(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367) +--- + test/TEST-06-SELINUX/meson.build | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build +index 7a850beb81..9261a49c49 100644 +--- a/test/TEST-06-SELINUX/meson.build ++++ b/test/TEST-06-SELINUX/meson.build +@@ -5,7 +5,8 @@ integration_tests += [ + 'name' : fs.name(meson.current_source_dir()), + 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'], + # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. +- 'firmware' : 'uefi', ++ # Use 'auto' to automatically fallback on non-uefi architectures. ++ 'firmware' : 'auto', + 'vm' : true, + }, + ] diff --git a/0028-core-service-fix-accept-socket-deserialization.patch b/0028-core-service-fix-accept-socket-deserialization.patch new file mode 100644 index 0000000..c92c6b2 --- /dev/null +++ b/0028-core-service-fix-accept-socket-deserialization.patch 
@@ -0,0 +1,45 @@ +From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001 +From: Mike Yuan +Date: Mon, 17 Jun 2024 07:47:20 +0200 +Subject: [PATCH] core/service: fix accept-socket deserialization + +Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c + +(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578) +--- + src/core/service.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index 8ec27c463a..6e81460ad0 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) { + service_start_watchdog(s); + + if (UNIT_ISSET(s->accept_socket)) { +- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket)); ++ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket)); + + if (socket->max_connections_per_source > 0) { + SocketPeer *peer; +@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + } else if (streq(key, "accept-socket")) { + Unit *socket; + +- if (u->type != UNIT_SOCKET) { +- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket"); ++ if (unit_name_to_type(value) != UNIT_SOCKET) { ++ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value); + return 0; + } + +@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, + log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value); + else { + unit_ref_set(&s->accept_socket, u, socket); +- SOCKET(socket)->n_connections++; ++ ASSERT_PTR(SOCKET(socket))->n_connections++; + } + + } else if (streq(key, "socket-fd")) { diff --git a/0029-test-network-mention-that-the-captive-portal-option-.patch b/0029-test-network-mention-that-the-captive-portal-option-.patch new file mode 100644 index 0000000..4e78bf7 --- /dev/null +++ b/0029-test-network-mention-that-the-captive-portal-option-.patch 
@@ -0,0 +1,26 @@ +From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001 +From: Yu Watanabe +Date: Tue, 18 Jun 2024 00:09:03 +0900 +Subject: [PATCH] test-network: mention that the captive portal option is + supported since v2.20 + +The current latest release is v2.19, hence the test is typically skipped now. + +(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4) +--- + test/test-network/systemd-networkd-tests.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py +index 92cb07f11c..0355c7aca1 100755 +--- a/test/test-network/systemd-networkd-tests.py ++++ b/test/test-network/systemd-networkd-tests.py +@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities): + self.assertIn('pref high', output) + self.assertNotIn('pref low', output) + ++ # radvd supports captive portal since v2.20. ++ # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc + @unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals") + def test_captive_portal(self): + copy_network_unit('25-veth-client.netdev', diff --git a/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch b/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch new file mode 100644 index 0000000..72675ca --- /dev/null +++ b/0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch 
@@ -0,0 +1,27 @@ +From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Mon, 17 Jun 2024 17:40:28 +0100 +Subject: [PATCH] CI: disable secure boot in mkosi GHA runs + +Booting a guest with secure boot is broken in Azure due to a hypervisor +bug. Disable it for now. Given there's no option, need to edit +the configuration on the fly. + +(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52) +--- + .github/workflows/mkosi.yml | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 425d737b62..62efd367cb 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -117,6 +117,8 @@ jobs: + + - name: Configure + run: | ++ # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved ++ sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build + tee mkosi.local.conf < +Date: Mon, 17 Jun 2024 15:40:10 +0100 +Subject: [PATCH] mkosi: bump to latest + +(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f) +--- + .github/workflows/mkosi.yml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +index 62efd367cb..3a8dabd95c 100644 +--- a/.github/workflows/mkosi.yml ++++ b/.github/workflows/mkosi.yml +@@ -92,7 +92,7 @@ jobs: + + steps: + - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 +- - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf ++ - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e + + # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space + # immediately, we remove the files in the background. However, we first move them to a different location diff --git a/0032-NEWS-fix-typo.patch b/0032-NEWS-fix-typo.patch new file mode 100644 index 0000000..4c4fbcd --- /dev/null +++ b/0032-NEWS-fix-typo.patch 
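Review bot: The added `sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build` succeeds silently when nothing matches, so if the meson.build spelling changes the secure-boot workaround stops applying with no signal in CI. A match assertion after it on the file known to carry the value, e.g. `grep -q "'firmware' : 'uefi'" test/TEST-06-SELINUX/meson.build`, would make that drift visible, and the `# XXX` comment could name the tracking issue for the HyperV bug so the line is removed once fixed. The pattern also relies on GNU sed's `\s`, which is fine on the ubuntu runner but not portable. The remainder of this `run:` block is cut off in this view.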
@@ -0,0 +1,23 @@ +From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001 +From: Carlo Teubner +Date: Tue, 18 Jun 2024 09:41:59 +0100 +Subject: [PATCH] NEWS: fix typo + +(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e) +--- + NEWS | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index bbee0852be..da81fe3c5d 100644 +--- a/NEWS ++++ b/NEWS +@@ -195,7 +195,7 @@ CHANGES WITH 256: + additional per-user service managers, whose users are transient and + are only defined as long as the service manager is running. (This is + implemented via DynamicUser=1), allowing a user manager to be used to +- manager a group of processes without needing to create an actual user ++ manage a group of processes without needing to create an actual user + account. These service managers run with home directories of + /var/lib/capsules/ and can contain regular services and + other units. A capsule is started via a simple "systemctl start diff --git a/0033-install-allow-removing-symlinks-even-for-units-that-.patch b/0033-install-allow-removing-symlinks-even-for-units-that-.patch new file mode 100644 index 0000000..b8e614f --- /dev/null +++ b/0033-install-allow-removing-symlinks-even-for-units-that-.patch 
@@ -0,0 +1,69 @@ +From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Fri, 7 Jun 2024 21:39:45 +0100 +Subject: [PATCH] install: allow removing symlinks even for units that are gone + +If a symlink is leftover, still allow cleaning it up via 'disable'. This +happens when a unit is stopped and removed, but not disabled, and a reload +has already happened. At that point, cleaning up the old symlinks becomes +impossible through the APIs, and needs to be done manually. Always allow +cleaning up symlinks, if they exist, by only erroring out if there is an +OOM. + +Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017 + +(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892) +--- + src/shared/install.c | 14 ++++++++++---- + test/units/TEST-26-SYSTEMCTL.sh | 6 ++++++ + 2 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/src/shared/install.c b/src/shared/install.c +index dd2bd5c948..c94b456c21 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal( + else { + log_debug_errno(r, "Unit %s not found, removing name.", i->name); + r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL); +- if (r < 0) ++ /* In case there's no unit, we still want to remove any leftover symlink, even if ++ * the unit might have been removed already, hence treating ENOENT as non-fatal. 
*/ ++ if (r != -ENOENT) + return r; + } + } else if (r < 0) { +@@ -2874,9 +2876,13 @@ static int do_unit_file_disable( + r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info); + if (r >= 0) + r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL); +- +- if (r < 0) +- return install_changes_add(changes, n_changes, r, *name, NULL); ++ if (r < 0) { ++ r = install_changes_add(changes, n_changes, r, *name, NULL); ++ /* In case there's no unit, we still want to remove any leftover symlink, even if ++ * the unit might have been removed already, hence treating ENOENT as non-fatal. */ ++ if (r != -ENOENT) ++ return r; ++ } + + /* If we enable multiple units, some with install info and others without, + * the "empty [Install] section" warning is not shown. Let's make the behavior +diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh +index ae7a5d6eb6..1471f3fd9e 100755 +--- a/test/units/TEST-26-SYSTEMCTL.sh ++++ b/test/units/TEST-26-SYSTEMCTL.sh +@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME" + systemctl help "$UNIT_NAME" + systemctl service-watchdogs + systemctl service-watchdogs "$(systemctl service-watchdogs)" ++# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers ++systemctl enable "$UNIT_NAME" ++systemctl stop "$UNIT_NAME" ++rm -f "/usr/lib/systemd/system/$UNIT_NAME" ++systemctl daemon-reload ++systemctl disable "$UNIT_NAME" + + # show/set-environment + # Make sure PATH is set diff --git a/0034-tmpfiles-honour-dry-run-when-removing-directories.patch b/0034-tmpfiles-honour-dry-run-when-removing-directories.patch new file mode 100644 index 0000000..13b0e02 --- /dev/null +++ b/0034-tmpfiles-honour-dry-run-when-removing-directories.patch 
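Review bot: The description says symlink cleanup should now fail "only if there is an OOM", but both new guards are `if (r != -ENOENT) return r;`, so any other error from install_info_traverse (second hunk) or the not-found path in install_context_mark_for_removal (first hunk) still aborts before the leftover symlinks are removed, presumably after install_changes_add has recorded it. Either narrow the condition to what the message promises, e.g. `if (r == -ENOMEM) return r;`, or reword the comment to say that only a missing unit is tolerated and other lookup failures remain fatal. The same two-line comment is duplicated verbatim in both hunks; one shared note would be easier to keep in sync. Both enclosing functions start and end outside this hunk.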
@@ -0,0 +1,35 @@ +From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:54:33 +0200 +Subject: [PATCH] tmpfiles: honour --dry-run when removing directories + +(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6) +--- + src/tmpfiles/tmpfiles.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 807925f199..283be21d16 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -3024,10 +3024,16 @@ static int remove_recursive( + return r; + + if (remove_instance) { +- log_debug("Removing directory \"%s\".", instance); +- r = RET_NERRNO(rmdir(instance)); +- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY)) +- return log_error_errno(r, "Failed to remove %s: %m", instance); ++ log_action("Would remove", "Removing", "%s directory \"%s\".", instance); ++ if (!arg_dry_run) { ++ r = RET_NERRNO(rmdir(instance)); ++ if (r < 0) { ++ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY); ++ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance); ++ if (fatal) ++ return r; ++ } ++ } + } + return 0; + } diff --git a/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch b/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch new file mode 100644 index 0000000..0fc7532 --- /dev/null +++ b/0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch 
@@ -0,0 +1,68 @@ +From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:55:20 +0200 +Subject: [PATCH] tmpfiles: insist on at least one configuration file being + specified on --purge + +Also, extend the man page explanation substantially, matching more +closely what --create says. + +Fixes: #33349 +(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d) +--- + man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------ + src/tmpfiles/tmpfiles.c | 4 ++++ + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml +index 9767aead85..2a494b9c5c 100644 +--- a/man/systemd-tmpfiles.xml ++++ b/man/systemd-tmpfiles.xml +@@ -151,12 +151,26 @@ + + + +- If this option is passed, all files and directories created by a +- tmpfiles.d/ entry will be deleted. Keep in mind that by default, +- /home is created by systemd-tmpfiles +- (see /usr/lib/tmpfiles.d/home.conf). Therefore it is recommended +- to first run systemd-tmpfiles --dry-run --purge to be certain which files +- and directories will be deleted. ++ ++ If this option is passed, all files and directories marked for ++ creation by the tmpfiles.d/ files specified on the command ++ line will be deleted. Specifically, this acts on all files and directories ++ marked with f, F, d, D, ++ v, q, Q, p, ++ L, c, b, C, ++ w, e. If this switch is used at least one ++ tmpfiles.d/ file (or - for standard input) must be ++ specified on the command line or the invocation will be refused, for safety reasons (as otherwise ++ much of the installed system files might be removed). ++ ++ The primary usecase for this option is to automatically remove files and directories that ++ originally have been created on behalf of an installed packaged at package removal time. ++ ++ It is recommended to first run this command in combination with ++ (see below) to verify which files and directories will be deleted. 
++ ++ Warning! This is is usually not the command you want! In most cases ++ is what you are looking for. + + + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 283be21d16..1704197207 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) { + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "You need to specify at least one of --clean, --create, --remove, or --purge."); + ++ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc) ++ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), ++ "Refusing --purge without specification of a configuration file."); ++ + if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Option --replace= is not supported with --cat-config/--tldr."); diff --git a/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch b/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch new file mode 100644 index 0000000..954232f --- /dev/null +++ b/0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch 
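Review bot: The new man page text contains two typos: `Warning! This is is usually not the command you want!` should read `Warning! This is usually not the command you want!`, and "on behalf of an installed packaged at package removal time" should read "on behalf of an installed package at package removal time". The refusal added to parse_argv, `if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)`, matches the prose, but its message could name the remedy, e.g. `Refusing --purge without a tmpfiles.d/ configuration file; pass at least one file (or '-' for standard input).`. The option markup appears stripped in this view, so the surrounding XML tags were not checked.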
@@ -0,0 +1,37 @@ +From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 18 Jun 2024 09:56:15 +0200 +Subject: [PATCH] tmpfiles: move --purge to command section in --help text + where it belongs + +Also, make contrast between --remove and --purge clearer: one deletes +files marked for deletion, the other deletes files marked for creation. + +(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625) +--- + src/tmpfiles/tmpfiles.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c +index 1704197207..8cc8c1ccd6 100644 +--- a/src/tmpfiles/tmpfiles.c ++++ b/src/tmpfiles/tmpfiles.c +@@ -4148,7 +4148,9 @@ static int help(void) { + "\n%3$sCommands:%4$s\n" + " --create Create files and directories\n" + " --clean Clean up files and directories\n" +- " --remove Remove files and directories\n" ++ " --remove Remove files and directories marked for removal\n" ++ " --purge Delete files and directories marked for creation in\n" ++ " specified configuration files (careful!)\n" + " -h --help Show this help\n" + " --version Show package version\n" + "\n%3$sOptions:%4$s\n" +@@ -4157,7 +4159,6 @@ static int help(void) { + " --tldr Show non-comment parts of configuration\n" + " --boot Execute actions only safe at boot\n" + " --graceful Quietly ignore unknown users or groups\n" +- " --purge Delete all files owned by the configuration files\n" + " --prefix=PATH Only apply rules with the specified prefix\n" + " --exclude-prefix=PATH Ignore rules with the specified prefix\n" + " -E Ignore rules prefixed with /dev, /proc, /run, /sys\n" diff --git a/0037-mkosi-restrict-noble-backports-to-noble-builds.patch b/0037-mkosi-restrict-noble-backports-to-noble-builds.patch new file mode 100644 index 0000000..b2dd982 --- /dev/null +++ b/0037-mkosi-restrict-noble-backports-to-noble-builds.patch 
@@ -0,0 +1,37 @@ +From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001 +From: Luca Boccassi +Date: Tue, 18 Jun 2024 13:35:32 +0100 +Subject: [PATCH] mkosi: restrict noble-backports to noble builds + +Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7 + +(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac) +--- + .../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 1 + + mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +index 0ec4807822..582f038b5f 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf +@@ -4,6 +4,7 @@ + [Match] + Architecture=!x86-64 + Architecture=!x86 ++Release=noble + + [Distribution] + PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources +diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +index c08eeac337..7347be9069 100644 +--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf ++++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf +@@ -4,6 +4,7 @@ + [Match] + Architecture=|x86-64 + Architecture=|x86 ++Release=noble + + [Distribution] + PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources diff --git a/0038-repart-fix-memory-leak.patch b/0038-repart-fix-memory-leak.patch new file mode 100644 index 0000000..1b81bdb --- /dev/null +++ b/0038-repart-fix-memory-leak.patch 
@@ -0,0 +1,22 @@ +From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001 +From: Antonio Alvarez Feijoo +Date: Tue, 18 Jun 2024 14:07:50 +0200 +Subject: [PATCH] repart: fix memory leak + +(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a) +--- + src/partition/repart.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/partition/repart.c b/src/partition/repart.c +index 78cf60f724..8f64520ee7 100644 +--- a/src/partition/repart.c ++++ b/src/partition/repart.c +@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep); + STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep); + STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep); + STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep); ++STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep); + STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); + STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep); + STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep); diff --git a/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch b/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch new file mode 100644 index 0000000..5e2315d --- /dev/null +++ b/0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch 
@@ -0,0 +1,42 @@
+From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe
+Date: Tue, 18 Jun 2024 17:55:31 +0900
+Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field
+
+The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME,
+while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot
+adjust timestamp by comparing with header monotonic timestamp and
+_SOURCE_MONOTONIC_TIMESTAMP field.
+
+Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170.
+Fixes #33293.
+
+(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6)
+---
+ src/shared/logs-show.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
+index c71c868889..153a4110ce 100644
+--- a/src/shared/logs-show.c
++++ b/src/shared/logs-show.c
+@@ -450,6 +450,9 @@ static void parse_display_realtime(
+ assert(j);
+ assert(ret);
+
++ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
++ source_monotonic = NULL;
++
+ /* First, try _SOURCE_REALTIME_TIMESTAMP. */
+ if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
+ *ret = t;
+@@ -488,6 +491,9 @@ static void parse_display_timestamp(
+ assert(ret_display_ts);
+ assert(ret_boot_id);
+
++ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
++ source_monotonic = NULL;
++
+ if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
+ source_ts.realtime = t;
+
diff --git a/0001-ci-update-workflows-to-run-on-source-git-setup.patch b/0040-ci-update-workflows-to-run-on-source-git-setup.patch
similarity index 100%
rename from 0001-ci-update-workflows-to-run-on-source-git-setup.patch
rename to 0040-ci-update-workflows-to-run-on-source-git-setup.patch
diff --git a/0002-ci-setup-source-git-automation.patch b/0041-ci-setup-source-git-automation.patch
similarity index 100%
rename from 0002-ci-setup-source-git-automation.patch
rename to 0041-ci-setup-source-git-automation.patch
diff --git a/0003-ci-deploy-systemd-man-to-GitHub-Pages.patch b/0042-ci-deploy-systemd-man-to-GitHub-Pages.patch
similarity index 100%
rename from 0003-ci-deploy-systemd-man-to-GitHub-Pages.patch
rename to 0042-ci-deploy-systemd-man-to-GitHub-Pages.patch
diff --git a/0004-ci-reconfigure-Packit-for-RHEL-10.patch b/0043-ci-reconfigure-Packit-for-RHEL-10.patch
similarity index 100%
rename from 0004-ci-reconfigure-Packit-for-RHEL-10.patch
rename to 0043-ci-reconfigure-Packit-for-RHEL-10.patch
diff --git a/0005-ci-allow-to-pass-parameters-together-with-rhel-only-.patch b/0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
similarity index 100%
rename from 0005-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
rename to 0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
diff --git a/0006-journal-again-create-user-journals-for-users-with-hi.patch b/0045-journal-again-create-user-journals-for-users-with-hi.patch
similarity index 100%
rename from 0006-journal-again-create-user-journals-for-users-with-hi.patch
rename to 0045-journal-again-create-user-journals-for-users-with-hi.patch
diff --git a/0007-tmpfiles-make-purge-hard-to-mis-use.patch b/0046-tmpfiles-make-purge-hard-to-mis-use.patch
similarity index 100%
rename from 0007-tmpfiles-make-purge-hard-to-mis-use.patch
rename to 0046-tmpfiles-make-purge-hard-to-mis-use.patch
diff --git a/0008-fedora-use-system-auth-in-pam-systemd-user.patch b/0047-fedora-use-system-auth-in-pam-systemd-user.patch
similarity index 100%
rename from 0008-fedora-use-system-auth-in-pam-systemd-user.patch
rename to 0047-fedora-use-system-auth-in-pam-systemd-user.patch
diff --git a/0009-net-naming-scheme-start-rhel10-naming-and-include-rh.patch b/0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
similarity index 100%
rename from 0009-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
rename to 0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
diff --git a/0010-rules-copy-40-redhat.rules-from-RHEL-9.patch b/0049-rules-copy-40-redhat.rules-from-RHEL-9.patch
similarity index 100%
rename from 0010-rules-copy-40-redhat.rules-from-RHEL-9.patch
rename to 0049-rules-copy-40-redhat.rules-from-RHEL-9.patch
diff --git a/0011-logind-set-RemoveIPC-to-false-by-default.patch b/0050-logind-set-RemoveIPC-to-false-by-default.patch
similarity index 100%
rename from 0011-logind-set-RemoveIPC-to-false-by-default.patch
rename to 0050-logind-set-RemoveIPC-to-false-by-default.patch
diff --git a/0012-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
similarity index 100%
rename from 0012-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
rename to 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
diff --git a/0013-rc-local-order-after-network-online.target.patch b/0052-rc-local-order-after-network-online.target.patch
similarity index 100%
rename from 0013-rc-local-order-after-network-online.target.patch
rename to 0052-rc-local-order-after-network-online.target.patch
diff --git a/0014-random-util-increase-random-seed-size-to-1024.patch b/0053-random-util-increase-random-seed-size-to-1024.patch
similarity index 100%
rename from 0014-random-util-increase-random-seed-size-to-1024.patch
rename to 0053-random-util-increase-random-seed-size-to-1024.patch
diff --git a/0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch
similarity index 100%
rename from 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch
rename to 0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch
diff --git a/0016-journald.conf-don-t-touch-current-audit-settings.patch b/0055-journald.conf-don-t-touch-current-audit-settings.patch
similarity index 100%
rename from 0016-journald.conf-don-t-touch-current-audit-settings.patch
rename to 0055-journald.conf-don-t-touch-current-audit-settings.patch
diff --git a/0017-rules-add-elevator-kernel-command-line-parameter.patch b/0056-rules-add-elevator-kernel-command-line-parameter.patch
similarity index 100%
rename from 0017-rules-add-elevator-kernel-command-line-parameter.patch
rename to 0056-rules-add-elevator-kernel-command-line-parameter.patch
diff --git a/0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
similarity index 100%
rename from 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
rename to 0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
diff --git a/0019-udev-net-setup-link-change-the-default-MACAddressPol.patch b/0058-udev-net-setup-link-change-the-default-MACAddressPol.patch
similarity index 100%
rename from 0019-udev-net-setup-link-change-the-default-MACAddressPol.patch
rename to 0058-udev-net-setup-link-change-the-default-MACAddressPol.patch
diff --git a/0020-core-decrease-log-level-of-messages-about-use-of-Kil.patch b/0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch
similarity index 100%
rename from 0020-core-decrease-log-level-of-messages-about-use-of-Kil.patch
rename to 0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch
diff --git a/0021-meson-rename-libbasic-to-libbasic_static.patch b/0060-meson-rename-libbasic-to-libbasic_static.patch
similarity index 100%
rename from 0021-meson-rename-libbasic-to-libbasic_static.patch
rename to 0060-meson-rename-libbasic-to-libbasic_static.patch
diff --git a/0022-meson-build-libsystemd-core-via-an-intermediate-stat.patch b/0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch
similarity index 100%
rename from 0022-meson-build-libsystemd-core-via-an-intermediate-stat.patch
rename to 0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch
diff --git a/0023-meson-add-option-to-build-systemd-executor-staticall.patch b/0062-meson-add-option-to-build-systemd-executor-staticall.patch
similarity index 100%
rename from 0023-meson-add-option-to-build-systemd-executor-staticall.patch
rename to 0062-meson-add-option-to-build-systemd-executor-staticall.patch
diff --git a/0063-taint-remove-unmerged-bin.patch b/0063-taint-remove-unmerged-bin.patch
new file mode 100644
index 0000000..d73f29b
--- /dev/null
+++ b/0063-taint-remove-unmerged-bin.patch
@@ -0,0 +1,86 @@
+From 13a07024f674e770844de29cd3d01cb7117f56d9 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 8 Jul 2024 14:44:45 +0200
+Subject: [PATCH] taint: remove unmerged-bin
+
+In rhel10 we will have separate bin and sbin
+
+RHEL-only: policy
+
+Resolves: RHEL-46277
+---
+ catalog/systemd.catalog.in | 1 -
+ catalog/systemd.pl.catalog.in | 1 -
+ man/org.freedesktop.systemd1.xml | 9 ---------
+ src/core/taint.c | 7 +------
+ 4 files changed, 1 insertion(+), 17 deletions(-)
+
+diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
+index 2831152763..66ffefd1c8 100644
+--- a/catalog/systemd.catalog.in
++++ b/catalog/systemd.catalog.in
+@@ -560,7 +560,6 @@ Support: %SUPPORT_URL%
+ The following "tags" are possible:
+ - "unmerged-usr" - /bin, /sbin, /lib* are not symlinks to their counterparts
+ under /usr/
+-- "unmerged-bin" - /usr/sbin is not a symlink to /usr/bin/
+ - "var-run-bad" — /var/run is not a symlink to /run/
+ - "cgroupsv1" - the system is using the deprecated cgroup v1 hierarchy
+ - "local-hwclock" - the local hardware clock (RTC) is configured to be in
+diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in
+index 75039e9fcd..fcba4b500a 100644
+--- a/catalog/systemd.pl.catalog.in
++++ b/catalog/systemd.pl.catalog.in
+@@ -566,7 +566,6 @@ Support: %SUPPORT_URL%
+ Możliwe są następujące „etykiety”:
+ • „unmerged-usr” — /bin, /sbin, /lib* nie są dowiązaniami symbolicznymi
+ do swoich odpowiedników pod /usr/,
+-• „unmerged-bin” — /usr/sbin nie jest dowiązaniem symbolicznym do /usr/bin/,
+ • „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run/,
+ • „cgroupsv1” — system używa przestarzałej hierarchii cgroup v1,
+ • „local-hwclock” — lokalny zegar sprzętowy (RTC) jest skonfigurowany
+diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
+index b0b45097e3..f2b5ca39e7 100644
+--- a/man/org.freedesktop.systemd1.xml
++++ b/man/org.freedesktop.systemd1.xml
+@@ -1666,15 +1666,6 
@@ node /org/freedesktop/systemd1 {
+
+
+
+-
+- unmerged-bin
+-
+- /usr/sbin is not a symlink to /usr/bin/.
+-
+-
+-
+-
+
+ var-run-bad
+
+diff --git a/src/core/taint.c b/src/core/taint.c
+index 969b37f209..4c98312f54 100644
+--- a/src/core/taint.c
++++ b/src/core/taint.c
+@@ -32,7 +32,7 @@ static int short_uid_gid_range(UIDRangeUsernsMode mode) {
+ }
+
+ char* taint_string(void) {
+- const char *stage[12] = {};
++ const char *stage[11] = {};
+ size_t n = 0;
+
+ /* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at
+@@ -44,11 +44,6 @@ char* taint_string(void) {
+ if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
+ stage[n++] = "unmerged-usr";
+
+- /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
+- * too. */
+- if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
+- stage[n++] = "unmerged-bin";
+-
+ if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
+ stage[n++] = "var-run-bad";
+
diff --git a/0064-presets-remove-resolved.patch b/0064-presets-remove-resolved.patch
new file mode 100644
index 0000000..5ed7b6a
--- /dev/null
+++ b/0064-presets-remove-resolved.patch
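Review bot: The second `taint.c` hunk removes the only use of `usr_sbin` (`readlink_malloc("/usr/sbin", &usr_sbin)`), but the file's diffstat (`7 +------`, one insertion and six deletions) shows that its declaration — which must sit between the two hunks, in the part of `taint_string()` not shown here — is left untouched, so it is now a dead variable; if it carries a cleanup attribute like the neighbouring `bin`/`var_run` presumably do, no compiler warning will point at it, so drop it from that declaration in the same patch. The `stage[12]` → `stage[11]` edit is a hand-count that every future tag addition or removal has to repeat; a comment on that line such as `/* one slot per taint tag appended below, plus one */` would make the invariant visible (what the spare slot is for is not shown in the hunk). Note also that the D-Bus `Tainted` documentation in `org.freedesktop.systemd1.xml` loses a value that existing clients may still compare against, so the tag set should be treated as open-ended by consumers. `taint_string()` continues past the end of the hunk.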
@@ -0,0 +1,28 @@
+From c2f507732264038dbef44b7652c8f5dee148e1e2 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Mon, 8 Jul 2024 13:13:10 +0200
+Subject: [PATCH] presets: remove resolved
+
+We noticed that some people are installing systemd* and then
+have daemons they don't need running. So let's remove resolved
+from presets so its usage is a bit more deliberate
+
+RHEL-only: policy
+
+Resolves: RHEL-46576
+---
+ presets/90-systemd.preset | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
+index 004ea6fe14..676f14f0d3 100644
+--- a/presets/90-systemd.preset
++++ b/presets/90-systemd.preset
+@@ -27,7 +27,6 @@ enable systemd-networkd.service
+ enable systemd-networkd-wait-online.service
+ enable systemd-nsresourced.socket
+ enable systemd-pstore.service
+-enable systemd-resolved.service
+ enable systemd-sysext.service
+ enable systemd-timesyncd.service
+ enable systemd-userdbd.socket
diff --git a/sources b/sources
index 3e64d3f..bc2cd5b 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-256.tar.gz) = d9080d31ced29cd288d3511f64f527808a880eb93aa95c3febd47d0296ae89197e46f6813fbde0c682bf73297d1bb4bb8f7ab92ccaf1ab30f019fbd9176099d6
+SHA512 (systemd-256.tar.gz) = cfb2bff8d9937245e65581253bba9278533b76ae0f0275fdad59471d8c6089bba2bcd3f0655b34f4b8d7d82fa037c4e6fe18c2227e9f93d62494a2a6cb2db4ec
diff --git a/systemd.spec b/systemd.spec
index dc4561c..7a42b0b 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -48,7 +48,7 @@ Url: https://systemd.io
 # Allow users to specify the version and release when building the rpm by
 # setting the %%version_override and %%release_override macros.
 Version: %{?version_override}%{!?version_override:256}
-Release: 2%{?dist}
+Release: 3%{?dist}
 %global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
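Review bot: Removing `enable systemd-resolved.service` leaves the unit with no rule at all in `90-systemd.preset`, so its state on a fresh install is now decided by whatever other preset files are present (presumably a distro-wide `disable *` catch-all, which is not part of this patch) rather than by this file; if the intent is "off unless the admin opts in", put an explicit `disable systemd-resolved.service` in place of the removed line so the policy holds even where that catch-all is absent, e.g. in image builds that ship only this preset. Presets are applied on initial installation only, so hosts already running 256-2 will presumably keep resolved enabled after upgrading — worth a sentence in the commit message or changelog so nobody reads that as a regression.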
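Review bot: The SHA512 recorded in `sources` changes while the archive keeps the same name, `systemd-256.tar.gz`, and nothing in the commit explains why the tarball was regenerated. From a supply-chain standpoint a same-name/different-digest source blob is indistinguishable from a substitution, and it invalidates every mirror or lookaside entry that verified the previous digest; state in the commit message how the archive was produced (e.g. regenerated from the source-git tree at this tag) and, where the tooling allows, give rebuilt archives a release-qualified name so two different blobs never share a filename.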
@@ -106,29 +106,70 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
 # applying upstream pull requests.
 # RHEL-specific
-Patch0001: 0001-ci-update-workflows-to-run-on-source-git-setup.patch
-Patch0002: 0002-ci-setup-source-git-automation.patch
-Patch0003: 0003-ci-deploy-systemd-man-to-GitHub-Pages.patch
-Patch0004: 0004-ci-reconfigure-Packit-for-RHEL-10.patch
-Patch0005: 0005-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
-Patch0006: 0006-journal-again-create-user-journals-for-users-with-hi.patch
-Patch0007: 0007-tmpfiles-make-purge-hard-to-mis-use.patch
-Patch0008: 0008-fedora-use-system-auth-in-pam-systemd-user.patch
-Patch0009: 0009-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
-Patch0010: 0010-rules-copy-40-redhat.rules-from-RHEL-9.patch
-Patch0011: 0011-logind-set-RemoveIPC-to-false-by-default.patch
-Patch0012: 0012-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
-Patch0013: 0013-rc-local-order-after-network-online.target.patch
-Patch0014: 0014-random-util-increase-random-seed-size-to-1024.patch
-Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch
-Patch0016: 0016-journald.conf-don-t-touch-current-audit-settings.patch
-Patch0017: 0017-rules-add-elevator-kernel-command-line-parameter.patch
-Patch0018: 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
-Patch0019: 0019-udev-net-setup-link-change-the-default-MACAddressPol.patch
-Patch0020: 0020-core-decrease-log-level-of-messages-about-use-of-Kil.patch
-Patch0021: 0021-meson-rename-libbasic-to-libbasic_static.patch
-Patch0022: 0022-meson-build-libsystemd-core-via-an-intermediate-stat.patch
-Patch0023: 0023-meson-add-option-to-build-systemd-executor-staticall.patch
+Patch0001: 0001-Create-CNAME.patch
+Patch0002: 0002-man-systemd-reorder-content-a-bit.patch
+Patch0003: 0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch
+Patch0004: 0004-sd-dhcp-server-clear-buffer-before-receive.patch
+Patch0005: 
0005-rules-Limit-the-number-of-device-units-generated-for.patch
+Patch0006: 0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
+Patch0007: 0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch
+Patch0008: 0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch
+Patch0009: 0009-repart-Use-crypt_reencrypt_run-if-available.patch
+Patch0010: 0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch
+Patch0011: 0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch
+Patch0012: 0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch
+Patch0013: 0013-shell-completion-only-offer-devices-for-completion.patch
+Patch0014: 0014-CODING_STYLE-document-reterr_-return-parameters.patch
+Patch0015: 0015-analyze-show-pcrs-also-in-sha384-bank.patch
+Patch0016: 0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch
+Patch0017: 0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch
+Patch0018: 0018-man-units-drop-temporary-from-description-of-systemd.patch
+Patch0019: 0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch
+Patch0020: 0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch
+Patch0021: 0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch
+Patch0022: 0022-test-check-the-skip-condition-before-installing-addi.patch
+Patch0023: 0023-test-drop-unneeded-firmware-uefi-setting.patch
+Patch0024: 0024-test-drop-obsolete-comment.patch
+Patch0025: 0025-test-support-TEST_NO_KVM.patch
+Patch0026: 0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch
+Patch0027: 0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch
+Patch0028: 0028-core-service-fix-accept-socket-deserialization.patch
+Patch0029: 0029-test-network-mention-that-the-captive-portal-option-.patch
+Patch0030: 0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch
+Patch0031: 0031-mkosi-bump-to-latest.patch
+Patch0032: 0032-NEWS-fix-typo.patch
+Patch0033: 0033-install-allow-removing-symlinks-even-for-units-that-.patch
+Patch0034: 
0034-tmpfiles-honour-dry-run-when-removing-directories.patch
+Patch0035: 0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch
+Patch0036: 0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch
+Patch0037: 0037-mkosi-restrict-noble-backports-to-noble-builds.patch
+Patch0038: 0038-repart-fix-memory-leak.patch
+Patch0039: 0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch
+Patch0040: 0040-ci-update-workflows-to-run-on-source-git-setup.patch
+Patch0041: 0041-ci-setup-source-git-automation.patch
+Patch0042: 0042-ci-deploy-systemd-man-to-GitHub-Pages.patch
+Patch0043: 0043-ci-reconfigure-Packit-for-RHEL-10.patch
+Patch0044: 0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
+Patch0045: 0045-journal-again-create-user-journals-for-users-with-hi.patch
+Patch0046: 0046-tmpfiles-make-purge-hard-to-mis-use.patch
+Patch0047: 0047-fedora-use-system-auth-in-pam-systemd-user.patch
+Patch0048: 0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
+Patch0049: 0049-rules-copy-40-redhat.rules-from-RHEL-9.patch
+Patch0050: 0050-logind-set-RemoveIPC-to-false-by-default.patch
+Patch0051: 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
+Patch0052: 0052-rc-local-order-after-network-online.target.patch
+Patch0053: 0053-random-util-increase-random-seed-size-to-1024.patch
+Patch0054: 0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch
+Patch0055: 0055-journald.conf-don-t-touch-current-audit-settings.patch
+Patch0056: 0056-rules-add-elevator-kernel-command-line-parameter.patch
+Patch0057: 0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
+Patch0058: 0058-udev-net-setup-link-change-the-default-MACAddressPol.patch
+Patch0059: 0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch
+Patch0060: 0060-meson-rename-libbasic-to-libbasic_static.patch
+Patch0061: 0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch
+Patch0062: 
0062-meson-add-option-to-build-systemd-executor-staticall.patch
+Patch0063: 0063-taint-remove-unmerged-bin.patch
+Patch0064: 0064-presets-remove-resolved.patch
 # Downstream-only patches (9000–9999)
@@ -614,7 +655,7 @@ CONFIGURE_OPTS=(
 -Dfirst-boot-full-preset=true
 -Ddefault-network=true
 -Dtests=unsafe
- -Dinstall-tests=true
+ -Dinstall-tests=false
 -Dnobody-user=nobody
 -Dnobody-group=nobody
 -Dcompat-mutable-uid-boundaries=true
@@ -818,7 +859,7 @@ install -Dm0644 10-timeout-abort.conf.user %{buildroot}%{user_unit_dir}/service.
 # https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
 install -Dm0644 -t %{buildroot}%{_prefix}/lib/sysctl.d/ %{SOURCE17}
-sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
+sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py || :
 install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/macros.d/ %{SOURCE21}
 # Use rpm's own sysusers provides where available
@@ -965,17 +1006,6 @@ fi
 %firewalld_reload
 %post resolved
-[ $1 -eq 1 ] || exit 0
-# Initial installation
-
-touch %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
-
-# Related to https://bugzilla.redhat.com/show_bug.cgi?id=1943263
-if ls /usr/lib/systemd/libsystemd-shared-24[0-8].so &>/dev/null; then
- echo "Skipping presets for systemd-resolved.service, seems we are upgrading from old systemd."
- exit 0
-fi
-
 %systemd_post systemd-resolved.service
 %preun resolved
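Review bot: The `# RHEL-specific` context line now heads a list whose first 39 entries are upstream stable-branch cherry-picks (the patch files visible above, 0037–0039, each carry a `(cherry picked from commit …)` trailer), while the RHEL-only changes — the CI, journal, tmpfiles, logind and `RHEL-only: policy` patches — now begin at `Patch0040`; the comment no longer describes what follows it. Suggest adding `# Upstream backports (stable branch)` before `Patch0001` and moving `# RHEL-specific` to just before `Patch0040`, so the next rebase can tell which block is regenerated from upstream and which must be carried forward. A one-line note on how the numbered list is regenerated would also let a reviewer check that no patch was silently dropped in the renumbering.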
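Review bot: Appending `|| :` to the `sed -i` on `run-unit-tests.py` hides the real situation: with `-Dinstall-tests=false` set in the same commit, that file is no longer installed, so the command is dead code, and the blanket `|| :` would equally swallow a genuine `sed` failure should tests ever be re-enabled. Either delete the `sed` line together with the option, or make the condition explicit so an actual error still fails the build, e.g. `if [ -e %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py ]; then` / `sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py` / `fi`. A short comment stating why the file may be absent would stop the next reader from re-adding the unconditional form.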
@@ -996,40 +1026,6 @@ fi
 %postun resolved
 %systemd_postun_with_restart systemd-resolved.service
-%posttrans resolved
-[ -e %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation ] || exit 0
-rm %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
-# Initial installation
-
-# Create /etc/resolv.conf symlink.
-# (https://bugzilla.redhat.com/show_bug.cgi?id=1873856)
-#
-# We would also create it using tmpfiles, but let's do this here too
-# before NetworkManager gets a chance. (systemd-tmpfiles invocation
-# above does not do this, because the line is marked with ! and
-# tmpfiles is invoked without --boot in the scriptlet.)
-#
-# *Create* the symlink if nothing is present yet.
-# (https://bugzilla.redhat.com/show_bug.cgi?id=2032085)
-#
-# *Override* the symlink if systemd is running. Don't do it if systemd
-# is not running, because that will immediately break DNS resolution,
-# since systemd-resolved is also not running
-# (https://bugzilla.redhat.com/show_bug.cgi?id=1891847).
-#
-# Also don't create the symlink to the stub when the stub is disabled (#1891847 again).
-if systemctl -q is-enabled systemd-resolved.service &>/dev/null &&
- ! systemd-analyze cat-config systemd/resolved.conf 2>/dev/null |
- grep -iqE '^DNSStubListener\s*=\s*(no?|false|0|off)\s*$'; then
-
- if ! test -e /etc/resolv.conf && ! test -L /etc/resolv.conf; then
- ln -sv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || :
- elif test -d /run/systemd/system/ &&
- ! mountpoint /etc/resolv.conf &>/dev/null; then
- ln -fsv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || :
- fi
-fi
-
 %pre
 getent group systemd-oom &>/dev/null || groupadd -r systemd-oom 2>&1 || :
 getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /sbin/nologin -c "systemd Userspace OOM Killer" systemd-oom &>/dev/null || :
@@ -1101,6 +1097,12 @@ rm -f .file-list-*
 rm -f %{name}.lang
 %changelog
+* Mon Jul 08 2024 systemd maintenance team - 256-3
+- taint: remove unmerged-bin (RHEL-46277)
+- presets: remove resolved (RHEL-46576)
+- remove resolved scriptlets
+- don't install tests
+
 * Thu Jul 04 2024 systemd maintenance team - 256-2
 - logind: set RemoveIPC to false by default (RHEL-40924)
 - tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (RHEL-40924)