systemd-256-3

Remove resolved scriptlets
Don't install tests

Resolves: RHEL-46277,RHEL-46576,RHEL-46280
This commit is contained in:
Lukas Nykryn 2024-07-08 16:16:18 +02:00
parent e625cacc26
commit 6ee4abe797
66 changed files with 2054 additions and 72 deletions

0001-Create-CNAME.patch Normal file

@ -0,0 +1,18 @@
From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 11 Jun 2024 23:04:12 +0100
Subject: [PATCH] Create CNAME
---
docs/CNAME | 1 +
1 file changed, 1 insertion(+)
create mode 100644 docs/CNAME
diff --git a/docs/CNAME b/docs/CNAME
new file mode 100644
index 0000000000..cdcf4d9a52
--- /dev/null
+++ b/docs/CNAME
@@ -0,0 +1 @@
+systemd.io
\ No newline at end of file


@ -0,0 +1,103 @@
From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Jun 2024 11:28:21 +0200
Subject: [PATCH] man/systemd: reorder content a bit
Section "Description" didn't actually say what systemd does. And we had a giant
"Concepts" section that actually described units types and other details about
them. So let's move the basic description of functionality to "Description" and
rename the following section to "Units".
The link to the Original Design Document is moved to "See Also", it is of
historical interest mostly at this point.
The only actual change is that when talking about API filesystems, /dev is also
mentioned. (I think /sys+/proc+/dev are the canonical set and should be always
listed on one breath.)
(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba)
---
man/systemd.xml | 49 ++++++++++++++++++++++++-------------------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/man/systemd.xml b/man/systemd.xml
index 66db5bbf25..f4aa7e06ca 100644
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -62,10 +62,29 @@
<filename>user.conf.d</filename> directories. See
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information.</para>
+
+ <para><command>systemd</command> contains native implementations of various tasks that need to be
+ executed as part of the boot process. For example, it sets the hostname or configures the loopback
+ network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>,
+ <filename>/proc/</filename>, and <filename>/dev/</filename>.</para>
+
+ <para>Note that some but not all interfaces provided by systemd are covered by the
+ <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
+
+ <para>The D-Bus API of <command>systemd</command> is described in
+ <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
+ url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
+ <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
+ specifications, respectively.</para>
</refsect1>
<refsect1>
- <title>Concepts</title>
+ <title>Units</title>
<para>systemd provides a dependency system between various
entities called "units" of 11 different types. Units encapsulate
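Review bot: the relocated `<ulink>` references in this hunk are inconsistent in form: `https://systemd.io/CONTAINER_INTERFACE` has no trailing slash while `https://systemd.io/INITRD_INTERFACE/` and `https://systemd.io/PORTABILITY_AND_STABILITY/` do. Since the paragraph is being moved anyway, this is the cheap moment to normalise the URL to `https://systemd.io/CONTAINER_INTERFACE/`; the removed copy further down carries the same inconsistency, so nothing else needs to change.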
@@ -261,34 +280,10 @@
example, start jobs for any of those inactive units getting queued as
well.</para>
- <para>systemd contains native implementations of various tasks
- that need to be executed as part of the boot process. For example,
- it sets the hostname or configures the loopback network device. It
- also sets up and mounts various API file systems, such as
- <filename>/sys/</filename> or <filename>/proc/</filename>.</para>
-
- <para>For more information about the concepts and
- ideas behind systemd, please refer to the
- <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
-
- <para>Note that some but not all interfaces provided by systemd are covered by the
- <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
-
<para>Units may be generated dynamically at boot and system
manager reload time, for example based on other configuration
files or parameters passed on the kernel command line. For details, see
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
-
- <para>The D-Bus API of <command>systemd</command> is described in
- <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- </para>
-
- <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
- url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
- <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
- specifications, respectively.</para>
</refsect1>
<refsect1>
@@ -1558,6 +1553,10 @@
<member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
</simplelist></para>
+
+ <para>For more information about the concepts and
+ ideas behind systemd, please refer to the
+ <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
</refsect1>
</refentry>


@ -0,0 +1,43 @@
From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 8 May 2024 10:38:11 +0200
Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
connections are still ongoing
And while we are at it, ongoing PK authorizations are also a reason to
block exit on idle.
(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
---
src/hostname/hostnamed.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index 82d08803fa..fe1216fc1c 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
return 0;
}
+static bool context_check_idle(void *userdata) {
+ Context *c = ASSERT_PTR(userdata);
+
+ return varlink_server_current_connections(c->varlink_server) == 0 &&
+ hashmap_isempty(c->polkit_registry);
+}
+
static int run(int argc, char *argv[]) {
_cleanup_(context_destroy) Context context = {
.hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
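Review bot: `context_check_idle()` passes `c->varlink_server` to `varlink_server_current_connections()` unconditionally; if `connect_varlink()` can leave that pointer NULL (for example when binding the Varlink socket fails but the D-Bus service keeps running), please confirm the callee tolerates NULL, otherwise guard the check with `!c->varlink_server ||` so a daemon without a Varlink server can still exit on idle. The `hashmap_isempty(c->polkit_registry)` half is fine since the hashmap helpers treat NULL as empty.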
@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
context.bus,
"org.freedesktop.hostname1",
DEFAULT_EXIT_USEC,
- /* check_idle= */ NULL,
- /* userdata= */ NULL);
+ context_check_idle,
+ &context);
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");
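Review bot: the replacement drops the parameter-name comments that the old call carried (`/* check_idle= */`, `/* userdata= */`); keep them on the new arguments, i.e. `/* check_idle= */ context_check_idle,` and `/* userdata= */ &context);`, so the call site stays self-documenting alongside the other annotated arguments in this function.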


@ -0,0 +1,30 @@
From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 12 Jun 2024 00:48:56 +0900
Subject: [PATCH] sd-dhcp-server: clear buffer before receive
I do not think this is necessary, but all other places in
libsystemd-network we clear buffer before receive. Without this,
Coverity warns about use-of-uninitialized-values.
Let's silence Coverity.
Closes CID#1469721.
(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
---
src/libsystemd-network/sd-dhcp-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index c3b0f82dc4..4967f066dc 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
/* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
- message = malloc(buflen);
+ message = malloc0(buflen);
if (!message)
return -ENOMEM;
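Review bot: `malloc0()` zero-fills `buflen` bytes for every received datagram, which the commit message itself says is only to satisfy Coverity; the cost is acceptable here, but zeroing does not establish the property that actually matters, namely that the parser never reads beyond the number of bytes the receive call returned. Worth confirming that the length handed to the DHCP message parser after this hunk is the received length rather than `buflen`, since a zeroed tail would otherwise silently parse as "no more options".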


@ -0,0 +1,29 @@
From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 10 Jun 2024 12:59:58 +0200
Subject: [PATCH] rules: Limit the number of device units generated for serial
ttys
As per the suggestion in https://github.com/systemd/systemd/issues/33242.
This reduces the number of /dev/ttySXX device units generated in
mkosi from 32 to 4.
(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
---
rules.d/99-systemd.rules.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
index ad0c7e2fb5..8ba6f177f8 100644
--- a/rules.d/99-systemd.rules.in
+++ b/rules.d/99-systemd.rules.in
@@ -10,6 +10,8 @@
ACTION=="remove", GOTO="systemd_end"
SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
+# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
+SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
KERNEL=="vport*", TAG+="systemd"
SUBSYSTEM=="ptp", TAG+="systemd"
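Review bot: `ATTR{port}=="0x0"` matches only the I/O port base, so an 8250-compatible UART driven through memory-mapped registers (which legitimately reports no I/O port) would also be marked `SYSTEMD_READY="0"` by this rule; consider additionally requiring the `iomem_base` attribute to be zero so that only genuinely unconfigured legacy ports are excluded. Placing the rule after the `TAG+="systemd"` line is correct: the device keeps the tag but is reported not ready, which is the intended effect.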


@ -0,0 +1,81 @@
From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001
From: q66 <q66@chimera-linux.org>
Date: Thu, 6 Jun 2024 13:45:48 +0200
Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer
This allows us to reserve a bunch of capacity ahead of time,
improving the performance of hwdb significantly thanks to not
having to reallocate so many times.
Before:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==113297== Memcheck, a memory error detector
==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==113297== Command: ./systemd-hwdb update
==113297==
==113297==
==113297== HEAP SUMMARY:
==113297== in use at exit: 0 bytes in 0 blocks
==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated
==113297==
==113297== All heap blocks were freed -- no leaks are possible
==113297==
==113297== For lists of detected and suppressed errors, rerun with: -s
==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k
0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps
```
After:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==112572== Memcheck, a memory error detector
==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==112572== Command: ./systemd-hwdb update
==112572==
==112572==
==112572== HEAP SUMMARY:
==112572== in use at exit: 0 bytes in 0 blocks
==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated
==112572==
==112572== All heap blocks were freed -- no leaks are possible
==112572==
==112572== For lists of detected and suppressed errors, rerun with: -s
==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k
0inputs+25264outputs (0major+57275minor)pagefaults 0swaps
```
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93)
---
src/basic/strbuf.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
index 0617acc8d2..6d43955bb1 100644
--- a/src/basic/strbuf.c
+++ b/src/basic/strbuf.c
@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
/* add string, return the index/offset into the buffer */
ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
uint8_t c;
- char *buf_new;
struct strbuf_child_entry *child;
struct strbuf_node *node;
ssize_t off;
@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
}
/* add new string */
- buf_new = realloc(str->buf, str->len + len+1);
- if (!buf_new)
+ if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
return -ENOMEM;
- str->buf = buf_new;
off = str->len;
memcpy(str->buf + off, s, len);
str->len += len;
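Review bot: `GREEDY_REALLOC()` sizes by element count, which for a `char *` buffer is bytes, so `str->len + len + 1` is the right request; note however that the macro reassigns `str->buf` (the pointer may move) and determines spare capacity from the allocation itself, so every other writer of `str->buf` (the initial allocation and any shrink on finalize) must keep using the plain malloc family for the capacity bookkeeping to stay valid. Those sites are not in this hunk, so please confirm.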


@ -0,0 +1,132 @@
From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 17 May 2024 16:20:11 +0200
Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
authorization failure
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.
(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
---
catalog/systemd.catalog.in | 13 +++++++++++++
src/shared/tpm2-util.c | 2 ++
src/systemd/sd-messages.h | 3 +++
src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++-
units/systemd-tpm2-setup-early.service.in | 3 +++
units/systemd-tpm2-setup.service.in | 3 +++
6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 3c9a6860da..2831152763 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
detached from the system and is no longer available for use. The list of attached
Portable Services can be queried with 'portablectl list'.
+
+-- ad7089f928ac4f7ea00c07457d47ba8a
+Subject: Authorization failure while attempting to enroll SRK into TPM
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: man:systemd-tpm2-setup.service(8)
+
+An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
+Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
+the TPM.
+
+Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
+protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
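Review bot: typo in the new catalog text: `occured` in `An authorization failure occured while attempting to enroll ...` should be `occurred`. Also, the recovery advice passes the old owner password on the command line (`tpm2_changeauth -c o -p <OLDPW> ""`), which leaves it visible in the process list and in shell history; since this is user-facing guidance it is worth mentioning that tpm2-tools auth values can be supplied via a `file:` prefix instead, or at least flagging the exposure.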
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53cf95..9603f1837e 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
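Review bot: the new `rc == TPM2_RC_BAD_AUTH` comparison is exact, but format-1 TPM response codes carry the index of the offending handle, session or parameter in their upper nibble (the bits covered by `TPM2_RC_N_MASK`), so an owner-hierarchy auth failure typically comes back as `TPM2_RC_BAD_AUTH` ORed with a session index and would fall through to the generic `ENOTRECOVERABLE` branch below. Compare after masking, e.g. `(rc & ~TPM2_RC_N_MASK) == TPM2_RC_BAD_AUTH`, or the graceful path this patch adds will rarely trigger. Reusing `EDEADLK` as the sentinel also deserves a comment at this site, since it has nothing to do with its usual meaning.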
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f68068a8..16e9986be3 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc02a..b95c5e7a58 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
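Review bot: stray empty statement: the `return 76;` line ends its trailing comment with `*/;`, leaving an extra `;` after the comment. Consider also naming the magic number (something like an `EXIT_TPM_AUTH_FAILURE`-style constant, name is a suggestion) next to `DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE()` so the `SuccessExitStatus=76` in the two unit files has a single definition to point at.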
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9982c84aba..7fdb99b53f 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
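Review bot: with `SuccessExitStatus=76` combined with `RemainAfterExit=yes` the unit reports active even though no SRK was created and `/run/systemd/tpm2-srk-public-key.pem` (the path in the `ConditionPathExists=` above) does not exist. That is the intended graceful behaviour, but any unit ordered after this one that expects the key file must treat its absence as a supported state rather than a failure; a short addition to the comment saying that the key file is not produced in this case would make that explicit. The same applies to the identical change in `systemd-tpm2-setup.service.in` below.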
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 0af7292528..ac29a76966 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76


@ -0,0 +1,37 @@
From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <ronan@rjp.ie>
Date: Fri, 8 Mar 2024 13:40:08 -0700
Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
validating
This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.
This brings the behavior of sd-resolved in-line with previously stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".
Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
---
src/resolve/resolved-dns-server.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f4f4..b37f541c7f 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;
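Review bot: this relaxes a guard in `dns_server_dnssec_supported()`: with the feature-level check gone, a server that was never probed at a DNSSEC-capable feature level is now reported as supporting DNSSEC whenever `DNSSEC=no` is in effect and no bad OPT was seen, so DNSSEC-typed queries are proxied upstream and the answers are handed to the client without validation. That matches the stated intent (the client is responsible for validating in this mode), but since a safety check is being removed, please add a test that issues a DNSKEY or RRSIG query under `DNSSEC=no` and confirm that the remaining `packet_bad_opt` fallback and the `DNSSEC_YES` short-circuit above still behave as before.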


@ -0,0 +1,123 @@
From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 2 Jun 2024 16:24:52 +0200
Subject: [PATCH] repart: Use crypt_reencrypt_run() if available
crypt_reencrypt() is deprecated, so let's look for and prefer
crypt_reencrypt_run() if it is available.
(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a)
---
meson.build | 1 +
src/partition/repart.c | 6 +++++-
src/shared/cryptsetup-util.c | 19 ++++++++-----------
src/shared/cryptsetup-util.h | 6 +++---
4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/meson.build b/meson.build
index ea4e12aa1c..e42151998b 100644
--- a/meson.build
+++ b/meson.build
@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size',
'crypt_token_max',
'crypt_reencrypt_init_by_passphrase',
'crypt_reencrypt',
+ 'crypt_reencrypt_run',
'crypt_set_data_offset',
'crypt_set_keyring_to_link',
'crypt_resume_by_volume_key']
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 6f67d46025..2ecae4ca03 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
}
static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
+#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
const char *node = partition_target_path(target);
struct crypt_params_luks2 luks_params = {
.label = strempty(ASSERT_PTR(p)->new_label),
@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
if (r < 0)
return log_error_errno(r, "Failed to load reencryption context: %m");
+#if HAVE_CRYPT_REENCRYPT_RUN
+ r = sym_crypt_reencrypt_run(cd, NULL, NULL);
+#else
r = sym_crypt_reencrypt(cd, NULL);
+#endif
if (r < 0)
return log_error_errno(r, "Failed to encrypt %s: %m", node);
} else {
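Review bot: both `sym_crypt_reencrypt_run(cd, NULL, NULL)` and the `sym_crypt_reencrypt(cd, NULL)` fallback pass a NULL progress callback, which is fine, but note that the choice is made at build time from the build host's libcryptsetup headers while the symbols are resolved with dlsym at run time: a binary built against 2.4+ will list `crypt_reencrypt_run` as a required symbol and fail to load libcryptsetup on a 2.2/2.3 runtime. That is consistent with the `#elif` in cryptsetup-util, but it is worth stating in the commit message since it changes the runtime compatibility window.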
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 288e6e8942..d0dd434df8 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_FUNCTION(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_FUNCTION(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_FUNCTION(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET
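Review bot: dropping `DISABLE_WARNING_DEPRECATED_DECLARATIONS` around `DLSYM_FUNCTION(crypt_reencrypt)` is only warning-free because the `#elif HAVE_CRYPT_REENCRYPT` branch now compiles solely against headers that lack `crypt_reencrypt_run`, i.e. libcryptsetup older than 2.4.0 where, per the comment in the next hunk, the old symbol had not yet been deprecated. A one-line comment on the `#elif` saying so would save the next reader from re-deriving why the suppression could go.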
@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
- * warnings about this for now. */
-
- DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
+ * symbol if the new one is not available. */
ELF_NOTE_DLOPEN("cryptsetup",
"Support for disk encryption, integrity, and authentication",
@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
#endif
-#if HAVE_CRYPT_REENCRYPT
+#if HAVE_CRYPT_REENCRYPT_RUN
+ DLSYM_ARG(crypt_reencrypt_run),
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_ARG(crypt_reencrypt),
#endif
DLSYM_ARG(crypt_metadata_locking),
@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
if (r <= 0)
return r;
- REENABLE_WARNING;
-
/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index f00ac367b6..d255e59004 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_PROTOTYPE(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_PROTOTYPE(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET


@ -0,0 +1,136 @@
From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 12 Jun 2024 12:09:25 +0200
Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST
Let's dump a list of skipped tests and logs from failed tests at the end
of TEST-02-UNITTEST to make debugging fails in CI slightly less painful.
(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
---
test/TEST-02-UNITTESTS/test.sh | 8 ----
test/test-functions | 68 ---------------------------------
test/units/TEST-02-UNITTESTS.sh | 14 +++++++
3 files changed, 14 insertions(+), 76 deletions(-)
diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
index f165c99368..2cf9c31096 100755
--- a/test/TEST-02-UNITTESTS/test.sh
+++ b/test/TEST-02-UNITTESTS/test.sh
@@ -37,12 +37,4 @@ test_append_files() {
fi
}
-check_result_nspawn() {
- check_result_nspawn_unittests "${1}"
-}
-
-check_result_qemu() {
- check_result_qemu_unittests
-}
-
do_test "$@"
diff --git a/test/test-functions b/test/test-functions
index be6eb1d9b2..8b497b2e27 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1860,74 +1860,6 @@ check_result_qemu() {
return $ret
}
-check_result_nspawn_unittests() {
- local workspace="${1:?}"
- local ret=1
-
- [[ -e "$workspace/testok" ]] && ret=0
-
- if [[ -s "$workspace/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$workspace/failed"
- else
- if [[ -s "$workspace/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$workspace/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$workspace/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$workspace/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$workspace" || ret=5
-
- save_journal "$workspace/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "${initdir:?}"
-
- return $ret
-}
-
-check_result_qemu_unittests() {
- local ret=1
-
- mount_initdir
- [[ -e "${initdir:?}/testok" ]] && ret=0
-
- if [[ -s "$initdir/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$initdir/failed"
- else
- if [[ -s "$initdir/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$initdir/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$initdir/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$initdir/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$initdir" || ret=5
-
- save_journal "$initdir/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "$initdir"
-
- return $ret
-}
-
create_rc_local() {
dinfo "Create rc.local"
mkdir -p "${initdir:?}/etc/rc.d"
diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh
index 6392425130..4448643f9a 100755
--- a/test/units/TEST-02-UNITTESTS.sh
+++ b/test/units/TEST-02-UNITTESTS.sh
@@ -95,6 +95,20 @@ export -f run_test
find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 |
xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}"
+# Write all pending messages, so they don't get mixed with the summaries below
+journalctl --sync
+
+# No need for full test logs in this case
+if [[ -s /skipped-tests ]]; then
+ : "=== SKIPPED TESTS ==="
+ cat /skipped-tests
+fi
+
+if [[ -s /failed ]]; then
+ : "=== FAILED TESTS ==="
+ cat /failed
+fi
+
# Test logs are sometimes lost, as the system shuts down immediately after
journalctl --sync
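Review bot: the section headers are written with the null command (`: "=== SKIPPED TESTS ==="` and `: "=== FAILED TESTS ==="`), which only becomes visible when the script runs under `set -x`; without tracing, the output of `cat /skipped-tests` and `cat /failed` appears with no heading at all. Use `echo` for the headers unless trace output is guaranteed for this script.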


@ -0,0 +1,29 @@
From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 3 Jun 2024 12:35:29 +0200
Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE
Let's skip udev device scanning when activating a LUKS volume in
systemd-repart as we don't depend on any udev symlinks and don't
expect anything except repart to access the volume.
Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6)
---
src/partition/repart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 2ecae4ca03..78cf60f724 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
dm_name,
NULL,
VOLUME_KEY_SIZE,
- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
+ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
if (r < 0)
return log_error_errno(r, "Failed to activate LUKS superblock: %m");


@ -0,0 +1,26 @@
From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 11 Jun 2024 23:09:30 +0100
Subject: [PATCH] NEWS: note that new stable releases will be in the main repo
(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf)
---
NEWS | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 02ad8b2c79..bbee0852be 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,11 @@ CHANGES WITH 256:
* systemd.crash_reboot and related settings are deprecated in favor of
systemd.crash_action=.
+ * Stable releases for version v256 and newer will now be pushed in the
+ main repository. The systemd-stable repository will be used for existing
+ stable branches (v255-stable and lower), and when they reach EOL it will
+ be archived.
+
General Changes and New Features:
* Various programs will now attempt to load the main configuration file


@ -0,0 +1,29 @@
From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 12 Jun 2024 14:35:34 +0200
Subject: [PATCH] shell-completion: only offer devices for completion
This skips directories and other stuff like /dev/core, /dev/initctl or
/dev/log.
(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb)
---
shell-completion/bash/udevadm | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm
index 05f921cf49..3842d722e7 100644
--- a/shell-completion/bash/udevadm
+++ b/shell-completion/bash/udevadm
@@ -32,10 +32,7 @@ __get_all_sysdevs() {
}
__get_all_device_nodes() {
- local i
- for i in /dev/* /dev/*/* /dev/*/*/*; do
- echo $i
- done
+ find /dev -xtype b -o -xtype c
}
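Review bot: `find /dev -xtype b -o -xtype c` will print permission-denied diagnostics on stderr for any directory under `/dev` the completing user cannot traverse, and those land in the terminal in the middle of tab completion; redirect them with `2>/dev/null`. The expression itself is fine (`-o` joins the two `-xtype` tests), and `-xtype` also matches symlinks pointing at device nodes, which is an improvement over the old fixed-depth globs.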
__get_all_device_units() {


@ -0,0 +1,98 @@
From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 12 Jun 2024 18:31:56 +0200
Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters
In some recent PRs (e.g. #32628) I started to systematically name return
parameters that shall only be initialized on failure (because they carry
additional error meta information, such as the line/column number of
parse failures or so). Let's make this official in the coding style.
(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee)
---
docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++----------
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
index 8f687e6662..309436a397 100644
--- a/docs/CODING_STYLE.md
+++ b/docs/CODING_STYLE.md
@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later
thread. Use `is_main_thread()` to detect whether the calling thread is the
main thread.
-- Do not write functions that clobber call-by-reference variables on
- failure. Use temporary variables for these cases and change the passed in
- variables only on success. The rule is: never clobber return parameters on
- failure, always initialize return parameters on success.
-
-- Typically, function parameters fit into three categories: input parameters,
- mutable objects, and call-by-reference return parameters. Input parameters
- should always carry suitable "const" declarators if they are pointers, to
- indicate they are input-only and not changed by the function. Return
- parameters are best prefixed with "ret_", to clarify they are return
- parameters. (Conversely, please do not prefix parameters that aren't
- output-only with "ret_", in particular not mutable parameters that are both
- input as well as output). Example:
+- Typically, function parameters fit into four categories: input parameters,
+ mutable objects, call-by-reference return parameters that are initialized on
+ success, and call-by-reference return parameters that are initialized on
+ failure. Input parameters should always carry suitable `const` declarators if
+ they are pointers, to indicate they are input-only and not changed by the
+ function. The name of return parameters that are initialized on success
+ should be prefixed with `ret_`, to clarify they are return parameters. The
+ name of return parameters that are initialized on failure should be prefixed
+ with `reterr_`. (Examples of such parameters: those which carry additional
+ error information, such as the row/column of parse errors or so).
+ Conversely, please do not prefix parameters that aren't output-only with
+ `ret_` or `reterr_`, in particular not mutable parameters that are both input
+ as well as output.
+
+ Example:
```c
static int foobar_frobnicate(
Foobar* object, /* the associated mutable object */
const char *input, /* immutable input parameter */
- char **ret_frobnicated) { /* return parameter */
+ char **ret_frobnicated, /* return parameter on success */
+ unsigned *reterr_line, /* return parameter on failure */
+ unsigned *reterr_column) { /* ditto */
return 0;
}
```
+- Do not write functions that clobber call-by-reference success return
+ parameters on failure (i.e. `ret_xyz`, see above), or that clobber
+ call-by-reference failure return parameters on success
+ (i.e. `reterr_xyz`). Use temporary variables for these cases and change the
+ passed in variables only in the right condition. The rule is: never clobber
+ success return parameters on failure, always initialize success return
+ parameters on success (and the reverse for failure return parameters, of
+ course).
+
+- Please put `reterr_` return parameters in the function parameter list last,
+ and `ret_` return parameters immediately before that.
+
+ Good:
+
+ ```c
+ static int do_something(
+ const char *input,
+ const char *ret_on_success,
+ const char *reterr_on_failure);
+ ```
+
+ Not good:
+
+ ```c
+ static int do_something(
+ const char *reterr_on_failure,
+ const char *ret_on_success,
+ const char *input);
+ ```
+
- The order in which header files are included doesn't matter too
much. systemd-internal headers must not rely on an include order, so it is
safe to include them in any order possible. However, to not clutter global
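Review bot: the `Good`/`Not good` prototypes declare both return parameters as `const char *`, which cannot be written through; that contradicts the rule a few lines up that `const` marks input-only pointers and that `ret_`/`reterr_` parameters are call-by-reference outputs. Suggest matching the first example, e.g. `char **ret_on_success` and `unsigned *reterr_on_failure`. In that first example, `Foobar* object` sits next to `const char *input`; pointer-star placement should be consistent within one snippet, especially in the document that defines the style.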


@ -0,0 +1,27 @@
From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 4 Jun 2024 11:02:34 +0200
Subject: [PATCH] analyze: show pcrs also in sha384 bank
SHA384 is pretty much the bank we actually *want* to use, since it's
faster to calculate than SHA256, hence at the very least, start
considering.
(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
---
src/analyze/analyze-pcrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index 43e415fc6d..1c3da3fd84 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -11,7 +11,7 @@
static int get_pcr_alg(const char **ret) {
assert(ret);
- FOREACH_STRING(alg, "sha256", "sha1") {
+ FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
_cleanup_free_ char *p = NULL;
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)
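Review bot: the ordering contradicts the commit message. `FOREACH_STRING` returns the first bank for which `/sys/class/tpm/tpm0/pcr-%s/0` exists, so on a TPM that exposes both banks sha256 still wins and sha384 is only used when sha256 is absent. If sha384 is the bank that should be preferred, list it first (`"sha384", "sha256", "sha1"`); if sha256 is meant to stay the default, reword the message so it describes this as adding a fallback rather than a preference.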


@ -0,0 +1,41 @@
From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <cristian@rodriguez.im>
Date: Thu, 13 Jun 2024 11:59:28 -0400
Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang
19
Silly workaround that:
- allowed flexible arrays in unions
- allowed flexible arrays in otherwise empty structs
Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a
(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9
(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939)
---
src/fundamental/macro-fundamental.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 5ccbda5186..8aca5f784a 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
} \
}
+/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
+#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
+#define DECLARE_FLEX_ARRAY(type, name) type name[];
+#else
/* Declare a flexible array usable in a union.
* This is essentially a work-around for a pointless constraint in C99
* and might go away in some future version of the standard.
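Review bot: the new `DECLARE_FLEX_ARRAY()` body ends in a semicolon, while the `#else` variant ends with `}` and relies on the call site supplying the `;`. On a GCC 15 / clang 19 build every existing use therefore expands to `type name[];;`, an empty declaration inside a struct that `-Wpedantic` and clang's `-Wextra-semi` flag. Drop the trailing `;` from the macro so both variants are used the same way. The comment `(see above)` also points the wrong way: the explanation of the constraint is the block below, under `#else`. The version guard itself is fine, since clang reports `__GNUC__` as 4 and is only matched by the second operand.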
@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
dummy_t __empty__ ## name; \
type name[]; \
}
+#endif
/* Declares an ELF read-only string section that does not occupy memory at runtime. */
#define DECLARE_NOALLOC_SECTION(name, text) \


@ -0,0 +1,31 @@
From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 14 Jun 2024 17:31:22 -0400
Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc)
---
man/systemd-tmpfiles.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 008bff62da..6f3ec66611 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -150,7 +150,11 @@
<varlistentry>
<term><option>--purge</option></term>
<listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted.</para>
+ <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
+ <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
+ (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
+ to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
+ and directories will be deleted.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>


@ -0,0 +1,65 @@
From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 15 Jun 2024 17:27:33 +0200
Subject: [PATCH] man,units: drop "temporary" from description of
systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manage temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.
As discussed in #33349
(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
---
man/systemd-tmpfiles.xml | 8 +++++---
units/systemd-tmpfiles-setup.service | 2 +-
units/user/systemd-tmpfiles-setup.service | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 6f3ec66611..9767aead85 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -55,9 +55,11 @@
<refsect1>
<title>Description</title>
- <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files
- and directories, using the configuration file format and location specified in
- <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must
+ <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using
+ the configuration file format and location specified in
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides
+ generic file management functionality and can be used to manage any kind of files. It must
be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and
<option>--clean</option>, to select the respective subset of operations.</para>
diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
index 6cae32850f..b92beb7314 100644
--- a/units/systemd-tmpfiles-setup.service
+++ b/units/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create Volatile Files and Directories
+Description=Create System Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service
index 156689edcd..54e453c4fc 100644
--- a/units/user/systemd-tmpfiles-setup.service
+++ b/units/user/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create User's Volatile Files and Directories
+Description=Create User Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
Conflicts=shutdown.target


@ -0,0 +1,24 @@
From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 11:16:21 +0100
Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests
Ubuntu disables them by default in Noble, ship a sysctl to turn them back on
so that tests can use them
(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467)
---
.../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
new file mode 100644
index 0000000000..657ac72f8d
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
@@ -0,0 +1,4 @@
+# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
+# for integration tests
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0
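Review bot: setting both `kernel.apparmor_restrict_unprivileged_*` keys to 0 turns off a hardening default of the guest, and because the file lives in `/usr/lib/sysctl.d/` inside `mkosi.extra` it applies to every boot of the image, not only while a test runs. That is acceptable for a throwaway test image, but the comment should say so explicitly (for example "test images only, never ship in a product image") so the snippet is not copied into a real profile later. Since the file is not under the `10-ubuntu` match directory it is also installed on every distribution, where these Ubuntu-specific keys do not exist; prefixing each key with `-` (`-kernel.apparmor_restrict_unprivileged_userns = 0`) tells systemd-sysctl not to report an error when the key is missing.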


@ -0,0 +1,74 @@
From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 15:28:56 +0100
Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports
Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1
(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7)
---
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf | 3 ---
.../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 9 +++++++++
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 9 +++++++++
.../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++
4 files changed, 24 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
index 25957b1e92..86f9736ed9 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@@ -3,9 +3,6 @@
[Match]
Distribution=ubuntu
-[Distribution]
-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
-
[Content]
Packages=
linux-image-generic
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
new file mode 100644
index 0000000000..0ec4807822
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The ports Ubuntu archive is for non i386/amd64 repositories
+
+[Match]
+Architecture=!x86-64
+Architecture=!x86
+
+[Distribution]
+PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
new file mode 100644
index 0000000000..c08eeac337
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The main Ubuntu archive is only for i386/amd64 repositories
+
+[Match]
+Architecture=|x86-64
+Architecture=|x86
+
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
new file mode 100644
index 0000000000..5b96dc544d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://ports.ubuntu.com
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg
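Review bot: `URIs: http://ports.ubuntu.com` fetches indexes and packages over plaintext HTTP. Authenticity is still covered by `Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg`, so this is not a signing problem, but an on-path device can observe what the image build pulls and can replay old, still-signed indexes until their `Valid-Until` expires; if the ports mirror offers HTTPS in the build environment, prefer it. The `[Match]` pair `Architecture=!x86-64` / `!x86` in non-x86.conf and `Architecture=|x86-64` / `|x86` in x86.conf is correct, but a one-line comment in each file naming its counterpart would make clear that the two lists must be kept in sync.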


@ -0,0 +1,58 @@
From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 20:42:12 +0100
Subject: [PATCH] mkosi: install EFI packages only on EFI architectures
sbsigntool, systemd-boot and systemd-boot-efi do not exist on other
architectures
(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4)
---
.../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 3 ---
.../10-debian-ubuntu/mkosi.conf.d/efi.conf | 16 ++++++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index ae014fa966..ecac78049d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -20,8 +20,6 @@ VolatilePackages=
libsystemd-dev
libudev-dev
systemd
- systemd-boot
- systemd-boot-efi
systemd-container
systemd-coredump
systemd-dev
@@ -74,7 +72,6 @@ Packages=
python3-pexpect
python3-psutil
quota
- sbsigntool
softhsm2
squashfs-tools
stress
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
new file mode 100644
index 0000000000..781670a775
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# sbsigntool exists only on UEFI architectures
+
+[Match]
+Architecture=|x86
+Architecture=|x86-64
+Architecture=|arm
+Architecture=|arm64
+Architecture=|riscv32
+Architecture=|riscv64
+
+[Content]
+Packages=
+ sbsigntool
+ systemd-boot
+ systemd-boot-efi
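Review bot: the header comment `# sbsigntool exists only on UEFI architectures` is already out of date for this file: the `[Content]` list also moves `systemd-boot` and `systemd-boot-efi` here, and the commit message names all three. Say "sbsigntool, systemd-boot and systemd-boot-efi exist only on UEFI architectures" so the next person adding a package knows the match applies to the whole list.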


@ -0,0 +1,31 @@
From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 13:41:50 +0100
Subject: [PATCH] test: check the skip condition before installing additional
files
(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc)
---
test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
index 165af47f15..f8a2a62467 100755
--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
@@ -6,13 +6,13 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
-install_extension_images
-
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
echo "Cannot create unprivileged user namespaces" >/skipped
exit 77
fi
+install_extension_images
+
systemd-analyze log-level debug
runas testuser systemd-run --wait --user --unit=test-private-users \


@ -0,0 +1,37 @@
From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 16:08:57 +0100
Subject: [PATCH] test: drop unneeded firmware: uefi setting
These tests no longer need this, as they are running in nspawn, drop it
(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482)
---
test/TEST-09-REBOOT/meson.build | 2 --
test/TEST-18-FAILUREACTION/meson.build | 2 --
2 files changed, 4 deletions(-)
diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build
index c4b41bc97b..b7556189f5 100644
--- a/test/TEST-09-REBOOT/meson.build
+++ b/test/TEST-09-REBOOT/meson.build
@@ -4,7 +4,5 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'storage' : 'persistent',
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]
diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build
index 5edfbcad1f..8dec5f37e7 100644
--- a/test/TEST-18-FAILUREACTION/meson.build
+++ b/test/TEST-18-FAILUREACTION/meson.build
@@ -3,7 +3,5 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]


@ -0,0 +1,28 @@
From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:21:32 +0100
Subject: [PATCH] test: drop obsolete comment
We want to keep various logic here instead of mkosi, so drop the
temporary comment
(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54)
---
test/integration-test-wrapper.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 5b098a3e01..1e015e7d47 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -2,10 +2,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
'''Test wrapper command for driving integration tests.
-
-Note: This is deliberately rough and only intended to drive existing tests
-with the expectation that as part of formally defining the API it will be tidy.
-
'''
import argparse


@ -0,0 +1,25 @@
From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:15:24 +0100
Subject: [PATCH] test: support TEST_NO_KVM
The shell integration suite allows manually deselecting KVM, so
support the same env var for the same purpose in python.
(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82)
---
test/integration-test-wrapper.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 1e015e7d47..15b1ce1055 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -124,6 +124,7 @@ def main():
*args.mkosi_args,
'--append',
'--qemu-firmware', args.firmware,
+ '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
'--kernel-command-line-extra',
' '.join([
'systemd.hostname=H',
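Review bot: `bool(int(os.getenv("TEST_NO_KVM", "0")))` raises `ValueError` and aborts the whole wrapper if someone exports `TEST_NO_KVM=yes` or an empty `TEST_NO_KVM=`; the shell suite this mirrors is more forgiving. A small helper such as `def env_flag(name): return os.getenv(name, "0").strip().lower() in ("1", "true", "yes")` makes the check robust, and `"no" if env_flag("TEST_NO_KVM") else "auto"` reads better than the double negation. The same helper would serve the `TEST_NO_QEMU` check added in the next patch.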


@ -0,0 +1,30 @@
From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 14:09:40 +0100
Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper
Same as the old integration test suite, allow skipping tests that
require qemu.
ppc64el's vsock support doesn't appear to work, so we'll skip it,
as it is already done in the legacy framework.
(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2)
---
test/integration-test-wrapper.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 15b1ce1055..b6a16aa3ef 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -57,6 +57,10 @@ def main():
print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
exit(77)
+ if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+ print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+ exit(77)
+
name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
dropin = textwrap.dedent(
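Review bot: `bool(int(os.getenv("TEST_NO_QEMU", "0")))` repeats the fragile integer parsing of the `TEST_NO_KVM` check in the previous patch and fails the same way on non-numeric values; factor one helper and use it for both. Keying the skip on `args.vm` alone is fine if that flag is the only thing that selects qemu; if any other setting can push a test into a VM, the check should look at the effective backend instead. Using the builtin `exit(77)` matches the existing `SYSTEMD_SLOW_TESTS` check above, so no objection to keeping it consistent here.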


@ -0,0 +1,27 @@
From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:37:43 +0100
Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback
mkosi will prefer UEFI if the architecture supports it, but fall back
to 'linux' if it doesn't.
(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367)
---
test/TEST-06-SELINUX/meson.build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 7a850beb81..9261a49c49 100644
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@@ -5,7 +5,8 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()),
'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
+ # Use 'auto' to automatically fallback on non-uefi architectures.
+ 'firmware' : 'auto',
'vm' : true,
},
]
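Review bot: the retained `# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.` now sits directly above `'firmware' : 'auto'`, and `auto` is exactly what falls back to `linux` on non-UEFI architectures, so on those architectures the comment and the setting contradict each other. Either drop the FIXME as the earlier patch did for TEST-09 and TEST-18, or reword it to say the hang is accepted there. While touching it, `FIXME;` should be `FIXME:`.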


@ -0,0 +1,45 @@
From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Mon, 17 Jun 2024 07:47:20 +0200
Subject: [PATCH] core/service: fix accept-socket deserialization
Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c
(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578)
---
src/core/service.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index 8ec27c463a..6e81460ad0 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) {
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket));
+ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket));
if (socket->max_connections_per_source > 0) {
SocketPeer *peer;
@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
} else if (streq(key, "accept-socket")) {
Unit *socket;
- if (u->type != UNIT_SOCKET) {
- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
+ if (unit_name_to_type(value) != UNIT_SOCKET) {
+ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value);
return 0;
}
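Review bot: a regression test is missing for this fix. The old condition `u->type != UNIT_SOCKET` tested the type of the service being deserialized, which is always `UNIT_SERVICE`, so the `accept-socket` entry was unconditionally dropped and a per-connection service lost its socket reference (and the `n_connections` bump in the next hunk) across `daemon-reexec`. A test that reexecs the manager with an `Accept=yes` socket and a live connection, then checks the connection is still counted, would keep this from silently breaking again. Checking `unit_name_to_type(value)` is the right fix; a malformed name yields a negative value that also differs from `UNIT_SOCKET` and lands in the same ignore path, which is acceptable.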
@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);
else {
unit_ref_set(&s->accept_socket, u, socket);
- SOCKET(socket)->n_connections++;
+ ASSERT_PTR(SOCKET(socket))->n_connections++;
}
} else if (streq(key, "socket-fd")) {


@ -0,0 +1,26 @@
From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 00:09:03 +0900
Subject: [PATCH] test-network: mention that the captive portal option is
supported since v2.20
The current latest release is v2.19, hence the test is typically skipped now.
(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4)
---
test/test-network/systemd-networkd-tests.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 92cb07f11c..0355c7aca1 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities):
self.assertIn('pref high', output)
self.assertNotIn('pref low', output)
+ # radvd supports captive portal since v2.20.
+ # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc
@unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals")
def test_captive_portal(self):
copy_network_unit('25-veth-client.netdev',


@ -0,0 +1,27 @@
From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 17:40:28 +0100
Subject: [PATCH] CI: disable secure boot in mkosi GHA runs
Booting a guest with secure boot is broken in Azure due to a hypervisor
bug. Disable it for now. Given there's no option, need to edit
the configuration on the fly.
(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52)
---
.github/workflows/mkosi.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 425d737b62..62efd367cb 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -117,6 +117,8 @@ jobs:
- name: Configure
run: |
+ # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
+ sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}
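Review bot: the `XXX` comment should carry the tracking issue for the Hyper-V secure boot bug, otherwise nobody will know when `sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build` can be reverted. Because the rewrite happens at configure time, the committed test definitions and what CI actually runs diverge silently; a line in the job log stating which files were patched would make that visible. Note `\s` is a GNU sed extension, fine on the Ubuntu runners but not portable.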


@ -0,0 +1,23 @@
From d89c99c7ad165fa2471e1c5c1a3bdedab0818da9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:40:10 +0100
Subject: [PATCH] mkosi: bump to latest
(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f)
---
.github/workflows/mkosi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 62efd367cb..3a8dabd95c 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -92,7 +92,7 @@ jobs:
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+ - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
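Review bot: pinning `systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e` by full commit hash is the right supply-chain practice for third-party actions, but the bare hash gives a reviewer nothing to compare against. Add a trailing comment with the mkosi tag or date that this commit corresponds to, as is common with pinned actions, so the bump can be audited without opening the mkosi repository.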

0032-NEWS-fix-typo.patch Normal file

@ -0,0 +1,23 @@
From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001
From: Carlo Teubner <carlo@cteubner.net>
Date: Tue, 18 Jun 2024 09:41:59 +0100
Subject: [PATCH] NEWS: fix typo
(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e)
---
NEWS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index bbee0852be..da81fe3c5d 100644
--- a/NEWS
+++ b/NEWS
@@ -195,7 +195,7 @@ CHANGES WITH 256:
additional per-user service managers, whose users are transient and
are only defined as long as the service manager is running. (This is
implemented via DynamicUser=1), allowing a user manager to be used to
- manager a group of processes without needing to create an actual user
+ manage a group of processes without needing to create an actual user
account. These service managers run with home directories of
/var/lib/capsules/<capsule-name> and can contain regular services and
other units. A capsule is started via a simple "systemctl start


@ -0,0 +1,69 @@
From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 7 Jun 2024 21:39:45 +0100
Subject: [PATCH] install: allow removing symlinks even for units that are gone
If a symlink is leftover, still allow cleaning it up via 'disable'. This
happens when a unit is stopped and removed, but not disabled, and a reload
has already happened. At that point, cleaning up the old symlinks becomes
impossible through the APIs, and needs to be done manually. Always allow
cleaning up symlinks, if they exist, by only erroring out if there is an
OOM.
Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017
(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892)
---
src/shared/install.c | 14 ++++++++++----
test/units/TEST-26-SYSTEMCTL.sh | 6 ++++++
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index dd2bd5c948..c94b456c21 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal(
else {
log_debug_errno(r, "Unit %s not found, removing name.", i->name);
r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL);
- if (r < 0)
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
return r;
}
} else if (r < 0) {
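Review bot: the commit message says removal should fail only on OOM, but `if (r != -ENOENT) return r;` still returns on every other error `install_changes_add()` reports; either the message or the condition should be narrowed so they match. The condition also returns early for any non-negative `r`. Since `install_changes_add()` is expected to hand back the negative errno it was given, that is harmless here, but `if (r < 0 && r != -ENOENT)` states the intent and stays safe if that function's return convention ever changes.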
@@ -2874,9 +2876,13 @@ static int do_unit_file_disable(
r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info);
if (r >= 0)
r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL);
-
- if (r < 0)
- return install_changes_add(changes, n_changes, r, *name, NULL);
+ if (r < 0) {
+ r = install_changes_add(changes, n_changes, r, *name, NULL);
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
+ return r;
+ }
/* If we enable multiple units, some with install info and others without,
* the "empty [Install] section" warning is not shown. Let's make the behavior
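Review bot: after swallowing `-ENOENT` here, execution continues with an `info` that `install_info_add()` created but whose `install_info_traverse()` may have failed part-way, and the `r < 0` early return that used to guard against that is gone. Please confirm that the code after this hunk only consults the names needed to remove symlinks and tolerates a partially loaded entry, and add a short comment at the continuation point saying that `info` may be incomplete.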
diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh
index ae7a5d6eb6..1471f3fd9e 100755
--- a/test/units/TEST-26-SYSTEMCTL.sh
+++ b/test/units/TEST-26-SYSTEMCTL.sh
@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME"
systemctl help "$UNIT_NAME"
systemctl service-watchdogs
systemctl service-watchdogs "$(systemctl service-watchdogs)"
+# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers
+systemctl enable "$UNIT_NAME"
+systemctl stop "$UNIT_NAME"
+rm -f "/usr/lib/systemd/system/$UNIT_NAME"
+systemctl daemon-reload
+systemctl disable "$UNIT_NAME"
# show/set-environment
# Make sure PATH is set
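Review bot: the new block only checks that `systemctl disable` exits 0 after the unit file is gone; it does not verify that the enablement symlink was actually unlinked, which is the behaviour the install.c change is meant to fix. Add a `test ! -L` on the symlink under /etc/systemd/system/ (or check that `systemctl list-unit-files` no longer reports the unit) after the disable, so a regression that merely returns success without removing the link is caught. Also note that `rm -f "/usr/lib/systemd/system/$UNIT_NAME"` deletes the unit for good; any later step in this script that still uses `$UNIT_NAME` now runs against a missing unit.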


@ -0,0 +1,35 @@
From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:54:33 +0200
Subject: [PATCH] tmpfiles: honour --dry-run when removing directories
(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6)
---
src/tmpfiles/tmpfiles.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 807925f199..283be21d16 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -3024,10 +3024,16 @@ static int remove_recursive(
return r;
if (remove_instance) {
- log_debug("Removing directory \"%s\".", instance);
- r = RET_NERRNO(rmdir(instance));
- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY))
- return log_error_errno(r, "Failed to remove %s: %m", instance);
+ log_action("Would remove", "Removing", "%s directory \"%s\".", instance);
+ if (!arg_dry_run) {
+ r = RET_NERRNO(rmdir(instance));
+ if (r < 0) {
+ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);
+ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance);
+ if (fatal)
+ return r;
+ }
+ }
}
return 0;
}
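Review bot: in dry-run mode the rmdir() is skipped entirely, so "Would remove" is printed for every directory, while the real run tolerates -ENOENT and -ENOTEMPTY and leaves non-empty directories in place. A `--dry-run --purge` listing therefore overstates what the subsequent real run removes; consider checking emptiness (or existence) before logging, or wording the message as a conditional removal. Minor: the non-fatal errnos are now logged at LOG_DEBUG as "Failed to remove", where before they were silently ignored, which is fine but is a visible change in debug output.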


@ -0,0 +1,68 @@
From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:55:20 +0200
Subject: [PATCH] tmpfiles: insist on at least one configuration file being
specified on --purge
Also, extend the man page explanation substantially, matching more
closely what --create says.
Fixes: #33349
(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d)
---
man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------
src/tmpfiles/tmpfiles.c | 4 ++++
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 9767aead85..2a494b9c5c 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -151,12 +151,26 @@
<varlistentry>
<term><option>--purge</option></term>
- <listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
- <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
- (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
- to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
- and directories will be deleted.</para>
+
+ <listitem><para>If this option is passed, all files and directories marked for
+ <emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
+ line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
+ marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
+ <varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
+ <varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
+ <varname>w</varname>, <varname>e</varname>. If this switch is used at least one
+ <filename>tmpfiles.d/</filename> file (or <filename>-</filename> for standard input) must be
+ specified on the command line or the invocation will be refused, for safety reasons (as otherwise
+ much of the installed system files might be removed).</para>
+
+ <para>The primary usecase for this option is to automatically remove files and directories that
+ originally have been created on behalf of an installed packaged at package removal time.</para>
+
+ <para>It is recommended to first run this command in combination with <option>--dry-run</option>
+ (see below) to verify which files and directories will be deleted.</para>
+
+ <para><emphasis>Warning!</emphasis> This is is usually not the command you want! In most cases
+ <option>--remove</option> is what you are looking for.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
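Review bot: three typos in the new paragraphs: "usecase" should be "use case", "installed packaged" should be "installed package", and "This is is usually" doubles "is". The sentence "If this switch is used at least one ... file ... must be specified" also needs a comma after "used". Since the list of affected line types (f, F, d, D, v, q, Q, p, L, c, b, C, w, e) is now normative, it would help to state that removal-type lines (r, R) are not acted on by --purge, matching the --remove/--purge contrast introduced in the --help text.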
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 283be21d16..1704197207 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"You need to specify at least one of --clean, --create, --remove, or --purge.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without specification of a configuration file.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");
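Review bot: the error text could point at the `-` argument for standard input that the man page now documents, e.g. "Refusing --purge without a configuration file (or '-' for standard input)."; as written, a user who wants to purge from a piped config gets no hint that it is possible. The placement after the operation-selection check and before the --replace check means the refusal also fires when --purge is combined with other operations, which looks intended.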


@ -0,0 +1,37 @@
From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:56:15 +0200
Subject: [PATCH] tmpfiles: move --purge to command section in --help text
where it belongs
Also, make contrast between --remove and --purge clearer: one deletes
files marked for deletion, the other deletes files marked for creation.
(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625)
---
src/tmpfiles/tmpfiles.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 1704197207..8cc8c1ccd6 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4148,7 +4148,9 @@ static int help(void) {
"\n%3$sCommands:%4$s\n"
" --create Create files and directories\n"
" --clean Clean up files and directories\n"
- " --remove Remove files and directories\n"
+ " --remove Remove files and directories marked for removal\n"
+ " --purge Delete files and directories marked for creation in\n"
+ " specified configuration files (careful!)\n"
" -h --help Show this help\n"
" --version Show package version\n"
"\n%3$sOptions:%4$s\n"
@@ -4157,7 +4159,6 @@ static int help(void) {
" --tldr Show non-comment parts of configuration\n"
" --boot Execute actions only safe at boot\n"
" --graceful Quietly ignore unknown users or groups\n"
- " --purge Delete all files owned by the configuration files\n"
" --prefix=PATH Only apply rules with the specified prefix\n"
" --exclude-prefix=PATH Ignore rules with the specified prefix\n"
" -E Ignore rules prefixed with /dev, /proc, /run, /sys\n"


@ -0,0 +1,37 @@
From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 18 Jun 2024 13:35:32 +0100
Subject: [PATCH] mkosi: restrict noble-backports to noble builds
Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7
(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac)
---
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 1 +
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
index 0ec4807822..582f038b5f 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=!x86-64
Architecture=!x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
index c08eeac337..7347be9069 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=|x86-64
Architecture=|x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources


@ -0,0 +1,22 @@
From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Tue, 18 Jun 2024 14:07:50 +0200
Subject: [PATCH] repart: fix memory leak
(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a)
---
src/partition/repart.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 78cf60f724..8f64520ee7 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep);
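Review bot: registering arg_defer_partitions with freep mirrors arg_filter_partitions, which is right if it is a plain array with a separate element count; if it were a strv it would need strv_freep like arg_copy_from above. Worth a glance at the declaration since the two cleanup styles are adjacent here.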


@ -0,0 +1,42 @@
From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 17:55:31 +0900
Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field
The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME,
while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot
adjust timestamp by comparing with header monotonic timestamp and
_SOURCE_MONOTONIC_TIMESTAMP field.
Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170.
Fixes #33293.
(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6)
---
src/shared/logs-show.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index c71c868889..153a4110ce 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -450,6 +450,9 @@ static void parse_display_realtime(
assert(j);
assert(ret);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
/* First, try _SOURCE_REALTIME_TIMESTAMP. */
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
*ret = t;
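Review bot: overriding the `source_monotonic` parameter to NULL at the top of the function keeps the callers looking up a journal field whose value is then discarded, and the `// FIXME` leaves the wrong-clock behaviour as a landmine for the next reader. Dropping the parameter from parse_display_realtime() and parse_display_timestamp() (or having the callers stop reading _SOURCE_MONOTONIC_TIMESTAMP) would make the intent visible at the call sites; if the plan is to re-enable the adjustment once the field is in CLOCK_MONOTONIC, the comment should say so.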
@@ -488,6 +491,9 @@ static void parse_display_timestamp(
assert(ret_display_ts);
assert(ret_boot_id);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
source_ts.realtime = t;


@ -0,0 +1,86 @@
From 13a07024f674e770844de29cd3d01cb7117f56d9 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 8 Jul 2024 14:44:45 +0200
Subject: [PATCH] taint: remove unmerged-bin
In rhel10 we will have separate bin and sbin
RHEL-only: policy
Resolves: RHEL-46277
---
catalog/systemd.catalog.in | 1 -
catalog/systemd.pl.catalog.in | 1 -
man/org.freedesktop.systemd1.xml | 9 ---------
src/core/taint.c | 7 +------
4 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 2831152763..66ffefd1c8 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -560,7 +560,6 @@ Support: %SUPPORT_URL%
The following "tags" are possible:
- "unmerged-usr" - /bin, /sbin, /lib* are not symlinks to their counterparts
under /usr/
-- "unmerged-bin" - /usr/sbin is not a symlink to /usr/bin/
- "var-run-bad" — /var/run is not a symlink to /run/
- "cgroupsv1" - the system is using the deprecated cgroup v1 hierarchy
- "local-hwclock" - the local hardware clock (RTC) is configured to be in
diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in
index 75039e9fcd..fcba4b500a 100644
--- a/catalog/systemd.pl.catalog.in
+++ b/catalog/systemd.pl.catalog.in
@@ -566,7 +566,6 @@ Support: %SUPPORT_URL%
Możliwe są następujące „etykiety”:
• „unmerged-usr” — /bin, /sbin, /lib* nie są dowiązaniami symbolicznymi
do swoich odpowiedników pod /usr/,
-• „unmerged-bin” — /usr/sbin nie jest dowiązaniem symbolicznym do /usr/bin/,
• „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run/,
• „cgroupsv1” — system używa przestarzałej hierarchii cgroup v1,
• „local-hwclock” — lokalny zegar sprzętowy (RTC) jest skonfigurowany
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index b0b45097e3..f2b5ca39e7 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -1666,15 +1666,6 @@ node /org/freedesktop/systemd1 {
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
- <varlistentry>
- <term><literal>unmerged-bin</literal></term>
-
- <listitem><para><filename>/usr/sbin</filename> is not a symlink to <filename>/usr/bin/</filename>.
- </para>
-
- <xi:include href="version-info.xml" xpointer="v256"/></listitem>
- </varlistentry>
-
<varlistentry>
<term><literal>var-run-bad</literal></term>
diff --git a/src/core/taint.c b/src/core/taint.c
index 969b37f209..4c98312f54 100644
--- a/src/core/taint.c
+++ b/src/core/taint.c
@@ -32,7 +32,7 @@ static int short_uid_gid_range(UIDRangeUsernsMode mode) {
}
char* taint_string(void) {
- const char *stage[12] = {};
+ const char *stage[11] = {};
size_t n = 0;
/* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at
@@ -44,11 +44,6 @@ char* taint_string(void) {
if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
stage[n++] = "unmerged-usr";
- /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
- * too. */
- if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
- stage[n++] = "unmerged-bin";
-
if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
stage[n++] = "var-run-bad";
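Review bot: with the /usr/sbin check gone, `usr_sbin` is no longer read in this function; if it is still declared in the `_cleanup_free_` list above this hunk, it is now an unused variable and should be dropped in the same patch. The `stage[]` shrink from 12 to 11 in the previous hunk matches the one removed tag. Note that removing the tag outright means the Tainted property will never report "unmerged-bin" on RHEL even where /usr/sbin is a symlink, which is consistent with the stated policy but is an observable difference from upstream v256 that downstream documentation should mention.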


@ -0,0 +1,28 @@
From c2f507732264038dbef44b7652c8f5dee148e1e2 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 8 Jul 2024 13:13:10 +0200
Subject: [PATCH] presets: remove resolved
We noticed that some people are installing systemd* and then
have daemons they don't need running. So let's remove resolved
from presets so its usage is a bit more deliberate
RHEL-only: policy
Resolves: RHEL-46576
---
presets/90-systemd.preset | 1 -
1 file changed, 1 deletion(-)
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 004ea6fe14..676f14f0d3 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -27,7 +27,6 @@ enable systemd-networkd.service
enable systemd-networkd-wait-online.service
enable systemd-nsresourced.socket
enable systemd-pstore.service
-enable systemd-resolved.service
enable systemd-sysext.service
enable systemd-timesyncd.service
enable systemd-userdbd.socket
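Review bot: dropping `enable systemd-resolved.service` only changes what `systemctl preset` does on new installations; hosts that already have the unit enabled keep it, so the change is upgrade-asymmetric and should be called out in release notes. Together with the removal of the resolved %post/%posttrans scriptlets in this same commit, a fresh install will neither enable resolved nor point /etc/resolv.conf at the stub, which is coherent; but any other preset file or package that still enables systemd-resolved would silently bring it back, so check for those.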


@ -1 +1 @@
SHA512 (systemd-256.tar.gz) = d9080d31ced29cd288d3511f64f527808a880eb93aa95c3febd47d0296ae89197e46f6813fbde0c682bf73297d1bb4bb8f7ab92ccaf1ab30f019fbd9176099d6
SHA512 (systemd-256.tar.gz) = cfb2bff8d9937245e65581253bba9278533b76ae0f0275fdad59471d8c6089bba2bcd3f0655b34f4b8d7d82fa037c4e6fe18c2227e9f93d62494a2a6cb2db4ec
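Review bot: the archive name `systemd-256.tar.gz` is unchanged while its SHA512 moves from d9080d31... to cfb2bff8..., so the tarball was regenerated rather than re-fetched. That is expected when the archive is produced from the source-git tree, but a same-name, different-hash source update is exactly the pattern a supply-chain reviewer should stop on: the commit message should state where the new archive comes from, and carrying the snapshot identifier in the archive name would keep the two versions distinguishable in the lookaside cache.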


@ -48,7 +48,7 @@ Url: https://systemd.io
# Allow users to specify the version and release when building the rpm by
# setting the %%version_override and %%release_override macros.
Version: %{?version_override}%{!?version_override:256}
Release: 2%{?dist}
Release: 3%{?dist}
%global stable %(c="%version"; [ "$c" = "${c#*.*}" ]; echo $?)
@ -106,29 +106,70 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# applying upstream pull requests.
# RHEL-specific
Patch0001: 0001-ci-update-workflows-to-run-on-source-git-setup.patch
Patch0002: 0002-ci-setup-source-git-automation.patch
Patch0003: 0003-ci-deploy-systemd-man-to-GitHub-Pages.patch
Patch0004: 0004-ci-reconfigure-Packit-for-RHEL-10.patch
Patch0005: 0005-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
Patch0006: 0006-journal-again-create-user-journals-for-users-with-hi.patch
Patch0007: 0007-tmpfiles-make-purge-hard-to-mis-use.patch
Patch0008: 0008-fedora-use-system-auth-in-pam-systemd-user.patch
Patch0009: 0009-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
Patch0010: 0010-rules-copy-40-redhat.rules-from-RHEL-9.patch
Patch0011: 0011-logind-set-RemoveIPC-to-false-by-default.patch
Patch0012: 0012-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
Patch0013: 0013-rc-local-order-after-network-online.target.patch
Patch0014: 0014-random-util-increase-random-seed-size-to-1024.patch
Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0016: 0016-journald.conf-don-t-touch-current-audit-settings.patch
Patch0017: 0017-rules-add-elevator-kernel-command-line-parameter.patch
Patch0018: 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
Patch0019: 0019-udev-net-setup-link-change-the-default-MACAddressPol.patch
Patch0020: 0020-core-decrease-log-level-of-messages-about-use-of-Kil.patch
Patch0021: 0021-meson-rename-libbasic-to-libbasic_static.patch
Patch0022: 0022-meson-build-libsystemd-core-via-an-intermediate-stat.patch
Patch0023: 0023-meson-add-option-to-build-systemd-executor-staticall.patch
Patch0001: 0001-Create-CNAME.patch
Patch0002: 0002-man-systemd-reorder-content-a-bit.patch
Patch0003: 0003-hostnamed-don-t-allow-hostnamed-to-exit-on-idle-if-v.patch
Patch0004: 0004-sd-dhcp-server-clear-buffer-before-receive.patch
Patch0005: 0005-rules-Limit-the-number-of-device-units-generated-for.patch
Patch0006: 0006-strbuf-use-GREEDY_REALLOC-to-grow-the-buffer.patch
Patch0007: 0007-tpm2-setup-Don-t-fail-if-we-can-t-access-the-TPM-due.patch
Patch0008: 0008-resolved-permit-dnssec-rrtype-questions-when-we-aren.patch
Patch0009: 0009-repart-Use-crypt_reencrypt_run-if-available.patch
Patch0010: 0010-test-dump-a-simple-summary-at-the-end-of-TEST-02-UNI.patch
Patch0011: 0011-repart-Use-CRYPT_ACTIVATE_PRIVATE.patch
Patch0012: 0012-NEWS-note-that-new-stable-releases-will-be-in-the-ma.patch
Patch0013: 0013-shell-completion-only-offer-devices-for-completion.patch
Patch0014: 0014-CODING_STYLE-document-reterr_-return-parameters.patch
Patch0015: 0015-analyze-show-pcrs-also-in-sha384-bank.patch
Patch0016: 0016-fundamental-declare-flex-array-updated-for-gcc15-and.patch
Patch0017: 0017-man-add-a-bit-of-a-warning-to-systemd-tmpfiles-purge.patch
Patch0018: 0018-man-units-drop-temporary-from-description-of-systemd.patch
Patch0019: 0019-mkosi-enable-unprivileged-user-ns-for-integration-te.patch
Patch0020: 0020-mkosi-use-ports.ubuntu.com-for-non-x86-backports.patch
Patch0021: 0021-mkosi-install-EFI-packages-only-on-EFI-architectures.patch
Patch0022: 0022-test-check-the-skip-condition-before-installing-addi.patch
Patch0023: 0023-test-drop-unneeded-firmware-uefi-setting.patch
Patch0024: 0024-test-drop-obsolete-comment.patch
Patch0025: 0025-test-support-TEST_NO_KVM.patch
Patch0026: 0026-test-support-TEST_NO_QEMU-in-mkosi-integration-wrapp.patch
Patch0027: 0027-test-use-auto-instead-of-uefi-for-automated-fallback.patch
Patch0028: 0028-core-service-fix-accept-socket-deserialization.patch
Patch0029: 0029-test-network-mention-that-the-captive-portal-option-.patch
Patch0030: 0030-CI-disable-secure-boot-in-mkosi-GHA-runs.patch
Patch0031: 0031-mkosi-bump-to-latest.patch
Patch0032: 0032-NEWS-fix-typo.patch
Patch0033: 0033-install-allow-removing-symlinks-even-for-units-that-.patch
Patch0034: 0034-tmpfiles-honour-dry-run-when-removing-directories.patch
Patch0035: 0035-tmpfiles-insist-on-at-least-one-configuration-file-b.patch
Patch0036: 0036-tmpfiles-move-purge-to-command-section-in-help-text-.patch
Patch0037: 0037-mkosi-restrict-noble-backports-to-noble-builds.patch
Patch0038: 0038-repart-fix-memory-leak.patch
Patch0039: 0039-logs-show-do-not-use-_SOURCE_MONOTONIC_TIMESTAMP-fie.patch
Patch0040: 0040-ci-update-workflows-to-run-on-source-git-setup.patch
Patch0041: 0041-ci-setup-source-git-automation.patch
Patch0042: 0042-ci-deploy-systemd-man-to-GitHub-Pages.patch
Patch0043: 0043-ci-reconfigure-Packit-for-RHEL-10.patch
Patch0044: 0044-ci-allow-to-pass-parameters-together-with-rhel-only-.patch
Patch0045: 0045-journal-again-create-user-journals-for-users-with-hi.patch
Patch0046: 0046-tmpfiles-make-purge-hard-to-mis-use.patch
Patch0047: 0047-fedora-use-system-auth-in-pam-systemd-user.patch
Patch0048: 0048-net-naming-scheme-start-rhel10-naming-and-include-rh.patch
Patch0049: 0049-rules-copy-40-redhat.rules-from-RHEL-9.patch
Patch0050: 0050-logind-set-RemoveIPC-to-false-by-default.patch
Patch0051: 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch
Patch0052: 0052-rc-local-order-after-network-online.target.patch
Patch0053: 0053-random-util-increase-random-seed-size-to-1024.patch
Patch0054: 0054-journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0055: 0055-journald.conf-don-t-touch-current-audit-settings.patch
Patch0056: 0056-rules-add-elevator-kernel-command-line-parameter.patch
Patch0057: 0057-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
Patch0058: 0058-udev-net-setup-link-change-the-default-MACAddressPol.patch
Patch0059: 0059-core-decrease-log-level-of-messages-about-use-of-Kil.patch
Patch0060: 0060-meson-rename-libbasic-to-libbasic_static.patch
Patch0061: 0061-meson-build-libsystemd-core-via-an-intermediate-stat.patch
Patch0062: 0062-meson-add-option-to-build-systemd-executor-staticall.patch
Patch0063: 0063-taint-remove-unmerged-bin.patch
Patch0064: 0064-presets-remove-resolved.patch
# Downstream-only patches (90009999)
@ -614,7 +655,7 @@ CONFIGURE_OPTS=(
-Dfirst-boot-full-preset=true
-Ddefault-network=true
-Dtests=unsafe
-Dinstall-tests=true
-Dinstall-tests=false
-Dnobody-user=nobody
-Dnobody-group=nobody
-Dcompat-mutable-uid-boundaries=true
@ -818,7 +859,7 @@ install -Dm0644 10-timeout-abort.conf.user %{buildroot}%{user_unit_dir}/service.
# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
install -Dm0644 -t %{buildroot}%{_prefix}/lib/sysctl.d/ %{SOURCE17}
sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py
sed -i 's|#!/usr/bin/env python3|#!%{__python3}|' %{buildroot}/usr/lib/systemd/tests/run-unit-tests.py || :
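Review bot: with `-Dinstall-tests=false`, /usr/lib/systemd/tests/run-unit-tests.py is no longer in the buildroot, so this `sed -i` now fails on every build and the appended `|| :` only hides that. Either drop the line or guard it with `[ -e ... ] &&`, so that a genuine failure (for instance the file reappearing with a shebang that must be rewritten) is not masked.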
install -m 0644 -D -t %{buildroot}%{_rpmconfigdir}/macros.d/ %{SOURCE21}
# Use rpm's own sysusers provides where available
@ -965,17 +1006,6 @@ fi
%firewalld_reload
%post resolved
[ $1 -eq 1 ] || exit 0
# Initial installation
touch %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
# Related to https://bugzilla.redhat.com/show_bug.cgi?id=1943263
if ls /usr/lib/systemd/libsystemd-shared-24[0-8].so &>/dev/null; then
echo "Skipping presets for systemd-resolved.service, seems we are upgrading from old systemd."
exit 0
fi
%systemd_post systemd-resolved.service
%preun resolved
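Review bot: removing `%post resolved` also removes the `%systemd_post systemd-resolved.service` call, so the subpackage no longer applies presets on first install at all, while `%preun` and `%postun` still disable and restart it. That is consistent with the preset change, but it also drops the libsystemd-shared-24[0-8] upgrade workaround tied to bz#1943263; if in-place upgrades from those versions are not supported for this release, say so in the changelog so the removal is obviously safe.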
@ -996,40 +1026,6 @@ fi
%postun resolved
%systemd_postun_with_restart systemd-resolved.service
%posttrans resolved
[ -e %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation ] || exit 0
rm %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation
# Initial installation
# Create /etc/resolv.conf symlink.
# (https://bugzilla.redhat.com/show_bug.cgi?id=1873856)
#
# We would also create it using tmpfiles, but let's do this here too
# before NetworkManager gets a chance. (systemd-tmpfiles invocation
# above does not do this, because the line is marked with ! and
# tmpfiles is invoked without --boot in the scriptlet.)
#
# *Create* the symlink if nothing is present yet.
# (https://bugzilla.redhat.com/show_bug.cgi?id=2032085)
#
# *Override* the symlink if systemd is running. Don't do it if systemd
# is not running, because that will immediately break DNS resolution,
# since systemd-resolved is also not running
# (https://bugzilla.redhat.com/show_bug.cgi?id=1891847).
#
# Also don't create the symlink to the stub when the stub is disabled (#1891847 again).
if systemctl -q is-enabled systemd-resolved.service &>/dev/null &&
! systemd-analyze cat-config systemd/resolved.conf 2>/dev/null |
grep -iqE '^DNSStubListener\s*=\s*(no?|false|0|off)\s*$'; then
if ! test -e /etc/resolv.conf && ! test -L /etc/resolv.conf; then
ln -sv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || :
elif test -d /run/systemd/system/ &&
! mountpoint /etc/resolv.conf &>/dev/null; then
ln -fsv ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || :
fi
fi
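Review bot: dropping this %posttrans means the package no longer creates or overrides the /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf symlink, and the patch list already carries 0051-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch, so nothing in this package manages that link any more. The changelog entry "remove resolved scriptlets" should name which component now owns /etc/resolv.conf, since the removed comments document several reported breakages (bz#1873856, bz#2032085, bz#1891847) that this logic existed to avoid.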
%pre
getent group systemd-oom &>/dev/null || groupadd -r systemd-oom 2>&1 || :
getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /sbin/nologin -c "systemd Userspace OOM Killer" systemd-oom &>/dev/null || :
@ -1101,6 +1097,12 @@ rm -f .file-list-*
rm -f %{name}.lang
%changelog
* Mon Jul 08 2024 systemd maintenance team <systemd-maint@redhat.com> - 256-3
- taint: remove unmerged-bin (RHEL-46277)
- presets: remove resolved (RHEL-46576)
- remove resolved scriptlets
- don't install tests
* Thu Jul 04 2024 systemd maintenance team <systemd-maint@redhat.com> - 256-2
- logind: set RemoveIPC to false by default (RHEL-40924)
- tmpfiles: don't create resolv.conf -> stub-resolv.conf symlink (RHEL-40924)