rpms/systemd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import systemd-239-70.el8

Browse Source
This commit is contained in:
CentOS Sources 2023-01-21 06:10:08 +00:00 committed by Stepan Oksanichenko
parent a6a51e8d0a
commit 781eabcc57
16 changed files with 1219 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
SOURCES/0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch Normal file
View File

@ -0,0 +1,32 @@
From 2fe9fb3e844d7991105c40d4363eed9069a6837d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 18 Nov 2022 16:16:36 +0100
Subject: [PATCH] basic: recognize pdfs filesystem as a network filesystem
Fujitsu advises their users to always use _netdev mount option with pdfs
mounts. Hence it makes sense to simply consider pdfs mounts as network
filesystem mounts.
https://software.fujitsu.com/jp/manual/manualfiles/m130027/j2ul1563/02enz200/j1563-02-06-02-02.html
RHEL-only
Resolves: #2094661
---
src/basic/mount-util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c
index e7f9e514c2..983566b46b 100644
--- a/src/basic/mount-util.c
+++ b/src/basic/mount-util.c
@@ -634,7 +634,8 @@ bool fstype_is_network(const char *fstype) {
"glusterfs",
"pvfs2", /* OrangeFS */
"ocfs2",
- "lustre");
+ "lustre",
+ "pdfs");
}
bool fstype_is_api_vfs(const char *fstype) {

49
SOURCES/0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch Normal file
View File

@ -0,0 +1,49 @@
From 4bb425eea9f3037a583a23d99f15aa71562f2481 Mon Sep 17 00:00:00 2001
From: Anita Zhang <the.anitazha@gmail.com>
Date: Thu, 17 Sep 2020 01:49:17 -0700
Subject: [PATCH] core: move reset_arguments() to the end of main's finish
Fixes #16991
fb39af4ce42d7ef9af63009f271f404038703704 replaced `free_arguments()` with
`reset_arguments()`, which frees arg_* variables as before, but also resets all
of them to the default values. `reset_arguments()` was positioned
in such a way that it overrode some arg_* values still in use at shutdown.
To avoid further unintentional resets, I moved `reset_arguments()`
right before the return, when nothing else will be using the arg_* variables.
(cherry picked from commit 7d9eea2bd3d4f83668c7a78754d201b226acbf1e)
Resolves: #2127131
---
src/core/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/core/main.c b/src/core/main.c
index bfd4c531a7..cfa6fec930 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2631,7 +2631,6 @@ finish:
m = manager_free(m);
}
- reset_arguments();
mac_selinux_finish();
if (reexecute)
@@ -2656,6 +2655,7 @@ finish:
* in become_shutdown() so normally we cannot free them yet. */
watchdog_free_device();
arg_watchdog_device = mfree(arg_watchdog_device);
+ reset_arguments();
return retval;
}
#endif
@@ -2677,5 +2677,6 @@ finish:
freeze_or_reboot();
}
+ reset_arguments();
return retval;
}

91
SOURCES/0841-manager-move-inc.-of-n_reloading-into-a-function.patch Normal file
View File

@ -0,0 +1,91 @@
From 708c394b7ca35fe2328fa0760696ff95caab8ff8 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Tue, 29 Nov 2022 16:15:47 +0100
Subject: [PATCH] manager: move inc. of n_reloading into a function
[dtardon: This is inspired by commit d147e2b66b4d6b71db1bc59b62286b2eb9c3d29f ,
but it does just the minimal change needed for the next commit.]
Related: #2136869
---
src/core/main.c | 2 +-
src/core/manager.c | 12 ++++++++----
src/core/manager.h | 1 +
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index cfa6fec930..c3e2ce8956 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1131,7 +1131,7 @@ static int prepare_reexecute(Manager *m, FILE **_f, FDSet **_fds, bool switching
return log_error_errno(r, "Failed to create serialization file: %m");
/* Make sure nothing is really destructed when we shut down */
- m->n_reloading++;
+ manager_reloading_start(m);
bus_manager_send_reloading(m, true);
fds = fdset_new();
diff --git a/src/core/manager.c b/src/core/manager.c
index f4611e6f8f..f923cbce37 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1578,6 +1578,10 @@ static void manager_preset_all(Manager *m) {
log_info("Populated /etc with preset unit settings.");
}
+void manager_reloading_start(Manager *m) {
+ m->n_reloading++;
+}
+
int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {
int r;
@@ -1609,7 +1613,7 @@ int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {
* this is already known, so we increase the counter here
* already */
if (serialization)
- m->n_reloading++;
+ manager_reloading_start(m);
/* First, enumerate what we can from all config files */
dual_timestamp_get(m->timestamps + MANAGER_TIMESTAMP_UNITS_LOAD_START);
@@ -3093,7 +3097,7 @@ int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root) {
assert(f);
assert(fds);
- m->n_reloading++;
+ manager_reloading_start(m);
fprintf(f, "current-job-id=%"PRIu32"\n", m->current_job_id);
fprintf(f, "n-installed-jobs=%u\n", m->n_installed_jobs);
@@ -3211,7 +3215,7 @@ int manager_deserialize(Manager *m, FILE *f, FDSet *fds) {
log_debug("Deserializing state...");
- m->n_reloading++;
+ manager_reloading_start(m);
for (;;) {
_cleanup_free_ char *line = NULL;
@@ -3455,7 +3459,7 @@ int manager_reload(Manager *m) {
if (r < 0)
return r;
- m->n_reloading++;
+ manager_reloading_start(m);
bus_manager_send_reloading(m, true);
fds = fdset_new();
diff --git a/src/core/manager.h b/src/core/manager.h
index 3f2cfc5e2e..adbbb518cb 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -386,6 +386,7 @@ int manager_new(UnitFileScope scope, unsigned test_run_flags, Manager **m);
Manager* manager_free(Manager *m);
DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
+void manager_reloading_start(Manager *m);
int manager_startup(Manager *m, FILE *serialization, FDSet *fds);
Job *manager_get_job(Manager *m, uint32_t id);

59
SOURCES/0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch Normal file
View File

@ -0,0 +1,59 @@
From 22eb8fbdab14e5b1b11a4d84c83bef97317e1d2a Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 2 Sep 2021 16:37:13 +0200
Subject: [PATCH] core: Add new DBUS properties UnitsReloadStartTimestamp and
UnitsLoadTimestampMontonic
(cherry picked from commit 49fbe940a429c3d8807bacdfce03af834275257c)
Related: #2136869
---
src/core/dbus-manager.c | 1 +
src/core/manager.c | 2 ++
src/core/manager.h | 1 +
3 files changed, 4 insertions(+)
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 5b1ed3646e..8a41eda4a6 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -2486,6 +2486,7 @@ const sd_bus_vtable bus_manager_vtable[] = {
BUS_PROPERTY_DUAL_TIMESTAMP("GeneratorsFinishTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_GENERATORS_FINISH]), SD_BUS_VTABLE_PROPERTY_CONST),
BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadStartTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_START]), SD_BUS_VTABLE_PROPERTY_CONST),
BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadFinishTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD_FINISH]), SD_BUS_VTABLE_PROPERTY_CONST),
+ BUS_PROPERTY_DUAL_TIMESTAMP("UnitsLoadTimestamp", offsetof(Manager, timestamps[MANAGER_TIMESTAMP_UNITS_LOAD]), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_WRITABLE_PROPERTY("LogLevel", "s", property_get_log_level, property_set_log_level, 0, 0),
SD_BUS_WRITABLE_PROPERTY("LogTarget", "s", property_get_log_target, property_set_log_target, 0, 0),
SD_BUS_PROPERTY("NNames", "u", property_get_hashmap_size, offsetof(Manager, units), 0),
diff --git a/src/core/manager.c b/src/core/manager.c
index f923cbce37..8aa398cac8 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -1580,6 +1580,7 @@ static void manager_preset_all(Manager *m) {
void manager_reloading_start(Manager *m) {
m->n_reloading++;
+ dual_timestamp_get(m->timestamps + MANAGER_TIMESTAMP_UNITS_LOAD);
}
int manager_startup(Manager *m, FILE *serialization, FDSet *fds) {
@@ -4622,6 +4623,7 @@ static const char *const manager_timestamp_table[_MANAGER_TIMESTAMP_MAX] = {
[MANAGER_TIMESTAMP_GENERATORS_FINISH] = "generators-finish",
[MANAGER_TIMESTAMP_UNITS_LOAD_START] = "units-load-start",
[MANAGER_TIMESTAMP_UNITS_LOAD_FINISH] = "units-load-finish",
+ [MANAGER_TIMESTAMP_UNITS_LOAD] = "units-load",
};
DEFINE_STRING_TABLE_LOOKUP(manager_timestamp, ManagerTimestamp);
diff --git a/src/core/manager.h b/src/core/manager.h
index adbbb518cb..98d381bc5b 100644
--- a/src/core/manager.h
+++ b/src/core/manager.h
@@ -67,6 +67,7 @@ typedef enum ManagerTimestamp {
MANAGER_TIMESTAMP_GENERATORS_FINISH,
MANAGER_TIMESTAMP_UNITS_LOAD_START,
MANAGER_TIMESTAMP_UNITS_LOAD_FINISH,
+ MANAGER_TIMESTAMP_UNITS_LOAD,
_MANAGER_TIMESTAMP_MAX,
_MANAGER_TIMESTAMP_INVALID = -1,
} ManagerTimestamp;

29
SOURCES/0843-core-Indicate-the-time-when-the-manager-started-load.patch Normal file
View File

@ -0,0 +1,29 @@
From f2de5398b0a1ebb3e6390506368c11329b843524 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 2 Sep 2021 16:50:50 +0200
Subject: [PATCH] core: Indicate the time when the manager started loading
units the last time
(cherry picked from commit 15b9243c0d7f6d1531fa65dbc01bd11e8e6c12ca)
Resolves: #2136869
---
src/core/manager.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/core/manager.c b/src/core/manager.c
index 8aa398cac8..a9cd51b624 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3554,6 +3554,11 @@ int manager_reload(Manager *m) {
/* Let's finally catch up with any changes that took place while we were reloading/reexecing */
manager_catchup(m);
+ /* Create a file which will indicate when the manager started loading units the last time. */
+ (void) touch_file("/run/systemd/systemd-units-load", false,
+ m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME),
+ UID_INVALID, GID_INVALID, 0444);
+
/* Sync current state of bus names with our set of listening units */
q = manager_enqueue_sync_bus_names(m);
if (q < 0 && r >= 0)

34
SOURCES/0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch Normal file
View File

@ -0,0 +1,34 @@
From 3c2d2345814935cea8525e802e764fb2949eb3df Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@microsoft.com>
Date: Mon, 27 Dec 2021 18:22:43 +0000
Subject: [PATCH] core: do not touch /run/systemd/systemd-units-load from user
session instances
Follow-up for: https://github.com/systemd/systemd/commit/15b9243c0d7f6d1531fa65dbc01bd11e8e6c12ca
Fixes: https://github.com/systemd/systemd/issues/21911
(cherry picked from commit 4b3ad81bfafcd97acb06db463495e348d159d8e6)
Related: #2136869
---
src/core/manager.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/core/manager.c b/src/core/manager.c
index a9cd51b624..e083596e58 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -3555,9 +3555,10 @@ int manager_reload(Manager *m) {
manager_catchup(m);
/* Create a file which will indicate when the manager started loading units the last time. */
- (void) touch_file("/run/systemd/systemd-units-load", false,
- m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME),
- UID_INVALID, GID_INVALID, 0444);
+ if (MANAGER_IS_SYSTEM(m))
+ (void) touch_file("/run/systemd/systemd-units-load", false,
+ m->timestamps[MANAGER_TIMESTAMP_UNITS_LOAD].realtime ?: now(CLOCK_REALTIME),
+ UID_INVALID, GID_INVALID, 0444);
/* Sync current state of bus names with our set of listening units */
q = manager_enqueue_sync_bus_names(m);

49
SOURCES/0845-sysctl-downgrade-message-when-we-have-no-permission.patch Normal file
View File

@ -0,0 +1,49 @@
From ffe4233155085b479c69abe844a34de212b8e5e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 16 Jan 2020 14:45:28 +0100
Subject: [PATCH] sysctl: downgrade message when we have no permission
We need to run sysctl also in containers, because the network
subtree is namespaces and may legitimately be writable. But logging
all "errors" at notice level creates unwanted noise.
Also downgrade message about missing sysctls to log_info. This might also be
relatively common when configuration is targeted at different kernel
versions. With log_debug it'll still end up in the logs, but isn't really worth
of "notice" most of the time.
https://bugzilla.redhat.com/show_bug.cgi?id=1609806
(cherry picked from commit 32458cc9687c1b60ff0f22c0e71da93ce78b1534)
Resolves: #2158160
---
src/sysctl/sysctl.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
index 4c85d6887f..dc14e1aaf1 100644
--- a/src/sysctl/sysctl.c
+++ b/src/sysctl/sysctl.c
@@ -82,13 +82,15 @@ static int apply_all(OrderedHashmap *sysctl_options) {
k = sysctl_write(option->key, option->value);
if (k < 0) {
/* If the sysctl is not available in the kernel or we are running with reduced
- * privileges and cannot write it, then log about the issue at LOG_NOTICE level, and
- * proceed without failing. (EROFS is treated as a permission problem here, since
- * that's how container managers usually protected their sysctls.) In all other cases
- * log an error and make the tool fail. */
-
- if (IN_SET(k, -EPERM, -EACCES, -EROFS, -ENOENT) || option->ignore_failure)
- log_notice_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
+ * privileges and cannot write it, then log about the issue, and proceed without
+ * failing. (EROFS is treated as a permission problem here, since that's how
+ * container managers usually protected their sysctls.) In all other cases log an
+ * error and make the tool fail. */
+
+ if (option->ignore_failure || k == -EROFS || ERRNO_IS_PRIVILEGE(k))
+ log_debug_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
+ else if (k == -ENOENT)
+ log_info_errno(k, "Couldn't write '%s' to '%s', ignoring: %m", option->value, option->key);
else {
log_error_errno(k, "Couldn't write '%s' to '%s': %m", option->value, option->key);
if (r == 0)

53
SOURCES/0846-core-respect-SELinuxContext-for-socket-creation.patch Normal file
View File

@ -0,0 +1,53 @@
From 1f408c8d9739b1038012eeec7bf0f918c8095bc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 23 Sep 2022 19:00:22 +0200
Subject: [PATCH] core: respect SELinuxContext= for socket creation
On socket creation respect the SELinuxContext= setting of the associated
service, such that the initial created socket has the same label as the
future process accepting the connection (since w.r.t SELinux sockets
normally have the same label as the owning process).
Triggered by #24702
(cherry picked from commit 599b384924bbef9f8f7fa5700c6fa35a404d9a98)
Related: #2136738
---
src/core/socket.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index 9d47ca2616..d1ca0a07c5 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1427,6 +1427,7 @@ fail:
static int socket_determine_selinux_label(Socket *s, char **ret) {
Service *service;
ExecCommand *c;
+ const char *exec_context;
_cleanup_free_ char *path = NULL;
int r;
@@ -1448,8 +1449,20 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
if (!UNIT_ISSET(s->service))
goto no_label;
-
service = SERVICE(UNIT_DEREF(s->service));
+
+ exec_context = service->exec_context.selinux_context;
+ if (exec_context) {
+ char *con;
+
+ con = strdup(exec_context);
+ if (!con)
+ return -ENOMEM;
+
+ *ret = TAKE_PTR(con);
+ return 0;
+ }
+
c = service->exec_command[SERVICE_EXEC_START];
if (!c)
goto no_label;

128
SOURCES/0847-manager-use-target-process-context-to-set-socket-con.patch Normal file
View File

@ -0,0 +1,128 @@
From 3f90090e70a5fa81bced17792fe08d9c46324da9 Mon Sep 17 00:00:00 2001
From: "Ted X. Toth" <txtoth@flycast.org>
Date: Thu, 13 Oct 2022 12:58:26 -0700
Subject: [PATCH] manager: use target process context to set socket context
Use target process context to set socket context when using SELinuxContextFromNet
not systemd's context. Currently when using the SELinuxContextFromNet option for
a socket activated services, systemd calls getcon_raw which returns init_t and
uses the resulting context to compute the context to be passed to the
setsockcreatecon call. A socket of type init_t is created and listened on and
this means that SELinux policy cannot be written to control which processes
(SELinux types) can connect to the socket since the ref policy allows all
'types' to connect to sockets of the type init_t. When security accessors see
that any process can connect to a socket this raises serious concerns. I have
spoken with SELinux contributors in person and on the mailing list and the
consensus is that the best solution is to use the target executables context
when computing the sockets context in all cases.
[zjs review/comment:
This removes the branch that was added in 16115b0a7b7cdf08fb38084d857d572d8a9088dc.
16115b0a7b7cdf08fb38084d857d572d8a9088dc did two things: it had the branch here
in 'socket_determine_selinux_label()' and a code in 'exec_child()' to call
'label_get_child_mls_label(socket_fd, command->path, &label)'.
Before this patch, the flow was:
'''
mac_selinux_get_child_mls_label:
peercon = getpeercon_raw(socket_fd);
if (!exec_label)
exec_label = getfilecon_raw(exe);
socket_open_fds:
if (params->selinux_context_net) #
label = mac_selinux_get_our_label(); # this part is removed
else #
label = mac_selinux_get_create_label_from_exe(path);
socket_address_listen_in_cgroup(s, &p->address, label);
exec_child():
exec_context = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context);
setexeccon(exec_context);
'''
]
(cherry picked from commit 29dbc62d74f7b7881dc3136e68e03a03ea055b36)
Resolves: #2136738
---
src/core/socket.c | 58 ++++++++++++++++++++---------------------------
1 file changed, 24 insertions(+), 34 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index d1ca0a07c5..8aa5463b25 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1434,47 +1434,37 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
assert(s);
assert(ret);
- if (s->selinux_context_from_net) {
- /* If this is requested, get label from the network label */
-
- r = mac_selinux_get_our_label(ret);
- if (r == -EOPNOTSUPP)
- goto no_label;
-
- } else {
- /* Otherwise, get it from the executable we are about to start */
- r = socket_instantiate_service(s);
- if (r < 0)
- return r;
+ r = socket_instantiate_service(s);
+ if (r < 0)
+ return r;
- if (!UNIT_ISSET(s->service))
- goto no_label;
- service = SERVICE(UNIT_DEREF(s->service));
+ if (!UNIT_ISSET(s->service))
+ goto no_label;
+ service = SERVICE(UNIT_DEREF(s->service));
- exec_context = service->exec_context.selinux_context;
- if (exec_context) {
- char *con;
+ exec_context = service->exec_context.selinux_context;
+ if (exec_context) {
+ char *con;
- con = strdup(exec_context);
- if (!con)
- return -ENOMEM;
+ con = strdup(exec_context);
+ if (!con)
+ return -ENOMEM;
- *ret = TAKE_PTR(con);
- return 0;
- }
+ *ret = TAKE_PTR(con);
+ return 0;
+ }
- c = service->exec_command[SERVICE_EXEC_START];
- if (!c)
- goto no_label;
+ c = service->exec_command[SERVICE_EXEC_START];
+ if (!c)
+ goto no_label;
- r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
- if (r < 0)
- goto no_label;
+ r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);
+ if (r < 0)
+ goto no_label;
- r = mac_selinux_get_create_label_from_exe(path, ret);
- if (IN_SET(r, -EPERM, -EOPNOTSUPP))
- goto no_label;
- }
+ r = mac_selinux_get_create_label_from_exe(path, ret);
+ if (IN_SET(r, -EPERM, -EOPNOTSUPP))
+ goto no_label;
return r;

142
SOURCES/0848-virt-detect-Amazon-EC2-Nitro-instance.patch Normal file
View File

@ -0,0 +1,142 @@
From 6ffd3de2ccc5901974f292c9694829e25441060d Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin <bertrand@jacquin.bzh>
Date: Sun, 11 Oct 2020 21:25:00 +0100
Subject: [PATCH] virt: detect Amazon EC2 Nitro instance
Amazon EC2 Nitro hypervisor is technically based on KVM[1], which
systemd-detect-virt identify propely from CPUID. However the lack of
CPUID on aarch64 (A1, T4 instance type) prevents a correct
identification, impacting hostnamectl and systemd-random-seed. Instead
it's possible to identify virtualization from DMI vendor ID.
Prior to this commit:
# hostnamectl
Static hostname: n/a
Transient hostname: ip-10-97-8-12
Icon name: computer
Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b
Boot ID: b7b7e2fe0079448db664839df59f9817
Operating System: Gentoo/Linux
Kernel: Linux 5.4.69-longterm
Architecture: arm64
After this commit:
# hostnamectl
Static hostname: n/a
Transient hostname: ip-10-97-8-12
Icon name: computer-vm
Chassis: vm
Machine ID: 8e3772fbcfa3dd6f330a12ff5df5a63b
Boot ID: bd04da57084e41078f20541101867113
Virtualization: amazon
Operating System: Gentoo/Linux
Kernel: Linux 5.4.69-longterm
Architecture: arm64
[1] https://aws.amazon.com/ec2/faqs/
(cherry picked from commit b6eca3731dd92b009b182f188936e1c2544574da)
Resolves: #2117948
---
man/systemd-detect-virt.xml | 7 ++++++-
man/systemd.unit.xml | 1 +
src/basic/virt.c | 8 +++++---
src/basic/virt.h | 1 +
src/test/test-condition.c | 1 +
5 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
index 6beb2c2aa1..61c210e24d 100644
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -72,7 +72,12 @@
<row>
<entry><varname>kvm</varname></entry>
- <entry>Linux KVM kernel virtual machine, with whatever software, except Oracle Virtualbox</entry>
+ <entry>Linux KVM kernel virtual machine, in combination with QEMU. Not used for other virtualizers using the KVM interfaces, such as Oracle VirtualBox or Amazon EC2 Nitro, see below.</entry>
+ </row>
+
+ <row>
+ <entry><varname>amazon</varname></entry>
+ <entry>Amazon EC2 Nitro using Linux KVM</entry>
</row>
<row>
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 6f213ccd56..5207a5bb3c 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1068,6 +1068,7 @@
virtualization solution, or one of
<varname>qemu</varname>,
<varname>kvm</varname>,
+ <literal>amazon</literal>,
<varname>zvm</varname>,
<varname>vmware</varname>,
<varname>microsoft</varname>,
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 8d862b6d67..78c68d66e0 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -147,6 +147,7 @@ static int detect_vm_dmi(void) {
int id;
} dmi_vendor_table[] = {
{ "KVM", VIRTUALIZATION_KVM },
+ { "Amazon EC2", VIRTUALIZATION_AMAZON },
{ "QEMU", VIRTUALIZATION_QEMU },
/* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */
{ "VMware", VIRTUALIZATION_VMWARE },
@@ -339,8 +340,8 @@ int detect_vm(void) {
/* We have to use the correct order here:
*
- * → First, try to detect Oracle Virtualbox, even if it uses KVM, as well as Xen even if it cloaks as Microsoft
- * Hyper-V.
+ * → First, try to detect Oracle Virtualbox and Amazon EC2 Nitro, even if they use KVM, as well as Xen even if
+ * it cloaks as Microsoft Hyper-V.
*
* → Second, try to detect from CPUID, this will report KVM for whatever software is used even if info in DMI is
* overwritten.
@@ -348,7 +349,7 @@ int detect_vm(void) {
* → Third, try to detect from DMI. */
dmi = detect_vm_dmi();
- if (IN_SET(dmi, VIRTUALIZATION_ORACLE, VIRTUALIZATION_XEN)) {
+ if (IN_SET(dmi, VIRTUALIZATION_ORACLE, VIRTUALIZATION_XEN, VIRTUALIZATION_AMAZON)) {
r = dmi;
goto finish;
}
@@ -631,6 +632,7 @@ int running_in_chroot(void) {
static const char *const virtualization_table[_VIRTUALIZATION_MAX] = {
[VIRTUALIZATION_NONE] = "none",
[VIRTUALIZATION_KVM] = "kvm",
+ [VIRTUALIZATION_AMAZON] = "amazon",
[VIRTUALIZATION_QEMU] = "qemu",
[VIRTUALIZATION_BOCHS] = "bochs",
[VIRTUALIZATION_XEN] = "xen",
diff --git a/src/basic/virt.h b/src/basic/virt.h
index 640b3ed779..ed4ff063e0 100644
--- a/src/basic/virt.h
+++ b/src/basic/virt.h
@@ -10,6 +10,7 @@ enum {
VIRTUALIZATION_VM_FIRST,
VIRTUALIZATION_KVM = VIRTUALIZATION_VM_FIRST,
+ VIRTUALIZATION_AMAZON,
VIRTUALIZATION_QEMU,
VIRTUALIZATION_BOCHS,
VIRTUALIZATION_XEN,
diff --git a/src/test/test-condition.c b/src/test/test-condition.c
index 24395dafc6..29ea63c4ff 100644
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -510,6 +510,7 @@ static void test_condition_test_virtualization(void) {
NULSTR_FOREACH(virt,
"kvm\0"
+ "amazon\0"
"qemu\0"
"bochs\0"
"xen\0"

37
SOURCES/0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch Normal file
View File

@ -0,0 +1,37 @@
From e320f72150829228f10ec24f3fba34d5377c5120 Mon Sep 17 00:00:00 2001
From: Bertrand Jacquin <bertrand@jacquin.bzh>
Date: Sun, 11 Oct 2020 22:25:56 +0100
Subject: [PATCH] machine-id-setup: generate machine-id from DMI product ID on
Amazon EC2
Amazon EC2 Nitro hypervisor is technically based on KVM[1].
[1] https://aws.amazon.com/ec2/faqs/
(cherry picked from commit 382a46d129899ca9027b07c325102cab173dd563)
Related: #2117948
---
src/core/machine-id-setup.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/core/machine-id-setup.c b/src/core/machine-id-setup.c
index 11528f83c4..fe2abc4e68 100644
--- a/src/core/machine-id-setup.c
+++ b/src/core/machine-id-setup.c
@@ -57,11 +57,11 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
return 0;
}
- } else if (detect_vm() == VIRTUALIZATION_KVM) {
+ } else if (IN_SET(detect_vm(), VIRTUALIZATION_KVM, VIRTUALIZATION_AMAZON, VIRTUALIZATION_QEMU)) {
- /* If we are not running in a container, see if we are
- * running in qemu/kvm and a machine ID was passed in
- * via -uuid on the qemu/kvm command line */
+ /* If we are not running in a container, see if we are running in a VM that provides
+ * a system UUID via the SMBIOS/DMI interfaces. Such environments include QEMU/KVM
+ * with the -uuid on the qemu command line or the Amazon EC2 Nitro hypervisor. */
if (id128_read("/sys/class/dmi/id/product_uuid", ID128_UUID, ret) >= 0) {
log_info("Initializing machine ID from KVM UUID.");

134
SOURCES/0850-virt-use-string-table-to-detect-VM-or-container.patch Normal file
View File

@ -0,0 +1,134 @@
From efa2cdb699df3e5d5d7180e50f3ebfff74788c5c Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 7 Jan 2020 11:49:39 +0900
Subject: [PATCH] virt: use string table to detect VM or container
(cherry picked from commit 735ea55f5cd87a82757a8911edd80fba799b46ee)
Related: #2117948
---
src/basic/virt.c | 73 ++++++++++++++++++++++--------------------------
1 file changed, 33 insertions(+), 40 deletions(-)
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 78c68d66e0..6e4c702051 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -22,27 +22,26 @@
#include "string-util.h"
#include "virt.h"
+static const char *const vm_table[_VIRTUALIZATION_MAX] = {
+ [VIRTUALIZATION_XEN] = "XenVMMXenVMM",
+ [VIRTUALIZATION_KVM] = "KVMKVMKVM",
+ [VIRTUALIZATION_QEMU] = "TCGTCGTCGTCG",
+ /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */
+ [VIRTUALIZATION_VMWARE] = "VMwareVMware",
+ /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */
+ [VIRTUALIZATION_MICROSOFT] = "Microsoft Hv",
+ /* https://wiki.freebsd.org/bhyve */
+ [VIRTUALIZATION_BHYVE] = "bhyve bhyve ",
+ [VIRTUALIZATION_QNX] = "QNXQVMBSQG",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(vm, int);
+
static int detect_vm_cpuid(void) {
/* CPUID is an x86 specific interface. */
#if defined(__i386__) || defined(__x86_64__)
- static const struct {
- const char *cpuid;
- int id;
- } cpuid_vendor_table[] = {
- { "XenVMMXenVMM", VIRTUALIZATION_XEN },
- { "KVMKVMKVM", VIRTUALIZATION_KVM },
- { "TCGTCGTCGTCG", VIRTUALIZATION_QEMU },
- /* http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1009458 */
- { "VMwareVMware", VIRTUALIZATION_VMWARE },
- /* https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs */
- { "Microsoft Hv", VIRTUALIZATION_MICROSOFT },
- /* https://wiki.freebsd.org/bhyve */
- { "bhyve bhyve ", VIRTUALIZATION_BHYVE },
- { "QNXQVMBSQG", VIRTUALIZATION_QNX },
- };
-
uint32_t eax, ebx, ecx, edx;
bool hypervisor;
@@ -59,7 +58,7 @@ static int detect_vm_cpuid(void) {
uint32_t sig32[3];
char text[13];
} sig = {};
- unsigned j;
+ int v;
/* There is a hypervisor, see what it is */
__cpuid(0x40000000U, eax, ebx, ecx, edx);
@@ -70,11 +69,11 @@ static int detect_vm_cpuid(void) {
log_debug("Virtualization found, CPUID=%s", sig.text);
- for (j = 0; j < ELEMENTSOF(cpuid_vendor_table); j ++)
- if (streq(sig.text, cpuid_vendor_table[j].cpuid))
- return cpuid_vendor_table[j].id;
+ v = vm_from_string(sig.text);
+ if (v < 0)
+ return VIRTUALIZATION_VM_OTHER;
- return VIRTUALIZATION_VM_OTHER;
+ return v;
}
#endif
log_debug("No virtualization found in CPUID");
@@ -434,22 +433,20 @@ finish:
return r;
}
-int detect_container(void) {
- static const struct {
- const char *value;
- int id;
- } value_table[] = {
- { "lxc", VIRTUALIZATION_LXC },
- { "lxc-libvirt", VIRTUALIZATION_LXC_LIBVIRT },
- { "systemd-nspawn", VIRTUALIZATION_SYSTEMD_NSPAWN },
- { "docker", VIRTUALIZATION_DOCKER },
- { "rkt", VIRTUALIZATION_RKT },
- };
+static const char *const container_table[_VIRTUALIZATION_MAX] = {
+ [VIRTUALIZATION_LXC] = "lxc",
+ [VIRTUALIZATION_LXC_LIBVIRT] = "lxc-libvirt",
+ [VIRTUALIZATION_SYSTEMD_NSPAWN] = "systemd-nspawn",
+ [VIRTUALIZATION_DOCKER] = "docker",
+ [VIRTUALIZATION_RKT] = "rkt",
+};
+
+DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int);
+int detect_container(void) {
static thread_local int cached_found = _VIRTUALIZATION_INVALID;
_cleanup_free_ char *m = NULL;
const char *e = NULL;
- unsigned j;
int r;
if (cached_found >= 0)
@@ -522,13 +519,9 @@ int detect_container(void) {
goto finish;
translate_name:
- for (j = 0; j < ELEMENTSOF(value_table); j++)
- if (streq(e, value_table[j].value)) {
- r = value_table[j].id;
- goto finish;
- }
-
- r = VIRTUALIZATION_CONTAINER_OTHER;
+ r = container_from_string(e);
+ if (r < 0)
+ r = VIRTUALIZATION_CONTAINER_OTHER;
finish:
log_debug("Found container virtualization %s.", virtualization_to_string(r));

194
SOURCES/0851-fileio-introduce-read_full_virtual_file-for-reading-.patch Normal file
View File

@ -0,0 +1,194 @@
From 7a3843972ea290daf1bec5e1133db654749b8c02 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Tue, 22 Oct 2019 16:09:21 +0200
Subject: [PATCH] fileio: introduce read_full_virtual_file() for reading
virtual files in sysfs, procfs
Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work
with two sorts of virtual files.
One sort uses "seq_file", and the results of the first read are buffered for
the second read. The other sort uses "raw" reads which always go direct to the
device.
In the later case, the content of the virtual file must be retrieved with a
single read otherwise subsequent read might get the new value instead of
finding EOF immediately. That's the reason why the usage of fread(3) is
prohibited in this case as it always performs a second call to read(2) looking
for EOF which is subject to the race described previously.
Fixes: #13585.
(cherry picked from commit 21b40f16622f171a9969dc334d74fb5eb2f575c2)
Related: #2117948
---
src/basic/fileio.c | 115 ++++++++++++++++++++++++++-
src/basic/fileio.h | 1 +
src/libsystemd/sd-device/sd-device.c | 2 +-
3 files changed, 113 insertions(+), 5 deletions(-)
diff --git a/src/basic/fileio.c b/src/basic/fileio.c
index 6b0bad5b71..733fb42463 100644
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -276,6 +276,113 @@ int verify_file(const char *fn, const char *blob, bool accept_extra_nl) {
return 1;
}
+int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size) {
+ _cleanup_free_ char *buf = NULL;
+ _cleanup_close_ int fd = -1;
+ struct stat st;
+ size_t n, size;
+ int n_retries;
+ char *p;
+
+ assert(ret_contents);
+
+ /* Virtual filesystems such as sysfs or procfs use kernfs, and kernfs can work
+ * with two sorts of virtual files. One sort uses "seq_file", and the results of
+ * the first read are buffered for the second read. The other sort uses "raw"
+ * reads which always go direct to the device. In the latter case, the content of
+ * the virtual file must be retrieved with a single read otherwise a second read
+ * might get the new value instead of finding EOF immediately. That's the reason
+ * why the usage of fread(3) is prohibited in this case as it always performs a
+ * second call to read(2) looking for EOF. See issue 13585. */
+
+ fd = open(filename, O_RDONLY|O_CLOEXEC);
+ if (fd < 0)
+ return -errno;
+
+ /* Start size for files in /proc which usually report a file size of 0. */
+ size = LINE_MAX / 2;
+
+ /* Limit the number of attempts to read the number of bytes returned by fstat(). */
+ n_retries = 3;
+
+ for (;;) {
+ if (n_retries <= 0)
+ return -EIO;
+
+ if (fstat(fd, &st) < 0)
+ return -errno;
+
+ if (!S_ISREG(st.st_mode))
+ return -EBADF;
+
+ /* Be prepared for files from /proc which generally report a file size of 0. */
+ if (st.st_size > 0) {
+ size = st.st_size;
+ n_retries--;
+ } else
+ size = size * 2;
+
+ if (size > READ_FULL_BYTES_MAX)
+ return -E2BIG;
+
+ p = realloc(buf, size + 1);
+ if (!p)
+ return -ENOMEM;
+ buf = TAKE_PTR(p);
+
+ for (;;) {
+ ssize_t k;
+
+ /* Read one more byte so we can detect whether the content of the
+ * file has already changed or the guessed size for files from /proc
+ * wasn't large enough . */
+ k = read(fd, buf, size + 1);
+ if (k >= 0) {
+ n = k;
+ break;
+ }
+
+ if (errno != -EINTR)
+ return -errno;
+ }
+
+ /* Consider a short read as EOF */
+ if (n <= size)
+ break;
+
+ /* Hmm... either we read too few bytes from /proc or less likely the content
+ * of the file might have been changed (and is now bigger) while we were
+ * processing, let's try again either with a bigger guessed size or the new
+ * file size. */
+
+ if (lseek(fd, 0, SEEK_SET) < 0)
+ return -errno;
+ }
+
+ if (n < size) {
+ p = realloc(buf, n + 1);
+ if (!p)
+ return -ENOMEM;
+ buf = TAKE_PTR(p);
+ }
+
+ if (!ret_size) {
+ /* Safety check: if the caller doesn't want to know the size of what we
+ * just read it will rely on the trailing NUL byte. But if there's an
+ * embedded NUL byte, then we should refuse operation as otherwise
+ * there'd be ambiguity about what we just read. */
+
+ if (memchr(buf, 0, n))
+ return -EBADMSG;
+ } else
+ *ret_size = n;
+
+ buf[n] = 0;
+ *ret_contents = TAKE_PTR(buf);
+
+ return 0;
+}
+
int read_full_stream(FILE *f, char **contents, size_t *size) {
_cleanup_free_ char *buf = NULL;
struct stat st;
@@ -300,9 +407,9 @@ int read_full_stream(FILE *f, char **contents, size_t *size) {
if (st.st_size > READ_FULL_BYTES_MAX)
return -E2BIG;
- /* Start with the right file size, but be prepared for files from /proc which generally report a file
- * size of 0. Note that we increase the size to read here by one, so that the first read attempt
- * already makes us notice the EOF. */
+ /* Start with the right file size. Note that we increase the size
+ * to read here by one, so that the first read attempt already
+ * makes us notice the EOF. */
if (st.st_size > 0)
n = st.st_size + 1;
}
@@ -986,7 +1093,7 @@ int get_proc_field(const char *filename, const char *pattern, const char *termin
assert(pattern);
assert(field);
- r = read_full_file(filename, &status, NULL);
+ r = read_full_virtual_file(filename, &status, NULL);
if (r < 0)
return r;
diff --git a/src/basic/fileio.h b/src/basic/fileio.h
index 77e6206e95..c6ad375b8d 100644
--- a/src/basic/fileio.h
+++ b/src/basic/fileio.h
@@ -38,6 +38,7 @@ int write_string_filef(const char *fn, WriteStringFileFlags flags, const char *f
int read_one_line_file(const char *fn, char **line);
int read_full_file(const char *fn, char **contents, size_t *size);
int read_full_stream(FILE *f, char **contents, size_t *size);
+int read_full_virtual_file(const char *filename, char **ret_contents, size_t *ret_size);
int verify_file(const char *fn, const char *blob, bool accept_extra_nl);
diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
index be29053f8c..49750ba9d7 100644
--- a/src/libsystemd/sd-device/sd-device.c
+++ b/src/libsystemd/sd-device/sd-device.c
@@ -1798,7 +1798,7 @@ _public_ int sd_device_get_sysattr_value(sd_device *device, const char *sysattr,
size_t size;
/* read attribute value */
- r = read_full_file(path, &value, &size);
+ r = read_full_virtual_file(path, &value, &size);
if (r < 0)
return r;

118
SOURCES/0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch Normal file
View File

@ -0,0 +1,118 @@
From 44cbd79562ed55a8b0f2e5b5dc708265568ed9f8 Mon Sep 17 00:00:00 2001
From: Noah Meyerhans <nmeyerha@amazon.com>
Date: Fri, 30 Apr 2021 09:30:52 -0700
Subject: [PATCH] Use BIOS characteristics to distinguish EC2 bare-metal from
VMs
DMI vendor information fields do not provide enough information for us to
distinguish between Amazon EC2 virtual machines and bare-metal instances.
SMBIOS provides a BIOS Information
table (https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0.pdf
Ch. 7) that provides a field to indicate that the current machine is a virtual
machine. On EC2 virtual machine instances, this field is set, while bare-metal
instances leave this unset, so we inspect the field via the kernel's
/sys/firemware/dmi/entries interface.
Fixes #18929
(cherry picked from commit ce35037928f4c4c931088256853f07804ec7d235)
Related: #2117948
---
src/basic/virt.c | 65 +++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 61 insertions(+), 4 deletions(-)
diff --git a/src/basic/virt.c b/src/basic/virt.c
index 6e4c702051..00d1c894e6 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -22,6 +22,12 @@
#include "string-util.h"
#include "virt.h"
+enum {
+ SMBIOS_VM_BIT_SET,
+ SMBIOS_VM_BIT_UNSET,
+ SMBIOS_VM_BIT_UNKNOWN,
+};
+
static const char *const vm_table[_VIRTUALIZATION_MAX] = {
[VIRTUALIZATION_XEN] = "XenVMMXenVMM",
[VIRTUALIZATION_KVM] = "KVMKVMKVM",
@@ -131,9 +137,8 @@ static int detect_vm_device_tree(void) {
#endif
}
-static int detect_vm_dmi(void) {
#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
-
+static int detect_vm_dmi_vendor(void) {
static const char *const dmi_vendors[] = {
"/sys/class/dmi/id/product_name", /* Test this before sys_vendor to detect KVM over QEMU */
"/sys/class/dmi/id/sys_vendor",
@@ -179,11 +184,63 @@ static int detect_vm_dmi(void) {
return dmi_vendor_table[j].id;
}
}
-#endif
+ return VIRTUALIZATION_NONE;
+}
+
+static int detect_vm_smbios(void) {
+ /* The SMBIOS BIOS Charateristics Extension Byte 2 (Section 2.1.2.2 of
+ * https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.4.0.pdf), specifies that
+ * the 4th bit being set indicates a VM. The BIOS Characteristics table is exposed via the kernel in
+ * /sys/firmware/dmi/entries/0-0. Note that in the general case, this bit being unset should not
+ * imply that the system is running on bare-metal. For example, QEMU 3.1.0 (with or without KVM)
+ * with SeaBIOS does not set this bit. */
+ _cleanup_free_ char *s = NULL;
+ size_t readsize;
+ int r;
+
+ r = read_full_virtual_file("/sys/firmware/dmi/entries/0-0/raw", &s, &readsize);
+ if (r < 0) {
+ log_debug_errno(r, "Unable to read /sys/firmware/dmi/entries/0-0/raw, ignoring: %m");
+ return SMBIOS_VM_BIT_UNKNOWN;
+ }
+ if (readsize < 20 || s[1] < 20) {
+ /* The spec indicates that byte 1 contains the size of the table, 0x12 + the number of
+ * extension bytes. The data we're interested in is in extension byte 2, which would be at
+ * 0x13. If we didn't read that much data, or if the BIOS indicates that we don't have that
+ * much data, we don't infer anything from the SMBIOS. */
+ log_debug("Only read %zu bytes from /sys/firmware/dmi/entries/0-0/raw (expected 20)", readsize);
+ return SMBIOS_VM_BIT_UNKNOWN;
+ }
- log_debug("No virtualization found in DMI");
+ uint8_t byte = (uint8_t) s[19];
+ if (byte & (1U<<4)) {
+ log_debug("DMI BIOS Extension table indicates virtualization");
+ return SMBIOS_VM_BIT_SET;
+ }
+ log_debug("DMI BIOS Extension table does not indicate virtualization");
+ return SMBIOS_VM_BIT_UNSET;
+}
+#endif /* defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__) */
+
+static int detect_vm_dmi(void) {
+#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || defined(__aarch64__)
+
+ int r;
+ r = detect_vm_dmi_vendor();
+ /* The DMI vendor tables in /sys/class/dmi/id don't help us distinguish between Amazon EC2
+ * virtual machines and bare-metal instances, so we need to look at SMBIOS. */
+ if (r == VIRTUALIZATION_AMAZON && detect_vm_smbios() == SMBIOS_VM_BIT_UNSET)
+ return VIRTUALIZATION_NONE;
+
+ /* If we haven't identified a VM, but the firmware indicates that there is one, indicate as much. We
+ * have no further information about what it is. */
+ if (r == VIRTUALIZATION_NONE && detect_vm_smbios() == SMBIOS_VM_BIT_SET)
+ return VIRTUALIZATION_VM_OTHER;
+ return r;
+#else
return VIRTUALIZATION_NONE;
+#endif
}
static int detect_vm_xen(void) {

37
SOURCES/0853-device-drop-refuse_after.patch Normal file
View File

@ -0,0 +1,37 @@
From bb9d00035c00b8590c389e66b5d94334bbb7379d Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Mon, 30 Mar 2020 10:49:29 +0200
Subject: [PATCH] device: drop refuse_after
Scheduling devices after a given unit can be useful to start device *jobs* at a
specific time in the transaction, see commit 4195077ab4c823c.
This (hidden) change was introduced by commit eef85c4a3f8054d2.
(cherry picked from commit b862c25716520d9381d5a841dba0f0c14e9c970a)
[dtardon: This picks just the minimal relevant change from
c80a9a33d04fb4381327a69ce929c94a9f1d0e6c and
b862c25716520d9381d5a841dba0f0c14e9c970a]
Resolves: #2043524
---
src/core/unit.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index dfe0c243ef..9be2a0c326 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -2841,8 +2841,9 @@ int unit_add_dependency(
return 0;
}
- if ((d == UNIT_BEFORE && other->type == UNIT_DEVICE) ||
- (d == UNIT_AFTER && u->type == UNIT_DEVICE)) {
+ /* Note that ordering a device unit after a unit is permitted since it
+ * allows to start its job running timeout at a specific time. */
+ if (d == UNIT_BEFORE && other->type == UNIT_DEVICE) {
log_unit_warning(u, "Dependency Before=%s ignored (.device units cannot be delayed)", other->id);
return 0;
}

34
SPECS/systemd.spec
View File

@ -13,7 +13,7 @@
Name: systemd Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd Url: http://www.freedesktop.org/wiki/Software/systemd
Version: 239 Version: 239
Release: 69%{?dist} Release: 70%{?dist}
# For a breakdown of the licensing, see README # For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+ License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager Summary: System and Service Manager
@ -888,6 +888,21 @@ Patch0835: 0835-Fix-build-with-httpd-0.9.71.patch
Patch0836: 0836-ci-replace-LGTM-with-CodeQL.patch Patch0836: 0836-ci-replace-LGTM-with-CodeQL.patch
Patch0837: 0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch Patch0837: 0837-ci-mergify-Update-policy-Drop-LGTM-checks.patch
Patch0838: 0838-time-util-fix-buffer-over-run.patch Patch0838: 0838-time-util-fix-buffer-over-run.patch
Patch0839: 0839-basic-recognize-pdfs-filesystem-as-a-network-filesys.patch
Patch0840: 0840-core-move-reset_arguments-to-the-end-of-main-s-finis.patch
Patch0841: 0841-manager-move-inc.-of-n_reloading-into-a-function.patch
Patch0842: 0842-core-Add-new-DBUS-properties-UnitsReloadStartTimesta.patch
Patch0843: 0843-core-Indicate-the-time-when-the-manager-started-load.patch
Patch0844: 0844-core-do-not-touch-run-systemd-systemd-units-load-fro.patch
Patch0845: 0845-sysctl-downgrade-message-when-we-have-no-permission.patch
Patch0846: 0846-core-respect-SELinuxContext-for-socket-creation.patch
Patch0847: 0847-manager-use-target-process-context-to-set-socket-con.patch
Patch0848: 0848-virt-detect-Amazon-EC2-Nitro-instance.patch
Patch0849: 0849-machine-id-setup-generate-machine-id-from-DMI-produc.patch
Patch0850: 0850-virt-use-string-table-to-detect-VM-or-container.patch
Patch0851: 0851-fileio-introduce-read_full_virtual_file-for-reading-.patch
Patch0852: 0852-Use-BIOS-characteristics-to-distinguish-EC2-bare-met.patch
Patch0853: 0853-device-drop-refuse_after.patch
%ifarch %{ix86} x86_64 aarch64 %ifarch %{ix86} x86_64 aarch64
%global have_gnu_efi 1 %global have_gnu_efi 1
@ -1517,6 +1532,23 @@ fi
%files tests -f .file-list-tests %files tests -f .file-list-tests
%changelog %changelog
* Mon Jan 16 2023 systemd maintenance team <systemd-maint@redhat.com> - 239-70
- basic: recognize pdfs filesystem as a network filesystem (#2094661)
- core: move reset_arguments() to the end of main's finish (#2127131)
- manager: move inc. of n_reloading into a function (#2136869)
- core: Add new DBUS properties UnitsReloadStartTimestamp and UnitsLoadTimestampMontonic (#2136869)
- core: Indicate the time when the manager started loading units the last time (#2136869)
- core: do not touch /run/systemd/systemd-units-load from user session instances (#2136869)
- sysctl: downgrade message when we have no permission (#2158160)
- core: respect SELinuxContext= for socket creation (#2136738)
- manager: use target process context to set socket context (#2136738)
- virt: detect Amazon EC2 Nitro instance (#2117948)
- machine-id-setup: generate machine-id from DMI product ID on Amazon EC2 (#2117948)
- virt: use string table to detect VM or container (#2117948)
- fileio: introduce read_full_virtual_file() for reading virtual files in sysfs, procfs (#2117948)
- Use BIOS characteristics to distinguish EC2 bare-metal from VMs (#2117948)
- device: drop refuse_after (#2043524)
* Tue Nov 08 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-69 * Tue Nov 08 2022 systemd maintenance team <systemd-maint@redhat.com> - 239-69
- logind: optionally watch utmp for login data (#2122288) - logind: optionally watch utmp for login data (#2122288)
- logind: add hashtable for finding session by leader PID (#2122288) - logind: add hashtable for finding session by leader PID (#2122288)