diff --git a/0001-logind-set-RemoveIPC-to-false-by-default.patch b/0001-logind-set-RemoveIPC-to-false-by-default.patch new file mode 100644 index 0000000..b8a6be3 --- /dev/null +++ b/0001-logind-set-RemoveIPC-to-false-by-default.patch @@ -0,0 +1,47 @@ +From 5a66d993a5be88524d9952193b053eac607a5c17 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 10:58:28 +0200 +Subject: [PATCH] logind: set RemoveIPC to false by default + +RHEL-only + +Resolves: #1959836 + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index 3045c1b9ba..96fa076239 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -354,7 +354,7 @@ + user fully logs out. Takes a boolean argument. If enabled, the user may not consume IPC resources after the + last of the user's sessions terminated. This covers System V semaphores, shared memory and message queues, as + well as POSIX shared memory and message queues. Note that IPC objects of the root user and other system users +- are excluded from the effect of this setting. Defaults to yes. ++ are excluded from the effect of this setting. Defaults to no. + + + +diff --git a/src/login/logind-core.c b/src/login/logind-core.c +index 254a1a69fb..616c08132a 100644 +--- a/src/login/logind-core.c ++++ b/src/login/logind-core.c +@@ -34,7 +34,7 @@ void manager_reset_config(Manager *m) { + + m->n_autovts = 6; + m->reserve_vt = 6; +- m->remove_ipc = true; ++ m->remove_ipc = false; + m->inhibit_delay_max = 5 * USEC_PER_SEC; + m->user_stop_delay = 10 * USEC_PER_SEC; + +diff --git a/src/login/logind.conf.in b/src/login/logind.conf.in +index 2d084e134d..79d685b3de 100644 +--- a/src/login/logind.conf.in ++++ b/src/login/logind.conf.in +@@ -40,6 +40,6 @@ + #IdleActionSec=30min + #RuntimeDirectorySize=10% + #RuntimeDirectoryInodes=400k +-#RemoveIPC=yes ++#RemoveIPC=no + #InhibitorsMax=8192 + #SessionsMax=8192 
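Review bot: The man page hunk changes a single word ("Defaults to yes" → "Defaults to no"), so a reader of logind.conf(5) on this build cannot tell that the default now differs from upstream or what is given up: with `RemoveIPC=no` a user's System V and POSIX IPC objects outlive the last session, which is exactly the clean-up the surrounding paragraph describes. Suggest spelling that out in the same sentence, e.g. `Defaults to no on this distribution (upstream defaults to yes); set RemoveIPC=yes to reclaim a user's IPC objects when the last session ends.`, and mirroring it in the comment above `#RemoveIPC=no` in logind.conf.in. The matching `m->remove_ipc = false;` in manager_reset_config() would also benefit from a one-line `/* RHEL-only: upstream default is true */` so the next rebase does not silently revert it; manager_reset_config begins and ends outside the hunk.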
diff --git a/0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch b/0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch new file mode 100644 index 0000000..770bc36 --- /dev/null +++ b/0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch @@ -0,0 +1,38 @@ +From 92b6ae2097ae90355775217529d2fd55f7b84e31 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 5 Aug 2021 17:11:47 +0200 +Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf + symlink + +RHEL-only + +Resolves: #1989472 + +diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build +index b8d3919025..6ae9e3e0b8 100644 +--- a/tmpfiles.d/meson.build ++++ b/tmpfiles.d/meson.build +@@ -7,7 +7,6 @@ files = [['README', ''], + ['journal-nocow.conf', ''], + ['systemd-nologin.conf', 'HAVE_PAM'], + ['systemd-nspawn.conf', 'ENABLE_MACHINED'], +- ['systemd-resolve.conf', 'ENABLE_RESOLVE'], + ['systemd-tmp.conf', ''], + ['portables.conf', 'ENABLE_PORTABLED'], + ['systemd-pstore.conf', 'ENABLE_PSTORE'], +diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf +deleted file mode 100644 +index cb1c56d6a6..0000000000 +--- a/tmpfiles.d/systemd-resolve.conf ++++ /dev/null +@@ -1,10 +0,0 @@ +-# This file is part of systemd. +-# +-# systemd is free software; you can redistribute it and/or modify it +-# under the terms of the GNU Lesser General Public License as published by +-# the Free Software Foundation; either version 2.1 of the License, or +-# (at your option) any later version. +- +-# See tmpfiles.d(5) for details +- +-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf diff --git a/0003-Copy-40-redhat.rules-from-RHEL-8.patch b/0003-Copy-40-redhat.rules-from-RHEL-8.patch new file mode 100644 index 0000000..ab25ac5 --- /dev/null +++ b/0003-Copy-40-redhat.rules-from-RHEL-8.patch 
@@ -0,0 +1,73 @@ +From 24f033a2a5c03848ae518278c8025e13130146af Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Fri, 2 Jul 2021 13:25:51 +0200 +Subject: [PATCH] Copy 40-redhat.rules from RHEL-8 + +RHEL-only + +Resolves: #1978639 + +diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules +new file mode 100644 +index 0000000000..3c95cd2df0 +--- /dev/null ++++ b/rules.d/40-redhat.rules +@@ -0,0 +1,46 @@ ++# do not edit this file, it will be overwritten on update ++ ++# CPU hotadd request ++SUBSYSTEM=="cpu", ACTION=="add", TEST=="online", ATTR{online}=="0", ATTR{online}="1" ++ ++# Memory hotadd request ++SUBSYSTEM!="memory", GOTO="memory_hotplug_end" ++ACTION!="add", GOTO="memory_hotplug_end" ++CONST{arch}=="s390*", GOTO="memory_hotplug_end" ++CONST{arch}=="ppc64*", GOTO="memory_hotplug_end" ++ ++ENV{.state}="online" ++CONST{virt}=="none", ENV{.state}="online_movable" ++ATTR{state}=="offline", ATTR{state}="$env{.state}" ++ ++LABEL="memory_hotplug_end" ++ ++# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded ++ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge" ++ ++# load SCSI generic (sg) driver ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg" ++ ++# Rule for prandom character device node permissions ++KERNEL=="prandom", MODE="0644" ++ ++# Rules for creating the ID_PATH for SCSI devices based on the CCW bus ++# using the form: ccw--zfcp-: ++# ++ACTION=="remove", GOTO="zfcp_scsi_device_end" ++ ++# ++# Set environment variable "ID_ZFCP_BUS" to "1" if the devices ++# (both disk and partition) are SCSI devices based on FCP devices ++# ++KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1" ++ ++# For SCSI disks ++KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", 
SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}" ++ ++ ++# For partitions on a SCSI disk ++KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n" ++ ++LABEL="zfcp_scsi_device_end" +diff --git a/rules.d/meson.build b/rules.d/meson.build +index 5cecddb34f..c5c3590b29 100644 +--- a/rules.d/meson.build ++++ b/rules.d/meson.build +@@ -5,6 +5,7 @@ install_data( + install_dir : udevrulesdir) + + rules = files(''' ++ 40-redhat.rules + 60-autosuspend.rules + 60-block.rules + 60-cdrom_id.rules diff --git a/0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch new file mode 100644 index 0000000..f1d8ee6 --- /dev/null +++ b/0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch 
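Review bot: The by-path comment in the new 40-redhat.rules has lost its placeholders and now reads `# using the form: ccw--zfcp-:`, which no longer tells the reader what the links look like; the two SYMLINK lines below show the real shape, so the comment should state it as `# using the form: ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}[-part%n]`. The sg-driver lines call `/sbin/modprobe -bv sg` by absolute path; if this build targets a merged-/usr layout (inferred, not shown here) `/usr/sbin/modprobe` is the canonical spelling and the /sbin form works only through the compatibility symlink. The `.state` and `.ID_ZFCP_BUS` properties are dot-prefixed, which udev treats as private and does not persist to its database (worth confirming against udev(7)); a one-line comment saying the prefix is deliberate would stop someone "fixing" it.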
@@ -0,0 +1,41 @@ +From c9ca30a1debbdf24ab6fcbe1aa1ec7ac5f222cb4 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 15 May 2018 09:24:20 +0200 +Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will + +Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather +adds an After relationship. + +RHEL-only + +Resolves: #1959826 + +diff --git a/src/core/unit.c b/src/core/unit.c +index b1f1f5c82c..3a8251e2b8 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1280,12 +1280,7 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) { + } + + if (c->private_tmp) { +- +- /* FIXME: for now we make a special case for /tmp and add a weak dependency on +- * tmp.mount so /tmp being masked is supported. However there's no reason to treat +- * /tmp specifically and masking other mount units should be handled more +- * gracefully too, see PR#16894. */ +- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, "tmp.mount", true, UNIT_DEPENDENCY_FILE); ++ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE); + if (r < 0) + return r; + +diff --git a/units/basic.target b/units/basic.target +index d8cdd5ac14..9eae0782a2 100644 +--- a/units/basic.target ++++ b/units/basic.target +@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount + # require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as + # we support that unit being masked, and this should not be considered an error. + RequiresMountsFor=/var /var/tmp +-Wants=tmp.mount ++# RHEL-only: Disable /tmp on tmpfs. ++#Wants=tmp.mount diff --git a/0005-unit-don-t-add-Requires-for-tmp.mount.patch b/0005-unit-don-t-add-Requires-for-tmp.mount.patch new file mode 100644 index 0000000..07c9962 --- /dev/null +++ b/0005-unit-don-t-add-Requires-for-tmp.mount.patch 
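Review bot: The replacement line in unit_add_exec_dependencies drops the explanatory comment together with the Wants= half of the dependency, leaving a bare `r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);` whose divergence from upstream is visible only in the commit message. Suggest a comment above it: `/* RHEL-only: order after tmp.mount but do not pull it in, so PrivateTmp= never forces /tmp onto tmpfs; basic.target's Wants= on tmp.mount is disabled for the same reason. */`. The same applies to the basic.target hunk, where the sentence two lines above `#Wants=tmp.mount` ("only add a Wants= type dependency on /tmp") is now stale and should be rewritten rather than left contradicting the commented-out line. unit_add_exec_dependencies starts and ends outside the hunk.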
@@ -0,0 +1,34 @@ +From ba6b7f1b4409b337b5b4ffc47259ad5c43c436c4 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Mon, 5 Sep 2016 12:47:09 +0200 +Subject: [PATCH] unit: don't add Requires for tmp.mount + +rhel-only +Resolves: #1619292 + +diff --git a/src/core/mount.c b/src/core/mount.c +index 0170406351..4d407ca4e5 100644 +--- a/src/core/mount.c ++++ b/src/core/mount.c +@@ -335,7 +335,7 @@ static int mount_add_mount_dependencies(Mount *m) { + if (r < 0) + return r; + +- if (UNIT(m)->fragment_path) { ++ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) { + /* If we have fragment configuration, then make this dependency required */ + r = unit_add_dependency(other, UNIT_REQUIRES, UNIT(m), true, UNIT_DEPENDENCY_PATH); + if (r < 0) +diff --git a/src/core/unit.c b/src/core/unit.c +index 3a8251e2b8..d2adb447b6 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1520,7 +1520,7 @@ static int unit_add_mount_dependencies(Unit *u) { + if (r < 0) + return r; + +- if (m->fragment_path) { ++ if (m->fragment_path && !streq(m->id, "tmp.mount")) { + r = unit_add_dependency(u, UNIT_REQUIRES, m, true, di.origin_mask); + if (r < 0) + return r; diff --git a/0006-units-add-Install-section-to-tmp.mount.patch b/0006-units-add-Install-section-to-tmp.mount.patch new file mode 100644 index 0000000..0fe1a2a --- /dev/null +++ b/0006-units-add-Install-section-to-tmp.mount.patch @@ -0,0 +1,21 @@ +From 0e4d18011e394d83c5e6ce045c05b03619fe7145 Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Tue, 22 Jan 2019 10:28:42 +0100 +Subject: [PATCH] units: add [Install] section to tmp.mount + +RHEL-only + +Related: #1959826 + +diff --git a/units/tmp.mount b/units/tmp.mount +index 4e1bb8de24..4874e8daff 100644 +--- a/units/tmp.mount ++++ b/units/tmp.mount +@@ -23,3 +23,7 @@ What=tmpfs + Where=/tmp + Type=tmpfs + Options=mode=1777,strictatime,nosuid,nodev,size=50%,nr_inodes=1m ++ ++# Make 'systemctl enable tmp.mount' work: ++[Install] ++WantedBy=local-fs.target 
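Review bot: Both hunks special-case the literal `"tmp.mount"` in the condition but leave the comment in mount_add_mount_dependencies saying `/* If we have fragment configuration, then make this dependency required */`, which is no longer the whole truth; suggest `/* If we have fragment configuration, then make this dependency required — except for tmp.mount, which RHEL deliberately never requires (mirrored in unit_add_mount_dependencies) */`. The identical `!streq(…, "tmp.mount")` test appears in unit.c's unit_add_mount_dependencies with no comment at all, so the two sites can drift apart on the next rebase; a small shared predicate or at least a cross-referencing comment in each would keep them in step. Both enclosing functions begin and end outside their hunks.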
diff --git a/0007-rc-local-order-after-network-online.target.patch b/0007-rc-local-order-after-network-online.target.patch new file mode 100644 index 0000000..1bb46de --- /dev/null +++ b/0007-rc-local-order-after-network-online.target.patch @@ -0,0 +1,26 @@ +From 6dc2d5628fded20609561ca3c63517b3dc381042 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Thu, 11 Mar 2021 15:48:23 +0100 +Subject: [PATCH] rc-local: order after network-online.target + +I think this was the intent of commit 91b684c7300879a8d2006038f7d9185d92c3c3bf, +just network-online.target didn't exist back then. + +RHEL-only + +Resolves: #1954429 + +diff --git a/units/rc-local.service.in b/units/rc-local.service.in +index 55e83dfe00..0eee722154 100644 +--- a/units/rc-local.service.in ++++ b/units/rc-local.service.in +@@ -13,7 +13,8 @@ + Description={{RC_LOCAL_PATH}} Compatibility + Documentation=man:systemd-rc-local-generator(8) + ConditionFileIsExecutable={{RC_LOCAL_PATH}} +-After=network.target ++After=network-online.target ++Wants=network-online.target + + [Service] + Type=forking diff --git a/0008-ci-drop-CIs-irrelevant-for-downstream.patch b/0008-ci-drop-CIs-irrelevant-for-downstream.patch new file mode 100644 index 0000000..1d3bc80 --- /dev/null +++ b/0008-ci-drop-CIs-irrelevant-for-downstream.patch 
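Review bot: The added `Wants=network-online.target` makes every host with an executable rc.local pull network-online.target into the boot transaction, which — depending on the network manager's wait-online service, not shown here — can hold boot until the network is reported up; that trade-off is mentioned neither in the unit nor in the commit message. A one-line comment above the two lines would make the intent explicit, e.g. `# RHEL-only: rc.local scripts traditionally expect a configured network`. The commit message's "I think this was the intent" is a guess that should be confirmed against the referenced commit before the ordering is relied upon.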
@@ -0,0 +1,286 @@ +From b9c7cd794733257a17b2eb9eadc716007e509ca9 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Sun, 18 Apr 2021 20:46:06 +0200 +Subject: [PATCH] ci: drop CIs irrelevant for downstream + + * CIFuzz would need a separate project in oss-fuzz + * Coverity would also need a separate project + * the Labeler action is superfluous, since we already have a bot for + that + * mkosi testing on other distros is irrelevant for downstream RHEL + repo + +Resolves: #1960703 +rhel-only + +diff --git a/.github/labeler.yml b/.github/labeler.yml +deleted file mode 100644 +index 7d128f42d6..0000000000 +--- a/.github/labeler.yml ++++ /dev/null +@@ -1,40 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1-or-later +- +-hwdb: +- - hwdb.d/**/* +-units: +- - units/**/* +-documentation: +- - NEWS +- - docs/* +-network: +- - src/libsystemd-network/**/* +- - src/network/**/* +-udev: +- - src/udev/**/* +- - src/libudev/* +-selinux: +- - '**/*selinux*' +-apparmor: +- - '**/*apparmor*' +-meson: +- - meson_option.txt +-mkosi: +- - .mkosi/* +- - mkosi.build +-busctl: +- - src/busctl/* +-systemctl: +- - src/systemctl/* +-journal: +- - src/journal/* +-journal-remote: +- - src/journal-remote/* +-portable: +- - src/portable/**/* +-resolve: +- - src/resolve/* +-timedate: +- - src/timedate/* +-timesync: +- - src/timesync/* +diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml +deleted file mode 100644 +index 11ea788a47..0000000000 +--- a/.github/workflows/cifuzz.yml ++++ /dev/null +@@ -1,55 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ +- +-name: CIFuzz +- +-permissions: +- contents: read +- +-on: +- pull_request: +- paths: +- - '**/meson.build' +- - '.github/workflows/**' +- - 'meson_options.txt' +- - 'src/**' +- - 'test/fuzz/**' +- - 'tools/oss-fuzz.sh' +- push: +- branches: +- - main +-jobs: +- Fuzzing: +- runs-on: ubuntu-latest +- if: 
github.repository == 'systemd/systemd' +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- sanitizer: [address, undefined, memory] +- steps: +- - name: Build Fuzzers (${{ matrix.sanitizer }}) +- id: build +- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- dry-run: false +- allowed-broken-targets-percentage: 0 +- sanitizer: ${{ matrix.sanitizer }} +- - name: Run Fuzzers (${{ matrix.sanitizer }}) +- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master +- with: +- oss-fuzz-project-name: 'systemd' +- fuzz-seconds: 600 +- dry-run: false +- sanitizer: ${{ matrix.sanitizer }} +- - name: Upload Crash +- uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 +- if: failure() && steps.build.outcome == 'success' +- with: +- name: ${{ matrix.sanitizer }}-artifacts +- path: ./out/artifacts +diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml +deleted file mode 100644 +index a164d16fbf..0000000000 +--- a/.github/workflows/coverity.yml ++++ /dev/null +@@ -1,43 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: Coverity +- +-on: +- schedule: +- # Run Coverity daily at midnight +- - cron: '0 0 * * *' +- +-permissions: +- contents: read +- +-jobs: +- build: +- runs-on: ubuntu-20.04 +- if: github.repository == 'systemd/systemd' +- env: +- COVERITY_SCAN_BRANCH_PATTERN: "${{ github.ref}}" +- COVERITY_SCAN_NOTIFICATION_EMAIL: "" +- COVERITY_SCAN_PROJECT_NAME: "${{ github.repository }}" +- # Set in repo settings -> secrets -> repository secrets +- COVERITY_SCAN_TOKEN: "${{ secrets.COVERITY_SCAN_TOKEN }}" +- CURRENT_REF: "${{ github.ref }}" +- steps: +- - name: Repository checkout +- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 +- # 
https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable +- - name: Set the $COVERITY_SCAN_NOTIFICATION_EMAIL env variable +- run: echo "COVERITY_SCAN_NOTIFICATION_EMAIL=$(git log -1 ${{ github.sha }} --pretty=\"%aE\")" >> $GITHUB_ENV +- - name: Install Coverity tools +- run: tools/get-coverity.sh +- # Reuse the setup phase of the unit test script to avoid code duplication +- - name: Install build dependencies +- run: sudo -E .github/workflows/unit_tests.sh SETUP +- # Preconfigure with meson to prevent Coverity from capturing meson metadata +- - name: Preconfigure the build directory +- run: meson cov-build -Dman=false +- - name: Build +- run: tools/coverity.sh build +- - name: Upload the results +- run: tools/coverity.sh upload +diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml +deleted file mode 100644 +index 34d9d63d42..0000000000 +--- a/.github/workflows/labeler.yml ++++ /dev/null +@@ -1,23 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# +-name: "Pull Request Labeler" +- +-on: +-- pull_request_target +- +-permissions: +- contents: read +- +-jobs: +- triage: +- runs-on: ubuntu-latest +- permissions: +- pull-requests: write +- steps: +- - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e +- with: +- repo-token: "${{ secrets.GITHUB_TOKEN }}" +- configuration-path: .github/labeler.yml +- sync-labels: "" # This is a workaround for issue 18671 +diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml +deleted file mode 100644 +index 8fd6c72e26..0000000000 +--- a/.github/workflows/mkosi.yml ++++ /dev/null +@@ -1,80 +0,0 @@ +---- +-# vi: ts=2 sw=2 et: +-# SPDX-License-Identifier: LGPL-2.1-or-later +-# Simple boot tests that build and boot the mkosi images generated by the mkosi config files in mkosi.default.d/. 
+-name: mkosi +- +-on: +- push: +- branches: +- - main +- - v[0-9]+-stable +- pull_request: +- branches: +- - main +- - v[0-9]+-stable +- +-permissions: +- contents: read +- +-env: +- # Enable debug logging in systemd, but keep udev's log level to info, +- # since it's _very_ verbose in the QEMU task +- KERNEL_CMDLINE: "systemd.unit=mkosi-check-and-shutdown.service !quiet systemd.log_level=debug systemd.log_target=console udev.log_level=info systemd.default_standard_output=journal+console" +- +-jobs: +- ci: +- runs-on: ubuntu-20.04 +- concurrency: +- group: ${{ github.workflow }}-${{ matrix.distro }}-${{ github.ref }} +- cancel-in-progress: true +- strategy: +- fail-fast: false +- matrix: +- distro: +- - arch +- - debian +- - ubuntu +- - fedora +- - opensuse +- +- steps: +- - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 +- - uses: systemd/mkosi@4d64fc8134f93d87ac584183e7762ac1d0efa0e5 +- +- - name: Install +- run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2 +- +- - name: Configure +- run: echo -e "[Distribution]\nDistribution=${{ matrix.distro }}\n" >mkosi.default +- +- # Ubuntu's systemd-nspawn doesn't support faccessat2() syscall, which is +- # required, since current Arch's glibc implements faccessat() via faccessat2(). 
+- - name: Update systemd-nspawn +- if: ${{ matrix.distro == 'arch' }} +- run: | +- echo "deb-src http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs) main restricted universe multiverse" | sudo tee -a /etc/apt/sources.list +- sudo apt update +- sudo apt build-dep systemd +- meson build +- ninja -C build +- sudo ln -svf $PWD/build/systemd-nspawn `which systemd-nspawn` +- systemd-nspawn --version +- +- - name: Build ${{ matrix.distro }} +- run: ./.github/workflows/run_mkosi.sh --build-environment=CI_BUILD=1 --kernel-command-line "${{ env.KERNEL_CMDLINE }}" build +- +- - name: Show ${{ matrix.distro }} image summary +- run: ./.github/workflows/run_mkosi.sh summary +- +- - name: Boot ${{ matrix.distro }} systemd-nspawn +- run: ./.github/workflows/run_mkosi.sh boot ${{ env.KERNEL_CMDLINE }} +- +- - name: Check ${{ matrix.distro }} systemd-nspawn +- run: ./.github/workflows/run_mkosi.sh shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" +- +- - name: Boot ${{ matrix.distro }} QEMU +- run: ./.github/workflows/run_mkosi.sh qemu +- +- - name: Check ${{ matrix.distro }} QEMU +- run: ./.github/workflows/run_mkosi.sh shell bash -c "[[ -e /testok ]] || { cat /failed-services; exit 1; }" diff --git a/0009-ci-reconfigure-Packit-for-RHEL-9.patch b/0009-ci-reconfigure-Packit-for-RHEL-9.patch new file mode 100644 index 0000000..8017d9f --- /dev/null +++ b/0009-ci-reconfigure-Packit-for-RHEL-9.patch 
@@ -0,0 +1,58 @@ +From d931821a263e34805f825cf12a0a0fcde9beda99 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Wed, 9 Jun 2021 15:23:59 +0200 +Subject: [PATCH] ci: reconfigure Packit for RHEL 9 + +Resolves: #1960703 +rhel-only + +diff --git a/.packit.yml b/.packit.yml +index 962c77913e..3461bccbc5 100644 +--- a/.packit.yml ++++ b/.packit.yml +@@ -16,14 +16,12 @@ upstream_tag_template: "v{version}" + + actions: + post-upstream-clone: +- # Use the Fedora Rawhide specfile +- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1" ++ # Use the CentOS Stream specfile ++ - "git clone https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1" + # Drop the "sources" file so rebase-helper doesn't think we're a dist-git + - "rm -fv .packit_rpm/sources" +- # Drop backported patches from the specfile, but keep the downstream-only ones +- # - Patch0000-0499: backported patches from upstream +- # - Patch0500-9999: downstream-only patches +- - "sed -ri '/^Patch0[0-4]?[0-9]{0,2}\\:.+\\.patch/d' .packit_rpm/systemd.spec" ++ # Drop all patches, since they're already included in the tarball ++ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec" + # Build the RPM with --werror. Even though --werror doesn't work in all + # cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the + # RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]). 
+@@ -32,12 +30,22 @@ actions: + # [1] https://github.com/systemd/systemd/pull/18908#issuecomment-792250110 + - 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec' + ++# Available targets can be listed via `copr-cli list-chroots` + jobs: ++# Build test + - job: copr_build + trigger: pull_request + metadata: + targets: +- - fedora-rawhide-aarch64 +- - fedora-rawhide-i386 +- - fedora-rawhide-ppc64le +- - fedora-rawhide-x86_64 ++ # FIXME: change to CentOS 9 once it's available ++ - fedora-34-x86_64 ++ - fedora-34-aarch64 ++ ++# TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184 ++# Run tests (via testing farm) ++#- job: tests ++# trigger: pull_request ++# metadata: ++# targets: ++# # FIXME: change to CentOS 9 once it's available ++# - fedora-34-x86_64 diff --git a/0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch b/0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch new file mode 100644 index 0000000..880338d --- /dev/null +++ b/0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch @@ -0,0 +1,25 @@ +From 785b53d7b16c6c56638029e8b4f59c436f1394b8 Mon Sep 17 00:00:00 2001 +From: Frantisek Sumsal +Date: Thu, 15 Jul 2021 12:23:27 +0200 +Subject: [PATCH] ci: run unit tests on z-stream branches as well + +Resolves: #1960703 +rhel-only + +diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml +index d4a4f3c723..2afde5d59d 100644 +--- a/.github/workflows/unit_tests.yml ++++ b/.github/workflows/unit_tests.yml +@@ -3,11 +3,7 @@ + # SPDX-License-Identifier: LGPL-2.1-or-later + # + name: Unit tests +-on: +- pull_request: +- branches: +- - main +- - v[0-9]+-stable ++on: [pull_request] + + permissions: + contents: read diff --git a/0011-random-util-increase-random-seed-size-to-1024.patch b/0011-random-util-increase-random-seed-size-to-1024.patch new file mode 100644 index 0000000..1255c88 --- /dev/null +++ b/0011-random-util-increase-random-seed-size-to-1024.patch 
@@ -0,0 +1,22 @@
+From c1555a7d38235cca32492c4606e30028dc008b35 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 15 Jul 2021 11:15:17 +0200
+Subject: [PATCH] random-util: increase random seed size to 1024
+
+RHEL-only
+
+Resolves: #1982603
+
+diff --git a/src/basic/random-util.h b/src/basic/random-util.h
+index e6528ddc7f..fda78552f6 100644
+--- a/src/basic/random-util.h
++++ b/src/basic/random-util.h
+@@ -34,7 +34,7 @@ static inline uint32_t random_u32(void) {
+ int rdrand(unsigned long *ret);
+
+ /* Some limits on the pool sizes when we deal with the kernel random pool */
+-#define RANDOM_POOL_SIZE_MIN 512U
++#define RANDOM_POOL_SIZE_MIN 1024U
+ #define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
+
+ size_t random_pool_size(void);
diff --git a/0012-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/0012-journal-don-t-enable-systemd-journald-audit.socket-b.patch
new file mode 100644
index 0000000..f606f7d
--- /dev/null
+++ b/0012-journal-don-t-enable-systemd-journald-audit.socket-b.patch
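Review bot: The macro now reads `#define RANDOM_POOL_SIZE_MIN 1024U` with no trace of why the minimum was doubled — the commit message only cites a ticket — so the next person reconciling against upstream's 512U has nothing to go on. Suggest extending the comment above it: `/* Some limits on the pool sizes when we deal with the kernel random pool. RHEL-only: the minimum is 1024 bytes (upstream: 512), see #1982603. */`. random_pool_size(), declared just below, presumably clamps to this range, so every consumer of the seed file now reads and writes at least 1 KiB — worth confirming that the seed-file reader tolerates the larger minimum on upgrade from a 512-byte seed.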
@@ -0,0 +1,37 @@ +From f1d66259bcff8333d7dd495bbeef274206f7300d Mon Sep 17 00:00:00 2001 +From: Jan Synacek +Date: Thu, 2 May 2019 14:11:54 +0200 +Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by + default + +RHEL-only + +Resolves: #1973856 + +diff --git a/units/meson.build b/units/meson.build +index a9bf28f6d9..69d53f4259 100644 +--- a/units/meson.build ++++ b/units/meson.build +@@ -124,8 +124,7 @@ units = [ + 'sysinit.target.wants/'], + ['systemd-journal-gatewayd.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], + ['systemd-journal-remote.socket', 'ENABLE_REMOTE HAVE_MICROHTTPD'], +- ['systemd-journald-audit.socket', '', +- 'sockets.target.wants/'], ++ ['systemd-journald-audit.socket', ''], + ['systemd-journald-dev-log.socket', '', + 'sockets.target.wants/'], + ['systemd-journald.socket', '', +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index cd17b6b4e7..d981273b07 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -12,7 +12,7 @@ Description=Journal Service + Documentation=man:systemd-journald.service(8) man:journald.conf(5) + DefaultDependencies=no + Requires=systemd-journald.socket +-After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket ++After=systemd-journald.socket systemd-journald-dev-log.socket syslog.socket + Before=sysinit.target + + [Service] diff --git a/0013-journald.conf-don-t-touch-current-audit-settings.patch b/0013-journald.conf-don-t-touch-current-audit-settings.patch new file mode 100644 index 0000000..661384c --- /dev/null +++ b/0013-journald.conf-don-t-touch-current-audit-settings.patch 
@@ -0,0 +1,19 @@
+From 56d9b62ce456e8c0e520bda3447db38864983173 Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Thu, 5 Aug 2021 15:26:13 +0200
+Subject: [PATCH] journald.conf: don't touch current audit settings
+
+RHEL-only
+
+Related: #1973856
+
+diff --git a/src/journal/journald.conf b/src/journal/journald.conf
+index 5a60a9d39c..3544da2112 100644
+--- a/src/journal/journald.conf
++++ b/src/journal/journald.conf
+@@ -44,4 +44,4 @@
+ #MaxLevelWall=emerg
+ #LineMax=48K
+ #ReadKMsg=yes
+-#Audit=yes
++Audit=
diff --git a/0014-Revert-udev-remove-WAIT_FOR-key.patch b/0014-Revert-udev-remove-WAIT_FOR-key.patch
new file mode 100644
index 0000000..8a5196d
--- /dev/null
+++ b/0014-Revert-udev-remove-WAIT_FOR-key.patch
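Review bot: `Audit=` becomes the only uncommented, active directive in a file where every other line is a commented-out default, and an empty value reads like a typo unless the reader already knows the subject line. Suggest keeping the line but preceding it with `# RHEL-only: an empty value leaves the kernel's audit enablement untouched instead of forcing it on (see journald.conf(5))`, which is the commit's own wording. Whether an empty `Audit=` really means "leave as is" rather than "unset" depends on journald.conf(5) semantics not shown here, so the comment should point at the man page rather than restate the behaviour.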
@@ -0,0 +1,132 @@ +From 2843766767452a69dade1ef8ab2d1d3e5e68a1d3 Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Tue, 10 Aug 2021 14:46:16 +0200 +Subject: [PATCH] Revert "udev: remove WAIT_FOR key" + +This reverts commit f2b8052fb648b788936dd3e85be6a9aca90fbb2f. + +RHEL-only + +Resolves: #1982666 + +diff --git a/man/udev.xml b/man/udev.xml +index f6ea2abc12..ce96e201e4 100644 +--- a/man/udev.xml ++++ b/man/udev.xml +@@ -592,6 +592,15 @@ + + + ++ ++ WAIT_FOR ++ ++ Wait for a file to become available or until a timeout of ++ 10 seconds expires. The path is relative to the sysfs device; ++ if no path is specified, this waits for an attribute to appear. ++ ++ ++ + + OPTIONS + +diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c +index 1a384d6b38..243a792662 100644 +--- a/src/udev/udev-rules.c ++++ b/src/udev/udev-rules.c +@@ -79,6 +79,7 @@ typedef enum { + TK_M_TAG, /* strv, sd_device_get_tag_first(), sd_device_get_tag_next() */ + TK_M_SUBSYSTEM, /* string, sd_device_get_subsystem() */ + TK_M_DRIVER, /* string, sd_device_get_driver() */ ++ TK_M_WAITFOR, + TK_M_ATTR, /* string, takes filename through attribute, sd_device_get_sysattr_value(), udev_resolve_subsys_kernel(), etc. 
*/ + TK_M_SYSCTL, /* string, takes kernel parameter through attribute */ + +@@ -416,6 +417,47 @@ static void rule_line_append_token(UdevRuleLine *rule_line, UdevRuleToken *token + rule_line->current_token = token; + } + ++#define WAIT_LOOP_PER_SECOND 50 ++static int wait_for_file(sd_device *dev, const char *file, int timeout) { ++ char filepath[UDEV_PATH_SIZE]; ++ char devicepath[UDEV_PATH_SIZE]; ++ struct stat stats; ++ int loop = timeout * WAIT_LOOP_PER_SECOND; ++ ++ /* a relative path is a device attribute */ ++ devicepath[0] = '\0'; ++ if (file[0] != '/') { ++ const char *val; ++ int r; ++ ++ r = sd_device_get_syspath(dev, &val); ++ if (r < 0) ++ return r; ++ strscpyl(devicepath, sizeof(devicepath), val, NULL); ++ strscpyl(filepath, sizeof(filepath), devicepath, "/", file, NULL); ++ file = filepath; ++ } ++ ++ while (--loop) { ++ const struct timespec duration = { 0, 1000 * 1000 * 1000 / WAIT_LOOP_PER_SECOND }; ++ ++ /* lookup file */ ++ if (stat(file, &stats) == 0) { ++ log_debug("file '%s' appeared after %i loops", file, (timeout * WAIT_LOOP_PER_SECOND) - loop-1); ++ return 0; ++ } ++ /* make sure, the device did not disappear in the meantime */ ++ if (devicepath[0] != '\0' && stat(devicepath, &stats) != 0) { ++ log_debug("device disappeared while waiting for '%s'", file); ++ return -2; ++ } ++ log_debug("wait for '%s' for %i mseconds", file, 1000 / WAIT_LOOP_PER_SECOND); ++ nanosleep(&duration, NULL); ++ } ++ log_debug("waiting for '%s' failed", file); ++ return -1; ++} ++ + static int rule_line_add_token(UdevRuleLine *rule_line, UdevRuleTokenType type, UdevRuleOperatorType op, char *value, void *data) { + UdevRuleToken *token; + UdevRuleMatchType match_type = _MATCH_TYPE_INVALID; +@@ -958,6 +1000,12 @@ static int parse_token(UdevRules *rules, const char *key, char *attr, UdevRuleOp + r = rule_line_add_token(rule_line, TK_A_RUN_BUILTIN, op, value, UDEV_BUILTIN_CMD_TO_PTR(cmd)); + } else + return log_token_invalid_attr(rules, key); ++ } else if (streq(key, 
"WAIT_FOR") || streq(key, "WAIT_FOR_SYSFS")) { ++ if (op == OP_REMOVE) ++ return log_token_invalid_op(rules, key); ++ ++ rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL); ++ return 1; + } else if (streq(key, "GOTO")) { + if (attr) + return log_token_invalid_attr(rules, key); +@@ -1643,6 +1691,14 @@ static int udev_rule_apply_token_to_event( + + return token_match_string(token, val); + } ++ case TK_M_WAITFOR: { ++ char filename[UDEV_PATH_SIZE]; ++ int found; ++ ++ udev_event_apply_format(event, token->value, filename, sizeof(filename), false); ++ found = (wait_for_file(event->dev, filename, 10) == 0); ++ return found || (token->op == OP_NOMATCH); ++ } + case TK_M_ATTR: + case TK_M_PARENTS_ATTR: + return token_match_attr(token, dev, event); +diff --git a/test/rule-syntax-check.py b/test/rule-syntax-check.py +index 9a9e4d1658..0649bcf58e 100755 +--- a/test/rule-syntax-check.py ++++ b/test/rule-syntax-check.py +@@ -20,7 +20,7 @@ no_args_tests = re.compile(r'(ACTION|DEVPATH|KERNELS?|NAME|SYMLINK|SUBSYSTEMS?|D + # PROGRAM can also be specified as an assignment. + program_assign = re.compile(r'PROGRAM\s*=\s*' + quoted_string_re + '$') + args_tests = re.compile(r'(ATTRS?|ENV|CONST|TEST){([a-zA-Z0-9/_.*%-]+)}\s*(?:=|!)=\s*' + quoted_string_re + '$') +-no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') ++no_args_assign = re.compile(r'(NAME|SYMLINK|OWNER|GROUP|MODE|TAG|RUN|LABEL|GOTO|WAIT_FOR|OPTIONS|IMPORT)\s*(?:\+=|:=|=)\s*' + quoted_string_re + '$') + args_assign = re.compile(r'(ATTR|ENV|IMPORT|RUN){([a-zA-Z0-9/_.*%-]+)}\s*(=|\+=)\s*' + quoted_string_re + '$') + # Find comma-separated groups, but allow commas that are inside quoted strings. + # Using quoted_string_re + '?' so that strings missing the last double quote 
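Review bot: In parse_token the new WAIT_FOR branch discards the return value of `rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL);`, unlike the neighbouring RUN branch which stores it in `r`, so a failure to add the token is reported as success; suggest `r = rule_line_add_token(rule_line, TK_M_WAITFOR, 0, value, NULL); if (r < 0) return r; return 1;`. In wait_for_file the `-1` (timeout) and `-2` (device vanished) results are ad-hoc codes rather than negative errno values like the `sd_device_get_syspath()` error it also propagates, and the two `strscpyl()` copies into UDEV_PATH_SIZE buffers are not checked for truncation; the sole caller only tests `== 0`, so this is harmless today but deserves a function comment stating the contract. Operationally, every WAIT_FOR match presumably blocks the worker running the rule for up to `timeout` seconds (10 in the caller) in 20 ms `nanosleep()` steps, so a rule matching many devices stalls event processing — the new man page entry should say so, and `TK_M_WAITFOR` is the only enum member added without the `/* … */` annotation its siblings carry. parse_token and udev_rule_apply_token_to_event both begin and end outside the hunk.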
diff --git a/0015-Really-don-t-enable-systemd-journald-audit.socket.patch b/0015-Really-don-t-enable-systemd-journald-audit.socket.patch
new file mode 100644
index 0000000..5d91475
--- /dev/null
+++ b/0015-Really-don-t-enable-systemd-journald-audit.socket.patch
@@ -0,0 +1,22 @@
+From 9a0acc0b292d283b4507c6b749396c019af7e4ab Mon Sep 17 00:00:00 2001
+From: David Tardon
+Date: Wed, 25 Aug 2021 16:03:04 +0200
+Subject: [PATCH] Really don't enable systemd-journald-audit.socket
+
+RHEL-only
+
+Resolves: #1973856
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index d981273b07..f190dff5fb 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -33,7 +33,7 @@ RestrictRealtime=yes
+ RestrictSUIDSGID=yes
+ RuntimeDirectory=systemd/journal
+ RuntimeDirectoryPreserve=yes
+-Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
++Sockets=systemd-journald.socket systemd-journald-dev-log.socket
+ StandardOutput=null
+ SystemCallArchitectures=native
+ SystemCallErrorNumber=EPERM
diff --git a/0016-rules-add-elevator-kernel-command-line-parameter.patch b/0016-rules-add-elevator-kernel-command-line-parameter.patch
new file mode 100644
index 0000000..f63077b
--- /dev/null
+++ b/0016-rules-add-elevator-kernel-command-line-parameter.patch
@@ -0,0 +1,51 @@
+From 1e423276a24d7c895d196f9f10bf8c0b9155c633 Mon Sep 17 00:00:00 2001
+From: Lukas Nykryn
+Date: Tue, 12 Feb 2019 16:58:16 +0100
+Subject: [PATCH] rules: add elevator= kernel command line parameter
+
+Kernel removed the elevator= option, so let's reintroduce
+it for rhel8 via udev rule.
+
+RHEL-only
+
+Resolves: #2003002
+
+diff --git a/rules.d/40-elevator.rules b/rules.d/40-elevator.rules
+new file mode 100644
+index 0000000000..dbe8fc81a4
+--- /dev/null
++++ b/rules.d/40-elevator.rules
+@@ -0,0 +1,20 @@
++# We aren't adding devices skip the elevator check
++ACTION!="add", GOTO="sched_out"
++
++SUBSYSTEM!="block", GOTO="sched_out"
++ENV{DEVTYPE}!="disk", GOTO="sched_out"
++
++# Technically, dm-multipath can be configured to use an I/O scheduler.
++# However, there are races between the 'add' uevent and the linking in
++# of the queue/scheduler sysfs file. For now, just skip dm- devices.
++KERNEL=="dm-*|md*", GOTO="sched_out"
++
++# Skip bio-based devices, which don't support an I/O scheduler.
++ATTR{queue/scheduler}=="none", GOTO="sched_out"
++
++# If elevator= is specified on the kernel command line, change the
++# scheduler to the one specified.
++IMPORT{cmdline}="elevator"
++ENV{elevator}!="", ATTR{queue/scheduler}="$env{elevator}"
++
++LABEL="sched_out"
+\ No newline at end of file
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index c5c3590b29..7e0bd89200 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -5,6 +5,7 @@ install_data(
+ install_dir : udevrulesdir)
+ 
+ rules = files('''
++ 40-elevator.rules
+ 40-redhat.rules
+ 60-autosuspend.rules
+ 60-block.rules
diff --git a/0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch b/0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
new file mode 100644
index 0000000..de26ffa
--- /dev/null
+++ b/0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch
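Review bot: The last rule writes whatever `elevator=` carries on the kernel command line straight into `queue/scheduler` for every whole disk; the kernel should reject names it does not know, so the failure mode is one sysfs write error logged per disk rather than anything worse, but that is worth stating in the header comment so a flood of udev errors after a typo is recognisable. The opening comment is also hard to parse; `# Not an "add" event: skip the elevator check` says what the ACTION test does. Separately, the rules file is committed without a trailing newline (`\ No newline at end of file`), which is better fixed before it becomes a recurring diff noise line.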
@@ -0,0 +1,23 @@
+From 41ccc595538752f04f88c80fe7a9e283d4ef12c4 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 22 Sep 2021 14:38:00 +0200
+Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
+
+RHEL-only
+
+Related: #2000927
+
+diff --git a/units/meson.build b/units/meson.build
+index 69d53f4259..9eb535858a 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -159,8 +159,7 @@ units = [
+ ['time-set.target', ''],
+ ['time-sync.target', ''],
+ ['timers.target', ''],
+- ['tmp.mount', '',
+- 'local-fs.target.wants/'],
++ ['tmp.mount', ''],
+ ['umount.target', ''],
+ ['usb-gadget.target', ''],
+ ['user.slice', ''],
diff --git a/0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch b/0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
new file mode 100644
index 0000000..88cd3d5
--- /dev/null
+++ b/0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch
@@ -0,0 +1,54 @@ +From 4ec48c87803916e90a8f30afae6c8bdee5bb9ba5 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 1 Aug 2018 13:19:39 +0200 +Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value + +This should be hopefully high enough even for the very big deployments. + +RHEL-only + +Resolves: #2003031 + +diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml +index 3805a010e2..b8e2b65625 100644 +--- a/man/systemd-system.conf.xml ++++ b/man/systemd-system.conf.xml +@@ -404,10 +404,10 @@ + Configure the default value for the per-unit TasksMax= setting. See + systemd.resource-control5 + for details. This setting applies to all unit types that support resource control settings, with the exception +- of slice units. Defaults to 15% of the minimum of kernel.pid_max=, kernel.threads-max= ++ of slice units. Defaults to 80% of the minimum of kernel.pid_max=, kernel.threads-max= + and root cgroup pids.max. + Kernel has a default value for kernel.pid_max= and an algorithm of counting in case of more than 32 cores. +- For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 4915, ++ For example with the default kernel.pid_max=, DefaultTasksMax= defaults to 26214, + but might be greater in other systems or smaller in OS containers. 
+ + +diff --git a/src/core/main.c b/src/core/main.c +index 57aedb9b93..7ea848ebeb 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -98,7 +98,7 @@ + #include + #endif + +-#define DEFAULT_TASKS_MAX ((TasksMax) { 15U, 100U }) /* 15% */ ++#define DEFAULT_TASKS_MAX ((TasksMax) { 80U, 100U }) /* 80% */ + + static enum { + ACTION_RUN, +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index 96fb64d2c1..c0dc6a7e17 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -54,7 +54,7 @@ + #DefaultBlockIOAccounting=no + #DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }} + #DefaultTasksAccounting=yes +-#DefaultTasksMax=15% ++#DefaultTasksMax=80% + #DefaultLimitCPU= + #DefaultLimitFSIZE= + #DefaultLimitDATA= diff --git a/0019-set-core-ulimit-to-0-like-on-RHEL-7.patch b/0019-set-core-ulimit-to-0-like-on-RHEL-7.patch new file mode 100644 index 0000000..86ace0e --- /dev/null +++ b/0019-set-core-ulimit-to-0-like-on-RHEL-7.patch @@ -0,0 +1,22 @@ +From 7344cdfb2792f67e50848f87eced21cded226d4a Mon Sep 17 00:00:00 2001 +From: David Tardon +Date: Mon, 25 Jan 2021 16:19:56 +0100 +Subject: [PATCH] set core ulimit to 0 like on RHEL-7 + +RHEL-only + +Resolves: #1998509 + +diff --git a/src/core/system.conf.in b/src/core/system.conf.in +index c0dc6a7e17..5913b5b0e4 100644 +--- a/src/core/system.conf.in ++++ b/src/core/system.conf.in +@@ -59,7 +59,7 @@ + #DefaultLimitFSIZE= + #DefaultLimitDATA= + #DefaultLimitSTACK= +-#DefaultLimitCORE= ++DefaultLimitCORE=0:infinity + #DefaultLimitRSS= + #DefaultLimitNOFILE=1024:{{HIGH_RLIMIT_NOFILE}} + #DefaultLimitAS= diff --git a/0020-ci-use-C9S-chroots-in-Packit.patch b/0020-ci-use-C9S-chroots-in-Packit.patch new file mode 100644 index 0000000..53451d2 --- /dev/null +++ b/0020-ci-use-C9S-chroots-in-Packit.patch 
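Review bot: Raising `DEFAULT_TASKS_MAX` from 15% to 80% of pid_max means one runaway unit can now take four fifths of the pid space before its cgroup limit bites, and two such units can exhaust it; the upstream 15% is, as I understand it, meant as fork-bomb containment, so the commit message's "high enough for very big deployments" covers capacity but not that trade-off. A short comment on the define, `/* 80%: per-unit cap deliberately loose on RHEL; set TasksMax= on individual units for real isolation */`, would record the decision next to the value. The man page example of 26214 is consistent with 80% of a 32768 pid_max, so the three hunks agree with each other.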
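Review bot: `DefaultLimitCORE=0:infinity` becomes the only active key in a block where every neighbouring line is a commented-out default, so a reader of the shipped system.conf will not recognise it as a deliberate downstream choice rather than an accident. A comment directly above it, `# RHEL: soft core limit 0 as on RHEL-7; the hard limit stays unlimited so a service may raise it with LimitCORE=`, would record the intent and the soft/hard split the value encodes. Whether a soft limit of 0 still lets the pipe-based coredump handler run is not visible here and is worth a sentence in the commit message.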
@@ -0,0 +1,24 @@
+From 402595e7b0668b8fe44b5b00b1dd45ba9cc42b82 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Thu, 4 Nov 2021 12:31:32 +0100
+Subject: [PATCH] ci: use C9S chroots in Packit
+
+rhel-only
+Related: #2017035
+
+diff --git a/.packit.yml b/.packit.yml
+index 3461bccbc5..ce8782aae2 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -37,9 +37,8 @@ jobs:
+ trigger: pull_request
+ metadata:
+ targets:
+- # FIXME: change to CentOS 9 once it's available
+- - fedora-34-x86_64
+- - fedora-34-aarch64
++ - centos-stream-9-x86_64
++ - centos-stream-9-aarch64
+ 
+ # TODO: can't use TFT yet due to https://pagure.io/fedora-ci/general/issue/184
+ # Run tests (via testing farm)
diff --git a/0021-test-mountpointutil-util-do-not-assert-in-test_mnt_i.patch b/0021-test-mountpointutil-util-do-not-assert-in-test_mnt_i.patch
new file mode 100644
index 0000000..4e220c8
--- /dev/null
+++ b/0021-test-mountpointutil-util-do-not-assert-in-test_mnt_i.patch
@@ -0,0 +1,133 @@ +From 68199fe69a2c46e498bc7e9528d54922deecc553 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Mon, 14 Sep 2020 17:58:03 +0200 +Subject: [PATCH] test-mountpointutil-util: do not assert in test_mnt_id() + +https://bugzilla.redhat.com/show_bug.cgi?id=1803070 + +I *think* this a kernel bug: the mnt_id as listed in /proc/self/mountinfo is different +than the one we get from /proc/self/fdinfo/. This only matters when both statx and +name_to_handle_at are unavailable and we hit the fallback path that goes through fdinfo: + +(gdb) !uname -r +5.6.19-200.fc31.ppc64le + +(gdb) !cat /proc/self/mountinfo +697 664 253:0 /var/lib/mock/fedora-31-ppc64le/root / rw,relatime shared:298 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +698 697 253:0 /var/cache/mock/fedora-31-ppc64le/yum_cache /var/cache/yum rw,relatime shared:299 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +699 697 253:0 /var/cache/mock/fedora-31-ppc64le/dnf_cache /var/cache/dnf rw,relatime shared:300 master:1 - xfs /dev/mapper/fedora_rh--power--vm14-root rw,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota +700 697 0:32 /mock-selinux-plugin.7me9bfpi /proc/filesystems rw,nosuid,nodev shared:301 master:18 - tmpfs tmpfs rw,seclabel <========================================================== +701 697 0:41 / /sys ro,nosuid,nodev,noexec,relatime shared:302 - sysfs sysfs ro,seclabel +702 701 0:21 / /sys/fs/selinux ro,nosuid,nodev,noexec,relatime shared:306 master:8 - selinuxfs selinuxfs rw +703 697 0:42 / /dev rw,nosuid shared:303 - tmpfs tmpfs rw,seclabel,mode=755 +704 703 0:43 / /dev/shm rw,nosuid,nodev shared:304 - tmpfs tmpfs rw,seclabel +705 703 0:45 / /dev/pts rw,nosuid,noexec,relatime shared:307 - devpts devpts rw,seclabel,gid=5,mode=620,ptmxmode=666 +706 703 0:6 /btrfs-control /dev/btrfs-control rw,nosuid shared:308 master:9 - 
devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +707 703 0:6 /loop-control /dev/loop-control rw,nosuid shared:309 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +708 703 0:6 /loop0 /dev/loop0 rw,nosuid shared:310 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +709 703 0:6 /loop1 /dev/loop1 rw,nosuid shared:311 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +710 703 0:6 /loop10 /dev/loop10 rw,nosuid shared:312 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +711 703 0:6 /loop11 /dev/loop11 rw,nosuid shared:313 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +712 703 0:6 /loop2 /dev/loop2 rw,nosuid shared:314 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +713 703 0:6 /loop3 /dev/loop3 rw,nosuid shared:315 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +714 703 0:6 /loop4 /dev/loop4 rw,nosuid shared:316 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +715 703 0:6 /loop5 /dev/loop5 rw,nosuid shared:317 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +716 703 0:6 /loop6 /dev/loop6 rw,nosuid shared:318 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +717 703 0:6 /loop7 /dev/loop7 rw,nosuid shared:319 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +718 703 0:6 /loop8 /dev/loop8 rw,nosuid shared:320 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +719 703 0:6 /loop9 /dev/loop9 rw,nosuid shared:321 master:9 - devtmpfs devtmpfs rw,seclabel,size=4107840k,nr_inodes=64185,mode=755 +720 697 0:44 / /run rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +721 720 0:25 /systemd/nspawn/propagate/9cc8a155d0244558b273f773d2b92142 /run/systemd/nspawn/incoming ro 
master:12 - tmpfs tmpfs rw,seclabel,mode=755 +722 697 0:32 /mock-resolv.dvml91hp /etc/resolv.conf rw,nosuid,nodev shared:322 master:18 - tmpfs tmpfs rw,seclabel +725 697 0:47 / /proc rw,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +603 725 0:47 /sys /proc/sys ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +604 725 0:44 /systemd/inaccessible/reg /proc/kallsyms ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +605 725 0:44 /systemd/inaccessible/reg /proc/kcore ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +606 725 0:44 /systemd/inaccessible/reg /proc/keys ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +607 725 0:44 /systemd/inaccessible/reg /proc/sysrq-trigger ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +608 725 0:44 /systemd/inaccessible/reg /proc/timer_list ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +609 725 0:47 /bus /proc/bus ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +610 725 0:47 /fs /proc/fs ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +611 725 0:47 /irq /proc/irq ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +612 725 0:47 /scsi /proc/scsi ro,nosuid,nodev,noexec,relatime shared:323 - proc proc rw +613 703 0:46 / /dev/mqueue rw,nosuid,nodev,noexec,relatime shared:324 - mqueue mqueue rw,seclabel +614 701 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:325 - cgroup2 cgroup rw,seclabel,nsdelegate +615 603 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +616 725 0:44 /.#proc-sys-kernel-random-boot-id4fbdce67af46d1c2//deleted /proc/sys/kernel/random/boot_id rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 +617 725 0:44 /.#proc-kmsg5b7a8bcfe6717139//deleted /proc/kmsg rw,nosuid,nodev shared:305 - tmpfs tmpfs rw,seclabel,mode=755 + +The test process does 
+name_to_handle_at("/proc/filesystems") which returns -EOPNOTSUPP, and then +openat(AT_FDCWD, "/proc/filesystems") which returns 4, and then +read(open("/proc/self/fdinfo/4", ...)) which gives +"pos:\t0\nflags:\t012100000\nmnt_id:\t725\n" + +and the "725" is clearly inconsistent with "700" in /proc/self/mountinfo. + +We could either drop the fallback path (and fail name_to_handle_at() is not +avaliable) or ignore the error in the test. Not sure what is better. I think +this issue only occurs sometimes and with older kernels, so probably continuing +with the current flaky implementation is better than ripping out the fallback. + +Another strace: +writev(2, [{iov_base="mnt ids of /proc/sys is 603", iov_len=27}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/sys is 603 +) = 28 +name_to_handle_at(AT_FDCWD, "/", {handle_bytes=128 => 12, handle_type=129, f_handle=0x52748401000000008b93e20d}, [697], 0) = 0 +writev(2, [{iov_base="mnt ids of / is 697", iov_len=19}, {iov_base="\n", iov_len=1}], 2mnt ids of / is 697 +) = 20 +name_to_handle_at(AT_FDCWD, "/proc/kcore", {handle_bytes=128 => 12, handle_type=1, f_handle=0x92ddcfcd2e802d0100000000}, [605], 0) = 0 +writev(2, [{iov_base="mnt ids of /proc/kcore is 605", iov_len=29}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/kcore is 605 +) = 30 +name_to_handle_at(AT_FDCWD, "/dev", {handle_bytes=128 => 12, handle_type=1, f_handle=0x8ae269160c802d0100000000}, [703], 0) = 0 +writev(2, [{iov_base="mnt ids of /dev is 703", iov_len=22}, {iov_base="\n", iov_len=1}], 2mnt ids of /dev is 703 +) = 23 +name_to_handle_at(AT_FDCWD, "/proc/filesystems", {handle_bytes=128}, 0x7fffe36ddb84, 0) = -1 EOPNOTSUPP (Operation not supported) +openat(AT_FDCWD, "/proc/filesystems", O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH) = 4 +openat(AT_FDCWD, "/proc/self/fdinfo/4", O_RDONLY|O_CLOEXEC) = 5 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +fstat(5, {st_mode=S_IFREG|0400, st_size=0, ...}) = 0 +read(5, "pos:\t0\nflags:\t012100000\nmnt_id:\t725\n", 2048) = 
36 +read(5, "", 1024) = 0 +close(5) = 0 +close(4) = 0 +writev(2, [{iov_base="mnt ids of /proc/filesystems are 700, 725", iov_len=41}, {iov_base="\n", iov_len=1}], 2mnt ids of /proc/filesystems are 700, 725 +) = 42 +writev(2, [{iov_base="the other path for mnt id 725 is /proc", iov_len=38}, {iov_base="\n", iov_len=1}], 2the other path for mnt id 725 is /proc +) = 39 +writev(2, [{iov_base="Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting.", iov_len=108}, {iov_base="\n", iov_len=1}], 2Assertion 'path_equal(p, t)' failed at src/test/test-mountpoint-util.c:94, function test_mnt_id(). Aborting. +) = 109 +rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0 +rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0 +getpid() = 20 +gettid() = 20 +tgkill(20, 20, SIGABRT) = 0 +rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 + +RHEL notes: af918c4 should mitigate this issue, but in some build +systems (Copr, brew, etc.) we don't have enough privileges to create a +new mount namespace + +Cherry-picked manually from https://github.com/systemd/systemd/pull/17050. + +rhel-only +Related: #2017035 + +diff --git a/src/test/test-mountpoint-util.c b/src/test/test-mountpoint-util.c +index d11edf502a..9515d8cf7b 100644 +--- a/src/test/test-mountpoint-util.c ++++ b/src/test/test-mountpoint-util.c +@@ -101,8 +101,12 @@ TEST(mnt_id) { + /* The ids don't match? If so, then there are two mounts on the same path, let's check if + * that's really the case */ + char *t = hashmap_get(h, INT_TO_PTR(mnt_id2)); +- log_debug("the other path for mnt id %i is %s\n", mnt_id2, t); +- assert_se(path_equal(p, t)); ++ log_debug("Path for mnt id %i from /proc/self/mountinfo is %s\n", mnt_id2, t); ++ ++ if (!path_equal(p, t)) ++ /* Apparent kernel bug in /proc/self/fdinfo */ ++ log_warning("Bad mount id given for %s: %d, should be %d", ++ p, mnt_id2, mnt_id); + } + } + diff --git a/sources b/sources index 6a6a3d7..66a9519 100644 --- a/sources +++ b/sources 
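Review bot: The rewritten `log_debug` keeps a trailing `\n` inside its format string while the new `log_warning` on the next lines has none; systemd's log_* helpers terminate the line themselves, as far as I recall, so it should read `log_debug("Path for mnt id %i from /proc/self/mountinfo is %s", mnt_id2, t);`, and the two messages should also agree on `%i` versus `%d` for the same mnt_id2. With the assertion gone, this test no longer checks the fdinfo fallback path for correctness at all, only for not crashing, which the message accepts as a kernel-side problem; a `/* TODO: restore assert_se() once the fdinfo/mountinfo mismatch is understood */` on the new branch would keep that from being forgotten. If `hashmap_get()` misses, `t` is NULL and `path_equal(p, t)` is reached exactly as before the change, so the new branch does not make that worse, but a `t &&` guard would be cheap. The enclosing TEST(mnt_id) body starts outside the hunk.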
@@ -1 +1 @@ -SHA512 (systemd-249.tar.gz) = 0810d09cc32e4aaa4425ee5b7ddf129262b061ce159cbd43571fabda48285243d8f80b566379ece9215d531b9407ee45e1e72c71935644fea31c7bca1bbf540c +SHA512 (systemd-250.tar.gz) = b618d86357c85f27a0af416af5818767af2233255a4a40b8f6a0bd690971ae1936a8ec32eaa84034f03aebfdc9a84d1f74b6f4c37a4db46d0851e636266f9cd4 diff --git a/systemd.spec b/systemd.spec index 2dda13a..2e17102 100644 --- a/systemd.spec +++ b/systemd.spec @@ -20,8 +20,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 249 -Release: 9%{?dist} +Version: 250 +Release: 1%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager 
@@ -78,6 +78,27 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # patches in this range before applying upstream pull requests. # RHEL-specific +Patch0001: 0001-logind-set-RemoveIPC-to-false-by-default.patch +Patch0002: 0002-tmpfiles-don-t-create-resolv.conf-stub-resolv.conf-s.patch +Patch0003: 0003-Copy-40-redhat.rules-from-RHEL-8.patch +Patch0004: 0004-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +Patch0005: 0005-unit-don-t-add-Requires-for-tmp.mount.patch +Patch0006: 0006-units-add-Install-section-to-tmp.mount.patch +Patch0007: 0007-rc-local-order-after-network-online.target.patch +Patch0008: 0008-ci-drop-CIs-irrelevant-for-downstream.patch +Patch0009: 0009-ci-reconfigure-Packit-for-RHEL-9.patch +Patch0010: 0010-ci-run-unit-tests-on-z-stream-branches-as-well.patch +Patch0011: 0011-random-util-increase-random-seed-size-to-1024.patch +Patch0012: 0012-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0013: 0013-journald.conf-don-t-touch-current-audit-settings.patch +Patch0014: 0014-Revert-udev-remove-WAIT_FOR-key.patch +Patch0015: 0015-Really-don-t-enable-systemd-journald-audit.socket.patch +Patch0016: 0016-rules-add-elevator-kernel-command-line-parameter.patch +Patch0017: 0017-units-don-t-enable-tmp.mount-statically-in-local-fs..patch +Patch0018: 0018-pid1-bump-DefaultTasksMax-to-80-of-the-kernel-pid.ma.patch +Patch0019: 0019-set-core-ulimit-to-0-like-on-RHEL-7.patch +Patch0020: 0020-ci-use-C9S-chroots-in-Packit.patch +Patch0021: 0021-test-mountpointutil-util-do-not-assert-in-test_mnt_i.patch # Downstream-only patches (9000–9999) 
@@ -849,6 +870,9 @@ getent passwd systemd-oom &>/dev/null || useradd -r -l -g systemd-oom -d / -s /s %files standalone-sysusers -f .file-list-standalone-sysusers %changelog +* Mon Jan 31 2022 Jan Macku - 250-1 +- Rebase to v250 (#2047768) + * Thu Nov 18 2021 systemd maintenance team - 249-9 - test: don't install test-network-generator-conversion.sh w/o networkd (#2017035) - meson.build: change operator combining bools from + to and (#2017035)