Compare commits

..

No commits in common. "a10s" and "c8" have entirely different histories.
a10s ... c8

1146 changed files with 219441 additions and 10372 deletions

View File

@ -1,3 +0,0 @@
[suppress_file]
# Those shared objects are private to systemd
file_name_regexp=libsystemd-(shared|core)-.*.so

View File

@ -1 +0,0 @@
1

10
.gitignore vendored
View File

@ -1,9 +1 @@
*~
/.mail.list
/systemd-*/
/.build-*.log
/x86_64/
/systemd-*src.rpm
/systemd-*.tar.xz
/systemd-*.tar.gz
/*.rpm
SOURCES/systemd-239.tar.gz

1
.systemd.metadata Normal file
View File

@ -0,0 +1 @@
8803baa484cbe36680463c8c5e6febeff074b8e7 SOURCES/systemd-239.tar.gz

View File

@ -1,7 +0,0 @@
- project:
vars:
install_repo_exclude:
- systemd-standalone-repart
- systemd-standalone-shutdown
- systemd-standalone-sysusers
- systemd-standalone-tmpfiles

View File

@ -1,18 +0,0 @@
From 1c27c902ad8316f490648a0e4415abd51b450b1a Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Tue, 11 Jun 2024 23:04:12 +0100
Subject: [PATCH] Create CNAME
---
docs/CNAME | 1 +
1 file changed, 1 insertion(+)
create mode 100644 docs/CNAME
diff --git a/docs/CNAME b/docs/CNAME
new file mode 100644
index 0000000000..cdcf4d9a52
--- /dev/null
+++ b/docs/CNAME
@@ -0,0 +1 @@
+systemd.io
\ No newline at end of file

View File

@ -1,103 +0,0 @@
From d918804408801bf46a49018e374ebdfbeae08805 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 5 Jun 2024 11:28:21 +0200
Subject: [PATCH] man/systemd: reorder content a bit
Section "Description" didn't actually say what systemd does. And we had a giant
"Concepts" section that actually described units types and other details about
them. So let's move the basic description of functionality to "Description" and
rename the following section to "Units".
The link to the Original Design Document is moved to "See Also", it is of
historical interest mostly at this point.
The only actual change is that when talking about API filesystems, /dev is also
mentioned. (I think /sys+/proc+/dev are the canonical set and should be always
listed on one breath.)
(cherry picked from commit f11aaf7dfb295de429b1567282b19caaba036bba)
---
man/systemd.xml | 49 ++++++++++++++++++++++++-------------------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/man/systemd.xml b/man/systemd.xml
index 66db5bbf25..f4aa7e06ca 100644
--- a/man/systemd.xml
+++ b/man/systemd.xml
@@ -62,10 +62,29 @@
<filename>user.conf.d</filename> directories. See
<citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information.</para>
+
+ <para><command>systemd</command> contains native implementations of various tasks that need to be
+ executed as part of the boot process. For example, it sets the hostname or configures the loopback
+ network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>,
+ <filename>/proc/</filename>, and <filename>/dev/</filename>.</para>
+
+ <para>Note that some but not all interfaces provided by systemd are covered by the
+ <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
+
+ <para>The D-Bus API of <command>systemd</command> is described in
+ <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
+ url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
+ <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
+ specifications, respectively.</para>
</refsect1>
<refsect1>
- <title>Concepts</title>
+ <title>Units</title>
<para>systemd provides a dependency system between various
entities called "units" of 11 different types. Units encapsulate
@@ -261,34 +280,10 @@
example, start jobs for any of those inactive units getting queued as
well.</para>
- <para>systemd contains native implementations of various tasks
- that need to be executed as part of the boot process. For example,
- it sets the hostname or configures the loopback network device. It
- also sets up and mounts various API file systems, such as
- <filename>/sys/</filename> or <filename>/proc/</filename>.</para>
-
- <para>For more information about the concepts and
- ideas behind systemd, please refer to the
- <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
-
- <para>Note that some but not all interfaces provided by systemd are covered by the
- <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
-
<para>Units may be generated dynamically at boot and system
manager reload time, for example based on other configuration
files or parameters passed on the kernel command line. For details, see
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
-
- <para>The D-Bus API of <command>systemd</command> is described in
- <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>
- and
- <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
- </para>
-
- <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink
- url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or
- <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink>
- specifications, respectively.</para>
</refsect1>
<refsect1>
@@ -1558,6 +1553,10 @@
<member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
</simplelist></para>
+
+ <para>For more information about the concepts and
+ ideas behind systemd, please refer to the
+ <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
</refsect1>
</refentry>

View File

@ -1,43 +0,0 @@
From f2b5c1ff51b7c7876036c6c722e2a47b696695d9 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 8 May 2024 10:38:11 +0200
Subject: [PATCH] hostnamed: don't allow hostnamed to exit on idle if varlink
connections are still ongoing
And while we are at it, ongoing PK authorizations are also a reason to
block exit on idle.
(cherry picked from commit ac908152b3b43a49f793d225c075423422cd3e33)
---
src/hostname/hostnamed.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index 82d08803fa..fe1216fc1c 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) {
return 0;
}
+static bool context_check_idle(void *userdata) {
+ Context *c = ASSERT_PTR(userdata);
+
+ return varlink_server_current_connections(c->varlink_server) == 0 &&
+ hashmap_isempty(c->polkit_registry);
+}
+
static int run(int argc, char *argv[]) {
_cleanup_(context_destroy) Context context = {
.hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */
@@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) {
context.bus,
"org.freedesktop.hostname1",
DEFAULT_EXIT_USEC,
- /* check_idle= */ NULL,
- /* userdata= */ NULL);
+ context_check_idle,
+ &context);
if (r < 0)
return log_error_errno(r, "Failed to run event loop: %m");

View File

@ -1,30 +0,0 @@
From 0d573787ea1610ba57a359cf437841f62b186e77 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 12 Jun 2024 00:48:56 +0900
Subject: [PATCH] sd-dhcp-server: clear buffer before receive
I do not think this is necessary, but all other places in
libsystemd-network we clear buffer before receive. Without this,
Coverity warns about use-of-uninitialized-values.
Let's silence Coverity.
Closes CID#1469721.
(cherry picked from commit 40f9fa0af4c3094d93e833e62f7e301cd453da62)
---
src/libsystemd-network/sd-dhcp-server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c
index c3b0f82dc4..4967f066dc 100644
--- a/src/libsystemd-network/sd-dhcp-server.c
+++ b/src/libsystemd-network/sd-dhcp-server.c
@@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd,
/* Preallocate the additional size for DHCP Relay Agent Information Option if needed */
buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2;
- message = malloc(buflen);
+ message = malloc0(buflen);
if (!message)
return -ENOMEM;

View File

@ -1,29 +0,0 @@
From a3d94332a2b5128697373d3093c1cfa56649ec61 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 10 Jun 2024 12:59:58 +0200
Subject: [PATCH] rules: Limit the number of device units generated for serial
ttys
As per the suggestion in https://github.com/systemd/systemd/issues/33242.
This reduces the number of /dev/ttySXX device units generated in
mkosi from 32 to 4.
(cherry picked from commit dc38f9addd04c34d1fd743efc407bdebb3573d05)
---
rules.d/99-systemd.rules.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in
index ad0c7e2fb5..8ba6f177f8 100644
--- a/rules.d/99-systemd.rules.in
+++ b/rules.d/99-systemd.rules.in
@@ -10,6 +10,8 @@
ACTION=="remove", GOTO="systemd_end"
SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd"
+# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked.
+SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0"
KERNEL=="vport*", TAG+="systemd"
SUBSYSTEM=="ptp", TAG+="systemd"

View File

@ -1,81 +0,0 @@
From 514ef0f93b76cbe0ba6b4de07a7b21fd0c2b7bae Mon Sep 17 00:00:00 2001
From: q66 <q66@chimera-linux.org>
Date: Thu, 6 Jun 2024 13:45:48 +0200
Subject: [PATCH] strbuf: use GREEDY_REALLOC to grow the buffer
This allows us to reserve a bunch of capacity ahead of time,
improving the performance of hwdb significantly thanks to not
having to reallocate so many times.
Before:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==113297== Memcheck, a memory error detector
==113297== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==113297== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==113297== Command: ./systemd-hwdb update
==113297==
==113297==
==113297== HEAP SUMMARY:
==113297== in use at exit: 0 bytes in 0 blocks
==113297== total heap usage: 1,412,640 allocs, 1,412,640 frees, 117,920,009,195 bytes allocated
==113297==
==113297== All heap blocks were freed -- no leaks are possible
==113297==
==113297== For lists of detected and suppressed errors, rerun with: -s
==113297== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
132.44user 21.15system 2:35.61elapsed 98%CPU (0avgtext+0avgdata 228560maxresident)k
0inputs+25296outputs (0major+6886930minor)pagefaults 0swaps
```
After:
```
$ sudo time valgrind --leak-check=full ./systemd-hwdb update
==112572== Memcheck, a memory error detector
==112572== Copyright (C) 2002-2024, and GNU GPL'd, by Julian Seward et al.
==112572== Using Valgrind-3.23.0 and LibVEX; rerun with -h for copyright info
==112572== Command: ./systemd-hwdb update
==112572==
==112572==
==112572== HEAP SUMMARY:
==112572== in use at exit: 0 bytes in 0 blocks
==112572== total heap usage: 1,320,113 allocs, 1,320,113 frees, 70,614,501 bytes allocated
==112572==
==112572== All heap blocks were freed -- no leaks are possible
==112572==
==112572== For lists of detected and suppressed errors, rerun with: -s
==112572== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
21.94user 0.19system 0:22.23elapsed 99%CPU (0avgtext+0avgdata 229876maxresident)k
0inputs+25264outputs (0major+57275minor)pagefaults 0swaps
```
Co-authored-by: Yu Watanabe <watanabe.yu+github@gmail.com>
(cherry picked from commit 621b10fe2c3203c537996e84c7c89b0ff994ad93)
---
src/basic/strbuf.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
index 0617acc8d2..6d43955bb1 100644
--- a/src/basic/strbuf.c
+++ b/src/basic/strbuf.c
@@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node,
/* add string, return the index/offset into the buffer */
ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
uint8_t c;
- char *buf_new;
struct strbuf_child_entry *child;
struct strbuf_node *node;
ssize_t off;
@@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) {
}
/* add new string */
- buf_new = realloc(str->buf, str->len + len+1);
- if (!buf_new)
+ if (!GREEDY_REALLOC(str->buf, str->len + len + 1))
return -ENOMEM;
- str->buf = buf_new;
off = str->len;
memcpy(str->buf + off, s, len);
str->len += len;

View File

@ -1,132 +0,0 @@
From 30df42a9277bbf138d52887c9b79e452db425585 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Fri, 17 May 2024 16:20:11 +0200
Subject: [PATCH] tpm2-setup: Don't fail if we can't access the TPM due to
authorization failure
The TPM might be password/pin protected for various reasons even if
there is no SRK yet. Let's handle those cases gracefully instead of
failing the unit as it is enabled by default.
(cherry picked from commit d6518003f8ebbfb6f85dbf227736ae05b0961199)
---
catalog/systemd.catalog.in | 13 +++++++++++++
src/shared/tpm2-util.c | 2 ++
src/systemd/sd-messages.h | 3 +++
src/tpm2-setup/tpm2-setup.c | 13 ++++++++++++-
units/systemd-tpm2-setup-early.service.in | 3 +++
units/systemd-tpm2-setup.service.in | 3 +++
6 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 3c9a6860da..2831152763 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/
A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been
detached from the system and is no longer available for use. The list of attached
Portable Services can be queried with 'portablectl list'.
+
+-- ad7089f928ac4f7ea00c07457d47ba8a
+Subject: Authorization failure while attempting to enroll SRK into TPM
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: man:systemd-tpm2-setup.service(8)
+
+An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform
+Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of
+the TPM.
+
+Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password
+protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'.
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 87ce53cf95..9603f1837e 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
@@ -2119,6 +2119,8 @@ int tpm2_create_primary(
/* creationData= */ NULL,
/* creationHash= */ NULL,
/* creationTicket= */ NULL);
+ if (rc == TPM2_RC_BAD_AUTH)
+ return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM.");
if (rc != TSS2_RC_SUCCESS)
return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
"Failed to generate primary key in TPM: %s",
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index e3f68068a8..16e9986be3 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
#define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a)
+
_SD_END_DECLARATIONS;
#endif
diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c
index 35628fc02a..b95c5e7a58 100644
--- a/src/tpm2-setup/tpm2-setup.c
+++ b/src/tpm2-setup/tpm2-setup.c
@@ -3,6 +3,8 @@
#include <getopt.h>
#include <unistd.h>
+#include "sd-messages.h"
+
#include "build.h"
#include "fd-util.h"
#include "fileio.h"
@@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) {
/* ret_name= */ NULL,
/* ret_qname= */ NULL,
NULL);
+ if (r == -EDEADLK)
+ return r;
if (r < 0)
return log_error_errno(r, "Failed to get or create SRK: %m");
if (r > 0)
@@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) {
}
r = load_public_key_tpm2(&tpm2_key);
+ if (r == -EDEADLK) {
+ log_struct_errno(LOG_INFO, r,
+ LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."),
+ "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR);
+ return 76; /* Special return value which means "Insufficient permissions to access TPM,
+ * cannot generate SRK". This isn't really an error when called at boot. */;
+ }
if (r < 0)
return r;
@@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) {
return 0;
}
-DEFINE_MAIN_FUNCTION(run);
+DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 9982c84aba..7fdb99b53f 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 0af7292528..ac29a76966 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release
Type=oneshot
RemainAfterExit=yes
ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful
+
+# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK.
+SuccessExitStatus=76

View File

@ -1,37 +0,0 @@
From ba031f1fe86e36d7adc0340b047de32399c98bf7 Mon Sep 17 00:00:00 2001
From: Ronan Pigott <ronan@rjp.ie>
Date: Fri, 8 Mar 2024 13:40:08 -0700
Subject: [PATCH] resolved: permit dnssec rrtype questions when we aren't
validating
This check introduced in 91adc4db33f6 is intended to spare us from
encountering broken resolver behavior we don't want to deal with.
However if we aren't validating we more than likely don't know the state
of the upstream resolver's support for dnssec. Let's let clients try
these queries if they want.
This brings the behavior of sd-resolved in-line with previouly stated
change in the meaning of DNSSEC=no, which now means "don't validate"
rather than "don't validate, because the upstream resolver is declared to
be dnssec-unaware".
Fixes: 9c47b334445a ("resolved: enable DNS proxy mode if client wants DNSSEC")
(cherry picked from commit 364c948707afa097f6ad177b61c2b51a86c0089a)
---
src/resolve/resolved-dns-server.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f4f4..b37f541c7f 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;

View File

@ -1,123 +0,0 @@
From 70f5fb2f7ab585458008b1d3144e4ebaf98db42e Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Sun, 2 Jun 2024 16:24:52 +0200
Subject: [PATCH] repart: Use crypt_reencrypt_run() if available
crypt_reencrypt() is deprecated, so let's look for and prefer
crypt_reencrypt_run() if it is available.
(cherry picked from commit b99b2941276a74878a23470b36c75b0c21dbdd4a)
---
meson.build | 1 +
src/partition/repart.c | 6 +++++-
src/shared/cryptsetup-util.c | 19 ++++++++-----------
src/shared/cryptsetup-util.h | 6 +++---
4 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/meson.build b/meson.build
index ea4e12aa1c..e42151998b 100644
--- a/meson.build
+++ b/meson.build
@@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size',
'crypt_token_max',
'crypt_reencrypt_init_by_passphrase',
'crypt_reencrypt',
+ 'crypt_reencrypt_run',
'crypt_set_data_offset',
'crypt_set_keyring_to_link',
'crypt_resume_by_volume_key']
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 6f67d46025..2ecae4ca03 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -3913,7 +3913,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget
}
static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) {
-#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT
+#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT)
const char *node = partition_target_path(target);
struct crypt_params_luks2 luks_params = {
.label = strempty(ASSERT_PTR(p)->new_label),
@@ -4220,7 +4220,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
if (r < 0)
return log_error_errno(r, "Failed to load reencryption context: %m");
+#if HAVE_CRYPT_REENCRYPT_RUN
+ r = sym_crypt_reencrypt_run(cd, NULL, NULL);
+#else
r = sym_crypt_reencrypt(cd, NULL);
+#endif
if (r < 0)
return log_error_errno(r, "Failed to encrypt %s: %m", node);
} else {
diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c
index 288e6e8942..d0dd434df8 100644
--- a/src/shared/cryptsetup-util.c
+++ b/src/shared/cryptsetup-util.c
@@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_FUNCTION(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_FUNCTION(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_FUNCTION(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET
@@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) {
/* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with
* crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is
- * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the
- * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off
- * warnings about this for now. */
-
- DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+ * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old
+ * symbol if the new one is not available. */
ELF_NOTE_DLOPEN("cryptsetup",
"Support for disk encryption, integrity, and authentication",
@@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) {
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_ARG(crypt_reencrypt_init_by_passphrase),
#endif
-#if HAVE_CRYPT_REENCRYPT
+#if HAVE_CRYPT_REENCRYPT_RUN
+ DLSYM_ARG(crypt_reencrypt_run),
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_ARG(crypt_reencrypt),
#endif
DLSYM_ARG(crypt_metadata_locking),
@@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) {
if (r <= 0)
return r;
- REENABLE_WARNING;
-
/* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that
* libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set
* whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some
diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h
index f00ac367b6..d255e59004 100644
--- a/src/shared/cryptsetup-util.h
+++ b/src/shared/cryptsetup-util.h
@@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get);
#if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE
DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase);
#endif
-#if HAVE_CRYPT_REENCRYPT
-DISABLE_WARNING_DEPRECATED_DECLARATIONS;
+#if HAVE_CRYPT_REENCRYPT_RUN
+DLSYM_PROTOTYPE(crypt_reencrypt_run);
+#elif HAVE_CRYPT_REENCRYPT
DLSYM_PROTOTYPE(crypt_reencrypt);
-REENABLE_WARNING;
#endif
DLSYM_PROTOTYPE(crypt_metadata_locking);
#if HAVE_CRYPT_SET_DATA_OFFSET

View File

@ -1,136 +0,0 @@
From 4a468387acbc8a2bd51bffaeca242e415e55b614 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 12 Jun 2024 12:09:25 +0200
Subject: [PATCH] test: dump a simple summary at the end of TEST-02-UNITTEST
Let's dump a list of skipped tests and logs from failed tests at the end
of TEST-02-UNITTEST to make debugging fails in CI slightly less painful.
(cherry picked from commit 2ac0e52f29eb5f0040882fc46bcfa369893577f3)
---
test/TEST-02-UNITTESTS/test.sh | 8 ----
test/test-functions | 68 ---------------------------------
test/units/TEST-02-UNITTESTS.sh | 14 +++++++
3 files changed, 14 insertions(+), 76 deletions(-)
diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh
index f165c99368..2cf9c31096 100755
--- a/test/TEST-02-UNITTESTS/test.sh
+++ b/test/TEST-02-UNITTESTS/test.sh
@@ -37,12 +37,4 @@ test_append_files() {
fi
}
-check_result_nspawn() {
- check_result_nspawn_unittests "${1}"
-}
-
-check_result_qemu() {
- check_result_qemu_unittests
-}
-
do_test "$@"
diff --git a/test/test-functions b/test/test-functions
index be6eb1d9b2..8b497b2e27 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -1860,74 +1860,6 @@ check_result_qemu() {
return $ret
}
-check_result_nspawn_unittests() {
- local workspace="${1:?}"
- local ret=1
-
- [[ -e "$workspace/testok" ]] && ret=0
-
- if [[ -s "$workspace/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$workspace/failed"
- else
- if [[ -s "$workspace/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$workspace/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$workspace/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$workspace/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$workspace" || ret=5
-
- save_journal "$workspace/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "${initdir:?}"
-
- return $ret
-}
-
-check_result_qemu_unittests() {
- local ret=1
-
- mount_initdir
- [[ -e "${initdir:?}/testok" ]] && ret=0
-
- if [[ -s "$initdir/failed" ]]; then
- ret=$((ret + 1))
- echo "=== Failed test log ==="
- cat "$initdir/failed"
- else
- if [[ -s "$initdir/skipped" ]]; then
- echo "=== Skipped test log =="
- cat "$initdir/skipped"
- # We might have only skipped tests - that should not fail the job
- ret=0
- fi
- if [[ -s "$initdir/testok" ]]; then
- echo "=== Passed tests ==="
- cat "$initdir/testok"
- fi
- fi
-
- get_bool "${TIMED_OUT:=}" && ret=1
- check_coverage_reports "$initdir" || ret=5
-
- save_journal "$initdir/var/log/journal" $ret
- echo "${JOURNAL_LIST:-"No journals were saved"}"
-
- _umount_dir "$initdir"
-
- return $ret
-}
-
create_rc_local() {
dinfo "Create rc.local"
mkdir -p "${initdir:?}/etc/rc.d"
diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh
index 6392425130..4448643f9a 100755
--- a/test/units/TEST-02-UNITTESTS.sh
+++ b/test/units/TEST-02-UNITTESTS.sh
@@ -95,6 +95,20 @@ export -f run_test
find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 |
xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}"
+# Write all pending messages, so they don't get mixed with the summaries below
+journalctl --sync
+
+# No need for full test logs in this case
+if [[ -s /skipped-tests ]]; then
+ : "=== SKIPPED TESTS ==="
+ cat /skipped-tests
+fi
+
+if [[ -s /failed ]]; then
+ : "=== FAILED TESTS ==="
+ cat /failed
+fi
+
# Test logs are sometimes lost, as the system shuts down immediately after
journalctl --sync

View File

@ -1,29 +0,0 @@
From d316aed5d8e15fb5b13b5618f1b2d1d020b1e7bf Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Mon, 3 Jun 2024 12:35:29 +0200
Subject: [PATCH] repart: Use CRYPT_ACTIVATE_PRIVATE
Let's skip udev device scanning when activating a LUKS volume in
systemd-repart as we don't depend on any udev symlinks and don't
expect anything except repart to access the volume.
Suggested by https://github.com/systemd/systemd/issues/33129#issuecomment-2143390941.
(cherry picked from commit 726fc7ae696510b04c24810f691d34f5d20529d6)
---
src/partition/repart.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 2ecae4ca03..78cf60f724 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -4236,7 +4236,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta
dm_name,
NULL,
VOLUME_KEY_SIZE,
- arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0);
+ (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE);
if (r < 0)
return log_error_errno(r, "Failed to activate LUKS superblock: %m");

View File

@ -1,26 +0,0 @@
From 4ebcdcb1360dbb10444f518bad7f04e10bcb6387 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 11 Jun 2024 23:09:30 +0100
Subject: [PATCH] NEWS: note that new stable releases will be in the main repo
(cherry picked from commit 40d637bace4041f081088673cb230669c1e34faf)
---
NEWS | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/NEWS b/NEWS
index 02ad8b2c79..bbee0852be 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,11 @@ CHANGES WITH 256:
* systemd.crash_reboot and related settings are deprecated in favor of
systemd.crash_action=.
+ * Stable releases for version v256 and newer will now be pushed in the
+ main repository. The systemd-stable repository will be used for existing
+ stable branches (v255-stable and lower), and when they reach EOL it will
+ be archived.
+
General Changes and New Features:
* Various programs will now attempt to load the main configuration file

View File

@ -1,29 +0,0 @@
From 2034de6157cc0d3e60489cdc16c7a5651f38783c Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Wed, 12 Jun 2024 14:35:34 +0200
Subject: [PATCH] shell-completion: only offer devices for completion
This skips directories and other stuff like /dev/core, /dev/initctl or
/dev/log.
(cherry picked from commit bde35f4a91663ebb854330f582baeef0f9adcbfb)
---
shell-completion/bash/udevadm | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm
index 05f921cf49..3842d722e7 100644
--- a/shell-completion/bash/udevadm
+++ b/shell-completion/bash/udevadm
@@ -32,10 +32,7 @@ __get_all_sysdevs() {
}
__get_all_device_nodes() {
- local i
- for i in /dev/* /dev/*/* /dev/*/*/*; do
- echo $i
- done
+ find /dev -xtype b -o -xtype c
}
__get_all_device_units() {

View File

@ -1,98 +0,0 @@
From a61a83a22b5f464463f9ab9e3ee3950f299c9f43 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 12 Jun 2024 18:31:56 +0200
Subject: [PATCH] CODING_STYLE: document "reterr_" return parameters
In some recent PRs (e.g. #32628) I started to systematically name return
parameters that shall only be initialized on failure (because they carry
additional error meta information, such as the line/column number of
parse failures or so). Let's make this official in the coding style.
(cherry picked from commit 7811864b08393eda5ff92145ea2776180d9b28ee)
---
docs/CODING_STYLE.md | 62 ++++++++++++++++++++++++++++++++++----------
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md
index 8f687e6662..309436a397 100644
--- a/docs/CODING_STYLE.md
+++ b/docs/CODING_STYLE.md
@@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later
thread. Use `is_main_thread()` to detect whether the calling thread is the
main thread.
-- Do not write functions that clobber call-by-reference variables on
- failure. Use temporary variables for these cases and change the passed in
- variables only on success. The rule is: never clobber return parameters on
- failure, always initialize return parameters on success.
-
-- Typically, function parameters fit into three categories: input parameters,
- mutable objects, and call-by-reference return parameters. Input parameters
- should always carry suitable "const" declarators if they are pointers, to
- indicate they are input-only and not changed by the function. Return
- parameters are best prefixed with "ret_", to clarify they are return
- parameters. (Conversely, please do not prefix parameters that aren't
- output-only with "ret_", in particular not mutable parameters that are both
- input as well as output). Example:
+- Typically, function parameters fit into four categories: input parameters,
+ mutable objects, call-by-reference return parameters that are initialized on
+ success, and call-by-reference return parameters that are initialized on
+ failure. Input parameters should always carry suitable `const` declarators if
+ they are pointers, to indicate they are input-only and not changed by the
+ function. The name of return parameters that are initialized on success
+ should be prefixed with `ret_`, to clarify they are return parameters. The
+ name of return parameters that are initialized on failure should be prefixed
+ with `reterr_`. (Examples of such parameters: those which carry additional
+ error information, such as the row/column of parse errors or so).
+ Conversely, please do not prefix parameters that aren't output-only with
+ `ret_` or `reterr_`, in particular not mutable parameters that are both input
+ as well as output.
+
+ Example:
```c
static int foobar_frobnicate(
Foobar* object, /* the associated mutable object */
const char *input, /* immutable input parameter */
- char **ret_frobnicated) { /* return parameter */
+ char **ret_frobnicated, /* return parameter on success */
+ unsigned *reterr_line, /* return parameter on failure */
+ unsigned *reterr_column) { /* ditto */
return 0;
}
```
+- Do not write functions that clobber call-by-reference success return
+ parameters on failure (i.e. `ret_xyz`, see above), or that clobber
+ call-by-reference failure return parameters on success
+ (i.e. `reterr_xyz`). Use temporary variables for these cases and change the
+ passed in variables only in the right condition. The rule is: never clobber
+ success return parameters on failure, always initialize success return
+ parameters on success (and the reverse for failure return parameters, of
+ course).
+
+- Please put `reterr_` return parameters in the function parameter list last,
+ and `ret_` return parameters immediately before that.
+
+ Good:
+
+ ```c
+ static int do_something(
+ const char *input,
+ const char *ret_on_success,
+ const char *reterr_on_failure);
+ ```
+
+ Not good:
+
+ ```c
+ static int do_something(
+ const char *reterr_on_failure,
+ const char *ret_on_success,
+ const char *input);
+ ```
+
- The order in which header files are included doesn't matter too
much. systemd-internal headers must not rely on an include order, so it is
safe to include them in any order possible. However, to not clutter global

View File

@ -1,27 +0,0 @@
From 51390a1f41a762ef96d3c496d8a5d890d722907d Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 4 Jun 2024 11:02:34 +0200
Subject: [PATCH] analyze: show pcrs also in sha384 bank
SHA384 is pretty much the bank we actually *want* to use, since it's
faster to calculate than SHA256, hence at the very least, start
considering.
(cherry picked from commit acaca5ab250a51be6ba07768bee80bf0f7b462fa)
---
src/analyze/analyze-pcrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c
index 43e415fc6d..1c3da3fd84 100644
--- a/src/analyze/analyze-pcrs.c
+++ b/src/analyze/analyze-pcrs.c
@@ -11,7 +11,7 @@
static int get_pcr_alg(const char **ret) {
assert(ret);
- FOREACH_STRING(alg, "sha256", "sha1") {
+ FOREACH_STRING(alg, "sha256", "sha384", "sha1") {
_cleanup_free_ char *p = NULL;
if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0)

View File

@ -1,41 +0,0 @@
From 3706b5e8e92fe6a4ff21cefe66f2eb27953a3fdf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cristian=20Rodr=C3=ADguez?= <cristian@rodriguez.im>
Date: Thu, 13 Jun 2024 11:59:28 -0400
Subject: [PATCH] fundamental: declare flex array updated for gcc15 and clang
19
Silly workaround that:
- allowed flexible arrays in unions
- allowed flexible arrays in otherwise empty structs
Is no longer needed since https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=adb1c8a0f167c3a1f7593d75f5a10eb07a5d741a
(GCC15) or clang 19 https://github.com/llvm/llvm-project/commit/14ba782a87e16e9e15460a51f50e67e2744c26d9
(cherry picked from commit 3c2f2146f50c75662987541719bedc4aee9df939)
---
src/fundamental/macro-fundamental.h | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h
index 5ccbda5186..8aca5f784a 100644
--- a/src/fundamental/macro-fundamental.h
+++ b/src/fundamental/macro-fundamental.h
@@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
} \
}
+/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/
+#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
+#define DECLARE_FLEX_ARRAY(type, name) type name[];
+#else
/* Declare a flexible array usable in a union.
* This is essentially a work-around for a pointless constraint in C99
* and might go away in some future version of the standard.
@@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) {
dummy_t __empty__ ## name; \
type name[]; \
}
+#endif
/* Declares an ELF read-only string section that does not occupy memory at runtime. */
#define DECLARE_NOALLOC_SECTION(name, text) \

View File

@ -1,31 +0,0 @@
From aedeaf745028a463150fd6d2b1aca778797735ac Mon Sep 17 00:00:00 2001
From: Nick Rosbrook <enr0n@ubuntu.com>
Date: Fri, 14 Jun 2024 17:31:22 -0400
Subject: [PATCH] man: add a bit of a warning to systemd-tmpfiles --purge
Mention that by default, /home is managed by tmpfiles.d/home.conf, and
recommend that users run systemd-tmpfiles --dry-run --purge first to
see exactly what will be removed.
(cherry picked from commit 9ebcac3b5125a8b0b11f371731ea167cd4684adc)
---
man/systemd-tmpfiles.xml | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 008bff62da..6f3ec66611 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -150,7 +150,11 @@
<varlistentry>
<term><option>--purge</option></term>
<listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted.</para>
+ <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
+ <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
+ (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
+ to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
+ and directories will be deleted.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>

View File

@ -1,65 +0,0 @@
From 1a0e6961cfaed42bda542e111738c136f7b4d73f Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 15 Jun 2024 17:27:33 +0200
Subject: [PATCH] man,units: drop "temporary" from description of
systemd-tmpfiles
Historically, systemd-tmpfiles was designed to manager temporary
files, but nowadays it has become a generic tool for managing
all kinds of files. To avoid user confusion, let's remove "temporary"
from the tool's description.
As discussed in #33349
(cherry picked from commit b5c8cc0a3b8e4e2fea0539d6420a76b524ea5735)
---
man/systemd-tmpfiles.xml | 8 +++++---
units/systemd-tmpfiles-setup.service | 2 +-
units/user/systemd-tmpfiles-setup.service | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 6f3ec66611..9767aead85 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -55,9 +55,11 @@
<refsect1>
<title>Description</title>
- <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files
- and directories, using the configuration file format and location specified in
- <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must
+ <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using
+ the configuration file format and location specified in
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides
+ generic file management functionality and can be used to manage any kind of files. It must
be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and
<option>--clean</option>, to select the respective subset of operations.</para>
diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service
index 6cae32850f..b92beb7314 100644
--- a/units/systemd-tmpfiles-setup.service
+++ b/units/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create Volatile Files and Directories
+Description=Create System Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service
index 156689edcd..54e453c4fc 100644
--- a/units/user/systemd-tmpfiles-setup.service
+++ b/units/user/systemd-tmpfiles-setup.service
@@ -8,7 +8,7 @@
# (at your option) any later version.
[Unit]
-Description=Create User's Volatile Files and Directories
+Description=Create User Files and Directories
Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8)
DefaultDependencies=no
Conflicts=shutdown.target

View File

@ -1,24 +0,0 @@
From 9f5f3c2f8bc2c3d82678672f3e700c1eb4e52d61 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 11:16:21 +0100
Subject: [PATCH] mkosi: enable unprivileged user ns for integration tests
Ubuntu disables them by default in Noble, ship a sysctl to turn them back on
so that tests can use them
(cherry picked from commit 4cfcde024f34b3e5f682364d4e0c6185ef07d467)
---
.../usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf | 4 ++++
1 file changed, 4 insertions(+)
create mode 100644 mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
new file mode 100644
index 0000000000..657ac72f8d
--- /dev/null
+++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf
@@ -0,0 +1,4 @@
+# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed
+# for integration tests
+kernel.apparmor_restrict_unprivileged_unconfined = 0
+kernel.apparmor_restrict_unprivileged_userns = 0

View File

@ -1,74 +0,0 @@
From 21feae324e812580062c36aa14cc5e68a37aa151 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 15:28:56 +0100
Subject: [PATCH] mkosi: use ports.ubuntu.com for non-x86 backports
Follow-up for 46368556afee7a1f3a1685609942438ef2d9d6c1
(cherry picked from commit c01cb8cbff8512b65b7903b55f78c8d12661b8d7)
---
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf | 3 ---
.../mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 9 +++++++++
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 9 +++++++++
.../mkosi.conf.d/10-ubuntu/noble-backports-ports.sources | 6 ++++++
4 files changed, 24 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
create mode 100644 mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
index 25957b1e92..86f9736ed9 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf
@@ -3,9 +3,6 @@
[Match]
Distribution=ubuntu
-[Distribution]
-PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
-
[Content]
Packages=
linux-image-generic
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
new file mode 100644
index 0000000000..0ec4807822
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The ports Ubuntu archive is for non i386/amd64 repositories
+
+[Match]
+Architecture=!x86-64
+Architecture=!x86
+
+[Distribution]
+PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
new file mode 100644
index 0000000000..c08eeac337
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# The main Ubuntu archive is only for i386/amd64 repositories
+
+[Match]
+Architecture=|x86-64
+Architecture=|x86
+
+[Distribution]
+PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
new file mode 100644
index 0000000000..5b96dc544d
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources
@@ -0,0 +1,6 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+Types: deb
+URIs: http://ports.ubuntu.com
+Suites: noble-backports
+Components: main universe
+Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

View File

@ -1,58 +0,0 @@
From 9802a28b367b3d403c41b570949e3c91f505ede5 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 20:42:12 +0100
Subject: [PATCH] mkosi: install EFI packages only on EFI architectures
sbsigntool, systemd-boot and systemd-boot-efi do not exist on other
architectures
(cherry picked from commit 47fe3f29b4ba1b44ae71a7e67c579c4883731dd4)
---
.../mkosi.conf.d/10-debian-ubuntu/mkosi.conf | 3 ---
.../10-debian-ubuntu/mkosi.conf.d/efi.conf | 16 ++++++++++++++++
2 files changed, 16 insertions(+), 3 deletions(-)
create mode 100644 mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
index ae014fa966..ecac78049d 100644
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf
@@ -20,8 +20,6 @@ VolatilePackages=
libsystemd-dev
libudev-dev
systemd
- systemd-boot
- systemd-boot-efi
systemd-container
systemd-coredump
systemd-dev
@@ -74,7 +72,6 @@ Packages=
python3-pexpect
python3-psutil
quota
- sbsigntool
softhsm2
squashfs-tools
stress
diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
new file mode 100644
index 0000000000..781670a775
--- /dev/null
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+# sbsigntool exists only on UEFI architectures
+
+[Match]
+Architecture=|x86
+Architecture=|x86-64
+Architecture=|arm
+Architecture=|arm64
+Architecture=|riscv32
+Architecture=|riscv64
+
+[Content]
+Packages=
+ sbsigntool
+ systemd-boot
+ systemd-boot-efi

View File

@ -1,31 +0,0 @@
From 50b53b8221aa9d5e8fa3269b73d13b8a304728a8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 13:41:50 +0100
Subject: [PATCH] test: check the skip condition before installing additional
files
(cherry picked from commit e1daedb4be6d8180790e0b303872fb1c87ddc7fc)
---
test/units/TEST-43-PRIVATEUSER-UNPRIV.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
index 165af47f15..f8a2a62467 100755
--- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
+++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh
@@ -6,13 +6,13 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
-install_extension_images
-
if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then
echo "Cannot create unprivileged user namespaces" >/skipped
exit 77
fi
+install_extension_images
+
systemd-analyze log-level debug
runas testuser systemd-run --wait --user --unit=test-private-users \

View File

@ -1,37 +0,0 @@
From 51a2e7be5ec1a28be11d309897671c8dd4511ae8 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 16:08:57 +0100
Subject: [PATCH] test: drop unneeded firmware: uefi setting
These tests no longer need this, as they are running in nspawn, drop it
(cherry picked from commit f44fc531c95e37c83203375c411189009a01b482)
---
test/TEST-09-REBOOT/meson.build | 2 --
test/TEST-18-FAILUREACTION/meson.build | 2 --
2 files changed, 4 deletions(-)
diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build
index c4b41bc97b..b7556189f5 100644
--- a/test/TEST-09-REBOOT/meson.build
+++ b/test/TEST-09-REBOOT/meson.build
@@ -4,7 +4,5 @@ integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'storage' : 'persistent',
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]
diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build
index 5edfbcad1f..8dec5f37e7 100644
--- a/test/TEST-18-FAILUREACTION/meson.build
+++ b/test/TEST-18-FAILUREACTION/meson.build
@@ -3,7 +3,5 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
- # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
},
]

View File

@ -1,28 +0,0 @@
From df1e7d9572fab94209989f341bb1e1a86d88223b Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:21:32 +0100
Subject: [PATCH] test: drop obsolete comment
We want to keep various logic here instead of mkosi, so drop the
temporary comment
(cherry picked from commit 626518ecd5e7b0c0c708ba53d7eb62934506ed54)
---
test/integration-test-wrapper.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 5b098a3e01..1e015e7d47 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -2,10 +2,6 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
'''Test wrapper command for driving integration tests.
-
-Note: This is deliberately rough and only intended to drive existing tests
-with the expectation that as part of formally defining the API it will be tidy.
-
'''
import argparse

View File

@ -1,25 +0,0 @@
From a36cb5660e4d84c16242c1d70b99d9a2e389f191 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Sun, 16 Jun 2024 19:15:24 +0100
Subject: [PATCH] test: support TEST_NO_KVM
The shell integration suite allows to manually deselect KVM, so
suppor the same env var for the same purpose in python.
(cherry picked from commit 7d2701e7d1d0a7194026dd371071df6e63f59a82)
---
test/integration-test-wrapper.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 1e015e7d47..15b1ce1055 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -124,6 +124,7 @@ def main():
*args.mkosi_args,
'--append',
'--qemu-firmware', args.firmware,
+ '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no",
'--kernel-command-line-extra',
' '.join([
'systemd.hostname=H',

View File

@ -1,30 +0,0 @@
From 6178aa4bbcc6b0531314c1a2e9df61e45e6c9ad4 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 14:09:40 +0100
Subject: [PATCH] test: support TEST_NO_QEMU in mkosi integration wrapper
Same as the old integration test suite, allow skipping tests that
require qemu.
ppc64el's vsock support doesn't appear to work, so we'll skip it,
as it is already done in the legacy framework.
(cherry picked from commit 464d182b3e470e4163ca376145539a537a6e43a2)
---
test/integration-test-wrapper.py | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py
index 15b1ce1055..b6a16aa3ef 100755
--- a/test/integration-test-wrapper.py
+++ b/test/integration-test-wrapper.py
@@ -57,6 +57,10 @@ def main():
print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr)
exit(77)
+ if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))):
+ print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr)
+ exit(77)
+
name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "")
dropin = textwrap.dedent(

View File

@ -1,27 +0,0 @@
From 7d65709901cb3fc746639398776cfdb7cb750a03 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:37:43 +0100
Subject: [PATCH] test: use 'auto' instead of 'uefi' for automated fallback
mkosi will prefer UEFI if the architecture supports it, but fallback
to 'linux' if it doesn't.
(cherry picked from commit 80468db8fa21ffd07dc2f28c656eeaf8f0292367)
---
test/TEST-06-SELINUX/meson.build | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build
index 7a850beb81..9261a49c49 100644
--- a/test/TEST-06-SELINUX/meson.build
+++ b/test/TEST-06-SELINUX/meson.build
@@ -5,7 +5,8 @@ integration_tests += [
'name' : fs.name(meson.current_source_dir()),
'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
- 'firmware' : 'uefi',
+ # Use 'auto' to automatically fallback on non-uefi architectures.
+ 'firmware' : 'auto',
'vm' : true,
},
]

View File

@ -1,45 +0,0 @@
From f7d55cc801611781fbff2817f2fd4a16ec96ca85 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Mon, 17 Jun 2024 07:47:20 +0200
Subject: [PATCH] core/service: fix accept-socket deserialization
Follow-up for 45b1017488cef2a5bacdf82028ce900a311c9a1c
(cherry picked from commit 9f5d8c3da4f505346bd1edfae907a2abcdbdc578)
---
src/core/service.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index 8ec27c463a..6e81460ad0 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) {
service_start_watchdog(s);
if (UNIT_ISSET(s->accept_socket)) {
- Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket));
+ Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket));
if (socket->max_connections_per_source > 0) {
SocketPeer *peer;
@@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
} else if (streq(key, "accept-socket")) {
Unit *socket;
- if (u->type != UNIT_SOCKET) {
- log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket");
+ if (unit_name_to_type(value) != UNIT_SOCKET) {
+ log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value);
return 0;
}
@@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value,
log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value);
else {
unit_ref_set(&s->accept_socket, u, socket);
- SOCKET(socket)->n_connections++;
+ ASSERT_PTR(SOCKET(socket))->n_connections++;
}
} else if (streq(key, "socket-fd")) {

View File

@ -1,26 +0,0 @@
From 4cc6da9a5dfb69f149404d5a784c57bca2a21237 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 00:09:03 +0900
Subject: [PATCH] test-network: mention that the captive portal option is
supported since v2.20
The current latest release is v2.19, hence the test is typically skipped now.
(cherry picked from commit 4f6d8ab0767e534553bfa130f39dbb07ebb804a4)
---
test/test-network/systemd-networkd-tests.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py
index 92cb07f11c..0355c7aca1 100755
--- a/test/test-network/systemd-networkd-tests.py
+++ b/test/test-network/systemd-networkd-tests.py
@@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities):
self.assertIn('pref high', output)
self.assertNotIn('pref low', output)
+ # radvd supports captive portal since v2.20.
+ # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc
@unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals")
def test_captive_portal(self):
copy_network_unit('25-veth-client.netdev',

View File

@ -1,27 +0,0 @@
From b455006ae189d4ceef4214d8d4ab2027781d37e0 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 17:40:28 +0100
Subject: [PATCH] CI: disable secure boot in mkosi GHA runs
Booting a guest with secure boot is broken in Azure due to a hypervisor
bug. Disable it for now. Given there's no option, need to edit
the configuration on the fly.
(cherry picked from commit bdd0b45bfd7190bb8eb50c71ff6f50a80d6e6e52)
---
.github/workflows/mkosi.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 425d737b62..62efd367cb 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -117,6 +117,8 @@ jobs:
- name: Configure
run: |
+ # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved
+ sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build
tee mkosi.local.conf <<EOF
[Distribution]
Distribution=${{ matrix.distro }}

View File

@ -1,23 +0,0 @@
From d89c99c7ad165fa2471e1c5c1a3bdedab0818da9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Mon, 17 Jun 2024 15:40:10 +0100
Subject: [PATCH] mkosi: bump to latest
(cherry picked from commit 3001339dc5b3faf8f8edee4c07b14a4abdf3d66f)
---
.github/workflows/mkosi.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 62efd367cb..3a8dabd95c 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -92,7 +92,7 @@ jobs:
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
- - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf
+ - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location

View File

@ -1,23 +0,0 @@
From a776dcf7af3b189f4f9616d174dbfc53a9bd6db6 Mon Sep 17 00:00:00 2001
From: Carlo Teubner <carlo@cteubner.net>
Date: Tue, 18 Jun 2024 09:41:59 +0100
Subject: [PATCH] NEWS: fix typo
(cherry picked from commit f6d517f8478bdd83b7d149b242a47d7686235c7e)
---
NEWS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index bbee0852be..da81fe3c5d 100644
--- a/NEWS
+++ b/NEWS
@@ -195,7 +195,7 @@ CHANGES WITH 256:
additional per-user service managers, whose users are transient and
are only defined as long as the service manager is running. (This is
implemented via DynamicUser=1), allowing a user manager to be used to
- manager a group of processes without needing to create an actual user
+ manage a group of processes without needing to create an actual user
account. These service managers run with home directories of
/var/lib/capsules/<capsule-name> and can contain regular services and
other units. A capsule is started via a simple "systemctl start

View File

@ -1,69 +0,0 @@
From c26e56d08f30a2946dfa1d03781c63bfa9f56c1d Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Fri, 7 Jun 2024 21:39:45 +0100
Subject: [PATCH] install: allow removing symlinks even for units that are gone
If a symlink is leftover, still allow cleaning it up via 'disable'. This
happens when a unit is stopped and removed, but not disabled, and a reload
has already happened. At that point, cleaning up the old symlinks becomes
impossible through the APIs, and needs to be done manually. Always allow
cleaning up symlinks, if they exist, by only erroring out if there is an
OOM.
Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017
(cherry picked from commit 5163c9b1e56293b1bb2803420613c5b374570892)
---
src/shared/install.c | 14 ++++++++++----
test/units/TEST-26-SYSTEMCTL.sh | 6 ++++++
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/shared/install.c b/src/shared/install.c
index dd2bd5c948..c94b456c21 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal(
else {
log_debug_errno(r, "Unit %s not found, removing name.", i->name);
r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL);
- if (r < 0)
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
return r;
}
} else if (r < 0) {
@@ -2874,9 +2876,13 @@ static int do_unit_file_disable(
r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info);
if (r >= 0)
r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL);
-
- if (r < 0)
- return install_changes_add(changes, n_changes, r, *name, NULL);
+ if (r < 0) {
+ r = install_changes_add(changes, n_changes, r, *name, NULL);
+ /* In case there's no unit, we still want to remove any leftover symlink, even if
+ * the unit might have been removed already, hence treating ENOENT as non-fatal. */
+ if (r != -ENOENT)
+ return r;
+ }
/* If we enable multiple units, some with install info and others without,
* the "empty [Install] section" warning is not shown. Let's make the behavior
diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh
index ae7a5d6eb6..1471f3fd9e 100755
--- a/test/units/TEST-26-SYSTEMCTL.sh
+++ b/test/units/TEST-26-SYSTEMCTL.sh
@@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME"
systemctl help "$UNIT_NAME"
systemctl service-watchdogs
systemctl service-watchdogs "$(systemctl service-watchdogs)"
+# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers
+systemctl enable "$UNIT_NAME"
+systemctl stop "$UNIT_NAME"
+rm -f "/usr/lib/systemd/system/$UNIT_NAME"
+systemctl daemon-reload
+systemctl disable "$UNIT_NAME"
# show/set-environment
# Make sure PATH is set

View File

@ -1,35 +0,0 @@
From 90ec0265707d381ed8cc77de475cd963686eaba3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:54:33 +0200
Subject: [PATCH] tmpfiles: honour --dry-run when removing directories
(cherry picked from commit edeceb80a91e8400e8c22f08a41045a2ba270fe6)
---
src/tmpfiles/tmpfiles.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 807925f199..283be21d16 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -3024,10 +3024,16 @@ static int remove_recursive(
return r;
if (remove_instance) {
- log_debug("Removing directory \"%s\".", instance);
- r = RET_NERRNO(rmdir(instance));
- if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY))
- return log_error_errno(r, "Failed to remove %s: %m", instance);
+ log_action("Would remove", "Removing", "%s directory \"%s\".", instance);
+ if (!arg_dry_run) {
+ r = RET_NERRNO(rmdir(instance));
+ if (r < 0) {
+ bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY);
+ log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance);
+ if (fatal)
+ return r;
+ }
+ }
}
return 0;
}

View File

@ -1,68 +0,0 @@
From e76015738942246db70f444b3567afd1b132f824 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:55:20 +0200
Subject: [PATCH] tmpfiles: insist on at least one configuration file being
specified on --purge
Also, extend the man page explanation substantially, matching more
closely what --create says.
Fixes: #33349
(cherry picked from commit 41064a3c97c9a53c97bbe8a1de799a82c4374a2d)
---
man/systemd-tmpfiles.xml | 26 ++++++++++++++++++++------
src/tmpfiles/tmpfiles.c | 4 ++++
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
index 9767aead85..2a494b9c5c 100644
--- a/man/systemd-tmpfiles.xml
+++ b/man/systemd-tmpfiles.xml
@@ -151,12 +151,26 @@
<varlistentry>
<term><option>--purge</option></term>
- <listitem><para>If this option is passed, all files and directories created by a
- <filename>tmpfiles.d/</filename> entry will be deleted. Keep in mind that by default,
- <filename>/home</filename> is created by <command>systemd-tmpfiles</command>
- (see <filename>/usr/lib/tmpfiles.d/home.conf</filename>). Therefore it is recommended
- to first run <command>systemd-tmpfiles --dry-run --purge</command> to be certain which files
- and directories will be deleted.</para>
+
+ <listitem><para>If this option is passed, all files and directories marked for
+ <emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command
+ line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories
+ marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>,
+ <varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>,
+ <varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>,
+ <varname>w</varname>, <varname>e</varname>. If this switch is used at least one
+ <filename>tmpfiles.d/</filename> file (or <filename>-</filename> for standard input) must be
+ specified on the command line or the invocation will be refused, for safety reasons (as otherwise
+ much of the installed system files might be removed).</para>
+
+ <para>The primary usecase for this option is to automatically remove files and directories that
+ originally have been created on behalf of an installed packaged at package removal time.</para>
+
+ <para>It is recommended to first run this command in combination with <option>--dry-run</option>
+ (see below) to verify which files and directories will be deleted.</para>
+
+ <para><emphasis>Warning!</emphasis> This is is usually not the command you want! In most cases
+ <option>--remove</option> is what you are looking for.</para>
<xi:include href="version-info.xml" xpointer="v256"/></listitem>
</varlistentry>
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 283be21d16..1704197207 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4344,6 +4344,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"You need to specify at least one of --clean, --create, --remove, or --purge.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without specification of a configuration file.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");

View File

@ -1,37 +0,0 @@
From 08b8237303efdf072a0f61615b7f1633eafc8e0a Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 18 Jun 2024 09:56:15 +0200
Subject: [PATCH] tmpfiles: move --purge to command section in --help text
where it belongs
Also, make contrast between --remove and --purge clearer: one deletes
files marked for deletion, the other deletes files marked for creation.
(cherry picked from commit 69d76823ce6e9c307184946ed55b207eb728e625)
---
src/tmpfiles/tmpfiles.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 1704197207..8cc8c1ccd6 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4148,7 +4148,9 @@ static int help(void) {
"\n%3$sCommands:%4$s\n"
" --create Create files and directories\n"
" --clean Clean up files and directories\n"
- " --remove Remove files and directories\n"
+ " --remove Remove files and directories marked for removal\n"
+ " --purge Delete files and directories marked for creation in\n"
+ " specified configuration files (careful!)\n"
" -h --help Show this help\n"
" --version Show package version\n"
"\n%3$sOptions:%4$s\n"
@@ -4157,7 +4159,6 @@ static int help(void) {
" --tldr Show non-comment parts of configuration\n"
" --boot Execute actions only safe at boot\n"
" --graceful Quietly ignore unknown users or groups\n"
- " --purge Delete all files owned by the configuration files\n"
" --prefix=PATH Only apply rules with the specified prefix\n"
" --exclude-prefix=PATH Ignore rules with the specified prefix\n"
" -E Ignore rules prefixed with /dev, /proc, /run, /sys\n"

View File

@ -1,37 +0,0 @@
From 7b18adadde58798a895366105c6c1517231029d9 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Tue, 18 Jun 2024 13:35:32 +0100
Subject: [PATCH] mkosi: restrict noble-backports to noble builds
Follow-up for c01cb8cbff8512b65b7903b55f78c8d12661b8d7
(cherry picked from commit f97b243edfcae211aade6ceb2fd89ae9d9209fac)
---
.../system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf | 1 +
mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf | 1 +
2 files changed, 2 insertions(+)
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
index 0ec4807822..582f038b5f 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=!x86-64
Architecture=!x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources
diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
index c08eeac337..7347be9069 100644
--- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
+++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf
@@ -4,6 +4,7 @@
[Match]
Architecture=|x86-64
Architecture=|x86
+Release=noble
[Distribution]
PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources

View File

@ -1,22 +0,0 @@
From f8f669fd69bf15f386308ef8f4cbbbd5a7ad69cd Mon Sep 17 00:00:00 2001
From: Antonio Alvarez Feijoo <antonio.feijoo@suse.com>
Date: Tue, 18 Jun 2024 14:07:50 +0200
Subject: [PATCH] repart: fix memory leak
(cherry picked from commit a81f5ffd40081441dafc678fe83d185436dde35a)
---
src/partition/repart.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/partition/repart.c b/src/partition/repart.c
index 78cf60f724..8f64520ee7 100644
--- a/src/partition/repart.c
+++ b/src/partition/repart.c
@@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep);
STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep);
STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep);
STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep);

View File

@ -1,42 +0,0 @@
From 34ba18b0124407403690738b46fbd6236fe65c92 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 18 Jun 2024 17:55:31 +0900
Subject: [PATCH] logs-show: do not use _SOURCE_MONOTONIC_TIMESTAMP field
The timestamp is not in CLOCK_MONOTONIC, but CLOCK_BOOTTIME,
while header monotonic timestamp is in CLOCK_MONOTONIC. Hence, we cannot
adjust timestamp by comparing with header monotonic timestamp and
_SOURCE_MONOTONIC_TIMESTAMP field.
Fixes a regression caused by affde1d7e79a634ee6053dbd4a57b3b51b74c170.
Fixes #33293.
(cherry picked from commit 144498e7e6efe2d90981cb14e3ed462a70a955c6)
---
src/shared/logs-show.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index c71c868889..153a4110ce 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -450,6 +450,9 @@ static void parse_display_realtime(
assert(j);
assert(ret);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
/* First, try _SOURCE_REALTIME_TIMESTAMP. */
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) {
*ret = t;
@@ -488,6 +491,9 @@ static void parse_display_timestamp(
assert(ret_display_ts);
assert(ret_boot_id);
+ // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime.
+ source_monotonic = NULL;
+
if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t))
source_ts.realtime = t;

View File

@ -1,98 +0,0 @@
From 67ff61b054e8d4d4d3923c3b81586b2d4e286d6b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 16 May 2024 14:24:38 +0200
Subject: [PATCH] ci: update workflows to run on source-git setup
rhel-only: ci
Related: RHEL-36636
---
.github/workflows/cflite_pr.yml | 3 ---
.github/workflows/codeql.yml | 6 ------
.github/workflows/differential-shellcheck.yml | 4 ----
.github/workflows/linter.yml | 3 ---
.github/workflows/unit_tests.yml | 3 ---
5 files changed, 19 deletions(-)
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
index f0d321794a..87dcd3c478 100644
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -5,9 +5,6 @@
name: ClusterFuzzLite PR fuzzing
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions: read-all
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d284f75f1..daf34486d2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -6,9 +6,6 @@ name: "CodeQL"
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
paths:
- '**/meson.build'
- '.github/**/codeql*'
@@ -16,9 +13,6 @@ on:
- 'test/**'
- 'tools/**'
push:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
index 244f5d503b..403b5cfc58 100644
--- a/.github/workflows/differential-shellcheck.yml
+++ b/.github/workflows/differential-shellcheck.yml
@@ -4,11 +4,7 @@
name: Differential ShellCheck
on:
push:
- branches:
- - main
pull_request:
- branches:
- - main
permissions:
contents: read
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index cf0bc09453..e7fb70f2f5 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -6,9 +6,6 @@ name: Lint Code Base
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 895068c2a2..bf6c820092 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -5,9 +5,6 @@
name: Unit tests
on:
pull_request:
- branches:
- - main
- - v[0-9]+-stable
permissions:
contents: read

View File

@ -1,282 +0,0 @@
From 67b16d23396d9837f878850e890f90228d59d49e Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 16 May 2024 14:36:04 +0200
Subject: [PATCH] ci: setup source-git automation
rhel-only: ci
Related: RHEL-36636
---
.github/advanced-commit-linter.yml | 17 +++++
.github/auto-merge.yml | 4 ++
.github/pull-request-validator.yml | 4 ++
.github/regression-sniffer.yml | 1 +
.github/tracker-validator.yml | 31 ++++++++
.github/workflows/gather-pr-metadata.yml | 12 ++--
.../source-git-automation-on-demand.yml | 72 +++++++++++++++++++
.github/workflows/source-git-automation.yml | 45 ++++++++++++
8 files changed, 179 insertions(+), 7 deletions(-)
create mode 100644 .github/advanced-commit-linter.yml
create mode 100644 .github/auto-merge.yml
create mode 100644 .github/pull-request-validator.yml
create mode 100644 .github/regression-sniffer.yml
create mode 100644 .github/tracker-validator.yml
create mode 100644 .github/workflows/source-git-automation-on-demand.yml
create mode 100644 .github/workflows/source-git-automation.yml
diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
new file mode 100644
index 0000000000..3609fe4612
--- /dev/null
+++ b/.github/advanced-commit-linter.yml
@@ -0,0 +1,17 @@
+policy:
+ cherry-pick:
+ upstream:
+ - github: systemd/systemd
+ exception:
+ note:
+ - rhel-only
+ - RHEL-only
+ tracker:
+ - keyword:
+ - 'Resolves: '
+ - 'Related: '
+ - 'Reverts: '
+ type: jira
+ issue-format:
+ - 'RHEL-\d+$'
+ url: 'https://issues.redhat.com/browse/'
diff --git a/.github/auto-merge.yml b/.github/auto-merge.yml
new file mode 100644
index 0000000000..35c2539295
--- /dev/null
+++ b/.github/auto-merge.yml
@@ -0,0 +1,4 @@
+labels:
+ dont-merge: dont-merge
+ manual-merge: pr/needs-manual-merge
+target-branch': ['main']
diff --git a/.github/pull-request-validator.yml b/.github/pull-request-validator.yml
new file mode 100644
index 0000000000..4bb5bbec12
--- /dev/null
+++ b/.github/pull-request-validator.yml
@@ -0,0 +1,4 @@
+labels:
+ missing-review: pr/needs-review
+ changes-requested: pr/changes-requested
+ missing-failing-ci: pr/needs-ci
diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml
new file mode 100644
index 0000000000..3824028e92
--- /dev/null
+++ b/.github/regression-sniffer.yml
@@ -0,0 +1 @@
+upstream: systemd/systemd
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
new file mode 100644
index 0000000000..2e858606ff
--- /dev/null
+++ b/.github/tracker-validator.yml
@@ -0,0 +1,31 @@
+labels:
+ missing-tracker: tracker/missing
+ invalid-product: tracker/invalid-product
+ invalid-component: tracker/invalid-component
+ unapproved: tracker/unapproved
+products:
+ - Red Hat Enterprise Linux 10
+ - CentOS Stream 10
+ - rhel-10.0.beta
+ - rhel-10.0
+ - rhel-10.0.z
+ - rhel-10.1
+ - rhel-10.1.z
+ - rhel-10.2
+ - rhel-10.2.z
+ - rhel-10.3
+ - rhel-10.3.z
+ - rhel-10.4
+ - rhel-10.4.z
+ - rhel-10.5
+ - rhel-10.5.z
+ - rhel-10.6
+ - rhel-10.6.z
+ - rhel-10.7
+ - rhel-10.7.z
+ - rhel-10.8
+ - rhel-10.8.z
+ - rhel-10.9
+ - rhel-10.9.z
+ - rhel-10.10
+ - rhel-10.10.z
diff --git a/.github/workflows/gather-pr-metadata.yml b/.github/workflows/gather-pr-metadata.yml
index e4a0caff03..857689a37b 100644
--- a/.github/workflows/gather-pr-metadata.yml
+++ b/.github/workflows/gather-pr-metadata.yml
@@ -1,18 +1,17 @@
---
-
name: Gather Pull Request Metadata
on:
pull_request:
- branches: [ main ]
+ types: [ opened, reopened, synchronize ]
+ branches: [ main, rhel-10.0.beta, rhel-10.* ]
permissions:
contents: read
jobs:
gather-metadata:
- if: github.repository == 'systemd/systemd'
- runs-on: ubuntu-24.04
+ runs-on: ubuntu-latest
steps:
- name: Repository checkout
@@ -20,11 +19,10 @@ jobs:
- id: metadata
name: Gather Pull Request Metadata
- uses: redhat-plumbers-in-action/gather-pull-request-metadata@17821d3bc27c1efed339595898c2e622accc5a1b
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
- name: Upload Pull Request Metadata artifact
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+ uses: actions/upload-artifact@v4
with:
name: Pull Request Metadata
path: ${{ steps.metadata.outputs.metadata-file }}
- retention-days: 1
diff --git a/.github/workflows/source-git-automation-on-demand.yml b/.github/workflows/source-git-automation-on-demand.yml
new file mode 100644
index 0000000000..af9ea781f6
--- /dev/null
+++ b/.github/workflows/source-git-automation-on-demand.yml
@@ -0,0 +1,72 @@
+name: Source git Automation Scheduled/On Demand
+on:
+ schedule:
+ # Workflow runs every 45 minutes
+ - cron: '*/45 * * * *'
+ workflow_dispatch:
+ inputs:
+ pr-number:
+ description: 'Pull Request number/s ; when not provided, the workflow will run for all open PRs'
+ required: true
+ default: '0'
+
+permissions:
+ contents: read
+
+jobs:
+ # Get all open PRs
+ gather-pull-requests:
+ if: github.repository == 'redhat-plumbers/systemd-rhel10'
+ runs-on: ubuntu-latest
+
+ outputs:
+ pr-numbers: ${{ steps.get-pr-numbers.outputs.result }}
+ pr-numbers-manual: ${{ steps.parse-manual-input.outputs.result }}
+
+ steps:
+ - id: get-pr-numbers
+ if: inputs.pr-number == '0'
+ name: Get all open PRs
+ uses: actions/github-script@v6
+ with:
+ # !FIXME: this is not working if there is more than 100 PRs opened
+ script: |
+ const { data: pullRequests } = await github.rest.pulls.list({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open',
+ per_page: 100
+ });
+ return pullRequests.map(pr => pr.number);
+
+ - id: parse-manual-input
+ if: inputs.pr-number != '0'
+ name: Parse manual input
+ run: |
+ # shellcheck disable=SC2086
+ echo "result="[ ${{ inputs.pr-number }} ]"" >> $GITHUB_OUTPUT
+ shell: bash
+
+ validate-pr:
+ name: 'Validation of Pull Request #${{ matrix.pr-number }}'
+ needs: [ gather-pull-requests ]
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ pr-number: ${{ inputs.pr-number == 0 && fromJSON(needs.gather-pull-requests.outputs.pr-numbers) || fromJSON(needs.gather-pull-requests.outputs.pr-numbers-manual) }}
+
+ permissions:
+ # required for merging PRs
+ contents: write
+ # required for PR comments and setting labels
+ pull-requests: write
+
+ steps:
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
+ with:
+ pr-number: ${{ matrix.pr-number }}
+ jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/source-git-automation.yml b/.github/workflows/source-git-automation.yml
new file mode 100644
index 0000000000..d58242efa7
--- /dev/null
+++ b/.github/workflows/source-git-automation.yml
@@ -0,0 +1,45 @@
+name: Source git Automation
+on:
+ workflow_run:
+ workflows: [ Gather Pull Request Metadata ]
+ types:
+ - completed
+
+permissions:
+ contents: read
+
+jobs:
+ download-metadata:
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success' &&
+ github.repository == 'redhat-plumbers/systemd-rhel10'
+ runs-on: ubuntu-latest
+
+ outputs:
+ pr-metadata: ${{ steps.Artifact.outputs.pr-metadata-json }}
+
+ steps:
+ - id: Artifact
+ name: Download Artifact
+ uses: redhat-plumbers-in-action/download-artifact@v1
+ with:
+ name: Pull Request Metadata
+
+ source-git-automation:
+ needs: [ download-metadata ]
+ runs-on: ubuntu-latest
+
+ permissions:
+ # required for merging PRs
+ contents: write
+ # required for PR comments and setting labels
+ pull-requests: write
+
+ steps:
+ - name: Source-git Automation
+ uses: redhat-plumbers-in-action/source-git-automation@v1
+ with:
+ pr-metadata: ${{ needs.download-metadata.outputs.pr-metadata }}
+ jira-api-token: ${{ secrets.JIRA_API_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}

View File

@ -1,61 +0,0 @@
From 970ac707323ce1b50c6f45184df4373d651e669c Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 17 May 2024 13:55:40 +0200
Subject: [PATCH] ci: reconfigure Packit for RHEL 10
rhel-only: ci
Related: RHEL-36636
---
.packit.yml | 28 +++++++++-------------------
1 file changed, 9 insertions(+), 19 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 2dcc9e86ca..340c6992ec 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -24,14 +24,12 @@ actions:
- "bash -ec 'git describe --tags --abbrev=0 | cut -b 2-'"
post-upstream-clone:
- # Use the Fedora Rawhide specfile
- - "git clone https://src.fedoraproject.org/rpms/systemd .packit_rpm --depth=1"
+ # Use the CentOS Stream 10 specfile
+ - "git clone -b c10s https://gitlab.com/redhat/centos-stream/rpms/systemd.git .packit_rpm --depth=1"
# Drop the "sources" file so rebase-helper doesn't think we're a dist-git
- "rm -fv .packit_rpm/sources"
- # Drop backported patches from the specfile, but keep the downstream-only ones
- # - Patch(0000-0499): backported patches from upstream
- # - Patch0500-9999: downstream-only patches
- - "sed -ri '/^Patch(0[0-4]?[0-9]{0,2})?\\:.+\\.patch/d' .packit_rpm/systemd.spec"
+ # Drop all patches, since they're already included in the tarball
+ - "sed -ri '/^Patch[0-9]+:/d' .packit_rpm/systemd.spec"
# Build the RPM with --werror. Even though --werror doesn't work in all
# cases (see [0]), we can't use -Dc_args=/-Dcpp_args= here because of the
# RPM hardening macros, that use $CFLAGS/$CPPFLAGS (see [1]).
@@ -45,20 +43,12 @@ actions:
# until the change propagates to Rawhide's specfile
- "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec"
+# Available targets can be listed via `copr-cli list-chroots`
jobs:
- job: copr_build
trigger: pull_request
targets:
- - fedora-rawhide-aarch64
- - fedora-rawhide-i386
- - fedora-rawhide-ppc64le
- - fedora-rawhide-s390x
- - fedora-rawhide-x86_64
-
-- job: tests
- trigger: pull_request
- fmf_url: https://src.fedoraproject.org/tests/systemd
- fmf_ref: main
- tmt_plan: ci
- targets:
- - fedora-rawhide-x86_64
+ - centos-stream-10-aarch64
+ - centos-stream-10-ppc64le
+ - centos-stream-10-s390x
+ - centos-stream-10-x86_64

View File

@ -1,37 +0,0 @@
From 517bf132e5508a2ac140dbea3650e89205dee052 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Fri, 21 Jun 2024 16:15:24 +0200
Subject: [PATCH] ci: allow to pass parameters together with rhel-only note
Supported parameters:
* feature - for feature related commits (cross-version)
* bugfix - for bugfix related commits (cross-version)
* doc - for documentation related commits (usually version specific)
* workaround - for workaround related commits (usually version specific)
* ci - for CI related commits (version specific)
* test - for test related commits (version specific)
* other - for commits that do not fit into any of the above categories or use just `rhel-only`
rhel-only: ci
Related: RHEL-36636
---
.github/advanced-commit-linter.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
index 3609fe4612..3e3e3fe2bf 100644
--- a/.github/advanced-commit-linter.yml
+++ b/.github/advanced-commit-linter.yml
@@ -4,8 +4,8 @@ policy:
- github: systemd/systemd
exception:
note:
- - rhel-only
- - RHEL-only
+ - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'
+ - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)'
tracker:
- keyword:
- 'Resolves: '

View File

@ -1,59 +0,0 @@
From 8ca92aa84573b47bb6ee6a5853ecd08463b97af8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 9 Jan 2024 11:28:04 +0100
Subject: [PATCH] journal: again create user journals for users with high uids
This effectively reverts a change in 115d5145a257c1a27330acf9f063b5f4d910ca4d
'journald: move uid_for_system_journal() to uid-alloc-range.h', which slipped
in an additional check of uid_is_container(uid). The problem is that that change
is not backwards-compatible at all and very hard for users to handle.
There is no common agreement on mappings of high-range uids. Systemd declares
ownership of a large range for container uids in https://systemd.io/UIDS-GIDS/,
but this is only a recent change and various sites allocated those ranges
in a different way, in particular FreeIPA uses (used?) uids from this range
for human users. On big sites with lots of users changing uids is obviously a
hard problem. We generally assume that uids cannot be "freed" and/or changed
and/or reused safely, so we shouldn't demand the same from others.
This is somewhat similar to the situation with SYSTEM_ALLOC_UID_MIN /
SYSTEM_UID_MAX, which we tried to define to a fixed value in our code, causing
huge problems for existing systems with were created with a different
definition and couldn't be easily updated. For that case, we added a
configuration time switch and we now parse /etc/login.defs to actually use the
value that is appropriate for the local system.
Unfortunately, login.defs doesn't have a concept of container allocation ranges
(and we don't have code to parse and use those nonexistent names either), so we
can't tell users to adjust logind.defs to work around the changed definition.
login.defs has SUB_UID_{MIN,MAX}, but those aren't really the same thing,
because they are used to define where the add allocations for subuids, which is
generally a much smaller range. Maybe we should talk with other folks about
the appropriate allocation ranges and define some new settings in login.defs.
But this would require discussion and coordination with other projects first.
Actualy, it seems that this change was needed at all. The code in the container
does not log to the outside journal. It talks to its own journald, which does
journal splitting using its internal logic based on shifted uids. So let's
revert the change to fix user systems.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2251843.
rhel-only: bugfix
Related: RHEL-40924
---
src/basic/uid-classification.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/uid-classification.c b/src/basic/uid-classification.c
index e2d2cebc6d..2c8b06c0d3 100644
--- a/src/basic/uid-classification.c
+++ b/src/basic/uid-classification.c
@@ -127,5 +127,5 @@ bool uid_for_system_journal(uid_t uid) {
/* Returns true if the specified UID shall get its data stored in the system journal. */
- return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY || uid_is_container(uid);
+ return uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY;
}

View File

@ -1,67 +0,0 @@
From 6ad266a125eabbf27dfbe64aae9a0d9060c2bd08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 18 Jun 2024 20:32:10 +0200
Subject: [PATCH] tmpfiles: make --purge hard to (mis-)use
Follow-up for https://github.com/systemd/systemd/pull/33383.
rhel-only: bugfix
Related: RHEL-40924
---
src/tmpfiles/tmpfiles.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 8cc8c1ccd6..14048545db 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -4197,6 +4197,7 @@ static int parse_argv(int argc, char *argv[]) {
ARG_IMAGE_POLICY,
ARG_REPLACE,
ARG_DRY_RUN,
+ ARG_DESTROY_DATA,
ARG_NO_PAGER,
};
@@ -4220,10 +4221,18 @@ static int parse_argv(int argc, char *argv[]) {
{ "replace", required_argument, NULL, ARG_REPLACE },
{ "dry-run", no_argument, NULL, ARG_DRY_RUN },
{ "no-pager", no_argument, NULL, ARG_NO_PAGER },
+
+ /* This is not documented on purpose.
+ * If you think --purge should be allowed without jumping through hoops,
+ * consider opening a bug report with the description of the use case.
+ */
+ { "destroy-data", no_argument, NULL, ARG_DESTROY_DATA },
+
{}
};
int c, r;
+ bool destroy_data = false;
assert(argc >= 0);
assert(argv);
@@ -4330,6 +4339,10 @@ static int parse_argv(int argc, char *argv[]) {
arg_dry_run = true;
break;
+ case ARG_DESTROY_DATA:
+ destroy_data = true;
+ break;
+
case ARG_NO_PAGER:
arg_pager_flags |= PAGER_DISABLE;
break;
@@ -4349,6 +4362,10 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Refusing --purge without specification of a configuration file.");
+ if (FLAGS_SET(arg_operation, OPERATION_PURGE) && !arg_dry_run && !destroy_data)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Refusing --purge without --destroy-data.");
+
if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --replace= is not supported with --cat-config/--tldr.");

View File

@ -1,33 +0,0 @@
From 79519b922b59c2282223742327cc8d75c7b219d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 14 Dec 2022 22:24:53 +0100
Subject: [PATCH] fedora: use system-auth in pam systemd-user
Adjust upstream config to use our shared stack
rhel-only: feature
Related: RHEL-40924
---
src/login/systemd-user.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
index 8a3c9e0165..74ef5f2552 100644
--- a/src/login/systemd-user.in
+++ b/src/login/systemd-user.in
@@ -7,7 +7,7 @@
-account sufficient pam_systemd_home.so
{% endif %}
account sufficient pam_unix.so no_pass_expiry
-account required pam_permit.so
+account include system-auth
{% if HAVE_SELINUX %}
session required pam_selinux.so close
@@ -20,4 +20,4 @@ session required pam_namespace.so
-session optional pam_systemd_home.so
{% endif %}
session optional pam_umask.so silent
-session optional pam_systemd.so
+session include system-auth

View File

@ -1,317 +0,0 @@
From b91be007c4172b50e5ca570c3c3cd64fecbf377b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 25 Jun 2024 14:00:45 +0200
Subject: [PATCH] net-naming-scheme: start rhel10 naming and include rhel8 and
rhel9 ones
Also add RHEL8,9,10 versions to version-info.xml file
rhel-only: feature
Resolves: RHEL-22621
---
man/systemd.net-naming-scheme.xml | 186 ++++++++++++++++++++++++++++++
man/version-info.xml | 33 ++++++
src/shared/netif-naming-scheme.c | 17 +++
src/shared/netif-naming-scheme.h | 20 ++++
4 files changed, 256 insertions(+)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index ff811c2bd7..690e3d2c27 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -525,7 +525,193 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><constant>rhel-10.0</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ <para>By default <constant>rhel-10.0</constant> is used.</para>
+
+ <refsect2>
+ <title>RHEL-9 schemes</title>
+ <para>It is also possible to pick a scheme from RHEL-9</para>
+ <variablelist>
+ <varlistentry>
+ <term><constant>rhel-9.0</constant></term>
+
+ <listitem><para>Since version <constant>v247</constant> we no longer set
+ <varname>ID_NET_NAME_SLOT</varname> if we detect that a PCI device associated with a slot is a PCI
+ bridge as that would create naming conflict when there are more child devices on that bridge. Now,
+ this is relaxed and we will use slot information to generate the name based on it but only if
+ the PCI device has multiple functions. This is safe because distinct function number is a part of
+ the device name for multifunction devices.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.0"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.1</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.1"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.2</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.2"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.3</constant></term>
+
+ <listitem><para>Naming was changed for SR-IOV virtual device representors.</para>
+
+ <para>The <literal>r<replaceable>slot</replaceable></literal> suffix was added to differentiate SR-IOV
+ virtual device representors attached to a single physical device interface.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.3"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.4</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-9.3</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.4"/>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2>
+ <title>RHEL-8 schemes</title>
+ <para>It is also possible to pick a scheme from RHEL-8</para>
+ <variablelist>
+ <varlistentry>
+ <term><constant>rhel-8.0</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>v239</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.0"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.1</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.1"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.2</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.2"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.3</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.0</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.3"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.4</constant></term>
+
+ <listitem><para>If the PCI slot is assocated with PCI bridge and that has multiple child network
+ controllers then all of them might derive the same value of <varname>ID_NET_NAME_SLOT</varname>
+ property. That could cause naming conflict if the property is selected as a device name. Now, we detect the
+ situation, slot - bridge relation, and we don't produce the <varname>ID_NET_NAME_SLOT</varname> property to
+ avoid possible naming conflict.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.4"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.5</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.5"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.6</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.4</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.6"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.7</constant></term>
+
+ <listitem><para>PCI hotplug slot names for the s390 PCI driver are a hexadecimal representation
+ of the <filename>function_id</filename> device attribute. This attribute is now used to build the
+ <varname>ID_NET_NAME_SLOT</varname>. Before that, all slot names were parsed as decimal
+ numbers, which could either result in an incorrect value of the <varname>ID_NET_NAME_SLOT</varname>
+ property or none at all.</para>
+
+ <para>Some firmware and hypervisor implementations report unreasonable high numbers for the onboard
+ index. To prevent the generation of bogus onbard interface names, index numbers greater than 16381
+ (2^14-1) were ignored. For s390 PCI devices index values up to 65535 (2^16-1) are valid. To account
+ for that, the limit is increased to now 65535.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.7"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.8</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.8"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.9</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.9"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-8.10</constant></term>
+
+ <listitem><para>Same as naming scheme <constant>rhel-8.7</constant>.</para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-8.10"/>
+ </listitem>
+ </varlistentry>
</variablelist>
+ </refsect2>
<para>Note that <constant>latest</constant> may be used to denote the latest scheme known (to this
particular version of systemd).</para>
diff --git a/man/version-info.xml b/man/version-info.xml
index bd210b20d3..274450d408 100644
--- a/man/version-info.xml
+++ b/man/version-info.xml
@@ -81,4 +81,37 @@
<para id="v255">Added in version 255.</para>
<para id="v256">Added in version 256.</para>
<para id="v257">Added in version 257.</para>
+ <para id="rhel-8.0">Added in rhel-8.0.</para>
+ <para id="rhel-8.1">Added in rhel-8.1.</para>
+ <para id="rhel-8.2">Added in rhel-8.2.</para>
+ <para id="rhel-8.3">Added in rhel-8.3.</para>
+ <para id="rhel-8.4">Added in rhel-8.4.</para>
+ <para id="rhel-8.5">Added in rhel-8.5.</para>
+ <para id="rhel-8.6">Added in rhel-8.6.</para>
+ <para id="rhel-8.7">Added in rhel-8.7.</para>
+ <para id="rhel-8.8">Added in rhel-8.8.</para>
+ <para id="rhel-8.9">Added in rhel-8.9.</para>
+ <para id="rhel-8.10">Added in rhel-8.10.</para>
+ <para id="rhel-9.0">Added in rhel-9.0.</para>
+ <para id="rhel-9.1">Added in rhel-9.1.</para>
+ <para id="rhel-9.2">Added in rhel-9.2.</para>
+ <para id="rhel-9.3">Added in rhel-9.3.</para>
+ <para id="rhel-9.4">Added in rhel-9.4.</para>
+ <para id="rhel-9.5">Added in rhel-9.5.</para>
+ <para id="rhel-9.6">Added in rhel-9.6.</para>
+ <para id="rhel-9.7">Added in rhel-9.7.</para>
+ <para id="rhel-9.8">Added in rhel-9.8.</para>
+ <para id="rhel-9.9">Added in rhel-9.9.</para>
+ <para id="rhel-9.10">Added in rhel-9.10.</para>
+ <para id="rhel-10.0">Added in rhel-10.0.</para>
+ <para id="rhel-10.1">Added in rhel-10.1.</para>
+ <para id="rhel-10.2">Added in rhel-10.2.</para>
+ <para id="rhel-10.3">Added in rhel-10.3.</para>
+ <para id="rhel-10.4">Added in rhel-10.4.</para>
+ <para id="rhel-10.5">Added in rhel-10.5.</para>
+ <para id="rhel-10.6">Added in rhel-10.6.</para>
+ <para id="rhel-10.7">Added in rhel-10.7.</para>
+ <para id="rhel-10.8">Added in rhel-10.8.</para>
+ <para id="rhel-10.9">Added in rhel-10.9.</para>
+ <para id="rhel-10.10">Added in rhel-10.10.</para>
</refsect1>
diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
index 2955b6e8d5..e4d4c0ba88 100644
--- a/src/shared/netif-naming-scheme.c
+++ b/src/shared/netif-naming-scheme.c
@@ -24,6 +24,23 @@ static const NamingScheme naming_schemes[] = {
{ "v253", NAMING_V253 },
{ "v254", NAMING_V254 },
{ "v255", NAMING_V255 },
+ { "rhel-8.0", NAMING_RHEL_8_0 },
+ { "rhel-8.1", NAMING_RHEL_8_1 },
+ { "rhel-8.2", NAMING_RHEL_8_2 },
+ { "rhel-8.3", NAMING_RHEL_8_3 },
+ { "rhel-8.4", NAMING_RHEL_8_4 },
+ { "rhel-8.5", NAMING_RHEL_8_5 },
+ { "rhel-8.6", NAMING_RHEL_8_6 },
+ { "rhel-8.7", NAMING_RHEL_8_7 },
+ { "rhel-8.8", NAMING_RHEL_8_8 },
+ { "rhel-8.9", NAMING_RHEL_8_9 },
+ { "rhel-8.10", NAMING_RHEL_8_10 },
+ { "rhel-9.0", NAMING_RHEL_9_0 },
+ { "rhel-9.1", NAMING_RHEL_9_1 },
+ { "rhel-9.2", NAMING_RHEL_9_2 },
+ { "rhel-9.3", NAMING_RHEL_9_3 },
+ { "rhel-9.4", NAMING_RHEL_9_4 },
+ { "rhel-10.0", NAMING_RHEL_10_0 },
/* … add more schemes here, as the logic to name devices is updated … */
EXTRA_NET_NAMING_MAP
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index 62afdc514a..b0697c141e 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -63,6 +63,26 @@ typedef enum NamingSchemeFlags {
* systemd version 255, naming scheme "v255". */
NAMING_V255 = NAMING_V254 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ NAMING_RHEL_8_0 = NAMING_V239,
+ NAMING_RHEL_8_1 = NAMING_V239,
+ NAMING_RHEL_8_2 = NAMING_V239,
+ NAMING_RHEL_8_3 = NAMING_V239,
+ NAMING_RHEL_8_4 = NAMING_V239 | NAMING_BRIDGE_NO_SLOT,
+ NAMING_RHEL_8_5 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_6 = NAMING_RHEL_8_4,
+ NAMING_RHEL_8_7 = NAMING_RHEL_8_4 | NAMING_SLOT_FUNCTION_ID | NAMING_16BIT_INDEX,
+ NAMING_RHEL_8_8 = NAMING_RHEL_8_7,
+ NAMING_RHEL_8_9 = NAMING_RHEL_8_7,
+ NAMING_RHEL_8_10 = NAMING_RHEL_8_7,
+
+ NAMING_RHEL_9_0 = NAMING_V250 | NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ NAMING_RHEL_9_1 = NAMING_RHEL_9_0,
+ NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
+ NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
+ NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+
+ NAMING_RHEL_10_0 = NAMING_V255,
+
EXTRA_NET_NAMING_SCHEMES
_NAMING_SCHEME_FLAGS_INVALID = -EINVAL,

View File

@ -1,109 +0,0 @@
From ee9a767142ec66b1ca93af9401dc8f723ae59881 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Wed, 12 Jun 2024 14:23:30 +0200
Subject: [PATCH] rules: copy 40-redhat.rules from RHEL 9
Also split rules into 40-redhat-hotplug.rules, 40-redhat-s390.rules and 40-redhat.rules.
rhel-only: feature
Resolves: RHEL-40360
---
rules.d/40-redhat-hotplug.rules | 23 +++++++++++++++++++++++
rules.d/40-redhat-s390.rules | 24 ++++++++++++++++++++++++
rules.d/40-redhat.rules | 8 ++++++++
rules.d/meson.build | 5 ++++-
4 files changed, 59 insertions(+), 1 deletion(-)
create mode 100644 rules.d/40-redhat-hotplug.rules
create mode 100644 rules.d/40-redhat-s390.rules
create mode 100644 rules.d/40-redhat.rules
diff --git a/rules.d/40-redhat-hotplug.rules b/rules.d/40-redhat-hotplug.rules
new file mode 100644
index 0000000000..5555eeac75
--- /dev/null
+++ b/rules.d/40-redhat-hotplug.rules
@@ -0,0 +1,23 @@
+# do not edit this file, it will be overwritten on update
+
+# CPU hotadd request
+SUBSYSTEM!="cpu", GOTO="cpu_online_end"
+ACTION!="add", GOTO="cpu_online_end"
+CONST{arch}=="ppc64*", GOTO="cpu_online_end"
+CONST{arch}=="s390*", ATTR{configure}=="0", GOTO="cpu_online_end"
+
+TEST=="online", ATTR{online}=="0", ATTR{online}="1"
+
+LABEL="cpu_online_end"
+
+# Memory hotadd request
+SUBSYSTEM!="memory", GOTO="memory_hotplug_end"
+ACTION!="add", GOTO="memory_hotplug_end"
+CONST{arch}=="s390*", GOTO="memory_hotplug_end"
+CONST{arch}=="ppc64*", GOTO="memory_hotplug_end"
+
+ENV{.state}="online"
+CONST{virt}=="none", ENV{.state}="online_movable"
+ATTR{state}=="offline", ATTR{state}="$env{.state}"
+
+LABEL="memory_hotplug_end"
diff --git a/rules.d/40-redhat-s390.rules b/rules.d/40-redhat-s390.rules
new file mode 100644
index 0000000000..64698b90e8
--- /dev/null
+++ b/rules.d/40-redhat-s390.rules
@@ -0,0 +1,24 @@
+# do not edit this file, it will be overwritten on update
+
+# Rule for prandom character device node permissions
+KERNEL=="prandom", MODE="0644"
+
+# Rules for creating the ID_PATH for SCSI devices based on the CCW bus
+# using the form: ccw-<BUS_ID>-zfcp-<WWPN>:<LUN>
+#
+ACTION=="remove", GOTO="zfcp_scsi_device_end"
+
+#
+# Set environment variable "ID_ZFCP_BUS" to "1" if the devices
+# (both disk and partition) are SCSI devices based on FCP devices
+#
+KERNEL=="sd*", SUBSYSTEMS=="ccw", DRIVERS=="zfcp", ENV{.ID_ZFCP_BUS}="1"
+
+# For SCSI disks
+KERNEL=="sd*[!0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="disk", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}"
+
+
+# For partitions on a SCSI disk
+KERNEL=="sd*[0-9]", SUBSYSTEMS=="scsi", ENV{.ID_ZFCP_BUS}=="1", ENV{DEVTYPE}=="partition", SYMLINK+="disk/by-path/ccw-$attr{hba_id}-zfcp-$attr{wwpn}:$attr{fcp_lun}-part%n"
+
+LABEL="zfcp_scsi_device_end"
diff --git a/rules.d/40-redhat.rules b/rules.d/40-redhat.rules
new file mode 100644
index 0000000000..975d56fdfd
--- /dev/null
+++ b/rules.d/40-redhat.rules
@@ -0,0 +1,8 @@
+# do not edit this file, it will be overwritten on update
+
+# reload sysctl.conf / sysctl.conf.d settings when the bridge module is loaded
+ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/usr/lib/systemd/systemd-sysctl --prefix=/proc/sys/net/bridge"
+
+# load SCSI generic (sg) driver
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
+SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_target", TEST!="[module/sg]", RUN+="/sbin/modprobe -bv sg"
diff --git a/rules.d/meson.build b/rules.d/meson.build
index 3040fae8a4..edf419f449 100644
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -5,7 +5,10 @@ install_data(
install_dir : udevrulesdir)
rules = [
- [files('60-autosuspend.rules',
+ [files('40-redhat-hotplug.rules',
+ '40-redhat-s390.rules',
+ '40-redhat.rules',
+ '60-autosuspend.rules',
'60-block.rules',
'60-cdrom_id.rules',
'60-dmi-id.rules',

View File

@ -1,43 +0,0 @@
From ed416f79aac6c1136f5d20a19cfc20c2709ab314 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 5 Aug 2021 17:11:47 +0200
Subject: [PATCH] tmpfiles: don't create resolv.conf -> stub-resolv.conf
symlink
RHEL-only: bugfix
Related: RHEL-40924
---
tmpfiles.d/meson.build | 1 -
tmpfiles.d/systemd-resolve.conf | 10 ----------
2 files changed, 11 deletions(-)
delete mode 100644 tmpfiles.d/systemd-resolve.conf
diff --git a/tmpfiles.d/meson.build b/tmpfiles.d/meson.build
index bec24ac7b4..55ce48979d 100644
--- a/tmpfiles.d/meson.build
+++ b/tmpfiles.d/meson.build
@@ -10,7 +10,6 @@ files = [['README', ''],
['systemd-nologin.conf', 'HAVE_PAM'],
['systemd-nspawn.conf', 'ENABLE_MACHINED'],
['systemd-pstore.conf', 'ENABLE_PSTORE'],
- ['systemd-resolve.conf', 'ENABLE_RESOLVE'],
['systemd-tmp.conf', ''],
['tmp.conf', ''],
['x11.conf', ''],
diff --git a/tmpfiles.d/systemd-resolve.conf b/tmpfiles.d/systemd-resolve.conf
deleted file mode 100644
index cb1c56d6a6..0000000000
--- a/tmpfiles.d/systemd-resolve.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-# See tmpfiles.d(5) for details
-
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf

View File

@ -1,25 +0,0 @@
From 9a6ef20bab1411570b3af6f6bbdb1a299ea8e73a Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 15 Jul 2021 11:15:17 +0200
Subject: [PATCH] random-util: increase random seed size to 1024
RHEL-only: feature
Related: RHEL-40924
---
src/basic/random-util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index b1a4d10971..08b1a3599a 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -21,7 +21,7 @@ static inline uint32_t random_u32(void) {
}
/* Some limits on the pool sizes when we deal with the kernel random pool */
-#define RANDOM_POOL_SIZE_MIN 32U
+#define RANDOM_POOL_SIZE_MIN 1024U
#define RANDOM_POOL_SIZE_MAX (10U*1024U*1024U)
#define RANDOM_EFI_SEED_SIZE 32U

View File

@ -1,25 +0,0 @@
From 15465a4a302c4379746a21ef7b7fb9a9bfea9297 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Thu, 2 May 2019 14:11:54 +0200
Subject: [PATCH] journal: don't enable systemd-journald-audit.socket by
default
RHEL-only: feature
Related: RHEL-40924
---
presets/90-systemd.preset | 1 -
1 file changed, 1 deletion(-)
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index da6b9805fd..004ea6fe14 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -21,7 +21,6 @@ enable systemd-boot-update.service
enable systemd-confext.service
enable systemd-homed.service
enable systemd-homed-activate.service
-enable systemd-journald-audit.socket
enable systemd-mountfsd.socket
enable systemd-network-generator.service
enable systemd-networkd.service

View File

@ -1,22 +0,0 @@
From b340b4c797599aa444f9dbf07c6ef7ea29021604 Mon Sep 17 00:00:00 2001
From: David Tardon <dtardon@redhat.com>
Date: Thu, 5 Aug 2021 15:26:13 +0200
Subject: [PATCH] journald.conf: don't touch current audit settings
RHEL-only: policy
Related: RHEL-40924
---
src/journal/journald.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 13cdd6300f..fc307c53c2 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -47,4 +47,4 @@
#MaxLevelSocket=debug
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+Audit=

View File

@ -1,59 +0,0 @@
From 5725d315940804ba80468e6e3b6ea4653587f109 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Wed, 1 Aug 2018 13:19:39 +0200
Subject: [PATCH] pid1: bump DefaultTasksMax to 80% of the kernel pid.max value
This should be hopefully high enough even for the very big deployments.
RHEL-only: feature
Related: RHEL-40924
---
man/systemd-system.conf.xml | 4 ++--
src/core/manager.c | 2 +-
src/core/system.conf.in | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index ae5b61b149..22919842f5 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -520,10 +520,10 @@
<listitem><para>Configure the default value for the per-unit <varname>TasksMax=</varname> setting. See
<citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details. This setting applies to all unit types that support resource control settings, with the exception
- of slice units. Defaults to 15% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
+ of slice units. Defaults to 80% of the minimum of <varname>kernel.pid_max=</varname>, <varname>kernel.threads-max=</varname>
and root cgroup <varname>pids.max</varname>.
Kernel has a default value for <varname>kernel.pid_max=</varname> and an algorithm of counting in case of more than 32 cores.
- For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 4915,
+ For example, with the default <varname>kernel.pid_max=</varname>, <varname>DefaultTasksMax=</varname> defaults to 26214,
but might be greater in other systems or smaller in OS containers.</para>
<xi:include href="version-info.xml" xpointer="v228"/></listitem>
diff --git a/src/core/manager.c b/src/core/manager.c
index 90e72b0c02..8ddf37fdad 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -117,7 +117,7 @@
/* How many units and jobs to process of the bus queue before returning to the event loop. */
#define MANAGER_BUS_MESSAGE_BUDGET 100U
-#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 15U, 100U }) /* 15% */
+#define DEFAULT_TASKS_MAX ((CGroupTasksMax) { 80U, 100U }) /* 80% */
static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
static int manager_dispatch_cgroups_agent_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata);
diff --git a/src/core/system.conf.in b/src/core/system.conf.in
index 1c08aa4d22..4fe420c344 100644
--- a/src/core/system.conf.in
+++ b/src/core/system.conf.in
@@ -59,7 +59,7 @@
#DefaultIPAccounting=no
#DefaultMemoryAccounting={{ 'yes' if MEMORY_ACCOUNTING_DEFAULT else 'no' }}
#DefaultTasksAccounting=yes
-#DefaultTasksMax=15%
+#DefaultTasksMax=80%
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=

View File

@ -1,53 +0,0 @@
From 2b9b38af0bd6f15d316869022ad296f5927f2d2b Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 21 Sep 2021 15:01:19 +0200
Subject: [PATCH] udev/net-setup-link: change the default MACAddressPolicy to
"none"
While stable MAC address for interface types that don't have the
address provided by HW could be useful it also breaks LACP based bonds.
Let's err on the side of caution and don't change the MAC address from
udev.
RHEL-only: policy
Related: RHEL-40924
---
man/systemd.link.xml | 2 +-
network/99-default.link | 2 +-
test/fuzz/fuzz-link-parser/99-default.link | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/man/systemd.link.xml b/man/systemd.link.xml
index 3991d91881..0002eb3617 100644
--- a/man/systemd.link.xml
+++ b/man/systemd.link.xml
@@ -1386,7 +1386,7 @@ OriginalName=*
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
-MACAddressPolicy=persistent</programlisting>
+MACAddressPolicy=none</programlisting>
</example>
<example>
diff --git a/network/99-default.link b/network/99-default.link
index 56030b62be..5628dcf845 100644
--- a/network/99-default.link
+++ b/network/99-default.link
@@ -12,4 +12,4 @@ OriginalName=*
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
-MACAddressPolicy=persistent
+MACAddressPolicy=none
diff --git a/test/fuzz/fuzz-link-parser/99-default.link b/test/fuzz/fuzz-link-parser/99-default.link
index feb5b1fbb0..3d755898b4 100644
--- a/test/fuzz/fuzz-link-parser/99-default.link
+++ b/test/fuzz/fuzz-link-parser/99-default.link
@@ -9,4 +9,4 @@
[Link]
NamePolicy=keep kernel database onboard slot path
-MACAddressPolicy=persistent
+MACAddressPolicy=none

View File

@ -1,40 +0,0 @@
From 74151c1fd19cbd73f2a6d1c2f84eac9bb73eac7e Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 22 Feb 2022 13:24:11 +0100
Subject: [PATCH] core: decrease log level of messages about use of
KillMode=none
RHEL-only: bugfix
Related: RHEL-40924
---
src/core/load-fragment.c | 2 +-
src/core/unit.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 5ae68886af..d4c006eb87 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -868,7 +868,7 @@ int config_parse_kill_mode(
}
if (m == KILL_NONE)
- log_syntax(unit, LOG_WARNING, filename, line, 0,
+ log_syntax(unit, LOG_DEBUG, filename, line, 0,
"Unit uses KillMode=none. "
"This is unsafe, as it disables systemd's process lifecycle management for the service. "
"Please update the service to use a safer KillMode=, such as 'mixed' or 'control-group'. "
diff --git a/src/core/unit.c b/src/core/unit.c
index 2d40618fcb..0ec5dcaf75 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -5867,7 +5867,7 @@ int unit_log_leftover_process_start(const PidRef *pid, int sig, void *userdata)
/* During start we print a warning */
- log_unit_warning(userdata,
+ log_unit_debug(userdata,
"Found left-over process " PID_FMT " (%s) in control group while starting unit. Ignoring.\n"
"This usually indicates unclean termination of a previous run, or service implementation deficiencies.",
pid->pid, strna(comm));

View File

@ -1,180 +0,0 @@
From 40527d91d2fb1d987473bb4bcf1c929a85ffe9a0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Jul 2024 16:51:05 +0200
Subject: [PATCH] meson: rename libbasic to libbasic_static
Our variables for internal libraries are named 'libfoo' for the shared lib
variant, and 'libfoo_static' for the static lib variant. The only exception was
libbasic, because we didn't have a shared variant for it. But let's rename it
for consitency. This makes the build config easier to understand.
see currently unmerged https://github.com/systemd/systemd/pull/33599
RHEL-only workaround
Resolves: RHEL-46020
---
meson.build | 4 ++--
src/basic/meson.build | 2 +-
src/libsystemd/meson.build | 2 +-
src/partition/meson.build | 2 +-
src/shared/meson.build | 2 +-
src/shutdown/meson.build | 2 +-
src/sysusers/meson.build | 2 +-
src/test/meson.build | 8 ++++----
src/tmpfiles/meson.build | 2 +-
9 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/meson.build b/meson.build
index e42151998b..18115cad5e 100644
--- a/meson.build
+++ b/meson.build
@@ -2078,7 +2078,7 @@ libsystemd = shared_library(
# Make sure our library is never deleted from memory, so that our open logging fds don't leak on dlopen/dlclose cycles.
'-z', 'nodelete',
'-Wl,--version-script=' + libsystemd_sym_path],
- link_with : [libbasic],
+ link_with : [libbasic_static],
link_whole : [libsystemd_static],
dependencies : [librt,
threads,
@@ -2243,7 +2243,7 @@ nss_template = {
'link_with' : [
libsystemd_static,
libshared_static,
- libbasic,
+ libbasic_static,
],
'dependencies' : [
librt,
diff --git a/src/basic/meson.build b/src/basic/meson.build
index 9a214575a5..b538775576 100644
--- a/src/basic/meson.build
+++ b/src/basic/meson.build
@@ -274,7 +274,7 @@ filesystem_switch_case_h = custom_target(
basic_sources += [filesystem_list_h, filesystem_switch_case_h, filesystems_gperf_h]
-libbasic = static_library(
+libbasic_static = static_library(
'basic',
basic_sources,
fundamental_sources,
diff --git a/src/libsystemd/meson.build b/src/libsystemd/meson.build
index 6d4337d1a7..243549299f 100644
--- a/src/libsystemd/meson.build
+++ b/src/libsystemd/meson.build
@@ -118,7 +118,7 @@ libsystemd_static = static_library(
libsystemd_sources,
include_directories : libsystemd_includes,
c_args : libsystemd_c_args,
- link_with : [libbasic],
+ link_with : [libbasic_static],
dependencies : [threads,
librt,
userspace],
diff --git a/src/partition/meson.build b/src/partition/meson.build
index 52e1368116..2cfe43e029 100644
--- a/src/partition/meson.build
+++ b/src/partition/meson.build
@@ -32,7 +32,7 @@ executables += [
'sources' : files('repart.c'),
'c_args' : '-DSTANDALONE',
'link_with' : [
- libbasic,
+ libbasic_static,
libshared_fdisk,
libshared_static,
libsystemd_static,
diff --git a/src/shared/meson.build b/src/shared/meson.build
index c5106d87d5..e513c0ec1c 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -358,7 +358,7 @@ libshared = shared_library(
'-Wl,--version-script=' + libshared_sym_path],
link_depends : libshared_sym_path,
link_whole : [libshared_static,
- libbasic,
+ libbasic_static,
libsystemd_static],
dependencies : [libshared_deps,
userspace],
diff --git a/src/shutdown/meson.build b/src/shutdown/meson.build
index 219f9fd308..9bc60f83e5 100644
--- a/src/shutdown/meson.build
+++ b/src/shutdown/meson.build
@@ -20,7 +20,7 @@ executables += [
'sources' : systemd_shutdown_sources,
'c_args' : '-DSTANDALONE',
'link_with' : [
- libbasic,
+ libbasic_static,
libshared_static,
libsystemd_static,
],
diff --git a/src/sysusers/meson.build b/src/sysusers/meson.build
index 0f9c067d50..403d82a340 100644
--- a/src/sysusers/meson.build
+++ b/src/sysusers/meson.build
@@ -14,7 +14,7 @@ executables += [
'sources' : files('sysusers.c'),
'c_args' : '-DSTANDALONE',
'link_with' : [
- libbasic,
+ libbasic_static,
libshared_static,
libsystemd_static,
],
diff --git a/src/test/meson.build b/src/test/meson.build
index 3abbb94d9f..9d3c7d675f 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -274,7 +274,7 @@ executables += [
# only static linking apart from libdl, to make sure that the
# module is linked to all libraries that it uses.
'sources' : files('test-dlopen.c'),
- 'link_with' : libbasic,
+ 'link_with' : libbasic_static,
'dependencies' : libdl,
'install' : false,
'type' : 'manual',
@@ -410,7 +410,7 @@ executables += [
},
test_template + {
'sources' : files('test-sizeof.c'),
- 'link_with' : libbasic,
+ 'link_with' : libbasic_static,
},
test_template + {
'sources' : files('test-time-util.c'),
@@ -590,7 +590,7 @@ executables += [
test_template + {
'sources' : files('../libsystemd/sd-device/test-sd-device-thread.c'),
'link_with' : [
- libbasic,
+ libbasic_static,
libsystemd,
],
'dependencies' : threads,
@@ -598,7 +598,7 @@ executables += [
test_template + {
'sources' : files('../libudev/test-udev-device-thread.c'),
'link_with' : [
- libbasic,
+ libbasic_static,
libudev,
],
'dependencies' : threads,
diff --git a/src/tmpfiles/meson.build b/src/tmpfiles/meson.build
index 2e918509a7..09ad839586 100644
--- a/src/tmpfiles/meson.build
+++ b/src/tmpfiles/meson.build
@@ -20,7 +20,7 @@ executables += [
'sources' : systemd_tmpfiles_sources,
'c_args' : '-DSTANDALONE',
'link_with' : [
- libbasic,
+ libbasic_static,
libshared_static,
libsystemd_static,
],

View File

@ -1,63 +0,0 @@
From 9eccd6c09f06979003eb2ae1f159defc40213fe0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Jul 2024 17:03:26 +0200
Subject: [PATCH] meson: build libsystemd-core via an intermediate static
library
By itself, this is not useful. I'm making this a separate commit to
make debugging easier. It turns out that meson does static libraries
using references, so the "static library" a tiny stub stub that refers
to the object files on disk and this has negligible cost:
$ ls -lhd build/src/core/libsystemd-core-257.{a,so}
-rw-r--r-- 1 zbyszek zbyszek 36K Jul 3 16:54 build/src/core/libsystemd-core-257.a
-rwxr-xr-x 1 zbyszek zbyszek 6.1M Jul 3 16:54 build/src/core/libsystemd-core-257.so
see currently unmerged https://github.com/systemd/systemd/pull/33599
RHEL-only workaround
Resolves: RHEL-46020
---
src/core/meson.build | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/core/meson.build b/src/core/meson.build
index 7a2012a372..1ef31cc529 100644
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -110,17 +110,13 @@ load_fragment_gperf_nulstr_c = custom_target(
libcore_name = 'systemd-core-@0@'.format(shared_lib_tag)
-libcore = shared_library(
+libcore_static = static_library(
libcore_name,
libcore_sources,
load_fragment_gperf_c,
load_fragment_gperf_nulstr_c,
include_directories : includes,
c_args : ['-fvisibility=default'],
- link_args : ['-shared',
- '-Wl,--version-script=' + libshared_sym_path],
- link_depends : libshared_sym_path,
- link_with : libshared,
dependencies : [libacl,
libapparmor,
libaudit,
@@ -135,6 +131,16 @@ libcore = shared_library(
libselinux,
threads,
userspace],
+ build_by_default : false)
+
+libcore = shared_library(
+ libcore_name,
+ c_args : ['-fvisibility=default'],
+ link_args : ['-shared',
+ '-Wl,--version-script=' + libshared_sym_path],
+ link_depends : libshared_sym_path,
+ link_whole: libcore_static,
+ link_with : libshared,
install : true,
install_dir : pkglibdir)

View File

@ -1,101 +0,0 @@
From f3b375da4cd070788b2b8a21fe678c15cb4babe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Jul 2024 17:05:31 +0200
Subject: [PATCH] meson: add option to build systemd-executor "statically"
The new link-executor-shared option is similar to the existing
link-udev-shared: when set to false, we link to the static versions of our
internal libraries.
The resulting exuctor binary is fairly large, about as large as libsystemd-core
(14 MB without lto, 8 with lto).
This is intended as a workaround for the fuckup with the pinned executor
binary:
when an upgrade is performed, the package manager will install new version of
the libraries and new version of the code, and some time later reexecute the
managers. This creates a window when the pinned executor binary will fail to
execute. There are two factors which make the issue easier to hit:
- when the distribution uses a finely-grained shared-lib-tag. E.g. Fedora
uses version-release as the tag, which means that the issue occurs on
every package upgrade. This is the right thing to do, because the
ABI of our internal libraries is not stable at all, so replacing the
library from a different version in place creates a window where our
programs may crash or misbehave.
- when the distribution doesn't immediately reexec all the managers after
upgrade. In early versions of systemd, we used to hammer the machine during
upgrade, doing daemon-reexecs repeatedly. This works, but is ugly and
wasteful. Doing the reexecs while the upgrade is in progres also creates a
window where a mix of old and new configs or both is loaded. Users are
particularly annoyed by those reloads if there is some issue in the
configuration causing us to emit warnings on every reexec. Doing the
reexecs once after the new configuration and libraries have been put
in place is nicer.
The pinning of the executor binary breaks upgrades and in particular
it penalizes the distributions which make use of the features which
were previously added to avoid bugs and inefficiency during upgrades.
When the executor is linked statically, there is a smaller chance that it'll
fail to load libraries. The issue can still occur because other libraries, not
our own, are linked dynamically.
see currently unmerged https://github.com/systemd/systemd/pull/33599
RHEL-only workaround
Resolves: RHEL-46020
---
meson_options.txt | 2 ++
src/core/meson.build | 16 ++++++++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/meson_options.txt b/meson_options.txt
index d52ca4e4b5..3cce818392 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -21,6 +21,8 @@ option('rootprefix', type : 'string', deprecated: true,
description : '''This option is deprecated and will be removed in a future release''')
option('link-udev-shared', type : 'boolean',
description : 'link systemd-udevd and its helpers to libsystemd-shared.so')
+option('link-executor-shared', type : 'boolean',
+ description : 'link systemd-executor to libsystemd-shared.so and libsystemd-core.so')
option('link-systemctl-shared', type: 'boolean',
description : 'link systemctl against libsystemd-shared.so')
option('link-networkd-shared', type: 'boolean',
diff --git a/src/core/meson.build b/src/core/meson.build
index 1ef31cc529..dbeb752977 100644
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -156,6 +156,17 @@ systemd_executor_sources = files(
'exec-invoke.c',
)
+executor_libs = get_option('link-executor-shared') ? \
+ [
+ libcore,
+ libshared,
+ ] : [
+ libcore_static,
+ libshared_static,
+ libbasic_static,
+ libsystemd_static,
+ ]
+
executables += [
libexec_template + {
'name' : 'systemd',
@@ -173,10 +184,7 @@ executables += [
'public' : true,
'sources' : systemd_executor_sources,
'include_directories' : core_includes,
- 'link_with' : [
- libcore,
- libshared,
- ],
+ 'link_with' : executor_libs,
'dependencies' : [
libapparmor,
libpam,

View File

@ -1,86 +0,0 @@
From 13a07024f674e770844de29cd3d01cb7117f56d9 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 8 Jul 2024 14:44:45 +0200
Subject: [PATCH] taint: remove unmerged-bin
In rhel10 we will have separate bin and sbin
RHEL-only: policy
Resolves: RHEL-46277
---
catalog/systemd.catalog.in | 1 -
catalog/systemd.pl.catalog.in | 1 -
man/org.freedesktop.systemd1.xml | 9 ---------
src/core/taint.c | 7 +------
4 files changed, 1 insertion(+), 17 deletions(-)
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 2831152763..66ffefd1c8 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -560,7 +560,6 @@ Support: %SUPPORT_URL%
The following "tags" are possible:
- "unmerged-usr" - /bin, /sbin, /lib* are not symlinks to their counterparts
under /usr/
-- "unmerged-bin" - /usr/sbin is not a symlink to /usr/bin/
- "var-run-bad" — /var/run is not a symlink to /run/
- "cgroupsv1" - the system is using the deprecated cgroup v1 hierarchy
- "local-hwclock" - the local hardware clock (RTC) is configured to be in
diff --git a/catalog/systemd.pl.catalog.in b/catalog/systemd.pl.catalog.in
index 75039e9fcd..fcba4b500a 100644
--- a/catalog/systemd.pl.catalog.in
+++ b/catalog/systemd.pl.catalog.in
@@ -566,7 +566,6 @@ Support: %SUPPORT_URL%
Możliwe są następujące „etykiety”:
• „unmerged-usr” — /bin, /sbin, /lib* nie są dowiązaniami symbolicznymi
do swoich odpowiedników pod /usr/,
-• „unmerged-bin” — /usr/sbin nie jest dowiązaniem symbolicznym do /usr/bin/,
• „var-run-bad” — /var/run nie jest dowiązaniem symbolicznym do /run/,
• „cgroupsv1” — system używa przestarzałej hierarchii cgroup v1,
• „local-hwclock” — lokalny zegar sprzętowy (RTC) jest skonfigurowany
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index b0b45097e3..f2b5ca39e7 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -1666,15 +1666,6 @@ node /org/freedesktop/systemd1 {
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
</varlistentry>
- <varlistentry>
- <term><literal>unmerged-bin</literal></term>
-
- <listitem><para><filename>/usr/sbin</filename> is not a symlink to <filename>/usr/bin/</filename>.
- </para>
-
- <xi:include href="version-info.xml" xpointer="v256"/></listitem>
- </varlistentry>
-
<varlistentry>
<term><literal>var-run-bad</literal></term>
diff --git a/src/core/taint.c b/src/core/taint.c
index 969b37f209..4c98312f54 100644
--- a/src/core/taint.c
+++ b/src/core/taint.c
@@ -32,7 +32,7 @@ static int short_uid_gid_range(UIDRangeUsernsMode mode) {
}
char* taint_string(void) {
- const char *stage[12] = {};
+ const char *stage[11] = {};
size_t n = 0;
/* Returns a "taint string", e.g. "local-hwclock:var-run-bad". Only things that are detected at
@@ -44,11 +44,6 @@ char* taint_string(void) {
if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
stage[n++] = "unmerged-usr";
- /* Note that the check is different from default_PATH(), as we want to taint on uncanonical symlinks
- * too. */
- if (readlink_malloc("/usr/sbin", &usr_sbin) < 0 || !PATH_IN_SET(usr_sbin, "bin", "/usr/bin"))
- stage[n++] = "unmerged-bin";
-
if (readlink_malloc("/var/run", &var_run) < 0 || !PATH_IN_SET(var_run, "../run", "/run"))
stage[n++] = "var-run-bad";

View File

@ -1,28 +0,0 @@
From c2f507732264038dbef44b7652c8f5dee148e1e2 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 8 Jul 2024 13:13:10 +0200
Subject: [PATCH] presets: remove resolved
We noticed that some people are installing systemd* and then
have daemons they don't need running. So let's remove resolved
from presets so its usage is a bit more deliberate
RHEL-only: policy
Resolves: RHEL-46576
---
presets/90-systemd.preset | 1 -
1 file changed, 1 deletion(-)
diff --git a/presets/90-systemd.preset b/presets/90-systemd.preset
index 004ea6fe14..676f14f0d3 100644
--- a/presets/90-systemd.preset
+++ b/presets/90-systemd.preset
@@ -27,7 +27,6 @@ enable systemd-networkd.service
enable systemd-networkd-wait-online.service
enable systemd-nsresourced.socket
enable systemd-pstore.service
-enable systemd-resolved.service
enable systemd-sysext.service
enable systemd-timesyncd.service
enable systemd-userdbd.socket

View File

@ -1,40 +0,0 @@
From 5d244e25b994f1db5988cf6de14fff9058a75bc2 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Mon, 15 Jul 2024 14:13:14 +0200
Subject: [PATCH] ci: allow `policy` as rhel-only keyword
rhel-only: ci
Related: RHEL-40924
---
.github/advanced-commit-linter.yml | 4 ++--
CONTRIBUTING.md | 1 +
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/advanced-commit-linter.yml b/.github/advanced-commit-linter.yml
index 3e3e3fe2bf..4a7e6542b4 100644
--- a/.github/advanced-commit-linter.yml
+++ b/.github/advanced-commit-linter.yml
@@ -4,8 +4,8 @@ policy:
- github: systemd/systemd
exception:
note:
- - 'rhel-only: (feature|bugfix|doc|workaround|ci|test|other)'
- - 'RHEL-only: (feature|bugfix|doc|workaround|ci|test|other)'
+ - 'rhel-only: (feature|bugfix|policy|doc|workaround|ci|test|other)'
+ - 'RHEL-only: (feature|bugfix|policy|doc|workaround|ci|test|other)'
tracker:
- keyword:
- 'Resolves: '
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 28466facac..c2e3a2d4d0 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -37,6 +37,7 @@ If the change isn't upstream relevant or accepted by upstream, mark the commit w
- `feature` - for feature-related commits (cross-version)
- `bugfix` - for bugfix-related commits (cross-version)
+- `policy` - for policy-related commits (cross-version)
- `doc` - for documentation-related commits (usually version-specific)
- `workaround` - for workaround-related commits (usually version-specific)
- `ci` - for CI-related commits (version-specific)

View File

@ -1,68 +0,0 @@
From 1a643a20c5e772fc15a921ed81c7b010fa6bd4a7 Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 16 Jul 2024 10:08:06 +0200
Subject: [PATCH] ci: run mkosi test only for Fedora and CentOS Stream
rhel-only: ci
Related: RHEL-40924
---
.github/workflows/mkosi.yml | 24 ++----------------------
1 file changed, 2 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 3a8dabd95c..9add22c2ea 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -8,7 +8,7 @@ on:
push:
branches:
- main
- - v[0-9]+-stable
+ - rhel-10.*
paths:
- '**'
- '!README*'
@@ -26,7 +26,7 @@ on:
pull_request:
branches:
- main
- - v[0-9]+-stable
+ - rhel-10.*
paths:
- '**'
- '!README*'
@@ -54,21 +54,6 @@ jobs:
fail-fast: false
matrix:
include:
- - distro: arch
- release: rolling
- sanitizers: ""
- llvm: 0
- cflags: "-O2 -D_FORTIFY_SOURCE=3"
- - distro: debian
- release: testing
- sanitizers: ""
- llvm: 0
- cflags: "-Og"
- - distro: ubuntu
- release: noble
- sanitizers: ""
- llvm: 0
- cflags: "-Og"
- distro: fedora
release: "40"
sanitizers: ""
@@ -79,11 +64,6 @@ jobs:
sanitizers: address,undefined
llvm: 1
cflags: "-Og"
- - distro: opensuse
- release: tumbleweed
- sanitizers: ""
- llvm: 0
- cflags: "-Og"
- distro: centos
release: "9"
sanitizers: ""

View File

@ -1,27 +0,0 @@
From 423af3467e66fd07a3a739b40af97b265bd4e45e Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Tue, 16 Jul 2024 10:09:23 +0200
Subject: [PATCH] taint: remove unused variable `usr_sbin`
follow-up to https://github.com/redhat-plumbers/systemd-rhel10/commit/13a07024f674e770844de29cd3d01cb7117f56d9
rhel-only: policy
Related: RHEL-40924
---
src/core/taint.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/taint.c b/src/core/taint.c
index 4c98312f54..370f0297e3 100644
--- a/src/core/taint.c
+++ b/src/core/taint.c
@@ -39,7 +39,7 @@ char* taint_string(void) {
* runtime should be tagged here. For stuff that is known during compilation, emit a warning in the
* configuration phase. */
- _cleanup_free_ char *bin = NULL, *usr_sbin = NULL, *var_run = NULL;
+ _cleanup_free_ char *bin = NULL, *var_run = NULL;
if (readlink_malloc("/bin", &bin) < 0 || !PATH_IN_SET(bin, "usr/bin", "/usr/bin"))
stage[n++] = "unmerged-usr";

View File

@ -1,28 +0,0 @@
From fb422df08369fd10a4d3543697f09a7bd2f4c288 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 17 Jul 2024 12:19:03 +0200
Subject: [PATCH] packit: drop the libarchive workaround
As it's not needed anymore.
rhel-only: ci
Related: RHEL-40924
---
.packit.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 340c6992ec..03b3aae7d5 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -39,9 +39,6 @@ actions:
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
# Ignore unpackaged standalone binaries
- "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
- # Temporarily add libarchive-devel build dep and libarchive runtime dep
- # until the change propagates to Rawhide's specfile
- - "sed -ri '0,/^BuildRequires: .+$/s//&\\nBuildRequires: libarchive-devel\\nRequires: libarchive/' .packit_rpm/systemd.spec"
# Available targets can be listed via `copr-cli list-chroots`
jobs:

View File

@ -1,28 +0,0 @@
From 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Wed, 17 Jul 2024 12:22:55 +0200
Subject: [PATCH] packit: drop the dependency on python3-zstd
Since it's only in the RHEL buildroot repo.
rhel-only: ci
Related: RHEL-40924
---
.packit.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.packit.yml b/.packit.yml
index 03b3aae7d5..48ba210947 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -39,6 +39,9 @@ actions:
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
# Ignore unpackaged standalone binaries
- "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
+ # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot
+ # repo
+ - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec"
# Available targets can be listed via `copr-cli list-chroots`
jobs:

View File

@ -1,30 +0,0 @@
From 612afd332a5e647faed3c3acba03ca653bace41b Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 5 Apr 2024 15:56:58 +0200
Subject: [PATCH] coredump: by default process and store core files up to 1GiB
This brings policy inline with RHEL-9.
rhel-only: policy
Related: RHEL-46778
---
src/coredump/coredump.conf | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/coredump/coredump.conf b/src/coredump/coredump.conf
index ae341e40d7..3603edb782 100644
--- a/src/coredump/coredump.conf
+++ b/src/coredump/coredump.conf
@@ -19,9 +19,8 @@
[Coredump]
#Storage=external
#Compress=yes
-# On 32-bit, the default is 1G instead of 32G.
-#ProcessSizeMax=32G
-#ExternalSizeMax=32G
+ProcessSizeMax=1G
+ExternalSizeMax=1G
#JournalSizeMax=767M
#MaxUse=
#KeepFree=

View File

@ -1,23 +0,0 @@
From 352f8ad0bfdd8a41f6aa34e3e43038ae75eedf73 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 15 May 2018 09:24:20 +0200
Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's will
rhel-only: policy
Related: RHEL-40924
---
units/basic.target | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/units/basic.target b/units/basic.target
index d8cdd5ac14..9eae0782a2 100644
--- a/units/basic.target
+++ b/units/basic.target
@@ -19,4 +19,5 @@ After=sysinit.target sockets.target paths.target slices.target tmp.mount
# require /var and /var/tmp, but only add a Wants= type dependency on /tmp, as
# we support that unit being masked, and this should not be considered an error.
RequiresMountsFor=/var /var/tmp
-Wants=tmp.mount
+# RHEL-only: Disable /tmp on tmpfs.
+#Wants=tmp.mount

View File

@ -1,39 +0,0 @@
From e794e570a50392b503549befb65bc8cac0a29869 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Mon, 5 Sep 2016 12:47:09 +0200
Subject: [PATCH] unit: don't add Requires for tmp.mount
rhel-only: policy
Related: RHEL-40924
---
src/core/mount.c | 2 +-
src/core/unit.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/core/mount.c b/src/core/mount.c
index ebafcafa92..9edb2d47eb 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -313,7 +313,7 @@ static int mount_add_mount_dependencies(Mount *m) {
if (r < 0)
return r;
- if (UNIT(m)->fragment_path) {
+ if (UNIT(m)->fragment_path && !streq(UNIT(m)->id, "tmp.mount")) {
/* If we have fragment configuration, then make this dependency required/wanted */
r = unit_add_dependency(
other,
diff --git a/src/core/unit.c b/src/core/unit.c
index 0ec5dcaf75..a5556ba462 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1544,7 +1544,7 @@ static int unit_add_mount_dependencies(Unit *u) {
return r;
changed = changed || r > 0;
- if (m->fragment_path) {
+ if (m->fragment_path && !streq(m->id, "tmp.mount")) {
r = unit_add_dependency(
u,
unit_mount_dependency_type_to_dependency_type(t),

View File

@ -1,28 +0,0 @@
From 571c902adb894bfff481de4591a56a16add2670b Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 22 Sep 2021 14:38:00 +0200
Subject: [PATCH] units: don't enable tmp.mount statically in local-fs.target
rhel-only: policy
Related: RHEL-40924
---
units/meson.build | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/units/meson.build b/units/meson.build
index b231341a1f..39fa6f42c0 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -761,10 +761,7 @@ units = [
{ 'file' : 'time-set.target' },
{ 'file' : 'time-sync.target' },
{ 'file' : 'timers.target' },
- {
- 'file' : 'tmp.mount',
- 'symlinks' : ['local-fs.target.wants/'],
- },
+ { 'file' : 'tmp.mount' },
{ 'file' : 'tpm2.target' },
{ 'file' : 'umount.target' },
{ 'file' : 'usb-gadget.target' },

View File

@ -1,64 +0,0 @@
From fefc4bc15fe28d8f7def8bd75ada13ede21663cb Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 8 Aug 2024 13:12:58 +0200
Subject: [PATCH] netif-naming-scheme: add rhel-9.5 scheme
rhel-only: policy
Resolves: RHEL-44416
---
man/systemd.net-naming-scheme.xml | 15 +++++++++++++++
src/shared/netif-naming-scheme.c | 1 +
src/shared/netif-naming-scheme.h | 1 +
3 files changed, 17 insertions(+)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index 690e3d2c27..b2d78c95ab 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -592,6 +592,21 @@
<xi:include href="version-info.xml" xpointer="rhel-9.4"/>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><constant>rhel-9.5</constant></term>
+
+ <listitem><para>Never generate a slot name when a PCI bridge is detected.</para>
+
+ <para>Since version <constant>"rhel-9.0"</constant>, we have generated slot-based names
+ for PCI multifunction devices, because we assumed that it is enough to use function numbers
+ to distinguish between devices. However, name conflict can occur if these devices are not
+ children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="rhel-9.5"/>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect2>
diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
index e4d4c0ba88..149794e926 100644
--- a/src/shared/netif-naming-scheme.c
+++ b/src/shared/netif-naming-scheme.c
@@ -40,6 +40,7 @@ static const NamingScheme naming_schemes[] = {
{ "rhel-9.2", NAMING_RHEL_9_2 },
{ "rhel-9.3", NAMING_RHEL_9_3 },
{ "rhel-9.4", NAMING_RHEL_9_4 },
+ { "rhel-9.5", NAMING_RHEL_9_5 },
{ "rhel-10.0", NAMING_RHEL_10_0 },
/* … add more schemes here, as the logic to name devices is updated … */
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index b0697c141e..a55bb0b1cb 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -80,6 +80,7 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
+ NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
NAMING_RHEL_10_0 = NAMING_V255,

View File

@ -1,197 +0,0 @@
From 45fe2e91e4f73c998ff4d29c316cc4fca9d25942 Mon Sep 17 00:00:00 2001
From: Etienne Champetier <e.champetier@ateme.com>
Date: Tue, 9 Jul 2024 11:53:50 -0400
Subject: [PATCH] udev-builtin-net_id: use firmware_node/sun for
ID_NET_NAME_SLOT
pci_get_hotplug_slot() has the following limitations:
- if slots are not hotpluggable, they are not in /sys/bus/pci/slots.
- the address at /sys/bus/pci/slots/X/addr doesn't contains the function part,
so on some system, 2 different slots with different _SUN end up with the same
hotplug_slot, leading to naming conflicts.
- it tries all parent devices until it finds a slot number, which is incorrect,
and what led to NAMING_BRIDGE_MULTIFUNCTION_SLOT being disabled.
The use of PCI hotplug to find the slot (ACPI _SUN) was introduced in
https://github.com/systemd/systemd/commit/0035597a30d120f70df2dd7da3d6128fb8ba6051
"udev: net_id - export PCI hotplug slot names" on 2012/11/26.
At the same time on the kernel side we got
https://github.com/torvalds/linux/commit/bb74ac23b10820d8722c3e1f4add9ef59e703f63
"ACPI: create _SUN sysfs file" on 2012/11/16.
Using PCI hotplug was the only way at the time, but now 12 years later we can use
firmware_node/sun sysfs file.
Looking at a small selection of server HW, for HPE (Gen10 DL325), the _SUN is attached
to the NIC device, whereas for Dell (R640/R6515/R6615) and Cisco (UCSC-C220-M5SX),
the _SUN is on the first parent pcieport.
We still fallback to pci_get_hotplug_slot() to handle the s390 case and
maybe some other coner cases (_SUN on grand parent device that is not a
bridge ?).
(cherry picked from commit 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb)
Related: RHEL-44416
---
man/systemd.net-naming-scheme.xml | 6 ++-
src/shared/netif-naming-scheme.h | 5 ++-
src/udev/udev-builtin-net_id.c | 72 ++++++++++++++++++++++++++-----
3 files changed, 69 insertions(+), 14 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index b2d78c95ab..ea9a9c8d3c 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -528,7 +528,7 @@
<varlistentry>
<term><constant>rhel-10.0</constant></term>
- <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
+ <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
<xi:include href="version-info.xml" xpointer="rhel-10.0"/>
</listitem>
@@ -604,6 +604,8 @@
children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
</para>
+ <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
+
<xi:include href="version-info.xml" xpointer="rhel-9.5"/>
</listitem>
</varlistentry>
@@ -798,7 +800,7 @@ ID_NET_NAME_ONBOARD_LABEL=Ethernet Port 1
</example>
<example>
- <title>PCI Ethernet card in hotplug slot with firmware index number</title>
+ <title>PCI Ethernet card in slot with firmware index number</title>
<programlisting># /sys/devices/pci0000:00/0000:00:1c.3/0000:05:00.0/net/ens1
ID_NET_NAME_MAC=enx000000000466
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index a55bb0b1cb..229232d452 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -43,6 +43,7 @@ typedef enum NamingSchemeFlags {
NAMING_DEVICETREE_ALIASES = 1 << 15, /* Generate names from devicetree aliases */
NAMING_USB_HOST = 1 << 16, /* Generate names for usb host */
NAMING_SR_IOV_R = 1 << 17, /* Use "r" suffix for SR-IOV VF representors */
+ NAMING_FIRMWARE_NODE_SUN = 1 << 18, /* Use firmware_node/sun to get PCI slot number */
/* And now the masks that combine the features above */
NAMING_V238 = 0,
@@ -80,9 +81,9 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
- NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
+ NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
- NAMING_RHEL_10_0 = NAMING_V255,
+ NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
EXTRA_NET_NAMING_SCHEMES
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index 384a1f31cb..d34357fdb2 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -566,6 +566,51 @@ static int pci_get_hotplug_slot(sd_device *dev, uint32_t *ret) {
return -ENOENT;
}
+static int get_device_firmware_node_sun(sd_device *dev, uint32_t *ret) {
+ const char *attr;
+ int r;
+
+ assert(dev);
+ assert(ret);
+
+ r = device_get_sysattr_value_filtered(dev, "firmware_node/sun", &attr);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to read firmware_node/sun, ignoring: %m");
+
+ r = safe_atou32(attr, ret);
+ if (r < 0)
+ return log_device_warning_errno(dev, r, "Failed to parse firmware_node/sun '%s', ignoring: %m", attr);
+
+ return 0;
+}
+
+static int pci_get_slot_from_firmware_node_sun(sd_device *dev, uint32_t *ret) {
+ int r;
+ sd_device *slot_dev;
+
+ assert(dev);
+ assert(ret);
+
+ /* Try getting the ACPI _SUN for the device */
+ if (get_device_firmware_node_sun(dev, ret) >= 0)
+ return 0;
+
+ r = sd_device_get_parent_with_subsystem_devtype(dev, "pci", NULL, &slot_dev);
+ if (r < 0)
+ return log_device_debug_errno(dev, r, "Failed to find pci parent, ignoring: %m");
+
+ if (is_pci_bridge(slot_dev) && is_pci_multifunction(dev) <= 0)
+ return log_device_debug_errno(dev, SYNTHETIC_ERRNO(ESTALE),
+ "Not using slot information because the parent pcieport "
+ "is a bridge and the PCI device is not multifunction.");
+
+ /* Try getting the ACPI _SUN from the parent pcieport */
+ if (get_device_firmware_node_sun(slot_dev, ret) >= 0)
+ return 0;
+
+ return -ENOENT;
+}
+
static int get_pci_slot_specifiers(
sd_device *dev,
char **ret_domain,
@@ -616,7 +661,7 @@ static int get_pci_slot_specifiers(
static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix, const char *suffix, EventMode mode) {
_cleanup_free_ char *domain = NULL, *bus_and_slot = NULL, *func = NULL, *port = NULL;
- uint32_t hotplug_slot = 0; /* avoid false maybe-uninitialized warning */
+ uint32_t slot = 0; /* avoid false maybe-uninitialized warning */
char str[ALTIFNAMSIZ];
int r;
@@ -641,20 +686,27 @@ static int names_pci_slot(sd_device *dev, sd_device *pci_dev, const char *prefix
strna(domain), bus_and_slot, strna(func), strna(port),
special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str));
- r = pci_get_hotplug_slot(pci_dev, &hotplug_slot);
- if (r < 0)
- return r;
- if (r > 0)
- /* If the hotplug slot is found through the function ID, then drop the domain from the name.
- * See comments in parse_hotplug_slot_from_function_id(). */
- domain = mfree(domain);
+ if (naming_scheme_has(NAMING_FIRMWARE_NODE_SUN))
+ r = pci_get_slot_from_firmware_node_sun(pci_dev, &slot);
+ else
+ r = -1;
+ /* If we don't find a slot using firmware_node/sun, fallback to hotplug_slot */
+ if (r < 0) {
+ r = pci_get_hotplug_slot(pci_dev, &slot);
+ if (r < 0)
+ return r;
+ if (r > 0)
+ /* If the hotplug slot is found through the function ID, then drop the domain from the name.
+ * See comments in parse_hotplug_slot_from_function_id(). */
+ domain = mfree(domain);
+ }
if (snprintf_ok(str, sizeof str, "%s%ss%"PRIu32"%s%s%s",
- prefix, strempty(domain), hotplug_slot, strempty(func), strempty(port), strempty(suffix)))
+ prefix, strempty(domain), slot, strempty(func), strempty(port), strempty(suffix)))
udev_builtin_add_property(dev, mode, "ID_NET_NAME_SLOT", str);
log_device_debug(dev, "Slot identifier: domain=%s slot=%"PRIu32" func=%s port=%s %s %s",
- strna(domain), hotplug_slot, strna(func), strna(port),
+ strna(domain), slot, strna(func), strna(port),
special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(str));
return 0;

View File

@ -1,36 +0,0 @@
From f5470e9076138ccf69fb6576e950a75da4b89717 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 2 Aug 2024 16:51:15 +0900
Subject: [PATCH] man/net-naming-scheme: add missing period
Follow-up for 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb.
(cherry picked from commit 2bb72aadb8169c9310c8ca0d586d277a4a71e2f8)
Related: RHEL-44416
---
man/systemd.net-naming-scheme.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index ea9a9c8d3c..e458b5dd6b 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -528,7 +528,7 @@
<varlistentry>
<term><constant>rhel-10.0</constant></term>
- <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
+ <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
<xi:include href="version-info.xml" xpointer="rhel-10.0"/>
</listitem>
@@ -604,7 +604,7 @@
children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
</para>
- <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file</para>
+ <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
<xi:include href="version-info.xml" xpointer="rhel-9.5"/>
</listitem>

View File

@ -1,28 +0,0 @@
From 6bec94d825960a39bed6429531e722fd1571664b Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Wed, 14 Aug 2024 12:21:59 +0200
Subject: [PATCH] Revert "packit: drop the dependency on python3-zstd"
This reverts commit 43bf3e1a42e2c1a6ecd0ca6fd72c9bc6fe904703.
rhel-only: ci
Related: RHEL-36636
---
.packit.yml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/.packit.yml b/.packit.yml
index 48ba210947..03b3aae7d5 100644
--- a/.packit.yml
+++ b/.packit.yml
@@ -39,9 +39,6 @@ actions:
- 'sed -i "/^CONFIGURE_OPTS=(/a--werror" .packit_rpm/systemd.spec'
# Ignore unpackaged standalone binaries
- "sed -i 's/assert False,.*/pass/' .packit_rpm/split-files.py"
- # Drop the python3dist(zstd) dependency, as it's only in the RHEL buildroot
- # repo
- - "sed -i '/python3dist(zstd)/d' .packit_rpm/systemd.spec"
# Available targets can be listed via `copr-cli list-chroots`
jobs:

View File

@ -1,48 +0,0 @@
From a81dc0cad9c24df7c005378fe2c438a98054a7d3 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sun, 30 Jun 2024 13:12:45 +0200
Subject: [PATCH] systemctl: do not try to acquire triggering units for
template units
(cherry picked from commit 09d6038d833468ba7c24c658597387ef699ca4fd)
Resolves: RHEL-55132
---
src/systemctl/systemctl-util.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/systemctl/systemctl-util.c b/src/systemctl/systemctl-util.c
index 2482b7ccb2..08a3ebe128 100644
--- a/src/systemctl/systemctl-util.c
+++ b/src/systemctl/systemctl-util.c
@@ -327,14 +327,15 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske
if (r < 0)
return r;
+ if (unit_name_is_valid(name, UNIT_NAME_TEMPLATE))
+ goto skip;
+
if (ignore_masked) {
r = unit_is_masked(bus, name);
if (r < 0)
return r;
- if (r > 0) {
- *ret = NULL;
- return 0;
- }
+ if (r > 0)
+ goto skip;
}
dbus_path = unit_dbus_path_from_name(name);
@@ -370,6 +371,10 @@ int get_active_triggering_units(sd_bus *bus, const char *unit, bool ignore_maske
*ret = TAKE_PTR(active);
return 0;
+
+skip:
+ *ret = NULL;
+ return 0;
}
void warn_triggering_units(sd_bus *bus, const char *unit, const char *operation, bool ignore_masked) {

View File

@ -1,24 +0,0 @@
From dee8164e2d136efb7bac04775c8bef255f659766 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 22 Jun 2024 12:08:39 +0200
Subject: [PATCH] core/unit: add one assertion for u->manager
(cherry picked from commit 8b17371b6185c9829bb21a813aadb2225ccfc4de)
Resolves: RHEL-55734
---
src/core/unit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/core/unit.c b/src/core/unit.c
index a5556ba462..c668c45ee9 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -6103,6 +6103,7 @@ int unit_test_trigger_loaded(Unit *u) {
void unit_destroy_runtime_data(Unit *u, const ExecContext *context) {
assert(u);
+ assert(u->manager);
assert(context);
/* EXEC_PRESERVE_RESTART is handled via unit_release_resources()! */

View File

@ -1,88 +0,0 @@
From 45d326633b32f4dee739ca38a67347c828c1c136 Mon Sep 17 00:00:00 2001
From: Mike Yuan <me@yhndnzj.com>
Date: Sat, 22 Jun 2024 12:03:50 +0200
Subject: [PATCH] core/service: destroy runtime data when Type=oneshot services
exit
Currently, we have a bunch of Type=oneshot + RemainAfterExit=yes
services that make use of credentials. When those exits, the cred mounts
remain established, which is pointless and quite annoying. Let's
instead destroy the runtime data on SERVICE_EXITED, if no process
will be spawned for the unit again.
(cherry picked from commit c26948c6dae1d2ca13499b36f193b13a0760834c)
Resolves: RHEL-55734
---
src/core/service.c | 37 ++++++++++++++++++++++++++-----------
1 file changed, 26 insertions(+), 11 deletions(-)
diff --git a/src/core/service.c b/src/core/service.c
index 6e81460ad0..60cc902745 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1206,13 +1206,12 @@ static void service_search_main_pid(Service *s) {
}
static void service_set_state(Service *s, ServiceState state) {
+ Unit *u = UNIT(ASSERT_PTR(s));
ServiceState old_state;
const UnitActiveState *table;
- assert(s);
-
if (s->state != state)
- bus_unit_send_pending_change_signal(UNIT(s), false);
+ bus_unit_send_pending_change_signal(u, false);
table = s->type == SERVICE_IDLE ? state_translation_table_idle : state_translation_table;
@@ -1246,8 +1245,8 @@ static void service_set_state(Service *s, ServiceState state) {
SERVICE_DEAD, SERVICE_FAILED,
SERVICE_DEAD_BEFORE_AUTO_RESTART, SERVICE_FAILED_BEFORE_AUTO_RESTART, SERVICE_AUTO_RESTART, SERVICE_AUTO_RESTART_QUEUED,
SERVICE_DEAD_RESOURCES_PINNED)) {
- unit_unwatch_all_pids(UNIT(s));
- unit_dequeue_rewatch_pids(UNIT(s));
+ unit_unwatch_all_pids(u);
+ unit_dequeue_rewatch_pids(u);
}
if (state != SERVICE_START)
@@ -1256,15 +1255,31 @@ static void service_set_state(Service *s, ServiceState state) {
if (!IN_SET(state, SERVICE_START_POST, SERVICE_RUNNING, SERVICE_RELOAD, SERVICE_RELOAD_SIGNAL, SERVICE_RELOAD_NOTIFY))
service_stop_watchdog(s);
- /* For the inactive states unit_notify() will trim the cgroup,
- * but for exit we have to do that ourselves... */
- if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(UNIT(s)->manager))
- unit_prune_cgroup(UNIT(s));
+ if (state == SERVICE_EXITED && !MANAGER_IS_RELOADING(u->manager)) {
+ /* For the inactive states unit_notify() will trim the cgroup. But for exit we have to
+ * do that ourselves... */
+ unit_prune_cgroup(u);
+
+ /* If none of ExecReload= and ExecStop*= is used, we can safely destroy runtime data
+ * as soon as the service enters SERVICE_EXITED. This saves us from keeping the credential mount
+ * for the whole duration of the oneshot service while no processes are actually running,
+ * among other things. */
+
+ bool start_only = true;
+ for (ServiceExecCommand c = SERVICE_EXEC_RELOAD; c < _SERVICE_EXEC_COMMAND_MAX; c++)
+ if (s->exec_command[c]) {
+ start_only = false;
+ break;
+ }
+
+ if (start_only)
+ unit_destroy_runtime_data(u, &s->exec_context);
+ }
if (old_state != state)
- log_unit_debug(UNIT(s), "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state));
+ log_unit_debug(u, "Changed %s -> %s", service_state_to_string(old_state), service_state_to_string(state));
- unit_notify(UNIT(s), table[old_state], table[state], s->reload_result == SERVICE_SUCCESS);
+ unit_notify(u, table[old_state], table[state], s->reload_result == SERVICE_SUCCESS);
}
static usec_t service_coldplug_timeout(Service *s) {

View File

@ -1,34 +0,0 @@
From 05c29b1e58784c87ecb4ae7b56425af786e1cd05 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Tue, 30 Jul 2024 11:53:32 +0200
Subject: [PATCH] cgroup-util: Ignore kernel threads in cg_kill_items()
Similar to the implementation of cgroup.kill in the kernel, let's
skip kernel threads in cg_kill_items() as trying to kill kernel
threads as an unprivileged process will fail with EPERM and doesn't
do anything when running privileged.
(cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0)
Resolves: RHEL-55746
---
src/basic/cgroup-util.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 553ee6075a..1fc83a656a 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -369,6 +369,12 @@ static int cg_kill_items(
if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid))
continue;
+ /* Ignore kernel threads to mimick the behavior of cgroup.kill. */
+ if (pidref_is_kernel_thread(&pidref) > 0) {
+ log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path);
+ continue;
+ }
+
if (log_kill)
ret_log_kill = log_kill(&pidref, sig, userdata);

View File

@ -1,30 +0,0 @@
From 418d2192e0e2bcdc7fe10f4f331231a2ad5a5c00 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 31 Jul 2024 13:38:50 +0200
Subject: [PATCH] cgroup-util: Don't try to open pidfd for kernel threads
The kernel might start returning -EINVAL when trying to open pidfd's
for kernel threads so let's not try to open pidfd's for kernel threads.
(cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058)
Resolves: RHEL-55746
---
src/basic/cgroup-util.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 1fc83a656a..b0fe0ecbe8 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -149,7 +149,9 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) {
if (pid == 0)
return -EREMOTE;
- if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) {
+ /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so
+ * catch those and don't try to create a pidfd for them. */
+ if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) {
*ret = PIDREF_MAKE_FROM_PID(pid);
return 1;
}

View File

@ -1,27 +0,0 @@
From d41b2bdf876e0d46486c1800d5ee12a6f641a9d4 Mon Sep 17 00:00:00 2001
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Sat, 3 Aug 2024 05:48:51 +0900
Subject: [PATCH] cgroup-util: fix typo
Follow-up for 0fbb569de1dcc06118dba006cf7a40caf6cd94d0.
(cherry picked from commit ec4964692ae0e080c596610adee2ddb83008c839)
Resolves: RHEL-55746
---
src/basic/cgroup-util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index b0fe0ecbe8..2c64a54906 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -371,7 +371,7 @@ static int cg_kill_items(
if (set_get(s, PID_TO_PTR(pidref.pid)) == PID_TO_PTR(pidref.pid))
continue;
- /* Ignore kernel threads to mimick the behavior of cgroup.kill. */
+ /* Ignore kernel threads to mimic the behavior of cgroup.kill. */
if (pidref_is_kernel_thread(&pidref) > 0) {
log_debug("Ignoring kernel thread with pid " PID_FMT " in cgroup '%s'", pidref.pid, path);
continue;

View File

@ -1,75 +0,0 @@
From c3300ddbcdd138da8bd3fb31d0f35a20f5b6ca13 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Thu, 22 Aug 2024 13:42:11 +0200
Subject: [PATCH] netif-naming-scheme: rename rhel-10.0 to rhel-10.0.beta
rhel-only: policy
Related: RHEL-55728
---
man/systemd.net-naming-scheme.xml | 6 +++---
man/version-info.xml | 1 +
src/shared/netif-naming-scheme.c | 2 +-
src/shared/netif-naming-scheme.h | 2 +-
4 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index e458b5dd6b..610a05485b 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -526,15 +526,15 @@
</varlistentry>
<varlistentry>
- <term><constant>rhel-10.0</constant></term>
+ <term><constant>rhel-10.0-beta</constant></term>
<listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
- <xi:include href="version-info.xml" xpointer="rhel-10.0"/>
+ <xi:include href="version-info.xml" xpointer="rhel-10.0.beta"/>
</listitem>
</varlistentry>
</variablelist>
- <para>By default <constant>rhel-10.0</constant> is used.</para>
+ <para>By default <constant>rhel-10.0-beta</constant> is used.</para>
<refsect2>
<title>RHEL-9 schemes</title>
diff --git a/man/version-info.xml b/man/version-info.xml
index 274450d408..c05cebfbe2 100644
--- a/man/version-info.xml
+++ b/man/version-info.xml
@@ -103,6 +103,7 @@
<para id="rhel-9.8">Added in rhel-9.8.</para>
<para id="rhel-9.9">Added in rhel-9.9.</para>
<para id="rhel-9.10">Added in rhel-9.10.</para>
+ <para id="rhel-10.0.beta">Added in rhel-10.0-beta.</para>
<para id="rhel-10.0">Added in rhel-10.0.</para>
<para id="rhel-10.1">Added in rhel-10.1.</para>
<para id="rhel-10.2">Added in rhel-10.2.</para>
diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c
index 149794e926..cb5f8c5d38 100644
--- a/src/shared/netif-naming-scheme.c
+++ b/src/shared/netif-naming-scheme.c
@@ -41,7 +41,7 @@ static const NamingScheme naming_schemes[] = {
{ "rhel-9.3", NAMING_RHEL_9_3 },
{ "rhel-9.4", NAMING_RHEL_9_4 },
{ "rhel-9.5", NAMING_RHEL_9_5 },
- { "rhel-10.0", NAMING_RHEL_10_0 },
+ { "rhel-10.0-beta", NAMING_RHEL_10_0_BETA },
/* … add more schemes here, as the logic to name devices is updated … */
EXTRA_NET_NAMING_MAP
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index 229232d452..2e2023ba5b 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
- NAMING_RHEL_10_0 = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
+ NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
EXTRA_NET_NAMING_SCHEMES

View File

@ -1,43 +0,0 @@
From 8da695b27c2620e6410e0b1a4d8dda4747d89b5f Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Thu, 22 Aug 2024 13:47:56 +0200
Subject: [PATCH] net-naming-scheme: disable NAMING_FIRMWARE_NODE_SUN
It seems that virtio devices always have "0" in
the firmware_node/sun. And because of that, udev will
always name the device ens0, which leads to collisions.
So let's disable it for now.
rhel-only: policy
Resolves: RHEL-55728
---
man/systemd.net-naming-scheme.xml | 2 +-
src/shared/netif-naming-scheme.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index 610a05485b..8be24e4243 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -528,7 +528,7 @@
<varlistentry>
<term><constant>rhel-10.0-beta</constant></term>
- <listitem><para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
+ <listitem><para>Same as naming scheme <constant>v255</constant>.</para>
<xi:include href="version-info.xml" xpointer="rhel-10.0.beta"/>
</listitem>
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index 2e2023ba5b..fb733ba768 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -83,7 +83,7 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
- NAMING_RHEL_10_0_BETA = NAMING_V255 | NAMING_FIRMWARE_NODE_SUN,
+ NAMING_RHEL_10_0_BETA = NAMING_V255,
EXTRA_NET_NAMING_SCHEMES

View File

@ -1,38 +0,0 @@
From 6a8e030c0a8481e42ee60a52e7a91f736537f5e3 Mon Sep 17 00:00:00 2001
From: Lukas Nykryn <lnykryn@redhat.com>
Date: Thu, 22 Aug 2024 14:31:54 +0200
Subject: [PATCH] net-naming-scheme: remove NAMING_FIRMWARE_NODE_SUN from 9.5
rhel-only: policy
Resolves: RHEL-55728
---
man/systemd.net-naming-scheme.xml | 2 --
src/shared/netif-naming-scheme.h | 2 +-
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml
index 8be24e4243..246c6509e3 100644
--- a/man/systemd.net-naming-scheme.xml
+++ b/man/systemd.net-naming-scheme.xml
@@ -604,8 +604,6 @@
children of the same PCI bridge, e.g. there are multiple PCI bridges in the same slot.
</para>
- <para>PCI slot number is now read from <constant>firmware_node/sun</constant> sysfs file.</para>
-
<xi:include href="version-info.xml" xpointer="rhel-9.5"/>
</listitem>
</varlistentry>
diff --git a/src/shared/netif-naming-scheme.h b/src/shared/netif-naming-scheme.h
index fb733ba768..b2b2ee648f 100644
--- a/src/shared/netif-naming-scheme.h
+++ b/src/shared/netif-naming-scheme.h
@@ -81,7 +81,7 @@ typedef enum NamingSchemeFlags {
NAMING_RHEL_9_2 = NAMING_RHEL_9_0,
NAMING_RHEL_9_3 = NAMING_RHEL_9_0 | NAMING_SR_IOV_R,
NAMING_RHEL_9_4 = NAMING_RHEL_9_3,
- NAMING_RHEL_9_5 = (NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT) | NAMING_FIRMWARE_NODE_SUN,
+ NAMING_RHEL_9_5 = NAMING_RHEL_9_4 & ~NAMING_BRIDGE_MULTIFUNCTION_SLOT,
NAMING_RHEL_10_0_BETA = NAMING_V255,

View File

@ -1,33 +0,0 @@
From 38623336fb84eb0df1f72ef8d472a36bb5d60822 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 21 Aug 2024 11:25:46 +0200
Subject: [PATCH] Revert "cgroup-util: Don't try to open pidfd for kernel
threads"
The kernel patch was reverted so let's try again to open pidfds
for kernel threads.
This reverts commit ead48ec35c863650944352a3455f26ce3b393058.
(cherry picked from commit 1ce69e06615e69692a6d02d447acfd77f5d44631)
Related: RHEL-52634
---
src/basic/cgroup-util.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 2c64a54906..a6ad711ac0 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -149,9 +149,7 @@ int cg_read_pidref(FILE *f, PidRef *ret, CGroupFlags flags) {
if (pid == 0)
return -EREMOTE;
- /* We might read kernel thread pids from cgroup.procs for which we cannot create a pidfd so
- * catch those and don't try to create a pidfd for them. */
- if (FLAGS_SET(flags, CGROUP_NO_PIDFD) || pid_is_kernel_thread(pid) > 0) {
+ if (FLAGS_SET(flags, CGROUP_NO_PIDFD)) {
*ret = PIDREF_MAKE_FROM_PID(pid);
return 1;
}

View File

@ -1,30 +0,0 @@
From 65dbacdb67ae94f7481a413dfea651b2d8a74d13 Mon Sep 17 00:00:00 2001
From: Daan De Meyer <daan.j.demeyer@gmail.com>
Date: Wed, 28 Aug 2024 14:08:30 +0200
Subject: [PATCH] ukify: Skip test on architectures without UEFI
(cherry picked from commit 5121f7c45b37afca53c89f42123b1dd6a04fa80f)
Related: RHEL-52634
---
src/ukify/test/test_ukify.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/ukify/test/test_ukify.py b/src/ukify/test/test_ukify.py
index 0e3f932890..15d1578695 100755
--- a/src/ukify/test/test_ukify.py
+++ b/src/ukify/test/test_ukify.py
@@ -35,6 +35,13 @@ except ImportError as e:
sys.path.append(os.path.dirname(__file__) + '/..')
import ukify
+# Skip if we're running on an architecture that does not use UEFI.
+try:
+ ukify.guess_efi_arch()
+except ValueError as e:
+ print(str(e), file=sys.stderr)
+ sys.exit(77)
+
build_root = os.getenv('PROJECT_BUILD_ROOT')
try:
slow_tests = bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '1')))

View File

@ -1,25 +0,0 @@
From d6ed92f6f6bffbf98700002eeed231af3336b40e Mon Sep 17 00:00:00 2001
From: Jan Macku <jamacku@redhat.com>
Date: Thu, 5 Sep 2024 12:36:01 +0200
Subject: [PATCH] ci: rename beta branch to match dist-git name
rhel-only: ci
Related: RHEL-57603
---
.github/tracker-validator.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
index 2e858606ff..1226b8a92a 100644
--- a/.github/tracker-validator.yml
+++ b/.github/tracker-validator.yml
@@ -6,7 +6,7 @@ labels:
products:
- Red Hat Enterprise Linux 10
- CentOS Stream 10
- - rhel-10.0.beta
+ - rhel-10.0-beta
- rhel-10.0
- rhel-10.0.z
- rhel-10.1

View File

@ -1,41 +0,0 @@
From ab07d071227dd878a7376296ab4baaca4522e4fb Mon Sep 17 00:00:00 2001
From: Chengen Du <chengen.du@canonical.com>
Date: Mon, 12 Aug 2024 11:41:52 +0800
Subject: [PATCH] udev: Handle PTP device symlink properly on udev action
'change'
PTP device symlink creation rules are currently executed only when the
udev action is 'add'. If a user reloads the rules and runs the udevadm
trigger command to reapply changes, the symlink may be deleted, which
can prevent the chronyd service from restarting properly.
Signed-off-by: Chengen Du <chengen.du@canonical.com>
(cherry picked from commit 6bd12be3fa7761f190e17efdbdbff4440da7528b)
Resolves: RHEL-59871
---
rules.d/50-udev-default.rules.in | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 9b00c7037e..6f80feeecf 100644
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -30,6 +30,9 @@ SUBSYSTEM=="pci|usb|platform", IMPORT{builtin}="path_id"
SUBSYSTEM=="net", IMPORT{builtin}="net_driver"
+SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
+SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
+
ACTION!="add", GOTO="default_end"
SUBSYSTEM=="tty", KERNEL=="ptmx", GROUP="tty", MODE="0666"
@@ -116,7 +119,4 @@ KERNEL=="vhost-net", GROUP="kvm", MODE="{{DEV_KVM_MODE}}", OPTIONS+="static_node
KERNEL=="udmabuf", GROUP="kvm"
-SUBSYSTEM=="ptp", ATTR{clock_name}=="KVM virtual PTP", SYMLINK+="ptp_kvm"
-SUBSYSTEM=="ptp", ATTR{clock_name}=="hyperv", SYMLINK+="ptp_hyperv"
-
LABEL="default_end"

View File

@ -1,121 +0,0 @@
From 1fbfcb7d98c95e80e9332770b78613a803c15c20 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Tue, 30 Jul 2024 10:51:21 +0100
Subject: [PATCH] Fix detection of TDX confidential VM on Azure platform
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead it is required to use the same Azure specific CPUID
leaf that is used for SEV-SNP detection, which reports the VM isolation
type.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)
Related: RHEL-56144
---
src/basic/confidential-virt.c | 11 ++++++++---
src/boot/efi/vmm.c | 9 ++++++---
src/fundamental/confidential-virt-fundamental.h | 1 +
3 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
index b6521cf5bf..8a88a3eb83 100644
--- a/src/basic/confidential-virt.c
+++ b/src/basic/confidential-virt.c
@@ -76,7 +76,7 @@ static uint64_t msr(uint64_t index) {
return ret;
}
-static bool detect_hyperv_sev(void) {
+static bool detect_hyperv_cvm(uint32_t isoltype) {
uint32_t eax, ebx, ecx, edx, feat;
char sig[13] = {};
@@ -100,7 +100,7 @@ static bool detect_hyperv_sev(void) {
ebx = ecx = edx = 0;
cpuid(&eax, &ebx, &ecx, &edx);
- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
+ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
return true;
}
@@ -133,7 +133,7 @@ static ConfidentialVirtualization detect_sev(void) {
if (!(eax & EAX_SEV)) {
log_debug("No sev in CPUID, trying hyperv CPUID");
- if (detect_hyperv_sev())
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP))
return CONFIDENTIAL_VIRTUALIZATION_SEV_SNP;
log_debug("No hyperv CPUID");
@@ -171,6 +171,11 @@ static ConfidentialVirtualization detect_tdx(void) {
if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
return CONFIDENTIAL_VIRTUALIZATION_TDX;
+ log_debug("No tdx in CPUID, trying hyperv CPUID");
+
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
+ return CONFIDENTIAL_VIRTUALIZATION_TDX;
+
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
diff --git a/src/boot/efi/vmm.c b/src/boot/efi/vmm.c
index 60e216d54c..3459461390 100644
--- a/src/boot/efi/vmm.c
+++ b/src/boot/efi/vmm.c
@@ -337,7 +337,7 @@ static uint64_t msr(uint32_t index) {
return val;
}
-static bool detect_hyperv_sev(void) {
+static bool detect_hyperv_cvm(uint32_t isoltype) {
uint32_t eax, ebx, ecx, edx, feat;
char sig[13] = {};
@@ -354,7 +354,7 @@ static bool detect_hyperv_sev(void) {
if (ebx & CPUID_HYPERV_ISOLATION && !(ebx & CPUID_HYPERV_CPU_MANAGEMENT)) {
__cpuid(CPUID_HYPERV_ISOLATION_CONFIG, eax, ebx, ecx, edx);
- if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == CPUID_HYPERV_ISOLATION_TYPE_SNP)
+ if ((ebx & CPUID_HYPERV_ISOLATION_TYPE_MASK) == isoltype)
return true;
}
@@ -379,7 +379,7 @@ static bool detect_sev(void) {
* specific CPUID checks.
*/
if (!(eax & EAX_SEV))
- return detect_hyperv_sev();
+ return detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_SNP);
msrval = msr(MSR_AMD64_SEV);
@@ -403,6 +403,9 @@ static bool detect_tdx(void) {
if (memcmp(sig, CPUID_SIG_INTEL_TDX, sizeof(sig)) == 0)
return true;
+ if (detect_hyperv_cvm(CPUID_HYPERV_ISOLATION_TYPE_TDX))
+ return true;
+
return false;
}
#endif /* ! __i386__ && ! __x86_64__ */
diff --git a/src/fundamental/confidential-virt-fundamental.h b/src/fundamental/confidential-virt-fundamental.h
index 986923e1c2..618b5800ea 100644
--- a/src/fundamental/confidential-virt-fundamental.h
+++ b/src/fundamental/confidential-virt-fundamental.h
@@ -65,6 +65,7 @@
#define CPUID_HYPERV_ISOLATION_TYPE_MASK UINT32_C(0xf)
#define CPUID_HYPERV_ISOLATION_TYPE_SNP 2
+#define CPUID_HYPERV_ISOLATION_TYPE_TDX 3
#define EAX_SEV (UINT32_C(1) << 1)
#define MSR_SEV (UINT64_C(1) << 0)

View File

@ -1,76 +0,0 @@
From d697ad145aa564aff3ac5cb9b6a63667ce2b391c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 Aug 2024 16:26:00 +0100
Subject: [PATCH] confidential-virt: split caching of CVM detection into
separate method
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a)
Related: RHEL-56144
---
src/basic/confidential-virt.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
index 8a88a3eb83..0e05ecffbf 100644
--- a/src/basic/confidential-virt.c
+++ b/src/basic/confidential-virt.c
@@ -194,34 +194,37 @@ static bool detect_hypervisor(void) {
return is_hv;
}
-ConfidentialVirtualization detect_confidential_virtualization(void) {
- static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
+static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
char sig[13] = {};
- ConfidentialVirtualization cv = CONFIDENTIAL_VIRTUALIZATION_NONE;
-
- if (cached_found >= 0)
- return cached_found;
/* Skip everything on bare metal */
if (detect_hypervisor()) {
cpuid_leaf(0, sig, true);
if (memcmp(sig, CPUID_SIG_AMD, sizeof(sig)) == 0)
- cv = detect_sev();
+ return detect_sev();
else if (memcmp(sig, CPUID_SIG_INTEL, sizeof(sig)) == 0)
- cv = detect_tdx();
+ return detect_tdx();
}
- cached_found = cv;
- return cv;
+ return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
#else /* ! x86_64 */
-ConfidentialVirtualization detect_confidential_virtualization(void) {
+static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
log_debug("No confidential virtualization detection on this architecture");
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
#endif /* ! x86_64 */
+ConfidentialVirtualization detect_confidential_virtualization(void) {
+ static thread_local ConfidentialVirtualization cached_found = _CONFIDENTIAL_VIRTUALIZATION_INVALID;
+
+ if (cached_found == _CONFIDENTIAL_VIRTUALIZATION_INVALID)
+ cached_found = detect_confidential_virtualization_impl();
+
+ return cached_found;
+}
+
static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
[CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
[CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",

View File

@ -1,90 +0,0 @@
From a9da2854f199bb3729b29ea4175858067313659e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 Aug 2024 11:03:10 +0100
Subject: [PATCH] confidential-virt: add detection for s390x target
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.
This can be detected through a simple sysfs attribute.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e)
Resolves: RHEL-56144
---
src/basic/confidential-virt.c | 30 +++++++++++++++++++++++++-----
src/basic/confidential-virt.h | 1 +
2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/src/basic/confidential-virt.c b/src/basic/confidential-virt.c
index 0e05ecffbf..c246636c7c 100644
--- a/src/basic/confidential-virt.c
+++ b/src/basic/confidential-virt.c
@@ -11,6 +11,7 @@
#include "confidential-virt-fundamental.h"
#include "confidential-virt.h"
#include "fd-util.h"
+#include "fileio.h"
#include "missing_threads.h"
#include "string-table.h"
#include "utf8.h"
@@ -209,6 +210,24 @@ static ConfidentialVirtualization detect_confidential_virtualization_impl(void)
return CONFIDENTIAL_VIRTUALIZATION_NONE;
}
+#elif defined(__s390x__)
+static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
+ _cleanup_free_ char *s = NULL;
+ size_t readsize;
+ int r;
+
+ r = read_full_virtual_file("/sys/firmware/uv/prot_virt_guest", &s, &readsize);
+ if (r < 0) {
+ log_debug_errno(r, "Unable to read /sys/firmware/uv/prot_virt_guest: %m");
+ return CONFIDENTIAL_VIRTUALIZATION_NONE;
+ }
+
+ if (readsize >= 1 && s[0] == '1')
+ return CONFIDENTIAL_VIRTUALIZATION_PROTVIRT;
+
+ return CONFIDENTIAL_VIRTUALIZATION_NONE;
+}
+
#else /* ! x86_64 */
static ConfidentialVirtualization detect_confidential_virtualization_impl(void) {
log_debug("No confidential virtualization detection on this architecture");
@@ -226,11 +245,12 @@ ConfidentialVirtualization detect_confidential_virtualization(void) {
}
static const char *const confidential_virtualization_table[_CONFIDENTIAL_VIRTUALIZATION_MAX] = {
- [CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
- [CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
- [CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
- [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
- [CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
+ [CONFIDENTIAL_VIRTUALIZATION_NONE] = "none",
+ [CONFIDENTIAL_VIRTUALIZATION_SEV] = "sev",
+ [CONFIDENTIAL_VIRTUALIZATION_SEV_ES] = "sev-es",
+ [CONFIDENTIAL_VIRTUALIZATION_SEV_SNP] = "sev-snp",
+ [CONFIDENTIAL_VIRTUALIZATION_TDX] = "tdx",
+ [CONFIDENTIAL_VIRTUALIZATION_PROTVIRT] = "protvirt",
};
DEFINE_STRING_TABLE_LOOKUP(confidential_virtualization, ConfidentialVirtualization);
diff --git a/src/basic/confidential-virt.h b/src/basic/confidential-virt.h
index c02f3b2321..f92e3e883d 100644
--- a/src/basic/confidential-virt.h
+++ b/src/basic/confidential-virt.h
@@ -13,6 +13,7 @@ typedef enum ConfidentialVirtualization {
CONFIDENTIAL_VIRTUALIZATION_SEV_ES,
CONFIDENTIAL_VIRTUALIZATION_SEV_SNP,
CONFIDENTIAL_VIRTUALIZATION_TDX,
+ CONFIDENTIAL_VIRTUALIZATION_PROTVIRT,
_CONFIDENTIAL_VIRTUALIZATION_MAX,
_CONFIDENTIAL_VIRTUALIZATION_INVALID = -EINVAL,

View File

@ -1,37 +0,0 @@
From 776706c0b675a52ea83d1790e3598253592dd6a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 Aug 2024 13:07:13 +0100
Subject: [PATCH] man/systemd-detect-virt: fix row spanning for VM header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This fixes
commit 9b0688f491674b53ef7a52bdf561a430c53673d6
Author: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue Jan 9 10:52:49 2024 +0900
virt: add Google Compute Engine support
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9ffdfc67c6aedcb66c2b18c2c61bc32e585e6d6e)
Related: RHEL-56144
---
man/systemd-detect-virt.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
index 2239294145..6b49e3a519 100644
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -62,7 +62,7 @@
</thead>
<tbody>
<row>
- <entry valign="top" morerows="16">VM</entry>
+ <entry valign="top" morerows="17">VM</entry>
<entry><varname>qemu</varname></entry>
<entry>QEMU software virtualization, without KVM</entry>
</row>

View File

@ -1,74 +0,0 @@
From 390217689905f0e12f080ddf8bd4fdefefcd38df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 2 Aug 2024 13:17:56 +0100
Subject: [PATCH] man/systemd-detect-virt: list known CVM technologies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a section which lists the known confidential virtual machine
technologies.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d21fd6127a6d05757c793cc9ba47f65c893)
Related: RHEL-56144
---
man/systemd-detect-virt.xml | 44 +++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/man/systemd-detect-virt.xml b/man/systemd-detect-virt.xml
index 6b49e3a519..a4fcdfbc9d 100644
--- a/man/systemd-detect-virt.xml
+++ b/man/systemd-detect-virt.xml
@@ -217,6 +217,50 @@
WSL is categorized as a container for practical purposes.
Multiple WSL environments share the same kernel and services
should generally behave like when being run in a container.</para>
+
+ <para>When executed with <option>--cvm</option>, instead of
+ printing the virtualization technology, it will display the
+ confidential virtual machine technology, if any. The
+ following technologies are currently identified:</para>
+
+ <table>
+ <title>Known confidential virtualization technologies</title>
+ <tgroup cols='2' align='left' colsep='1' rowsep='1'>
+ <colspec colname="id" />
+ <colspec colname="product" />
+ <thead>
+ <row>
+ <entry>Arch</entry>
+ <entry>ID</entry>
+ <entry>Technology</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry valign="top" morerows="3">x86_64</entry>
+ <entry><varname>sev</varname></entry>
+ <entry>AMD Secure Encrypted Virtualization</entry>
+ </row>
+ <row>
+ <entry><varname>sev-es</varname></entry>
+ <entry>AMD Secure Encrypted Virtualization - Encrypted State</entry>
+ </row>
+ <row>
+ <entry><varname>sev-snp</varname></entry>
+ <entry>AMD Secure Encrypted Virtualization - Secure Nested Paging</entry>
+ </row>
+ <row>
+ <entry><varname>tdx</varname></entry>
+ <entry>Intel Trust Domain Extensions</entry>
+ </row>
+ <row>
+ <entry>s390x</entry>
+ <entry><varname>protvirt</varname></entry>
+ <entry>IBM Protected Virtualization (Secure Execution)</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</refsect1>
<refsect1>

View File

@ -1,3 +0,0 @@
# Increase the number of virtual memory areas that one process may request
# https://fedoraproject.org/wiki/Changes/IncreaseVmMaxMapCount
vm.max_map_count=1048576

View File

@ -1,2 +0,0 @@
[OOM]
DefaultMemoryPressureDurationSec=20s

View File

@ -1,3 +0,0 @@
[Slice]
ManagedOOMMemoryPressure=kill
ManagedOOMMemoryPressureLimit=80%

View File

@ -1,20 +0,0 @@
# SPDX-License-Identifier: MIT-0
#
# This config file is installed as part of systemd.
# It may be freely copied and edited (following the MIT No Attribution license).
#
# To make local modifications, one of the following methods may be used:
# 1. add a drop-in file that extends this file by creating the
# /etc/systemd/network/98-default-mac-none.link.d/ directory and creating a
# new .conf file there.
# 2. copy this file into /etc/systemd/network or one of the other paths checked
# by systemd-udevd and edit it there.
# This file should not be edited in place, because it'll be overwritten on upgrades.
[Match]
Kind=bridge bond team
[Link]
NamePolicy=keep kernel database onboard slot path
AlternativeNamesPolicy=database onboard slot path
MACAddressPolicy=none

Some files were not shown because too many files have changed in this diff Show More