Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
@ -1,20 +0,0 @@
|
||||
From ca150b92be2e0edf3bfafe88ee79a419e7e11aaa Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Mon, 4 Mar 2024 13:40:45 +0100
|
||||
Subject: [PATCH] ci: add configuration for regression sniffer GA
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-1087
|
||||
---
|
||||
.github/regression-sniffer.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
create mode 100644 .github/regression-sniffer.yml
|
||||
|
||||
diff --git a/.github/regression-sniffer.yml b/.github/regression-sniffer.yml
|
||||
new file mode 100644
|
||||
index 0000000000..3824028e92
|
||||
--- /dev/null
|
||||
+++ b/.github/regression-sniffer.yml
|
||||
@@ -0,0 +1 @@
|
||||
+upstream: systemd/systemd
|
||||
@ -1,35 +0,0 @@
|
||||
From ccaa361e04719efc6bcf7f3201cc9e6a869677d8 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Mon, 4 Mar 2024 14:40:32 +0100
|
||||
Subject: [PATCH] coredump: actually store parsed unit in the context
|
||||
|
||||
RHEL-only
|
||||
|
||||
Related: RHEL-18302
|
||||
---
|
||||
src/coredump/coredump.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
|
||||
index d8acd2d3a7..7af8e97877 100644
|
||||
--- a/src/coredump/coredump.c
|
||||
+++ b/src/coredump/coredump.c
|
||||
@@ -1262,6 +1262,8 @@ static int gather_pid_metadata(
|
||||
context->meta[CONTEXT_EXE] = t;
|
||||
|
||||
if (cg_pid_get_unit(pid, &t) >= 0) {
|
||||
+ context->meta[CONTEXT_UNIT] = t;
|
||||
+
|
||||
if (!is_journald_crash(context)) {
|
||||
/* OK, now we know it's not the journal, hence we can make use of it now. */
|
||||
log_set_target(LOG_TARGET_JOURNAL_OR_KMSG);
|
||||
@@ -1275,8 +1277,7 @@ static int gather_pid_metadata(
|
||||
}
|
||||
|
||||
set_iovec_string_field(iovec, n_iovec, "COREDUMP_UNIT=", context->meta[CONTEXT_UNIT]);
|
||||
- } else
|
||||
- context->meta[CONTEXT_UNIT] = t;
|
||||
+ }
|
||||
|
||||
if (cg_pid_get_user_unit(pid, &t) >= 0)
|
||||
set_iovec_field_free(iovec, n_iovec, "COREDUMP_USER_UNIT=", t);
|
||||
@ -1,184 +0,0 @@
|
||||
From 899e3c43d6ac9d97c3cb9340b778427391def4ac Mon Sep 17 00:00:00 2001
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Mon, 26 Feb 2024 13:47:24 +0100
|
||||
Subject: [PATCH] resolved: limit the number of signature validations in a
|
||||
transaction
|
||||
|
||||
It has been demonstrated that tolerating an unbounded number of dnssec
|
||||
signature validations is a bad idea. It is easy for a maliciously
|
||||
crafted DNS reply to contain as many keytag collisions as desired,
|
||||
causing us to iterate every dnskey and signature combination in vain.
|
||||
|
||||
The solution is to impose a maximum number of validations we will
|
||||
tolerate. While collisions are not hard to craft, I still expect they
|
||||
are unlikely in the wild so it should be safe to pick fairly small
|
||||
values.
|
||||
|
||||
Here two limits are imposed: one on the maximum number of invalid
|
||||
signatures encountered per rrset, and another on the total number of
|
||||
validations performed per transaction.
|
||||
|
||||
(cherry picked from commit 67d0ce8843d612a2245d0966197d4f528b911b66)
|
||||
|
||||
Resolves: RHEL-26644
|
||||
---
|
||||
src/resolve/resolved-dns-dnssec.c | 16 ++++++++++++++--
|
||||
src/resolve/resolved-dns-dnssec.h | 9 ++++++++-
|
||||
src/resolve/resolved-dns-transaction.c | 19 ++++++++++++++++---
|
||||
3 files changed, 38 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
|
||||
index 0a6f482cc1..5dbfbc94c7 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.c
|
||||
+++ b/src/resolve/resolved-dns-dnssec.c
|
||||
@@ -996,6 +996,7 @@ int dnssec_verify_rrset_search(
|
||||
DnsResourceRecord **ret_rrsig) {
|
||||
|
||||
bool found_rrsig = false, found_invalid = false, found_expired_rrsig = false, found_unsupported_algorithm = false;
|
||||
+ unsigned nvalidations = 0;
|
||||
DnsResourceRecord *rrsig;
|
||||
int r;
|
||||
|
||||
@@ -1041,6 +1042,14 @@ int dnssec_verify_rrset_search(
|
||||
if (realtime == USEC_INFINITY)
|
||||
realtime = now(CLOCK_REALTIME);
|
||||
|
||||
+ /* Have we seen an unreasonable number of invalid signaures? */
|
||||
+ if (nvalidations > DNSSEC_INVALID_MAX) {
|
||||
+ if (ret_rrsig)
|
||||
+ *ret_rrsig = NULL;
|
||||
+ *result = DNSSEC_TOO_MANY_VALIDATIONS;
|
||||
+ return (int) nvalidations;
|
||||
+ }
|
||||
+
|
||||
/* Yay, we found a matching RRSIG with a matching
|
||||
* DNSKEY, awesome. Now let's verify all entries of
|
||||
* the RRSet against the RRSIG and DNSKEY
|
||||
@@ -1050,6 +1059,8 @@ int dnssec_verify_rrset_search(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
+ nvalidations++;
|
||||
+
|
||||
switch (one_result) {
|
||||
|
||||
case DNSSEC_VALIDATED:
|
||||
@@ -1060,7 +1071,7 @@ int dnssec_verify_rrset_search(
|
||||
*ret_rrsig = rrsig;
|
||||
|
||||
*result = one_result;
|
||||
- return 0;
|
||||
+ return (int) nvalidations;
|
||||
|
||||
case DNSSEC_INVALID:
|
||||
/* If the signature is invalid, let's try another
|
||||
@@ -1107,7 +1118,7 @@ int dnssec_verify_rrset_search(
|
||||
if (ret_rrsig)
|
||||
*ret_rrsig = NULL;
|
||||
|
||||
- return 0;
|
||||
+ return (int) nvalidations;
|
||||
}
|
||||
|
||||
int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
|
||||
@@ -2301,6 +2312,7 @@ static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
|
||||
[DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary",
|
||||
[DNSSEC_NSEC_MISMATCH] = "nsec-mismatch",
|
||||
[DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
|
||||
+ [DNSSEC_TOO_MANY_VALIDATIONS] = "too-many-validations",
|
||||
};
|
||||
DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
|
||||
index dfee7232c0..4d6abee084 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.h
|
||||
+++ b/src/resolve/resolved-dns-dnssec.h
|
||||
@@ -9,12 +9,13 @@ typedef enum DnssecVerdict DnssecVerdict;
|
||||
#include "resolved-dns-rr.h"
|
||||
|
||||
enum DnssecResult {
|
||||
- /* These five are returned by dnssec_verify_rrset() */
|
||||
+ /* These six are returned by dnssec_verify_rrset() */
|
||||
DNSSEC_VALIDATED,
|
||||
DNSSEC_VALIDATED_WILDCARD, /* Validated via a wildcard RRSIG, further NSEC/NSEC3 checks necessary */
|
||||
DNSSEC_INVALID,
|
||||
DNSSEC_SIGNATURE_EXPIRED,
|
||||
DNSSEC_UNSUPPORTED_ALGORITHM,
|
||||
+ DNSSEC_TOO_MANY_VALIDATIONS,
|
||||
|
||||
/* These two are added by dnssec_verify_rrset_search() */
|
||||
DNSSEC_NO_SIGNATURE,
|
||||
@@ -45,6 +46,12 @@ enum DnssecVerdict {
|
||||
/* The longest digest we'll ever generate, of all digest algorithms we support */
|
||||
#define DNSSEC_HASH_SIZE_MAX (MAX(20, 32))
|
||||
|
||||
+/* The most invalid signatures we will tolerate for a single rrset */
|
||||
+#define DNSSEC_INVALID_MAX 5
|
||||
+
|
||||
+/* The total number of signature validations we will tolerate for a single transaction */
|
||||
+#define DNSSEC_VALIDATION_MAX 64
|
||||
+
|
||||
int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, bool revoked_ok);
|
||||
int dnssec_key_match_rrsig(const DnsResourceKey *key, DnsResourceRecord *rrsig);
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
|
||||
index 6f614d7493..1ca6c9abc8 100644
|
||||
--- a/src/resolve/resolved-dns-transaction.c
|
||||
+++ b/src/resolve/resolved-dns-transaction.c
|
||||
@@ -2870,11 +2870,14 @@ static int dnssec_validate_records(
|
||||
DnsTransaction *t,
|
||||
Phase phase,
|
||||
bool *have_nsec,
|
||||
+ unsigned *nvalidations,
|
||||
DnsAnswer **validated) {
|
||||
|
||||
DnsResourceRecord *rr;
|
||||
int r;
|
||||
|
||||
+ assert(nvalidations);
|
||||
+
|
||||
/* Returns negative on error, 0 if validation failed, 1 to restart validation, 2 when finished. */
|
||||
|
||||
DNS_ANSWER_FOREACH(rr, t->answer) {
|
||||
@@ -2909,6 +2912,7 @@ static int dnssec_validate_records(
|
||||
r = dnssec_verify_rrset_search(t->answer, rr->key, t->validated_keys, USEC_INFINITY, &result, &rrsig);
|
||||
if (r < 0)
|
||||
return r;
|
||||
+ *nvalidations += r;
|
||||
|
||||
log_debug("Looking at %s: %s", strna(dns_resource_record_to_string(rr)), dnssec_result_to_string(result));
|
||||
|
||||
@@ -3086,7 +3090,8 @@ static int dnssec_validate_records(
|
||||
DNSSEC_SIGNATURE_EXPIRED,
|
||||
DNSSEC_NO_SIGNATURE))
|
||||
manager_dnssec_verdict(t->scope->manager, DNSSEC_BOGUS, rr->key);
|
||||
- else /* DNSSEC_MISSING_KEY or DNSSEC_UNSUPPORTED_ALGORITHM */
|
||||
+ else /* DNSSEC_MISSING_KEY, DNSSEC_UNSUPPORTED_ALGORITHM,
|
||||
+ or DNSSEC_TOO_MANY_VALIDATIONS */
|
||||
manager_dnssec_verdict(t->scope->manager, DNSSEC_INDETERMINATE, rr->key);
|
||||
|
||||
/* This is a primary response to our question, and it failed validation.
|
||||
@@ -3180,13 +3185,21 @@ int dns_transaction_validate_dnssec(DnsTransaction *t) {
|
||||
return r;
|
||||
|
||||
phase = DNSSEC_PHASE_DNSKEY;
|
||||
- for (;;) {
|
||||
+ for (unsigned nvalidations = 0;;) {
|
||||
bool have_nsec = false;
|
||||
|
||||
- r = dnssec_validate_records(t, phase, &have_nsec, &validated);
|
||||
+ r = dnssec_validate_records(t, phase, &have_nsec, &nvalidations, &validated);
|
||||
if (r <= 0)
|
||||
return r;
|
||||
|
||||
+ if (nvalidations > DNSSEC_VALIDATION_MAX) {
|
||||
+ /* This reply requires an onerous number of signature validations to verify. Let's
|
||||
+ * not waste our time trying, as this shouldn't happen for well-behaved domains
|
||||
+ * anyway. */
|
||||
+ t->answer_dnssec_result = DNSSEC_TOO_MANY_VALIDATIONS;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
/* Try again as long as we managed to achieve something */
|
||||
if (r == 1)
|
||||
continue;
|
||||
@ -1,34 +0,0 @@
|
||||
From 92124e84be68005be92cce046c7c679b98199d66 Mon Sep 17 00:00:00 2001
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Mon, 26 Feb 2024 13:56:36 +0100
|
||||
Subject: [PATCH] resolved: reduce the maximum nsec3 iterations to 100
|
||||
|
||||
According to RFC9267, the 2500 value is not helpful, and in fact it can
|
||||
be harmful to permit a large number of iterations. Combined with limits
|
||||
on the number of signature validations, I expect this will mitigate the
|
||||
impact of maliciously crafted domains designed to cause excessive
|
||||
cryptographic work.
|
||||
|
||||
(cherry picked from commit eba291124bc11f03732d1fc468db3bfac069f9cb)
|
||||
|
||||
Related: RHEL-26644
|
||||
---
|
||||
src/resolve/resolved-dns-dnssec.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
|
||||
index 5dbfbc94c7..5a0540568c 100644
|
||||
--- a/src/resolve/resolved-dns-dnssec.c
|
||||
+++ b/src/resolve/resolved-dns-dnssec.c
|
||||
@@ -22,8 +22,9 @@
|
||||
/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
|
||||
#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
|
||||
|
||||
-/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value */
|
||||
-#define NSEC3_ITERATIONS_MAX 2500
|
||||
+/* Maximum number of NSEC3 iterations we'll do. RFC5155 says 2500 shall be the maximum useful value, but
|
||||
+ * RFC9276 § 3.2 says that we should reduce the acceptable iteration count */
|
||||
+#define NSEC3_ITERATIONS_MAX 100
|
||||
|
||||
/*
|
||||
* The DNSSEC Chain of trust:
|
||||
@ -1,117 +0,0 @@
|
||||
From f896e672ec6101ccbb21108345946e834455a25f Mon Sep 17 00:00:00 2001
|
||||
From: Franck Bui <fbui@suse.com>
|
||||
Date: Fri, 3 Apr 2020 10:00:25 +0200
|
||||
Subject: [PATCH] pid1: by default make user units inherit their umask from the
|
||||
user manager
|
||||
|
||||
This patch changes the way user managers set the default umask for the units it
|
||||
manages.
|
||||
|
||||
Indeed one can expect that if user manager's umask is redefined through PAM
|
||||
(via /etc/login.defs or pam_umask), all its children including the units it
|
||||
spawns have their umask set to the new value.
|
||||
|
||||
Hence make user units inherit their umask value from their parent instead of
|
||||
the hard coded value 0022 but allow them to override this value via their unit
|
||||
file.
|
||||
|
||||
Note that reexecuting managers with 'systemctl daemon-reexec' after changing
|
||||
UMask= has no effect. To take effect managers need to be restarted with
|
||||
'systemct restart' instead. This behavior was already present before this
|
||||
patch.
|
||||
|
||||
Fixes #6077.
|
||||
|
||||
(cherry picked from commit 5e37d1930b41b24c077ce37c6db0e36c745106c7)
|
||||
|
||||
Related: RHEL-28048
|
||||
---
|
||||
man/systemd.exec.xml | 9 +++++++--
|
||||
src/basic/process-util.c | 17 +++++++++++++++++
|
||||
src/basic/process-util.h | 1 +
|
||||
src/core/unit.c | 12 ++++++++++--
|
||||
4 files changed, 35 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
|
||||
index b04b4ba552..844c1ce94b 100644
|
||||
--- a/man/systemd.exec.xml
|
||||
+++ b/man/systemd.exec.xml
|
||||
@@ -590,8 +590,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
||||
<term><varname>UMask=</varname></term>
|
||||
|
||||
<listitem><para>Controls the file mode creation mask. Takes an access mode in octal notation. See
|
||||
- <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for details. Defaults
|
||||
- to 0022.</para></listitem>
|
||||
+ <citerefentry><refentrytitle>umask</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
+ details. Defaults to 0022 for system units. For units of the user service manager the default value
|
||||
+ is inherited from the user instance (whose default is inherited from the system service manager, and
|
||||
+ thus also is 0022). Hence changing the default value of a user instance, either via
|
||||
+ <varname>UMask=</varname> or via a PAM module, will affect the user instance itself and all user
|
||||
+ units started by the user instance unless a user unit has specified its own
|
||||
+ <varname>UMask=</varname>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
|
||||
index 9e2237375d..af44bfab3e 100644
|
||||
--- a/src/basic/process-util.c
|
||||
+++ b/src/basic/process-util.c
|
||||
@@ -657,6 +657,23 @@ int get_process_ppid(pid_t pid, pid_t *ret) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
+int get_process_umask(pid_t pid, mode_t *umask) {
|
||||
+ _cleanup_free_ char *m = NULL;
|
||||
+ const char *p;
|
||||
+ int r;
|
||||
+
|
||||
+ assert(umask);
|
||||
+ assert(pid >= 0);
|
||||
+
|
||||
+ p = procfs_file_alloca(pid, "status");
|
||||
+
|
||||
+ r = get_proc_field(p, "Umask", WHITESPACE, &m);
|
||||
+ if (r == -ENOENT)
|
||||
+ return -ESRCH;
|
||||
+
|
||||
+ return parse_mode(m, umask);
|
||||
+}
|
||||
+
|
||||
int wait_for_terminate(pid_t pid, siginfo_t *status) {
|
||||
siginfo_t dummy;
|
||||
|
||||
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
|
||||
index a3bd2851b4..9059aad4cc 100644
|
||||
--- a/src/basic/process-util.h
|
||||
+++ b/src/basic/process-util.h
|
||||
@@ -41,6 +41,7 @@ int get_process_cwd(pid_t pid, char **cwd);
|
||||
int get_process_root(pid_t pid, char **root);
|
||||
int get_process_environ(pid_t pid, char **environ);
|
||||
int get_process_ppid(pid_t pid, pid_t *ppid);
|
||||
+int get_process_umask(pid_t pid, mode_t *umask);
|
||||
|
||||
int wait_for_terminate(pid_t pid, siginfo_t *status);
|
||||
|
||||
diff --git a/src/core/unit.c b/src/core/unit.c
|
||||
index 76fb9f8075..d3459dcdd0 100644
|
||||
--- a/src/core/unit.c
|
||||
+++ b/src/core/unit.c
|
||||
@@ -167,8 +167,16 @@ static void unit_init(Unit *u) {
|
||||
if (ec) {
|
||||
exec_context_init(ec);
|
||||
|
||||
- ec->keyring_mode = MANAGER_IS_SYSTEM(u->manager) ?
|
||||
- EXEC_KEYRING_SHARED : EXEC_KEYRING_INHERIT;
|
||||
+ if (MANAGER_IS_SYSTEM(u->manager))
|
||||
+ ec->keyring_mode = EXEC_KEYRING_SHARED;
|
||||
+ else {
|
||||
+ ec->keyring_mode = EXEC_KEYRING_INHERIT;
|
||||
+
|
||||
+ /* User manager might have its umask redefined by PAM or UMask=. In this
|
||||
+ * case let the units it manages inherit this value by default. They can
|
||||
+ * still tune this value through their own unit file */
|
||||
+ (void) get_process_umask(getpid_cached(), &ec->umask);
|
||||
+ }
|
||||
}
|
||||
|
||||
kc = unit_get_kill_context(u);
|
||||
@ -1,28 +0,0 @@
|
||||
From 49dbe60d4b3c6f111911c8217bc5e7da5a4ba0d0 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Wed, 31 May 2023 18:50:12 +0200
|
||||
Subject: [PATCH] pam: add call to pam_umask
|
||||
|
||||
Setting umask for user sessions via UMASK setting in /etc/login.defs is
|
||||
a well-known feature. Let's make sure that user manager also runs with
|
||||
this umask value.
|
||||
|
||||
Follow-up for 5e37d1930b41b24c077ce37c6db0e36c745106c7.
|
||||
|
||||
(cherry picked from commit 159f1b78576ce91c3932f4867f07361a530875d3)
|
||||
|
||||
Resolves: RHEL-28048
|
||||
---
|
||||
src/login/systemd-user.m4 | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/login/systemd-user.m4 b/src/login/systemd-user.m4
|
||||
index eb291beaed..a194a636d6 100644
|
||||
--- a/src/login/systemd-user.m4
|
||||
+++ b/src/login/systemd-user.m4
|
||||
@@ -10,4 +10,5 @@ session required pam_selinux.so nottys open
|
||||
session required pam_loginuid.so
|
||||
session optional pam_keyinit.so force revoke
|
||||
session required pam_namespace.so
|
||||
+session optional pam_umask.so silent
|
||||
session optional pam_systemd.so
|
||||
@ -1,81 +0,0 @@
|
||||
From 045ba12c6337760f0a7f8b0ceb9f998b309e025f Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Fri, 9 Feb 2024 14:48:02 +0100
|
||||
Subject: [PATCH] ci: deploy systemd man to GitHub Pages
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
|
||||
Co-authored-by: Frantisek Sumsal <frantisek@sumsal.cz>
|
||||
---
|
||||
.github/workflows/deploy-man-pages.yml | 60 ++++++++++++++++++++++++++
|
||||
1 file changed, 60 insertions(+)
|
||||
create mode 100644 .github/workflows/deploy-man-pages.yml
|
||||
|
||||
diff --git a/.github/workflows/deploy-man-pages.yml b/.github/workflows/deploy-man-pages.yml
|
||||
new file mode 100644
|
||||
index 0000000000..9da38a1687
|
||||
--- /dev/null
|
||||
+++ b/.github/workflows/deploy-man-pages.yml
|
||||
@@ -0,0 +1,60 @@
|
||||
+name: Deploy systemd man to Pages
|
||||
+
|
||||
+on:
|
||||
+ push:
|
||||
+ branches: [ rhel-8.10.0 ]
|
||||
+ paths:
|
||||
+ - man/*
|
||||
+ - .github/workflows/deploy-man-pages.yml
|
||||
+ schedule:
|
||||
+ # Run every Monday at 4:00 AM UTC
|
||||
+ - cron: 0 4 * * 1
|
||||
+ workflow_dispatch:
|
||||
+
|
||||
+permissions:
|
||||
+ contents: read
|
||||
+
|
||||
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
|
||||
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
|
||||
+concurrency:
|
||||
+ group: pages
|
||||
+ cancel-in-progress: false
|
||||
+
|
||||
+jobs:
|
||||
+ # Single deploy job since we're just deploying
|
||||
+ deploy:
|
||||
+ environment:
|
||||
+ name: github-pages
|
||||
+ url: ${{ steps.deployment.outputs.page_url }}
|
||||
+ runs-on: ubuntu-latest
|
||||
+
|
||||
+ permissions:
|
||||
+ pages: write
|
||||
+ id-token: write
|
||||
+
|
||||
+ steps:
|
||||
+ - uses: actions/checkout@v4
|
||||
+
|
||||
+ - name: Install dependencies
|
||||
+ run: |
|
||||
+ RELEASE="$(lsb_release -cs)"
|
||||
+ sudo add-apt-repository -y --no-update --enable-source
|
||||
+ sudo apt-get -y update
|
||||
+ sudo apt-get -y build-dep systemd
|
||||
+
|
||||
+ - name: Build HTML man pages
|
||||
+ run: |
|
||||
+ meson setup build
|
||||
+ ninja -C build man/html
|
||||
+
|
||||
+ - name: Setup Pages
|
||||
+ uses: actions/configure-pages@v4
|
||||
+
|
||||
+ - name: Upload artifact
|
||||
+ uses: actions/upload-pages-artifact@v3
|
||||
+ with:
|
||||
+ path: ./build/man
|
||||
+
|
||||
+ - name: Deploy to GitHub Pages
|
||||
+ id: deployment
|
||||
+ uses: actions/deploy-pages@v4
|
||||
@ -1,24 +0,0 @@
|
||||
From 604d2f1c8b6ecb46be7f70c5be7ae6fc6be04cab Mon Sep 17 00:00:00 2001
|
||||
From: Jan Macku <jamacku@redhat.com>
|
||||
Date: Thu, 11 Apr 2024 10:14:51 +0200
|
||||
Subject: [PATCH] ci(src-git): update list of supported products
|
||||
|
||||
rhel-only
|
||||
|
||||
Related: RHEL-32494
|
||||
---
|
||||
.github/tracker-validator.yml | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/.github/tracker-validator.yml b/.github/tracker-validator.yml
|
||||
index b09f702dd9..1bb684e722 100644
|
||||
--- a/.github/tracker-validator.yml
|
||||
+++ b/.github/tracker-validator.yml
|
||||
@@ -16,5 +16,5 @@ products:
|
||||
- rhel-8.8.0.z
|
||||
- rhel-8.9.0
|
||||
- rhel-8.9.0.z
|
||||
- - rhel-8.10.0
|
||||
- - rhel-8.10.0.z
|
||||
+ - rhel-8.10
|
||||
+ - rhel-8.10.z
|
||||
@ -9,5 +9,4 @@ session required pam_selinux.so close
|
||||
session required pam_selinux.so nottys open
|
||||
session required pam_loginuid.so
|
||||
session required pam_namespace.so
|
||||
session optional pam_umask.so silent
|
||||
session include system-auth
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
Name: systemd
|
||||
Url: http://www.freedesktop.org/wiki/Software/systemd
|
||||
Version: 239
|
||||
Release: 82%{?dist}.2
|
||||
Release: 81%{?dist}
|
||||
# For a breakdown of the licensing, see README
|
||||
License: LGPLv2+ and MIT and GPLv2+
|
||||
Summary: System and Service Manager
|
||||
@ -1055,14 +1055,6 @@ Patch1002: 1002-udev-net_id-introduce-naming-scheme-for-RHEL-8.10.patch
|
||||
Patch1003: 1003-doc-add-missing-listitem-to-systemd.net-naming-schem.patch
|
||||
Patch1004: 1004-service-schedule-cleanup-of-PID-hashmaps-when-we-now.patch
|
||||
Patch1005: 1005-man-update-link-to-RHEL-documentation.patch
|
||||
Patch1006: 1006-ci-add-configuration-for-regression-sniffer-GA.patch
|
||||
Patch1007: 1007-coredump-actually-store-parsed-unit-in-the-context.patch
|
||||
Patch1008: 1008-resolved-limit-the-number-of-signature-validations-i.patch
|
||||
Patch1009: 1009-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
|
||||
Patch1010: 1010-pid1-by-default-make-user-units-inherit-their-umask-.patch
|
||||
Patch1011: 1011-pam-add-call-to-pam_umask.patch
|
||||
Patch1012: 1012-ci-deploy-systemd-man-to-GitHub-Pages.patch
|
||||
Patch1013: 1013-ci-src-git-update-list-of-supported-products.patch
|
||||
|
||||
%ifarch %{ix86} x86_64 aarch64
|
||||
%global have_gnu_efi 1
|
||||
@ -1516,6 +1508,10 @@ chmod g+s /run/log/journal/ /run/log/journal/`cat /etc/machine-id 2>/dev/null` /
|
||||
# Apply ACL to the journal directory
|
||||
setfacl -Rnm g:wheel:rx,d:g:wheel:rx,g:adm:rx,d:g:adm:rx /var/log/journal/ &>/dev/null || :
|
||||
|
||||
# Stop-gap until rsyslog.rpm does this on its own. (This is supposed
|
||||
# to fail when the link already exists)
|
||||
ln -s /usr/lib/systemd/system/rsyslog.service /etc/systemd/system/syslog.service &>/dev/null || :
|
||||
|
||||
# Remove spurious /etc/fstab entries from very old installations
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1009023
|
||||
if [ -e /etc/fstab ]; then
|
||||
@ -1689,21 +1685,6 @@ fi
|
||||
%files tests -f .file-list-tests
|
||||
|
||||
%changelog
|
||||
* Tue Jul 23 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.2
|
||||
- spec: do not create symlink /etc/systemd/system/syslog.service (RHEL-13179)
|
||||
|
||||
* Thu Apr 11 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82.1
|
||||
- pid1: by default make user units inherit their umask from the user manager (RHEL-28048)
|
||||
- pam: add call to pam_umask (RHEL-28048)
|
||||
- ci: deploy systemd man to GitHub Pages (RHEL-32494)
|
||||
- ci(src-git): update list of supported products (RHEL-32494)
|
||||
|
||||
* Thu Mar 07 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-82
|
||||
- ci: add configuration for regression sniffer GA (RHEL-1087)
|
||||
- coredump: actually store parsed unit in the context (RHEL-18302)
|
||||
- resolved: limit the number of signature validations in a transaction (RHEL-26644)
|
||||
- resolved: reduce the maximum nsec3 iterations to 100 (RHEL-26644)
|
||||
|
||||
* Mon Feb 26 2024 systemd maintenance team <systemd-maint@redhat.com> - 239-81
|
||||
- man: update link to RHEL documentation (RHEL-26355)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user