IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This fixes a few unrelated issues:
- when ENABLE_MACHINED is false, machinectl is not installed, but _sd_machines
is still used in a few places that want to complete -M and such.
Also, bash completion calls machinectl in various places.
Make missing machinectl mean "no machines" in this case, so
that no error is generated in the callers.
- machinectl list --full would print multiple lines of output per machine,
breaking grep, issue introduced in e2268fa43742ece4a5cdc2e93f731b2bb2fcc883.
Using --max-addresses=1 would fix the issue, but let's use
--max-addresses=0 because we now can.
- the lists used in various places were slightly different for no good reason.
- don't use a subshell if not necessary.
The code for bash still uses the same combined list of images and running
machines for various commands. The zsh code uses images for start/clone, and
running machines for the rest. Maybe something to fix in the future.
Replaces #25048.
Quoting https://github.com/systemd/systemd/pull/25050#discussion_r998721845:
This part seems to be quite racy, at least in the C8S job:
[ 1767.520856] H testsuite-15.sh[35]: *** test transient slice drop-ins
[ 1767.520856] H testsuite-15.sh[35]: + mkdir -p /etc/systemd/system/slice.d
[ 1767.522480] H testsuite-15.sh[35]: + mkdir -p /etc/systemd/system/a-.slice.d
[ 1767.524992] H testsuite-15.sh[35]: + mkdir -p /etc/systemd/system/a-b-.slice.d
[ 1767.526799] H testsuite-15.sh[35]: + mkdir -p /etc/systemd/system/a-b-c.slice.d
[ 1767.528302] H testsuite-15.sh[35]: + echo -e '[Unit]\nDocumentation=man:drop1'
[ 1767.528434] H testsuite-15.sh[35]: + echo -e '[Unit]\nDocumentation=man:drop2'
[ 1767.528519] H testsuite-15.sh[35]: + echo -e '[Unit]\nDocumentation=man:drop3'
[ 1767.528595] H testsuite-15.sh[35]: + echo -e '[Unit]\nDocumentation=man:drop4'
[ 1767.528676] H testsuite-15.sh[35]: + systemctl cat a-b-c.slice
[ 1767.541321] H systemctl[1042]: No files found for a-b-c.slice.
[ 1767.542854] H systemd[1]: testsuite-15.service: Main process exited, code=exited, status=1/FAILURE
[ 1767.542995] H systemd[1]: testsuite-15.service: Failed with result 'exit-code'.
[ 1767.543360] H systemd[1]: Failed to start testsuite-15.service.
[ 1767.543542] H systemd[1]: testsuite-15.service: Consumed 1.586s CPU time.
[ 1767.543938] H systemd[1]: Reached target testsuite.target.
[ 1767.545737] H systemd[1]: Starting end.service...
Let's document that "." is a bad choice of character when naming
interfaces. Let's also document the hard restrictions we make when
naming interfaces.
Result of the mess that is #25052.
* chore: enable scorecard action
* chore: add badge to the README file
* chore: enable on config file update
* chore: update scorecard to 2.0.4
* chore: run scorecard on PR at main branch
* chore: add condition to publish_result key
* chore: skip upload to code scanning if PR
* chore: only runs scorecard in the main repo
Resolves: #25042
The man page says nothing about "e". Glibc clearly accepts it without fuss, but
it is meaningless for a memory object (and probably doesn't work). This use is
not portable, so let's avoid it.
We would deadlock when passing the data back from the forked-off process that
was doing backtrace generation back to the coredump parent. This is because we
fork the child and wait for it to exit. The child tries to write too much data
to the output pipe, and and after the first 64k blocks on the parent because
the pipe is full. The bug surfaced in Fedora because of a combination of four
factors:
- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which
allowed coredump processing to be successful.
- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output
was very verbose.
- Fedora has the ELF package metadata available, so a lot of output can be
generated. Most other distros just don't have the information.
- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output
are generated for it.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778.
The code is changed to try to write data opportunistically. If we get partial
information, that is still logged. In is generally better to log partial
backtrace information than nothing at all.
We do not provide any numerical libraries, and iszero_safe() is only
used in parsing or formatting JSON. Hence, it is not necessary for us to
request that the function provides the same result on different systems.
Fixes#25044.
Use target process context to set socket context when using SELinuxContextFromNet
not systemd's context. Currently when using the SELinuxContextFromNet option for
a socket activated services, systemd calls getcon_raw which returns init_t and
uses the resulting context to compute the context to be passed to the
setsockcreatecon call. A socket of type init_t is created and listened on and
this means that SELinux policy cannot be written to control which processes
(SELinux types) can connect to the socket since the ref policy allows all
'types' to connect to sockets of the type init_t. When security accessors see
that any process can connect to a socket this raises serious concerns. I have
spoken with SELinux contributors in person and on the mailing list and the
consensus is that the best solution is to use the target executables context
when computing the sockets context in all cases.
[zjs review/comment:
This removes the branch that was added in 16115b0a7b7cdf08fb38084d857d572d8a9088dc.
16115b0a7b7cdf08fb38084d857d572d8a9088dc did two things: it had the branch here
in 'socket_determine_selinux_label()' and a code in 'exec_child()' to call
'label_get_child_mls_label(socket_fd, command->path, &label)'.
Before this patch, the flow was:
'''
mac_selinux_get_child_mls_label:
peercon = getpeercon_raw(socket_fd);
if (!exec_label)
exec_label = getfilecon_raw(exe);
socket_open_fds:
if (params->selinux_context_net) #
label = mac_selinux_get_our_label(); # this part is removed
else #
label = mac_selinux_get_create_label_from_exe(path);
socket_address_listen_in_cgroup(s, &p->address, label);
exec_child():
exec_context = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context);
setexeccon(exec_context);
'''
]
Similarly to DumpByFileDescriptor vs Dump,
DumpUnitsMatchingPatternsByFileDescriptor is used in preference. Dissimilarly,
a fallback to DumpUnitsMatchingPatterns is not done on error, because there is
no need for backwards compatibility.
The code is still more verbose than I'd like, but there are four different code
paths with slightly different rules in each case, so it's hard to make this all
very brief. Since we have a separate file dedicated to making those calls, the
verbose-but-easy-to-follow implementation should be OK.
Closes#24989.
I only did a quick test that all both variants works locally and over ssh.
Otherwise we might hit a race where we read the test log just before
it's fully written to the disk:
```
======================================================================
FAIL: test_interleaved (__main__.ExecutionResumeTest.test_interleaved)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/root/systemd/test/test-exec-deserialization.py", line 170, in test_interleaved
self.check_output(expected_output)
File "/root/systemd/test/test-exec-deserialization.py", line 111, in check_output
self.assertEqual(output, expected_output)
AssertionError: 'foo\n' != 'foo\nbar\n'
foo
+ bar
```
With some debug:
```
test_interleaved (__main__.ExecutionResumeTest.test_interleaved) ...
Assertion failed; file contents just after the assertion:
b'foo\n'
File contents 5 seconds later:
b'foo\nbar\n'
FAIL
```
Seen quite often in CentOS CI on the fast baremetal machines.
