IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Strictly speaking, this breaks the backward compatibility, but I guess
in most cases people already sets Scope=link for such routes.
This behavior matches with how 'ip route' command adds such route by
default.
Prompted by https://twitter.com/jplitza/status/1480500562391179270.
No need to invoke ls when we are just interested in file names.
Also, the cd to source root makes the output identical to
"git ls-files" (relative instead of absolute paths).
Dangling symlinks get pruned when packaging up the installation
directory. Just store empty files instead, and compare the names
rather than the content for .requires/.wants - the filename is
what is important anyway, the content is ignored.
Fixes#22059
Otherwise we might hit a window where the coredump happens before
midnight, but we check for it after midnight, which yields no results.
E.g.:
```
$ coredumpctl --no-legend --no-pager --file system.journal
Wed 2022-01-05 01:00:06 CET 359 0 0 SIGABRT journal /usr/bin/udevadm n/a
$ coredumpctl --since 23:59:55 --no-legend --no-pager --file system.journal
No coredumps found.
$ coredumpctl --since "2022-01-04 23:59:59" --no-legend --no-pager --file system.journal
Wed 2022-01-05 01:00:06 CET 359 0 0 SIGABRT journal /usr/bin/udevadm n/a
```
19:50:59 F: Missing a shared library required by /var/tmp/systemd-test.NIPT2q/root/lib/systemd/libsystemd-core-250.so.
19:50:59 F: Run "ldd /var/tmp/systemd-test.NIPT2q/root/lib/systemd/libsystemd-core-250.so" to find out what it is.
19:50:59 F: libsystemd-shared-250.so => not found
19:50:59 F: Cannot create a test image.
The user may be busy when auto-rebalancing the user's home device.
Workaround for #21589.
---
Dec 01 15:03:15 H systemd-homework[1078]: Provided password unlocks user record.
Dec 01 15:03:15 H systemd-homework[1078]: Image file '/home/test-user.home' already locked, can't use.
Dec 01 15:03:15 H systemd-homed[240]: Worker reported error code EADDRINUSE.
Dec 01 15:03:15 H systemd-homed[240]: Activation failed: Address already in use
---
since in that case we might be also slow enough to miss the rate-limit
window. However, let's not set the trigger limit unconditionally to
still have coverage for the unaltered path unit (but without sacrificing
CI stability).
See: https://github.com/systemd/systemd/pull/21808#issuecomment-998927401
When conditions fail on a service unit, a path unit can cause
PID 1 to busy loop as it keeps trying to activate the service unit.
To avoid this from happening, add a trigger limit to the path unit,
identical to the trigger limit we have for socket units.
Initially, let's start with a high limit and not make it configurable.
If needed, we can add properties to configure the rate limit similar
to the ones we have for socket units.
On some runs `sleep infinity` run by the user manager uses over 3M of
memory, which is higher than the MemoryHigh= set on testbloat and
testmunch. If no pgscan is generated, then systemd-oomd sorts by memory
usage which leads to a situation where testchill (using 3M) could be
targeted over testbloat (1M-2M).
Fix this by setting reasonable MemoryHigh= values for all of these test
units. Even if somehow testchill throttles a bit at 3M, testbloat and
testmunch should still be trying to use over 100M at memory and will
throttle down to 5M and 6M with the new values. This should reflect
the desired state in pgscan and memory usage during the test run.
Fixes#21684
The openssl binary is an optional dependency.
If systemd has been built with OpenSSL support, we want to test its
OpenSSL functionality.
So record a failure message in /failed if the binary is missing.
See https://github.com/systemd/systemd/pull/21724#issuecomment-992707614
Otherwise we might miss the "Device path too long" message:
```
[ 21.083274] testsuite-64.sh[374]: swapoff /dev/vda1
[ 21.089841] testsuite-64.sh[376]: ++ mktemp
[ 21.095115] testsuite-64.sh[271]: + logfile=/tmp/tmp.a1MULA35wL
[ 21.095115] testsuite-64.sh[271]: + journalctl -b -q --no-pager -o short-monotonic -p info --grep 'Device path.*vda.?'\'' too long to fit into unit name'
...
[ 21.277360] systemd[1]: testsuite-64.service: Main process exited, code=exited, status=1/FAILURE
[ 21.277508] systemd[1]: testsuite-64.service: Failed with result 'exit-code'.
...
[ 21.323500] systemd[1]: Device path '/sys/devices/pci0000:00/0000:00:03.0/0000:01:00.0/0000:02:00.0/0000:03:00.0/0000:04:00.0/0000:05:00.0/0000:06:00.0/0000:07:00.0/0000:08:00.0/0000:09:00.0/0000:0a:00.0/0000:0b:00.0/0000:0c:00.0/0000:0d:00.0/0000:0e:00.0/0000:0f:00.0/0000:10:00.0/0000:11:00.0/0000:12:00.0/0000:13:00.0/0000:14:00.0/0000:15:00.0/0000:16:00.0/0000:17:00.0/0000:18:00.0/0000:19:00.0/0000:1a:00.0/virtio0/block/vda/vda1' too long to fit into unit name, ignoring device.
```
TEST-67-INTEGRITY times out quite often, and when it passes
it does so a few seconds short of the timeout. It's a slow
qemu test, so bump the timeout.
TEST-50-DISSECT has been reported to fail in the same way
on Debian's infrastructure, again narrowly failing or passing
just short of the timeout.
This fixes the following warning:
-----
In /github/workspace/test/units/testsuite-62.sh line 39:
KERNEL_MINOR="${KERNEL_VERSION#$KERNEL_MAJOR.}"
^-----------^ SC2295 (info): Expansions inside ${..} need to be quoted separately, otherwise they match as patterns.
Did you mean:
KERNEL_MINOR="${KERNEL_VERSION#"$KERNEL_MAJOR".}"
It picks the whole content of the directory by default, but we don't
want to install .gitattributes files. Add it to all invocations, not
just the ones on subdirs with .gitattributes, so that we don't regress
in the future.
Fixes#21715
People often assigns the MAC address of the enslaved interface to e.g.
bridge interface. So, the local assignment bit should not be adjusted.
Fixes#21649.
Writing a byte to test10.socket is actually the root cause of issue #19154:
depending on the timing, it's possible that PID1 closes the socket before socat
(or nc, it doesn't matter which tool is actually used) tries to write that one
byte to the socket. In this case writing to the socket returns EPIPE, which
causes socat to exit(1) and subsequently make the test fail.
Since we're only interested in connecting to the socket and triggering the rate
limit of the socket, this patch removes the parts that write the single byte to
the socket, which should remove the race for good.
Since it shouldn't matter whether the test uses socat or nc, let's switch back
to nc and hence remove the sole user of socat. The exit status of nc is however
ignored because some versions might choke when the socket is closed
unexpectedly.
This commit adds a function which converts a bus message containing the
environment variables to a JSON object and uses this function to support
JSON formatted output for the "systemctl show-environment" command.
Fixes#21348
By default checks PSI on /proc/pressure, and causes a unit to be skipped
if the threshold is above the given configuration for the avg300
measurement.
Also allow to pass a custom timespan, and a particular slice unit to
check under.
Fixes#20139
In order to avoid inflating the dependency list for the core
library, use dlopen when inspecting elfs, since it's only
used in two non-core executables.
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.
Make oomctl a bit less likely to race with systemd-oomd receiving the
managed oom cgroup info by checking oomctl output in a loop with
timeout.
Fixes#21146
The test was changed at @bluca 's request to avoid sleeps,
but the change insufficient to avoid all races.
The kill command is now run from the script itself to avoid using
ExecStartPost
All our D-Bus services support the LogControl1 API, but homed didn't so
far. Fix that, and make use of it in the test case, to make debugging it
easier.
Linux 5.15 broke kernel API:
e70344c059
Previously setting IOPRIO_CLASS_NONE for a process would then report
IOPRIO_CLASS_NONE back. But since 5.15 it reports IOPRIO_CLASS_BE
instead. Since IOPRIO_CLASS_NONE is an alias for a special setting of
IOPRIO_CLASS_BE this makes some sense, but it's also a kernel API
breakage that our testsuite trips up on.
(I made some minimal effort to inform the kernel people about this API
breakage during the 5.15 rc phase, but noone was interested.)
Either way let's hadle this gracefully in our test suite and accept
"best-effort" too when "none" was set.
(This is only triggable if the tests are run on 5.15 with full privs)
ASan is having a hard time to get its LD_PRELOAD= shenanigans straight
with all the shells flying around. Let's make it a bit easier by using
one of the nifty systemctl's features instead.
so we can run TEST-46 under sanitizers once again.
`systemd-homed` runs fsck on home directories, which reports a memory
leak we're not interested in. Let's introduce an LSan suppression file
to get around this. Since the patterns in the suppression file are
matched using basic substring match[0], they're a bit cumbersome, but
should get the work one.
[0] https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer#suppressions
Example leaks (as reported by TEST-46):
```
systemd-homed[1333]: =================================================================
systemd-homed[1333]: ==1333==ERROR: LeakSanitizer: detected memory leaks
systemd-homed[1333]: Direct leak of 24 byte(s) in 1 object(s) allocated from:
systemd-homed[1333]: #0 0x7f0c8facccd1 in calloc (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xf4cd1)
systemd-homed[1333]: #1 0x558d9494ff67 (/usr/bin/fsck+0x3f67)
systemd-homed[1333]: Direct leak of 6 byte(s) in 1 object(s) allocated from:
systemd-homed[1333]: #0 0x7f0c8fa906c1 in strdup (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xb86c1)
systemd-homed[1333]: #1 0x558d949518fd (/usr/bin/fsck+0x58fd)
systemd-homed[1333]: SUMMARY: AddressSanitizer: 30 byte(s) leaked in 2 allocation(s).
systemd-homed[1337]: ==1337==WARNING: Symbolizer was blocked from starting itself!
systemd-homed[1337]: =================================================================
systemd-homed[1337]: ==1337==ERROR: LeakSanitizer: detected memory leaks
systemd-homed[1337]: Direct leak of 67584 byte(s) in 1 object(s) allocated from:
systemd-homed[1337]: #0 0x7f01edb84b19 (/usr/lib/clang/12.0.1/lib/linux/libclang_rt.asan-x86_64.so+0xf4b19)
systemd-homed[1337]: #1 0x7f01e8326829 (/usr/bin/../lib/libLLVM-12.so+0xb46829)
systemd-homed[1337]: SUMMARY: AddressSanitizer: 67584 byte(s) leaked in 1 allocation(s).
```
With the suppression file:
```
systemd-homed[1339]: -----------------------------------------------------
systemd-homed[1339]: Suppressions used:
systemd-homed[1339]: count bytes template
systemd-homed[1339]: 2 30 /bin/fsck$
systemd-homed[1339]: -----------------------------------------------------
systemd-homed[1343]: ==1343==WARNING: Symbolizer was blocked from starting itself!
systemd-homed[1343]: -----------------------------------------------------
systemd-homed[1343]: Suppressions used:
systemd-homed[1343]: count bytes template
systemd-homed[1343]: 1 67584 /lib/libLLVM
systemd-homed[1343]: -----------------------------------------------------
```
This moves the backing store to a separate tmpfs which we can nicely put
a size limit on to make sure we can test maximization sanely: if we ask
for the home dir to be grown really large it should effectively only be
grown until the size of the backing tmpfs.
(While we are at it, also set a cheaper KDF so that we don't waste CI
cycles for password hashing that aren#t secure anyway.)
Since the GNU `diff` utility uses grep-style regular expressions[0], which
use the BRE style, we need to tweak the regex to make it work properly
(most notably - in BRE the meta characters need to be escaped).
```
$ diff a b
21c21
< Volume Key: 256bit
---
> Volume Key: 257bit
25c25
< Disk Ceiling: 323.2M
---
> Disk Ceiling: 323.1M
$ diff -I '^\s*Disk (Size|Free|Floor|Ceiling):' a b
21c21
< Volume Key: 256bit
---
> Volume Key: 257bit
25c25
< Disk Ceiling: 323.2M
---
> Disk Ceiling: 323.1M
$ diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\):' a b && echo OK
21c21
< Volume Key: 256bit
---
> Volume Key: 257bit
```
Caught in one of the nightly CentOS CI cron jobs.
[0] https://www.gnu.org/software/diffutils/manual/html_node/Specified-Lines.html
Forcing a specific fs for the image is usually a bad idea because the initrd
(borrowed from the host) is likely to include only support for the filesystem
used by the host's rootfs.
Since the point of this test is to check aliases on mount units, there's no
specific need for ext4, hence drop any parts that request or rely on ext4.
systemd-run --scope --user failed to run in system 249.6, cf. #21297. Add tests
for systemd-run --scope and systemd-run --scope --user to make sure this does
not regress again.
This introduces `ExitType=main|cgroup` for services.
Similar to how `Type` specifies the launch of a service, `ExitType` is
concerned with how systemd determines that a service exited.
- If set to `main` (the current behavior), the service manager will consider
the unit stopped when the main process exits.
- The `cgroup` exit type is meant for applications whose forking model is not
known ahead of time and which might not have a specific main process.
The service will stay running as long as at least one process in the cgroup
is running. This is intended for transient or automatically generated
services, such as graphical applications inside of a desktop environment.
Motivation for this is #16805. The original PR (#18782) was reverted (#20073)
after realizing that the exit status of "the last process in the cgroup" can't
reliably be known (#19385)
This version instead uses the main process exit status if there is one and just
listens to the cgroup empty event otherwise.
The advantages of a service with `ExitType=cgroup` over scopes are:
- Integrated logging / stdout redirection
- Avoids the race / synchronisation issue between launch and scope creation
- More extensive use of drop-ins and thus distro-level configuration:
by moving from scopes to services we can have drop ins that will affect
properties that can only be set during service creation,
like `OOMPolicy` and security-related properties
- It makes systemd-xdg-autostart-generator usable by fixing [1], as obviously
only services can be used in the generator, not scopes.
[1] https://bugs.kde.org/show_bug.cgi?id=433299
The new lvm autoactivation method runs `vgchange` via
`systemd-run --no-block`[0], which means that checking if the unit
is in the `active` state is not enough, since the main binary might
still be running. Let's fix this by waiting until the unit reaches
the `exited` sub state.
Follow-up to:
* 29f8bef05e
* e50d743f99
[0] https://sourceware.org/git/?p=lvm2.git;a=blob;f=udev/69-dm-lvm.rules.in;h=39e5b98074010745f78a7a86a05929700c9cd690;hb=67722b312390cdab29c076c912e14bd739c5c0f6#l83
Example:
```
[ 17.102002] systemd-udevd[282]: sdf: '/usr/bin/systemd-run -r --no-block --property DefaultDependencies=no --unit lvm-activate-iscsi_lvm2212 /usr/bin/lvm vgchange -aay --nohints iscsi_lvm2212'(err) 'Running as unit: lvm-activate-iscsi_>
[ 17.102522] systemd-udevd[282]: sdf: Process '/usr/bin/systemd-run -r --no-block --property DefaultDependencies=no --unit lvm-activate-iscsi_lvm2212 /usr/bin/lvm vgchange -aay --nohints iscsi_lvm2212' succeeded.
[ 17.102697] systemd-udevd[282]: sdf: Adding watch on '/dev/sdf'
[ 17.104944] systemd[1]: lvm-activate-iscsi_lvm2212.service: Changed dead -> running
...
[ 17.105434] systemd[1]: Started /usr/bin/lvm vgchange -aay --nohints iscsi_lvm2212.
[ 17.105601] systemd[931]: lvm-activate-iscsi_lvm2212.service: Executing: /usr/bin/lvm vgchange -aay --nohints iscsi_lvm2212
...
[ 17.420228] testsuite-64.sh[268]: + systemctl -q is-active lvm-activate-iscsi_lvm2212.service
[ 17.420228] testsuite-64.sh[268]: + return 0
[ 17.420228] testsuite-64.sh[268]: + test -e /dev/disk/by-path/ip-127.0.0.1:3260-iscsi-iqn.2021-09.com.example:iscsi.lvm.test-lun-4
[ 17.420228] testsuite-64.sh[268]: + udevadm settle
[ 17.420228] testsuite-64.sh[268]: + test -e /dev/iscsi_lvm2212/mypart1
...
[ 17.451313] systemd[1]: testsuite-64.service: Main process exited, code=exited, status=1/FAILURE
[ 17.451475] systemd[1]: testsuite-64.service: Failed with result 'exit-code'.
...
[ 17.555759] systemd[1]: Starting End the test...
[ 17.556972] sh[941]: + systemctl poweroff --no-block
...
[ 17.688923] lvm[931]: 2 logical volume(s) in volume group "iscsi_lvm2212" now active
...
[ 17.838484] systemd[1]: lvm-activate-iscsi_lvm2212.service: Child 931 belongs to lvm-activate-iscsi_lvm2212.service.
[ 17.838718] systemd[1]: lvm-activate-iscsi_lvm2212.service: Main process exited, code=exited, status=0/SUCCESS (success)
```
In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.
Alternative to https://github.com/systemd/systemd/pull/20531.
Whenever a service triggered by another unit fails condition checks,
stop the triggering unit to prevent systemd busy looping trying to
start the triggered unit.
This test makes assumptions on the availability of some mappings contained in
kbd-model-map and therefore strongly relies on the version shipped by
upstream. IOW the test is likely to fail if it's installed on a system with a
more comprehensive kbd-model-map.
This patch makes the upstream kbd-model-map file available via a symlink in
test/testdata/test-keymap-util dir and makes sure that this specific version is
always used by test-keymap-util regardless of whether the test is installed and
run on a different system or directly run (optionally via meson) from the
project working dir.
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.
An example (simplified, but real) use case:
foo.service:
StateDirectory=foo
bar.service:
StateDirectory=bar
foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo
bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar
foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.
To keep backward compatibility, new DBUS messages are added.
The /var/lib/private/foo -> /var/lib/foo symlink for StateDirectory and
DynamicUser is set up on the host filesystem, before the mount namespacing
is brought up. If an empty /var/lib is used, to ensure the service does not
see other services data, the symlink is then not available despite
/var/lib/private being set up as expected.
Make a list of symlinks that need to be set up, and create them after all
the namespaced filesystems have been created, but before any eventual
read-only switch is flipped.
Previously, the prefix delegation is enabled when at least one
downstream interfaces request it. But, when the DHCPv6 client on the
upstream interface is configured, some downstream interfaces may not
exist yet, nor have .network file assigned.
Also, if a system has thousands of interfaces, then the previous logic
introduce O(n^2) search.
This makes the prefix delegation is always enabled, except when it is
explicitly disabled. Hopefully, that should not break anything, as the
DHCPv6 server should ignore the prefix delegation request if the server
do not have any prefix to delegate.
Collecting coverage causes a significant slowdown in general, but since
this test requires certain timing, we need to tweak the defaults to make
it reliably pass.
Depending on the location of the original build dir, either ProtectHome=
or ProtectSystem= may get in the way when creating the gcov metadata
files.
Follow-up to:
* 02d7e73013
* 6c9efba677
Otherwise we miss quite a lot of coverage (mainly from logind,
hostnamed, networkd, and possibly others), since they can't write their
reports with `ProtectSystem=strict`.
With `ProtectSystem=strict` gcov is unable to write the *.gcda files
with collected coverage. Let's add a yet another switch to make such
restriction less strict to make gcov happy.
This addresses following errors:
```
...
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/binfmt-util.c.gcda:Cannot open
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/base-filesystem.c.gcda:Cannot open
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/barrier.c.gcda:Cannot open
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/ask-password-api.c.gcda:Cannot open
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/apparmor-util.c.gcda:Cannot open
systemd-networkd[272469]: profiling:/systemd-meson-build/src/shared/libsystemd-shared-249.a.p/acpi-fpdt.c.gcda:Cannot open
...
```
When playing around with the coverage-enabled build I kept hitting
an issue where dnsmasq failed to start because the previous instance was
still shutting down. This should, hopefully, help to mitigate that.
I want to mark some files to be ignored for licensing purposes,
e.g. output from fuzzers and other samples. By using the gitattribute
machinery for this we don't need to design a custom protocol:
$ git check-attr generated test/test-sysusers/unhappy-*
test/test-sysusers/unhappy-1.expected-err: generated: set
test/test-sysusers/unhappy-1.input: generated: unspecified
test/test-sysusers/unhappy-2.expected-err: generated: set
test/test-sysusers/unhappy-2.input: generated: unspecified
test/test-sysusers/unhappy-3.expected-err: generated: set
test/test-sysusers/unhappy-3.input: generated: unspecified
