mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-08 05:57:26 +03:00

63131 Commits

Author SHA1 Message Date
Martin Wilck
6d5eba0814 units: modprobe@.service: don't unescape instance name
modprobe treats "-" and "_" interchangeably, thereby avoiding frequent
errors because some module names contain dashes and others underscores.

Because modprobe@.service unescapes the instance name, an attempt to
start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt",
which is doomed to fail. "modprobe@dm_crypt.service" will work as
expected. Thus unescaping the instance name has surprising side effects.
Use "%i" instead.

(cherry picked from commit bf25cf6c49253e922524dfa0e7960f554838f18b)
(cherry picked from commit c98d0130dc8efd826cd85020337353cdbe644bb4)
2023-11-09 21:05:51 +00:00
Franck Bui
0a48f8ac7b test: install af_packet kernel module on openSUSE
Currently needed by test-dhcp-server unit test, af_packet is not built-in on
openSUSE distributions.

(cherry picked from commit a1af99df8e29ffb55b0c698eeda2c9bf795fc0e1)
(cherry picked from commit db2193609e554732c0288ccf27d5e58083f9219c)
2023-11-09 21:05:51 +00:00
Yu Watanabe
be72aa0bf2 fuzz: include library headers first
(cherry picked from commit f3d84e20c9f1d8892f4f8d336041cacf0b6936c7)
(cherry picked from commit 2fedbd12768f32a5b081258fbeb00003b02edd42)
2023-11-09 21:05:51 +00:00
Joerg Behrmann
e31805d26a credentials: document that their path is stable for system services
(cherry picked from commit cf37171890bdaec1dc0cd56828047f4eb899fc3a)
(cherry picked from commit 823216d61f6291d7fc13c271bfda368513440a4c)
2023-11-09 21:05:51 +00:00
Lennart Poettering
b5e10fd566 man: document the order in which we talk to DNS servers
(cherry picked from commit 612a91c11ae2c3183cb27fa0841a997eefb71fbb)
(cherry picked from commit 259a6a3f51f425c08688c56c2cf23d37bb0aa2df)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
e483b89165 test-recurse-dir: work around nftw() ignoring symlinks()
We have a test where we compare the results from nftw() and our own
recurse_dir_at(). nftw() skips a dangling symlink when running under mkosi and
the test fails. I don't understand why nftw() does that, but in our code we
don't need to test and care about the details of nftw(), which we don't use,
outside of the one test, so let's just skip symlinks in the test.

Closes #29603.

(cherry picked from commit 974959e6f6352b76355b76ab550c0e729b2a8c21)
(cherry picked from commit 7db0b4c8df422fafa245f7ab0833b0ec764174ad)
2023-11-09 21:05:51 +00:00
Lennart Poettering
45931776bf test-cgroup: make test case a bit more robust towards previous aborted runs
(cherry picked from commit d0547385d9da980ca752e1f5df959280a053fdb4)
(cherry picked from commit bcc8f8a96431ef51591a08f78d4e2b365241c36a)
2023-11-09 21:05:51 +00:00
Lennart Poettering
4cf18fce15 run: pin the unit we invoke continuously while we are running
We read properties of the unit, hence it shouldn't be GC'ed as long as
we run. Hence, let's just set AddRef unconditionally for the units we
create.

(cherry picked from commit 49a510eba29c78f4b7dc1c39391314a48eb8833b)
(cherry picked from commit 8326f9e378333ae01f686086bb1fd4d300d7c99b)
2023-11-09 21:05:51 +00:00
Priit Laes
3ac8834559 systemd-journal-upload: Increase failure tolerance (#19426, #2877)
As systemd-journal-upload deals mostly with remote servers, add
some failsafes to its unit to restart on failures.

```
[Service]
Restart=on-failure
RestartSteps=10
RestartMaxDelaySec=60
```

(cherry picked from commit c08bec1587e102dd0435969e422288d69431e92c)
(cherry picked from commit fe0bf9f61913d70739359268134cbd10e375fe93)
2023-11-09 21:05:51 +00:00
Yu Watanabe
9033f481f2 network: do not trigger assertion by forcerenew command
When DHCP server is not running, sending force-renew command triggers
assertion.

(cherry picked from commit d311f5e277ae3609e661415b6c429fe3cd25e40b)
(cherry picked from commit 2cd9de1bbd76fc8a4f8cc0b10ea7cbb78fe0db1d)
2023-11-09 21:05:51 +00:00
Yu Watanabe
1da2d9301c sd-dhcp-server: make sd_dhcp_server_is_running() silently work with NULL
We already do in the same way for sd-dhcp-client and friends.

(cherry picked from commit 39ba10f19e7d384ad48aaad9ff6c0b3c3e6bbef1)
(cherry picked from commit a7117e29f59fa6a81eb7025ec446b95c6b35f91a)
2023-11-09 21:05:51 +00:00
Yu Watanabe
073d2db589 network: restart dhcp4 client when renewing lease is requested but the client is stopped
Follow-up for fc35a9f8d1632c4e7a279228f869bfc77d8f5b9c.

Fixes the issue https://github.com/systemd/systemd/pull/29472#issuecomment-1759092138.

(cherry picked from commit 9bd91e34aaf7c759617d4763853e55f419c06ffe)
(cherry picked from commit f453cbc5162eca42c415b8dc2325a7d734aca3e5)
2023-11-09 21:05:51 +00:00
Yu Watanabe
ca1a43c56b core/execute: suppress logs if LogLevelMax= is specified
Fixes #29532.

(cherry picked from commit 3bb424c837eca2d8041f9e000a268a6a2b582981)
(cherry picked from commit 053e120636f031e0b7d185b4136ad3e10c13d8de)
2023-11-09 21:05:51 +00:00
Lennart Poettering
f7022ac612 bpf-lsm: suppress noisy debug log message if we remove a unit from the bpf-lsm table where it was never added
There's really no point in logging about one of the most common cases we
have: that no BPF-LSM policy was installed for a specific unit.

(cherry picked from commit 58f1bd9b4ab889d0378a236d759649d4b45395f9)
(cherry picked from commit 86a85cb2b56f582c3a1e09d17a7f544bad0c23a7)
2023-11-09 21:05:51 +00:00
Lennart Poettering
062e3032e2 fdset: improve debug logging for left-over fds
Let's show which fds are closed as part of the left-over fd set logic on
daemon reload/reexec cycles.

This is useful to debug accidentally unclaimed fds.

(cherry picked from commit 91a6447607635802ac2278b7997cde687e2549a4)
(cherry picked from commit b4cdf320554f122700e9d12c81dccf2c7565860b)
2023-11-09 21:05:51 +00:00
Lennart Poettering
44e3e23013 limits-util: suppress noisy debug message when reading tasks in top-level cgroup
We have the "tasks.max" cgroup attribute only if we run in a cgroup
namespace, but not on the host. Hence let's handle ENODATA silently
simply to reduce the debug noise generated.

(cherry picked from commit bde7e12255a82f9b714fb3e44c291a79f7647cc9)
(cherry picked from commit d3a5c9f0bc030d8ba0ef8abb190afacb9cd06682)
2023-11-09 21:05:51 +00:00
Roland Hieber
5cacdfdb20 sd-gpt: add defines for big-endian MIPS/MIPS64
According to the respective change in the DPS:
<https://github.com/uapi-group/specifications/pull/86>

Signed-off-by: Roland Hieber <rhi@pengutronix.de>
(cherry picked from commit 7c6dd200468f88c189d042c7ee25547032e296cd)
(cherry picked from commit 9f415a6347f6dbe725da5ef632b33e422a2845e8)
2023-11-09 21:05:51 +00:00
Lennart Poettering
50e8f0efc9 dissect: don't show non-JSON arch + sector size in JSON mode
(cherry picked from commit 66cd3537f9c27818993de4cd9360283cbdb8293c)
(cherry picked from commit 8cd7bdadc89c8c7c5e86a5482694a3075860e6f3)
2023-11-09 21:05:51 +00:00
Luca Boccassi
39a3d759a8 dissect: avoid clobbering device-mapper error when activating verity
The device-mapper driver can return a wild variety of errors when trying
to activate the same dm-verity volume concurrently, as it might happen
with an image. There is a fallback logic in place, but the original
return code was clobbered when userspace signature check was added.
Add it back.

Follow-up for c2fa92e7e8907d9

(cherry picked from commit ace07128ac014d5e7d7d1664beb58e5f3700d59c)
(cherry picked from commit c2155c19c06dfe5dd086f7b62c30762e3e5aad92)
2023-11-09 21:05:51 +00:00
Yu Watanabe
f1bf7d766c tree-wide: add missing sigbus handling
(cherry picked from commit 955fc5d8ab153ce144d05f0e98120eb9c14bc86c)
(cherry picked from commit 318441e342870c57ec8173532d6781579f99a76a)
2023-11-09 21:05:51 +00:00
Luca Boccassi
a9f38811bb core: improve debug logs when failing to create symlinks in namespaces
I am seeing some failures and I don't know what is failing and why even
with debug logs, so add more details

(cherry picked from commit 15461b7f19272d39e59e4c6d87dfe9d48f4d1f99)
(cherry picked from commit 31f64d0bc81d5e40a03478206c7d805ce8595366)
2023-11-09 21:05:51 +00:00
Yu Watanabe
ec9a8acd8e fuzz: suppress log messages
(cherry picked from commit 042c91459aa234c9ce3b3ece0fdad8ba568018f2)
(cherry picked from commit 51bbd1e6bad8857d549092d9afb69e9585bd1c7c)
2023-11-09 21:05:51 +00:00
felixdoerre
e140c1d10b journalctl: verify that old entries are not sealed with too recent key (#28885)
When verifying seals produced with forward secure sealing, the verification
currently does not check that old entries are only sealed with the key for
their epoch and not a more recent one. This missing check allows an attacker
to remove seals, and create new ones with the currently available key, and
verify will claim everything is in order, although all entries could have
been modified.

This resolves CVE-2023-31439.

Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
2023-11-09 21:05:51 +00:00
Lennart Poettering
282e359e73 machinectl: align UID shift status field properly
(cherry picked from commit 3fe418a5713798112d19bfd689d33e39c60de927)
(cherry picked from commit 4252deebe741b6f5bb15f325e511bdeb351e2f71)
2023-11-09 21:05:51 +00:00
Mike Yuan
c145e530c0 systemctl-show: align "Cntrl PID" correctly
(cherry picked from commit 4146960ee95462dc98722e00041b2e77316e6036)
(cherry picked from commit ef816a5a4fe5530bab0f5e8420aa2a6180d445f5)
2023-11-09 21:05:51 +00:00
Daan De Meyer
61c5e3715d repart: Mention that xattrs are not copied when populating XFS with protofile
(cherry picked from commit 0e70150be31dbd748c7d2c66b2098998cea66c53)
(cherry picked from commit 8998892badd1d96cba2d52d8b5f87564b2d37ce0)
2023-11-09 21:05:51 +00:00
Emil Velikov
15ff497a72 bootctl: remove all our non-volatile variables on uninstall
Grepping around showed a few extra entries that are not listed in the
remove_loader_variables() function. Namely:
 - BootNext
 - OsIndications
 - LoaderConfigConsoleMode
 - LoaderEntryLastBooted

Of which the latter two are systemd specific, even though they are
undocumented. Ensure they're removed - follow-up commits will add
documentation references.

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
(cherry picked from commit 976904bf26957e75dbed467334592badf108beee)
(cherry picked from commit c6540a35ab6913ccdc57720d2a9d4e3d86e9178e)
2023-11-09 21:05:51 +00:00
Emil Velikov
9163d0a4e7 sd-boot: introduce and use efivar_unset()
Currently some of the code base check for the variable presence before
removing it, and some do not.

More so, in all cases (being updated) we're dealing with non-volatile
variables where changing those attribute to NVRAM wear out.

From what information I could find, there is no definitive answer if the
UEFI implementation will write to the NVRAM even when the variable is
missing.

So add a simple helper that checks for the variable presence before
removing it. While also having a bit cleaner API than the current
efivar_set(..., NULL, ...);

efivar_unset() follows the design from efivar_set*() where it returns an
EFI_STATUS even though it's (presently) unused.

v2:
 - add inline comment, use early return

v3:
 - typos? typos!

Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
(cherry picked from commit 5ee3c914a4e904567e66654177b07777dde0d100)
(cherry picked from commit 917569e3c1e1361d2c7bac584b99e075a4cb0b0d)
2023-11-09 21:05:51 +00:00
Mike Yuan
a8b7bf4e3d man/systemd.exec: document that API fs are required to setup namespacing
Closes #27997

(cherry picked from commit 723c3cd03ce38235df948147150054ce95cb41df)
(cherry picked from commit c371368887611016f9171148f1b0c0b4fc582122)
2023-11-09 21:05:51 +00:00
Mike Yuan
e378c3360a man/systemd.exec: suffix one more directory with /
(cherry picked from commit 6460a89a1be7c11bc7b66a134701a07773869849)
(cherry picked from commit 188f7c043a077a7a01a7bc7bcb0bc34ffe89bfc8)
2023-11-09 21:05:51 +00:00
NRK
2b408a6220 macro: use __builtin_unreachable on NDEBUG
note that this slightly changes the semantic of assert when NDEBUG is
defined. if there's an extern function call (without attribute pure or
similar) then the compiler has to assume it has side effects and still
emit the function call.

whereas the old assert guaranteed that nothing will be evaluated on
NDEBUG.

Closes: https://github.com/systemd/systemd/issues/29408
(cherry picked from commit be1666886b3f4355ab33f571187e3de8aae3ad40)
(cherry picked from commit a9b83fc26ccdb6ef83c8eb2b505ee4c25a320276)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
e1baefbb1f test-loopback: suppress warning about ignored unused result
(cherry picked from commit db5d86f5b9fd86231e841df5dc8d0fd993e00761)
(cherry picked from commit accda51ef6ffaee074662df5b28014c9babae543)
2023-11-09 21:05:51 +00:00
Yu Watanabe
ee58332333 man: update the list of ignored options by Anonymize=yes
Closes #29362.

(cherry picked from commit fcf17d693c063733addad26115271baf4b433857)
(cherry picked from commit 065725aba3d7931c7c262716ee716b7631c2dabd)
2023-11-09 21:05:51 +00:00
Max Kellermann
227dc1149a test/test-chown-rec: skip ACL tests if kernel has no ACL support
The second half of `chown_recursive` works only if the kernel has ACL support.

(cherry picked from commit ec757e920c9f57a89a4378c10cd96264b058f418)
(cherry picked from commit 756a42cd1ea7d66d93337791fbe03e0f648bfb36)
2023-11-09 21:05:51 +00:00
Luca Boccassi
5b900490f9 test: fix check in test unit in TEST-50-DISSECT
'[[ not found'

(cherry picked from commit c7986bc9b64e095399c3e380441b4de26d1276a1)
(cherry picked from commit 52d4f5ec539c746c9a61a3bb4607f965a36675fe)
2023-11-09 21:05:51 +00:00
Daan De Meyer
f6732ab3d9 mount: Log when we can't create the mount point
Debugging mount unit failures caused by systemd not being able to
create the mount point is currently rather hard. Let's log about
failures to create mount points to simplify debugging.

(cherry picked from commit ce427d0e73667e1b125c82c5c77f98dd9fbe561d)
(cherry picked from commit 915f25da9ebbe93d9768eca3b82897bb9fddc42b)
2023-11-09 21:05:51 +00:00
Maanya Goenka
3f5729a51a fix: do not check/verify slice units if recursive errors are to be ignored
Before this fix, when recursive-errors was set to 'no' during a systemd-analyze
verification, the parent slice was checked regardless. The 'no' setting means that,
only the specified unit should be looked at and verified and errors in the slices should be
ignored. This commit fixes that issue.

Example:

Say we have a sample.service file:

[Unit]
Description=Sample Service

[Service]
ExecStart=/bin/echo "a"
Slice=support.slice

Before Change:

systemd-analyze verify --recursive-errors=no maanya/sample.service
Assertion 'u' failed at src/core/unit.c:153, function unit_has_name(). Aborting.
Aborted (core dumped)

After Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
{No errors}

(cherry picked from commit f660c7fa56b247c278fdb2ebcfea37912f249524)
(cherry picked from commit e48c57c5c2f6af3601f6e0f66d77e548efe14f93)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
6064d89dc6 exec-util: print executed commands in do_execute()
kernel-install uses do_execute(). We would log whenever a spawned child
finished, but we would not log anything when the child is launched. When the
children log output without a prefix (as the kernel-install plugins do), it
is hard to see where that output is coming from.

(cherry picked from commit 9ec4f7c7a4f4d56de6d00adbfe5d316edd0ec314)
(cherry picked from commit da0536a111605666b3ef165d494d5bacb262076b)
2023-11-09 21:05:51 +00:00
Lennart Poettering
6218be1a7f bootctl: highlight SecureBoot enabled state in green
(cherry picked from commit 4ed9e2619c630679b2fac1fc0eb4ab4b55f02871)
(cherry picked from commit 97712df9c8b69e0bde261096b0540a063490efbe)
2023-11-09 21:05:51 +00:00
Lennart Poettering
a4d0fe64fa bootctl: if we can't access the ESP, show this in regular status output
(cherry picked from commit a730a8f608a3a8dbef4ce1a6e939ced47c63063c)
(cherry picked from commit 50df52593c151b015a4b65989e4d5f3d4b28b00a)
2023-11-09 21:05:51 +00:00
Mike Yuan
964b43566c systemctl: reflect that statically enabled units can be in .upholds/
Follow-up for 38f901791f3c4b1cbd04b71323bbef2fdab65f83

(cherry picked from commit 1f998158a988fcf4cd182d9de27e1d8b16cfe474)
(cherry picked from commit 839117de6c93fcdac201f38e84c0cc1a4b2db638)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
522ebdcfd4 man/crypttab: fix indentation
(cherry picked from commit 5f5f1ba169b12cb342fb939a02bd8336eb9be69e)
(cherry picked from commit e78fdc8ae99a4e2e0f0ee040c4ae7969d46671ec)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
bf19ea3fb9 man/cryptenroll: link to crypttab(5) for examples
I was missing an example of how to use cryptenroll. We have that, but in
another page. Instead of repeating, let's just direct the user to the right
place.

Also, reformat synopsis to the "official" non-nested syntax.

(cherry picked from commit 38e3c61dbb1ad69e7df910d07fa8b47f3d97f660)
(cherry picked from commit ddfbdad6bbbad1b92f8cad64582edba93bfd3221)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
109168ee2d basic/path-util: change 'char *func' to 'char* func'
Both styles were mixed in the file, but I find the latter much nicer,
because it's not the func that is the pointer, but the return type.

(cherry picked from commit 00d811a5482fda1a6c2b9362d047da2dcd1d7418)
(cherry picked from commit 3fec10d500a48aefc88beaa02ea6e623641125b5)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
3cbdcfda5f basic/path-util: do not say that /dev and /sys are device paths
"/dev" or "/dev/" is the mount point, not a device path. In particular,
'systemctl status /dev' clearly does not refer to a device, so let's tweak
the code a bit to say that those are not device paths.

(Treating "/../dev" same as "/dev" would also be reasonable, but that
requires chase(), which requires disk access, which we don't want to do from
this lightweight function.)

(cherry picked from commit 8f1998b8d3a5bfe61ee4d6d6aa6bb2efb94074c0)
(cherry picked from commit fc13a268128c25e9da18f7dd11c5b524cc8ae1c2)
2023-11-09 21:05:51 +00:00
Zbigniew Jędrzejewski-Szmek
7cf55c8424 test-path-util: add simple test for is_path() and is_device_path()
I think that those functions should be adjusted, but let's first add a test to
establish current behaviour.

(cherry picked from commit bf9a49a5534316353b9fdda1c40026781bc6bda8)
(cherry picked from commit 1025ef21a2aae52ff9a71547f8faa728e0477557)
2023-11-09 21:05:51 +00:00
Yu Watanabe
10397b6487 network: fix json format for SIP servers
Fixes a bug introduced by 0843ec6c44c7b41b14f6f32d3ee7039e5e615296.

Fixes https://github.com/systemd/systemd/issues/29145.

(In upstream, the issue is fixed by 8d3c5b39b9bbc89953d1da3e9fbff1524c952ac6).
2023-10-04 09:50:16 +01:00
Zbigniew Jędrzejewski-Szmek
1575f1d9e7 shared/creds-util: return 0 for missing creds in read_credential_strings_many
Realistically, the only thing that the caller can do is ignore failures related
to missing credentials. If the caller requires some credentials to be present,
they should just check which output variables are not NULL. One of the callers
was already doing that, and the other wanted to, but missed -ENOENT. By
suppressing -ENOENT and -ENXIO, both callers are simplified.

Fixes a warning at boot:
systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory

(cherry picked from commit 55ace8e5c58441d1a2c64b297a38b232ef0c0e28)
2023-10-03 13:33:09 +02:00
Zbigniew Jędrzejewski-Szmek
f9593abaf4 hwdb: update to git main from today
(cherry picked from commit ef6c2daf9947d23e2ba6d50c42e4a0d79fe8d32c)
v253.12
2023-09-28 14:40:43 +01:00
Daan De Meyer
ce0e97e3a8 journal: Stop trying to open runtime journal once flushed
Once we've flushed the runtime journal to /var, stop trying to open
it since that will just fail with ENOENT all the time.

(cherry picked from commit 418a4987775280adef4e6ac4e474937ea89f0f5c)
(cherry picked from commit 01469405c7b9ef175a16c89c4a518798d2c8f65d)
2023-09-28 14:40:43 +01:00