IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It looks like zero'ing the struct is not enough, and with some level
of optimizations there is still non-zero padding left over.
Switch to member-by-member initialization. Also convert all remaining
bpf_attr variables in other files.
(cherry picked from commit 9ca600e2bfacc52a65c89f3485723b2c27394e55)
(cherry picked from commit 95ee2c6b481b7a1f953cb720c35df568b7a6cb70)
(apparently overlayfs has issues with xattrs, hence don't require that
/usr supports xattrs)
(cherry picked from commit 84319c5c07e7283f31930c799dfd948d251d9b73)
(cherry picked from commit 3dcf950663f906db8a9baa465bd2ac384e832a46)
When building with Clang and using structured initialization, the
bpf_attr union is not zero-padded, so the kernel misdetects it as
an unsupported extension.
zero it until Clang's behaviour matches GCC. Do not skip the test
on Github Actions anymore.
(cherry picked from commit 28abf5ad3483a417d3d4de561533d282493a7f2a)
(cherry picked from commit 94bb28590b21f37bcd9b831029af05a8a78f49ef)
unset-environment is completed with variable names in the environment block.
set-environment the same, but suffixed with "=".
import-environment is completed with variable names in the client environment.
(cherry picked from commit 341992081b6ece1adba270e239f96c9840884885)
(cherry picked from commit 6db2ae66185d8feffe5a19841cff64835afae136)
I mean, the old code at least used O_PATH, but still, we shouldn't
allocate/close an fd if we don't have to.
(cherry picked from commit 15308e5083391f6a1b9ce25c5b7323f37544eab8)
(cherry picked from commit a2f0da2de006c74bca64b3ce5b023e99bcca4498)
commit 15d7ab87c4e5917f5788f1f8dce327a1e272bea3 introduced the
change to add an 'alias' state, but it was wired to systemctl
only when running in 'client-side' mode. Return success as
expected and documented also when running in 'server-mode'.
Fixes https://github.com/systemd/systemd/issues/18134
(cherry picked from commit bf3b428f73eb51f4abb64a80ea5be346b9eeb2fe)
(cherry picked from commit 7c63e5ed58fc5d0cf2653e614fee2765b495085a)
Explicitly document the behavior introduced in #7437: when picking a new
UID shift base with "-U", a hash of the machine name will be tried
before falling back to fully random UID base candidates.
(cherry picked from commit 68709a636c838e0754b49caa6ff2d4168e3c99c8)
(cherry picked from commit 4032a1358897ecaf4e485399b03c6186fb2c90e9)
This explicitly documents the default `UTC` timezone which is used
by systemd and (other softwares) when `/etc/localtime` is not present.
Ref: https://github.com/systemd/systemd/blob/v247/src/basic/time-util.c#L1460-L1469
(cherry picked from commit 3d909037e3bb86bb14ceef98325b2759b938a4b3)
(cherry picked from commit a580023f1da331bd454ea72cad146215b255e0d0)
`AllowedIPs=` only affects "routing inside the network interface
itself", as in, which wireguard peer packets with a specific destination
address are sent to, and what source addresses are accepted from which
peer.
To cause packets to be sent via wireguard in first place, a route via
that interface needs to be added - either in the `[Routes]` section on
the `.network` matching the wireguard interface, or outside of networkd.
This is a common cause of misunderstanding, because tools like wg-quick
also add routes to the interface. However, those tools are meant as a
"extremely simple script for easily bringing up a WireGuard interface,
suitable for a few common use cases (from their manpage).
Networkd also should support other usecases - like setting AllowedIPs to
0.0.0.0/0 and ::/0 and having a dynamic routing protocol setting more
specific routes (or the user manually setting them).
Reported-In: https://github.com/systemd/systemd/issues/14176
(cherry picked from commit c6b90e5c5e54e98b6aed38677f77d8491f2e49c8)
(cherry picked from commit 14475e0e793be33bfad371c6d3545c7448f78730)
Upgrading to qemu 5.2 breaks TEST-36-NUMAPOLICY like:
qemu-system-x86_64: total memory for NUMA nodes (0x0) should
equal RAM size (0x20000000)
Use the new (as in >=2014) form of memdev in test 36:
-object memory-backend-ram,id=mem0,size=512M -numa node,memdev=mem0,nodeid=0
Since some target systems are as old as qemu 1.5.3 (CentOS7) but the new
kind to specify was added in qemu 2.1 this needs to add version parsing and
add the argument only when qemu is >=5.2.
Fixes#17986.
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
(cherry picked from commit 43b49470d1f2808555c07f64cd0a1529b7ddd559)
(cherry picked from commit b7171ae4bdb5c827c1ab0c97934b75f3169af8bb)
Previously, we'd already have explicit logging for the case where
$XDG_RUNTIME_DIR is not set. Let's also add some explicit logging for
the EPERM/ACCESS case. Let's also in both cases suggest the
--machine=<user>@.host syntax.
And while we are at it, let's remove side-effects from the macro.
By checking for both the EPERM/EACCES case and the $XDG_RUNTIME_DIR case
we will now catch both the cases where people use "su" to issue a
"systemctl --user" operation, and those where they (more correctly, but
still not good enough) call "su -".
Fixes: #17901
(cherry picked from commit 1ecb46724cae151606bc825f0e39f14d4dfe1a0e)
(cherry picked from commit 36bc4a18fd8117cab0d4ff02eac89579a86cd399)
So far when asked for augmented bus credentials and the process was
already gone we'd fail fatally. Let's make this graceful instead, and
never allow augmenting fail due to PID having vanished — unless the
augmenting is the explicit and only purpose of the requested operation.
This should be safe as clients have to explicitly query the acquired
creds anyway and handle if they couldn't be acquired. Moreover we
already handle permission problems gracefully, thus clients must be
ready to deal with missing creds.
This is useful to make selinux authorization work for short-lived client
proceses. PReviously we'd augment creds to have more info to log about
(the selinux decision would not be based on augmented data however,
because that'd be unsafe), and would fail if we couldn't get it. Now,
we'll try to acquire the data, but if we cannot acquire it, we'll still
do the selinux check, except that logging will be more limited.
(cherry picked from commit f8ecc2c00df7bd810557f3056ec12f6a0730812d)
(cherry picked from commit a1b1ef65a4371e8aec4b0df1326e4cb5de005e80)
For unknown reasons, sd-bus has trouble connecting to the filtered
D-Bus system proxy exported by Flatpak and the connection to the
bus is closed during authentication. Don't mistake this for a remote
error - that was causing a hard "not found" failure rather than a fallback.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1912131 for background.
This commit adds support for disabling the read and write
workqueues with the new crypttab options no-read-workqueue
and no-write-workqueue. These correspond to the cryptsetup
options --perf-no_read_workqueue and --perf-no_write_workqueue
respectively.
(cherry picked from commit 227acf0009bde2cd7f8bc371615b05e84137847d)
There are two ways in swich sd_login_* functions acquire data:
some are derived from the cgroup path, but others use the data serialized
by logind.
When the tests are executed under Fedora's mock, without systemd-spawn
but instead in a traditional chroot, test-login gets confused:
the "outside" cgroup path is visible, so sd_pid_get_unit() and
sd_pid_get_session() work, but sd_session_is_active() and other functions
that need logind data fail.
Such a buildroot setup is fairly bad, but it can be encountered in the wild, so
let's just skip the tests in that case.
/* Information printed is from the live system */
sd_pid_get_unit(0, …) → "session-237.scope"
sd_pid_get_user_unit(0, …) → "n/a"
sd_pid_get_slice(0, …) → "user-1000.slice"
sd_pid_get_session(0, …) → "237"
sd_pid_get_owner_uid(0, …) → 1000
sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope"
sd_uid_get_display(1000, …) → "(null)"
sd_uid_get_sessions(1000, …) → [0] ""
sd_uid_get_seats(1000, …) → [0] ""
Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting.
(cherry picked from commit ac5644635dba54ce5eb0ff394fc0bc772a984849)
(based on 4275f1c95e730ca9422463be29747ad4b6b1fb91)
Follow-up for ac24e418d9bc988ecf114c464701b35934948178.
The original motivation of the commit and RFE #15339 is to start dhcpv6
client in managed mode when neither M nor O flag is set in the RA.
But, previously, if the setting is set to "always", then the DHCPv6
client is always started in managed mode even if O flag is set in the
RA. Such the behavior breaks RFC 7084.
(cherry picked from commit 0e686feaff71465e3220f234871f66a39f0f57ad)
These two judgement can't judge that two entries are repeating fully.
So i think seqnum is needed to make full judgement.
(cherry picked from commit b17f651a17cd6ec0ceac7835f2f8607fbd9ddb95)
(cherry picked from commit 60fc09f5db900d622aa956fdc98283f149b4a8b2)
Use symlink_atomic_label() instead of symlink_atomic() as the symlink
may need a different label than the parent directory.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
(cherry picked from commit 7b87bece5ded3e8f068df8402901198c069ab5cf)
(cherry picked from commit 029331f56a1b6e4fb2823a56a108f741a576d7af)
Support gcc 8 on arm
(cherry picked from commit 361f41645cdf920d431e2d68dcfa3f98088c2e03)
(cherry picked from commit cb17e9874fb881d0147d44b29163e35471cf00f6)
reallocarray() is defined in stdlib.h, so that would be right header to
check for its presense.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5bb20fd3d33f7e866a0845f15c1ab5b595147f1e)
(cherry picked from commit 1d8cfe817861a0b0de2b561f6770e33d1242db63)
In some cases it is not defined. Eg in a yocto build:
src/systemd/meson.build:61:15: ERROR: Unknown variable cxx.
(cherry picked from commit 442bc2afee6c5f731c7b3e76ccab7301703a45a7)
(cherry picked from commit dad90a476e667b9c570cf236c90b50ccae7e8817)
The recent bug report indicated a race at device creation and the
sound.target dependencies, and the cause turned out to be the condition
of the sound.target trigger. Currently it's set for "card*", but this
is actually the parent object; i.e. the sound.target is triggered before
the sound devices are created.
For assuring the whole sound device creations beforehand, we need to use
"controlC*" instead of "card*"; as already described in
78-sound-card.rules, this is guaranteed to be the last device, and can
be used as a synchronization point.
BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1179363
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 5926e592fa5e6290b9f4588939945869adb5c55f)
This is a fix of #17751. Specifically:
1. Sort #include headers again
2. Remove tabs, as per coding style
3. Don't install fds in half-initialized objects
4. Use asynchronous_close() everywhere
That all said:
Quit frankly, I am not convinced we should do all this at all. If
close()ing of these input devices is really that slow, then this should
probably be fixed in the kernel, not worked around in userspace like
this.
(cherry picked from commit c74d5fe25d53263c143f0a9c2698d8bb483e398c)
Commit [1] added a workaround when unified cgroups are used but missed
legacy cgroups where there is the same issue.
[1] <2dbc45aea7>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 35e7a62ca32a30169a94693b831e53c832251984)
THis doesn't change the condition's logic at all, but is an attempt to
make things a bit more readable: instead of checking log_target !=
LOG_TARGET_AUTO let's actually list the targets where we want to
consider journal/syslog/kmsg, to make things a bit less confusing. After
all the message here is not to avoid them if LOG_TARGET_AUTO is set, but
to definitely do them in the other cases.
(cherry picked from commit ef9bddb79984aa1b9d605d44b8c0890e8289bef1)
The logic was changed in bc694c06e60505efeb09e5278a7b22cdfa23975e, let's
update the comment accordingly.
(cherry picked from commit 27ffec083140467a03f463a446c6d19dc5e437ab)
When running tests in a mkosi container, /run/systemd might not
exist yet in the container which causes test-execute to fail.
Fixes#17842.
(cherry picked from commit 77f16dbd6d93f2b4a96984254cca25cab03479af)
Either suppress the entry entirely, or not at all. But do not suppress
the "localhost" names we recognize, leaving the ones we do not in place.
On Fedora, where "localhost4.localdomain4" is among those listed in
/etc/hosts for 127.0.0.1 we'd thus otherwise drop the "localhost" but
keep the "localhost4.localdomain4" and then on reverse lookups only
return that, which is highly confusing.
(cherry picked from commit 9ca875e80c38d5bd9898cab61a612ad16d527a5a)
Make them rather fail than go to the network.
Previously we'd filter them on LLMNR (explicitly) and MDNS (implicitly,
because it doesn't have .local suffix), but not on DNS.
In order to make _gateway truly reliable, let's not allow it to go to
DNS either, and keep it local.
This is particular relevant, as clients can now request lookups without
local RR synthesis, where we'd rather have NXDOMAIN returned for
_gateway than have it hit the network.
(cherry picked from commit fbbc72189f7844df8500bb10a58988f70bf90c99)
Apparently 30s is a bit too long for some cases, see #5552. But not
caching SERVFAIL at all also breaks stuff, see explanation in
201d99584ed7af8078bb243ce2587e5455074713.
Let's try to find some middle ground, by lowering the cache timeout to
10s. This should be ample for the problem
201d99584ed7af8078bb243ce2587e5455074713 attackes, but not as long as
half a miute, as #5552 complains.
Fixes: #5552
(cherry picked from commit 19bcef9dc3fde342f138394333ab04d7e44b7da2)
Apparently, IF_UNICAST_IF does not influence the routing decisions done
during connect(). But SO_BINDTODEVICE/SO_BINDTOINDEX does, which however
brings a lot of other semantics with it, we are not so interested in
(i.e. it doesn't not allow packets from any other iface to us, even if
routing otherwise allows it).
Hence, let's bind to the ifindex immediately before the connect() and
unbind right after again, so that we get the semantics we want, but not
the ones we don't.
Fixes: #11935
Replaces: #12004
(cherry picked from commit d301c52383ca7cfa6b7cda87d7a4209c234a532c)
This extracts the IP address (as union in_addr_union) from a socket
address (i.e. a struct sockaddr).
(cherry picked from commit 3132597182c806e5193aebb0b67cdc0f73154a51)
