IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Currently, sd-dhcp-server accepts spurious client IDs, then the leases
exposed by networkd may be invalid. Let's make networkctl gracefully
show such leases.
Fixes#25984.
(cherry picked from commit 841dfd3dc0dd370a21f190a5b7b870db1c95f7e6)
Fixes a bug introduced by af2aea8bb64b0dc42ecbe5549216eb567681a803.
Fixes#25883 and #25891.
(cherry picked from commit 303dfa73b389e8f6dc58954e867c21724c1446f7)
When the target (Where=) of a mount does not exist, systemd tries to
create it. But previously, it'd always been created as a directory. That
doesn't work if one wants to bind-mount a file to a target that doesn't
exist.
Fixes: #17184
(cherry picked from commit 218cfe23354397ded28ac898f82b52724f48dae7)
This patch merge the TPM2 detection paths when we are inside and outside
an initrd.
Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit e37dfcec528b43e203d198f978f9eaa87787c762)
During the credentials encryption, if systemd it is compiled with TPM2
support, it will try to use it depending on the key flags passed.
The current code only checks if the system has a functional TPM2 if the
case of the INITRD flag.
This patch do a similar check in the case that it is outside initrd (but
still automatic).
Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit e653a194e490fae7d166f40762c334006d592051)
In make_credential_host_secret, the credential.secret file is generated
first as a temporary anonymous file that is later instantiated with
linkat(2). This system call requires CAP_DAC_READ_SEARCH capability
when the flag AT_EMPTY_PATH is used.
This patch check if the capability is effective, and if not uses the
alternative codepath for creating named temporary files.
Non-root users can now create per-user credentials with:
export SYSTEMD_CREDENTIAL_SECRET=$HOME/.config/systemd/credential.secret
systemd-creds setup
Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit 1615578f2792fdeecaf65606861bd3db9eb949c3)
On RHEL/CentOS/Fedora this directory is provided by the chkconfig or
initscripts package, which might not be installed:
testsuite-26.sh[1225]: + [[ -x /usr/lib/systemd/system-generators/systemd-sysv-generator ]]
testsuite-26.sh[1225]: + cat
testsuite-26.sh[2330]: /usr/lib/systemd/tests/testdata/units/testsuite-26.sh: line 299: /etc/init.d/issue-24990: No such file or directory
Follow-up to 5f882cc3ab32636d9242effb2cefad20d92d2ec2.
(cherry picked from commit 7fcf0fab078ed92a4f6c3c3658c0a9dfd67c9601)
CURLOPT_PROTOCOLS [0] was deprecated in libcurl 7.85.0 with
CURLOPT_PROTOCOLS_STR [1] as a replacement, causing build warnings/errors:
../build/src/import/curl-util.c: In function ‘curl_glue_make’:
../build/src/import/curl-util.c:255:9: error: ‘CURLOPT_PROTOCOLS’ is deprecated: since 7.85.0. Use CURLOPT_PROTOCOLS_STR [-Werror=deprecated-declarations]
255 | if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK)
| ^~
In file included from ../build/src/import/curl-util.h:4,
from ../build/src/import/curl-util.c:6:
/usr/include/curl/curl.h:1749:3: note: declared here
1749 | CURLOPTDEPRECATED(CURLOPT_PROTOCOLS, CURLOPTTYPE_LONG, 181,
| ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Since there's no grace period between the two symbols, let's resort
to a light if-def-ery to resolve this.
[0] https://curl.se/libcurl/c/CURLOPT_PROTOCOLS.html
[1] https://curl.se/libcurl/c/CURLOPT_PROTOCOLS_STR.html
(cherry picked from commit e61a4c0b7c79eabbe4eb50ff2e663734fde769f0)
CURLINFO_PROTOCOL has been deprecated in curl 7.85.0 causing compilation
warnings/errors:
../build/src/import/pull-job.c: In function ‘pull_job_curl_on_finished’:
../build/src/import/pull-job.c:142:9: error: ‘CURLINFO_PROTOCOL’ is deprecated: since 7.85.0. Use CURLINFO_SCHEME [-Werror=deprecated-declarations]
142 | code = curl_easy_getinfo(curl, CURLINFO_PROTOCOL, &protocol);
| ^~~~
In file included from ../build/src/import/curl-util.h:4,
from ../build/src/import/pull-job.h:6,
from ../build/src/import/pull-common.h:7,
from ../build/src/import/pull-job.c:16:
/usr/include/curl/curl.h:2896:3: note: declared here
2896 | CURLINFO_PROTOCOL CURL_DEPRECATED(7.85.0, "Use CURLINFO_SCHEME")
| ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Since both CURLINFO_SCHEME and CURLINFO_PROTOCOL were introduced in
the same curl version (7.52.0 [0][1]) we don't have to worry about
backwards compatibility.
[0] https://curl.se/libcurl/c/CURLINFO_SCHEME.html
[1] https://curl.se/libcurl/c/CURLINFO_PROTOCOL.html
(cherry picked from commit 2285c462ebb0b5d9a7043719a4f0d684a5dc37c2)
Inspired by #25957 there's one other place where we don't guard
acl_free() calls with a NULL check.
Fix that.
(cherry picked from commit 34680637e838415204850f77c93ca6ca219abaf1)
When built with ACL support, we might be processing a tmpfiles
entry where there's no cause for us to call parse_acls_from_arg,
then we get to the end of parse_line without having ever populated
i.{acl_access, acl_default}.
Then we pass a null pointer into acl_free().
From UBSAN w/ GCC 13.0.0_pre20230101:
```
$ systemd-tmpfiles --clean
/var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer
#0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44
#1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855
#2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158
#3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897
#4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985
#5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157
#6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218
#7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289)
#8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
#9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900)
```
(cherry picked from commit 9f804ab04d566ff745849e1c4ced680a0447cf76)
Let's pass USEC_INFINITY from sd_event_source_set_time_relative() to
sd_event_source_set_time() instead of raising EOVERFLOW.
We should raise EOVERFLOW only if your addition fails, but not if the
input already is USEC_INFINITY, since it's an entirely valid operation
to have an infinite time-out, and we should support that.
(cherry picked from commit ef8591951aefccb668201f24aa481aa6cda834da)
Commit 1b86c7c59ecc ("virt: make virtualization enum a named type")
made the conversion from `if (!r)` to `if (v != VIRTUALIZATION_NONE)`.
However, the initial test was meaning "if r is null", IOW "if r IS
`VIRTUALIZATION_NONE`).
The test is wrong and this can lead to false detection of the container
environment (when calling `systemctl exit`).
For example, https://gitlab.freedesktop.org/whot/libevdev/-/jobs/34207974
is calling `systemctl exit 0`, and systemd terminates with the exit code
`130`.
Fixing that typo makes `systemctl exit 0` returns `0`.
Fixes: 1b86c7c59ecc26efdf278f5c1c4430346021cd38.
(cherry picked from commit a91078bc57950c9b0c19fd25fb2e802409695304)
The second argument to dump_list() actually ends up in a TABLE_FIELD
cell now, where we implicitly append a ":". Hence drop it from the
strings.
Follow-up for: 37a50123fac050c7ccde4afcf3f37ee77aad012c
(cherry picked from commit ef503f1cec53f654780591adee6e3e223b575f56)
Previously, if a client disconnected after sending a lookup request but
before waiting for the reply we'd log at LOG_ERR level. That's
confusing, since it's entirely OK for the client to lose interest.
Hence, let's downgrade to debug level.
Fixes: #25892
(cherry picked from commit 40557509be084f27d48bc5fc51286a664b96942e)
This reverts commit b99bf5811850afdb2502ba37251c48348da63c82.
It seems that using this protocol on some firmwares to forcibly
initialize console devices may break handles (already opened file
handles and the device handle itself) that we rely on to access the
boot filesystem, making it impossible to load the selected entry.
It might be possible to get a new handle by querying for the device
handle by using its device path after calling into this protocol, but
this is untested. The firmware might also be so buggy that accessing
devices after using this protocol is impossible.
It seems prudent to revert this for now until some reliable way is found
to initialize console devices without introducing huge boot delays. Any
users on firmware where console devices cannot be accessed would have to
rely on disabling fastboot.
Fixes: #25737, #25846
(cherry picked from commit f151abb0e5fa4f820109eb0541bfdcba319d2b92)
cannot pass false as argument because function wants a pointer to bool
instead, use NULL instead
(cherry picked from commit 2cc697d7400446a7ea823bc38061501cd85b046a)
GCC-13 -std=gnu2x FTBS with:
error: incompatible type for argument 3 of ‘_hashmap_free’
(cherry picked from commit a4a1569ff1e9ab62996f8b42dcc14a09f91b5715)
../src/basic/cgroup-util.c: In function ‘skip_session’:
../src/basic/cgroup-util.c:1241:32: error: incompatible types when returning type ‘_Bool’ but ‘const char *’ was expected
1241 | return false;
(cherry picked from commit db8e720984269a050a7a78aeb503a7402ef567f7)
If we run in a container we shouldn#t try to import creds passed in from
a VMM, as they are not for us, but for the VM itself.
(cherry picked from commit 13b99dccb7617756626f93c102aefff99a964436)
If the page size of a swap space doesn't match the page size of the
currently running kernel, swapon will fail. Let's instruct it to
reinitialize the swap space instead.
(cherry picked from commit cc137d53e36da5e57b060be5e621864f572b2cac)
After #25268, it is now possible to check whether a credential
is present on a FIDO2 token without actually attempting to retrieve said
credential. However, when cryptsetup plugins are not enabled, the
fallback unlock routines are not able to make multiple attempts with
multiple different FIDO2 key slots.
Instead of looking for one FIDO2 key slot when trying to unlock, we now
attempt to use all key slots applicable.
Fixes#19208.
(cherry picked from commit e6319a102e5b6f7c1588ca851d66db7c3ade1665)
Since commit 1ad6e8b302e87b6891a2bfc35ad397b0afe3d940, unsetting an environment
variable means restoring it to its default value.
However this doesn't work well when localed updates locale.conf. Indeed when a
variable is removed from that file, localed calls "UnsetAndSetEnvironment"
method which restores the default values of the unset variables obtained by
PID1 when it first read locale.conf. But since locale.conf has been updated,
these default values might be outdated and localed needs to instruct PID1 to
read locale.conf again.
Reloading PID1 configuration is quite an heavy operation for this purpose but
there's no other way unless we change again the meaning of "UnsetEnvironment"
or we introduce a new method that really unset an env variable.
That said given the fact that localed modifies locale.conf, it should have an
effect on PID1 default environment rather than on the environment explicitly
set by the user (m->client_manager).
(cherry picked from commit c8966e812e6dcbec95814e6e9c2ed2b351e269ac)
A FreezeUnit operation can hang due to the presence of kernel threads
(see last 2 commits). Keeping the default configuration will mean the
system will hang for 25 seconds in suspend waiting for the response. 1.5
seconds should be sufficient for most cases.
(cherry picked from commit 432a32117506657186e16bd8e0642bbb30326bc4)
This ensures that services with `RemainAfterExit` but without any
process running won't cause failure during freeze.
(cherry picked from commit fcb0878f7563df9701a4d066378995c0b7ec32be)
It's a bashism, but we use other bash features anyway, and it's cleaner
and much less verbose.
(cherry picked from commit 1f9caf28cafbec89b93b8e6b641d387ac5acdd24)
