mirror of https://github.com/systemd/systemd.git synced 2025-03-19 22:50:17 +03:00

Merge pull request #33691 from DaanDeMeyer/backport-mkosi

Backport mkosi and integration test changes to v256-stable
Daan De Meyer 2024-07-11 16:42:06 +02:00 committed by GitHub
commit 6d07d59237
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
35 changed files with 135 additions and 74 deletions


@ -59,40 +59,47 @@ jobs:
sanitizers: ""
llvm: 0
cflags: "-O2 -D_FORTIFY_SOURCE=3"
relabel: no
- distro: debian
release: testing
sanitizers: ""
llvm: 0
cflags: "-Og"
relabel: no
- distro: ubuntu
release: noble
sanitizers: ""
llvm: 0
cflags: "-Og"
relabel: no
- distro: fedora
release: "40"
sanitizers: ""
llvm: 0
cflags: "-Og"
relabel: yes
- distro: fedora
release: rawhide
sanitizers: address,undefined
llvm: 1
cflags: "-Og"
relabel: yes
- distro: opensuse
release: tumbleweed
sanitizers: ""
llvm: 0
cflags: "-Og"
relabel: no
- distro: centos
release: "9"
sanitizers: ""
llvm: 0
cflags: "-Og"
relabel: yes
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: systemd/mkosi@6b66aa9096948e0bc38154333687584e0351f450
- uses: systemd/mkosi@4681dd733a925cd048d0301af26221bce0c95eed
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location
@ -140,6 +147,9 @@ jobs:
SANITIZERS=${{ matrix.sanitizers }}
MESON_OPTIONS=--werror
LLVM=${{ matrix.llvm }}
SYSEXT=1
SELinuxRelabel=${{ matrix.relabel }}
[Host]
QemuMem=4G
@ -187,7 +197,7 @@ jobs:
-Dvmspawn=enabled
- name: Build image
run: meson compile -C build mkosi
run: sudo meson compile -C build mkosi
- name: Run integration tests
run: sudo --preserve-env meson test -C build --no-rebuild --suite integration-tests --print-errorlogs --no-stdsplit --num-processes "$(($(nproc) - 1))"
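Review bot: The `Build image` step now runs `sudo meson compile -C build mkosi` for every matrix entry, and nothing in the workflow records why root is needed. From the visible lines, only the rows with `relabel: yes` add something that plausibly needs privileges (the earlier hunk passes `SELinuxRelabel=${{ matrix.relabel }}`), yet the build scripts and package-manager runs now execute as root on the runner in the `relabel: no` rows too and presumably leave root-owned files under `build/`. I would add a comment above the step, for example `# Built as root because SELinux relabeling at build time fails for a regular user`, or confirm whether the unprivileged build can be kept for the rows that do not relabel.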


@ -58,15 +58,15 @@ RuntimeBuildSources=yes
After enabling this setting, the source and build directories will be mounted to
`/work/src` and `/work/build` respectively when booting the image as a container
or virtual machine. To build the latest changes and re-install after booting the
image, run `mkosi -t none` in another terminal on the host and run one of the
following commands in the container or virtual machine depending on the
distribution:
image, run one of the following commands in another terminal on your host (
choose the right one depending on the distribution of the container or virtual
machine):
```sh
dnf upgrade --disablerepo="*" /work/build/*.rpm # CentOS/Fedora
apt install --reinstall /work/build/*.deb # Debian/Ubuntu
pacman -U /work/build/*.pkg.tar # Arch Linux
zypper install --allow-unsigned-rpm /work/build/*.rpm # OpenSUSE
mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" "/work/build/*.rpm" # CentOS/Fedora
mkosi -t none && mkosi ssh apt install --reinstall "/work/build/*.deb" # Debian/Ubuntu
mkosi -t none && mkosi ssh pacman -U "/work/build/*.pkg.tar" # Arch Linux
mkosi -t none && mkosi ssh zypper install --allow-unsigned-rpm "/work/build/*.rpm" # OpenSUSE
```
and optionally restart the daemon(s) you're working on using


@ -2,4 +2,4 @@
set -e
set -o nounset
rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar}
rm -f "$OUTPUTDIR"/*.{rpm,deb,pkg.tar} "$OUTPUTDIR"/systemd.raw


@ -11,7 +11,6 @@ BuildDirectory=build/mkosi.builddir
CacheDirectory=build/mkosi.cache
[Content]
SELinuxRelabel=no
BuildSourcesEphemeral=yes
Autologin=yes
@ -24,6 +23,10 @@ ExtraTrees=
Environment=
SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT=%F
# Disable relabeling by default as it only matters for TEST-06-SELINUX, takes a non-trivial amount of time
# and results in lots of errors when building images as a regular user.
SELinuxRelabel=no
# Adding more kernel command line arguments is likely to hit the kernel command line limit (512 bytes) in
# various scenarios. Consider adding support for a credential instead if possible and using that.
KernelCommandLine=systemd.crash_shell
@ -83,6 +86,7 @@ Packages=
dnsmasq
dosfstools
e2fsprogs
erofs-utils
findutils
gdb
grep


@ -33,7 +33,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
fi
MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
if ((WIPE)); then
if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
fi
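Review bot: The new `[[ -d "$BUILDDIR/meson-private" ]]` guard has no comment, so the reason `--wipe` is skipped on a fresh build directory is not recorded; presumably `meson setup --wipe` fails when the directory was never configured. I would add above the condition `# --wipe only works on an already configured build directory, so skip it on the first build.` The same guard is added without a comment in the three other build-script sections on this page. The script starts and ends outside the hunk.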


@ -37,8 +37,8 @@ Packages=
linux
man-db
multipath-tools
nmap
open-iscsi
openbsd-netcat
openssh
openssl
pacman
@ -54,7 +54,7 @@ Packages=
shadow
softhsm
squashfs-tools
stress
stress-ng
tgt
tpm2-tools
tpm2-tss


@ -2,6 +2,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
. mkosi.functions
if ((NO_BUILD)); then
exit 0
fi
@ -62,7 +64,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
fi
MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
if ((WIPE)); then
if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
fi
@ -120,3 +122,5 @@ CXX_LD="$( ((LLVM)) && echo lld)" \
cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
cp "$OUTPUTDIR"/*.rpm "$BUILDDIR"
make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT
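Review bot: `. mkosi.functions` names the file without a slash, so bash looks it up through `$PATH` first and only then in the current directory; the script therefore depends on its working directory and on no earlier `PATH` entry carrying a file of that name. If the build environment does not guarantee both, `. "$SRCDIR/mkosi.functions"` would pin the file that gets sourced (assuming `SRCDIR` is set here, as it is in another script on this page). The added call `make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT` also passes an unquoted glob while the function reads only `$1`, so several matches or no match go unnoticed. The other build script that receives the same two additions has the same points, and both scripts continue outside their hunks.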


@ -45,7 +45,7 @@ Packages=
libcap-ng-utils
libubsan
man-db
netcat
nmap-ncat
openssh-clients
openssh-server
pam
@ -62,7 +62,7 @@ Packages=
sbsigntools
softhsm
squashfs-tools
stress
stress-ng
tpm2-tools
util-linux
veritysetup


@ -1,20 +1,13 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
# building a /usr-only image.
[Match]
Profile=!particle
[Content]
# libselinux does not work in the slightest with /usr-only images so don't install the packages if we're
# building a /usr-only image.
Packages=
selinux-policy
selinux-policy-targeted
setools-console
# We relabel on first boot instead of at build time because it is only possible to label without root
# if the labels exist in the host system, and we want to be able to cross-build to other distributions.
SELinuxRelabel=no
InitrdPackages=
selinux-policy
selinux-policy-targeted


@ -56,7 +56,7 @@ if ((LLVM)) && [[ -n "$SANITIZERS" ]]; then
fi
MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
if ((WIPE)); then
if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
fi


@ -65,7 +65,7 @@ Packages=
locales
man-db
multipath-tools
netcat-openbsd
ncat
open-iscsi
openssh-client
openssh-server
@ -78,7 +78,7 @@ Packages=
quota
softhsm2
squashfs-tools
stress
stress-ng
tgt
tpm2-tools
tzdata


@ -2,6 +2,8 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
set -e
. mkosi.functions
if ((NO_BUILD)); then
exit 0
fi
@ -63,7 +65,7 @@ if [[ -z "${MKOSI_LDFLAGS// }" ]]; then
fi
MKOSI_MESON_OPTIONS="-D mode=developer -D b_sanitize=${SANITIZERS:-none}"
if ((WIPE)); then
if ((WIPE)) && [[ -d "$BUILDDIR/meson-private" ]]; then
MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
fi
@ -139,3 +141,5 @@ fi
cp "$OUTPUTDIR"/*.rpm "$PACKAGEDIR"
cp "$OUTPUTDIR"/*.rpm "$BUILDDIR"
make_sysext_unsigned /var/tmp/BUILD/*/BUILDROOT


@ -8,13 +8,14 @@ InitrdInclude=initrd/
[Distribution]
Release=tumbleweed
Repositories=non-oss
PackageManagerTrees=macros.db_backend:/etc/rpm/macros.db_backend
[Content]
Environment=
GIT_URL=https://src.opensuse.org/rpm/systemd
GIT_BRANCH=devel
GIT_COMMIT=23bfa9d83b6e24a5395a704b816a351f3dc5b5316e580cacedd1b5d9e068c117
GIT_URL=https://code.opensuse.org/package/systemd
GIT_BRANCH=master
GIT_COMMIT=6812406e52a474568744c267e7bade1496bb26a5
VolatilePackages=
systemd
@ -60,6 +61,7 @@ Packages=
libkmod2
libubsan1
multipath-tools
ncat
open-iscsi
openssh-clients
openssh-server
@ -79,6 +81,7 @@ Packages=
shadow
softhsm
squashfs
stress-ng
tgt
timezone
tpm2.0-tools


@ -32,10 +32,10 @@ disable auditd.service
# systemd-timesyncd is not enabled by default in the default systemd preset so enable it here instead.
enable systemd-timesyncd.service
# Skipped if selinux is not enabled, required for TEST-06-SELINUX.
enable autorelabel.service
# Enabled by default on OpenSUSE and not conditioned out in containers, so let's disable these here instead.
disable iscsi.service
disable iscsid.socket
disable iscsiuio.socket
# mkosi relabels the image itself so no need to do it on boot.
disable selinux-autorelabel-mark.service

49
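--- a/mkosi.functions
+++ b/mkosi.functions
@@ -0,0 +1,49 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+make_sysext_unsigned() {
+if ! ((SYSEXT)); then
+return
+fi
+mkdir -p /usr/lib/systemd/repart/definitions/sysext-unsigned.repart.d
+cat >/usr/lib/systemd/repart/definitions/sysext-unsigned.repart.d/10-root.conf <<EOF
+[Partition]
+Type=root
+Format=erofs
+CopyFiles=/usr/
+Minimize=best
+EOF
+. /usr/lib/os-release
+mkdir -p "$1"/usr/lib/extension-release.d
+cat >"$1"/usr/lib/extension-release.d/extension-release.systemd <<EOF
+ID=$ID
+SYSEXT_ID=systemd
+SYSEXT_SCOPE=system
+ARCHITECTURE=$ARCHITECTURE
+EOF
+if [[ -n "$VERSION_ID" ]]; then
+cat >>"$1"/usr/lib/extension-release.d/extension-release.systemd <<EOF
+VERSION_ID=$VERSION_ID
+EOF
+fi
+if [[ -n "$SYSEXT_LEVEL" ]]; then
+cat >>"$1"/usr/lib/extension-release.d/extension-release.systemd <<EOF
+SYSEXT_LEVEL=$SYSEXT_LEVEL
+EOF
+fi
+rm -f "$BUILDDIR"/systemd.raw
+env --unset=SYSTEMD_REPART_OVERRIDE_FSTYPE_ROOT \
+"$BUILDDIR"/systemd-repart \
+--make-ddi=sysext-unsigned \
+--copy-source="$1" \
+--pretty=no \
+"$BUILDDIR"/systemd.raw
+cp "$BUILDDIR"/systemd.raw "$OUTPUTDIR"
+}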
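Review bot: `make_sysext_unsigned` uses `$1` without checking it, so a call with an unexpanded or wrong path lets `mkdir -p "$1"/usr/lib/extension-release.d` create that tree and the function goes on to pack it; a guard at the top such as `[[ -d "${1:?}" ]] || return 1` would stop that. `. /usr/lib/os-release` is sourced into the calling build script's shell, so every variable in that file (`ID`, `VERSION_ID`, and so on) overwrites a same-named variable of the caller; reading it in a subshell, or documenting the side effect, would keep that contained. The function also has no header comment: I would add one saying that it builds an unsigned sysext image of the tree in `$1` as `$BUILDDIR/systemd.raw`, copies it to `$OUTPUTDIR`, and returns early unless `SYSEXT` is non-zero.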


@ -7,7 +7,7 @@ Distribution=arch
Packages=
inetutils
iproute
openbsd-netcat
nmap
RemoveFiles=
# Arch Linux doesn't split their gcc-libs package so we manually remove


@ -9,4 +9,4 @@ Packages=
hostname
iproute
iproute-tc
netcat
nmap-ncat


@ -9,4 +9,4 @@ Packages=
hostname
iproute2
mount
netcat-openbsd
ncat


@ -7,5 +7,5 @@ Distribution=opensuse
Packages=
hostname
iproute2
netcat-openbsd
ncat
patterns-base-minimal_base


@ -32,7 +32,7 @@ done
# We want /var/log/journal to be created on first boot so it can be created with the right chattr settings by
# systemd-journald.
rm -r "$BUILDROOT/var/log/journal"
rm -rf "$BUILDROOT/var/log/journal"
rm -f /etc/nsswitch.conf
cp "$SRCDIR/factory/etc/nsswitch.conf" /etc/nsswitch.conf


@ -3,7 +3,7 @@
integration_tests += [
integration_test_template + {
'name' : fs.name(meson.current_source_dir()),
'cmdline' : integration_test_template['cmdline'] + ['systemd.wants=autorelabel.service', 'selinux=1', 'lsm=selinux'],
'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'],
# FIXME; Figure out why reboot sometimes hangs with 'linux' firmware.
# Use 'auto' to automatically fallback on non-uefi architectures.
'firmware' : 'auto',


@ -32,7 +32,7 @@ test_append_files() {
ls \
md5sum \
mountpoint \
nc \
ncat \
ps \
seq \
sleep \


@ -24,6 +24,7 @@ test_append_files() {
inst_binary ssh
inst_binary sshd
inst_binary ssh-keygen
image_install -o /usr/lib/ssh/sshd-session
}
do_test "$@"
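Review bot: `image_install -o /usr/lib/ssh/sshd-session` hard-codes one distribution's location for the helper and marks it optional, so where `sshd-session` is shipped elsewhere the line silently installs nothing and `sshd` would presumably fail only when the test runs. If I recall the packaging correctly, Fedora uses `/usr/libexec/openssh/sshd-session` and Debian `/usr/lib/openssh/sshd-session`; listing those candidates in the same `-o` call, with a comment that OpenSSH releases which split out `sshd-session` need it next to `sshd`, would cover them. The same line is added in the other `test_append_files` section further down. `test_append_files` begins outside the hunk.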


@ -14,7 +14,7 @@ TEST_NO_NSPAWN=1
test_append_files() {
local workspace="${1:?}"
image_install mkswap swapon swapoff stress
image_install mkswap swapon swapoff stress-ng
image_install -o btrfs
mkdir -p "${workspace:?}/etc/systemd/system/init.scope.d/"


@ -31,6 +31,7 @@ test_append_files() {
inst_binary ssh
inst_binary sshd
inst_binary ssh-keygen
image_install -o /usr/lib/ssh/sshd-session
inst_binary usermod
instmods vmw_vsock_virtio_transport
instmods vsock_loopback


@ -208,7 +208,7 @@ BASICTOOLS=(
mount
mountpoint
mv
nc
ncat
nproc
ping
pkill


@ -186,27 +186,27 @@ if ! systemd-detect-virt -cq; then
)
# We should fail with EPERM when trying to bind to a socket not on the allow list
# (nc exits with 2 in that case)
# (ncat exits with 2 in that case)
systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42'
bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42'
systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -l ::1 9999; exit 42'
bash -xec 'timeout 1s ncat -l ::1 9999; exit 42'
systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -6 -u -l ::1 9999; exit 42'
bash -xec 'timeout 1s ncat -6 -u -l ::1 9999; exit 42'
systemd-run --wait -p SuccessExitStatus="1 2" --pipe "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -4 -l 127.0.0.1 6666; exit 42'
bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 6666; exit 42'
systemd-run --wait -p SuccessExitStatus="1 2" --pipe -p SocketBindDeny=any \
bash -xec 'timeout 1s nc -l 127.0.0.1 9999; exit 42'
bash -xec 'timeout 1s ncat -l 127.0.0.1 9999; exit 42'
# Consequently, we should succeed when binding to a socket on the allow list
# and keep listening on it until we're killed by `timeout` (EC 124)
systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -4 -l 127.0.0.1 1234; exit 1'
bash -xec 'timeout 1s ncat -4 -l 127.0.0.1 1234; exit 1'
systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -4 -u -l 127.0.0.1 5678; exit 1'
bash -xec 'timeout 1s ncat -4 -u -l 127.0.0.1 5678; exit 1'
systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -6 -l ::1 1234; exit 1'
bash -xec 'timeout 1s ncat -6 -l ::1 1234; exit 1'
systemd-run --wait --pipe -p SuccessExitStatus=124 "${ARGUMENTS[@]}" \
bash -xec 'timeout 1s nc -6 -l ::1 6666; exit 1'
bash -xec 'timeout 1s ncat -6 -l ::1 6666; exit 1'
fi
losetup -d "$LODEV"


@ -8,7 +8,7 @@ set -o pipefail
rm -f /tmp/nonexistent
systemctl start issue2467.socket
nc -i20 -w20 -U /run/test.ctl || :
ncat -i20 -w20 -U /run/test.ctl || :
# TriggerLimitIntervalSec= by default is set to 2s. A "sleep 10" should give
# systemd enough time even on slower machines, to reach the trigger limit.
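Review bot: `ncat -i20 -w20 -U /run/test.ctl` keeps the option letters of the old `nc` call, but they mean different things in Ncat: `-i` is an idle timeout rather than a delay between lines, and `-w` bounds only the connect phase rather than idle time as well. Here both are set, so the call still ends after 20 idle seconds, but the `-w1` and `-w 1` calls in the issue-3171 and notification-socket sections no longer carry an idle bound and depend on the peer closing the socket or on how Ncat treats end of input. I would either add `-i1` where an idle bound was intended or put a comment next to those calls, for example `# ncat: -w is the connect timeout only`. The script continues outside the hunk.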


@ -30,21 +30,21 @@ EOF
systemctl start issue-3171.socket
systemctl is-active issue-3171.socket
[[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]]
echo A | nc -w1 -U /run/issue-3171.socket
echo A | ncat -w1 -U /run/issue-3171.socket
mv $U ${U}.disabled
systemctl daemon-reload
systemctl is-active issue-3171.socket
[[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]]
echo B | nc -w1 -U /run/issue-3171.socket && exit 1
echo B | ncat -w1 -U /run/issue-3171.socket && exit 1
mv ${U}.disabled $U
systemctl daemon-reload
systemctl is-active issue-3171.socket
echo C | nc -w1 -U /run/issue-3171.socket && exit 1
echo C | ncat -w1 -U /run/issue-3171.socket && exit 1
[[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]]
systemctl restart issue-3171.socket
systemctl is-active issue-3171.socket
echo D | nc -w1 -U /run/issue-3171.socket
echo D | ncat -w1 -U /run/issue-3171.socket
[[ "$(stat --format='%G' /run/issue-3171.socket)" == adm ]]


@ -702,7 +702,7 @@ EOF
testcase_notification_socket() {
# https://github.com/systemd/systemd/issues/4944
local root
local cmd='echo a | nc -U -u -w 1 /run/host/notify'
local cmd='echo a | ncat -U -u -w 1 /run/host/notify'
root="$(mktemp -d /var/lib/machines/TEST-13-NSPAWN.check_notification_socket.XXX)"
create_dummy_container "$root"


@ -3,8 +3,8 @@
Description=Create a lot of memory pressure
[Service]
# A VERY small memory.high will cause the 'stress' (trying to use a lot of memory)
# A VERY small memory.high will cause the 'stress-ng' (trying to use a lot of memory)
# to throttle and be put under heavy pressure.
MemoryHigh=3M
Slice=TEST-55-OOMD-workload.slice
ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1
ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep


@ -5,4 +5,4 @@ Description=Create some memory pressure
[Service]
MemoryHigh=12M
Slice=TEST-55-OOMD-workload.slice
ExecStart=stress --timeout 3m --vm 10 --vm-bytes 200M --vm-keep --vm-stride 1
ExecStart=stress-ng --timeout 3m --vm 10 --vm-bytes 200M --vm-keep


@ -6,14 +6,6 @@ set -o pipefail
# shellcheck source=test/units/util.sh
. "$(dirname "$0")"/util.sh
. /etc/os-release
# OpenSUSE does not have the stress tool packaged. It does have stress-ng but the stress-ng does not support
# --vm-stride which this test uses.
if [[ "$ID" =~ "opensuse" ]]; then
echo "Skipping due to missing stress package in OpenSUSE" >>/skipped
exit 77
fi
systemd-analyze log-level debug
# Ensure that the init.scope.d drop-in is applied on boot


@ -69,7 +69,7 @@ def update_distro(args, distro: str):
print(f"+ {shlex.join(cmd)}")
changes = subprocess.check_output(cmd, text=True).strip()
conf_dir = Path('mkosi.images/system/mkosi.conf.d')
conf_dir = Path('mkosi.conf.d')
files = conf_dir.glob('*/*.conf')
for file in files:
s = file.read_text()