IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
I noticed that systemd-tty-password-agent would time out when asked to
stop via SIGTERM, and eventually be killed, under some circumstances. It
took me a while but i figured out what was going on:
systemd-ask-pw-agent blocks SIGTERM because it wants async notifications
on SIGTERM via signalfd() to listen on. That mostly works great: except
for one case: if we actually get a pw query request, and hence need to
acquire the terminal: we issue open_terminal() in that case, but if the
terminal is used otherwsie we'll hang, and because SIGTERM is blocked
we'll hang and cannot exit cleanly.
Address that: optionally, in open_terminal() look for SIGTERM by
unblcking the signal mask via ppoll() while we wait.
When running interactively, let's connect the test unit directly
to the console. This enables adding "bash" anywhere within an
integration test to get a shell within the test environment.
If a non-zero timeout is specified we should not bypass ppoll() even if
no fds are specified, since it will still act as a time based sleep in
that case.
Terminating the plymouth/console agents when the wall agent takes over
can happen asynchronously, after all the pw queries are async anyway and
hence can be seen by both the plymouth/console agents and the wall
agent.
By stopping the two agents with "--no-block" we add a bit of robustness,
since trouble of them exiting won't block the wall agent to start.
This addresses the issue the previous commit fixes in a different way.
I noticed that systemd-tty-password-agent would time out when asked to
stop via SIGTERM, and eventually be killed, under some circumstances.
It took me a while but i figured out what was going on:
systemd-ask-pw-agent blocks SIGTERM because it wants async notifications
on SIGTERM via signalfd() to listen on. That mostly works great: except
for one case: if we actually get a pw query request, and hence need to
acquire the terminal: we issue open_terminal() in that case, but if the
terminal is used otherwsie we'll hang, and because SIGTERM is blocked
we'll hang and cannot exit cleanly.
Address that: optionally, in acquire_terminal() look for SIGTERM by
unblcking the signal mask via ppoll() while we wait.
mkosi switch to the newer -blockdev qemu option in systemd/mkosi#3557 [1], but
cache=unsafe is an option only -drive supports.
Since the qemu-system_x86-64 man page [2] says this, cache.writeback=on is the
default and mkosi setting the other two options to the values corresponding to
unsafe, it should be fine to drop the cache=unsafe option.
┌─────────────┬─────────────────┬──────────────┬────────────────┐
│ │ cache.writeback │ cache.direct │ cache.no-flush │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writeback │ on │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│none │ on │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writethrough │ off │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│directsync │ off │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│unsafe │ on │ off │ on │
└─────────────┴─────────────────┴──────────────┴────────────────┘
[1] https://github.com/systemd/mkosi/pull/3557
[2] https://manpages.ubuntu.com/manpages/noble/en/man1/qemu-system-x86_64.1.html
In various scenarios we invoke containers with access to the kernel
keyring blocked. Let's make sure we can handle this properly: when the
invocation ID is stored in in the kernel keyring and we try to read it
and get EPERM we should handle it gracefully, like EOPNOTSUPP.
This reverts commit b6a2df630701de0bcf77850ced213d7fc3d0c4de.
The functionality is entirely redundant, we already have
sd_json_variant_filter() which does the same, and is in fact even more
powerful, since it takes a list instead of a single field to remove.
When we're building ParticleOS images, we don't want the package
manager (or mkosi) to run systemd-sysusers, systemd-tmpfiles or
systemctl preset so let's add a few more bypass environment
variables that we can set to have execution of these skipped like
we already have $SYSTEMD_HWDB_UPDATE_BYPASS and $KERNEL_INSTALL_BYPASS.
This delegates one or more namespaces to the service. Concretely,
this setting influences in which order we unshare namespaces. Delegated
namespaces are unshared *after* the user namespace is unshared. Other
namespaces are unshared *before* the user namespace is unshared.
Fixes#35369
Two error conditions are unreachable, as now both glibc and kernel
support statx(). In other many places, failure in statx() are handled as
critical, even if it is filtered by seccomp or so. Let's follow the same
way here.
struct statx in glibc header was introduced in glibc-2.28
(fd70af45528d59a00eb3190ef6706cb299488fcd), but at that time,
sys/stat.h conflicts with linux/stat.h. Since glibc-2.30
(5dad6ffbb2b76215cfcd38c3001778536ada8e8a), sys/stat.h includes
linux/stat.h if exists.
Since now our baseline of glibc is 2.31. Hence, we can drop workarounds
for struct statx by importing linux/stat.h from newer kernel (v6.14-rc4).
The current glibc versions used by major distributions:
CentOS 9: 2.34
CentOS 10: 2.39
Fedora 40: 2.39
Fedora 41: 2.40
Fedora 42: 2.41
Ubuntu 20.04 LTS (focal): 2.31
Ubuntu 22.04 LTS (jammy): 2.35
Ubuntu 24.04 LTS (noble): 2.39
Ubuntu 24.10 (oracular): 2.40
Debian 11 (Bullseye, oldstable): 2.31
Debian 12 (Bookworm, stable): 2.36
openSUSE SLE-15-SP6: 2.38
openSUSE Tumbleweed: 2.40
Hence, based on our supporting policy, we can bump the base line to 2.31.
This commit does not change anything on our source code. But, will drop
many workarounds for supporting older glibc in later commits.
Hinted by CID#1591563 but the issue is different -- when
sd_event_source_set_destroy_callback() fails, we would use the old
n_sources value and possibly missing sd_event_source_unref() of the last
added source.
