IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
When running unprivileged, checking /proc/1/root doesn't work because
it requires privileges. Instead, let's add an environment variable so
the process that chroot's can tell (systemd) subprocesses whether
they're running in a chroot or not.
(cherry picked from commit 2701c2f67de592fe2565b084cfaec1667767dbaf)
When unit_need_daemon_reload() calls unit_find_dropin_paths() to check
for new drop-in configs, the manager's unit path cache is used to limit
which directories are considered. If a new drop-in directory is created,
it may not be in the unit path cache, and hence unit_need_daemon_reload()
may return false, despite a new drop-in being present. However, if a
unit path cache is not given to unit_file_find_dropin_paths() at all,
then it behaves as if the target path was found in the unit path cache.
So, to fix this, adapt unit_find_dropin_paths() to take a boolean
argument indicating whether or not to pass along the unit path cache.
Set this to false in unit_need_daemon_reload().
Fixes#31752
(cherry picked from commit 82c482d573c9d2f3ab36f7be8d32772f90f2c335)
When creating a user, check if the requested group name matches a user
name in the queue. If that matched user name is also going to be a group
name, then use it for the new user too. In other words, allow the
following:
u foo -
u bar -:foo
when both foo and bar are new users.
Fixes#33547
(cherry picked from commit 18a8f03e5160ca3828d327d9bbd1b32f26d792a3)
This fixes the following assertion:
===
SYSTEMD_LOG_LEVEL=debug systemctl --user -H foo --boot-loader-entry=help
Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Ignoring.
Failed to connect to bus: Operation not supported
===
Fixes a bug introduced by 97af80c5a7029c3f92e982dcf9338b9e67ad9cde.
Fixes#33661.
Fixes oss-fuzz#70153.
(cherry picked from commit 1056457d1132e78cbf914e8abfa661465b952412)
Running the following commands:
# mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d
# /usr/lib/systemd/systemd-pcrlock predict --pcr=1+2+3+4+5+16
Will result in:
...
Floating point exception
Running the following commands:
# mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d
# /usr/lib/systemd/systemd-pcrlock make-policy --pcr=1+2+3+4+5+16
Will result to this (partial) log:
...
Predicted future PCRs in 133us.
[]
...
Written policy digest 0000000000000000000000000000000000000000000000000000000000000000 to NV index 0x1921da6
...
So, add missing checks to handle gracefully cases where there's no variant
inside the component.
Signed-off-by: Arnaud Patard <arnaud.patard@collabora.com>
(cherry picked from commit e7a93e75219b22424bab95fe45982f5eef21d581)
Rebuilding the integration test every time is very slow. Let's
introduce a way to iterate on an integration test without rebuilding
the image every time. By making a btrfs snapshot before we run the
integration test, we can then systemctl soft-reboot after running
the test to restore the rootfs to a pristine state before running
the test again.
As /run/nextroot will get nuked on reboot or soft-reboot, we introduce
a tmpfiles snippet to make sure it is recreated every (soft-)reboot
and adapt the existing tests to deal with this new symlink.
(cherry picked from commit af153e36ae67c242251951c12d6d6b6ae4783845)
TEST_SHELL can be used to get a shell in the integration test
environment without actually immediately starting the test.
(cherry picked from commit dd1c01b20fb8eef6a4d41ac7f0d3d83399e27593)
Since, at least the old framework, checks for the presence of the file
at the end and marks the whole test as skipped if it exists.
Resolves: systemd/systemd-centos-ci#728
(cherry picked from commit 4d1fbe53c1cc9b04acd897c728d996191daa618d)
On Fedora the sshd-session binary is under /usr/libexec/openssh/ so
cover this path as well in the old framework.
Follow-up for aaa7b36bd15ca3a96a1e11a557482b0bc59c769f.
(cherry picked from commit ce2344bbee468c7d524e508a8ff7f5f7ae85acb5)
We document that when multiple credentials of the same name are found,
we use the first one found so let's actually implement that behavior.
(cherry picked from commit 3de13e6148731ae9c36885afd78b1421e6f16305)
Remove an early return that prevents --prompt-root-password or
--prompt-root-shell and systemd.firstboot=off using credentials. In that case,
arg_prompt_root_password and arg_prompt_root_shell will be false, but the
prompt helpers still need to be called to read the credentials. Furthermore, if
only the root shell has been set, don't overwrite the root password.
(cherry picked from commit 35bc4c34240afdd55e117b909f26fa9a5dc54f3b)
If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry,
one needs to be added. Previously this only worked if the files didn't exist.
(cherry picked from commit 2319154a6bec7b8c42e901dfacaefe95bf4e3750)
Although locked and empty passwords in /etc/passwd are treated the same, in all
other cases the entry is configured to read the password from /etc/shadow.
(cherry picked from commit 5088de9daa156a095e79684c658f9035db971538)
It means: a) user cannot be created, something's wrong in the
test environment -> fail the test; b) user already exists, we shall not
continue and delete (foreign) user.
(cherry picked from commit 3e6e3e6d40db0a9e9741ef4942218193fca7b28e)
TEST-46-HOMED fails on ext4 because the filesystem is deemed to small
for activation by cryptsetup. Let's bump the minimal filesystem size for
ext4 a bit to be in the same ballpark as ext4 and btrfs to avoid weird
errors due to impossibly small filesystems.
Also use U64_MB while we're touching this.
(cherry picked from commit ae07feb401ff70b122650ac01041021703d4b8ad)
There are multiple subtests, just move them around into functions
(leveraging the testcase_* convention) to make space for new related
subtests.
(cherry picked from commit 4f0541dc595277a62431c46d59dc258005160650)
This allows mkosi to combine fstab.extra with its own fstab.extra so
that it doesn't override the one we pass for the test.
(cherry picked from commit ebe17e3f9e6f6b7a85677fc10439936b41d196e3)
We don't need to allow non-root, and the policy needs to specify destination
and interface too, to narrow it down
Follow-up for 7b5c38a91def6cf236605010a0a93a1cd4c137e9
(cherry picked from commit a4c436c9d8ae20baf9d1d08d43e64e6355bcce83)
Follow-up for 19a44dfe4525ab01caf593a9c2beada4b412910d
If a drop-in is set from upper level, e.g. global unit_type.d/,
even if a unit is masked, its dropin_paths would still be partially
populated. However, unit_need_daemon_reload() would always
compare u->dropin_paths with empty strv in case of masked units,
resulting in it always returning true. Instead, let's ignore
dropins entirely here.
Fixes#33672
(cherry picked from commit 11b3775f514f521f353741ff6ac4d66cf0e928e8)
On Debian and derivatives writing calls to localed are blocked as other
tools are used to change settings, override that policy for the tests
(cherry picked from commit 7b5c38a91def6cf236605010a0a93a1cd4c137e9)
I don't know why yet, but TEST-73-LOCALE can take more than 10
minutes. Until we figure out why, let's give it a higher priority
so it doesn't bottleneck the test run.
(cherry picked from commit 14963ea90d72300d3e27b5776d1aa45594b10a94)
Otherwise fixfiles will try to relabel it which could potentially
lead to disaster. We also change the recommendation in HACKING.md
to set the default so that TEST-06-SELINUX can override it.
(cherry picked from commit 575f954b5d0e03d41fe08ce2a7d85b868e89b904)
Let's document in detail how to build the integration test image and run
the integration tests without building systemd. To streamline the process,
we stop automatically using binaries from build/ when invoking mkosi directly
and don't automatically use a tools tree anymore if systemd on the host is too
old. Instead, we document these options in HACKING.md and change the mkosi meson
target to automatically use the current build directory as an extra binary search
path for mkosi.
(cherry picked from commit d279ec4a50d83ab44200ea410fa09d7ba2e5c824)
We already have selinux=0 in the default kernel command line so
enforcing=0 is redundant. Instead, pass in enforcing=0 when we
enable selinux in TEST-06-SELINUX.
(cherry picked from commit f5c44df92922d74cfff40989d6617e3a9e4c5904)
Let's make sure we don't load libnss_systemd.so from bash as the
necessary environment variables aren't set to make that work when
we're running with sanitizers enabled.
We can't add a sanitizer wrapper for bash as the wrapper runs using
bash so you end up in a loop.
(cherry picked from commit 5ac0dc70ff330a531539a92552fbeb0f542edfb5)
This is only possible since a recent kernel version, and fails otherwise,
like on CentOS 9
(cherry picked from commit ff8c89aa5a84733dd777f3e9113df33ce6c1ab1e)
Archlinux split out one ssh binary, install it in the legacy test
setup if present for the tests that need ssh
(cherry picked from commit aaa7b36bd15ca3a96a1e11a557482b0bc59c769f)
- Stop installing the policy in the initramfs as it's not really
supported anyway (https://github.com/fedora-selinux/selinux-policy/issues/2221)
- Stop relabeling on first boot and prefer to do it at image build time
- Disable mkosi relabeling by default but enable it in CI
- Build image as root in CI so the SELinux relabeling works properly
(cherry picked from commit dedd712dd9b4883678765b9bc1a8ac349cf24f3b)
stress-ng is available in OpenSUSE and in CentOS Stream without needing
EPEL so let's switch to it instead of stress.
(cherry picked from commit 3e3a15c06e03f1bec209066da5b1340e1dd03dc8)
In https://github.com/systemd/mkosi/pull/2847, the '@' specifier is
removed, CLI arguments take priority over configuration files again
and the "main" image is defined at the top level instead of in
mkosi.images/. Additionally, not every setting from the top level
configuration is inherited by the images in mkosi.images/ anymore,
only settings which make sense to be inherited are inherited.
This commit gets rid of all the usages of '@', moves the "main" image
configuration from mkosi.images/system to the top level and gets rid
of various hacks we had in place to deal with quirks of the old
configuration parsing logic.
We also remove usages of Images= and --append as these options are
removed by the mentioned PR.
(cherry picked from commit 20345a86b7157e229c1c7e3976005548bad159a4)
If the io.systemd.DynamicUser or io.systemd.Machine files exist,
but nothing is listening on them, the nss-systemd module returns
ECONNREFUSED and systemd-sysusers fails to creat the user/group.
This is problematic when ran by packaging scripts, as the package
assumes that after this has run, the user/group exist and can
be used. adduser does not fail in the same situation.
Change sysusers to print a loud warning but otherwise continue
when NSS returns an error.
(cherry picked from commit fc9938d6f8e7081df5420bf88bf98f683b1391c0)
