IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Currently the test works only with policy shipped by Fedora, which makes
it pretty much useless in most of our CIs. Let's drop the custom module
and make the test more generic, so it works with the refpolicy as well,
which should allow us to run it on Arch and probably even in Ubuntu CI.
--tpm2-device-key= requires OpenSSL >= 3 with KDF-SS, so let's skip the
test if we're running with older OpenSSL.
+ systemd-cryptenroll --tpm2-device-key=/tmp/srk.pub --tpm2-pcrs=12:sha256=F5A5FD42D16A20302798EF6ED309979B43003D2320D9F0E8EA9831A92759FB4B /tmp/systemd-cryptsetup-H8y.IMAGE
Failed to find TPM2 pcrlock policy file 'pcrlock.json': No such file or directory
Allocating context for crypt device /tmp/systemd-cryptsetup-H8y.IMAGE.
Trying to open and read device /tmp/systemd-cryptsetup-H8y.IMAGE with direct-io.
Trying to open device /tmp/systemd-cryptsetup-H8y.IMAGE without direct-io.
Initialising device-mapper backend library.
Trying to load LUKS2 crypt type from device /tmp/systemd-cryptsetup-H8y.IMAGE.
Crypto backend (OpenSSL 1.1.1k FIPS 25 Mar 2021) initialized in cryptsetup library version 2.3.7.
Detected kernel Linux 4.18.0-521.el8.ppc64le ppc64le.
...
Failed to find TPM PCR public key file 'tpm2-pcr-public-key.pem': No such file or directory
Failed to read TPM2 PCR public key, proceeding without: No such file or directory
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
Can't find symbol Esys_TR_GetTpmHandle: /lib64/libtss2-esys.so.0: undefined symbol: Esys_TR_GetTpmHandle
libtss2-esys too old, does not include Esys_TR_GetTpmHandle.
PolicyPCR calculated digest: 9a1f511fb94f030eb21d0332ef2739727bf0ead4ec26a204d15b09cdeb4b2555
Calculating sealed object.
Calculating encrypted seed for sealed object.
Calculating encrypted seed for ECC sealed object.
Calculating KDFe().
KDF-SS requires openssl >= 3.
Could not calculate KDFe: Operation not supported
Could not calculate encrypted seed: Operation not supported
Failed to seal to TPM2: Operation not supported
don't let the devices to be announced just as model "Linux". Let's instead
propagate the underlying block device's model. Also do something
reasonably smart for the serial and firmware version fields.
Prompted by #29972, because right now it's practically impossible to pass
-fno-sanitize=function to the fuzzer targets without some extensive
sed'ing.
This splits both c_args and cpp_args to separate arguments for
tools/meson-build.sh, because the other way would be to use `eval`, so
the space-separated but quoted strings passed to these options are not
split where they shouldn't, and I'd rather avoid using `eval` if
possible.
Also, this switches the positional arguments we pass to `meson setup`,
as they were in incorrect order (docs say it should be buildir followed
by sourcedir); meson is apparently clever enough to figure this out and
switch the arguments around if necessary, so it didn't complain.
Let's just rely on the word splitting done by bash instead of messing
with that ourselves, as it's just adding extra complexity to appease one
ShellCheck check. Also, this apparently never worked for the nspawn
stuff anyway, since I forgot to set $IFS to an appropriate value, so it
always put all arguments from $KERNEL_APPEND into a single array item
with an extra newline, which then made systemd sad:
~# readarray arr <<< "foo bar baz"; for i in "${arr[@]}"; do echo "'$i'"; done
'foo bar baz
'
~# make -C test/TEST-45-TIMEDATE/ clean setup run BUILD_DIR=$PWD/build TEST_NO_QEMU=1 KERNEL_APPEND="systemd.log_level=console"
...
~# journalctl -o short-monotonic --no-hostname --file /var/tmp/systemd-tests/systemd-test.XaDX67/system.journal --grep "Failed to parse" -p info --no-pager
[551138.986882] systemd-tmpfiles[21]: Failed to parse log level 'console
[551138.987179] systemd-remount-fs[20]: Failed to parse log level 'console
[551138.993125] systemd-sysusers[23]: Failed to parse log level 'console
[551138.998685] journalctl[29]: Failed to parse log level 'console
Resolves: #29945
Let's use the newly gained feature of `busctl` and start is as a
Type=notify unit, which should make sure the unit is started only after
`busctl` is on the bus listening for messages.
This should help with a race spotted in CIs, where we continued too
early after starting `busctl monitor` and miss the emitted signals:
[ 10.914831] testsuite-45.sh[694]: + systemd-run --unit busctl-monitor.service --service-type=exec busctl monitor --json=short '--match=type='\''signal'\'',sender=org.freedesktop.timesync1,member='\''PropertiesChanged'\'',path=/org/free>
[ 11.064365] systemd[1]: Starting busctl-monitor.service...
[ 11.064903] systemd[1]: Started busctl-monitor.service.
[ 11.065192] testsuite-45.sh[740]: Running as unit: busctl-monitor.service; invocation ID: ee44a9d713c34b9a97e3e7f6f4fffe77
...
[ 11.069255] testsuite-45.sh[694]: + timedatectl ntp-servers ntp99 10.0.0.1
[ 11.077140] systemd-timesyncd[728]: Network configuration changed, trying to establish connection.
[ 11.077461] testsuite-45.sh[694]: + assert_networkd_ntp ntp99 10.0.0.1
...
[ 11.087418] testsuite-45.sh[694]: + assert_timesyncd_signal '2023-11-08 16:28:48.861455' LinkNTPServers 10.0.0.1
...
[ 11.095543] testsuite-45.sh[694]: + for _ in {0..9}
[ 11.095543] testsuite-45.sh[694]: + journalctl -q '--since=2023-11-08 16:28:48.861455' -p info _SYSTEMD_UNIT=busctl-monitor.service --grep .
[ 11.193258] systemd-journald[375]: Received client request to sync journal.
[ 11.112424] testsuite-45.sh[694]: + sleep .5
[ 11.160318] dbus-daemon[465]: [system] Connection :1.56 (uid=0 pid=741 comm="/usr/bin/busctl monitor --json=short --match=type=") became a monitor.
Resolves: #29923
41e4ce06fe shortened existing sleeps, which resulted in the check being
sometimes done before the property had a chance to update. Let's do what
what we do with the rest of the checks and retry it a couple of times.
Resolves: #29923
As in their current form they didn't work at all:
systemd-timesyncd[190115]: Assertion 's' failed at src/libsystemd/sd-event/sd-event.c:3058, function sd_event_source_set_enabled(). Ignoring.
systemd-timesyncd[190115]: Failed to reenable system ntp server change event source!
systemd-timesyncd[190115]: Failed to enable ntp server defer event, ignoring: Invalid argument
This was also pointed out in the post-merge review [0].
Let's address this together with the rest of the comments, and add
some tests to make sure everything works as it should.
Resolves: #28770
Follow-up to: 8f1c446
[0] 8f1c446979 (r124147466)
The cleanup uses PERSISTENT_HANDLE while the test uses PERSISTENT, so change
the test to use PERSISTENT_HANDLE so it's cleaned up (i.e. removed from the
tpm) after the test.
When starting a service with a non-root user and a SystemCallFilter and
other settings (like ProtectClock), the no_new_privs flag should not be set.
Also, test that CapabilityBoundingSet behaves correctly, since we need
to preserve some capabilities to do the seccomp filter and restore the
ones set by the service before executing.
Let's wait for the "latest" message systemd-bsod prints to the console
to appear, otherwise we might be too fast and take a console snapshot
before it contains all the information:
[ 44.237788] testsuite-04.sh[1744]: + setterm --term linux --dump --file /tmp/console.dump
[ 44.246089] systemd-bsod[1858]: QR code could not be printed, ignoring: Operation not supported
[ 44.305692] testsuite-04.sh[1744]: + grep -aq 'The current boot has failed' /tmp/console.dump
[ 44.308047] testsuite-04.sh[1744]: + grep -aq 'Service emergency message' /tmp/console.dump
[ 44.311200] testsuite-04.sh[1744]: + grep -aq 'Press any key to exit' /tmp/console.dump
[ 44.314359] testsuite-04.sh[1744]: + at_exit
[ 44.315087] testsuite-04.sh[1744]: + local EC=1
[ 44.315945] testsuite-04.sh[1744]: + [[ 1 -ne 0 ]]
[ 44.316647] testsuite-04.sh[1744]: + [[ -e /tmp/console.dump ]]
[ 44.318305] testsuite-04.sh[1744]: + cat /tmp/console.dump
[ 44.319320] testsuite-04.sh[1871]: The current boot has failed!
[ 44.319970] testsuite-04.sh[1871]: Service emergency message
- Rename generic_array_bisect_one() -> generic_array_bisect_step(), as there
is also generic_array_bisect_plus_one(), so the original name is confusing.
- Make generic_array_bisect_step() return TEST_GOTO_NEXT or TEST_GOTO_PREVIOUS
when the current array does not contain any matching entries.
- Make generic_array_bisect_step() symmetric with respect to the direction
we are going to, except for the journal corruption handling.
- Make generic_array_bisect_step() gracefully handle journal corruptions,
so the corruption handling in the caller side can be mostly dropped.
- Especially, when the last entry in an array is corrupted, previously
we tried to find a valid entry sequentially from the end of the array,
but now we anyway bisect the array. That should improve performance of
reading corrupted journal files.
- Return earlier when no entry linked to the chained array (n == 0).
- Add many comments.
No behavior change unless journal is corrupted.
Let's put this back in, as it could help with occasional machine lock ups
on overloaded systems (and it didn't help with the original issue
anyway).
This reverts commit 3a89904e45.