IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Add a section which lists the known confidential virtual machine
technologies.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d21fd6127a6d05757c793cc9ba47f65c893)
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.
This can be detected through a simple sysfs attribute.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a51cc6a852ce239ea46cd75c133212a68e)
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7adcc281af2a2dd40867f64f2ac54a43c7a)
Since, at least the old framework, checks for the presence of the file
at the end and marks the whole test as skipped if it exists.
Resolves: systemd/systemd-centos-ci#728
(cherry picked from commit 4d1fbe53c1cc9b04acd897c728d996191daa618d)
tcp reset / icmp port-unreachable are markedly different conditions than
packet loss. It doesn't make much sense to retry in this case. It's
actually not clear if there is any benefit at all retrying tcp
connections, which were presumably already retried as necessary by the
tcp stack.
(cherry picked from commit ddd710a355acc698b48159f3e501dda5a7dc2704)
On Fedora the sshd-session binary is under /usr/libexec/openssh/ so
cover this path as well in the old framework.
Follow-up for aaa7b36bd15ca3a96a1e11a557482b0bc59c769f.
(cherry picked from commit ce2344bbee468c7d524e508a8ff7f5f7ae85acb5)
We document that when multiple credentials of the same name are found,
we use the first one found so let's actually implement that behavior.
(cherry picked from commit 3de13e6148731ae9c36885afd78b1421e6f16305)
Credentials are written to a temporary file and renamed to the
destination with renameat() which will replace existing files so
EEXIST should not happen so drop the handling for EEXIST.
(cherry picked from commit 2c2ed3272b992b6eb13864e49847c943e42be00f)
The kernel might start returning -EINVAL when trying to open pidfd's
for kernel threads so let's not try to open pidfd's for kernel threads.
(cherry picked from commit ead48ec35c863650944352a3455f26ce3b393058)
Each log context field can expand to up to three iovecs (key, value
and newline) so let's fix the size calculation to take this into
account.
(cherry picked from commit fc83ff3f55ee53fd9101d4e45736f3f996ee7ca6)
All messages logged from exec_spawn() are attributed to the unit
and as such we should set the log level to the unit's max log level
for the duration of the function.
(cherry picked from commit 7881f485c9f57b1c7de4308eeab54458890c5c19)
Remove an early return that prevents --prompt-root-password or
--prompt-root-shell and systemd.firstboot=off using credentials. In that case,
arg_prompt_root_password and arg_prompt_root_shell will be false, but the
prompt helpers still need to be called to read the credentials. Furthermore, if
only the root shell has been set, don't overwrite the root password.
(cherry picked from commit 35bc4c34240afdd55e117b909f26fa9a5dc54f3b)
If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry,
one needs to be added. Previously this only worked if the files didn't exist.
(cherry picked from commit 2319154a6bec7b8c42e901dfacaefe95bf4e3750)
Although locked and empty passwords in /etc/passwd are treated the same, in all
other cases the entry is configured to read the password from /etc/shadow.
(cherry picked from commit 5088de9daa156a095e79684c658f9035db971538)
A PE image's memory footprint might be larger than its file size due
to uninitialized memory sections. Normally all PE headers should be
parsed to check the actual required size, but the legacy EFI handover
protocol is only used for x86 Linux bzImages, so we know only the last
section will require extra memory. Use SizeOfImage from the PE header
and if it is larger than the file size, allocate and zero extra memory
before using it.
Fixes https://github.com/systemd/systemd/issues/33816
(cherry picked from commit 19812661f1f65ebe777d1626b5abf6475faababc)
Otherwise, when an interface gained its carrier, the interface may not
have matching .network file yet, then link_reconfigure_impl() returns
zero, and link_handle_bound_by_list() is skipped.
Fixes#33837.
(cherry picked from commit 36b8ad085c6902631ad7054bffbda33d6d168823)
This reverts commit ffef01acddcac27caaef02f7f28bff03d7799e5e.
Similar to 2d393b1b6d8 ("network: IPv6 Compliance: Router Advertisement
Processing, Reachable Time [v6LC.2.2.15]"),
Extract from: https://www.ietf.org/rfc/rfc4861.html#section-4.2, p.21,
first paragraph:
The Router Lifetime applies only to
the router's usefulness as a default router; it
does not apply to information contained in other
message fields or options.
So it does not make sense to prevent DHCPv6 when Router Lifetime is 0.
Fixes#33357.
(cherry picked from commit 7767896d127264f660e1e8a714e5cd760840921f)
The original CVM detection logic for TDX assumes that the guest can see
the standard TDX CPUID leaf. This was true in Azure when this code was
originally written, however, current Azure now blocks that leaf in the
paravisor. Instead it is required to use the same Azure specific CPUID
leaf that is used for SEV-SNP detection, which reports the VM isolation
type.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 9d7be044cad1ae54e344daf8f2ec37da46faf0fd)
Even if a timespan specified to IgnoreCarrierLoss= for an interface,
when the carrier of the interface lost, bound interfaces might be bring
down immediately.
Let's also postpone bringing down bound interfaces with the specified
timespan.
(cherry picked from commit e8eaed0240d642e70c567b08f3593e4cf45a255a)
This is similar to what we do for veth interfaces in remove_veth_links().
When a container rebooted, macvlan interfaces created by the previous
boot may still exist in the kernel, and that causes -EADDRINUSE after
reboot.
Hopefully fixes#680.
(cherry picked from commit 1bfa47418e9df03c2562a4c82dc319cf7c3b228c)
Similar to the implementation of cgroup.kill in the kernel, let's
skip kernel threads in cg_kill_items() as trying to kill kernel
threads as an unprivileged process will fail with EPERM and doesn't
do anything when running privileged.
(cherry picked from commit 0fbb569de1dcc06118dba006cf7a40caf6cd94d0)
On CentOS/Fedora, dracut is configured to write the initrd to
/boot/initramfs-$KERNEL_VERSION...img so let's check for that as well
if no initrds were supplied.
(cherry picked from commit b56920e36c5692c0dde701bfb48330653a9c62c9)
If we're running from within a container, we're very likely not going
to want to use the kernel command line from /proc/cmdline, so let's add
a check to see if we're running from a container to decide whether we'll
use the kernel command line from /proc/cmdline.
(cherry picked from commit 35c01ec59e0c2e6bd06cb18ca2ff612c6a7ea35d)
- Improve wording for explanation when these variables are inherited
- Clarify that these variables are not placed in the process environment block,
so /proc/PID/environ cannot be used as a debugging tool
(cherry picked from commit 6c1e0823b04525716d9ee0031a2b6735d3f7dfa4)
The new file, modules.weakdep, generated by depmod to get the weak
dpendencies information can be present
(05828b4a6e),
so remove it like the other similar files.
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
(cherry picked from commit eef4cd51f94d837bd0e71512c831634a2902522d)
This probably rarely helped anyway, but it also in some cases interferes
with auxiliary dnssec queries where the authoritative nameserver does
not support EDNS0/DNSSEC.
Fixes: ac6844460ca1 ("resolved: support RFC 8914 EDE error codes")
(cherry picked from commit cd2ce31adbfa5fb4f08267a13ace3a72e7597a2f)
It means: a) user cannot be created, something's wrong in the
test environment -> fail the test; b) user already exists, we shall not
continue and delete (foreign) user.
(cherry picked from commit 3e6e3e6d40db0a9e9741ef4942218193fca7b28e)
TEST-46-HOMED fails on ext4 because the filesystem is deemed to small
for activation by cryptsetup. Let's bump the minimal filesystem size for
ext4 a bit to be in the same ballpark as ext4 and btrfs to avoid weird
errors due to impossibly small filesystems.
Also use U64_MB while we're touching this.
(cherry picked from commit ae07feb401ff70b122650ac01041021703d4b8ad)
There are multiple subtests, just move them around into functions
(leveraging the testcase_* convention) to make space for new related
subtests.
(cherry picked from commit 4f0541dc595277a62431c46d59dc258005160650)
This allows mkosi to combine fstab.extra with its own fstab.extra so
that it doesn't override the one we pass for the test.
(cherry picked from commit ebe17e3f9e6f6b7a85677fc10439936b41d196e3)
EINVAL should be used when a function is called with an invalid
argument. Here, the signal is not a function argument.
Follow-up for 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9.
(cherry picked from commit ab9af70edb23f2a66e93e2e16f87cd98873885b7)
The signalfd_siginfo struct is received from outside via a FD, hence
assert() is not appropriate way to check it. Just do a normal runtime
check.
(cherry picked from commit 7a64c5f23efbb51fe4f1229c1a8aed6dd858a0a9)
