IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Users can currently pick specific versions of NIC naming, but that
does not guarantee that NIC names won't change after the kernel adds
a new sysfs attribute.
This patch allows for an allow/deny list of sysfs attributes
that could be used when composing the name.
These lists can be supplied as an hwdb entry in the form of
/etc/udev/hwdb.d/50-net-naming-allowlist.hwdb
net:naming:drvirtio_net
ID_NET_NAME_ALLOW=0
ID_NET_NAME_ALLOW_ACPI_INDEX=1
ID_NET_NAME_ALLOW_ADDR_ASSIGN_TYPE=1
ID_NET_NAME_ALLOW_ADDRESS=1
ID_NET_NAME_ALLOW_ARI_ENABLED=1
ID_NET_NAME_ALLOW_DEV_PORT=1
ID_NET_NAME_ALLOW_FUNCTION_ID=1
ID_NET_NAME_ALLOW_IFLINK=1
ID_NET_NAME_ALLOW_INDEX=1
ID_NET_NAME_ALLOW_LABEL=1
ID_NET_NAME_ALLOW_PHYS_PORT_NAME=1
ID_NET_NAME_ALLOW_TYPE=1
Since EC keys doesn't support encryption directly, we use ECDH protocol.
We generate a pair of EC keys in the same EC group, then derive a shared secret using the generated private key and the public key in the token.
The derived shared secret is used as a volume key. The generated public key is stored in the LUKS2 JSON token header area. The generated private key is erased.
To unlock a volume, we derive the shared secret with the stored public key and a private key in the token.
Co-authored-by: MkfsSion <mkfssion@mkfssion.com>
We already refuse the other two cursor-related options (--cursor= and
--after-cursor=) with --since=, so let's do the same with
--cursor-file=.
Closes: #20523
Regardless of whether a vc path is passed, the behavior of
systemd-vconsole-setup wasn't ideal when either the passed vc or /dev/tty1 was
in graphics mode.
When a vc in graphics mode was passed, no message was emitted despite the fact
that the font settings couldn't be applied. The previous code might have
assumed that setfont(8) would throw a warning but that's not case.
When no argument was passed, systemd-vconsole-setup was supposed to
automatically select a valid tty, init it and copy the font setting to the
remaining ttys. However if the selected virtual console was in KD_GRAPHICS mode
the initialization of the font failed not only for the selected source vc but
for all of them.
This patch enables IFNAME_VALID_ALTERNATIVE for checks guarding the
parsing of RestrictNetworkInterfaces=.
The underlying implementation for this option already supports
altnames.
There's a race condition where the EXIT_STATUS= message we send
just before shutting down the VM doesn't arrive on the host,
presumably because the VM is shut down before the kernel has had a
chance to forward the message to the host.
Since there's no obvious way to wait until the message has been
flushed to the host, let's send the message before we execute the
final sync() instead of after executing the final sync(). In my
testing, this seems to either guarantee the message is sent or
introduces sufficient delay that the kernel always has time to flush
its socket buffers to the host.
Now that creds are processed even if systemd.firstboot=no is set, we can
use it to disable the root pw prompt *and* the new homectl prompt at the
same time, without breaking the creds stuff.
This extends what systemd-firstboot does and runs on first boots only
and either processes user records passed in via credentials to create,
or asks the user interactively to create one (only if no regular user
exists yet).
So far by setting systemd.firstboot=no simply short-cut the whole tool
and made it exit early. This is against what the docs say though: they
just claim the user isn't asked for questions anymore. Let's change
behaviour so that the code actually matches the docs, or more
specifically: if credentials are passed into firstboot, then honour
them, regardless of the kernel cmdline option.
After all, if we get explicit data passed in we should operate on it,
and then leave systemd.firstboot=no just affect the interactivity.
I think this was actually mostly a bug introduced because the credential
stuff was added after the kernel cmdline option, hence this just catches
up with the new addition.
This is just paranoia. In all these cases we don't really care about the
trailing NUL byte. But if there's space for it dns_label_unescape() is
going to insert it, and that's a good safety strategy.
This is a follow-up to c29c3adefa8cd859f8cb87d9ad62f3d77b7cd102 which
fixed an actual bug, unlike this commit, which is just paranoia.
