IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Let's mention that the new mount API may be used to establish new
mounts in a container without needing the /run/host/incoming directory.
(cherry picked from commit 74cc5e2041)
We initially read from temp file, then strip it, and write
back to it. If the file suddenly disappeared during the process,
it indicates someone else is touching our temp file
behind our back. Let's not silently continue.
(cherry picked from commit 3b5b2ff8fa)
The nice value is part of struct sched_attr, and consequently invoking
sched_setattr() after setpriority() would clobber the nice value with
the default (as we are not setting it in struct sched_attr).
It would be best to combine both calls, but for now simply invoke
setpriority() after sched_setattr() to make sure Nice= remains effective
when used together with CPUSchedulingPolicy=.
(cherry picked from commit 711a157738)
When unit_need_daemon_reload() calls unit_find_dropin_paths() to check
for new drop-in configs, the manager's unit path cache is used to limit
which directories are considered. If a new drop-in directory is created,
it may not be in the unit path cache, and hence unit_need_daemon_reload()
may return false, despite a new drop-in being present. However, if a
unit path cache is not given to unit_file_find_dropin_paths() at all,
then it behaves as if the target path was found in the unit path cache.
So, to fix this, adapt unit_find_dropin_paths() to take a boolean
argument indicating whether or not to pass along the unit path cache.
Set this to false in unit_need_daemon_reload().
Fixes#31752
(cherry picked from commit 82c482d573)
We generally don't care about library debuginfo so let's just disable
debuginfod so it doesn't get in the way when debugging.
We use /root/.gdbinit as the systemwide gdbinit location is distribution
specific.
(cherry picked from commit 2561e2a356)
gcc15 has -Wunterminated-string-initialization in -Wextra and
warns about string constants that are not null terminated even though
the functions do do out of bounds access.
Silence the warnings by simply not providing an explicit size.
(cherry picked from commit af1a6db58f)
When creating a user, check if the requested group name matches a user
name in the queue. If that matched user name is also going to be a group
name, then use it for the new user too. In other words, allow the
following:
u foo -
u bar -:foo
when both foo and bar are new users.
Fixes#33547
(cherry picked from commit 18a8f03e51)
This fixes the following assertion:
===
SYSTEMD_LOG_LEVEL=debug systemctl --user -H foo --boot-loader-entry=help
Assertion 'transport != BUS_TRANSPORT_REMOTE || runtime_scope == RUNTIME_SCOPE_SYSTEM' failed at src/shared/bus-util.c:284, function bus_connect_transport(). Ignoring.
Failed to connect to bus: Operation not supported
===
Fixes a bug introduced by 97af80c5a7.
Fixes#33661.
Fixes oss-fuzz#70153.
(cherry picked from commit 1056457d11)
Running the following commands:
# mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d
# /usr/lib/systemd/systemd-pcrlock predict --pcr=1+2+3+4+5+16
Will result in:
...
Floating point exception
Running the following commands:
# mkdir -p /var/lib/pcrlock.d/123-empty.pcrlock.d
# /usr/lib/systemd/systemd-pcrlock make-policy --pcr=1+2+3+4+5+16
Will result to this (partial) log:
...
Predicted future PCRs in 133us.
[]
...
Written policy digest 0000000000000000000000000000000000000000000000000000000000000000 to NV index 0x1921da6
...
So, add missing checks to handle gracefully cases where there's no variant
inside the component.
Signed-off-by: Arnaud Patard <arnaud.patard@collabora.com>
(cherry picked from commit e7a93e7521)
OpenSUSE's busybox has a bunch of Provides for basic tools that cause
it to get pulled into images unless the corresponding tool is explicitly
installed so let's add explicit tools to make sure we don't get busybox.
(cherry picked from commit 857e4528f5)
Rebuilding the integration test every time is very slow. Let's
introduce a way to iterate on an integration test without rebuilding
the image every time. By making a btrfs snapshot before we run the
integration test, we can then systemctl soft-reboot after running
the test to restore the rootfs to a pristine state before running
the test again.
As /run/nextroot will get nuked on reboot or soft-reboot, we introduce
a tmpfiles snippet to make sure it is recreated every (soft-)reboot
and adapt the existing tests to deal with this new symlink.
(cherry picked from commit af153e36ae)
The next commit will introduce a way to iterate on integration
tests which depends on btrfs specific features.
We leave CentOS on ext4 as its kernel does not support btrfs.
(cherry picked from commit edc6592e53)
TEST_SHELL can be used to get a shell in the integration test
environment without actually immediately starting the test.
(cherry picked from commit dd1c01b20f)
- Add the required options to make the package managers non interactive
- Use apt-get instead of apt
- Remove --reinstall from apt-get command so we only install newer packages
- Add --needed to pacman command so we only install newer packages
(cherry picked from commit 5f5b6fa901)
Not required anymore as we don't do /usr only anymore and the symlink
will be created by the debian systemd package.
(cherry picked from commit 63bafef12b)
As at this stage, a persistent journal file has been already opened, and
saved seqnum has been reset, and any later journal entries will be stored
to the file. Hence we should not open the runtime journal file by
server_system_journal_open() again.
(cherry picked from commit b55027efe4)
The setting is about vacuuming archived journal files. It is not
necessary to rotate the current journal. Note, journal file rotation is
controlled by MaxFileSec=.
Fixes#31315.
(cherry picked from commit b63c18db03)
Let's explicitly pass the value to -fstrict-flex-arrays. This does
not change behavior but it does (selfishly) make my error not bug
out with an error saying -fstrict-flex-arrays does not exist.
(cherry picked from commit ad723ca3e5)
Add a section which lists the known confidential virtual machine
technologies.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a8fb5d21fd)
The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.
This can be detected through a simple sysfs attribute.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6c35e0a51c)
We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 1c4bd7adcc)
Since, at least the old framework, checks for the presence of the file
at the end and marks the whole test as skipped if it exists.
Resolves: systemd/systemd-centos-ci#728
(cherry picked from commit 4d1fbe53c1)
tcp reset / icmp port-unreachable are markedly different conditions than
packet loss. It doesn't make much sense to retry in this case. It's
actually not clear if there is any benefit at all retrying tcp
connections, which were presumably already retried as necessary by the
tcp stack.
(cherry picked from commit ddd710a355)
On Fedora the sshd-session binary is under /usr/libexec/openssh/ so
cover this path as well in the old framework.
Follow-up for aaa7b36bd1.
(cherry picked from commit ce2344bbee)
We document that when multiple credentials of the same name are found,
we use the first one found so let's actually implement that behavior.
(cherry picked from commit 3de13e6148)
Credentials are written to a temporary file and renamed to the
destination with renameat() which will replace existing files so
EEXIST should not happen so drop the handling for EEXIST.
(cherry picked from commit 2c2ed3272b)
The kernel might start returning -EINVAL when trying to open pidfd's
for kernel threads so let's not try to open pidfd's for kernel threads.
(cherry picked from commit ead48ec35c)
Each log context field can expand to up to three iovecs (key, value
and newline) so let's fix the size calculation to take this into
account.
(cherry picked from commit fc83ff3f55)
All messages logged from exec_spawn() are attributed to the unit
and as such we should set the log level to the unit's max log level
for the duration of the function.
(cherry picked from commit 7881f485c9)
Remove an early return that prevents --prompt-root-password or
--prompt-root-shell and systemd.firstboot=off using credentials. In that case,
arg_prompt_root_password and arg_prompt_root_shell will be false, but the
prompt helpers still need to be called to read the credentials. Furthermore, if
only the root shell has been set, don't overwrite the root password.
(cherry picked from commit 35bc4c3424)
If /etc/passwd and/or /etc/shadow exist but don't have an existing root entry,
one needs to be added. Previously this only worked if the files didn't exist.
(cherry picked from commit 2319154a6b)
