IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
We were missing one service result (oom-kill), and the ratelimit one is
called differently. Correct that so that we generate proper log messages
for these cases.
Background: Fedora/RHEL are switching to sysusers.d metadata for
creation of users and groups for system users defined by packages
(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers).
Packages carry sysusers files. During package installation, rpm calls an
program to execute on this config. This program may either be
/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or
/usr/bin/systemd-sysusers. To match the functionality provided by
useradd/groupadd from the shadow-utils project, systemd-sysusers must
emit audit events so that it provides a drop-in replacement.
systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP
when adding users and groups. The operation "names" are copied from
shadow-utils, so the format of the events that is generated on success
should be identical. On failure, things are more complicated. We write
the whole file at once, once, so we first generate "success" messages
for each entry, then we try to write the files, and if things fail, we
generate failure messages to all entries that we failed to write.
Background: Fedora/RHEL are switching to sysusers.d metadata for creation of
users and groups for system users defined by packages
(https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers).
Packages carry sysusers files. During package installation, rpm calls an
program to execute on this config. This program may either be
/usr/lib/rpm/sysusers.sh which calls useradd/groupadd, or
/usr/bin/systemd-sysusers. To match the functionality provided by
useradd/groupadd from the shadow-utils project, systemd-sysusers must emit
audit events so that it provides a drop-in replacement.
systemd-sysuers will emit audit events AUDIT_ADD_USER/AUDIT_ADD_GROUP when
adding users and groups. The operation "names" are copied from shadow-utils in
Fedora (which has a patch to change them from the upstream version), so the
format of the events that is generated on success should be identical.
The helper code is shared between sysusers and utmp-wtmp. I changed the
audit_fd variable to be unconditional. This way we can avoid ugly iffdefery
every time the variable would be used. The cost is that 4 bytes of unused
storage might be present. This is negligible, and the compiler might even be
able to optimize that away if it inlines things.
The arm confidential compute architecture (CCA) provides a platform design for
confidential VMs running in a new realm context.
This can be detected by the existence of a platform device exported for the
arm-cca-guest driver, which provides attestation services via the realm
services interface (RSI) to the Realm Management Monitor (RMM).
Like the other methods systemd uses to detect Confidential VM's, checking
the sysfs entry suggests that this is a confidential VM and should only be
used for informative purposes, or to trigger further attestation.
Like the s390 detection logic, the sysfs path being checked is not labeled
as ABI, and may change in the future. It was chosen because its
directly tied to the kernel's detection of the realm service interface rather
to the Trusted Security Module (TSM) which is what is being triggered by the
device entry. The TSM module has a provider string of 'arm-cca-guest' which
could also be used, but that (IMHO) doesn't currently provide any additional
benefit except that it can fail of the module isn't loaded.
More information can be found here:
https://developer.arm.com/documentation/den0125/0300
Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Let's clarify more explicitly that privileged calls to
systemd-notify --pid= and sd_pid_notify() effectively override any
configured NotifyAccess=main|exec for a service.
Same package, but xsltproc is a very recently introduced Provides
for libxslt, and isn't available on CentOS Stream 9, so let's install
the package directly instead.
When copying a directory from or to an image, let's always merge
with existing directories instead of failing with "File Exists".
Fixes https://github.com/systemd/mkosi/issues/3342.
* fd36e4c562 Rebuilt for the bin-sbin merge (2nd attempt)
* cddeca136f Rebuilt for the bin-sbin merge (2nd attempt)
* 20cc578e59 Enable signing systemd-boot on OBS builds
* b1bd57ecce Revert use of PrivateTmp=disconnected
* 30f50b1870 Drop patch numbers
* 1814bfe794 remove STI test
* 3a9c32b8a9 Version 257.2
* 4df2711a9f Add bcond for OBS-specific quirks
* e570cd53df spec: drop trailing whitespace
* c7379c9460 Replace 'udevadm hwdb' with systemd-hwdb
* 3386f5d704 Rename source .abignore file
* fd860fd12d Drop a build dependency on a linter package: pytest-flakes
* 133ae30e33 Drop patches based on %upstream macro instead of patch number
* e157552c6c Always build in release mode
* fc47a92e4a Re-enable upstream behaviour of systemd-tmpfiles --purge
* 62abb21906 Version 257.1
* 35e6814ef4 Add patch for test-time-util
* bd8339bf00 sysusers: support new ! line flag for creating fully locked accounts
* c2f5f4a68a Version 257
* 31aaef8e17 Enable slow tests during build
* 8160e63e52 Limit logic required for building locally
* 3a62443e41 OBS build: add support for xz and zst compression formats
* 9667464ad7 Get rid of _tag variable
* 73dc492b5e upgpkg: 257.2-2: rebuild with changes for service restart
* 6b7355b5bb do not restart any templated units
* 332718f955 exclude vmspawn units from restart as well
* 5a749a6716 exclude systemd-nspawn@* services from restart
* 8a10796f8b upgpkg: 257.2-1: new upstream release
* 16294a0b44 Add support for building from git in OBS
* 38b664eed4 upgpkg: 257.1-1: new upstream release
* e26158dda9 upgpkg: 257-1: new upstream release
* c984b75c3f restart services after upgrade...
* 27fae2c192 upgpkg: 256.9-1: new upstream release
* 1afdd08a60 upgpkg: 256.8-2: apply: shutdown: close DM block device before issuing DM_DEV_REMOVE ioctl
In containers securityfs is typically not mounted. Our lsm-bpf code
so far detected this situation and claimed the kernel was lacking
lsm-bpf support. Which isn't quite true though, it might very well
support it. This made boots of systemd in systemd-nspawn a bit ugly,
because of the misleading log message at boot.
Let's improve things, and make clearer what is going on.
Follow-up for 8402ca04d1a063c3d8a9e3d5c16df8bb8778ae98
While at it, turn the retval check for sd_bus_track_count_name()
into assertion, given we're working with already established tracks
(service_name_is_valid() should never yield false in this case).
Addresses https://github.com/systemd/systemd/pull/35406#discussion_r1912066774
