IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This introduces 'i' prefix for match string. When specified, string or
pattern will match case-insensitively.
Closes#34359.
Co-authored-by: Ryan Wilson <ryantimwilson@meta.com>
The verb s not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs"
Linux kernel v4.18 (2018-08-12) added user-namespace support to FUSE, and
bumped the FUSE version to 7.27 (see: da315f6e0398 (Merge tag
'fuse-update-4.18' of
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse, Linus Torvalds,
2018-06-07). This means that on such kernels it is safe to enable FUSE in
nspawn containers.
In outer_child(), before calling copy_devnodes(), check the FUSE version to
decide whether enable (>=7.27) or disable (<7.27) FUSE in the container. We
look at the FUSE version instead of the kernel version in order to enable FUSE
support on older-versioned kernels that may have the mentioned patchset
backported ([as requested by @poettering][1]). However, I am not sure that
this is safe; user-namespace support is not a documented part of the FUSE
protocol, which is what FUSE_KERNEL_VERSION/FUSE_KERNEL_MINOR_VERSION are meant
to capture. While the same patchset
- added FUSE_ABORT_ERROR (which is all that the 7.27 version bump
is documented as including),
- bumped FUSE_KERNEL_MINOR_VERSION from 26 to 27, and
- added user-namespace support
these 3 things are not inseparable; it is conceivable to me that a backport
could include the first 2 of those things and exclude the 3rd; perhaps it would
be safer to check the kernel version.
Do note that our get_fuse_version() function uses the fsopen() family of
syscalls, which were not added until Linux kernel v5.2 (2019-07-07); so if
nothing has been backported, then the minimum kernel version for FUSE-in-nspawn
is actually v5.2, not v4.18.
Pass whether or not to enable FUSE to copy_devnodes(); have copy_devnodes()
copy in /dev/fuse if enabled.
Pass whether or not to enable FUSE back over fd_outer_socket to run_container()
so that it can pass that to append_machine_properties() (via either
register_machine() or allocate_scope()); have append_machine_properties()
append "DeviceAllow=/dev/fuse rw" if enabled.
For testing, simply check that /dev/fuse can be opened for reading and writing,
but that actually reading from it fails with EPERM. The test assumes that if
FUSE is supported (/dev/fuse exists), then the testsuite is running on a kernel
with FUSE >= 7.27; I am unsure how to go about writing a test that validates
that the version check disables FUSE on old kernels.
[1]: https://github.com/systemd/systemd/issues/17607#issuecomment-745418835Closes#17607
Right now it mostly duplicates a test that already exists in
TEST-50-DISSECT.mountfsd.sh, but it serves as a template for more unprivileged
nspawn tests.
The .cred suffix is stripped from a credential as it is imported from
the ESP, hence it should not be included in the credential name embedded
in the credential.
Fixes: #33497
So far you had to pick:
1. Use a signed PCR TPM2 policy to lock your disk to (i.e. UKI vendor
blesses your setup via signature)
or
2. Use a pcrlock policy (i.e. local system blesses your setup via
dynamic local policy stored in NV index)
It was not possible combine these two, because TPM2 access policies do
not allow the combination of PolicyAuthorize (used to implement #1
above) and PolicyAuthorizeNV (used to implement #2) in a single policy,
unless one is "further upstream" (and can simply remove the other from
the policy freely).
This is quite limiting of course, since we actually do want to enforce
on each TPM object that both the OS vendor policy and the local policy
must be fulfilled, without the chance for the vendor or the local system
to disable the other.
This patch addresses this: instead of trying to find a way to come up
with some adventurous scheme to combine both policy into one TPM2
policy, we simply shard the symmetric LUKS decryption key: one half we
protect via the signed PCR policy, and the other we protect via the
pcrlock policy. Only if both halves can be acquired the disk can be
decrypted.
This means:
1. we simply double the unlock key in length in case both policies shall
be used.
2. We store two resulting TPM policy hashes in the LUKS token JSON, one
for each policy
3. We store two sealed TPM policy key blobs in the LUKS token JSON, for
both halves of the LUKS unlock key.
This patch keeps the "sharding" logic relatively generic (i.e. the low
level logic is actually fine with more than 2 shards), because I figure
sooner or later we might have to encode more shards, for example if we
add further TPM2-based access policies, for example when combining FIDO2
with TPM2, or implementing TOTP for this.
Now that mkfs.btrfs is adding support for compressing the generated
filesystem (https://github.com/kdave/btrfs-progs/pull/882), let's
add general support for specifying the compression algorithm and
compression level to use.
We opt to not parse the specified compression algorithm and instead
pass it on as is to the mkfs tool. This has a few benefits:
- We support every compression algorithm supported by every tool
automatically.
- Users don't need to modify systemd-repart if a mkfs tool learns a
new compression algorithm in the future
- We don't need to maintain a bunch of tables for filesystem to map
from our generic compression algorithm enum to the filesystem specific
names.
We don't add support for btrfs just yet until the corresponding PR
in btrfs-progs is merged.
Force means force, we skip checks with PID1 for existing units, but
then bail out with EEXIST if the files are actually there. Overwrite
everything instead.
These operations might require slow I/O, and thus might block PID1's main
loop for an undeterminated amount of time. Instead of performing them
inline, fork a worker process and stash away the D-Bus message, and reply
once we get a SIGCHILD indicating they have completed. That way we don't
break compatibility and callers can continue to rely on the fact that when
they get the method reply the operation either succeeded or failed.
To keep backward compatibility, unlike reload control processes, these
are ran inside init.scope and not the target cgroup. Unlike ExecReload,
this is under our control and is not defined by the unit. This is necessary
because previously the operation also wasn't ran from the target cgroup,
so suddenly forking a copy-on-write copy of pid1 into the target cgroup
will make memory usage spike, and if there is a MemoryMax= or MemoryHigh=
set and the cgroup is already close to the limit, it will cause an OOM
kill, where previously it would have worked fine.
One of the major pait points of managing fleets of headless nodes is
that when something fails at startup, unless debug level was already
enabled (which usually isn't, as it's a firehose), one needs to manually
enable it and pray the issue can be reproduced, which often is really
hard and time consuming, just to get extra info. Usually the extra log
messages are enough to triage an issue.
This new option makes it so that when a service fails and is restarted
due to Restart=, log level for that unit is set to debug, so that all
setup code in pid1 and sd-executor logs at debug level, and also a new
DEBUG_INVOCATION=1 env var is passed to the service itself, so that it
knows it should start with a higher log level. Once the unit succeeds
or reaches the rate limit the original level is restored.
I don't actually need this anymore since we're going with a
unit based approach for the containers stuff internally so
let's just revert it.
Fixes#34085
This reverts commit ce2291730d5f91190e97e7c515ac772ae4970062.
Note, `systemd-analyze foo@.service --instance=hoge` is equivalent to
`systemd-analyze foo@hoge.service`. But, the option may be useful when
e.g. passing multiple template units that have restriction on their
instance name:
```
$ ls
template_aaa@.service template_bbb@.service template_ccc@.service
$ systemd-analyze ./template_* --instance=hoge
```
Without the option, we need to embed an instance name into each unit
name, so cannot use globs.
Prompted by #33681.
When running unprivileged, checking /proc/1/root doesn't work because
it requires privileges. Instead, let's add an environment variable so
the process that chroot's can tell (systemd) subprocesses whether
they're running in a chroot or not.
Otherwise, several messages for the last invocation have not been
stored to journal yet.
Hopefully fixes the following race:
===
[ 603.037765] H systemd-run[10503]: Running as unit: invocation-id-test-26448.service; invocation ID: 1a49edeb05a641aaa2def72411134822
[ 603.099587] H bash[10504]: invocation 10 1a49edeb05a641aaa2def72411134822
[ 603.212069] H systemd[1]: invocation-id-test-26448.service: Deactivated successfully.
[ 603.225092] H systemd-run[10503]: Finished with result: success
[ 603.225163] H TEST-04-JOURNAL.sh[10506]: + journalctl --list-invocation -u invocation-id-test-26448.service
[ 603.225318] H systemd-run[10503]: Main processes terminated with: code=exited, status=0/SUCCESS
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: + tee /tmp/tmp.UzSmYamXyg/10
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: IDX INVOCATION ID FIRST ENTRY LAST ENTRY
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -9 d6efabb546014027b6bd7ee3a78386d6 Wed 2024-08-14 22:12:16 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -8 3e402b81c28d4a8fa2c5e8e31dffd9ee Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -7 5ebd0ba07d4f4f52bc84275f55a3ee2e Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -6 bc53c49d6ce24bb7acd438c3e61cfb23 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -5 24680907919e4839a75378117bb5a816 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -4 ec364ed7673c4a1fa22929f95ce7047b Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -3 2e8a4dea43044d1a9faf922f7a2f3d42 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -2 ac610b6e6c9c4a29bf8947890685478b Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: -1 9b7d52c3620948f9831e323910f605f5 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225357] H TEST-04-JOURNAL.sh[10507]: 0 1a49edeb05a641aaa2def72411134822 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.225823] H systemd-run[10503]: Service runtime: 174ms
[ 603.225866] H TEST-04-JOURNAL.sh[10508]: + journalctl --list-invocation -u invocation-id-test-26448.service --reverse
[ 603.226110] H systemd-run[10503]: CPU time consumed: 12ms
[ 603.226142] H TEST-04-JOURNAL.sh[10509]: + tee /tmp/tmp.UzSmYamXyg/10-r
[ 603.226378] H systemd-run[10503]: Memory peak: 1.4M (swap: 0B)
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: IDX INVOCATION ID FIRST ENTRY LAST ENTRY
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: 0 1a49edeb05a641aaa2def72411134822 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:18 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -1 9b7d52c3620948f9831e323910f605f5 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -2 ac610b6e6c9c4a29bf8947890685478b Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -3 2e8a4dea43044d1a9faf922f7a2f3d42 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -4 ec364ed7673c4a1fa22929f95ce7047b Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -5 24680907919e4839a75378117bb5a816 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -6 bc53c49d6ce24bb7acd438c3e61cfb23 Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -7 5ebd0ba07d4f4f52bc84275f55a3ee2e Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -8 3e402b81c28d4a8fa2c5e8e31dffd9ee Wed 2024-08-14 22:12:17 UTC Wed 2024-08-14 22:12:17 UTC
[ 603.230161] H TEST-04-JOURNAL.sh[10509]: -9 d6efabb546014027b6bd7ee3a78386d6 Wed 2024-08-14 22:12:16 UTC Wed 2024-08-14 22:12:17 UTC
===
When unit_need_daemon_reload() calls unit_find_dropin_paths() to check
for new drop-in configs, the manager's unit path cache is used to limit
which directories are considered. If a new drop-in directory is created,
it may not be in the unit path cache, and hence unit_need_daemon_reload()
may return false, despite a new drop-in being present. However, if a
unit path cache is not given to unit_file_find_dropin_paths() at all,
then it behaves as if the target path was found in the unit path cache.
So, to fix this, adapt unit_find_dropin_paths() to take a boolean
argument indicating whether or not to pass along the unit path cache.
Set this to false in unit_need_daemon_reload().
Fixes#31752
