1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

5525 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
92e43e5c53 TEST-64: use more idiomatic loop syntax 2024-12-04 09:58:52 +01:00
Yu Watanabe
552e5db9ac Revert "mkosi: extend DefaultTimeoutStopSec= when running on sanitizers"
This reverts commit b75befc3c9.

Unfortunately, it does not work. Let's revert.
2024-12-04 09:13:18 +09:00
Mike Yuan
703b1b7f24 core/service: preserve RuntimeDirectory= even if oneshot service exits
Follow-up for c26948c6da

We only want to get rid of cred mount here, and RuntimeDirectory=
is documented to be retained for SERVICE_EXITED state.

Fixes #35427
2024-12-02 10:57:45 +01:00
Yu Watanabe
472e3cce6e TEST-13-NSPAWN: enable debugging logs by nspawn run by systemd-run
Otherwise, it is hard to debug issue #35209.
2024-12-01 15:40:19 +01:00
Yu Watanabe
b75befc3c9 mkosi: extend DefaultTimeoutStopSec= when running on sanitizers
Hopefully fixes #35335.
2024-11-30 04:28:24 +09:00
Yu Watanabe
6bb3771e8c TEST-67-INTEGRITY: blkid should not provide the underlying loopback block device
Fixes #35363.
2024-11-28 00:56:43 +09:00
Yu Watanabe
d5c4f1997a TEST-67-INTEGRITY: modernize test code
- make udevd generate debugging logs for loopback and DM devices,
- insert 'udevadm wait' at several places to make the device processed
  by udevd,
- cleanup generated integritysetup service before moving to next
  algorithm,
- drop unnecessary exit on command failure,
- also test data splitting mode for all algorithms.
2024-11-28 00:56:23 +09:00
Lennart Poettering
c18a102464 tests: fix access mode of root inode of throw-away container images
Otherwise the root inode will typically have what mkdtemp sets up, which
is something like 0700, which is weird and somewhat broken when trying
to look into containers from unpriv users.
2024-11-28 00:13:27 +09:00
Luca Boccassi
0566bd9643
machine: increase timeouts in attempt to fix #35115 (#35117)
An attempt to fix https://github.com/systemd/systemd/issues/35115
2024-11-26 16:12:56 +00:00
Daan De Meyer
e3b5a0c32d test: Use env in testsuite readme
Let's make sure we use env when we're setting environment variables
to rely less on shell specifics.
2024-11-25 14:54:23 +00:00
Zbigniew Jędrzejewski-Szmek
766d74fd8b
core/device: ignore ID_PROCESSING udev property on enumerate (#35332)
Fixes #35329.
2024-11-25 14:21:36 +01:00
Zbigniew Jędrzejewski-Szmek
d293fade24
Check inode number to see if we are in init namespace (#35306)
This is a more comprehensive fix compared to #35273. Also adds a minimal
test only.

Based on Luca's #35273 but generalizes the code a bit.

In v258 we really should get rid of the old heuristics around userns and
cgroupns detection, but given we are late in the v257 cycle this keeps
them in.
2024-11-25 14:13:36 +01:00
Daan De Meyer
4a346b779a test: Dump coredumps from journal in the integration test wrapper
Fixes #35277
2024-11-25 19:12:11 +09:00
Yu Watanabe
0e42004f3e networkd-test.py: disable IPv6AcceptRA= if not necessary
To speed up the test. Otherwise, it takes about few seconds interfaces
to enter the configured state. And may networkd-wait-online timeouts.
2024-11-25 10:07:26 +00:00
Yu Watanabe
675feaf521 TEST-17: add reproducer for issue #35329
Without the previous commit, the test case will fail.
2024-11-25 15:33:48 +09:00
Luca Boccassi
6fd3496cfd test: mask tmpfiles.d file shipped by selinux policy package in containers
This tmpfiles.d wants to write to sysfs, which is read-only in containers,
so systemd-tmpfiles --create fails in TEST-22-TMPFILES when ran in nspawn
if the selinux policy package is instealled. Mask it, as it's not our
config file, we don't need it in the test.
2024-11-25 15:25:55 +09:00
Daan De Meyer
ceca7c5005 test: Fix typing errors in integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer
4f969b20b0 test: Format integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer
6d2fd490cf integration-test-wrapper: Remove unneeded format strings 2024-11-24 16:47:20 +01:00
Yu Watanabe
9e05e33871 networkd-test.py: fix interface state checker
After 259125d53d, network interfaces
declared by .netdev files are created after systemd-networkd sends READY
notification. So, even when networkd is started, the netdevs may not
be created yet, and 'ip' command may fail. Let's also check the return
code of the command.

This also
- drops never worked stdout checks,
- makes the test fail if the interface is not created within the timeout.
2024-11-23 17:33:43 +09:00
Luca Boccassi
193bf42ab0 detect-virt: check the inode number of the pid namespace
The indoe number of root pid namespace is hardcoded in the kernel to
0xEFFFFFFC since 3.8, so check the inode number of our pid namespace
if all else fails. If it's not 0xEFFFFFFC then we are in a pid
namespace, hence a container environment.

Fixes https://github.com/systemd/systemd/issues/35249

[Reworked by Lennart, to make use of namespace_is_init()]
2024-11-23 00:14:20 +01:00
Yu Watanabe
2b397d43ab test-network: actually check metric and preference
Otherwise, nexthop ID may contain e.g. 300, then
===
AssertionError: '300' unexpectedly found in
'default nhid 3860882700 via fe80::1034:56ff:fe78:9a99 proto ra metric 512 expires 1798sec pref high\n
 default nhid 2639230080 via fe80::1034:56ff:fe78:9a98 proto ra metric 2048 expires 1798sec pref low'
===
2024-11-21 03:43:35 +09:00
Yu Watanabe
52b0351a15
core/exec-invoke: suppress placeholder home only in build_environment() (#35219)
Alternative to https://github.com/systemd/systemd/pull/34789
Closes #34789
2024-11-20 17:34:25 +09:00
Ivan Kruglov
3aa3f130c1 machine: add debug for systemd-nspawn@.service 2024-11-19 19:12:32 +01:00
Ivan Kruglov
df18408ac6 machine: increase timeouts in attempt to fix #35115 2024-11-19 18:04:27 +01:00
Mike Yuan
b718b86e1b
core/exec-invoke: suppress placeholder home only in build_environment()
Currently, get_fixed_user() employs USER_CREDS_SUPPRESS_PLACEHOLDER,
meaning home path is set to NULL if it's empty or root. However,
the path is also used for applying WorkingDirectory=~, and we'd
spuriously use the invoking user's home as fallback even if
User= is changed in that case.

Let's instead delegate such suppression to build_environment(),
so that home is proper initialized for usage at other steps.
shell doesn't actually suffer from such problem, but it's changed
too for consistency.

Alternative to #34789
2024-11-19 00:38:18 +01:00
Yu Watanabe
c295b558bf test-network: add test case for IPv6 Core Conformance test v6LC.2.2.23 2024-11-19 04:48:39 +09:00
Yu Watanabe
16ccdc3748 test-network: split out check_router_preference() from test_router_preference()
This also drop high2.network and low2.network, and edit high.network and
low.network during the test.
2024-11-19 04:44:59 +09:00
Frantisek Sumsal
238ddac165 test: ignore inconsistent coverage errors
lcov 2.1 introduced additional consistency checks [0] which make it trip
over our coverage results quite often:

Summary coverage rate:
  source files: 915
  lines.......: 36.9% (78950 of 214010 lines)
  functions...: 53.3% (6906 of 12949 functions)
Message summary:
  73 warning messages:
    inconsistent: 73
lcov: ERROR: (corrupt) unable to read trace file '/var/tmp/systemd-test-TEST-04-JOURNAL/coverage-info.new': lcov: ERROR: (inconsistent) "/build/src/shutdown/umount.c":298: function 'umount_with_timeout' is not hit but line 317 is.
        To skip consistency checks, see the 'check_data_consistency' section in man lcovrc(5).
        (use "lcov --ignore-errors inconsistent ..." to bypass this error)
        (use "lcov --ignore-errors corrupt ..." to bypass this error)

This is caused by coverage collected during shutdown which is a bit
unreliable, especially towards the final shutdown stage(s). Let's just
ignore the consistency errors for now.

[0] https://github.com/linux-test-project/lcov/releases/tag/v2.2
2024-11-15 15:54:28 +00:00
Luca Boccassi
893aa45886 test: skip TEST-84-STORAGETM if running with bugged libnvme
libnvme 1.11 appears to require a kernel built with NVME TLS
kconfigs, and fails hard if it is not, as the expected
privileged keyring '.nvme' is not present. We cannot just
create it from userspace, as privileged keyrings can only
be created by the kernel itself (those starting with '.').

Skip the test if the library exactly matches this version.

https://github.com/linux-nvme/nvme-cli/issues/2573

Fixes https://github.com/systemd/systemd/issues/35130
2024-11-14 18:00:35 +00:00
Yu Watanabe
3ea89c64c8
nspawn: several follow-ups for recent changes (#35146)
Closes #35116.
2024-11-15 00:12:40 +09:00
Yu Watanabe
360e59ed1c
network/ndisc: fix coalescing of ndisc routes when multiple router exists (#35119)
Fixes #33470.
2024-11-15 00:10:22 +09:00
Luca Boccassi
6a479f0d63
network/netdev: follow-ups for reloading .netdev files (#34979)
Follow-ups for #34909.
2024-11-14 11:36:26 +00:00
Yu Watanabe
a65f008784 TEST-13-NSPAWN: add test case for /dev/net/tun
For issue #35116.
2024-11-14 18:08:50 +09:00
Yu Watanabe
0f8afaf94d network/ndisc: dynamically configure nexthops when routes with gateway are requested
Previously, when multiple routers send RAs with the same preference,
then the kernel merges routes with the same gateway address:
===
default proto ra metric 1024 expires 595sec pref medium
        nexthop via fe80::200:10ff:fe10:1060 dev enp0s9 weight 1
        nexthop via fe80::200:10ff:fe10:1061 dev enp0s9 weight 1
===
This causes IPv6 Conformance Test v6LC.2.2.11 failure, as reported in #33470.

To avoid the coalescing issue, we can use nexthop, as suggested by Ido Schimmel:
https://lore.kernel.org/netdev/ZytjEINNRmtpadr_@shredder/
> BTW, you can avoid the coalescing problem by using the nexthop API.
> # ip nexthop add id 1 via fe80::200:10ff:fe10:1060 dev enp0s9
> # ip -6 route add default nhid 1 expires 600 proto ra
> # ip nexthop add id 2 via fe80::200:10ff:fe10:1061 dev enp0s9
> # ip -6 route append default nhid 2 expires 600 proto ra
> # ip -6 route
> fe80::/64 dev enp0s9 proto kernel metric 256 pref medium
> default nhid 1 via fe80::200:10ff:fe10:1060 dev enp0s9 proto ra metric 1024 expires 563sec pref medium
> default nhid 2 via fe80::200:10ff:fe10:1061 dev enp0s9 proto ra metric 1024 expires 594sec pref medium

Fixes #33470.

Suggested-by: Ido Schimmel <idosch@idosch.org>
2024-11-14 11:59:59 +09:00
Yu Watanabe
bbef21e4e5 test-network: update KeepConfiguration=dhcp -> dynamic 2024-11-14 10:24:27 +09:00
Yu Watanabe
f1ca3479ec networkd-test.py: show current status when wait-online failed
For easier debugging on failure.
2024-11-14 10:17:19 +09:00
Yu Watanabe
5b73edfa7f test-network: add tests for reloading .netdev files for independent netdevs 2024-11-14 10:17:19 +09:00
Yu Watanabe
d7b323c2dd test-network: several cleanups
- fix verifiers in test_router_preference() to make them actually check
  if unnecessary routes are removed,
- stop radv in test_ndisc_vs_static_route() before checking if the static
  route is preserved even when the router sends a RA with zero lifetime,
- make verifiers in NetworkdIPv6PrefixTests stricter.
2024-11-12 18:08:25 +09:00
Yu Watanabe
3304a029b8
network: forget IPv4 non-local routes when an interface went down (#35099)
Fixes #35047.
2024-11-12 01:07:43 +09:00
Lennart Poettering
67e003d7dd
Introduce systemd-keyutil to do various key/certificate operations (#35095)
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special purpose
tools.

Fixes #35087
2024-11-11 16:09:07 +01:00
Yu Watanabe
7f1b36a82a test-network: add test case for issue #35047 2024-11-11 13:59:41 +00:00
Yu Watanabe
1ca180b994 network/nexthop: do not remove depending nexthops when a nexthop is removed
Previously, when a nexthop is removed, depending nexthops were removed, but
that's not necessary, as the kernel keeps them, at least with v6.11.
2024-11-11 13:59:41 +00:00
Yu Watanabe
130d66956f test-network: reconfigure interface cleanly to drop previous DHCP lease and friends
Follow-up for 451c2baf30.

With the commits, reloading .network files does not release previously
acquired DHCP lease and friends if possible.

On graceful reconfigure triggered by the reload, the interface may
acquire a new DHCPv4 lease earlier than DHCPv6 lease. In that case,
the check will fail as it is done with the new DHCPv4 lease and old
DHCPv6 lease, which does not contain any IPv6 DNS servers or so.
So, when switching from no -> yes, we need to wait a new lease with DNS
servers or so. To achieve that, we need to clean reconfigure the interface.
2024-11-11 11:53:24 +09:00
Yu Watanabe
52f46b77d7 network: reset 'configured' flags even if we keep DHCP lease and friends on reconfigure
Follow-up for 451c2baf30.

With the commits, reloading .network files does not release previously
acquired DHCP lease and friends if possible. If previously a DHCP client
was configured as not requesting DNS servers or so, then the previously
acquired lease might not contain any DNS servers. In that case, if the
new .network file enables UseDNS=, then the interface should enter the
configured state after a new lease is acquired. To achieve that, we need
to reset the flags.

With this change, the workaround applied to the test by the commit
451c2baf30 can be dropped.
2024-11-11 11:53:24 +09:00
Daan De Meyer
4b1ad0398e Introduce systemd-keyutil to do various key/certificate operations
Let's gather generic key/certificate operations in a new tool
systemd-keyutil instead of spreading them across various special
purpose tools.

Fixes #35087
2024-11-08 15:00:21 +01:00
Franck Bui
514d9e1665 test: install integration-test-setup.sh in testdata/
integration-test-setup.sh is an auxiliary script that tests rely on at
runtime. As such, install the script in testdata/.

Follow-up for af153e36ae.
2024-11-08 12:37:40 +01:00
Ryan Wilson
d8091e1281 Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi 2024-11-08 13:38:35 +09:00
Daan De Meyer
e5011dd239
Introduce systemd-sbsign to do secure boot signing (#35021)
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 17:38:10 +01:00
Michele Dionisio
d865abf9eb networkd: add possibility to specify MulticastIGMPVersion 2024-11-06 15:50:27 +00:00
Daan De Meyer
8cbd9d8328 sbsign: Add validate-key verb
This verb checks that we can load the specified private key.
2024-11-06 14:01:09 +01:00
Daan De Meyer
5f163921e9 Introduce systemd-sbsign to do secure boot signing
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 14:00:49 +01:00
Ivan Kruglov
1e2cd07394 machine: tests for io.systemd.Machine.Open 2024-11-06 11:58:51 +01:00
Yu Watanabe
df69f29728
network: reconfigure interface more gracefully (#35035)
split-out of #34989.
2024-11-06 17:57:56 +09:00
Luca Boccassi
78b032d727 test: delete /swapfile after swapoff
[   23.608342] TEST-55-OOMD.sh[689]: + btrfs filesystem mkswapfile -s 64M /swapfile
[   23.651930] TEST-55-OOMD.sh[704]: ERROR: cannot create new swapfile: File exists
2024-11-06 05:02:57 +09:00
Luca Boccassi
7af37f3a90
Add PrivatePIDs= (continued) (#34940) 2024-11-05 18:42:28 +00:00
Yu Watanabe
451c2baf30 network: keep dynamic configurations as possible as we can on reconfigure
E.g. when a .network file is updated, but DHCP setting is unchanged, it
is not necessary to drop acquired DHCP lease.
So, let's not stop DHCP client and friends in link_reconfigure_impl(),
but stop them later when we know they are not necessary anymore.

Still DHCP clients and friends are stopped and leases are dropped when
the explicit reconfiguration is requested
2024-11-06 02:05:00 +09:00
Daan De Meyer
406f177501 core: Introduce PrivatePIDs=
This new setting allows unsharing the pid namespace in a unit. Because
you have to fork to get a process into a pid namespace, we fork in
systemd-executor to get into the new pid namespace. The parent then
sends the pid of the child process back to the manager and exits while
the child process continues on with the rest of exec_invoke() and then
executes the actual payload.

Communicating the child pid is done via a new pidref socket pair that is
set up on manager startup.

We unshare the PID namespace right before the mount namespace so we
mount procfs correctly. Note PrivatePIDs=yes always implies MountAPIVFS=yes
to mount procfs.

When running unprivileged in a user session, user namespace is set up first
to allow for PID namespace to be unshared. However, when running in
privileged mode, we unshare the user namespace last to ensure the user
namespace does not own the PID namespace and cannot break out of the sandbox.

Note we disallow Type=forking services from using PrivatePIDs=yes since the
init proess inside the PID namespace must not exit for other processes in
the namespace to exist.

Note Daan De Meyer did the original work for this commit with Ryan Wilson
addressing follow-ups.

Co-authored-by: Daan De Meyer <daan.j.demeyer@gmail.com>
2024-11-05 05:32:02 -08:00
Daan De Meyer
b5dc805583 tmpfiles: Implement L? to only create symlinks if source exists
This allows a single tmpfiles snippet with lines to symlink directories
from /usr/share/factory to be shared across many different configurations
while making sure symlinks only get created if the source actually exists.
2024-11-04 19:04:21 +01:00
Daan De Meyer
a07864a4fe bootctl: Add --secure-boot-auto-enroll
When specified, bootctl install will also set up secure boot
auto-enrollment. For now, We sign all variables using the same
certificate and key pair.
2024-11-03 10:46:17 +01:00
Daan De Meyer
2ec809dd3b TEST-64-UDEV-STORAGE: Don't hardcode device name in long-sysfs-path test
There's no guarantee our device will be named /dev/vda, so give it
a serial so we can query for its devname inside the test.
2024-11-02 20:43:22 +01:00
Daan De Meyer
29a8e71d9c TEST-17-UDEV: Don't hardcode root device name
There's no guarantee the root device will be /dev/sda, so let's use
bootctl to get the actual path instead of harcoding it.
2024-11-02 20:43:19 +01:00
Luca Boccassi
89099136d7
machine: introduce io.systemd.MachineImage.{Clone, Remove} methods (#34853)
This PR introduces io.systemd.MachineImage.Clone and Remove methods.
They are 1:1 mapping to DBus alternatives.
2024-11-02 12:06:23 +00:00
Andres Beltran
eae5127246 core: add id-mapped mount support for Exec directories 2024-11-01 18:45:28 +00:00
Lennart Poettering
acc35e5129
core/service: don't propagate stop jobs if RestartMode=direct (#34768)
Fixes https://github.com/systemd/systemd/issues/34758
2024-11-01 17:25:49 +01:00
Ivan Kruglov
b50fe8a0d9 machine: remove redundant --more in TEST-13-NSPAWN.machined 2024-11-01 15:30:39 +01:00
Ivan Kruglov
0c16936acc machine: tests for io.systemd.MachineImage.{Clone, Remove} methods 2024-11-01 15:30:39 +01:00
Luca Boccassi
57b908caef
network: update tunnel or vxlan with Local=dhcp4 and friends (#34957)
Fixes #24854.
2024-11-01 11:10:21 +00:00
Luca Boccassi
890bdd1d77 core: add read-only flag for exec directories
When an exec directory is shared between services, this allows one of the
service to be the producer of files, and the other the consumer, without
letting the consumer modify the shared files.
This will be especially useful in conjunction with id-mapped exec directories
so that fully sandboxed services can share directories in one direction, safely.
2024-11-01 10:46:55 +00:00
Yu Watanabe
80f38c1f65 test-network: add test case for tunnel Local=dhcp4
For issue #24854.
2024-10-31 18:41:44 +09:00
Yu Watanabe
b1e11a252d TEST-13-NSPAWN: add test cases for listing multiple machines 2024-10-31 11:02:23 +09:00
Yu Watanabe
f0fdefc045 TEST-13-NSPAWN: trivially kill all processes in the container on termination
Follow-up for 841988f80d.

No functional change, as $PID is 0 when the trap is inserted.
2024-10-31 10:59:14 +09:00
Yu Watanabe
1856ab4503 TEST-13-NSPAWN: check returned machine list 2024-10-31 10:59:14 +09:00
Yu Watanabe
e79b58c825 TEST-13-NSPAWN: fix race between container exit and varlink call
Follow-up for 3cb72c7862.

The test container exits shortly, hence when varlinkctl is called, the
container may be already terminated. Let's make the container live
infinitely.
Also, this makes the os-release files removed after the container is started.
2024-10-31 10:59:14 +09:00
Yu Watanabe
0de5562413 test-network: test for reload of .netdev file of stacked netdev
For issue #9627, #27177, and #34907.
2024-10-31 05:30:40 +09:00
Yu Watanabe
f7d5d7c593
network/tunnel: reuse existing 6rd sit tunnel (#34938)
split-out of #34909.
2024-10-31 04:04:55 +09:00
Yu Watanabe
6ab12224c9
network: process queued remove requests on stop (#34871)
Fixes a regression caused by 85a6f300c1
and its later commits.
Fixes #34837.
2024-10-31 04:03:11 +09:00
Yu Watanabe
59528e55af test-network: add test case for reuse of existing 6rd SIT tunnel 2024-10-31 02:09:31 +09:00
Lennart Poettering
f2ef9f7760
Fix display of qrcodes by bsod and other related cleanups (#34914) 2024-10-30 17:44:40 +01:00
Yu Watanabe
58a011ba48 test-network: add test for DHCPv4 address removal on stop
For issue #34837.
2024-10-31 00:34:48 +09:00
Luca Boccassi
58ada3eab2
coredump: AccessContainer= bunch of followups (#34333)
Fixes #34130
2024-10-30 14:37:44 +00:00
Zbigniew Jędrzejewski-Szmek
abf1cae0a7 bsod: make message for qrcode more useful
People know what a qrcode is. We don't need to tell them to scan it.
Instead, we should say what the code contains.

While at it, rename "stream" to "f" in line with the usual style.
2024-10-30 15:03:17 +01:00
Michal Sekletar
65c75f99e1 test: add test coverage for EnterNamespace= 2024-10-30 12:38:27 +00:00
Lennart Poettering
5c11f6e0a9
core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID= (#34932) 2024-10-30 08:45:25 +01:00
Lennart Poettering
eae9e74f35
network: add missing else in dhcp_lease_load (#34927)
Fixes: 3fd6708cde (network: Serialize DNR servers)

---

Fixes: #34926
2024-10-30 08:39:15 +01:00
Luca Boccassi
d140d478e2
sysusers: optionally create fully locked accounts (#34876)
Let's ramp up security for system user accounts, at least where
possible, by creating them fully locked (instead of just with an invalid
password). This matters when taking non-password (i.e. SSH) logins into
account.

Fixes: #13522
2024-10-29 18:46:14 +00:00
Mike Yuan
c3ecb747f1
TEST-80-NOTIFYACCESS: don't specify --pid= if MAINPID= is provided explicitly
Otherwise, with recent additions, the MAINPIDFDID= generated by
systemd-notify would mismatch with overridden MAINPID=.
2024-10-29 18:42:16 +01:00
Lennart Poettering
c00c6d1959 busctl: add a testcase that definitely causes the timeout to trigger 2024-10-29 16:50:11 +01:00
Lennart Poettering
8187515aab busctl: rename --num-matches= → --limit-messages=
We should avoid unnecessary abbreviations for such messages, and this
puts a maximum limit on things, hence it should indicate this in the
name.

Moreover, matches is a bit confusing, since most people will probably
call "busctl monitor" without any match specification, i.e. zero
matches, but that's not what was meant here at all.

Also, add a brief switch for this (-N) since I figure in particular
"-N1" might be a frequent operation people might want to use.

Follow-up for: 989e843e75
See: #34048
2024-10-29 16:50:06 +01:00
Lennart Poettering
ebc64de22f udevadm: automatically anable JSON-SEQ in case JSON is used for "udevadm info -a"
We are going to output a series of JSON objects, hence let's
automatically enable JSON-SEQ output mode, as we usually do.

"jq --seq" supports this natively, hence this should not really restrict
us.

Follow-up for: 67ea8a4c0e
2024-10-29 22:39:59 +09:00
Lennart Poettering
5ada96c842 test: test new 'u' sysusers.d lines 2024-10-29 11:00:13 +01:00
Ronan Pigott
f54f473b36 network: add missing else in dhcp_lease_load
Fixes: 3fd6708cde (network: Serialize DNR servers)
2024-10-28 20:59:17 -07:00
David Michael
3eec82f6b3 socket: support setting ownership of message queues
This applies the existing SocketUser=/SocketGroup= options to units
defining a POSIX message queue, bringing them in line with UNIX
sockets and FIFOs.  They are set on the file descriptor rather than
a file system path because the /dev/mqueue path interface is an
optional mount unit.
2024-10-28 23:40:42 +01:00
Ryan Wilson
cd58b5a135 cgroup: Add support for ProtectControlGroups= private and strict
This commit adds two settings private and strict to
the ProtectControlGroups= property. Private will unshare the cgroup
namespace and mount a read-write private cgroup2 filesystem at /sys/fs/cgroup.
Strict does the same except the mount is read-only. Since the unit is
running in a cgroup namespace, the new root of /sys/fs/cgroup is the unit's
own cgroup.

We also add a new dbus property ProtectControlGroupsEx which accepts strings
instead of boolean. This will allow users to use private/strict via dbus
and systemd-run in addition to service files.

Note private and strict fall back to no and yes respectively if the kernel
doesn't support cgroup2 or system is not using unified hierarchy.

Fixes: #34634
2024-10-28 08:37:36 -07:00
Mike Yuan
9b42c58a2b
TEST-03-JOBS: add test case for #34758 2024-10-27 20:04:58 +01:00
Lennart Poettering
b58b13f1c6 test: add brief testcase for systemd-run disconnect handling 2024-10-25 17:51:04 +02:00
Lennart Poettering
6fb0c52295 ci: add some basic testing of the new --pty and --pipe switches 2024-10-25 14:14:26 +02:00
Lennart Poettering
c4363051e4
Merge pull request #34880 from poettering/change-user-on-pam-always
core: make sure that if PAMName= is set we always do the full user ch…
2024-10-25 09:22:03 +02:00
Lennart Poettering
f515ea1cd4 test: add quick test to verify the PAM stack really ran in all run0 modes of operation 2024-10-24 22:56:44 +02:00
Lennart Poettering
1c6f542e81 ci: give new userdbctl some CI exposure 2024-10-24 10:17:35 +02:00