1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

77631 Commits

Author SHA1 Message Date
Luca Boccassi
d145d1d410 meson: update version numbers for 257~rc1 2024-11-06 16:58:14 +00:00
Luca Boccassi
f10d1c679e NEWS: finalize 2024-11-06 16:58:14 +00:00
Luca Boccassi
e1c8f3a8d9 NEWS: update list of contributors 2024-11-06 16:53:46 +00:00
Luca Boccassi
859634ea63 NEWS: add note about sd-sbsign 2024-11-06 16:49:42 +00:00
Luca Boccassi
4484cad6f3
Update hwdb and translations (#35048) 2024-11-06 16:42:11 +00:00
Daan De Meyer
e5011dd239
Introduce systemd-sbsign to do secure boot signing (#35021)
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 17:38:10 +01:00
Luca Boccassi
66d044b560 Update NEWS for recent PRs 2024-11-06 15:50:59 +00:00
Michele Dionisio
d865abf9eb networkd: add possibility to specify MulticastIGMPVersion 2024-11-06 15:50:27 +00:00
Luca Boccassi
f72fe2d73c
Grammar and formatting for DeviceTree docs (#35050) 2024-11-06 15:13:18 +00:00
Luca Boccassi
839c37dc7f Update translations
ninja -C build systemd-pot
ninja -C build systemd-update-po
2024-11-06 14:42:31 +00:00
Luca Boccassi
8e152361e9 Update hwdb
ninja -C build update-hwdb
2024-11-06 14:41:26 +00:00
Daan De Meyer
65fbf3b194 ukify: Add --signing-provider= option 2024-11-06 15:18:46 +01:00
Léane GRASSER
b8cb1bc983 po: Translated using Weblate (French)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-11-06 15:07:28 +01:00
Zbigniew Jędrzejewski-Szmek
78ed1e973c docs/TPM2_PCR_MEASUREMENTS: drop quotes from around section titles
The section headers used quotes as if the strings were some constants. But
AFAICT, those are just normal plain-text titles. Also lowercase them, because
this is almost like a table and it's easier to read without capitalization.
2024-11-06 15:02:24 +01:00
Zbigniew Jędrzejewski-Szmek
265488414c tree-wide: use Device*T*ree spelling
We used both, in fact "Devicetree" was more common. But we have a general rule
that we capitalize all words in names and also we have a DeviceTree=
configuration setting, which we cannot change. If we use two different
spelllings, this will make it harder for people to use the correct one in
config files. So use the "DeviceTree" spelling everywhere.
2024-11-06 15:00:55 +01:00
Luca Boccassi
d99fe076b5
introduce report_errno_and_exit() helper (#35028)
This is a follow for https://github.com/systemd/systemd/pull/34853. In
particular, this comment
https://github.com/systemd/systemd/pull/34853#discussion_r1825837705.
2024-11-06 13:51:10 +00:00
Yu Watanabe
b66948bbf2 core/manager: silence false-positive warning by coverity
Follow-up for 406f177501.

Closes CID#1564897.
2024-11-06 13:47:33 +00:00
Luca Boccassi
4055529003
machine: introduce io.systemd.Machine.Open method (#34867)
This PR introduces io.systemd.Machine.Open method which combines three
DBus alternatives:
- OpenMachinePTY
- OpenMachineLogin
- OpenMachineShell

The PR contains basic tests.
2024-11-06 13:45:04 +00:00
Zbigniew Jędrzejewski-Szmek
d0ab0e5fa5 pid1: stop refusing to boot with cgroup v1
Since v256 we completely fail to boot if v1 is configured. Fedora 41 was just
released with v256.7 and this is probably the first major exposure of users to
this code. It turns out not work very well. Fedora switched to v2 as default in
F31 (2019) and at that time some people added configuration to use v1 either
because of Docker or for other reasons. But it's been long enough ago that
people don't remember this and are now very unhappy when the system refuses to
boot after an upgrade.

Refusing to boot is also unnecessarilly punishing to users. For machines that
are used remotely, this could mean somebody needs to physically access the
machine. For other users, the machine might be the only way to access the net
and help, and people might not know how to set kernel parameters without some
docs. And because this is in systemd, after an upgrade all boot choices are
affected, and it's not possible to e.g. select an older kernel for boot. And
crashing the machine doesn't really serve our goal either: we were giving a
hint how to continue using v1 and nothing else.

If the new override is configured, warn and immediately boot to v1.
If v1 is configured w/o the override, warn and wait 30 s and boot to v2.
Also give a hint how to switch to v2.

https://bugzilla.redhat.com/show_bug.cgi?id=2323323
https://bugzilla.redhat.com/show_bug.cgi?id=2323345
https://bugzilla.redhat.com/show_bug.cgi?id=2322467
https://www.reddit.com/r/Fedora/comments/1gfcyw9/refusing_to_run_under_cgroup_01_sy_specified_on/

The advice is to set systemd.unified_cgroup_hierarchy=1 (instead of removing
systemd.unified_cgroup_hierarchy=0). I think this is easier to convey. Users
who are understand what is going on can just remove the option instead.

The caching is dropped in cg_is_legacy_wanted(). It turns out that the
order in which those functions are called during early setup is very fragile.
If cg_is_legacy_wanted() is called before we have set up the v2 hierarchy,
we incorrectly cache a true answer. The function is called just a handful
of times at most, so we don't really need to cache the response.
2024-11-06 13:43:25 +00:00
Zbigniew Jędrzejewski-Szmek
bc11463e8e man/systemd-stub: rework the description of sections
The text added for .dtbauto/.hwids was very hard to grok. This rewords it to be
proper English. No semantic changes are intended.

When updating this, I noticed that the interaction of multi-profile UKIs and
dtb autoselection is very unclear, a FIXME is added.
2024-11-06 14:40:21 +01:00
Daan De Meyer
d835c4476b ukify: Add support for systemd-sbsign 2024-11-06 14:01:33 +01:00
Daan De Meyer
8cbd9d8328 sbsign: Add validate-key verb
This verb checks that we can load the specified private key.
2024-11-06 14:01:09 +01:00
Daan De Meyer
5f163921e9 Introduce systemd-sbsign to do secure boot signing
Currently in mkosi and ukify we use sbsigntools to do secure boot
signing. This has multiple issues:

- sbsigntools is practically unmaintained, sbvarsign is completely
broken with the latest gnu-efi when built without -fshort-wchar and
upstream has completely ignored my bug report about this.
- sbsigntools only supports openssl engines and not the new providers
API.
- sbsigntools doesn't allow us to cache hardware token pins in the
kernel keyring like we do nowadays when we sign stuff ourselves in
systemd-repart or systemd-measure

There are alternative tools like sbctl and pesign but these do not
support caching hardware token pins in the kernel keyring either.

To get around the issues with sbsigntools, let's introduce our own
tool systemd-sbsign to do secure boot signing. This allows us to
take advantage of our own openssl infra so that hardware token pins
are cached in the kernel keyring as expected and we get openssl
provider support as well.
2024-11-06 14:00:49 +01:00
Ivan Kruglov
1e2cd07394 machine: tests for io.systemd.Machine.Open 2024-11-06 11:58:51 +01:00
Ivan Kruglov
a686bedb88 machine: introduce io.systemd.Machine.Open method 2024-11-06 11:37:51 +01:00
Ivan Kruglov
7779d4944c json: introduce json_dispatch_strv_environment()
I just moved json_dispatch_environment() from src/shared/user-record.c
under name 'json_dispatch_strv_environment()' to shared json code.
2024-11-06 11:37:51 +01:00
Ivan Kruglov
b0eca6dee0 machine: machine_default_shell_path() & machine_default_shell_args() helper functions 2024-11-06 11:37:51 +01:00
Ivan Kruglov
41f1f283d7 machine: introduce machine_start_getty() and machine_start_shell() helpers 2024-11-06 11:37:51 +01:00
Ivan Kruglov
c0589b0227 use report_errno_and_exit() in src/core/exec-invoke.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov
7022563b5b use report_errno_and_exit() in src/shared/elf-util.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov
3d44b469f3 use report_errno_and_exit() in src/shared/dissect-image.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov
9af164b71c use report_errno_and_exit() in src/shared/mount-util.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov
f72a64f352 use report_errno_and_exit() in src/shutdown/umount.c 2024-11-06 11:18:38 +01:00
Ivan Kruglov
a567de392d process-util: introduce report_errno_and_exit() as part of src/basic/process-util.{h,c} 2024-11-06 11:18:38 +01:00
Yu Watanabe
ea457d59e9 man/varlink: fix typo
Follow-up for 4f5fabe7a3.
2024-11-06 19:06:47 +09:00
Yu Watanabe
9dcf5c226e man/udev: fix typo
Follow-up for df8f9b88bd.
2024-11-06 19:06:40 +09:00
Zbigniew Jędrzejewski-Szmek
f755ac99cb man/systemd-measure: add forgotten "="
Both syntaxes work, but let's use one syntax for consistency.

Fixup for 0641ce809a27cc1bc358924c26770f19d1213ec1.
2024-11-06 10:18:16 +01:00
Zbigniew Jędrzejewski-Szmek
ad6a4bf09c man/systemd-measure: update to new ukify syntax, non-root operation
It's been a while, but systemd-measure doesn't need root, and
ukify has a more modern syntax.
2024-11-06 10:14:29 +01:00
Yu Watanabe
df69f29728
network: reconfigure interface more gracefully (#35035)
split-out of #34989.
2024-11-06 17:57:56 +09:00
Lennart Poettering
682195a00a
UKI: Introduce .dtbauto sections (#34855)
Split out from #34158
2024-11-06 09:29:04 +01:00
Andres Beltran
f348831d27 namespace-util: make idmapping not supported if syscalls return EPERM 2024-11-06 09:27:33 +01:00
Lennart Poettering
299b6c3c28
Various man page updates (#35032)
Fixes: #34996
Fixes: #15032
Fixes: #32751
Fixes: #33130
Fixes: #34735
Fixes: #34840
Fixes: #34949
2024-11-06 09:26:57 +01:00
Zbigniew Jędrzejewski-Szmek
ddcdc6b365
mount-util: introduce path_is_network_fs_harder() and use it in networkd (#35040)
Closes #32426.
2024-11-06 08:39:24 +01:00
Lennart Poettering
df8f9b88bd man: convert multiple left-over "See Also" sections to <simplelist>
These were forgotten during the initial conversion, probably because
most of them consisted only of a single entry.

Fix that.
2024-11-05 22:57:51 +01:00
Lennart Poettering
607d297487 man: link up D-Bus API docs from daemon man pages
Let's systematically make sure that we link up the D-Bus interfaces from
the daemon man pages once in prose and once in short form at the bottom
("See Also"), for all daemons.

Also, add reverse links at the bottom of the D-Bus API docs.

Fixes: #34996
2024-11-05 22:57:51 +01:00
Lennart Poettering
2f69ad26ca man: point people from sd-bus man page to busctl 2024-11-05 22:57:51 +01:00
Lennart Poettering
4f5fabe7a3 man: add brief entrypoint man page for sd-varlink
We have this in a similar fashion for the other APIs libsystemd
provides. Add the same for sd-varlink. There isn't too much on it for
now, but at least it's a start.

Also link it up everywhere.
2024-11-05 22:57:51 +01:00
Lennart Poettering
ac804bc2f8 man: tone down claims on processes having exited already in ExecStop=
Processes can easily survive the first kill operation we execute, hence
we shouldn't make strong claims about them having exited already. Let's
just say "likely" hence.

Fixes: #15032
2024-11-05 22:57:51 +01:00
Lennart Poettering
5adc433799 man: document that .path units don't care for hidden files
Fixes: #32751
2024-11-05 22:57:51 +01:00
Lennart Poettering
b711737096 man: document that PrivateTmp= is unaffected by ProtectSystem=strict
Fixes: #33130
2024-11-05 22:57:51 +01:00