1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-31 21:18:09 +03:00
Commit Graph

45958 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
8b25484af3 NEWS: update contributors list for v246-pre 2020-07-23 17:30:54 +02:00
Zbigniew Jędrzejewski-Szmek
c015d657ec hwdb: update again for v246
Just a few minor changes.
2020-07-23 17:25:40 +02:00
Lennart Poettering
b226422cd7 firstboot: don't create /etc/passwd with mode 000
It needs to be world readable (unlike /etc/shadow) when created anew.

This fixes systems that boot with "systemd-nspawn --volatile=yes", i.e.
come up with an entirely empty /etc/ and thus no existing /etc/passwd
file when firstboot runs.
2020-07-23 17:09:11 +02:00
Lennart Poettering
2a2e78e969 nspawn: fix MS_SHARED mount propagation for userns containers
We want our OS trees to be MS_SHARED by default, so that our service
namespacing logic can work correctly. Thus in nspawn we mount everything
MS_SHARED when organizing our tree. We do this early on, before changing
the user namespace (if that's requested). However CLONE_NEWUSER actually
resets MS_SHARED to MS_SLAVE for all mounts (so that less privileged
environments can't affect the more privileged ones). Hence, when
invoking it we have to reset things to MS_SHARED afterwards again. This
won't reestablish propagation, but it will make sure we get a new set of
mount peer groups everywhere that then are honoured for the mount
namespaces/propagated mounts set up inside the container further down.
2020-07-23 17:08:39 +02:00
szb512
fe224669fb Update mkosi.ubuntu to 'focal'
[zjs: Looking at https://packages.ubuntu.com/bionic/iptables-dev, iptables-dev
was a transitional package that was pulling in libxtables-dev, libip4tc-dev,
and libip6tc-dev (as listed by @GiedriusS). iptables-dev is gone in focal, so
replace it by the expanded list.]
2020-07-23 16:44:09 +02:00
Yu Watanabe
6f5d73aba6 network: compare with peer address if it is specified
Follow-ups for dfef713f3e.
2020-07-23 16:37:56 +02:00
Zbigniew Jędrzejewski-Szmek
01b92946c5
Merge pull request #16532 from yuwata/network-sync-state-file
network: sync link state file on dbus call, and ndisc cleanups
2020-07-23 16:34:38 +02:00
Zbigniew Jędrzejewski-Szmek
5cf821acf8 man: do not say that isolate is like switching runlevels
We need to do better here, but for now let's at least not trick
users into nuking their graphical environment. Inspired by #16548.
2020-07-23 15:30:35 +02:00
Zbigniew Jędrzejewski-Szmek
402e1e699f
Merge pull request #16557 from keszybz/two-ci-fixes
Two ci fixes
2020-07-23 15:24:46 +02:00
Zbigniew Jędrzejewski-Szmek
0390b094f5 meson: do not choke on time epoch when there are no git tags
github ci was failing with:

meson.build:685:16: ERROR: String '' cannot be converted to int
2020-07-23 12:25:14 +02:00
Zbigniew Jędrzejewski-Szmek
960a64691f semaphore: pull in tree explicitly
semaphoreci was failing with:
Can't exec "tree": No such file or directory at /tmp/autopkgtest-lxc.v9oand4g/downtmp/build.TIm/src/test/udev-test.pl line 1752.

https://semaphoreci.com/systemd/systemd/branches/pull-request-16551/builds/1
2020-07-23 12:25:14 +02:00
Lennart Poettering
495454f40f update NEWS 2020-07-23 10:02:16 +02:00
Lennart Poettering
82ff544160
Merge pull request #16496 from DaanDeMeyer/firstboot-shell
firstboot: Add --root-shell option and tighten up passwd/shadow handling
2020-07-23 08:39:45 +02:00
Daan De Meyer
bd190899bb Get SOURCE_EPOCH from the latest git tag instead of NEWS
Currently, each change to NEWS triggers a meson reconfigure that
changes SOURCE_EPOCH which causes a full rebuild. Since NEWS changes
relatively often, we have a full rebuild each time we pull from
master even if we pull semi-regularly. This is further compounded
when using branches since NEWS has a relatively high chance to
differ between branches which causes git to update the modification
time, leading to a full rebuild when switching between branches.

We fix this by using the creation time of the latest git tag instead.
2020-07-23 08:38:30 +02:00
Lennart Poettering
00b868e857
Merge pull request #16542 from keszybz/make-targets-fail-again
Make targets fail again
2020-07-23 08:37:47 +02:00
Lennart Poettering
c3f8a065e9 execute: take ownership of more fields in ExecParameters
Let's simplify things a bit, and take ownership of more fields in
ExecParameters, so that they are automatically freed when the structure
is released.
2020-07-23 08:37:21 +02:00
Daan De Meyer
28900a1bfe firstboot: Add --root-shell option 2020-07-22 21:22:46 +01:00
Daan De Meyer
c4a53ebf7a firstboot: Tighten up passwd/shadow handling
There are a lot of edge cases that the current implementation
doesn't handle, especially in cases where one of passwd/shadow
exists and the other doesn't exist. For example, if
--root-password is specified, we will write /etc/shadow but
won't add a root entry to /etc/passwd if there is none.

To fix some of these issues, we constrain systemd-firstboot to
only modify /etc/passwd and /etc/shadow if both do not exist
already (or --force) is specified. On top of that, we calculate
all necessary information for both passwd and shadow upfront so
we can take it all into account when writing the actual files.

If no root password options are given --force is specified or both
files do not exist, we lock the root account for security purposes.
2020-07-22 21:22:41 +01:00
Zbigniew Jędrzejewski-Szmek
94d1ddbd7c pid1: target units can fail through dependencies
Fixes #16401.

c80a9a33d0 introduced the .can_fail field,
but didn't set it on .targets. Targets can fail through dependencies.
This leaves .slice and .device units as the types that cannot fail.

$ systemctl cat bad.service bad.target bad-fallback.service
[Service]
Type=oneshot
ExecStart=false

[Unit]
OnFailure=bad-fallback.service

[Service]
Type=oneshot
ExecStart=echo Fixing everythign!

$ sudo systemctl start bad.target
systemd[1]: Starting bad.service...
systemd[1]: bad.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: bad.service: Failed with result 'exit-code'.
systemd[1]: Failed to start bad.service.
systemd[1]: Dependency failed for bad.target.
systemd[1]: bad.target: Job bad.target/start failed with result 'dependency'.
systemd[1]: bad.target: Triggering OnFailure= dependencies.
systemd[1]: Starting bad-fallback.service...
echo[46901]: Fixing everythign!
systemd[1]: bad-fallback.service: Succeeded.
systemd[1]: Finished bad-fallback.service.
2020-07-22 17:58:12 +02:00
Zbigniew Jędrzejewski-Szmek
74c8e3c4e0 Revert "units: drop OnFailure= from .target units"
This reverts commit c7220ca802.

The removal was done as a reaction to the messages from systemd:
initrd-root-fs.target: Requested dependency OnFailure=emergency.target ignored (target units cannot fail).
initrd.target: Requested dependency OnFailure=emergency.target ignored (target units cannot fail).
initrd-root-device.target: Requested dependency OnFailure=emergency.target ignored (target units cannot fail).
initrd-fs.target: Requested dependency OnFailure=emergency.target ignored (target units cannot fail).
local-fs.target: Requested dependency OnFailure=emergency.target ignored (target units cannot fail).
...
But it seems that the messages themselves are wrong, and the units were OK.
2020-07-22 17:58:12 +02:00
Zbigniew Jędrzejewski-Szmek
771b52427a core/job: adjust whitespace and comment 2020-07-22 17:58:12 +02:00
Yu Watanabe
7f8c1e95a5 test-network: add test for duplicated IPv6Token= 2020-07-22 20:26:11 +09:00
Yu Watanabe
2c62149509 network: ndisc: ignore duplicated IPv6Token= 2020-07-22 20:26:11 +09:00
Yu Watanabe
92ee90af47 network: ndisc: do not store duplicated data in Set
The Address objects in the set generated by ndisc_router_generate_addresses()
have the equivalent prefixlen, flags, prefered lifetime.
This commit makes ndisc_router_generate_addresses() return Set of
in6_addr.
2020-07-22 20:26:05 +09:00
Zbigniew Jędrzejewski-Szmek
3bb4126262
Merge pull request #16536 from poettering/time-clock-map-fixes
time-util: clock mapping improvements
2020-07-22 13:05:13 +02:00
Yu Watanabe
3dbd8a15d5 util: use IN6_ARE_ADDR_EQUAL() macro 2020-07-22 19:55:15 +09:00
Yu Watanabe
f91b234077 test-network: drop unnecessary sleep() in NetworkdStateFileTests.test_state_file 2020-07-22 19:55:15 +09:00
Yu Watanabe
1b14222124 network: make bus methods sync link state file 2020-07-22 19:55:15 +09:00
Yu Watanabe
c2a6595014 network: introduce link_save_and_clean() 2020-07-22 19:55:14 +09:00
Yu Watanabe
f281fc1e95 tree-wide: use siphash24_compress_string() where it is applicable 2020-07-22 19:55:14 +09:00
Yu Watanabe
1c568d65ac util: introduce siphash24_compress_string() 2020-07-22 19:55:14 +09:00
Yu Watanabe
6c04fccb1d util: make siphash24_compress_boolean() inline
This also changes the stored type from int to uint8_t in order to make
hash value endianness independent.
2020-07-22 19:55:14 +09:00
Zbigniew Jędrzejewski-Szmek
e3643b00a8 test-path: decrease variable scope 2020-07-22 12:12:54 +02:00
Zbigniew Jędrzejewski-Szmek
8f8c7801e9 test: increase timeout for test-path
The CI occasionally fail in test-path with a timeout. test-path loads
units from the filesystem, and this conceivably might take more than
the default limit of 3 s. Increase the timeout substantially to see if
this helps.
2020-07-22 12:12:36 +02:00
Zbigniew Jędrzejewski-Szmek
2859bb932b
Merge pull request #16530 from yuwata/udev-fix-race-in-renaming-network-interface
udev: fix race in renaming network interface
2020-07-22 11:50:09 +02:00
Lennart Poettering
63fdaa36c5
Merge pull request #16407 from bluca/verity_reuse
verity: re-use already open devices if the hashes match
2020-07-22 11:36:49 +02:00
Zbigniew Jędrzejewski-Szmek
8fa2cd83c6 Revert "man: add note about systemd-vconsole-setup.service and tty as input/output"
This reverts commit 0b57803630.

From https://github.com/systemd/systemd/pull/16503#issuecomment-660212813:
systemd-vconsole-setup (the binary) is supposed to run asynchronously by udev
therefore ordering early interactive services after systemd-vconsole-setup.service
has basically no effect.

Let's remove this paragraph. It's better to say nothing than to give pointless
advice.
2020-07-22 10:43:52 +02:00
Elisei Roca
2aa5a13aa9 test: adapt test-functions for SUSE 2020-07-22 10:42:42 +02:00
Zbigniew Jędrzejewski-Szmek
f25e9eda52
Merge pull request #16514 from keszybz/zstd-decompress-fix
Fix coredumpctl operation with zstd-compressed journals
2020-07-22 10:40:19 +02:00
Zbigniew Jędrzejewski-Szmek
b876b07812
Merge pull request #16540 from poettering/acl-fix
two ACL handling fixes
2020-07-22 10:34:12 +02:00
Luca Boccassi
ac1f3ad05f verity: re-use already open devices if the hashes match
Opening a verity device is an expensive operation. The kernelspace operations
are mostly sequential with a global lock held regardless of which device
is being opened. In userspace jumps in and out of multiple libraries are
required. When signatures are used, there's the additional cryptographic
checks.

We know when two devices are identical: they have the same root hash.
If libcrypsetup returns EEXIST, double check that the hashes are really
the same, and that either both or none have a signature, and if everything
matches simply remount the already open device. The kernel will do
reference counting for us.

In order to quickly and reliably discover if a device is already open,
change the node naming scheme from '/dev/mapper/major:minor-verity' to
'/dev/mapper/$roothash-verity'.

Unfortunately libdevmapper is not 100% reliable, so in some case it
will say that the device already exists and it is active, but in
reality it is not usable. Fallback to an individually-activated
unique device name in those cases for robustness.
2020-07-21 23:42:03 +01:00
Luca Boccassi
536879480a dm-util: use CRYPT_DEACTIVATE_DEFERRED instead of ioctl 2020-07-21 23:26:41 +01:00
Lennart Poettering
d81be4e752 coredump: port to use common add_acls_for_user()
It's line-by-line the same logic, hence use the common implementation.
2020-07-21 22:58:40 +02:00
Lennart Poettering
2ea6247e01 acl-util: fix error handling in add_acls_for_user() 2020-07-21 22:58:40 +02:00
Lennart Poettering
002674387c offline-passwd: use chase_symlinks()
In case the passwd/group file is symlinked, follow things correctly.

Follow-up for: #16512
Addresses: https://github.com/systemd/systemd/pull/16512#discussion_r458073677
2020-07-21 22:31:00 +02:00
Lennart Poettering
628db21130 update TODO 2020-07-21 17:46:14 +02:00
Zbigniew Jędrzejewski-Szmek
0da322d9a4 man: update docs with the new functions and other enhancements 2020-07-21 17:42:16 +02:00
Zbigniew Jędrzejewski-Szmek
7cbb7d62c6 homectl: fix warning about unused function
../src/home/homectl-pkcs11.c:19:13: warning: ‘pkcs11_callback_data_release’ defined but not used [-Wunused-function]
   19 | static void pkcs11_callback_data_release(struct pkcs11_callback_data *data) {
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
2020-07-21 17:42:16 +02:00
Zbigniew Jędrzejewski-Szmek
06847d0fba TODO: add entry for XZ
The docs for XZ don't seem to answer this at first blush, or maybe
I'm looking in the wrong place... This might make XZ less terribly slow,
but on the other hand, almost nobody uses it, so it doesn't matter that
much.
2020-07-21 17:42:15 +02:00
Zbigniew Jędrzejewski-Szmek
e4a321fc08 journal/compress: remove loop in decompress_startswith_zstd()
This should be more efficient with no downsides. Same considerations as in the
previous commit hold.
2020-07-21 17:42:15 +02:00