1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

69972 Commits

Author SHA1 Message Date
Ronan Pigott
3fcd83645a resolved: delay server feature detection
Some fields of the DnsPacket are not populated until we extract an
answer, like p->opt, despite being referenced by macros like
DNS_PACKET_RCODE. We can reorder some of the basic checks to follow
dns_packet_extract.
2024-01-03 17:25:07 -07:00
Ronan Pigott
980cb160eb dns: remove some magic numbers
Let's use enum values for the EDNS codes now that we have them, for
readability.
2024-01-03 17:25:07 -07:00
Ronan Pigott
056db7863e dns: introduce more EDNS codes from IANA 2024-01-03 17:25:07 -07:00
Lennart Poettering
2a02a8db91
Merge pull request #26663 from poettering/vpick
add new "vpick" concept for automatically picking newest resource from .v/ dir containing versioned files
2024-01-03 22:17:32 +01:00
Yu Watanabe
82a1597778
Merge pull request #28797 from Werkov/eff_limits
Add MemoryMaxEffective=, MemoryHighEffective= and TasksMaxEff…  …ective= properties
2024-01-04 05:38:06 +09:00
Michal Sekletar
508b4786e8 logind: don't setup idle session watch for lock-screen and greeter
Reason to skip the idle session logic for these session classes is that
they are idle by default.
2024-01-04 05:27:41 +09:00
Rose
b4a9d19e4e basic: fix overflow detection in sigbus_pop
The current check checks for n_sigbus_queue
being greater than or equal to SIGBUS_QUEUE_MAX,
when it should be just greater than as
n_sigbus_queue being SIGBUS_QUEUE_MAX indicates
that the queue is full, but not overflowed.
2024-01-04 05:26:01 +09:00
Yu Watanabe
f3f6c65618
Merge pull request #30710 from YHNdnzj/logind-ret-gather
logind-session: modernization
2024-01-04 05:25:41 +09:00
Frantisek Sumsal
c707e346fb test: temporarily adjust the default mount rate limit
(Hopefully) a temporary workaround for #30573 where starting a user
session when PID 1 is rate limited stalls even after it leaves the rate
limited state:

[   11.658201] H systemd[1]: Sent message type=signal sender=n/a destination=n/a path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=UnitRemoved cookie=4208 reply_cookie=0 signature=so error-name=n/a error-mes>
[   11.658233] H systemd[1]: Event source 0x559babdd8bb0 (mount-monitor-dispatch) left rate limit state.
[  101.562697] H busctl[784]: Failed to get credentials: Transport endpoint is not connected
[  101.563480] H systemd[1]: systemd-journald.service: Got notification message from PID 300 (WATCHDOG=1)
[  101.563725] H testsuite-74.sh[784]: BusAddress=unixexec:path=systemd-run,argv1=-M.host,argv2=-PGq,argv3=--wait,argv4=-pUser%3dtestuser,argv5=-pPAMName%3dlogin,argv6=systemd-stdio-bridge,argv7=-punix:path%3d%24%7bXDG_RUNTIME_DIR%7d/bus
[  101.564136] H systemd[1]: Successfully forked off '(sd-expire)' as PID 787.
[  101.564754] H systemd[1]: Successfully forked off '(sd-expire)' as PID 788.
[  101.564831] H testsuite-74.sh[381]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-74.busctl.sh failed'

The issue appeared after ee07fff03b which does a bunch of mounts/umounts
that get PID 1 into a rate limited state, and is frequent enough to be
annoying, so let's temporarily bump the rate limit to alleviate that.
2024-01-04 05:24:47 +09:00
Frantisek Sumsal
519f0074cf test: install correct kpartx udev rules on Debian
Resolves: #30703
2024-01-04 05:24:20 +09:00
Yu Watanabe
124c712692
Merge pull request #30532 from yuwata/udev-extend-timeout-kill-worker
udev: extend timeout to prevent kill worker
2024-01-04 05:21:50 +09:00
Yu Watanabe
aea57b1415
Merge pull request #28836 from msekletar/aux-scope
core/manager: add dbus API to create auxiliary scope from running service
2024-01-04 04:52:39 +09:00
Dmitry Konishchev
0e1ab2261c Fix KeepCarrier tun/tap device option
When KeepCarrier is set, networkd doesn't close tun/tap file descriptor
preserving the active interface state, but doesn't disable its queue
which makes kernel to think that it's still active and send packets to
it.

This patch disables the created queue right after tun/tap interface
creation.

Here is the steps to reproduce the bug:

Having:

systemd/network/10-tun-test.netdev:

    [NetDev]
    Name=tun-test
    Kind=tun

    [Tun]
    MultiQueue=yes
    KeepCarrier=yes

systemd/network/10-tun-test.network:

    [Match]
    Name=tun-test

    [Network]
    DHCP=no
    IPv6AcceptRA=false

    LLMNR=false
    MulticastDNS=false

    Address=172.31.0.1/24

app.c:

    #include <fcntl.h>
    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <linux/if.h>
    #include <sys/ioctl.h>
    #include <linux/if_tun.h>

    int main() {
        int fd;
        struct ifreq ifr;

        memset(&ifr, 0, sizeof ifr);
        strcpy(ifr.ifr_name, "tun-test");
        ifr.ifr_flags = IFF_TUN | IFF_NO_PI | IFF_MULTI_QUEUE;

        if((fd = open("/dev/net/tun", O_RDWR)) < 0) {
            perror("Open error");
            return 1;
        }

        if(ioctl(fd, TUNSETIFF, &ifr)) {
            perror("Configure error");
            return 1;
        }

        puts("Ready.");

        char buf[1500];

        while(1) {
            int size = read(fd, buf, sizeof buf);
            if(size < 0) {
                perror("Read error");
                return 1;
            }
            printf("Read %d bytes.\n", size);
        }

        return 0;
    }

Run:
* gcc -o app app.c && ./app
* ping -I tun-test 172.31.0.2

Before the patch the app shows no pings, but after it works properly.
2024-01-04 04:37:39 +09:00
Lennart Poettering
97c493f214 update TODO 2024-01-03 19:01:37 +01:00
Lennart Poettering
0345366ac3 tests: add integration tests for vpick logic 2024-01-03 19:01:37 +01:00
Lennart Poettering
7d93e4af80 man: document the new vpick concept 2024-01-03 18:38:46 +01:00
Lennart Poettering
a5ecdf7c6b discover-image: add support for vpick 2024-01-03 18:38:46 +01:00
Lennart Poettering
0cb110231e execute: teach RootDirectory= and RootImage= the new vpick logic 2024-01-03 18:38:46 +01:00
Lennart Poettering
d768856819 dissect: port to vpick for selecting image 2024-01-03 18:38:46 +01:00
Lennart Poettering
300a03bec3 nspawn: hook up --image=/--directory=/--template= with vpick logic 2024-01-03 18:38:46 +01:00
Lennart Poettering
9e61ed1115 vpick: add new tool "systemd-vpick" which exposes vpick on the command line
Usecase:

    $ du $(systemd-vpick /srv/myimages.v/foo___.raw)

In order to determine size of newest image in /srv/myimages.v/
2024-01-03 18:38:46 +01:00
Lennart Poettering
76511c1bd3 shared: add new "vpick" concept for ".v/" directories that contain versioned resources
This adds a new concept for handling paths. At appropriate places, if a
path such as /foo/bar/baz.v/ is specified, we'll
automatically enumerate all entries in /foo/bar/baz.v/baz* and then
do a version sort and pick the newest file.

A slightly more complex syntax is available, too:

/foo/bar/baz.v/quux___waldo

if that's used, then we'll look for all files matching
/foo/bar/baz.v/quux*waldo, and split out the middle, and version sort
it, and pick the nwest.

The ___ wildcard indicates both a version string, and if needed an
architecture ID, in case per-arch entries shall be supported.

This is a very simple way to maintain versioned resources in a dir, and
make systemd's components automatically pick the newest. Example:

    /srv/myimages.v/foobar_1.32.65_x86-64.raw
    /srv/myimages.v/foobar_1.33.45_x86-64.raw
    /srv/myimages.v/foobar_1.31.5_x86-64.raw
    /srv/myimages.v/foobar_1.31.5_arm64.raw

If now nspawn is invoked like this:

    systemd-nspawn --image=/srv/myimages.v/foobar___.raw

Then it will automatically pick
/srv/myimages.v/foobar_1.33.45_x86-64.raw as the version to boot on
x86-64, and /srv/myimages.v/foobar_1.31.5_arm64.raw on arm64.

This commit only adds the basic implementation for picking files from a
dir, but no hook-up anywhere.
2024-01-03 18:38:46 +01:00
Lennart Poettering
cc03788086 stat-util: add inode_type_from_string() helper 2024-01-03 18:38:46 +01:00
Lennart Poettering
63566c6b6f string-util: add strrstr() helper 2024-01-03 18:38:46 +01:00
Lennart Poettering
cb599f881a strv: add new strv_endswith() helper 2024-01-03 18:38:46 +01:00
Lennart Poettering
de84484e7b
Merge pull request #29940 from poettering/stub-confext-pickup
stub/sysext: pick up confexts from ESP, too
2024-01-03 17:40:36 +01:00
Lennart Poettering
5f1fddbd31
Merge pull request #30194 from poettering/tpm-target
units: add a tpm2.target synchronization point and small generator that pulls in
2024-01-03 17:40:17 +01:00
Mike Yuan
41935c0c3a
logind-session: use RET_GATHER more 2024-01-03 23:22:58 +08:00
Mike Yuan
8ccba83fd8
logind-session-device: trivial modernizations 2024-01-03 23:22:57 +08:00
Mike Yuan
42e6ad1684 labeler: add matches for login and logind 2024-01-03 15:00:36 +00:00
Lennart Poettering
56f20e3a46
Merge pull request #30704 from yuwata/sd-dhcp-server-lease
dhcp-server: use sd_dhcp_client_id and split out lease handling to sd-dhcp-server-lease.[ch]
2024-01-03 13:58:30 +01:00
Lennart Poettering
52be84f52c
Merge pull request #30697 from yuwata/network-address-remove-and-cancel
network/address: several cleanups for address removal
2024-01-03 13:55:26 +01:00
Lennart Poettering
ae17fcb61a tpm2-util: handle TPMs gracefully that do not support ECC and return TPM2_RC_VALUES
If a TPM doesn't do ECC it could either return zero curves when asked
for it, or it could simply fail with TPM2_RC_VALUES because it doesn't
recognize the capability at all.

Handle both cases the same way.

Fixes: #30679
2024-01-03 13:54:20 +01:00
Michal Sekletar
fd7fd59b6d tests: add test for StartAuxiliaryScope() 2024-01-03 13:50:46 +01:00
Michal Sekletar
84c01612de core/manager: add dbus API to create auxiliary scope from running service
This commit introduces new D-Bus API, StartAuxiliaryScope(). It may be
used by services as part of the restart procedure. Service sends an
array of PID file descriptors corresponding to processes that are part
of the service and must continue running also after service restarts,
i.e. they haven't finished the job why they were spawned in the first
place (e.g. long running video transcoding job). Systemd creates new
scope unit for these processes and migrates them into it. Cgroup
properties of scope are copied from the service so it retains same
cgroup settings and limits as service had.
2024-01-03 13:50:41 +01:00
Lennart Poettering
7bf4b5605e update TODO 2024-01-03 13:50:06 +01:00
Lennart Poettering
4e1f0037b8 units: add a tpm2.target synchronization point and small generator that pulls in
Distributions apparently only compile a subset of TPM2 drivers into the
kernel. For those not compiled it but provided as kmod we need a
synchronization point: we must wait before the first TPM2 interaction
until the driver is available and accessible.

This adds a tpm2.target unit as such a synchronization point. It's
ordered after /dev/tpmrm0, and is pulled in by a generator whenever we
detect that the kernel reported a TPM2 to exist but we have no device
for it yet.

This should solve the issue, but might create problems: if there are TPM
devices supported by firmware that we don't have Linux drivers for we'll
hang for a bit. Hence let's add a kernel cmdline switch to disable (or
alternatively force) this logic.

Fixes: #30164
2024-01-03 13:49:02 +01:00
Lennart Poettering
6018a27cb7 test-64: only look at plugged devices, not all of them 2024-01-03 13:47:57 +01:00
Michal Koutný
93f8e88d23 cgroup: Restrict effective limits with global resource provision
Global resource (whole system or root cg's (e.g. in a container)) is
also a well-defined limit for memory and tasks, take it into account
when calculating effective limits.
2024-01-03 13:43:04 +01:00
Michal Koutný
ce35bb95c7 test: Add effective cgroup limits testing 2024-01-03 13:37:58 +01:00
Michal Koutný
834ca54624 test: Convert rlimit test to subtest of generic limit testing
No functional change intended. Preparation for new tests.
2024-01-03 13:37:58 +01:00
Michal Koutný
4fb0d2dc14 cgroup: Add EffectiveMemoryMax=, EffectiveMemoryHigh= and EffectiveTasksMax= properties
Users become perplexed when they run their workload in a unit with no
explicit limits configured (moreover, listing the limit property would
even show it's infinity) but they experience unexpected resource
limitation.

The memory and pid limits come as the most visible, therefore add new
unit read-only properties:
- EffectiveMemoryMax=,
- EffectiveMemoryHigh=,
- EffectiveTasksMax=.

These properties represent the most stringent limit systemd is aware of
for the given unit -- and that is typically(*) the effective value.

Implement the properties by simply traversing all parents in the
leaf-slice tree and picking the minimum value. Note that effective
limits are thus defined even for units that don't enable explicit
accounting (because of the hierarchy).

(*) The evasive case is when systemd runs in a cgroupns and cannot
reason about outer setup. Complete solution would need kernel support.
2024-01-03 13:37:08 +01:00
Yu Watanabe
04d4086c22 resolve/mdns: do not append goodby packet entries to known answers section
When we receive a goodby packet about a host, and we have a cache entry about
the host, we do not immediately remove the cache entry, but update it with TTL 1.
See RFC 6762 section 10.1 and 3755027c2c.

If we receive a request soon after the goodby packet, previously the
entry was included in the known answers section of the reply. But such
information should not be appended.

Follow-up for 3755027c2c.
2024-01-03 13:16:43 +01:00
Luca Boccassi
2e3414660c varlink: avoid logging content of message if it contains sensitive data
This is important now that creds are sent via varlink

 systemd-creds[463]: varlink-3: Sending message: {"parameters":{"data":"Zm9vYmFyCg=="}}
 systemd-creds[462]: varlink-3: New incoming message: {"method":"io.systemd.Credentials.Encrypt","parameters":{"data":"Zm9vYmFyCg=="}}
2024-01-03 11:54:48 +01:00
Luca Boccassi
fa9a6db478 json: add JSON_FORMAT_REFUSE_SENSITIVE to json_variant_format()
Returns -EPERM if any node in the variant is marked as sensitive,
useful to avoid leaking data to log messages and so on
2024-01-03 11:54:48 +01:00
Lennart Poettering
caef0bc3dc creds: open up access to clients via Polkit
Use auth_admin_keep, so that users don't have to re-auth interactively
again and again when encrypting/decrypting batches of credentials.
2024-01-03 11:53:52 +01:00
Lennart Poettering
2a1ffd3e3a bus-polkit: port polkit_registry to use value destructors in hash_ops 2024-01-03 11:53:52 +01:00
Lennart Poettering
d04c1a1c8e bus-polkit: add support for authenticating varlink peers via polkit
This extends our current polkit logic, so that we can in a very similar
fashion as we already can authenticate dbus peers authenticate varlink
connection peers.

polkit natively speaks dbus and can authentication dbus peers. To get
the same level of support for varlink we'll use authentication by
pidfd+uid. This requires polkit v124, and if that's not available it
will fallback to authorizing root only as before.

Co-authored-by: Luca Boccassi <bluca@debian.org>
2024-01-03 11:53:29 +01:00
Mike Yuan
7c2e495c75
Merge pull request #30694 from yuwata/sd-netlink-move-macro-and-introduce-tos-getter
sd-netlink: two cleanups
2024-01-03 18:47:12 +08:00
Mike Yuan
f6ce1ad033
Merge pull request #30686 from poettering/uki-measured-check-imply-tpm2
efi-loader: when detecting if we are booted in UKI measured boot mode, imply a check for TPM2
2024-01-03 18:39:22 +08:00