1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
Commit Graph

61561 Commits

Author SHA1 Message Date
Yu Watanabe
daff9d5460
Merge pull request #25564 from poettering/dissect-discover
systemd-dissect: add simple "--discover" command
2022-12-08 12:29:07 +09:00
Yu Watanabe
cc488e9ba8
Merge pull request #25666 from poettering/selinux-getconf-fixup
selinux getXYZcon() NULL return fixes
2022-12-08 12:23:29 +09:00
Jade Lovelace
3b703840d9 oomd: print dry run output at INFO level
Otherwise, the dry run isn't much use since it would be logged at debug
and not seen.
2022-12-08 09:26:57 +09:00
Frantisek Sumsal
5dd34c2604 test: wait for the monitoring service to become active
Otherwise we might start querying resolved too early, causing the
monitoring service to miss stuff:

```
[ 1103.149474] testsuite-75.sh[35]: + systemd-run -u resmontest.service -p Type=notify resolvectl monitor
[ 1103.353803] testsuite-75.sh[423]: Running as unit: resmontest.service
[ 1103.353989] testsuite-75.sh[35]: + knotc zone-begin test.
[ 1103.354160] testsuite-75.sh[425]: OK
...
[ 1103.355298] testsuite-75.sh[35]: + knotc reload
[ 1103.355363] testsuite-75.sh[438]: Reloaded
[ 1103.355536] testsuite-75.sh[35]: + : '--- nss-resolve/nss-myhostname tests'
[ 1103.355536] testsuite-75.sh[35]: + run getent -s resolve hosts ns1.unsigned.test
[ 1103.356127] testsuite-75.sh[443]: + getent -s resolve hosts ns1.unsigned.test
[ 1103.356505] testsuite-75.sh[444]: + tee /tmp/tmp.bXg5Uj5Jkk
[ 1103.359591] resolvectl[424]: → Q: ns1.unsigned.test IN AAAA
[ 1103.359591] resolvectl[424]: ← S: success
[ 1103.359850] testsuite-75.sh[444]: 10.0.0.1        ns1.unsigned.test
[ 1103.359939] resolvectl[424]: → Q: ns1.unsigned.test IN A
[ 1103.359939] resolvectl[424]: ← S: success
[ 1103.359939] resolvectl[424]: ← A: ns1.unsigned.test IN A 10.0.0.1
[ 1103.360149] testsuite-75.sh[35]: + grep -qE '^10\.0\.0\.1\s+ns1\.unsigned\.test' /tmp/tmp.bXg5Uj5Jkk
[ 1103.362119] systemd[1]: Starting resmontest.service...
[ 1103.362633] systemd[1]: Started resmontest.service.
[ 1103.363263] testsuite-75.sh[35]: + monitor_check_rr 'ns1.unsigned.test IN A 10.0.0.1'
[ 1103.363263] testsuite-75.sh[35]: + local 'match=ns1.unsigned.test IN A 10.0.0.1'
[ 1103.363377] testsuite-75.sh[35]: + set +o pipefail
[ 1103.363836] testsuite-75.sh[458]: + journalctl -u resmontest.service -f --full
[ 1103.364042] testsuite-75.sh[459]: + grep -m1 'ns1.unsigned.test IN A 10.0.0.1'
...
Trying to halt container. Send SIGTERM again to trigger immediate termination.
Container TEST-75 terminated by signal KILL.
```
2022-12-08 09:05:14 +09:00
Space Meyer
ff868eaade journald: prevent segfault on empty attr/current
getpidcon() might set con to NULL, even when it returned a 0 return
code[0]. The subsequent strlen(con) will then cause a segfault.

Alternatively the behaviour could also be changed in getpidcon. I
don't know whether the libselinux folks are comitted to the current
behaviour, but the getpidcon man page doesn't really make it obvious
this case could happen.

[0] fb7f35495f/libselinux/src/procattr.c (L155-L158)
2022-12-08 01:00:25 +01:00
msizanoen1
3d19e122cf core/unit: allow overriding an ongoing freeze operation
Sometimes a freeze operation can hang due to the presence of kernel
threads inside the unit cgroup (e.g. QEMU-KVM). This ensures that the
ThawUnit operation invoked by systemd-sleep at wakeup always thaws the
unit.
2022-12-08 00:54:53 +01:00
msizanoen1
a14137d90e core/cgroup: thaw slice of unit when thawing unit
This ensures starting a new unit under a frozen slice work as expected.
2022-12-08 00:54:53 +01:00
msizanoen1
fcb0878f75 core/slice: skip member units without realized cgroup during freeze or thaw
This ensures that services with `RemainAfterExit` but without any
process running won't cause failure during freeze.
2022-12-08 00:54:53 +01:00
msizanoen1
efa736d383 sleep: always thaw user.slice even if freezing failed
`FreezeUnit` can fail even when some units did got frozen, causing some
user units to be frozen. A possible symptom is `user@.service` being
frozen while still being able to log in over SSH.
2022-12-08 00:54:53 +01:00
Luca Boccassi
2d18605ca8
Merge pull request #25632 from keszybz/chroot-fix
Add trivial check for preset operation in chroot
2022-12-07 20:51:47 +01:00
Luca Boccassi
a101d7849d
Merge pull request #25465 from DaanDeMeyer/repart-workspace
repart: Cleanup created files on failure
2022-12-07 20:45:23 +01:00
Jelle van der Waa
ff4d26dff4 hostnamed: expose FirmwareDate dbus property
Expose /sys/class/dmi/id/bios_date as dbus property in hostnamed.
2022-12-07 20:35:56 +01:00
Jelle van der Waa
f233bbd607 hostnamed: expose FirmwareVendor as dbus property
Expose /sys/class/dmi/id/bios_vendor as dbus property in hostnamed.
2022-12-07 20:34:30 +01:00
Lennart Poettering
0305cf6e9d dissect: add simple --discover command 2022-12-07 17:57:22 +01:00
Lennart Poettering
3775e1410c discover-image: store image class in Image object too, if known 2022-12-07 17:44:35 +01:00
Lennart Poettering
e0cd19007e discover-image: add stringification helpers for ImageClass 2022-12-07 17:44:35 +01:00
Zbigniew Jędrzejewski-Szmek
54c84c8a7a ukify: allow multiple initrds
If given, multiple initrds are concatenated into a temporary file which then
becomes the .initrd section.

It is also possible to give no initrd. After all, some machines boot without an
initrd, and it should be possible to use the stub without requiring an initrd.
(The stub might not like this, but this is something to fix there.)
2022-12-07 17:22:05 +01:00
Zbigniew Jędrzejewski-Szmek
1f6da5d902 ci: install pefile 2022-12-07 15:53:47 +01:00
Zbigniew Jędrzejewski-Szmek
0fdf4e1810 man: add man page for ukify 2022-12-07 15:53:47 +01:00
Zbigniew Jędrzejewski-Szmek
483c9c1b8a ukify: try to find the uname string in the linux image if not specified
The approach is based on mkinicpio's autodetection.

This is hacky as hell. Some cases are actually fairly nice: ppc64el images have
a note that contains 'uname -r'. (The note is not uniquely labeled at all, and
only contains the release part instead of the full version-hostname-release
string, and we don't actually care about ppc, and it's very hard to read the
note from Python, but in general that'd be the approach I'd like.)

I opted to simply read and decompress the full linux binary in some cases.
Python doesn't make it easy to do streaming decompression with regexp matching,
and it doesn't seem to matter much: the image decompresses in a fraction of a
second.
2022-12-07 15:53:45 +01:00
Zbigniew Jędrzejewski-Szmek
a1d6dbb1c9 tests: add pytest tests for ukify
Some gymnastics were needed to import ukify as a module. Before the file
was templated, this was trivial: insert the directory in sys.path, call import.
But it's a real pain to import the unsuffixed file after processing. Instead,
the untemplated file is imported, which works well enough for tests and is
very simple.

The tests can be called via pytest:
  PATH=build/:$PATH pytest -v src/ukify/test/test_ukify.py
or directly:
  PATH=build/:$PATH src/ukify/test/test_ukify.py
or via the meson test machinery output:
  meson test -C build test-ukify -v
or without verbose output:
  meson test -C build test-ukify

Zekret files are obfuscated using base64.
2022-12-07 15:52:37 +01:00
Luca Boccassi
3dd581f9e4
Merge pull request #25651 from keszybz/man-halt
Deemphasize 'halt' subcommand
2022-12-07 15:49:30 +01:00
Zbigniew Jędrzejewski-Szmek
30ec2eaef5 meson,ukify: hook up ukify, add --version option
The option is added because we have a similar one for kernel-install. This
program requires python, and some people might want to skip it because of this.

The tool is installed in /usr/lib/systemd for now, since the interface might
change.

A template file is used, but there is no .in suffix.
The problem is that we'll later want to import the file as a module
for tests, but recent Python versions make it annoyingly hard to import
a module from a file without a .py suffix. imp.load_sources() works, but it
is deprecated and throws warnings.
importlib.machinery.SourceFileLoader().load_module() works, but is also
deprecated. And the documented replacements are a maze of twisted little
callbacks that result in an empty module.
So let's take the easy way out, and skip the suffix which makes it easy
to import the template as a module after adding the directory to sys.path.
2022-12-07 15:32:13 +01:00
Zbigniew Jędrzejewski-Szmek
f4780cbe30 ukify: add helper to create UKIs
Features:
- adds sections .linux, .initrd, .uname, .osrel, .pcrpkey, .pcrsig, .cmdline, .splash
- multiple initrds can be concatenated
- section flags are set properly (READONLY, DATA or CODE)
- uses systemd-measure to precalculate pcr measurements and create a signed json policy
- the inner linux image will be signed automatically with sbsign if unsigned
- uses sbsign to sign the output image
- offsets are calculated so that sections are placed adjacent, with .linux last
- custom sections are possible
- multiple pcr signing keys can be specified and different boot phase paths can be
  signed with different keys
- most things can be overriden (path to tools, stub file, signing keys, pcr banks,
  boot phase paths, whether to sign things)
- superficial verification of slash bmp is done
- kernel uname "scraping" from the kernel if not specified (in a later patch)

TODO:
- change systemd-measure to not require a functional TPM2. W/o this, we'd need
  to support all banks in the build machine, which is hard to guarantee.
- load signing keys from /etc/kernel/
- supress exceptions, so if something external fails, the user will not see a traceback
- conversion to BMP from other formats

$ sudo /usr/lib/systemd/ukify \
  --tools=build/ \
  --measure \
  /lib/modules/6.0.5-300.fc37.x86_64/vmlinuz \
  /boot/08a5690a2eed47cf92ac0a5d2e3cf6b0/6.0.5-300.fc37.x86_64/initrd \
  --secureboot-private-key=server.key --secureboot-certificate=server.crt \
  --pcr-private-key=tpm2-pcr-private.pem --pcr-public-key=tpm2-pcr-public.pem \
  --cmdline='rw quiet' \
  --section test:TESTTESTTEST \
  --section test2:TESTTESTTEST2 \
  --pcr-banks=sha1 \
  --uname="$(uname -rv)"

Host arch 'x86_64', efi arch 'x64'
+ sbverify --list /lib/modules/6.0.5-300.fc37.x86_64/vmlinuz
+ build/systemd-measure calculate --linux=/lib/modules/6.0.5-300.fc37.x86_64/vmlinuz --osrel=/etc/os-release --cmdline=/tmp/tmpcmdline_5aufjir --pcrpkey=tpm2-pcr-public.pem --initrd=/boot/08a5690a2eed47cf92ac0a5d2e3cf6b0/6.0.5-300.fc37.x86_64/initrd --bank=sha1
11:sha1=03df5e5243bc002b959d52359fe04e266d0b5ebf
11:sha1=54949b82bae32e80343ff0f01eeeeb75f4c07d3f
11:sha1=0fc62be88aa9c5ad7282aa8adb504f451bcec9df
11:sha1=b71155e7fcd467f7c1696f675e37887032e2eafa
+ build/systemd-measure sign --linux=/lib/modules/6.0.5-300.fc37.x86_64/vmlinuz --osrel=/etc/os-release --cmdline=/tmp/tmpcmdline_5aufjir --pcrpkey=tpm2-pcr-public.pem --initrd=/boot/08a5690a2eed47cf92ac0a5d2e3cf6b0/6.0.5-300.fc37.x86_64/initrd --bank=sha1 --private-key=tpm2-pcr-private.pem --public-key=tpm2-pcr-public.pem
+ objcopy /usr/lib/systemd/boot/efi/linuxx64.efi.stub --add-section .osrel=/etc/os-release --change-section-vma .osrel=0x22000 --add-section .cmdline=/tmp/tmpcmdline_5aufjir --change-section-vma .cmdline=0x23000 --add-section .pcrpkey=tpm2-pcr-public.pem --change-section-vma .pcrpkey=0x24000 --add-section .initrd=/boot/08a5690a2eed47cf92ac0a5d2e3cf6b0/6.0.5-300.fc37.x86_64/initrd --change-section-vma .initrd=0x25000 --add-section .uname=/tmp/tmpuname0v3uzh5r --change-section-vma .uname=0x4009000 --add-section .test=/tmp/tmptestuxve59c8 --change-section-vma .test=0x400a000 --add-section .test2=/tmp/tmptest2_i143p9i --change-section-vma .test2=0x400b000 --add-section .pcrsig=/tmp/tmppcrsigdtcqxz_w --change-section-vma .pcrsig=0x400c000 --add-section .linux=/lib/modules/6.0.5-300.fc37.x86_64/vmlinuz --change-section-vma .linux=0x400d000 /tmp/uki4vsbf7y8
+ sbsign --key server.key --cert server.crt /tmp/uki4vsbf7y8 --output vmlinuz.efi
warning: data remaining[79849520 vs 79866644]: gaps between PE/COFF sections?
warning: data remaining[79849520 vs 79866648]: gaps between PE/COFF sections?
Signing Unsigned original image
Wrote signed vmlinuz.efi
2022-12-07 15:32:13 +01:00
Lennart Poettering
4a69c2c748 selinux-setup: minor modernizations 2022-12-07 15:26:18 +01:00
Lennart Poettering
af614e45c3 selinux: accept the fact that getxyzcon() can return success and NULL
Inspired by #25664: let's check explicitly for NULL everywhere we do one
of those getXYZcon() calls.

We usually turn this into EOPNOTSUPP, as when selinux is off (which is
supposed to be the only case this can happen according to selinux docs)
we otherwise return EOPNOTSUPP in that case.

Note that in most cases we have an explicit mac_selinux_use() call
beforehand, hence this should mostly not be triggerable codepaths.
2022-12-07 15:25:37 +01:00
Yu Watanabe
42f8b6a808 network: manage addresses in the way the kernel does
This effectively reverts 5d0030310c.

With the commit 5d0030310c, networkd manages
addresses with the detailed hash and compare functions. But that causes
networkd cannot detect address update by the kernel or an external tool.
See issue
https://github.com/systemd/systemd/issues/481#issuecomment-1328132401.

With this commit, networkd (again) manages addresses in the way that the
kernel does. Hence, we can correctly detect address update.
2022-12-07 15:10:45 +01:00
Yu Watanabe
b448fc0a6f test-network: try to change MAC address more
Follow-up for 23b6bf274f.
2022-12-07 15:08:23 +01:00
Frantisek Sumsal
ed7c45a8c8 packit: ignore unpackaged files
It may take a bit for newly introduced binaries/other files to get
properly integrated into the Rawhide specfile, so don't choke up in the
meantime when rpmbuild detects unpackaged files.
2022-12-07 15:07:14 +01:00
Lennart Poettering
f18b0a7630 update TODO 2022-12-07 14:31:57 +01:00
Luca Boccassi
87edf80b1b
Merge pull request #25502 from keszybz/pam-namespace-add
Add pam_namespace to user@.service pam stack
2022-12-07 13:01:50 +01:00
Yu Watanabe
47c57b4813 core: use correct scope of looking up units
Fixes a bug introduced by 3b3557c410.

Fixes #25625.
2022-12-07 12:45:33 +01:00
Zbigniew Jędrzejewski-Szmek
1f9caf28ca TEST-65: use [[ -v ]] more
It's a bashism, but we use other bash features anyway, and it's cleaner
and much less verbose.
2022-12-07 12:38:15 +01:00
Zbigniew Jędrzejewski-Szmek
a7eed3eca3 TEST-65: check cat-config operation in chroot
This verifies the fix in 2075b6dd39.
2022-12-07 12:38:10 +01:00
Lennart Poettering
31d4258011
Merge pull request #25648 from keszybz/exitrd
Build systemd-shutdown.standalone
2022-12-07 11:34:54 +01:00
Zbigniew Jędrzejewski-Szmek
269d17f955 man: deemphasize "halt"
Systemd documents "halt" as the primary shutdown mechanism, redirecting
"reboot" and "shutdown" to the halt(8), but halt is a really strange and
obsolete concept. Who would want to really keep their machine running after
shutdown? I expect that halting is almost unused. Let's at least make it less
prominent in the docs.

While at it, use "power off" for a verb and "power-off" for noun (but "poweroff"
of the actual command name).
2022-12-07 10:26:31 +01:00
Yu Watanabe
9644fbd584 fuzz-systemctl: adjust size limit
Follow-up for 719b7d4dc2.

The size of the current reproducer is 250KB. Hence, 16KB should be
enough, but still we can test most arguments within the size.

Hopefully fixes oss-fuzz#53552.
2022-12-07 09:56:50 +01:00
Yu Watanabe
bf9afd7b31
Merge pull request #25628 from zhangjian3032/dev/fix-set-bond-mac-failed
network: Fix set bond device MAC address failed
2022-12-07 13:34:39 +09:00
Daan De Meyer
94799c305a test-fs-util: Add relative path chase_symlinks() tests 2022-12-07 10:39:20 +09:00
Zbigniew Jędrzejewski-Szmek
cc420ae52a
Merge pull request #25616 from poettering/chase-symlinks-opendir
chase-symlinks/systemctl: let's handle cases without /proc/ better
2022-12-06 17:10:54 +01:00
Lennart Poettering
86adf4a5e8 gpt: add helpers for deriving data partition from verity or verity sig designator
let's add the inverse of the existing partition_verity_of() and
partition_verity_sig_of()
2022-12-06 16:41:06 +01:00
Frantisek Sumsal
0e336ea265
Merge pull request #25644 from yuwata/escape-fix-octescape
escape: fix octescape()
2022-12-06 15:22:08 +00:00
Yu Watanabe
f4ee7b98c4 network: drop REMOVING flag when a netlink message is sent to kernel
When an interface goes to down, the kernel drops several routes
automatically, and at the same time networkd requests to remove
them, but the kernel sometimes does not respond the requests. Hence,
the routes cannot drop the REMOVING flag, and networkd will never try
to configure other routes which depend on the previously removed
routes even if they are already reconfigured.

With this patch, when networkd sends a request to configure a route
(or any other network settings), REMOVING flag for the route is dropped
without waiting for the reply about the previous remove request, as we
can expect it will appear even if it is already removed or under removing.

Fixes #24999.
2022-12-06 16:01:01 +01:00
Luca Boccassi
0927ae6a5c
Merge pull request #25645 from yuwata/boot-fix-false-maybe-uninitialized
boot: fix false maybe-uninitialized warning
2022-12-06 16:00:10 +01:00
Aidan Dang
b04ff66b42 Implement --luks-pbkdf-force-iterations for homed 2022-12-06 15:56:11 +01:00
Zbigniew Jędrzejewski-Szmek
9551c46a3d man: reword sentence
"Such as … suchlike" repeats too much.
2022-12-06 11:44:30 +01:00
Zbigniew Jędrzejewski-Szmek
6ed3aca5c3 meson: build a standalone version of systemd-shutdown
I'd like to use this as a basis for an exitrd:

When compiled with -Dstandalone-binaries=true -Db_lto=true -Dbuildtype=release,
the new file is 800k. It's more than I'd like, but still quite a bit less
than libsystemd-shared.so, which is 3800k.
2022-12-06 10:15:54 +01:00
Zbigniew Jędrzejewski-Szmek
9702d82414 test: do the --help/--version checks for repart.standalone too 2022-12-06 10:15:54 +01:00
Jian Zhang
23b6bf274f test-network: add test for bond mac address config
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
2022-12-06 14:41:31 +08:00
Yu Watanabe
64e7a14146
Merge pull request #25559 from intelfx/work/systemd-importd-quotas
import: wire up SYSTEMD_IMPORT_BTRFS_{SUBVOL,QUOTA} to importd
2022-12-06 14:05:35 +09:00