1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

1230 Commits

Author SHA1 Message Date
Sam James
dde6f1d745 meson: search for 'bpf-unknown-none' too
We currently search for 'bpf-gcc' and 'bpf-none-gcc'. Gentoo's
sys-devel/bpf-toolchain package uses 'bpf-unknown-none-gcc', as does Fedora's
cross-binutils. Search for this name too.
2024-08-25 02:31:59 +09:00
Adrian Vovk
bf2c741fd7
sysupdate: Implement systemd-sysupdated dbus service
Co-authored-by: Tom Coldrick <thomas.coldrick@codethink.co.uk>
Co-authored-by: Abderrahim Kitouni <abderrahim.kitouni@codethink.co.uk>
2024-08-21 09:31:41 +01:00
Yu Watanabe
f548bc4011 meson: enable -Wunterminated-string-initialization
With af1a6db58f, now we can build with the
option.
2024-08-07 13:34:36 +02:00
Michal Sekletar
68511cebe5 coredump: generate properly symbolized stacktrace for containerized processes 2024-08-06 18:32:42 +02:00
Daan De Meyer
ad723ca3e5 meson: Use -fstrict-flex-arrays=3
Let's explicitly pass the value to -fstrict-flex-arrays. This does
not change behavior but it does (selfishly) make my error not bug
out with an error saying -fstrict-flex-arrays does not exist.
2024-08-04 09:55:45 +09:00
Daan De Meyer
944faf6598 Make vcs-tag do something useful for non-developer mode as well
When building packages of arbitrary commits of systemd-stable,
distributors might want to include a git sha of the exact commit
they're on. Let's extend vcs-tag a little to make this possible.

If we're on a commit matching a tag, don't generate a git sha at all.
If we're not on a commit matching a tag, generate a vcs tag as usually.
However, if we're not in developer mode, don't append a '^' if the tree
is dirty to accomodate package builds applying various patches to the
tree which shouldn't be considered as "dirty" edits.
2024-07-22 12:04:40 +02:00
Dominique Martinet
8da20e3fe2 meson: fix missing failure if bpf-framework was enabled
If building with clang and clang does not support bpf, then enabling
-Dbpf-framework=enabled would silently drop the feature (even printing
bpf-framework: enabled in the meson build recap, and no message anywhere
that'd hint at the failure!)

This is unexpected, so add check to fail hard in this case.

All other code paths (gcc, missing bpftool) properly check for the
option, but it is not as easy for a custom command so check explicitly
2024-07-20 15:59:34 +02:00
Daan De Meyer
d279ec4a50 mkosi: Streamline running the integration tests without building systemd
Let's document in detail how to build the integration test image and run
the integration tests without building systemd. To streamline the process,
we stop automatically using binaries from build/ when invoking mkosi directly
and don't automatically use a tools tree anymore if systemd on the host is too
old. Instead, we document these options in HACKING.md and change the mkosi meson
target to automatically use the current build directory as an extra binary search
path for mkosi.
2024-07-18 11:39:07 +02:00
Lennart Poettering
25ff515b39 sd-varlink: make our internal Varlink API public as sd-varlink.[ch]
It's time. sd-json was already done earlier in this cycle, let's now
make sd-varlink public too.

This is mostly just a search/replace job of epical proportions.

I left some functions internal (mostly IDL handling), and I turned some
static inline calls into regular calls.
2024-07-16 11:57:32 +02:00
Zbigniew Jędrzejewski-Szmek
c80c5c20d4
Merge pull request #33599 from keszybz/link-executor-statically
Link executor statically
2024-07-08 12:46:41 +02:00
Daan De Meyer
6a4fcf8cef meson: Fix various versions
Follow up for 8b3b01c4b7

We switch to PROJECT_VERSION instead of PROJECT_VERSION_FULL where
we report our version and which is likely being parsed to avoid
breaking compat. If we didn't, the output would change from systemd
255 to systemd 255.1 which could break various tools.
2024-07-04 19:28:12 +02:00
Zbigniew Jędrzejewski-Szmek
732ed8a84e meson: rename libbasic to libbasic_static
Our variables for internal libraries are named 'libfoo' for the shared lib
variant, and 'libfoo_static' for the static lib variant. The only exception was
libbasic, because we didn't have a shared variant for it. But let's rename it
for consitency. This makes the build config easier to understand.
2024-07-03 17:25:26 +02:00
Daan De Meyer
48d6dad100 meson: Define __TARGET_ARCH macros required by bpf
These are required by the bpf_tracing.h header in libbpf, see
https://github.com/libbpf/libbpf/blob/master/src/bpf_tracing.h.

bpf_tracing.h does have a few fallbacks in case __TARGET_ARCH_XXX
is not defined but recommends using the __TARGET_ARCH macros instead
so let's do that.
2024-07-03 01:16:35 +02:00
Zbigniew Jędrzejewski-Szmek
28f1f1a5e6 Drop support for nscd
nscd is known to be racy [1] and it was already deprecated and later dropped in
Fedora a while back [1,2]. We don't need to support obsolete stuff in systemd,
and the cache in systemd-resolved provides a better solution anyway.

We announced the plan to drop nscd in d44934f378.

[1] https://fedoraproject.org/wiki/Changes/DeprecateNSCD
[2] https://fedoraproject.org/wiki/Changes/RemoveNSCD

The option is kept as a stub without any effect to make the transition easier.
2024-06-28 18:51:56 +02:00
Daan De Meyer
b00f44c3cf meson: Drop genkey target
In mkosi.images/system/mkosi.conf, we configure the certificate as
an extra tree so it's available inside the image. However, we pick up
the certificate from the top level repository directory and not from the
build directory where it is generated by the genkey meson target.

We currently have no way to access the build directory that mkosi was
invoked from when parsing the configuration file. Thus we have no way to
specify the correct location to the certificate when it's located in the
build directory.

For now, let's look for the key and certificate in the top level repository
root directory and drop the genkey target.

We don't have to change the Github Actions CI because it already runs genkey
manually before the image build (which is something we forgot to remove when
introducing the genkey target and is the reason this didn't cause issues before).
2024-06-28 10:20:10 +02:00
Florian Schmaus
016e9d8d08 core/exec-invoke: use sched_setattr instead of sched_setscheduler
The kernel's sched_setattr interface allows for more control over a processes
scheduling attributes as the previously used sched_setscheduler interface.

Using sched_setattr is also the prerequisite for support of utilization
clamping (UCLAMP [1], see #26705) and allows to set sched_runtime. The latter,
sched_runtime, will probably become a relevant scheduling parameter of the
EEVDF scheduler [2, 3], and therefore will not only apply to processes
scheduled via SCHED_DEADLINE, but also for processes scheduled via
SCHED_OTHER/SCHED_BATCH (i.e., most processes).

1: https://docs.kernel.org/next/scheduler/sched-util-clamp.html
2: https://lwn.net/Articles/969062/
3: https://lwn.net/ml/linux-kernel/20240405110010.934104715@infradead.org/
2024-06-26 20:54:53 +02:00
Johannes Schneider
b608bf5620 meson: bpf: propagate 'sysroot' for cross compilation
During cross-compilation of systemd, the compiler used to build the bpf's needs
to be pointed at the correct include searchpath. Which can be done by passing
the corresponding directory in through the cflags; for example in yocto/bitbake
this would work: CFLAGS += "--sysroot=${STAGING_DIR_TARGET}"

Signed-off-by: Johannes Schneider <johannes.schneider@leica-geosystems.com>
2024-06-21 08:25:58 +09:00
Zbigniew Jędrzejewski-Szmek
bfd5a0687f various: move const ptr indicator to return value 2024-06-19 16:28:28 +02:00
Lennart Poettering
309a747fa6 libsystemd: turn json.[ch] into a public API
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).

I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn#t risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).

This is mostly a giant search/replace patch.
2024-06-12 18:42:22 +02:00
Daan De Meyer
b99b294127 repart: Use crypt_reencrypt_run() if available
crypt_reencrypt() is deprecated, so let's look for and prefer
crypt_reencrypt_run() if it is available.
2024-06-12 18:53:37 +09:00
Daan De Meyer
b7865c2408 meson: Pass -Wno-deprecated-declarations when detecting libcryptsetup functions
Otherwise we fail to detect crypt_reencrypt() if -Werror is used.
2024-06-03 12:52:48 +02:00
Luca Boccassi
4b4393466a meson: add static libs to libudev/libsystemd target aliases
If static libraries are enabled, then group them in the build target together
with the shared libraries, to match the install tags.
2024-06-01 00:38:26 +02:00
Luca Boccassi
d12018ca18 meson: add alias targets to group nss and pam modules
Add aliases grouping these modules, so that they can be built
without knowing the SONAME version in advance. Match the install
tag names.
2024-05-31 23:57:24 +02:00
Zbigniew Jędrzejewski-Szmek
822ee89b95 meson: fix comment 2024-05-31 13:34:58 +02:00
Zbigniew Jędrzejewski-Szmek
95a248c56f
Merge pull request #33008 from fbuihuu/optionally-link-ssh-dropins
Optionally link ssh dropins
2024-05-28 16:02:40 +02:00
Daan De Meyer
096f923f7a meson: Run genkey command with --force
Sometimes meson decides to rerun the command even if the files already
exist. Let's run with --force so we don't fail if that's the case.
2024-05-27 17:48:55 +02:00
Franck Bui
50d80ec5ac meson: don't put a symlink pointing to '20-systemd-userdb.conf' in /etc in all cases
It's only needed on distros where sshd doesn't support drop-ins in /usr, which
is not the case on SUSE.
2024-05-27 17:20:55 +02:00
Franck Bui
de0f11d790 meson: don't put a symlink pointing to '20-systemd-ssh-proxy.conf' in /etc in all cases
On distros like SUSE where ssh config dropins in /usr are supported, there's no
need for a symlink in /etc/ssh/ssh_config.d/ that points to the dropin
installed somewhere in /usr (that is not reachable by ssh).
2024-05-27 17:20:26 +02:00
Daan De Meyer
2189b3268d meson: Add genkey target
Let's automatically generate keys instead of requiring developers to
do it manually.
2024-05-27 12:02:31 +02:00
Daan De Meyer
e2f9f3409a meson: Look up mkosi once 2024-05-27 12:02:31 +02:00
Michal Sekletar
9d8533b715 libsystemd: link with '-z nodelete'
We want to avoid reinitialization of our global variables with static
storage duration in case we get dlopened multiple times by the same
application. This will avoid potential resource leaks that could have
happened otherwise (e.g. leaking journal socket fd).
2024-05-22 22:09:25 +02:00
Lennart Poettering
d6bfc3d889 pidfd: properly detect if libc offers pidfd syscalls and make use of them then
We never updated the meson checks when glibc finally learned about these
syscalls, address that.
2024-05-08 15:36:40 +02:00
Lennart Poettering
cd7c207795 tree-wide: add dlopen ELF notes to all dlopen() deps of ours
Use 'recommended' priority for the default compression library, to
indicate that it should be prioritized over the other ones, as it
will be used to compress journals/core files.
Also use 'recommended' for kmod, as systems will likely fail to boot
if it's missing from the initrd.
Use 'suggested' for everything else.

There is one dlopen'ed TPM library that has the name generated
at runtime (depending on the driver), so that cannot be added, as it
needs to be known at build time.
Also when we support multiple ABI versions list them all, as for the
same reason we cannot know which one will be used at build time.

$ dlopen-notes.py build/libsystemd.so.0.39.0 build/src/shared/libsystemd-shared-256.so
libarchive.so.13 suggested
libbpf.so.0 suggested
libbpf.so.1 suggested
libcryptsetup.so.12 suggested
libdw.so.1 suggested
libelf.so.1 suggested
libfido2.so.1 suggested
libgcrypt.so.20 suggested
libidn2.so.0 suggested
libip4tc.so.2 suggested
libkmod.so.2 recommended
liblz4.so.1 suggested
liblzma.so.5 suggested
libp11-kit.so.0 suggested
libpcre2-8.so.0 suggested
libpwquality.so.1 suggested
libqrencode.so.3 suggested
libqrencode.so.4 suggested
libtss2-esys.so.0 suggested
libtss2-mu.so.0 suggested
libtss2-rc.so.0 suggested
libzstd.so.1 recommended

Co-authored-by: Luca Boccassi <bluca@debian.org>
2024-05-08 11:07:36 +01:00
Daan De Meyer
38db5eff34 test: Only set environment variable if integration tests are enabled.
If we set it to '0' if integration tests are not enabled then we can't
enable them from the command line since environment from meson takes
priority over environment variables from the command line.

We also rename the related variables to avoid conflicts with the
existing integration_tests variable.
2024-05-06 10:56:54 +02:00
Daan De Meyer
69e02d94f5 meson: Remove --debug from mkosi arguments
The exit status issue for which we introduced this was fixed so
let's remove --debug again to make the meson output less verbose.
2024-05-05 14:49:21 +02:00
Luca Boccassi
6c699c61ca meson: bump libbpf dependency to 1.4.0 when using gcc
bpf_core_type_id_kernel() needs libbpf 1.4.0 when building with gcc
rather than clang, so bump the dependency accordingly.

More precisely, the following change is needed:

b19fdbf1be

Related to: https://github.com/systemd/systemd/issues/31869

Follow-up for 8aee931e7a
2024-04-30 01:17:03 +02:00
Luca Boccassi
8d6e439aae meson: copy prefix mapping CFLAGS when building BPF objects
Otherwise the filenames will contain variable paths and break reproducibility
2024-04-29 19:00:34 +02:00
Luca Boccassi
aab7bb5968 meson: define 's390' for 's390x' when building BPF objects
The kernel headers match on __s390__ so the build fails

../src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c:159:6: error: Must specify a BPF target arch via __TARGET_ARCH_xxx
void BPF_KPROBE(userns_restrict_free_user_ns, struct work_struct *work) {
     ^
/usr/include/bpf/bpf_tracing.h:817:20: note: expanded from macro 'BPF_KPROBE'
        return ____##name(___bpf_kprobe_args(args));                        \
                          ^
/usr/include/bpf/bpf_tracing.h:797:41: note: expanded from macro '___bpf_kprobe_args'
                                        ^
/usr/include/bpf/bpf_helpers.h:195:29: note: expanded from macro '___bpf_apply'
                            ^
note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
/usr/include/bpf/bpf_tracing.h:789:72: note: expanded from macro '___bpf_kprobe_args1'
                                                                       ^
/usr/include/bpf/bpf_tracing.h:563:29: note: expanded from macro 'PT_REGS_PARM1'
                            ^
<scratch space>:125:6: note: expanded from here
 GCC error "Must specify a BPF target arch via __TARGET_ARCH_xxx"
2024-04-29 15:20:39 +02:00
Luca Boccassi
d1b0407065 meson: update version numbers for 256~rc1 2024-04-25 22:26:08 +01:00
Daan De Meyer
ff4fe9dee2 meson: Properly check dependencies of mkosi target
Let's insist on mkosi being found if the integration-tests option
is enabled and let's only add dependencies on systemd-journal-remote
and systemd-measure if they're being built. Drop ukify from the list
as its part of public_programs.
2024-04-25 17:06:00 +02:00
Richard Maw
4933a51dc8 mkosi: Build images with --debug to aid debugging in CI 2024-04-24 17:33:22 +01:00
Daan De Meyer
b85e54961c test: Various mkosi integration test improvements
- Stop using logging module since the default output formatting is
  pretty bad. Prefer print() for now.
- Log less, logging the full mkosi command line is rather verbose,
  especially when it contains multi-line dropins.
- Streamline the journalctl command we output for debugging failed
  tests.
- Don't force usage of the disk image format.
- Don't force running without unit tests.
- Don't force disabling RuntimeBuildSources.
- Update documentation to streamline the command for running a single
  test and remove sudo as it's not required anymore.
- Improve the console output by having the test unit's output logged
  to both the journal and the console.
- Disable journal console log forwarding as we have journal forwarding
  as a better alternative.
- Delete existing journal file before running test.
- Delete journal files of succeeded tests to reduce disk usage.
- Rename system_mkosi target to just mkosi
- Pass in mkosi source directory explicitly to accomodate arbitrary
  build directory locations.
- Add test interactive debugging if stdout is connected to a tty
- Stop explicitly using the 'system' image since it'll likely be
  dropped soon.
- Only forward journal if we're not running in debugging mode.
- Stop using testsuite.target and instead just add the necessary
  extras to the main testsuite unit via the credential dropin.
- Override type to idle so test output is not interleaved with
  status output.
- Don't build mkosi target by default
- Always add the mkosi target if mkosi is found
- Remove dependency of the integration tests on the mkosi target
  as otherwise the image is always built, even though we configure
  it to not be built by default.
- Move mkosi output, cache and build directory into build/ so that
  invocations from meson and regular invocations share the same
  directories.
- Various aesthetic cleanups.
2024-04-23 10:32:42 +02:00
Richard Maw
945b722f13 test: Add mkosi-based integration test runner
The first two tests are included to ensure parallel test execution is
demonstrable.
2024-04-18 16:26:38 +01:00
Lennart Poettering
702a52f4b5 mountfsd: add new systemd-mountfsd component 2024-04-06 16:08:24 +02:00
Lennart Poettering
8aee931e7a nsresourced: add new daemon for granting clients user namespaces and assigning resources to them
This adds a small, socket-activated Varlink daemon that can delegate UID
ranges for user namespaces to clients asking for it.

The primary call is AllocateUserRange() where the user passes in an
uninitialized userns fd, which is then set up.

There are other calls that allow assigning a mount fd to a userns
allocated that way, to set up permissions for a cgroup subtree, and to
allocate a veth for such a user namespace.

Since the UID assignments are supposed to be transitive, i.e. not
permanent, care is taken to ensure that users cannot create inodes owned
by these UIDs, so that persistancy cannot be acquired. This is
implemented via a BPF-LSM module that ensures that any member of a
userns allocated that way cannot create files unless the mount it
operates on is owned by the userns itself, or is explicitly
allowelisted.

BPF LSM program with contributions from Alexei Starovoitov.
2024-04-06 16:08:24 +02:00
Lennart Poettering
593428680c build-sys: pick up vmlinux.h from running kernel BTF or user 2024-04-06 16:08:24 +02:00
Luca Boccassi
3abc3671f5
Merge pull request #31131 from poettering/dlopen-kmod
turn libkmod into a dlopen() dependency, too
2024-04-06 13:19:27 +01:00
Luca Boccassi
1ce28e5a24 meson: set -fno-ssa-phiopt when building bpf with gcc
There are bugs in the kernel verifier that cause legitimate code
to be rejected, disabling this optimization makes bpf programs
built with a new enough gcc work again.

Fixes https://github.com/systemd/systemd/issues/31888
2024-04-05 12:55:53 +09:00
Lennart Poettering
1d98716ef7 libkmod: turn into dlopen() dependency
As it turns out libkmod has quite a bunch of deps, including various
compressing libs and similar. By turning this into a dlopen()
dependency, we can make our depchain during install time quite a bit
smaller. In particular as inside of containers kmod doesn't help anyway
as CAP_SYS_MODULE is not available anyway.

While we are at it, also share the code that sets up logging/kmod
context.

After:

$ lddtree ./build/systemd
systemd => ./build/systemd (interpreter => /lib64/ld-linux-x86-64.so.2)
    libsystemd-core-255.so => ./build/src/core/libsystemd-core-255.so
        libaudit.so.1 => /lib64/libaudit.so.1
            libcap-ng.so.0 => /lib64/libcap-ng.so.0
                ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
        libm.so.6 => /lib64/libm.so.6
        libmount.so.1 => /lib64/libmount.so.1
            libblkid.so.1 => /lib64/libblkid.so.1
        libseccomp.so.2 => /lib64/libseccomp.so.2
        libselinux.so.1 => /lib64/libselinux.so.1
            libpcre2-8.so.0 => /lib64/libpcre2-8.so.0
    libsystemd-shared-255.so => /home/lennart/projects/systemd/build/src/shared/libsystemd-shared-255.so
        libacl.so.1 => /lib64/libacl.so.1
            libattr.so.1 => /lib64/libattr.so.1
        libcap.so.2 => /lib64/libcap.so.2
        libcrypt.so.2 => /lib64/libcrypt.so.2
        libgcrypt.so.20 => /lib64/libgcrypt.so.20
            libgpg-error.so.0 => /lib64/libgpg-error.so.0
        liblz4.so.1 => /lib64/liblz4.so.1
        libcrypto.so.3 => /lib64/libcrypto.so.3
            libz.so.1 => /lib64/libz.so.1
        libpam.so.0 => /lib64/libpam.so.0
            libeconf.so.0 => /lib64/libeconf.so.0
        liblzma.so.5 => /lib64/liblzma.so.5
        libzstd.so.1 => /lib64/libzstd.so.1
    libc.so.6 => /lib64/libc.so.6

Before:

$ lddtree ./build/systemd
systemd => ./build/systemd (interpreter => /lib64/ld-linux-x86-64.so.2)
    libsystemd-core-255.so => ./build/src/core/libsystemd-core-255.so
        libaudit.so.1 => /lib64/libaudit.so.1
            libcap-ng.so.0 => /lib64/libcap-ng.so.0
                ld-linux-x86-64.so.2 => /lib64/ld-linux-x86-64.so.2
        libkmod.so.2 => /lib64/libkmod.so.2
            libzstd.so.1 => /lib64/libzstd.so.1
            liblzma.so.5 => /lib64/liblzma.so.5
            libz.so.1 => /lib64/libz.so.1
            libcrypto.so.3 => /lib64/libcrypto.so.3
            libgcc_s.so.1 => /lib64/libgcc_s.so.1
        libm.so.6 => /lib64/libm.so.6
        libmount.so.1 => /lib64/libmount.so.1
            libblkid.so.1 => /lib64/libblkid.so.1
        libseccomp.so.2 => /lib64/libseccomp.so.2
        libselinux.so.1 => /lib64/libselinux.so.1
            libpcre2-8.so.0 => /lib64/libpcre2-8.so.0
    libsystemd-shared-255.so => /home/lennart/projects/systemd/build/src/shared/libsystemd-shared-255.so
        libacl.so.1 => /lib64/libacl.so.1
            libattr.so.1 => /lib64/libattr.so.1
        libcap.so.2 => /lib64/libcap.so.2
        libcrypt.so.2 => /lib64/libcrypt.so.2
        libgcrypt.so.20 => /lib64/libgcrypt.so.20
            libgpg-error.so.0 => /lib64/libgpg-error.so.0
        liblz4.so.1 => /lib64/liblz4.so.1
        libpam.so.0 => /lib64/libpam.so.0
            libeconf.so.0 => /lib64/libeconf.so.0
    libc.so.6 => /lib64/libc.so.6
2024-04-04 18:16:45 +02:00
Lennart Poettering
5360b10f29 ssh-generator: create privsep dir via tmpfiles.d/ if we are told to
To make it easy to have a workable ssh-generator on various distros,
let's optionally generate the ssh privsep dir via tmpfiles.d/ drop-in.

This enables the concept with a path of /run/sshd/ as default. This is
the path Debian/Ubuntu uses, and means that we just work on those
distros. Debian/Ubuntu is the only distro (apparently?) that puts the
privsep dir under /run/, hence always needs the dir to be created
manually. Other distros don't need it that much, because they place the
dir in /usr/ (fedora, best choice!) or /var/ (others, not ideal, because
still mutable).

Also adds a longer explanation about this in NEWS, in the hope that
distro maintaines read that and maybe start cleaning this up.

Alternative to: #31543
2024-04-04 01:01:10 +09:00