IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
In a couple of recent CI runs I noticed TEST-36 failing due to a missed
service exit notification and a subsequent fail of the `grep` command:
```
[ 257.112153] H systemd[1]: Started numa-test.service.
[ 257.114343] H systemd[899]: numa-test.service: Failed to set NUMA memory policy: Invalid argument
[ 257.118270] H systemd[899]: numa-test.service: Failed at step NUMA_POLICY spawning /bin/sleep: Invalid argument
[ 257.126170] H systemd[1]: Bus private-bus-connection: changing state RUNNING → CLOSING
[ 257.130290] H systemd[1]: numa-test.service: Failed to send unit change signal for numa-test.service: Connection reset by peer
[ 257.131567] H systemd[1]: Received SIGCHLD from PID 899 ((sleep)).
[ 257.132870] H systemd[1]: Got disconnect on private connection.
[ 257.134299] H systemd[1]: systemd-journald.service: Got notification message from PID 498 (FDSTORE=1)
[ 257.135611] H systemd[1]: systemd-journald.service: Added fd 38 (n/a) to fd store.
[ 257.136999] H systemd[1]: systemd-journald.service: Received EPOLLHUP on stored fd 38 (stored), closing.
[ 257.366996] H testsuite-36.sh[536]: + stopJournalctl
[ 257.366996] H testsuite-36.sh[536]: + local unit=init.scope
[ 257.366996] H testsuite-36.sh[536]: + echo 'Force journald to write all queued messages'
[ 257.366996] H testsuite-36.sh[536]: Force journald to write all queued messages
[ 257.366996] H testsuite-36.sh[536]: + journalctl --sync
[ 257.488642] H systemd-journald[498]: Received client request to rotate journal.
[ 257.520821] H testsuite-36.sh[536]: + journalctl -u init.scope --cursor-file=jounalCursorFile
[ 257.981399] H testsuite-36.sh[536]: + pid1StopUnit numa-test.service
[ 257.984533] H testsuite-36.sh[536]: + systemctl stop numa-test.service
[ 258.173656] H systemd[1]: Bus private-bus-connection: changing state AUTHENTICATING → RUNNING
[ 258.180710] H systemd[1]: numa-test.service: Trying to enqueue job numa-test.service/stop/replace
[ 258.182424] H systemd[1]: Added job numa-test.service/stop to transaction.
[ 258.185234] H systemd[1]: numa-test.service: Installed new job numa-test.service/stop as 738
[ 258.187017] H systemd[1]: numa-test.service: Enqueued job numa-test.service/stop as 738
[ 258.239930] H testsuite-36.sh[536]: + grep 'numa-test.service: Main process exited, code=exited, status=242/NUMA' journal.log
```
Let's mitigate this by checking the test service exit status directly
instead of relying on the notification.
This commit adds a new Verity= setting to repart definition files
with two possible values: "data" and "hash".
If Verity= is set to "data", repart works as before, and populates
the partition with the content from CopyBlocks= or CopyFiles=.
If Verity= is set to "hash", repart will try to find a matching
data partition with Verity=data and equal values for CopyBlocks=
or CopyFiles=, Format= and MakeDirectories=. If a matching data
partition is found, repart will generate verity hashes for that
data partition in the verity partition. The UUID of the data
partition is set to the first 128 bits of the verity root hash. The
UUID of the hashes partition is set to the final 128 bits of the
verity root hash.
Fixes#24559
On certain systems the `install_libnss()` function might end up with an
empty list of libraries to install, which triggers an assertion in
`image_install()`:
```
I: Install libnss
..//test-functions: line 2721: 1: parameter null or not set
make: *** [Makefile:4: setup] Error 1
```
E.g.:
```
# LD_DEBUG=files getent passwd 2>&1 >/dev/null | sed -n '/calling init: .*libnss_/ {s!^.* /!/!; p}'
/lib64/libnss_sss.so.2
/lib64/libnss_systemd.so.2
# dnf -y remove sssd-client systemd-libs
# LD_DEBUG=files getent passwd 2>&1 >/dev/null | sed -n '/calling init: .*libnss_/ {s!^.* /!/!; p}'
<no output>
```
Let's handle this case gracefully.
Until now using the INTERACTIVE_DEBUG=yes stuff together with sanitizers
was almost impossible, since the console kept eating up our inputs or
not responding at all. After a painful day of debugging I noticed that
if we use a shell script in the initrd -> root transition, we might end up
with a plymouthd still running, which kept screwing with the tty.
E.g. with initrd -> wrapper -> systemd transition, where the `wrapper`
is a simple script:
```
exec -- /usr/lib/systemd/systemd "$@"
```
we'd end up with a stray plymouthd process after the bootup:
```
1 0 440 2 20 0 0 0 worker I ? 0:00 [kworker/5:2-ata_sff]
1 0 453 2 20 0 0 0 worker I ? 0:00 [kworker/9:2-rcu_gp]
5 0 456 1 20 0 7252 1960 do_epo S ? 0:00 @usr/sbin/plymouthd --mode=boot --pid-file=/run/plymouth/pid --attach-to-session
```
After killing it, the tty works finally as expected.
The loading of an extension image from a symlink "NAME.raw" to
"NAME-VERSION.raw" failed because the release file name check worked
with the backing file of the loop device which already resolves the
symlink and thus the found name "NAME-VERSION" mismatched "NAME".
Pass the original filename and use it instead of the backing file
when available. This fixes the loading of "NAME.raw" extensions which
are a symlink to "NAME-VERSION.raw" as, e.g., may be the case when
systemd-sysupdate manages multiple versions.
Fixes https://github.com/systemd/systemd/issues/24293
Dumping everything to console slows the test quite considerably on
slower machines, so let's forward nspawn logs to the journal to still
have them available in case something goes south.
This should, hopefully, help with TEST-13 timeouts in Ubuntu CI and
maybe with CPU soft lockups in CentOS CI.
This should make the test faster on fast machines and more reliable on
slower/under-load machines, where the 4 sec sleep wasn't sometimes enough.
Spotted on C8S machines under load:
```
test_added_after (__main__.ExecutionResumeTest) ... FAIL
test_added_before (__main__.ExecutionResumeTest) ... ok
test_interleaved (__main__.ExecutionResumeTest) ... ok
test_issue_6533 (__main__.ExecutionResumeTest) ... ok
test_no_change (__main__.ExecutionResumeTest) ... ok
test_removal (__main__.ExecutionResumeTest) ... ok
test_swapped (__main__.ExecutionResumeTest) ... ok
======================================================================
FAIL: test_added_after (__main__.ExecutionResumeTest)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test/test-exec-deserialization.py", line 101, in check_output
with open(self.output_file, 'r') as log:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpjnec1dj4'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./test/test-exec-deserialization.py", line 150, in test_added_after
self.check_output(expected_output)
File "./test/test-exec-deserialization.py", line 104, in check_output
self.fail()
AssertionError: None
----------------------------------------------------------------------
Ran 7 tests in 44.270s
```
New directive `NetLabel=` provides a method for integrating static and dynamic
network configuration into Linux NetLabel subsystem rules, used by Linux
Security Modules (LSMs) for network access control. The label, with suitable
LSM rules, can be used to control connectivity of (for example) a service with
peers in the local network. At least with SELinux, only the ingress can be
controlled but not egress. The benefit of using this setting is that it may be
possible to apply interface independent part of NetLabel configuration at very
early stage of system boot sequence, at the time when the network interfaces
are not available yet, with netlabelctl(8), and the per-interface configuration
with systemd-networkd once the interfaces appear later. Currently this feature
is only implemented for SELinux.
The option expects a single NetLabel label. The label must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.
Example:
```
[DHCPv4]
NetLabel=system_u:object_r:localnet_peer_t:s0
```
With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.123/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation
```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```
Result:
```
$ sudo netlabelctl -p unlbl list
...
interface: eth0
address: 10.0.0.0/8
label: "system_u:object_r:localnet_peer_t:s0"
...
```
This reverts commit 1a0e065e9f.
This does not work as expected.
After `losetup --detach`, the kernel lazily removes the loop device.
But, systemd-dissect should gracefully handle that. If it does not, then
it is a bug in systemd-dissect.
Let's not hide the real issue in systemd-dissect.
delv on Ubuntu defaults to /etc/bind/bind.keys instead of /etc/bind.keys
when reading trust anchors, so let's create a symlink to make the test
work there as well.
Resolves: #24453
Set both timeouts to some reasonable values instead of just `infinity`
to provide some form of a safe-net in case the test goes haywire and the
environment didn't set the timeouts itself (like our CIs do).
CIs set QEMU and nspawn timeouts by themselves which reflect their needs
and possibilities, so let's respect that value, instead of using one
pre-set value which might or might not work for all of them.
Both Ubuntu CI and CentOS CI set these values themselves.
to avoid scope clashing in case some previous test crashed and/or didn't
clean up properly. Currently all test machines are called `root`, since
the name is automagically derived from the container path (in this case
`/var/tmp/systemd-test.XXXXXX/root`).
E.g. (from Ubuntu CI):
```
[23:10:12] --x-- Running TEST-71-HOSTNAME --x--
make: Entering directory '/tmp/autopkgtest.5LjnBV/build.0mE/systemd/test/TEST-71-HOSTNAME'
+ make -C TEST-71-HOSTNAME setup run
TEST-71-HOSTNAME SETUP: test hostnamed
Reusing existing cached image /tmp/autopkgtest.5LjnBV/build.0mE/systemd/test/TEST-71-HOSTNAME/../default.img → /tmp/autopkgtest.5LjnBV/build.0mE/systemd/test/default.img
'/var/tmp/systemd-test.1yy2SS/default.img' -> '/tmp/autopkgtest.5LjnBV/build.0mE/systemd/test/default.img'
I: Masking supporting services
'/var/tmp/systemd-test.1yy2SS/root/etc/systemd/system/systemd-hwdb-update.service' -> '/dev/null'
'/var/tmp/systemd-test.1yy2SS/root/etc/systemd/system/systemd-journal-catalog-update.service' -> '/dev/null'
'/var/tmp/systemd-test.1yy2SS/root/etc/systemd/system/systemd-networkd.service' -> '/dev/null'
'/var/tmp/systemd-test.1yy2SS/root/etc/systemd/system/systemd-networkd.socket' -> '/dev/null'
'/var/tmp/systemd-test.1yy2SS/root/etc/systemd/system/systemd-resolved.service' -> '/dev/null'
TEST-71-HOSTNAME RUN: test hostnamed
+ env --unset=UNIFIED_CGROUP_HIERARCHY --unset=SYSTEMD_NSPAWN_UNIFIED_HIERARCHY timeout --foreground 1200 /bin/systemd-nspawn --register=no --kill-signal=SIGKILL --directory=/var/tmp/systemd-test.1yy2SS/root --setenv=SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/testsuite-71.units:/usr/lib/systemd/tests/testdata/units: /lib/systemd/systemd systemd.unit=testsuite.target systemd.wants=testsuite-71.service systemd.wants=end.service
Spawning container root on /var/tmp/systemd-test.1yy2SS/root.
Press ^] three times within 1s to kill container.
Failed to allocate scope: Unit root.scope already exists.
E: nspawn failed with exit code 1
```
I don't see where it would ever be a good thing that file copies done
via tmpfiles.d/ C lines cause the tmpfiles operation to fail if their
source happens to be missing. It's a problem if we can't set up the
destination properly (which is the job of systemd-tmpfiles after all),
but if the source is simply missing (NB: setting up the source is the job of
of the rules writer) this shouldn't be a problem.
This is useful for copying stuff into place if it happens to exist. For
example, if systemd-stub passes additional data into the initrd's
/.extra/ directory, we can copy it into a better place (e.g. /run/) with
this, where it will survive the initrd→host transition.
This mirrors behaviour of the recently added "^" line modifier which may
be used source "w" lines from credentials – there two the behaviour is
to simply skip the line if the source is missing.
getopt allows non-ambiguous abbreviations, so backwards-compat is maintained, and
people can use --kill-who (or even shorter abbreviations). English is flexible,
so in common speach people would use both forms, even if "whom" is technically
more correct. The advantage of using the longer form in the code is that we
effectively allow both forms, so we stop punishing people who DTGCT¹, but still
allow people to use the spoken form if they prefer.
1. Do the gramatically correct thing
When a service unit Requires= a socket, and the socket is restarted while the
service is in state=activating, the propagated restart is being discarded. This
is contrary to the documentation for Requires=, which states "this unit will be
stopped (or restarted) if one of the other units is explicitly stopped (or
restarted)".
Otherwise we might never hit the trigger limit and wait indefinitely.
Found when trying to run the test on an EC2 xen machine without a nested
virt in CentOS CI (in preparations for some ... unforseseen consequences).
/bin/sh as a shell is punishing. There is no good reason to make
the occasional root login unpleasant.
Since /bin/sh is usually /bin/bash in compat mode, i.e. if one is
available, the other will be too, /bin/bash is almost as good as a default.
But to avoid a regression in the situation where /bin/bash (or
DEFAULT_USER_SHELL) is not installed, we check with access() and fall back
to /bin/sh. This should make this change in behaviour less risky.
(FWIW, e.g. Fedora/RHEL use /bin/bash as default for root.)
This is a follow-up of sorts for 53350c7bba,
which added the default-user-shell option, but most likely with the idea
of using /bin/bash less ;)
Fixes#24369.
When a service is triggered by a path unit, pass the
path unit name and the path that triggered it via env vars
to the spawned processes.
Note that this is best-effort, as there might be many triggers
at the same time, but we only get woken up by one.
Otherwise we might start writing to one of its partition before the
respective node is created under /dev, resulting in... interesting
stuff.
Resolves: #24390
The knot.service on Ubuntu Jammy loads an env file which we didn't
install, causing the service to fail:
```
knot.service: Will spawn child (service_enter_start_pre): /usr/sbin/knotc
knot.service: Failed to load environment files: No such file or directory
knot.service: Failed to run 'start-pre' task: No such file or directory
knot.service: Failed with result 'resources'.
knot.service: Service will not restart (restart setting)
```
Previously, the test would rely on the fact that systemd-hwdb would
follow symlinks outside of the --root= hierarchy. That's a bug however,
and systemd-hwdb shouldn't do that. Hence let's remove the fact that the
test relies on it, so that we can then fix systemd-hwdb (specifically:
conf_files_list()) accordingly.
In 'udevadm lock' the device /dev/loopX is locked instead of
/dev/loopXp1. Hence, 'udevadm wait' should wait for /dev/loopX.
For some reasons, the kernel sometimes does not emit uevent for
partitions, and 'udevadm wait' for partitions may fail.
Fixes#24360.
Some tests (like TEST-02) set a multiline string to $KERNEL_APPEND
(which is a valid thing to do), unfortunately we'd use only the first
line of it and throw the rest away, e.g:
```
$ printf "%s" "$x"
hello
this is a multiline
kernel command line
$ read -ra out <<< "$x"
$ printf "%s" "${out[@]}"
hello
```
Let's use readarray/mapfile instead to avoid this:
```
$ readarray out <<< "$x"
$ printf "%s" "${out[@]}"
hello
this is a multiline
kernel command line
```
We can't get any FS meta-data from a suspended device. Hence defer
making any plugged/unplugged decisions, i.e. we just import whatever was
previous state and skip processing all other rules.
Thanks Lennart Poettering <lennart@poettering.net> for suggesting this
solution.
libdevmapper/device mapper driver can return semi-random failures when
opening verity devices, and we have fallback code to deal with it.
But the test was not expecting the fallback path, so it became unreliable.
Fixes https://github.com/systemd/systemd/issues/23866
While I had tested that a symlink to /dev/null works to "mask" a sysext
I must have gotten something wrong and thus the instructions in
519c2f0d6b don't work. What works,
at least at the moment, is to instead have an empty directory with the
extension name under /etc/extensions/.
Correct the info in the man page and add a test for it.
When an extension image has binaries they should match the host
architecture. Currently there is no way to specify this requirement.
Introduce an ARCHITECTURE field in the extension's release file that
may be set to prevent loading on the wrong host architecture.
Since this new field is introduced late, we don't want to make
specifying it mandatory as it would break existing sysext images.
See https://github.com/systemd/systemd/issues/24061
A sysext image that merely contains static binaries has no dependency
on the host distribution and should be able to be used anywhere.
Support the special '_any' value for the ID field in the extension to
opt-out of ID and VERSION_ID/SYSEXT_LEVEL matching.
See https://github.com/systemd/systemd/issues/24061
Test the functionality implemented in the previous commit ("cryptsetup: ask for
PIN when trying to activate using a LUKS2 token plugin"): when "tpm2-device" is
not specified, systemd-cryptsetup calls crypt_activate_by_token_pin() to try to
unlock using a LUKS2 token plugin, test whether this is able to obtain the
provided PIN.
Previously it was possible to set delegate property for scope, but you
were not able to allow unprivileged process to manage the scope's cgroup
hierarchy. This is useful when launching manager process that will run
unprivileged but is supposed to manage its own (scope) sub-hierarchy.
Fixes#21683
systemd-measure is not built without gnu-efi, which is the case, for
example, on ppc64le. Let's skip the relevant test case in this case
instead of failing.
```
The Meson build system
Version: 0.58.2
...
Host machine cpu family: ppc64
Host machine cpu: ppc64le
...
Message: Skipping systemd-measure.1 because HAVE_GNU_EFI is false
...
[ 115.711775] testsuite-70.sh[745]: + cat
[ 115.741996] testsuite-70.sh[832]: + /usr/lib/systemd/systemd-measure calculate --linux=/tmp/tpmdata1 --initrd=/tmp/tpmdata2
[ 115.754015] testsuite-70.sh[833]: + cmp - /tmp/result
[ 115.758004] testsuite-70.sh[832]: /usr/lib/systemd/tests/testdata/units/testsuite-70.sh: line 56: /usr/lib/systemd/systemd-measure: No such file or directory
[ 115.773851] testsuite-70.sh[833]: cmp: EOF on - which is empty
[ 115.983681] sh[835]: + systemctl poweroff --no-block
```
crypt_init_data_device() replaces the crypt_device struct with a
new allocation, losing the old one, which we get from crypt_init().
Use crypt_set_data_device() instead.
Enhance the test to cover this option too.
This command takes a mountpoint, unmounts it and makes sure the
underlying partition devices and block device are removed before
exiting.
To mirror the --mount operation, we also add a --rmdir option which
does the opposite of --mkdir, and a -U option which is a shortcut
for --umount --rmdir.
On fast systems we might race against systemd and check the mount unit
after mounting it way too early before systemd had a chance to react to
the change.
```
[ 4.677701] H systemd[1]: Event source 0x210b3b0 (mount-monitor-dispatch) entered rate limit state.
...
[ 4.863731] H testsuite-64.sh[812]: + mount /logsysfsRxx
[ 4.865918] H kernel: EXT4-fs (vda2): mounted filesystem with ordered data mode. Opts: (null)
[ 4.866213] H testsuite-64.sh[812]: + systemctl status /logsysfsRxx
[ 4.877502] H testsuite-64.sh[919]: ○ logsysfsRxx.mount - /logsysfsRxx
[ 4.877502] H testsuite-64.sh[919]: Loaded: loaded (/etc/fstab; generated)
[ 4.877502] H testsuite-64.sh[919]: Active: inactive (dead)
[ 4.877502] H testsuite-64.sh[919]: Where: /logsysfsRxx
[ 4.877502] H testsuite-64.sh[919]: What: /dev/disk/by-uuid/deadbeef-dead-dead-beef-222222222222
[ 4.877502] H testsuite-64.sh[919]: Docs: man:fstab(5)
[ 4.877502] H testsuite-64.sh[919]: man:systemd-fstab-generator(8)
[ 4.877502] H testsuite-64.sh[919]: Aug 03 10:10:10 H systemd[1]: logsysfsRxx.mount: Processing implicit device dependencies
[ 4.877502] H testsuite-64.sh[919]: Aug 03 10:10:10 H systemd[1]: logsysfsRxx.mount: Added Requires dependency on /dev/disk/by-uuid/deadbeef-dead-dead-beef-222222222222
[ 4.877502] H testsuite-64.sh[919]: Aug 03 10:10:10 H systemd[1]: logsysfsRxx.mount: Added StopPropagatedFrom dependency on /dev/disk/by-uuid/deadbeef-dead-dead-beef-222222222222
[ 4.895683] H sh[920]: + systemctl poweroff --no-block
[ 4.906533] H systemd[1]: Found unit logsysfsRxx.mount at /run/systemd/generator/logsysfsRxx.mount (regular file)
[ 4.906594] H systemd[1]: Preset files don't specify rule for logsysfsRxx.mount. Enabling.
[ 4.906990] H systemd[1]: testsuite-64.service: Main process exited, code=exited, status=3/NOTIMPLEMENTED
[ 4.907057] H systemd[1]: testsuite-64.service: Failed with result 'exit-code'.
[ 4.907287] H systemd[1]: Failed to start testsuite-64.service.
[ 4.955293] H systemd[1]: Starting end.service...
[ 4.955736] H systemd-logind[809]: The system will power off now!
[ 4.955868] H systemd-logind[809]: System is powering down.
[ 4.975781] H systemd[1]: Event source 0x210b3b0 (mount-monitor-dispatch) left rate limit state.
[ 4.975821] H systemd[1]: logsysfsRxx.mount: Processing implicit device dependencies
[ 4.975857] H systemd[1]: logsysfsRxx.mount: Added Requires dependency on /dev/vda2
[ 4.975893] H systemd[1]: logsysfsRxx.mount: Added StopPropagatedFrom dependency on /dev/vda2
[ 4.975928] H systemd[1]: Unit blockdev@dev-vda2.target has alias blockdev@.target.
[ 4.975967] H systemd[1]: logsysfsRxx.mount: Added After dependency on /dev/vda2
[ 4.976081] H systemd[1]: logsysfsRxx.mount: Changed dead -> mounted
```
Since the library is dlopen()ed by libpthread and required during
pthread_exit()/pthread_cancel(), let's install it explicitly if available to
avoid unexpected fails in tests. This also consolidates all related
workarounds for this library across the test scripts.
systemd-sysctl currently fails silently under any of these conditions:
- Missing permission to write a sysctl.
- Invalid sysctl (path doesn't exists).
- Ignore failure flag ('-' in front of the sysctl name).
Because of this behaviour, configuration issues can go unnoticed as
there is no way to detect those unless going through the logs.
--strict option forces systemd-sysctl to fail if a sysctl is invalid or
if permission are insufficient. Errors on sysctl marked as "ignore
failure" will still be ignored.
That's not necessary. Moreover, if the socket units are stopped in
`setUpModule()`, then there exists a short timespan that we cannot call
`udevadm control`, as the control socket may not be opened yet.
If we run whole tests, then the first test is
NetworkctlTests.test_altname, and it calls `udevadm control` in `setUp()`.
Hence, the test may fail.
Fixes https://github.com/systemd/systemd-centos-ci/pull/512#issuecomment-1191591008.
