IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
When `SELinuxContext=` parameter is prefixed with `-`, the documentation states
that any errors determining or changing context should be ignored, but this
doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`.
Fix by adding checks to `context->selinux_context_ignore`.
Closes: #21057
Doing start rate limit checks before doing condition checks made
condition check failures count towards the start rate limit which
broke existing assumptions (see #21025). Run the rate limit checks
after the condition checks again to restore the previous behaviour.
We're actually falling back to `more` in the mkosi image which doesn't
behave quite the same as less which is somewhat annoying. Let's make
sure `less` is installed so systemd can use it as the pager.
The checks for finding a new available address in the pool were broken in two
ways: not using UINT32_TO_PTR() on hashmap lookups resulted in false negatives,
and the check wasn't skipping the server address if that was part of the pool.
Move the check for available addresses to a small helper function and fix both
issues, and also add a check to the REQUEST code for the server address.
The DHCP server configuration supports setting a maximum lease time, but old
leases are never actually cleared out if the client doesn't send a RELEASE.
This causes the pool to run out of addresses on networks where clients just
disappear, which is a fairly common occurrence on wireless networks.
Fix this by cleaning up expired leases before processing client requests, so
addresses can be reused for new clients.
This makes sure that a switch like --bind=:/foo does the right thing if
user namespacing is one: the backing dir should be owned by the
container's root UID not the host's. Thus, whenever the source path is
left empty and we automatically generate a source dir as temporary
directory, ensure it's owned by the right UID.
Fixes: #20869
This shows the cgroup tree of the root slice of the container now, by
querying the cgroup pid tree via the bus instead of going directly to
the cgroupfs.
A fallback is kept for really old systemd versions where querying the
PID tree was not available.
Fixes: #20958
Otherwise we likely show rubbish because even in local containers we
nowadays have cgroup namespacing, hence we likely can't access the
cgroup tree from the host at the same place as inside the container.
The utility function parse_integrity_options is used to both validate
integritytab options or validate and return values. In the case where
we are validating only and we have specific value options we will
assert.
Those devices show up as /sys/devices/vif-N, let's use that number
to name them enXN.
Without this, all schemes fail and they keep the kernel names, which can
be racy.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
To prevent situations like in #17602 from happening, let's drop
direct recursive template dependencies. These will almost certainly
lead to infinite recursion so let's drop them immediately to avoid
instantiating potentially thousands of irrelevant units.
Example of a template that would lead to infinite recursion which
is caught by this check:
notify@.service:
```
[Unit]
Wants=notify@%n.service
```
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.
An example (simplified, but real) use case:
foo.service:
StateDirectory=foo
bar.service:
StateDirectory=bar
foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo
bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar
foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.
To keep backward compatibility, new DBUS messages are added.
This teachs the LUKS backend UID mapping, similar to the existing
logic for the "directory", "subvolume" and "fscrypt" backends: the files
will be owned by "nobody" on the fs itself, but will be mapped to
logging in user via uidmapped mounts.
This way LUKS home dirs become truly portable: no local UID info will
leak onto the images anymore, and the need to recursively chown them on
activation goes away. This means activation is always as performant as
it should be.